DATABASE SECURITY AND COMPLIANCE
FortiDB Release Notes VERSION 5.1.7
FORTINET DOCUMENT LIBRARY: http://docs.fortinet.com
FORTINET VIDEO GUIDE: http://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTIGATE COOKBOOK: http://cookbook.fortinet.com
FORTINET TRAINING SERVICES: http://www.fortinet.com/training
FORTIGUARD CENTER: http://www.fortiguard.com
END USER LICENSE AGREEMENT: http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK Email: [email protected]
Thursday, July 09, 2015 FortiDB 5.1.7 Release Notes 1st Edition
TABLE OF CONTENTS

Introduction
What’s new
    Oracle 12c support for DAM
    Support for Oracle syslog data collection
    Fdbagent support AIX and Linux 6
    Monitor synonyms
    PostgreSQL support for DAM
    Configuration backup via CLI
    Security enhancements
    Support for Microsoft SQL RPC (remote procedure call) in native audit mode
    DB2 version 10.x support for both VA and DAM
    Troubleshooting enhancements
Change and performance notices
    General
    Supported target databases
    Collection methods for monitoring
    Activity profiling and policy-based activity auditing
    Internal database repository in sniffing mode
    How to set up FortiDB agents
        Downloading the agent file
        Setting up FortiDB agents
    How to set up the FortiDB TCP/IP sniffer
    How to set up encoding for displaying data
    Software install - internal database repository
    RAID CLI status message
    RAID configuration changes in 3000D appliances
    Oracle monitoring with TCP/IP sniffing
    SGA Agent collection method has been removed
Upgrade instructions
    Hardware & software support
        Supported hardware
        Supported platforms
        Supported internal repositories
    Upgrade from previous versions
Resolved issues
Known issues

Introduction

This document provides installation instructions and caveats, resolved issues, and known issues for FortiDB 5.1.7, build 0017.
FortiDB provides a database security platform which encompasses Database and Data Discovery, Vulnerability Management, Database Activity Monitoring and Audit, Intrusion Prevention and Compliance Reporting. For additional documentation, please visit:
http://docs.fortinet.com/fortidb/

What’s new

Oracle 12c support for DAM
For Oracle 12c, FortiDB now supports Database Activity Monitoring (DAM) using both the TCP/IP packet sniffer and native, audit-based data collection methods.

Support for Oracle syslog data collection
Oracle syslog data collection is now available when you use sniffer-based data collection.

Fdbagent support AIX and Linux 6
For DAM, you can now use the Oracle XML file agent or DB2 agent to monitor databases installed on AIX 6 and Linux 6.

Monitor synonyms
You can now monitor synonyms (an alternative name for a database element such as a table, view, sequence, or procedure) on Oracle databases.

PostgreSQL support for DAM
DAM can now monitor PostgreSQL databases when you use sniffer-based data collection.

Configuration backup via CLI
You can now back up your FortiDB configuration using CLI commands.

Security enhancements
A number of security enhancements have been added to address current threats and SSL-related issues.

Support for Microsoft SQL RPC (remote procedure call) in native audit mode
FortiDB now supports RPC (remote procedure call) when it monitors a Microsoft SQL Server database using the native auditing feature.

DB2 version 10.x support for both VA and DAM
DAM and VA now support newer versions of IBM DB2.

Troubleshooting enhancements
FortiDB now provides more CLI commands that retrieve diagnostic data.

Change and performance notices

General
• Monitor settings for web UI access – To view all objects in the web UI properly, set your monitor to a screen resolution of 1280x1024.
• Web browser support – The web UI supports the following web browsers:
    • Internet Explorer 7.x, 8.x, 9.x, 10.x, 11.x
    • Firefox 4.x/5.0
    • Chrome 4x.x

Supported target databases
FortiDB 5.1.7 supports the following target databases. Some initial configuration of your target databases is required before you can monitor them (DAM). For configuration details, in the online help, under “Target Management”, see “Required Settings for Monitoring Target Databases”.

Database: Oracle
    Vulnerability Assessment: 9.2.x, 10gR1, 10gR2, 11.1.0.x, 11gR2
    DAM: 9i, 10gR2, 11.1.0.x, 11gR2, 12c

Database: MS SQL Server
    Vulnerability Assessment: 2000, 2005, 2008, 2008R2, 2012, 2014
    DAM: 2000, 2005, 2008, 2008R2, 2012, 2014

Database: Sybase
    Vulnerability Assessment: ASE 12.5, ASE 15.0.2, ASE 15.5, ASE 15.7, IQ
    DAM: ASE 12.5 (Sniffer only), ASE 15.0.2, ASE 15.5, ASE 15.7 (MDA only)

Database: DB2 UDB
    Vulnerability Assessment: 8, 9, 10
    DAM: 9.5, 9.7, 10

Database: MySQL
    Vulnerability Assessment: 5.1, 5.5
    DAM: 5.1 (not supported with TCP/IP sniffer), 5.5 (not supported with TCP/IP sniffer)

Database: PostgreSQL
    Vulnerability Assessment: NA
    DAM: 8.x

Collection methods for monitoring
FortiDB monitors database activity using collection methods that are customized for each of the supported target databases. Some collection methods require the FortiDB agent to execute on the target database host. The following table provides collection method information for each type of database. For details about collection methods, in the online help, under “Database Activity Monitoring > Target Monitoring Management > General Tab”, see “Choosing a Collection Method”.

Target database: Oracle
    Target collection method: audit_trail=DB,EXTENDED
    FortiDB collection method: DB, EXTENDED. Agent is not required.

    Target collection method: audit_trail=XML, EXTENDED
    FortiDB collection method: XML File Agent. FortiDB agent is required. Please see “Running the Oracle XML File Agent (UNIX, Windows)” in online help.

    Target collection method: SPAN/mirror port
    FortiDB collection method: TCP/IP sniffer

    Target collection method: SPAN/mirror port
    FortiDB collection method: SYSLOG format

Target database: MS SQL Server
    Target collection method: Trace file
    FortiDB collection method: SQL Trace. Agent is not required.
    For SQL 2000, make sure the following commands are issued before starting monitoring:
        USE master
        GO
        EXEC sp_configure 'show advanced options', 1
        GO
        RECONFIGURE WITH OVERRIDE
        GO
        EXEC sp_configure 'xp_cmdshell', 1
        GO
        RECONFIGURE WITH OVERRIDE
        GO
        EXEC sp_configure 'show advanced options', 0
        GO

    Target collection method: SPAN/mirror port
    FortiDB collection method: TCP/IP sniffer

Target database: DB2
    Target collection method: DB2 configuration
    FortiDB collection method: DB2 Agent. FortiDB agent is required. Please see “Running the DB2 Agent on Windows” and “Running the DB2 Agent on UNIX” in online help.

    Target collection method: SPAN/mirror port
    FortiDB collection method: TCP/IP sniffer

Target database: Sybase
    Target collection method: MDA
    FortiDB collection method: MDA. Agent is not required.

    Target collection method: SPAN/mirror port
    FortiDB collection method: TCP/IP sniffer

Target database: MySQL
    Target collection method: General query log
    FortiDB collection method: General query log

Target database: PostgreSQL
    Target collection method: SPAN/mirror port
    FortiDB collection method: TCP/IP sniffer

Activity profiling and policy-based activity auditing
Activity profiling and policy-based activity auditing can only be used when FortiDB is deployed in sniffing mode.

Internal database repository in sniffing mode
When FortiDB is deployed in sniffing mode, it cannot use an external database repository.

How to set up FortiDB agents
This section explains how to obtain and set up the Oracle XML File Agent and DB2 Agent.
Note: To run the FortiDB agent, your target machine requires Java SE 6 (JDK 6).

Downloading the agent file
Download the latest FortiDB agent in binary mode. Contact Fortinet Technical Support for a download location.

Setting up FortiDB agents
To set up the agents, please refer to the documentation.

How to set up the FortiDB TCP/IP sniffer
The TCP/IP sniffer allows you to collect database activity without using database native audit functionality or installing agents on the database. To use the sniffer, simply configure a SPAN port on the switch and mirror all database traffic to it. Connect one of FortiDB’s interfaces to this port and choose it when you configure the target database in FortiDB’s web UI. This collection method is only supported in the appliance version.

How to set up encoding for displaying data
Some databases can contain information encoded in a non-English character set. Use the following steps to set up FortiDB to display non-English data:
• If you are collecting from an agent-based collector, set the auditFileEncoding property in the agent.properties file to the encoding that the database uses.
• To generate reports that contain non-English encoded characters, set the DAM Report Encoding system property to the encoding you want to use. To access this property, in the web UI, go to Administration > Global Configuration > Reporting.
By default, FortiDB uses UTF-8 encoding. In general, any encoding supported by the Java VM is supported by FortiDB, but for exporting PDF reports, the encoding specified by DAM Report Encoding must map to a supported PDF font. FortiDB supports the following encodings for exporting PDF data:

Locale: Japanese
    Supported encodings: Shift_JIS, SJIS, EUC-JP, EUC_JP, x-EUC-JP-LINUX, EUC_JP_LINUX, ISO-2022-JP, ISO2022JP, windows-31j, MS932, Cp930, Cp939, Cp942, Cp943, Cp33722

Locale: Chinese
    Supported encodings: x-mswin-936, MS936, GB18030, x-EUC-CN, EUC_CN, GBK, x-windows-950, MS950, x-MS950-HKSCS, MS950_HKSCS, x-EUC-TW, EUC_TW, Big5, Big5-HKSCS, Cp935, Cp937, Cp948, Cp950, Cp964, ISO2022_CN_CNS, ISO2022_CN_GB

Locale: Korean
    Supported encodings: x-windows-949, MS949, EUC-KR, ISO-2022-KR, ISO2022KR

Locale: Others
    Supported encodings: UTF-8

Visit http://java.sun.com/javase/6/docs/technotes/guides/intl/encoding.doc.html for additional information about encodings supported by the Java virtual machine.

Software install - internal database repository
When using the FortiDB software version and choosing Oracle as the internal repository, only Oracle 10g Release 2 (10.2) or Oracle 11g are supported.

RAID CLI status message
The get system raid command returns the following status message:
    Raid State: Degraded
This message is harmless and can be safely ignored.

RAID configuration changes in 3000D appliances
FortiDB 3000D has a PERC H710 RAID controller, and it supports hardware-based RAID 0, 1, 5, 10, and so on. The only way to change the RAID configuration is in the BIOS. To enter the BIOS Configuration Utility, during startup, when prompted by the BIOS screen, press . You need a keyboard and a display to connect to the FortiDB 3000D appliance. You cannot change the RAID configuration using the serial port connection. If the RAID level of the FortiDB 3000D is changed, the hard disk needs to be formatted. To obtain the required format image, contact Fortinet Technical Support.

Oracle monitoring with TCP/IP sniffing
When you deploy the FortiDB TCP/IP sniffer to monitor an Oracle database, FortiDB stops monitoring any previously configured connections for that database. To monitor the database using an additional collection method (for example, to monitor local access to the database), create a new connection.

SGA Agent collection method has been removed
The SGA collection method has been removed from the Monitor setup. This option was available for Oracle databases only.

Upgrade instructions

Hardware & software support

Supported hardware
FortiDB 5.1.7 supports the following hardware platforms:
• FortiDB 400B
• FortiDB 400C
• FortiDB 500D
• FortiDB 1000B
• FortiDB 1000C
• FortiDB 1000D
• FortiDB 2000B
• FortiDB 3000D

Supported platforms
FortiDB 5.1.7 software supports the following platforms:
• Windows 2003 32-bit, 64-bit
• Windows XP
• Linux Red Hat 4 64-bit, RH5 64-bit
• Solaris

Supported internal repositories
FortiDB 5.1.7 software supports the following internal repositories:
• Derby (Shipped with FortiDB)
• PostgreSQL 8.3
• Oracle 10g Release 2 (10.2), Oracle 11G
• MS SQL Server 2005, 2008 (Windows only)

Upgrade from previous versions
You can upgrade from previous official 4.x releases. Upgrade from 3.x versions is not supported.

Resolved issues

The list below does not include every bug that has been corrected in this release. For inquiries about a particular bug, please contact Fortinet Customer Service & Support:
https://support.fortinet.com

Bug ID    Description
282237    FortiDB 500D does not work properly in VLAN environments
267433    FortiDB models 400B, 2000B, 1000B, 1000C do not work properly after an upgrade to 5.1.5 and 5.1.6
230240    Cannot archive when audit data is larger than 2.5 million records
264711    Table policy does not generate alerts and generates an error message
264700    The tablecolumn policy cannot select columns that have a name longer than 255 characters
264633    Data policy for Microsoft SQL database does not generate alerts as expected
263953    DAM alert detail displays errors when table name contains spaces
277626    Privilege Summary Report is not displayed correctly
274057    Support spaces in tablepolicy for audit
241046    Running a VA scan via the CLI and saving the reports to disk generates error messages

Known issues

There are no known issues for this release. For inquiries about a particular bug, please contact Fortinet Customer Service & Support:
https://support.fortinet.com

Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.