The Database Firewall can be configured in bridge mode or proxy mode. Before configuring either, you must have installed the Audit Vault Server and the Database Firewall and registered the Database Firewall with the Audit Vault Server.
I assume you have already done this; if not, you can follow the links below:
- Installing Oracle Audit Vault Server
- Installing Oracle Database Firewall Server
- Register Audit Vault and Database Firewall.
Database Firewall Deployment Modes:
The Database Firewall can be deployed in several configurations, depending on your security requirements.
• In-line network blocking – SQL traffic is passed through the Database Firewall and inspected before it is forwarded to the database or blocked.
• Out-of-band passive network monitoring – A copy of the SQL traffic to and from the database is sent to the Database Firewall (usually by means of a span port) for analysis and alerting.
• Combined deployment: in-line and/or out-of-band deployments can be configured on the same Database Firewall and combined with local server-side, monitor-only agents for local connections.
• Proxy blocking and monitoring: In this mode the Database Firewall is configured as a proxy, and every database client connection string must be changed to the proxy IP address and port.
The Database Firewall operates in two modes depending on your security and operational needs.
• Database Activity Monitoring (DAM): The system detects and logs unusual activity, and produces warnings, but does not block potential threats. It is also known as monitoring mode.
• Database Policy Enforcement (DPE): The system performs all the actions of database activity monitoring and blocks potential attacks. It is also known as blocking mode.
Network Interface Cards
Oracle recommends the following number of network interface cards (NICs) for each x86 64-bit server on which you install the following components:
- At least 1 NIC for a Database Firewall operating as a proxy
- At least 2 NICs for a Database Firewall in DAM Mode (monitoring only)
- At least 3 NICs for a Database Firewall in DPE Mode (monitoring and blocking)
Configure a Bridge in the Database Firewall
If the Database Firewall is used in blocking (DPE) mode to block potential SQL attacks, it must be in-line with network traffic (or configured as a proxy). If the Database Firewall is not in proxy mode, then you must allocate an additional IP address that is unique on the database network to enable a bridge. The bridge IP address is used to redirect traffic within the Database Firewall. When the Database Firewall is used as a proxy, you do not need to allocate this additional IP address.
To configure Database Firewall Bridge IP address:
- Log in to the Database Firewall administration console.
- In the System menu, click Network, and then click the Change button.
- In the Traffic Sources section, find the traffic source that you want to configure as a bridge (first add the traffic source, then add the second network interface and enable Bridge).
- This traffic source must have two network interfaces. You can add an interface if necessary from the Unallocated Network Interfaces section of the page.
- Select Bridge Enabled for this traffic source.
- If necessary, edit the IP address or Network Mask. The bridge IP address is used to redirect traffic within the Database Firewall.
- Click Save.
- The IP address of the bridge must be on the same subnet as all protected databases deployed in DPE mode on that bridge. This restriction does not apply to protected databases deployed in DAM mode.
- If the Database Firewall’s management interface (specified in the console’s Network page) and the bridge are connected to physically separate networks that are on the same subnet, the Database Firewall may route responses out of the wrong interface. If physically separate networks are required, use different subnets.
- The bridge uses two network interfaces: one toward the Database Firewall and the other toward the network switch. The switch's spanning technique is used here.
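The two subnet rules above (DPE targets must share the bridge subnet; a management interface on a physically separate network must not share it) are easy to get wrong on paper. The following is an added example, not code from the original post or from Oracle: a pre-deployment check written against those rules with only the Python standard library. The `ProtectedDatabase` type, the `check_bridge_layout` function and every address in the sample layout are constructed for this example; the overlap test in rule 2 is slightly stricter than the page's "same subnet" wording, since any overlapping subnet creates the same wrong-interface routing risk.

```python
"""Pre-deployment check for the bridge subnet rules described above.

Added example (not from the original post or from Oracle). Uses only the
standard library; all addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class ProtectedDatabase:
    name: str
    ip: str
    mode: str  # "DPE" (monitoring and blocking) or "DAM" (monitoring only)


def _network(ip: str, mask: str):
    # strict=False lets us pass a host address plus its mask and get the subnet back.
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check_bridge_layout(bridge_ip: str, bridge_mask: str,
                        management_ip: str, management_mask: str,
                        targets: List[ProtectedDatabase],
                        physically_separate: bool = True) -> List[str]:
    """Return a list of rule violations; an empty list means the layout is acceptable.

    Rule 1: every DPE-mode target on this bridge must be on the bridge's subnet
            (DAM-mode targets are exempt).
    Rule 2: if the management interface and the bridge sit on physically separate
            networks, their subnets must not overlap (stricter than 'same subnet').
    """
    bridge_net = _network(bridge_ip, bridge_mask)
    mgmt_net = _network(management_ip, management_mask)
    problems: List[str] = []

    for target in targets:
        if target.mode.upper() != "DPE":
            continue  # DAM mode: monitoring only, no same-subnet requirement
        if ipaddress.ip_address(target.ip) not in bridge_net:
            problems.append(
                f"{target.name} ({target.ip}) is deployed in DPE mode but is not "
                f"on the bridge subnet {bridge_net}")

    if physically_separate and bridge_net.overlaps(mgmt_net):
        problems.append(
            f"management interface subnet {mgmt_net} overlaps the bridge subnet "
            f"{bridge_net} on physically separate networks; responses may leave "
            f"the wrong interface, so use different subnets")
    return problems


# Constructed sample layout: one DPE target sits off the bridge subnet.
SAMPLE_TARGETS = [
    ProtectedDatabase("erp", "10.1.20.15", "DPE"),
    ProtectedDatabase("hr", "10.1.30.7", "DAM"),   # DAM: exempt from rule 1
    ProtectedDatabase("crm", "10.1.30.9", "DPE"),  # DPE but on another subnet
]

if __name__ == "__main__":
    for problem in check_bridge_layout("10.1.20.250", "255.255.255.0",
                                       "10.1.10.5", "255.255.255.0",
                                       SAMPLE_TARGETS):
        print("PROBLEM:", problem)
```

Run it before clicking Save on the Network page: with the sample layout it reports only the `crm` target, and moving the management interface onto 10.1.20.0/24 adds the second violation. Targets monitored in DAM mode on the same bridge never trigger rule 1, matching the exemption stated above.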
Configure a Database Firewall as a Traffic Proxy
A network traffic source can be configured as a traffic proxy, and the proxy is then associated with an enforcement point. You can also specify multiple ports for one proxy so that different enforcement points can use them. Once the Database Firewall is set up as a traffic proxy, your database clients connect to the database using the Database Firewall proxy IP address and port.
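Because proxy mode only inspects connections that clients actually send to the proxy, the last step in practice is checking that every client connect descriptor has been repointed. The following is an added example, not code from the original post or from Oracle: it audits tnsnames.ora-style text for ADDRESS clauses that still name the database listener directly and rewrites them to the proxy host and port. The sample file, the proxy address 10.1.20.250:1530 and the function names are constructed for this example, and it assumes the usual flat `(ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = ...))` layout.

```python
"""Audit and rewrite Oracle client connect descriptors for proxy mode.

Added example (not from the original post or from Oracle). Works on
tnsnames.ora-style text; the sample entries and the proxy endpoint are
constructed values.
"""
import re
from typing import Iterator, List, Tuple

# One ADDRESS clause: a flat run of (KEY = value) groups with no nesting inside.
ADDRESS_RE = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\s*\([^()]*\)\s*)+)\)", re.IGNORECASE)
HOST_RE = re.compile(r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", re.IGNORECASE)
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.IGNORECASE)

Endpoint = Tuple[str, int]


def address_endpoints(tns_text: str) -> Iterator[Endpoint]:
    """Yield (host, port) for every ADDRESS clause, in order of appearance."""
    for match in ADDRESS_RE.finditer(tns_text):
        body = match.group(1)
        host = HOST_RE.search(body)
        port = PORT_RE.search(body)
        if host and port:
            yield host.group(1), int(port.group(1))


def find_bypassing_endpoints(tns_text: str, proxy_host: str, proxy_port: int) -> List[Endpoint]:
    """Endpoints that still point somewhere other than the firewall proxy.

    Every entry returned is a client path that would reach the database
    without passing through the Database Firewall.
    """
    return [ep for ep in address_endpoints(tns_text) if ep != (proxy_host, proxy_port)]


def rewrite_to_proxy(tns_text: str, proxy_host: str, proxy_port: int) -> str:
    """Return the text with every ADDRESS clause pointed at the proxy host and port."""
    def repoint(match):
        body = match.group(1)
        body = HOST_RE.sub(f"(HOST = {proxy_host})", body)
        body = PORT_RE.sub(f"(PORT = {proxy_port})", body)
        prefix = match.group(0)[: match.start(1) - match.start(0)]  # "(ADDRESS = "
        return prefix + body + ")"
    return ADDRESS_RE.sub(repoint, tns_text)


# Constructed sample: ERP still goes straight to the listener, CRM already uses the proxy.
SAMPLE_TNSNAMES = """\
ERP =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.1.20.15)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = erp.example.com))
  )

CRM =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.1.20.250)(PORT = 1530))
    (CONNECT_DATA = (SERVICE_NAME = crm.example.com))
  )
"""

PROXY_HOST, PROXY_PORT = "10.1.20.250", 1530

if __name__ == "__main__":
    for host, port in find_bypassing_endpoints(SAMPLE_TNSNAMES, PROXY_HOST, PROXY_PORT):
        print(f"bypasses firewall: {host}:{port}")
    print(rewrite_to_proxy(SAMPLE_TNSNAMES, PROXY_HOST, PROXY_PORT))
```

The audit function is the useful half: run it over each client's tnsnames.ora and treat any returned endpoint as a connection that the firewall would never see. It inspects configuration text only, so clients that use EZConnect or JDBC URLs need the equivalent check against their own format.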
To configure a traffic proxy:
- Ensure that the IP address of the proxy interface is on the same subnet as the secured target.
- Log in to the administration console of the Database Firewall that is acting as a proxy.
- In the System menu, click Network, then click the Change button.
- We have used the Management Interface as the network proxy.
- To free up additional network interfaces, remove them from an existing traffic source or traffic proxy by clicking the Remove button next to the network interface(s) you want to free up.
- Click Add. The new traffic proxy appears under the Traffic Proxies area of the page.
- Under the new proxy, select Enabled.
- In the Proxy Ports section for the new proxy, enter a Port number, and then click Add. You can specify more than one port per proxy by entering another port number and clicking Add.
- Check Enabled next to the port number(s).
- Click Save.
Register Database Firewall with Audit Vault Server
Registering the Database Firewall with the Audit Vault Server must be completed after both the Audit Vault Server and the Database Firewall are installed. You must associate each Database Firewall with an Audit Vault Server by specifying the server's certificate and IP address so that the Audit Vault Server can manage the firewall. If you are using a resilient pair of Audit Vault Servers for high availability, you must associate the firewall with both servers.
I assume you have installed Oracle Audit Vault and Database Firewall; if not, you can follow the links below:
- Installing Oracle Audit Vault Server 18.104.22.168.0
- Installing Oracle AVDF (Oracle Database Firewall) 22.214.171.124.0
1. First, log in to the Audit Vault Server with the AV admin username and password and copy the Audit Vault Server certificate. To do this:
In the Settings tab > Security menu > click Certificate > the server certificate is displayed > copy the server certificate into a text file.
2. Log in to the Oracle Database Firewall with the firewall admin username and password, and paste the AV server certificate into the firewall's certificate box. To do this:
System menu > click Audit Vault Server > enter the IP address of the Audit Vault Server > paste the AV server certificate > Apply.
NOTE: If you are using a resilient pair of Audit Vault Servers, select the Add Second Audit Vault Server check box, and enter the IP address and certificate of the secondary Audit Vault Server.
3. Register the Database Firewall in the Audit Vault Server. Log in to AV with the admin username and password. To do this:
Click the Firewall tab > click the Register button > enter the Database Firewall name > enter the firewall IP address > Save.
4. After saving, click the Register button. After successful registration, check the diagnostic report again to confirm that everything is OK.