Imperva Cyber Community

  • 1.  Rearrange Custom Security Policy

    Posted 10-15-2025 06:45

    Hi All,

    I created a security policy for Match criteria - operation = insert with alert only. It is running well.

    But I created a new one for insert with an additional criterion (row affected > 30) and blocking on.

    When I run an insert query against the database, it hits the 1st insert policy.

    So, I am wondering if MX has the capability to re-arrange the policies that have been created?

    Thank you
    Aloysius - Indonesia

    #DatabaseActivityMonitoring

    ------------------------------
    Aloysius Erwin
    se
    PT Exclusive Networks Indonesia
    Jakarta
    ------------------------------


  • 2.  RE: Rearrange Custom Security Policy

    Posted 10-15-2025 15:06
    Edited by SBISOC 4430 10-15-2025 15:23

    Hi Aloysius,

    Traffic can be blocked via configuring a security policy on the DAM. Irrespective of connection mode (sniffing or inline), it is always the Gateway that decides whether or not to block traffic. The Gateway gets audit data from the agent, checks the policies defined, and then decides on what to do with the analysed traffic. A SecureSphere agent can block traffic when all the following conditions are met: 

    1. In the SecureSphere Agent's Settings tab, Enable Blocking is selected.

    2. Default Connection Mode must be set to either Sniffing or Inline. In both cases, the agent forwards the traffic to the gateway.

    3. Under Setup > Sites, ensure that the server group is in Active operation mode instead of Simulation mode.

    4. Under Security Policies, an applicable security policy blocks the traffic when Action field is set to Block.

    5. Above conditions help in blocking Internal/Local Traffic. In order to block External Traffic, one has to add an advanced agent configuration, restart agent and database.

    https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/65699.htm

    https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/63714.htm

    https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/62795.htm

    https://docs-cybersec.thalesgroup.com/bundle/v14.19-dam-user-guide/page/2995.htm

    https://docs-cybersec.thalesgroup.com/bundle/z-kb-articles-knowledgebase-support/page/289936538.html

    For MSSQL Advanced Monitoring mode, inline mode is not supported. For MSSQL databases on Windows OS, after blocking in the sniffing mode for local TCP connections, it takes about a minute for the client to close the local TCP session (AGNT-6398). 

    In MSSQL Advanced Mode, blocking that is triggered by traffic from one agent causes blocking on all agents having the same server group (irrespective of the Gateways to which the agents are connected).

    Regards,



    ------------------------------
    SBISOC 4430
    Manager
    Mumbai
    ------------------------------