DATABASE SECURITY AND COMPLIANCE

FortiDB Release Notes VERSION 5.1.7


Thursday, July 09, 2015 FortiDB 5.1.7 Release Notes 1st Edition

TABLE OF CONTENTS

Introduction
What’s new
  Oracle 12c support for DAM
  Support for Oracle syslog data collection
  Fdbagent support AIX and Linux 6
  Monitor synonyms
  PostgreSQL support for DAM
  Configuration backup via CLI
  Security enhancements
  Support for Microsoft SQL RPC (remote procedure call) in native audit mode
  DB2 version 10.x support for both VA and DAM
  Troubleshooting enhancements
Change and performance notices
  General
  Supported target databases
  Collection methods for monitoring
  Activity profiling and policy-based activity auditing
  Internal database repository in sniffing mode
  How to set up FortiDB agents
    Downloading the agent file
    Setting up FortiDB agents
  How to set up the FortiDB TCP/IP sniffer
  How to set up encoding for displaying data
  Software install - internal database repository
  RAID CLI status message
  RAID configuration changes in 3000D appliances
  Oracle monitoring with TCP/IP sniffing
  SGA Agent collection method has been removed
Upgrade instructions
  Hardware & software support
    Supported hardware
    Supported platforms
    Supported internal repositories
  Upgrade from previous versions
Resolved issues
Known issues

Introduction

This document provides installation instructions and caveats, resolved issues, and known issues for FortiDB 5.1.7, build 0017.

FortiDB provides a database security platform which encompasses Database and Data Discovery, Vulnerability Management, Database Activity Monitoring and Audit, Intrusion Prevention and Compliance Reporting.

For additional documentation, please visit:

http://docs.fortinet.com/fortidb/


What’s new

Oracle 12c support for DAM

For Oracle 12c, FortiDB now supports Database Activity Monitoring (DAM) using both the TCP/IP packet sniffer and native, audit-based data collection methods.

Support for Oracle syslog data collection

Oracle syslog data collection is now available when you use sniffer-based data collection.

Fdbagent support AIX and Linux 6

For DAM, you can now use the Oracle XML file agent or DB2 agent to monitor databases installed on AIX 6 and Linux 6.

Monitor synonyms

You can now monitor synonyms (an alternative name for a database element such as a table, view, sequence, or procedure) on Oracle databases.

PostgreSQL support for DAM

DAM can now monitor PostgreSQL databases when you use sniffer-based data collection.

Configuration backup via CLI

You can now back up your FortiDB configuration using CLI commands.

Security enhancements

A number of security enhancements have been added to address current threats and SSL-related issues.


Support for Microsoft SQL RPC (remote procedure call) in native audit mode

FortiDB now supports RPC (remote procedure call) when it monitors a Microsoft SQL Server database using the native auditing feature.

DB2 version 10.x support for both VA and DAM

DAM and VA now support newer versions of IBM DB2.

Troubleshooting enhancements

FortiDB now provides more CLI commands that retrieve diagnostic data.


Change and performance notices

General

- Monitor settings for web UI access – To view all objects in the web UI properly, set your monitor to a screen resolution of 1280x1024.
- Web browser support – The web UI supports the following web browsers:
  - Internet Explorer 7.x, 8.x, 9.x, 10.x, 11.x
  - Firefox 4.x/5.0
  - Chrome 4x.x

Supported target databases

FortiDB 5.1.7 supports the following target databases. Some initial configuration of your target databases is required before you can monitor them (DAM). For configuration details, in the online help, under “Target Management”, see “Required Settings for Monitoring Target Databases”.

| Database | Vulnerability Assessment | DAM |
|---|---|---|
| Oracle | 9.2.x, 10gR1, 10gR2, 11.1.0.x, 11gR2 | 9i, 10gR2, 11.1.0.x, 11gR2, 12c |
| MS SQL Server | 2000, 2005, 2008, 2008R2, 2012, 2014 | 2000, 2005, 2008, 2008R2, 2012, 2014 |
| Sybase | ASE 12.5, ASE 15.0.2, ASE 15.5, ASE 15.7, IQ | ASE 12.5 (Sniffer only), ASE 15.0.2, ASE 15.5, ASE 15.7 (MDA only) |
| DB2 UDB | 8, 9, 10 | 9.5, 9.7, 10 |
| MySQL | 5.1, 5.5 | 5.1 (not supported with TCP/IP sniffer), 5.5 (not supported with TCP/IP sniffer) |
| PostgreSQL | NA | 8.x |

Collection methods for monitoring

FortiDB monitors database activity using collection methods that are customized for each of the supported target databases. Some collection methods require the FortiDB agent to execute on the target database host. The following table provides collection method information for each type of database. For details about collection methods, in the online help, under “Database Activity Monitoring > Target Monitoring Management > General Tab”, see “Choosing a Collection Method”.

| Target Database | Target collection methods | FortiDB collection methods |
|---|---|---|
| Oracle | audit_trail=DB,EXTENDED | DB, EXTENDED. Agent is not required. |
| Oracle | audit_trail=XML, EXTENDED | XML File Agent. FortiDB agent is required. Please see “Running the Oracle XML File Agent (UNIX, Windows)” in online help. |
| Oracle | SPAN/mirror port | TCP/IP sniffer |
| Oracle | SPAN/mirror port | SYSLOG format |
| MS SQL Server | Trace file (for SQL 2000, see the commands after this table) | SQL Trace. Agent is not required. |
| MS SQL Server | SPAN/mirror port | TCP/IP sniffer |
| DB2 | DB2 configuration | DB2 Agent. FortiDB agent is required. Please see “Running the DB2 Agent on Windows” and “Running the DB2 Agent on UNIX” in online help. |
| DB2 | SPAN/mirror port | TCP/IP sniffer |
| Sybase | MDA | MDA. Agent is not required. |
| Sybase | SPAN/mirror port | TCP/IP sniffer |
| MySQL | General query log | General query log |
| PostgreSQL | SPAN/mirror port | TCP/IP sniffer |

For SQL 2000, make sure the following commands are issued before starting monitoring:

    USE master
    GO
    -- Expose the advanced options so that xp_cmdshell can be configured
    EXEC sp_configure 'show advanced options', 1
    GO
    RECONFIGURE WITH OVERRIDE
    GO
    -- Enable xp_cmdshell (lets T-SQL run operating system commands)
    EXEC sp_configure 'xp_cmdshell', 1
    GO
    RECONFIGURE WITH OVERRIDE
    GO
    -- Set 'show advanced options' back to 0
    EXEC sp_configure 'show advanced options', 0
    GO

Activity profiling and policy-based activity auditing

Activity profiling and policy-based activity auditing can only be used when FortiDB is deployed in sniffing mode.

Internal database repository in sniffing mode

When FortiDB is deployed in sniffing mode, it cannot use an external database repository.

How to set up FortiDB agents

This section explains how to obtain and set up the Oracle XML File Agent and DB2 Agent.

Note: To run the FortiDB agent, your target machine requires Java SE 6 (JDK 6).

Downloading the agent file

Download the latest FortiDB agent in binary mode. Contact Fortinet Technical Support for a download location.

Setting up FortiDB agents

To set up the agents, please refer to the documentation.


How to set up the FortiDB TCP/IP sniffer

The TCP/IP sniffer allows you to collect database activity without using database native audit functionality or installing agents on the database. To use the sniffer, simply configure a SPAN port on the switch and mirror all database traffic to it. Connect one of FortiDB’s interfaces to this port and choose it when you configure the target database in FortiDB’s web UI. This collection method is only supported in the appliance version.

How to set up encoding for displaying data

Some databases can contain information encoded in a non-English character set. Use the following steps to set up FortiDB to display non-English data:

- If you are collecting from an agent-based collector, set the auditFileEncoding property in the agent.properties file to the encoding that the database uses.
- To generate reports that contain non-English encoded characters, set the DAM Report Encoding system property to the encoding you want to use. To access this property, in the web UI, go to Administration > Global Configuration > Reporting.

By default, FortiDB uses UTF-8 encoding. In general, any encoding supported by the Java VM is supported by FortiDB, but for exporting PDF reports, the encoding specified by DAM Report Encoding must map to a supported PDF font. FortiDB supports the following encodings for exporting PDF data:

| Locale | Supported encodings |
|---|---|
| Japanese | Shift_JIS, SJIS, EUC-JP, EUC_JP, x-EUC-JP-LINUX, EUC_JP_LINUX, ISO-2022-JP, ISO2022JP, windows-31j, MS932, Cp930, Cp939, Cp942, Cp943, Cp33722 |
| Chinese | x-mswin-936, MS936, GB18030, x-EUC-CN, EUC_CN, GBK, x-windows-950, MS950, x-MS950-HKSCS, MS950_HKSCS, x-EUC-TW, EUC_TW, Big5, Big5-HKSCS, Cp935, Cp937, Cp948, Cp950, Cp964, ISO2022_CN_CNS, ISO2022_CN_GB |
| Korean | x-windows-949, MS949, EUC-KR, ISO-2022-KR, ISO2022KR |
| Others | UTF-8 |

Visit http://java.sun.com/javase/6/docs/technotes/guides/intl/encoding.doc.html for additional information about encodings supported by the Java virtual machine.

Software install - internal database repository

When using the FortiDB software version and choosing Oracle as the internal repository, only Oracle 10g Release 2 (10.2) or Oracle 11g are supported.


RAID CLI status message

The get system raid command returns the following status message:

    Raid State: Degraded

This message is harmless and can be safely ignored.

RAID configuration changes in 3000D appliances

FortiDB 3000D has a PERC H710 RAID controller, and it supports hardware-based RAID 0, 1, 5, 10, and so on. The only way to change the RAID configuration is in the BIOS. To enter the BIOS Configuration Utility, during startup, when prompted by the BIOS screen, press . You need a keyboard and a display to connect to the FortiDB 3000D appliance. You cannot change the RAID configuration using the serial port connection.

If the RAID level of the FortiDB 3000D is changed, the hard disk needs to be formatted. To obtain the required format image, contact Fortinet Technical Support.

Oracle monitoring with TCP/IP sniffing

When you deploy the FortiDB TCP/IP sniffer to monitor an Oracle database, FortiDB stops monitoring any previously configured connections for that database. To monitor the database using an additional collection method (for example, to monitor local access to the database), create a new connection.

SGA Agent collection method has been removed

The SGA collection method has been removed from the Monitor setup. This option was available for Oracle databases only.


Upgrade instructions

Hardware & software support

Supported hardware

FortiDB 5.1.7 supports the following hardware platforms:

- FortiDB 400B
- FortiDB 400C
- FortiDB 500D
- FortiDB 1000B
- FortiDB 1000C
- FortiDB 1000D
- FortiDB 2000B
- FortiDB 3000D

Supported platforms

FortiDB 5.1.7 software supports the following platforms:

- Windows 2003 32-bit, 64-bit
- Windows XP
- Linux Red Hat 4 64-bit, RH5 64-bit
- Solaris

Supported internal repositories

FortiDB 5.1.7 software supports the following internal repositories:

- Derby (Shipped with FortiDB)
- PostgreSQL 8.3
- Oracle 10g Release 2 (10.2), Oracle 11G
- MS SQL Server 2005, 2008 (Windows only)

Upgrade from previous versions

You can upgrade from previous official 4.x releases. Upgrade from 3.x versions is not supported.


Resolved issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Fortinet Customer Service & Support:

https://support.fortinet.com

Resolved issues

| Bug ID | Description |
|---|---|
| 282237 | FortiDB 500D does not work properly in VLAN environments |
| 267433 | FortiDB models 400B, 2000B, 1000B, 1000C do not work properly after an upgrade to 5.1.5 and 5.1.6 |
| 230240 | Cannot archive when audit data is larger than 2.5 million records |
| 264711 | Table policy does not generate alerts and generates an error message |
| 264700 | The tablecolumn policy cannot select columns that have a name longer than 255 characters |
| 264633 | Data policy for Microsoft SQL database does not generate alerts as expected |
| 263953 | DAM alert detail displays errors when table name contains spaces |
| 277626 | Privilege Summary Report is not displayed correctly |
| 274057 | Support spaces in tablepolicy for audit |
| 241046 | Running a VA scan via the CLI and saving the reports to disk generates error messages |


Known issues

There are no known issues for this release. For inquiries about a particular bug, please contact Fortinet Customer Service & Support:

https://support.fortinet.com


Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.