Deployment Guide Document version: 1.0

Deploying the BIG-IP LTM with Oracle Database Firewall

What's inside:
  Prerequisites and configuration notes
  Configuration example
  Configuring the BIG-IP LTM for Database Policy Enforcement (inline) Mode
  Configuring the BIG-IP LTM for Database Activity Monitoring Mode
  Document Revision History

Welcome to the F5 Deployment Guide for the F5 BIG-IP® Local Traffic Manager™ (LTM) with Oracle® Database Firewall. This guide provides instructions on configuring the BIG-IP LTM for intelligent traffic management for Oracle Database Firewall deployments.

Why F5

The BIG-IP LTM provides high availability, load balancing, simple scalability and high operational resiliency for Oracle Database Firewall deployments. In an Oracle Database Firewall environment, the BIG-IP LTM provides intelligent traffic management and high availability by monitoring and managing connections to the Database Firewall Proxy services running in Inline Database Policy Enforcement (DPE) Mode, also called Proxy Mode. The Database Firewalls can now be run in Active-Active mode, enabling higher levels of availability, performance, and scalability.

In addition, the LTM's Oracle JDBC Client libraries allow thorough monitoring of both the Database Firewall Policy engine and the Database server behind the firewall. The LTM also keeps persistence records so that connections are always directed to the same firewall for a specified period of time, ensuring that traffic flowing to and from each Database Firewall is symmetric.

If the Database Firewall is instead running out of band in Database Activity Monitoring (DAM) Mode, the BIG-IP LTM's Interface Mirroring capabilities can send network traffic to the Database Firewall for analysis and reporting.

For more information on Oracle Database Firewall, see http://www.oracle.com/technetwork/database/database-firewall/overview/index.html

For more information on the F5 BIG-IP LTM, see http://www.f5.com/products/big-ip/big-ip-local-traffic-manager/overview/

Products and versions tested

  Product                    Version
  BIG-IP LTM                 11.1 and 11.2
  Oracle Database Firewall   5.1 and later

Important: Make sure you are using the most recent version of this deployment guide, available at http://www.f5.com/pdf/deployment-guides/oracle-database-firewall-ltm-dg.pdf

DEPLOYMENT GUIDE Oracle Database Firewall

To provide feedback on this deployment guide or other F5 solution documents, contact us at [email protected]

Prerequisites and configuration notes

The following are general prerequisites and configuration notes for this guide:

- You must be running BIG-IP version
- The BIG-IP system must be initially configured with the proper VLANs and Self IP addresses. For more information on VLANs and Self IPs, see the online help or the BIG-IP documentation.
- For information on the F5 and Oracle integration between the BIG-IP Application Security Manager (ASM) web application firewall and the Oracle Database Firewall, see http://www.f5.com/pdf/deployment-guides/oracle-database-firewall-dg.pdf

Configuration example

There are two modes of deployment described in this guide, Database Policy Enforcement (inline) mode, and Database Activity Monitoring mode. The following graphics show a logical configuration diagram for each mode.

Database Policy Enforcement (inline) mode

In this mode, as described in the introduction, the BIG-IP LTM provides traffic management and high availability by monitoring and managing connections to the Database Firewall Proxy services. This allows you to run the Oracle Database Firewalls in Active-Active mode, enabling higher levels of availability, performance, and scalability.

[Figure 1 diagram: Client -> Internet -> Firewall -> BIG-IP Local Traffic Manager -> Web Tier -> BIG-IP Local Traffic Manager -> Oracle Database Firewall (in Proxy Mode), Active-Active -> Database; Database Firewall Management Server attached to the firewalls]

Figure 1: Database Policy Enforcement mode logical configuration example

Database Activity Monitoring mode

For Database Activity Monitoring mode, you can use the Port Mirroring capabilities of the BIG-IP LTM to send network traffic to the Database Firewall for analysis and reporting.

[Figure 2 diagram: Client -> Internet -> Firewall -> BIG-IP Local Traffic Manager -> Web Tier -> BIG-IP Local Traffic Manager -> Database; F5 Port Mirroring from the BIG-IP LTM to the Oracle Database Firewall (in Monitoring Mode) and its Database Firewall Management Server]

Figure 2: Database Activity Monitoring mode logical configuration example


Configuring the BIG-IP LTM for Oracle Database Firewall in Database Policy Enforcement (inline) Mode

Use the following table to configure the BIG-IP LTM for the Oracle Database Firewall in Database Policy Enforcement (inline) mode.

BIG-IP LTM Object                                      Non-default settings/Notes

Health Monitor (Main tab-->Local Traffic-->Monitors)
  Name                      Type a unique name
  Type                      Oracle
  Interval                  60
  Timeout                   181
  Send String               "Select status from V$SYSTEM"
  Receive String            OPEN
  User Name                 Type the user name of an Oracle DB user. We recommend creating an account specifically for this monitor.
  Password                  Type the associated password.
  Connection String         (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=%node_ip%)(PORT=%node_port%))(CONNECT_DATA=(SERVICE_NAME=dbXX))(SERVER=dedicated))
                            Replace dbXX with your Service Name.

Pool (Main tab-->Local Traffic-->Pools)
  Name                      Type a unique name
  Health Monitor            Select the monitor you created above
  Slow Ramp Time (1)        300
  Load Balancing Method     Choose a load balancing method. We recommend Least Connections (Member)
  Address                   Type the IP Address of a DBFW Proxy node
  Service Port              Type the appropriate port. This is the Proxy Port that you defined as the Enforcement Point on the DBFW. In our example, we type 15212. Click Add to repeat Address and Service Port for all nodes.

  Important: If you have configured a Default Monitor for nodes on your BIG-IP system, and this default monitor is an ICMP monitor, you must remove the Default Monitor from the Database Firewall nodes you just added to the pool, or change the default monitor type. The Database Firewall's iptables service blocks all ICMP traffic. By default, the BIG-IP system does not assign a Default monitor to the nodes. Check Local Traffic > Nodes > Default Monitor to see if your system is using a default monitor. To remove the default monitor from a node, from the Nodes screen, click a node, and then select None. You can also change the Default monitor type.

Profiles (Main tab-->Local Traffic-->Profiles)
  TCP (Profiles-->Protocol)
    Name                    Type a unique name
    Parent Profile          tcp-lan-optimized
    Idle Timeout (2)        3600
  Persistence (Profiles-->Persistence)
    Name                    Type a unique name
    Persistence Type        Source Address Affinity
    Timeout (2)             3600

Virtual Servers (Main tab-->Local Traffic-->Virtual Servers)
  Name                      Type a unique name.
  Address                   Type the IP Address for the virtual server
  Service Port              1521
  Protocol Profile (Client) Select the TCP profile you created above
  SNAT Pool                 None
                            Important: This should be set to None. If SNAT is enabled, the DBFW cannot use any Client IP Address based Policies.
  Default Pool              Select the pool you created above
  Persistence Profile       Select the Persistence profile you created

(1) You must select Advanced for this option to appear.
(2) SQL connections through the BIG-IP system and the Database Firewall may remain inactive for long periods of time. The idle timeout values in the TCP profile and the persistence profile may need to be increased to match your database environment.

This completes the BIG-IP LTM configuration for Database Policy Enforcement mode.
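The same inline-mode configuration expressed as tmsh commands, as an added example that is not part of the F5 guide. The object names, the 192.0.2.x node addresses and 10.0.0.100 virtual address, the monitor account, and the mapping of the GUI "Connection String" field to the oracle monitor's `database` property are assumptions; the interval, timeout, send/receive strings, ports, ramp time and idle timeouts are the values from the table above.

```tmsh
# Added example, not from the F5 guide. Placeholder names/addresses are assumed.

# Oracle health monitor (GUI "Connection String" assumed to be the "database"
# property; %node_ip%/%node_port% are substituted per pool member by the BIG-IP).
create ltm monitor oracle dbfw_oracle_monitor {
    interval 60
    timeout 181
    send "Select status from V$SYSTEM"
    recv OPEN
    username dbfw_monitor_user
    password "<monitor-password>"
    database "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=%node_ip%)(PORT=%node_port%))(CONNECT_DATA=(SERVICE_NAME=dbXX))(SERVER=dedicated))"
}

# Pool of DBFW proxy enforcement points (proxy port 15212 as in the guide's example)
create ltm pool dbfw_proxy_pool {
    monitor dbfw_oracle_monitor
    load-balancing-mode least-connections-member
    slow-ramp-time 300
    members add { 192.0.2.11:15212 192.0.2.12:15212 }
}

# The DBFW drops all ICMP, so an inherited ICMP default node monitor would mark
# every firewall node down. Check for one, and clear it from the DBFW nodes if set.
list ltm default-node-monitor
modify ltm node 192.0.2.11 monitor none
modify ltm node 192.0.2.12 monitor none

# Long idle timeouts (footnote 2): SQL sessions may sit idle for long periods.
create ltm profile tcp dbfw_tcp_lan { defaults-from tcp-lan-optimized idle-timeout 3600 }
create ltm persistence source-addr dbfw_persist { timeout 3600 }

# Virtual server on 1521. SNAT stays off (type none) so the DBFW sees the real
# client address and its client-IP based policies keep working.
create ltm virtual dbfw_vs_1521 {
    destination 10.0.0.100:1521
    ip-protocol tcp
    profiles replace-all-with { dbfw_tcp_lan }
    pool dbfw_proxy_pool
    persist replace-all-with { dbfw_persist }
    source-address-translation { type none }
}
```

The two `modify ltm node ... monitor none` lines are only needed when `list ltm default-node-monitor` shows an ICMP-type monitor; otherwise they can be omitted.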


Configuring the BIG-IP LTM for Oracle Database Firewall in Database Activity Monitoring Mode

In this section, we show you how to configure the BIG-IP LTM if you are running the Oracle Database Firewall in Database Activity Monitoring (DAM) Mode. The BIG-IP LTM configuration takes advantage of the Interface Mirroring feature; you simply configure this Mirror port with source and destination interfaces.

To configure Interface mirroring

1. On the Main tab, expand Network, and then click Interfaces.
2. On the Menu bar, click Interface Mirroring.
3. From the Interface Mirroring State list, select Enabled.
4. From the Destination Interface list, select the BIG-IP interface to which the Oracle Database Firewall network interface is connected.
5. From the Mirrored Interfaces Available list, select the BIG-IP interface where the client-to-database traffic exists, and then click the Add (<<) button to move it to the selected list.
6. Click Update.

The BIG-IP LTM is now configured to mirror database traffic to the Oracle Database Firewall. This completes the LTM configuration of Database Activity Monitoring mode.


Document Revision History

  Version   Description    Date
  1.0       New document   09-19-2012

F5 Networks, Inc. Corporate Headquarters, 401 Elliott Avenue West, Seattle, WA 98119, 888-882-4447, www.f5.com, [email protected]
F5 Networks Asia-Pacific [email protected]
F5 Networks Ltd. Europe/Middle-East/Africa [email protected]
F5 Networks Japan K.K. [email protected]

©2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.
