Imperva Cyber Community


Is there a limitation on blocking when my windows server + MSSQL has DH?

  • 1.  Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 25 days ago
    Hi Everyone

    I come again for your help. I just installed an agent on:

    Windows 2016 + MSSQL (it's in the list of the ACP)
    Agent version: Imperva-ragent-Windows-b14.4.0.20.0.596392

    The issue: the agent is not blocking.

    It has advanced monitoring configured as follows:
    <external-traffic-monitoring-in-kern>1</external-traffic-monitoring-in-kern>
    <mssql-advanced-monitoring>1</mssql-advanced-monitoring>

    The agent is in sniffing mode (should it be in inline mode?)

    Also, we have DH enabled on the server.

    Any idea what I'm missing?


    #DatabaseActivityMonitoring
    #ImpervaAgent

    ------------------------------
    Freddy Brito
    Daitek S.A.
    Buenos Aires, Argentina
    ------------------------------


  • 2.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 25 days ago
    When you apply this configuration

    <external-traffic-monitoring-in-kern>1</external-traffic-monitoring-in-kern>
    <mssql-advanced-monitoring>1</mssql-advanced-monitoring>

    Have you restarted the agent after putting in this command?

    ------------------------------
    alejandro hernandez
    Mexico City
    ------------------------------



  • 3.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 25 days ago
    Hi Alejandro.

    Yes. I restarted the agent.

    Best regards

    --
    Freddy Brito
    freddy.brito@daitek.com.ar

    Avda Corrientes 3360 Piso 12

    C1193AAS - CABA - Argentina

    t + 54 11 5275 9710 | c +54 11 9 2653 9420 

    info@daitek.com.ar | www.daitek.com.ar






  • 4.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Impervian
    Posted 25 days ago
    Hello,

    Have you checked your operation mode? It should be active in order to block requests, not simulation.

    https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/458.htm

    Br,

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 5.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 25 days ago
    Hi Sabajete

    Yes, I'm in active mode


    And the Agent





    Any idea?

    Best regards


    --
    Freddy Brito






  • 6.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 25 days ago
    Hi Everyone

    Here I come with the reason for this issue on Windows + MSSQL.

    This is related to a known bug, AGNT-9013.

    In Agent v14.4 Patch 10 it was fixed, according to the Agent 14.4 release notes (check the attachment). However, the online documentation says the following:
    https://docs.imperva.com/bundle/v14.4-agent-release-notes/page/release-highlights.htm

    And support told me that blocking is only supported with agent in sniffing mode, hence, this is best-effort only and we cannot guarantee 100% blocking.

    But also I noticed blocking in win2012 and not in win2016.  

    Regards



    ------------------------------
    Freddy Brito
    Daitek S.A.
    CABA AGU
    ------------------------------




  • 7.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Imperva Employee
    Posted 20 days ago
    Freddy,
    In this scenario, the agent has to be in sniffing mode.  Because this is a best effort blocking, some items will get through.  I find it very useful to pair a short or long block to a block event.  In this scenario, if an IP triggers a block action, with a long block followed action, that IP will be unable to do anything against the DB for a while.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 8.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 19 days ago
    Thanks Paul

    But I'm not able to block yet. Once I resolve this I'll try what you suggested.

    Thanks

    Best regards





    --
    Freddy Brito






  • 9.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Imperva Employee
    Posted 19 days ago
    Freddy,
    When testing this, remember, the first attempt will probably not be blocked, you should try it multiple times.
    A great test for this is to block on a query that returns a large dataset.  If the dataset is large enough it gives our system time to initiate the block on, even in sniffing mode.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------