Prabhu,
The agent listener does not pick up IPv6 traffic. The process that analyzes listeners detects an IPv6 listener and sends an alert, but no IPv6 traffic listener is ever created by our agents. We only have IPv4 listeners using an IP/port combination for the definition. If you need proof of this, you can enable a loopback pcap. It will write a pcap from the agent of everything it is sending to the gateway. This file will be created in the "/remoteagent/var" directory. Don't let this run too long, as this pcap will grow very quickly to huge sizes.
To create this pcap, add this switch to the agent advanced settings: <should-create-loopback-pcap>1</should-create-loopback-pcap>
When done, set it back to: <should-create-loopback-pcap>0</should-create-loopback-pcap>
If you are using a v14.x agent, the size of this file is limited to 512 MB by default.
You can increase this to a max size of 2000 MB: <loopback-pcap-max-size-in-mb>2000</loopback-pcap-max-size-in-mb>
This file can then be opened in Wireshark and you can see if the agent is actually capturing IPv6.
------------------------------
Paul Hammons
Imperva Senior Sales Engineer
Cape Coral, Florida
------------------------------
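The check described in the reply above (does the loopback pcap contain any IPv6 frames?) can also be done without Wireshark. This is an added example, not Imperva code and not part of the original post; it assumes the agent writes a classic (non-pcapng) pcap with an Ethernet, Linux cooked or raw-IP link type, and the sample capture inside it is constructed.

```python
import io
import struct
from collections import Counter

ETHERTYPES = {0x0800: "ipv4", 0x86DD: "ipv6"}

def classify(linktype, frame):
    """Label one captured frame as 'ipv4', 'ipv6' or 'other'."""
    if linktype == 101:                        # DLT_RAW: starts at the IP header
        return {4: "ipv4", 6: "ipv6"}.get(frame[0] >> 4, "other") if frame else "other"
    off = {1: 12, 113: 14}.get(linktype)       # Ethernet II / Linux cooked (SLL)
    if off is None or len(frame) < off + 2:
        return "other"
    (etype,) = struct.unpack_from("!H", frame, off)
    # Skip 802.1Q / 802.1ad VLAN tags on Ethernet frames
    while linktype == 1 and etype in (0x8100, 0x88A8) and len(frame) >= off + 6:
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return ETHERTYPES.get(etype, "other")

def count_ip_versions(stream):
    """Count frames per IP version in a classic (non-pcapng) pcap stream."""
    hdr = stream.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(hdr[:4])
    if len(hdr) < 24 or endian is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", hdr[20:24])
    counts = Counter()
    while len(rec := stream.read(16)) == 16:
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = stream.read(incl_len)
        if len(frame) < incl_len:              # capture stopped mid-record
            break
        counts[classify(linktype, frame)] += 1
    return counts

def sample_pcap():
    """Constructed Ethernet capture: 2 IPv4, 1 IPv6, 1 VLAN-tagged IPv6, 1 ARP."""
    macs, pad = b"\x00" * 12, b"\x00" * 40
    frames = [macs + struct.pack("!H", t) + pad for t in (0x0800, 0x0800, 0x86DD, 0x0806)]
    frames.append(macs + struct.pack("!HHH", 0x8100, 100, 0x86DD) + pad)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(dict(count_ip_versions(io.BytesIO(sample_pcap()))))
```

For a real capture, pass `open(path, "rb")` for the file the agent wrote; the parser reads record by record, so a multi-hundred-megabyte pcap does not need to fit in memory.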
Original Message:
Sent: 07-21-2020 11:55
From: Prabhu S
Subject: How do you Suppress Unwanted events/alarms?
Hi Paul,
I have a single eth intf properties which has IPv4 and IPv6 options. I can't disable the IPv6 option because MS clearly said that it may not work sometimes.
The IPv6 listener traffic is generated and forwarded through the same Ethernet port [via the DAM agent discovered interface]. So the only option is to exclude this type of traffic via agent criteria.
When we look at the agent criteria, we don't have the option to do that.
Thanks
Prabhu
------------------------------
Prabhu S
Shakhbout City Al Mafraq
Original Message:
Sent: 07-21-2020 11:11
From: Paul Hammons
Subject: How do you Suppress Unwanted events/alarms?
Prabhu,
That is correct, setting the irrelevant interfaces to "ignore" or using AMR exclude rules will reduce the load on the agent.
------------------------------
Paul Hammons
Imperva Senior Sales Engineer
Cape Coral, Florida
Original Message:
Sent: 07-21-2020 08:28
From: Prabhu S
Subject: How do you Suppress Unwanted events/alarms?
Thanks Paul..
If we have an option in Agent Criteria under AMR to exclude the unwanted events or similar kinds of traffic, then this will reduce the load at the agent level.
Pls correct me if I am wrong.
Regards
Prabhu
------------------------------
Prabhu S
Shakhbout City Al Mafraq
Original Message:
Sent: 07-20-2020 13:52
From: Paul Hammons
Subject: How do you Suppress Unwanted events/alarms?
Prabhu,
Currently the agents do not support monitoring data via IPv6, so Imperva created an alert to inform you that IPv6 interfaces have been identified and cannot be monitored. Suppressing this alert will not change the load on the agent, it is only suppressing the generation of an IPv6 alert, no change in the event load.
If you want to reduce the agent load, I would first look at the discovered interfaces and disable any that aren't end user listeners. This would include replication, backup, or other interfaces that transmit large amounts of traffic, but do not apply to our data. If the data is irrelevant but enabled, the agent will pick it up and send it to the gateway, only to have the gateway discard it. Disabling those non-relevant listeners can bring a significant reduction in load. After that, the agent exclusion rules are the place to look; be careful with those, as they are based on the sessions. Wide rules are the way to go here. Exclude things like monitoring tools, backup, replication, known data connections, etc.
Hope this helps!
------------------------------
Paul Hammons
Imperva Senior Sales Engineer
Cape Coral, Florida
Original Message:
Sent: 07-17-2020 23:44
From: Prabhu S
Subject: How do you Suppress Unwanted events/alarms?
Thanks Michael....
I hope that HPS will decrease and we will be able to see more legitimate DB traffic if we disable the IPv6 listener traffic. Could you pls confirm...
TDA - certain agents have performance issues like capping etc.; we are in observation to get more detail on this.
Regards
Prabhu
------------------------------
Prabhu S
Shakhbout City Al Mafraq
Original Message:
Sent: 07-17-2020 09:22
From: Michael Kozikowski
Subject: How do you Suppress Unwanted events/alarms?
Hi,
Advanced configuration to disable the constant IPv6 events:
<system-events-ipv6-listener-identified-enable>false</system-events-ipv6-listener-identified-enable>
Regarding traffic analysis, if the agent is not having performance issues, then consider not ignoring traffic.
If there are performance issues (lots of system capping, etc.), then use the Agent Monitoring Rules > Agent Criteria.
The Agent Criteria rules typically work well for Source IP addresses and Process Details (note that ignoring the localhost may need to be set to 0.0.0.0).
You'll want to dig more into the documentation, test in non-prod, and discuss with support to get your environment configured properly.
------------------------------
Michael Kozikowski
Visa
DE
Original Message:
Sent: 07-16-2020 04:39
From: Prabhu S
Subject: How do you Suppress Unwanted events/alarms?
Dear All,
I am new to the DAM and still learning. I have seen a lot of unwanted alerts at agent level, and one of them in particular is IPv6 listener traffic from the DB servers. I got a reply from Imperva that IPv6 listener traffic is not processed by the DAM gateway.
# Could someone pls provide the steps to disable/stop IPv6 listener traffic on the respective servers.
Next query: I am capturing and analyzing the events from the Traffic Distribution Analysis feature to exclude the trusted traffic at agent level.
# Any minimum baseline standard controls to be followed to exclude the same.
Thanks
Prabhu
#DatabaseActivityMonitoring
------------------------------
Prabhu S
------------------------------