Imperva Cyber Community

  • 1.  How do you Suppress Unwanted events/alarms?

    Posted 07-16-2020 07:22
    Edited by Christopher Detzel 07-17-2020 10:56
    Dear All,

    I am new to the DAM and still learning. I have seen a lot of unwanted alerts at agent level, and particularly one of them is IPv6 listener traffic from the DB servers. I got a reply from Imperva that IPv6 listener traffic is not processed by the DAM gateway.

    # Could someone please provide the steps to disable/stop IPv6 listener traffic on the respective servers.

    Next query: I am capturing and analyzing the events from the Traffic Distribution Analysis feature to exclude the trusted traffic at agent level.

    # Any minimum baseline standard controls to be followed to exclude the same?

    Thanks
    Prabhu

    #DatabaseActivityMonitoring

    ------------------------------
    Prabhu S

    ------------------------------


  • 2.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-17-2020 10:44
    Hi,

    Advanced configuration to disable the constant IPv6 events:
    <system-events-ipv6-listener-identified-enable>false</system-events-ipv6-listener-identified-enable>

    Regarding traffic analysis, if the agent is not having performance issues, then consider not ignoring traffic.
    If there are performance issues (lots of system capping, etc.), then use the Agent Monitoring Rules > Agent Criteria.
    The Agent Criteria rules typically work well for Source IP addresses and Process Details (note that ignoring the localhost may need to be set to 0.0.0.0).
    You'll want to dig more into the documentation, test in non-prod, and discuss with support to get your environment configured properly.

    ------------------------------
    Michael Kozikowski
    Visa
    DE
    ------------------------------



  • 3.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-17-2020 23:44
    Thanks Michael...

    I hope that the HPS will decrease and we will be able to see more legitimate DB traffic if we disable the IPv6 listener traffic. Could you please confirm...

    TDA: certain agents have performance issues like capping, etc.; we are observing these to get more detail on this.

    Regards
    Prabhu

    ------------------------------
    Prabhu S
    Shakhbout City Al Mafraq
    ------------------------------



  • 4.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-20-2020 13:53
    Prabhu,
    Currently the agents do not support monitoring data via IPv6, so Imperva created an alert to inform you that IPv6 interfaces have been identified and cannot be monitored. Suppressing this alert will not change the load on the agent; it only suppresses the generation of an IPv6 alert, with no change in the event load.

    If you want to reduce the agent load, I would first look at the discovered interfaces and disable any that aren't end user listeners. This would include replication, backup, or other interfaces that transmit large amounts of traffic but do not apply to our data. If the data is irrelevant but enabled, the agent will pick it up and send it to the gateway, only to have the gateway discard it. Disabling those non-relevant listeners can bring a significant reduction in load. After that, the agent exclusion rules are the place to look; be careful with those, as they are based on the sessions. Wide rules are the way to go here. Exclude things like monitoring tools, backup, replication, known data connections, etc.

    Hope this helps!

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 5.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-21-2020 08:29
    Thanks Paul..

    If we have an option in Agent Criteria under AMR to exclude the unwanted events or similar kinds of traffic, then this will reduce the load at the agent level.

    Please correct me if I am wrong.

    Regards
    Prabhu

    ------------------------------
    Prabhu S
    Shakhbout City Al Mafraq
    ------------------------------



  • 6.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-21-2020 11:11
    Prabhu,
    That is correct, setting the irrelevant interfaces to "ignore" or using AMR exclude rules will reduce the load on the agent.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 7.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-21-2020 11:55
    Hi Paul,

    I have a single eth interface whose properties have IPv4 and IPv6 options. I can't disable the IPv6 option because MS clearly said that it may not work sometimes.

    The IPv6 listener traffic is generated and forwarded through the same ethernet port [via the DAM agent discovered interface]. So the only option is to exclude this type of traffic via agent criteria.

    When we look at the agent criteria, it doesn't have the option to do that.

    Thanks
    Prabhu

    ------------------------------
    Prabhu S
    Shakhbout City Al Mafraq
    ------------------------------



  • 8.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-21-2020 17:26
    Prabhu,
    The agent listener does not pick up IPv6 traffic. The process that analyzes listeners detects an IPv6 listener and sends an alert, but no IPv6 traffic listener is ever created by our agents. We only have IPv4 listeners using an IP/port combination for the definition. If you need proof of this, you can enable a loopback pcap. It will write a pcap from the agent of everything it is sending to the gateway. This file will be created in the "/remoteagent/var" directory. Don't let this run too long, as this pcap will grow very quickly to huge sizes.

    To create this pcap, add this switch to the agent advanced settings: <should-create-loopback-pcap>1</should-create-loopback-pcap>
    When done, set it back to: <should-create-loopback-pcap>0</should-create-loopback-pcap>

    If you are using a v14.x agent, the size of this file is limited to 512 MB by default.
    You can increase this to a max size of 2000 MB: <loopback-pcap-max-size-in-mb>2000</loopback-pcap-max-size-in-mb>

    This file can then be opened in Wireshark and you can see if the agent is actually capturing IPv6.



    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------
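A scripted version of the Wireshark check described in the post above, added here as an example and not code from Imperva or anyone in the thread: it walks a classic libpcap file and tallies frames by EtherType, so a loopback pcap whose count shows no "ipv6" key confirms the agent is not forwarding IPv6. It assumes the agent's pcap uses Ethernet framing (link type 1); the embedded sample capture is constructed for the demonstration, not a real agent capture.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_VLAN = 0x0800, 0x86DD, 0x8100
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamp variants
LINKTYPE_ETHERNET = 1  # assumption: the agent's loopback pcap uses Ethernet framing


def _ethertype(frame: bytes) -> int:
    # EtherType sits at offset 12; step past a single 802.1Q VLAN tag if present.
    if len(frame) < 14:
        return -1
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype == ETHERTYPE_VLAN and len(frame) >= 18:
        etype = struct.unpack_from("!H", frame, 16)[0]
    return etype


def count_ip_versions(pcap: bytes) -> dict:
    """Walk a classic libpcap file and count ipv4 / ipv6 / other frames."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    endian = "<" if struct.unpack_from("<I", pcap)[0] in PCAP_MAGICS else ">"
    if struct.unpack_from(endian + "I", pcap)[0] not in PCAP_MAGICS:
        raise ValueError("not a libpcap capture (unknown magic)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type; only Ethernet is handled here")
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap):  # 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack_from(endian + "I", pcap, offset + 8)[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record (capture stopped mid-write)
        etype = _ethertype(frame)
        counts["ipv4" if etype == ETHERTYPE_IPV4 else "ipv6" if etype == ETHERTYPE_IPV6 else "other"] += 1
        offset += 16 + incl_len
    return dict(counts)


def _record(etype: int, vlan: bool = False) -> bytes:
    # Constructed test frame: zeroed MACs, optional VLAN tag, then a dummy payload.
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 0x0001) if vlan else b""
    frame = b"\x00" * 12 + tag + struct.pack("!H", etype) + b"\x00" * 40
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


# Constructed sample capture (not a real agent pcap): 3 IPv4 frames, one VLAN-tagged, plus 1 IPv6.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + _record(ETHERTYPE_IPV4) * 2 + _record(ETHERTYPE_IPV4, vlan=True)
               + _record(ETHERTYPE_IPV6))
```

Against a real capture, call `count_ip_versions(open(path, "rb").read())` on the file from the agent's var directory; the loop stops cleanly at a half-written last record, which is expected when the pcap is read while the agent is still appending to it.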



  • 9.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-21-2020 18:30
    Prabhu,
    With all of that in mind, the simple and effective approach is to disable the alerts with:
    <system-events-ipv6-listener-identified-enable>false</system-events-ipv6-listener-identified-enable>

    Again, take care to not ignore traffic unless it is actually impacting the DB server resources (CPU, etc.) or the Imperva appliances. Lowering the HPS may not actually be needed if everything is performing well. Are you actually seeing some sort of degradation? If so, then you'll want to engage support.

    Regards,
    Mike

    ------------------------------
    Michael Kozikowski
    Visa
    DE
    ------------------------------



  • 10.  RE: How do you Suppress Unwanted events/alarms?

    Posted 07-22-2020 11:39
    Thanks Paul and Michael..

    ------------------------------
    Prabhu S
    Shakhbout City Al Mafraq
    ------------------------------