Fortinet FortiDB User Manual

Utilities User Guide

FortiDB

Version 3.2

www.fortinet.com

FortiDB Utilities User Guide

Version 3.2
December 19, 2008
15-32000-81369-20081219

© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.

Trademarks

ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGuard,
FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog,
FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield,
FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The
names of actual companies and products mentioned herein may be the trademarks of their respective
owners

Table of Contents

Table of Contents

FortiDB MA Utilities ................................................................................................. 3

Auto Discovery......................................................................................................... 4

DB2 .....................................................................................................................................6

MS-SQL ..............................................................................................................................6

Connection Summary .............................................................................................. 8

Rule Chaining ........................................................................................................... 9

Chaining with Parameterized User-Defined Rules............................................................11

General PUDR Steps...................................................................................................12

PUDR Process.............................................................................................................12

PUDR Eligible Rules....................................................................................................13

Chaining the UBM Policy and PUDR Together ...........................................................14

Alert Behavior ..............................................................................................................17

PUDR Alert Behavior with Multiple SELECT-List Objects

in the Violating SQL Statement...................................................................................18

Report Manager...................................................................................................... 20

Alert Report Manager........................................................................................................20

Setting a Report Schedule...........................................................................................20

Reporting by Time .......................................................................................................23

Enabling Email Recipients ...........................................................................................23

Specifying Report Parameters.....................................................................................23

Activating ARM ............................................................................................................27

Running and Analyzing Reports ..................................................................................27

Custom Reports ................................................................................................................30

Using This Feature ......................................................................................................30

Scheduling ...................................................................................................................30

Customer and Company Information...........................................................................32

Report and Template Generation and Management ...................................................33

Report History..............................................................................................................39

Licensing and Administration ............................................................................................40

Custom Report Properties ...........................................................................................40

SOX Compliance Reports.................................................................................................42

Reports and Acronyms ...............................................................................................43

Common Report Header Fields ...................................................................................43

SOX Report Specifics ........................................................................................... 44

History of Privilege Changes Report (HPC)......................................................................44

COBIT Objectives and Setup Requirements ..............................................................44

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 1

Table of Contents

Report Body Columns ................................................................................................. 44

Abnormal or Unauthorized Changes to Data Report (AUC) .............................................45

COBIT Objectives and Setup Requirements .............................................................. 45

Report Body Columns ................................................................................................. 45

Abnormal Use of Service Accounts Report (AUS) ........................................................... 46

COBIT Objectives and Setup Requirements .............................................................. 46

Report Body Columns ................................................................................................. 46

Abnormal Termination of Database Activity Report (ATD) ...............................................47

COBIT Objectives and Setup Requirements .............................................................. 47

Report Body Columns ................................................................................................. 47

End of Period Adjustments Report (EPA) ........................................................................48

COBIT Objectives and Setup Requirements .............................................................. 48

Report Body Columns ................................................................................................. 48

Determining Your Reporting Period.............................................................................49

Verification of Audit Settings Report (VAS) ......................................................................50

COBIT Objectives and Setup Requirements .............................................................. 50

Report Body Columns ................................................................................................. 50

Licensing and Administration.......................................................................................51

Index ........................................................................................................................ 53

FortiDB Version 3.2 Utilities User Guide

2 15-32000-81369-20081219

FortiDB MA Utilities

FortiDB MA Utilities

FortiDB MA provides several utilities to help you use other modules:

• Auto Discovery to ease the burden of manually setting up database
connections

• Connection Summary to show which database connections are Open or are
Open and Running

• Rule Chaining to trigger one rule based upon another

• Report Manager for custom, offline reports

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 3

Auto Discovery

FortiDB MA provides the ability to search for, and establish connections to,
databases on your network. Rather than manually entering all of the connection
information, you can have FortiDB MA automatically discover it for you.

Auto Discovery

Selecting Addresses for Auto-Discovery

In order to use this feature:

1 Select the Database->New menu, and click the Auto Discovery button on the

Create New Database Connection screen. Or you can just select Auto Discovery
from the Main page.

2 Enter an IP address range and specify the RDBMS type you are interested in.

3 By clicking the Edit button next to the desired type of database, you can enter a

range of ports, in case there are databases listening on non-default ports.

4 Click Close to close the Edit Port Range screen.

FortiDB Version 3.2 Utilities User Guide

4 15-32000-81369-20081219

Auto Discovery

Selecting Non-Standard Ports for Auto-Discovery

5 Click the Begin Discovery button.

Results from Auto-Discovery

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 5

DB2 Auto Discovery

Discovered Database Information Populating Connection Form

DB2

MS-SQL

The process will automatically return:

• Database Type and version

• IP address (with port if applicable)

• Database name/instance

Once the Auto Discovery list is returned, you can create, by clicking the Add
button on the Discovered Database Applications screen, the database
connections you wish to assess or monitor.

The additional required and recommended fields will need to be completed
manually. (See the FortiDB MA Administration Guide for more information on
setting up connections)

Auto Discovery does not return the database name and version for DB2 UDB with
V8 Fix Pack 10.

It is sometimes necessary to temporarily open another port in your firewall to
make sure the Auto Discovery program communicates with all SQL Server
versions. You should configure the firewall on your target machine so that it allows
UDP packets:

FortiDB Version 3.2 Utilities User Guide

6 15-32000-81369-20081219

Auto Discovery MS-SQL

• Destined for port 1434

Note: FortiDB MA sends a packet to port 1434, which MSSQL uses in order to
return information about itself such as instance name, version, etc. (Even though
this is an MSSQL-specific port number, FortiDB MA uses it for all Auto-Discovery­related transmissions.)

• Originating from the port whose number is specified in the dss.udpport
property in dssConfig.properties.

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 7

MS-SQL Connection Summary

Connection Summary

The Connection Summary utility allows you to see, by FortiDB MA module and in
one place, a dashboard view of all of your database connections.

Connection Summary Button

Connection Summary Output

FortiDB Version 3.2 Utilities User Guide

8 15-32000-81369-20081219

Rule Chaining MS-SQL

Rule Chaining

The Rule Chaining module allows you to associate rules so that one, the source1
rule, can influence the execution of another, the target
established with the same target database.

2

rule. Both rules are

Rule Chaining Setting Screen

FortiDB MA offers two types of chained-rule pairs:

• Rule pairs in which there are no parameters passed. (In this case, you may
use Guarded Items from Privilege Monitor (PM), Metadata monitor (MM),
Content Monitor (CM), and User Behavior Monitor (UBM))

• Rule pairs in which there are parameters passed(In this case, you may use
Guarded Items only from User Behavior Monitor (UBM))

You invoke Rule Chaining from the tree navigator on the left.

1. This is sometimes called the original rule.

2. This is sometimes called the chained rule.

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 9

MS-SQL Rule Chaining

Configuring a Rule Chain for a Specific Target Database Connection

You can perform the following:

• Choose the target database (the database you want to run the rules against)

• Add item (new chain)

• Delete item

• View/Modify item (make changes to an existing chain)

• Enable item (a chain does not have to be enabled when it is created)

• Disable item

Rule Chaining Setting Screen

FortiDB Version 3.2 Utilities User Guide

10 15-32000-81369-20081219

Rule Chaining Chaining with Parameterized User-Defined Rules

After the database has been specified and you have clicked on [Add Item], you
will be presented with the Create Rule Chaining Settings page.

Here, you need to:

• Name the Rule Chain

• Select the policy you want to use as the Source Rule

• Select the target rule (Chained Rule) you want to execute, once the first rule
had been violated.

• Specify whether you want the chain to run immediately upon source-rule
violation or not. Run Immediately means that the target rule will run as soon
as there is a source-rule violation. Run as Scheduled means that the target
rule will run according to the module-, database-, or item-specific schedule that
is in effect for the source rule.

• Decide whether you want to immediat

1

ely enable the chain or not. Unless you
check the Enable Chain? checkbox, the chain won't be in effect. This allows
you to create the chain and then only use it when needed.

You can see the Module and the name of the available guarded items for all
policies. For example, 'PM|' or 'UBM|' preceding the rule name indicates the PM,
or UBM module, respectively.

After the Rule Chain is invoked, alerts will appear with those of other policies.

Note: For UBM policies, which are indicated in green, you can pass parameters
from the Source Rule to the Chained Rule, if the latter is a Parameterized User­Defined Rule (PUDR) and if the Chain meets certain other conditions. For more
information on how to create a PUDR see the FortiDB MA User Behavior Monitor
(UBM) User Guide. For more information on using PUDRs in a chain, see

Chaining with Parameterized User-Defined Rules).

Chaining with Parameterized User-Defined Rules

Parameters, specific to the RDBMS type of your target database, can be passed
from the source to the target in order to permit the target to perform specific tasks,
such as to kill the session of a suspicious user.

The source rule can be a UBM User, Object, or Session Policy. The target rule can
only be a User-Defined Rule (UDR) and specifically one that can accept
parameters: a Parameterized User Defined Rule (PUDR). The PUDR functionality
can be accessed within the UBM module. (See the FortiDB MA User Behavior
Monitor (UBM) User Guide)

When there is a violation of the source rule, the target UDR gets executed, with
the parameters passed from the source rule. An alert is generated both for the
source violation and for the PUDR execution.

1. A module schedule will be overridden by a database-specific schedule, if one is set. A
database-specific schedule will be overridden by an item-specific schedule if one is set.

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 11

Chaining with Parameterized User-Defined Rules Rule Chaining

General PUDR Steps

The general step for creating a chain that uses a PUDR are:

1 In UBM, define an Object, User, or Session policy that will be your Source Rule.

2 In UBM, define a PUDR that will be your Target Rule

3 In the Rule Chaining module, define a chain which associates the UBM policy and

the PUDR.

PUDR Process

Parameterized User-Defined Rule Flow Diagram

The PUDR process involves these steps.

1 The source rule is violated and an alert is generated.

2 FortiDB MA determines if there is a PUDR that is chained to the source rule.

• If a rule is chained, FortiDB MA fetches the information on the chain
relationship

3 FortiDB MA checks to see if the source rule is to be run immediately or not.

4 FortiDB MA checks to see if the chained rule is a PUDR vs. a regular policy

a If a regular UDR, FortiDB MA runs the UDR without passing any

variables.

b If the rule is a PUDR and is set to be run immediately, FortiDB MA

passes the parameters defined in the rule chain to the PUDR.

c If the rule is a PUDR and is set to be run with the schedule settings of

the source rule, FortiDB MA indicates that parameters have to be
passed for the successful execution of the PUDR.

5 An alert is generated for the PUDR.

FortiDB Version 3.2 Utilities User Guide

12 15-32000-81369-20081219

Rule Chaining Chaining with Parameterized User-Defined Rules

PUDR Eligible Rules

Disabled Parameter Checkboxes

If the chosen target rule cannot accept parameters, they will be grayed out.

Validating the PUDR before Saving

If one or more variables selected do not appear in the PUDR, FortiDB MA
presents a warning message.

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 13

Chaining with Parameterized User-Defined Rules Rule Chaining

Chaining the UBM Policy and PUDR Together

Associating a Source Rule That Can Pass parameters with a PUDR

Example of Chaining to a PL/SQL-based PUDR

In this Oracle PL/SQL kill-session example, we:

1 Create a DB user, BAD_GUY, whose session we will monitor, in our Oracle target

database.

Item Setting for Session Policy

FortiDB Version 3.2 Utilities User Guide

14 15-32000-81369-20081219

Rule Chaining Chaining with Parameterized User-Defined Rules

Policy Settings for Suspicious Login Time

2 Create a UBM Session Policy, our Source rule, in order to monitor BAD_GUY and

generate an alert to trigger our Target rule, a PUDR. We will pass the Session ID
from the Source to the Target rule.

3 Create a Target PUDR, in the UBM module, which will contain the following kill-

session code. That code, in turn, will accept our passed Session ID parameter
(shown in red):

FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219 15