Troubleshooting
Problem
There are two methods to verify S-TAP from the Guardium appliance: 1. Standard S-TAP verification 2. Advanced S-TAP verification What are the steps to resolve S-TAP verification failures ?
Symptom
S-TAP Verification fails with 0 Failed Checks and the following message:
"S-TAP verification completed. Not able to verify if the S-TAP is monitoring database traffic"
or message could read slightly different. For example:
"S-TAP verification complete."
or
"S-TAP verification completed. Not able to verify if the S-TAP is monitoring network database traffic"
Resolving The Problem
Standard Verification:
Checks the S-TAP and inspection engine by submitting an invalid login request to verify that the appropriate error message is returned. Upon receiving the S-TAP Verification Results pop-up, click the "Run Diagnostics" link under the Action column to confirm the basic checks have been made. If there are any errors in the checks, address the issue. By default, the system waits five seconds before displaying the verification results. High network latency can cause slow response from database server. The CLI command "store network_latency" can be issued if more time is needed to wait for response from the database server.
Network address translation between network locations where S-TAP and collector are installed will result in 0 failed checks.
Otherwise, if the result comes back with 0 Failed checks, yet the S-TAP verification still fails, the security policy configured might be the culprit behind such a failure.
During Standard S-TAP verification, the Guardium appliance issues an invalid login request with user 'resutlfd' against the database as seen in the following SLON trace:
STAP/KTAP TIME: 1415898368990
Packet 6 FROM 9.X.X.41 49158 TO 9.X.X.143 1434 Packet length: 180 1 0 1
00000000 : 10 01 00 b4 00 00 01 00 ac 00 00 00 04 00 00 74 ...............t
00000010 : ff 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 : e0 03 00 00 00 00 00 00 00 00 00 00 5e 00 0b 00 ............^...
00000030 : 74 00 08 00 84 00 08 00 94 00 00 00 94 00 0c 00 t...............
00000040 : ac 00 00 00 ac 00 00 00 ac 00 00 00 ac 00 00 00 ................
00000050 : 00 00 00 00 00 00 ac 00 00 00 ac 00 00 00 ac 00 ................
00000060 : 00 00 00 00 00 00 39 00 2e 00 37 00 30 00 2e 00 ......9...7.0...
00000070 : 31 00 34 00 38 00 2e 00 34 00 31 00 72 00 65 00 1.4.8...4.1.r.e.
00000080 : 73 00 75 00 74 00 6c 00 66 00 64 00 e3 a5 82 a5 s.u.t.l.f.d.....
00000090 : 53 a5 d2 a5 92 a5 92 a5 b3 a5 a2 a5 39 00 2e 00 S...........9...
000000a0 : 37 00 30 00 2e 00 31 00 34 00 38 00 2e 00 31 00 7.0...1.4.8...1.
000000b0 : 34 00 33 00 4.3.
The request is sure to fail, so the database server should send an exception of type 'LOGIN_FAILED' back to the Guardium appliance as follows:
STAP/KTAP TIME: 1415898369090
Packet 7 FROM 9.X.X.143 1434 TO 9.X.X.41 49158 Packet length: 154 1 1 6
00000000 : 04 01 00 9a 00 33 01 00 aa 82 00 18 48 00 00 01 .....3......H...
00000010 : 0e 21 00 4c 00 6f 00 67 00 69 00 6e 00 20 00 66 .!.L.o.g.i.n. .f
00000020 : 00 61 00 69 00 6c 00 65 00 64 00 20 00 66 00 6f .a.i.l.e.d. .f.o
00000030 : 00 72 00 20 00 75 00 73 00 65 00 72 00 20 00 27 .r. .u.s.e.r. .'
00000040 : 00 72 00 65 00 73 00 75 00 74 00 6c 00 66 00 64 .r.e.s.u.t.l.f.d
00000050 : 00 27 00 2e 00 19 53 00 55 00 50 00 50 00 4c 00 .'....S.U.P.P.L.
00000060 : 32 00 2d 00 57 00 49 00 4e 00 33 00 5c 00 53 00 5.-.W.I.N.3.\.S.
00000070 : 51 00 4c 00 53 00 45 00 52 00 56 00 45 00 52 00 Q.L.S.E.R.V.E.R.
00000080 : 32 00 30 00 31 00 32 00 00 01 00 00 00 fd 02 00 2.0.1.0.........
00000090 : 00 00 00 00 00 00 00 00 00 00 ..........
The response of error type LOGIN_FAILED is an exception. Therefore, an entry is made in the TURBINE.GDM_EXCEPTION MySQL table. If this entry cannot be made, the standard S-TAP verification will fail. Querying this table will confirm if an entry has been made. If an entry has not been made for the standard S-TAP verification test, this is likely due to the security policy rules configured on the appliance. Check if any policy rules ignore exceptions and errors returned by the database server or skip logging such information. Editing the policy with appropriate filters or testing with an "ALLOW-ALL" policy can confirm if this is the problem.
Advanced Verification:
For this type, a datasource definition associated with the target database needs to be created. The datasource definition includes credentials, which the verification process uses to log into the database. Then it submits a request to retrieve data from a non-existent table in order to generate an error message. Upon receiving the S-TAP Verification Results pop-up, click the "Run Diagnostics" link under the Action column to confirm the basic checks have been made. If there are any errors in the checks, address the issue. By default, the system waits five seconds before displaying the verification results. High network latency can cause slow response from database server. The CLI command "store network_latency" can be issued if more time is needed to wait for response from the database server.
Network address translation between network locations where S-TAP and collector are installed will result in 0 failed checks.
Otherwise, if the result comes back with 0 Failed checks (see screenshot above), yet the S-TAP verification still fails, the security policy configured is the likely culprit behind such a failure.
During Advanced S-TAP verification, the Guardium appliance issues the following SQL statement against the database, "SELECT * FROM NON_EXISTENT_TABLE" as seen in this SLON trace:
STAP/KTAP TIME: 1413989611156
Packet 9586 FROM 10.X.X.44 36019 TO 10.X.X.21 4902 Packet length: 94 1 0 6
00000000 : 01 01 00 5e 00 00 01 00 16 00 00 00 12 00 00 00 ...^............
00000010 : 02 00 00 00 00 00 00 00 00 00 01 00 00 00 53 00 ..............S.
00000020 : 45 00 4c 00 45 00 43 00 54 00 20 00 2a 00 20 00 E.L.E.C.T. .*. .
00000030 : 46 00 52 00 4f 00 4d 00 20 00 4e 00 4f 00 4e 00 F.R.O.M. .N.O.N.
00000040 : 5f 00 45 00 58 00 49 00 53 00 54 00 45 00 4e 00 _.E.X.I.S.T.E.N.
00000050 : 54 00 5f 00 54 00 41 00 42 00 4c 00 45 00 T._.T.A.B.L.E.
The SQL statement is sure to fail, so the database server should send an exception type of 'SQL_ERROR' back to the Guardium appliance as follows:
STAP/KTAP TIME: 1413989611156
Packet 9587 FROM 10.X.X.21 4902 TO 10.X.X.44 36019 Packet length: 152 1 1 6
00000000 : 04 01 00 98 00 3a 01 00 aa 80 00 d0 00 00 00 01 .....:..........
00000010 : 10 29 00 49 00 6e 00 76 00 61 00 6c 00 69 00 64 .).I.n.v.a.l.i.d
00000020 : 00 20 00 6f 00 62 00 6a 00 65 00 63 00 74 00 20 . .o.b.j.e.c.t.
00000030 : 00 6e 00 61 00 6d 00 65 00 20 00 27 00 4e 00 4f .n.a.m.e. .'.N.O
00000040 : 00 4e 00 5f 00 45 00 58 00 49 00 53 00 54 00 45 .N._.E.X.I.S.T.E
00000050 : 00 4e 00 54 00 5f 00 54 00 41 00 42 00 4c 00 45 .N.T._.T.A.B.L.E
00000060 : 00 27 00 2e 00 10 52 00 4f 00 45 00 47 00 50 00 .'....D.A.T.A.S.
00000070 : 53 00 39 00 30 00 31 00 51 00 5c 00 44 00 45 00 O.U.R.C.E.\.N.A.
00000080 : 56 00 30 00 38 00 00 01 00 00 00 fd 02 00 fd 00 M.E.1...........
00000090 : 00 00 00 00 00 00 00 00 ........
The response of error type SQL_ERROR is an exception. Therefore, an entry is made in the TURBINE.GDM_EXCEPTION MySQL table. If this entry cannot be made, the advanced S-TAP verification will fail. Querying this table will confirm if an entry has been made. If an entry has not been made for the advanced S-TAP verification test, this is likely due to the security policy rules configured on the appliance. Check if any policy rules ignore exceptions and errors returned by the database server or skip logging such information. Editing the policy with appropriate filters or testing with an "ALLOW-ALL" policy can confirm if this is the problem.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21690135