Hi Aloysius,
Traffic can be blocked by configuring a security policy on the DAM. Irrespective of the connection mode (sniffing or inline), it is always the Gateway that decides whether or not to block traffic. The Gateway gets audit data from the agent, checks the policies defined, and then decides what to do with the analysed traffic. A SecureSphere agent can block traffic when all of the following conditions are met:
- In the SecureSphere Agent's Settings tab, Enable Blocking is selected.
- Default Connection Mode must be set to either Sniffing or Inline. In both cases, the agent forwards the traffic to the gateway.
- Under Setup > Sites, ensure that the server group is in Active operation mode instead of Simulation mode.
- Under Security Policies, an applicable security policy blocks the traffic when the Action field is set to Block.

The above conditions help in blocking internal/local traffic. In order to block external traffic, one has to add an advanced agent configuration and restart the agent and the database.
https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/65699.htm
https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/63714.htm
https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/62795.htm
https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/2995.htm
https://docs-cybersec.thalesgroup.com/bundle/z-kb-articles-knowledgebase-support/page/289936538.html
For MSSQL Advanced Monitoring mode, inline mode is not supported. For MSSQL databases on Windows OS, after blocking in the sniffing mode for local TCP connections, it takes about a minute for the client to close the local TCP session (AGNT-6398).
In MSSQL Advanced Mode, blocking that is triggered by traffic from one agent causes blocking on all agents having the same server group (irrespective of the Gateways to which the agents are connected).
Regards,
------------------------------
SBISOC 4430
Manager
Mumbai
------------------------------