DAM Process Document

INDEX

1.1 Introduction
1.2 Gateway Listener Configuration
1.3 Agent Installation
1.4 DB Service Discovery Configuration
1.5 DB Data Classification Configuration
1.6 Risk Assessment of DB Server Configuration
1.7 Site and Server Group Configuration
1.8 Security and Audit Policy Creation
1.9 Audit and Alert Report Creation
1.10 Monitoring Alerts, Violations, System Events and Alarms
1.11 Incident Creation and Closure Process
1.12 Daily Monitoring Activity
1.13 Backup Configuration and Process
1.14 DC and DR Audit Policy with Disk Quota and Purge Period
1.15 Report Archive and Purging
1.16 Other Configuration
    Uploading the License
    Adding a Route for a Particular Subnet or Agent IP on the Gateway
    Extracting the Archived Report File (MPRV)
    Generating the GTI

Page 1 of 77
1.1. INTRODUCTION
The purpose of this document is to give a brief overview of the Imperva application console and its configuration. It also covers the daily tasks and the monitoring process, and describes the backup, security, audit and purging policies configured in the DAM solution.

Listener Configuration on the gateway

1.2. Gateway Listener Configuration
Before registering an agent, a listener must first be configured on the gateway via the CLI. One listener is needed per gateway, and a single listener can serve multiple agents. In BOI, port 5555 is configured as the listener port on the gateway; agents communicate with it for log transfer.

To configure a listener on the gateway, SSH to the gateway and:

1. Type the command impcfg.
2. Choose Manage Gateway.
3. Choose Manage Remote Agents.
4. Choose Add a Listener.
5. Define the type of listener. TCP is recommended.
6. Type an IP address for the listener. This can be the IP address of the Management interface.
7. Type an IP mask for the listener.
8. Type a port for the listener. This should be a high port, above 1024. In our premises we have configured port 5555.
9. Choose the interface you want the listener to listen on.
10. If you want to add a Virtual IP address, choose y; otherwise type n.
11. Choose whether to enable SSL (if you want the communication encrypted). For this example we say no. You are returned to the main menu.
12. Type t to move to the top level.
13. Type A to apply your changes. The listener is now configured and you can register the agent.

For an overview of installing agents, see "Overview of Installing Agents".

1.3. Agent Installation

Checking database and OS support

The supported databases and the corresponding OS details can be checked at the link below:
https://www.imperva.com/data-security-coverage-tool/
Download link for the agent and the which_ragent_package tool:
https://ftp-us.imperva.com/
Imperva agent location (internal share): \\172.1.57.119\sharefolder\DAM\New Agents\

Agent Memory Requirements

The SecureSphere Agent requires memory for operation based on several factors. The following table lists the amount of memory required for operation by number of CPU cores:

CPU cores     | Windows | Linux/Unix
1-32 cores    | 300 MB  | 360 MB
32-128 cores  | 500 MB  | 660 MB
>128 cores    | 2 GB    | 2 GB

Agent Disk Space Requirements

The SecureSphere Agent uses up to 500 MB of database server disk space for its normal operation, logging, storing configuration, and more. In addition, to ensure that audit information is preserved in the event of network problems, the SecureSphere Agent reserves 8 GB of database server disk space by default.

Disk space requirements

Operation                                                                        | AIX    | Solaris | HPUX    | Linux  | Windows
Normal operation, logging, storing configuration, and more (installation folder)  | 500 MB | 500 MB  | 500 MB  | 500 MB | 500 MB
Ensure audit information is preserved in the event of network problems            | 8 GB   | 8 GB    | 8 GB    | 8 GB   | 8 GB
Required when upgrading agents*                                                   | 750 MB | 1500 MB | 1250 MB | 250 MB | 300 MB

Required Permissions for Agent Installation/Configuration
To install and configure agents, you require administrator privileges. To run with administrator privileges:
In Windows: Open the Windows Start Menu, search for "cmd", then right-click cmd.exe and select "Run as administrator". In the command window, navigate to the location of the installation package and run it as required.
In Unix/Linux: Run as the root user (uid=0). In addition, the /tmp folder (the location where the installation setup was copied) must be mounted with execution permission, i.e. with options such as (rw,nosuid,nodev,exec,relatime). To verify, run the command below; every mount listed in its output is mounted noexec:
 mount | grep noexec
Sample output:
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,attr2,inode64,noquota)
/dev/mapper/rhel-var_tmp on /var/tmp type xfs (rw,nosuid,nodev,noexec,relatime,attr2,inode64,noquota)
In this sample the /tmp folder has no execution permission (noexec), so the installation script cannot be executed from that folder.
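The noexec check above is read by eye from the mount output. The shell script below, added here as an example and not part of the BOI document or of Imperva's tooling, performs the same check programmatically so it can run as a pre-flight step before an installer is copied to /tmp. The mount output embedded in it is a constructed sample modelled on the lines above; on a real server pass "$(mount)" instead.

```shell
#!/bin/sh
# Added example (not from the BOI document): report whether a mount point
# carries the noexec option, which would stop ./install.sh running from it.

# Constructed sample of "mount" output (two noexec mounts and one that allows exec).
SAMPLE_MOUNT_OUTPUT='sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,attr2,inode64,noquota)
/dev/mapper/rhel-opt on /opt type xfs (rw,relatime,attr2,inode64,noquota)'

# mount_options <mount output> <mount point>
# Prints the comma-separated option list of the given mount point, or nothing
# if the mount point does not appear in the output.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$3 == mp { gsub(/[()]/, "", $6); print $6; exit }'
}

# has_noexec <mount output> <mount point>
# Returns 0 when the mount point is mounted noexec, 1 when exec is allowed,
# 2 when the mount point is not listed at all.
has_noexec() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# staging_dir_status <mount output> <mount point>
# Prints "blocked", "ok" or "unknown" so a wrapper script can act on it.
staging_dir_status() {
    rc=0
    has_noexec "$1" "$2" || rc=$?
    case $rc in
        0) echo blocked ;;
        1) echo ok ;;
        *) echo unknown ;;
    esac
}

# Live usage on the database server (replace the sample with real output):
#   staging_dir_status "$(mount)" /tmp
```

With the constructed sample, /tmp reports "blocked" and /opt reports "ok"; a mount point that is not a separate filesystem (and so is not listed by mount) reports "unknown", in which case the options of its parent filesystem apply.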

To install a Linux agent:

The which_ragent_package tool is a tool developed by Imperva meant to take the guesswork out of deciding which agent package to use. Make sure to download the latest version of the which_ragent_package tool every time you want to run it.
Note: The which_ragent_package tool is relevant for non-Windows OS only.

1. Copy "which_ragent_package" from "\\172.1.57.119\sharefolder\DAM\New Agents\which_ragent" to the /tmp location of the remote server. (On the FTP server it is at /Downloads/SecureSphere_Agents/Misc/which_ragent_package_xxx.tar.gz.)
2. SSH to the server where you want to run the tool.
3. Log in and change to the directory on the remote server where the tool was downloaded.
4. Verify that the installation file has executable permissions (or type "chmod 777 <installation package name>").
5. To check the compatibility of the given server for a particular agent, run the utility which_ragent_package_0173.tar.gz. Since it is in gzip form, we have to extract it first.
6. The command for that is "gunzip <filename>", then press Enter. Note: here the filename is which_ragent_package_0173.tar.gz.
7. Now extract the tar archive with the command tar -xvf <filename>.
8. After the tar is successfully extracted, the file which_ragent_package_0173.sh is generated.
9. Run that file and give the version. For example: ./which_ragent_package_0173.sh -v 13.0
10. The output gives the name and version of the agent file that is supported by this server.
11. Now copy that file from \\172.1.57.119\sharefolder\DAM\New Agents to the /tmp folder of the server.
12. Go to the /tmp directory using the command cd /tmp.
13. The agent file format is .tar.gz; gunzip the file using the command gunzip <filename>.
    For example: gunzip Imperva-ragent-RHEL-v4-kSMP-pi386-b13.0.0.20.0.569909.tar.gz
14. The file is now in .tar format; extract it using the command tar -xvf <filename>.
    For example: tar -xvf Imperva-ragent-RHEL-v4-kSMP-pi386-b12.0.0.1084.tar.gz (to run a script, type "./" followed by its file name.)
15. After the file is successfully extracted, the install.sh file is generated. Run it using the command ./install.sh (NOTE: the default directory of the agent installation is /opt/Imperva).
16. After running install.sh, type "y" to continue and accept the default installation location /opt/Imperva/.
17. After extraction, type "1" to run a Quick Configuration.
18. Type "1" to monitor DB traffic.
19. Enter the name of the agent (the name of the application, e.g. BBPS-PROD-01).
20. Type the IP address (172.1.80.10 for DC, 172.2.46.230 for DR) of the listener you previously configured on a gateway.
21. Type "2" to monitor both (internal and external), then enter the gateway password 'Imp#BOI123' for registration. The agent is installed and registered. You can register it to additional gateways if desired; we type no.
22. Type y to restart the agent services.
23. After the remote agent starts, the "Agent Installation Manager" wizard is displayed.
24. Select "1" to start with Quick Configuration.
25. Press "y" to use the same configuration for the installer as was used for the agent.
26. Specify the location of the installer path as /opt/imperva and the size of the installer folder (100 MB), or press Enter for the default value.
27. The Agent Installation Manager is now successfully registered to the gateway. Press any key to continue.
28. Press "y" to start the Agent Installation Manager services, and then press any key to continue.

The agent and the Installer Manager are now installed on the given server.
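Steps 13 to 15 unpack the agent archive and look for install.sh before anything is run. The shell functions below are an added example (not from the BOI document or from the Imperva package) that perform that unpacking in a single tar call, which is equivalent to gunzip followed by tar -xvf, and refuse to continue when the archive does not contain an install.sh. make_sample_package builds a constructed stand-in archive holding only a stub install.sh so the function can be exercised without the real package; the stub is never executed.

```shell
#!/bin/sh
# Added example (not part of the BOI document): unpack an agent .tar.gz into a
# staging directory and confirm install.sh came out of it, without running it.

# unpack_agent_package <package.tar.gz> <staging dir>
# Prints the path of install.sh on success. Returns 1 if the package is missing,
# cannot be extracted, or contains no install.sh.
unpack_agent_package() {
    pkg=$1
    dest=$2
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
    mkdir -p "$dest"
    # tar -xzf does in one step what gunzip + tar -xvf do in the procedure.
    tar -xzf "$pkg" -C "$dest" || return 1
    script=$(find "$dest" -name install.sh -type f | head -n 1)
    [ -n "$script" ] || { echo "install.sh not found in $pkg" >&2; return 1; }
    chmod u+x "$script"
    echo "$script"
}

# make_sample_package <work dir>
# Builds a constructed stand-in for an agent archive: a tarball that holds a
# directory with a stub install.sh. Prints the path of the tarball.
make_sample_package() {
    work=$1
    mkdir -p "$work/Imperva-ragent-sample"
    printf '#!/bin/sh\necho "stub installer, not run by the example"\n' \
        > "$work/Imperva-ragent-sample/install.sh"
    tar -czf "$work/Imperva-ragent-sample.tar.gz" -C "$work" Imperva-ragent-sample
    echo "$work/Imperva-ragent-sample.tar.gz"
}

# Live usage on the database server, with the real package name from step 10:
#   unpack_agent_package /tmp/Imperva-ragent-<package>.tar.gz /tmp/ragent-stage
# then run the printed install.sh path as root, as in step 15.
```

Keeping the extraction and the install.sh check in one function means the failure cases of the procedure (a truncated download, a wrong package copied from the share) stop the run before install.sh is invoked rather than after.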

To install a Windows agent:

For Windows systems we can directly copy the Windows-based agent setup from \\172.1.57.119\sharefolder\DAM\New Agents\Windows\Imperva-ragent-Windows-b13.5.0.21.0.572491 to the server's C: drive.

Step 1: Agent Installation

1. Log in as Administrator to the database server.
2. Create an Imperva folder on the C: drive of the database server and copy the downloaded agent file (kept at \\172.1.57.119\sharefolder\DAM\New Agents) to that Imperva folder.
3. Extract the file and open the folder.
4. Run the Imperva-Ragent setup. If it prompts an error saying "No administrative privileges", run CMD as administrator and launch the installer from there with msiexec /i "<agent full path>\<package name.msi>", e.g. msiexec /i "c:\Imperva\Imperva-ragent-Windows-b13.0.0.10.0.512010\Imperva-ragent-Windows-b13.0.0.10.0.512010.msi".
5. Click Next --> Next.
6. Choose the desired location or the default location "C:\Program Files (x86)\Imperva\".
7. Installation starts and a black CMD screen pops up.
8. Click Next --> Next.
9. Type 1 for Quick Configuration.
10. Type "1" (True) for DB traffic monitoring.
11. Type "2" (False) for file traffic monitoring (File, SharePoint etc.).
12. Type "2" (False) for SharePoint traffic monitoring.
13. Enter the name of the agent (the name of the application, e.g. BBPS-PROD-01).
14. Type "2" for both local and network traffic.
15. When the agent asks for Primary or Secondary, choose Primary.
16. Enter the IP address of the DAM gateway (172.1.80.10 for DC, 172.2.46.230 for DR).
17. Enter the password 'Imp#BOI123' for registration.
18. Type "n" to skip registration of the remote agent with a secondary gateway.
19. The agent is installed successfully and asks whether to run the agent service; type 'y'.
20. It prompts that the installation is completed. Click "Close" on the completion prompt.
21. Check that the agent is running and registered.

Steps for Installer Installation

22. Double-click Imperva-ragentinstaller-Windows-b3.5.0.20.0.567601.msi (or from the command line: msiexec /i "<agent full path>\<package name.msi>", e.g. msiexec /i "c:\Imperva\Imperva-ragent-Windows-b13.0.0.10.0.512010\Imperva-ragentinstaller-Windows-b3.0.0.0.0.504928.msi").
23. Click Next --> Next.
24. Choose the desired location or the default location "C:\Program Files (x86)\Imperva\".
25. Click Next --> Next.
26. Installation starts and a black CMD screen pops up.
27. Press 1 for Quick Configuration.
28. Enter the same agent name (the name of the application, e.g. AML-NODE-01).
29. When the agent asks for Primary or Secondary, choose Primary.
30. Enter the IP address of the DAM gateway (172.1.80.10 for DC, 172.2.46.230 for DR).
31. Enter the password 'Imp#BOI123'.
32. Press Enter when prompted for the destination folder and space.
33. The agent is installed successfully and asks whether to run the agent service; type 'y'.
34. After this, the agent prompts the installation screen once more; press 'q' to quit.

Steps to uninstall the DAM agent on Windows

1. Open CMD as an administrator.
2. Change to the directory where the agent is located. By default this is:
   cd C:\Program Files (x86)\Imperva\RemoteAgent
3. Execute the following command:
   RemoteAgentCli.exe --mode menu
4. Select Perform Actions, then select Stop Agent.
5. Go back to the main menu and quit.
6. Uninstall the agent from Control Panel > Programs > Uninstall a program.

To uninstall the SecureSphere Agent on a non-Windows system:

1. Stop the SecureSphere Agent. To stop the non-Windows SecureSphere Agent, execute one of the following commands:
   <remote agent directory>/ragent/bin/rainit stop
   OR
   <remote agent directory>/ragent/bin/cli actions stop
   (the remote agent directory is by default /opt/Imperva)
2. Execute the following command, where <remote agent directory> is the directory in which the SecureSphere Agent is installed:
   <remote agent directory>/ragent/bin/uninstall
3. Follow the on-screen instructions.

To uninstall the SecureSphere Agent Installation Manager on a non-Windows system:

1. Stop the SecureSphere Agent Installation Manager by executing the following command:
   <remote agent installer directory>/installer/bin/rainstallerinit stop
2. Execute the following command, where <base dir> is the directory in which the SecureSphere Agent Installation Manager is installed:
   <base dir>/installer/bin/uninstall
3. Follow the on-screen instructions.

Note: Beginning with SecureSphere Agent version 10.0, it is not necessary to uninstall the SecureSphere Agent before installing a different version of the SecureSphere Agent. The only exception is when you want to re-install exactly the same version that is already installed, in which case you must uninstall the SecureSphere Agent before installing it.

Discovery and Classification configuration

1.4. DB Service Discovery Configuration:
Service Discovery: This feature is used to discover unknown databases on the premises. Service discovery scans your network for open ports and determines the services listening on those ports.
Requirement: To scan for DB services on unknown ports, all ports, or the specific ports defined in the global port group selected in the scan policy, must be open from the MX to the DB server IP series.
Unknown databases on known ports are discovered by default when scanning with the default settings. For databases configured on unknown ports we have to add the custom port details, or provide a range of ports.

To configure a custom port

In BOI we have created the custom port group (BOI Custom DB PORT) and the scan IP series group for service discovery. To configure the custom port:
1. Go to Global Objects and select Global Port Groups in the scope selection box.
2. To add a new port group click "+". Type the name of the port group and click Create.
3. Select the DB service under Protocol, type the respective ports and click "Save".

To configure the custom IP group

1. Go to Global Objects and select IP Groups in the scope selection box. Here we have created "Scan_Services", the custom IP group for the scan.
2. To add a new IP series click "+". Type the name of the group and click Create.
3. Select Single, Network or Range depending on your requirement and provide the details: the start IP address for a single IP; the start and end IP of the range for a range; the CIDR notation (e.g. 172.1.1.1/23) for a network. Then save the configuration.

To configure a Service Discovery scan

1. In the Main workspace, click Discovery and Classification > Scans.
2. Click New and then click Service Discovery. Type a name for the new scan and select the server group to which you want discovered services added, then click Create.
3. If you want SecureSphere to automatically add newly discovered services to the SecureSphere configuration, enable the first radio button. Otherwise, to manually review services before updating SecureSphere, enable the second radio button. In BOI we have selected the "manually review services" option.
4. To scan existing server groups for new services, enable the option's checkbox.
5. Configure the IP addresses you want to scan.
6. Click New, then select an IP group. It is recommended to configure an IP group with as limited a range as possible. If choosing, for example, to scan with the Internal IP Addresses group, consider the impact on your network, for example if your organization operates an IPS.
7. Enable the types of services you want to scan for. We select all service types.
8. Optionally configure the advanced configuration. Enabling enhanced scanning additionally scans non-default ports for services like Oracle and MySQL, while New Entities Configuration lets you customize the naming conventions used to create new services in SecureSphere, as mentioned above.
9. Click Save.
10. On the Scheduling tab, click Run the scan now.

After the scan completes, to see the scan result go to DISCOVERY & CLASSIFICATION > Discovered Server. On that page click "Server Discovery Results", where we can generate a PDF or create a report of the scan result.
Result:
Result:

1.5. DB Data Classification Configuration:

Data Classification: Data classification consists of scanning database services to classify the data types hosted on those services. It requires credentials, which you provide, to search existing services, either found through service discovery or manually configured.
To do the database classification we first have to create a "Scan Profile" and select the required "data types". In BOI we have created the "BOI PII & CII Profile" scan profile. Then we have to configure the DB credentials for the databases.

To create a new scan profile

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. Under the Scope Selection drop-down, select Scan Profiles.
3. Select a scan profile.
4. In the Data Types tab, enable or disable any data type by selecting or de-selecting the appropriate check box. Here we have created the "BOI PII&CII profile" and enabled or disabled the data types as required by BOI.
5. In the Settings tab, choose whether the SecureSphere configuration is updated manually or automatically based on the classification result. Here we have selected "manually review results before update". After scanning, we share the scan result with the DB owner and they send us the actual table details that contain the given data type.
6. Select "save sample data" with an accuracy level of 0.7 (i.e. 70%). This saves a sample of the data present in the scanned table where the data type accuracy matches 70%.
7. Click Save.

DB Credential configuration:
To configure the DB user password for the particular server group on which classification is required (configure the "Direct Access Information" and then the "Database Connections"):
1. In the Main workspace, click Setup > Sites.
2. Click the server group for which classification is required. Select the database service, and under the "Definition" tab select "Direct Access Information", then provide the required details: DB user name, password, verify password, port and SID.
3. Click Save, then click "Test Connection". Once the connection is successful, add the same details under "Database Connections" by clicking the "+" icon. After providing the required details click "Save" and then "Test Connection".

To configure data classification options:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans window appears.
2. Select an existing Data Classification scan, or click New, create a new Data Classification scan and provide the name of the scan.
3. Select the scan name, go to the Details pane and click the Settings tab. The Data Classification options are displayed.
4. If you so desire, you can change the scan profile the scan uses. You can also configure the profile, adding data types and rules and deleting data types and user-defined rules. For more information, configure a scan profile as mentioned above.
5. Click the Apply To tab and select the services on which you want to run data classification. For more information on Apply To, see Applying Policies.
6. Click the Scheduling tab and configure scheduling options if you want the scan to run on a regular basis. For more information on scheduling see Configuring Scheduling.
7. Click Save in the upper right of the screen. Your settings are saved.
8. Once the scan has been configured, it can be run by selecting Action > Run Now.

After the scan completes, to see the scan result go to DISCOVERY & CLASSIFICATION > Classification DB Data. On that page click "DB Data Classification Results", where we can generate a PDF or create a report of the scan result.

Once the scan is complete we generate the PDF or CSV and share it with the DB owner so that they can tell us the actual tables that contain the respective data type. After getting the data from the DB owner we accept or reject the discovered classified data, so that we get the sensitive table groups for creating the sensitive data access policy.
1. Go to DISCOVERY & CLASSIFICATION > Classification DB Data.
2. On that page click "DB Data Classification Results".
3. In the result pane, select "Accepted by user" or "Rejected by user" in the Action column of the respective table, as per the details received from the DB owner.
4. Click "SAVE".
5. Saving the classification result creates Table Groups based on data type and server group under Setup > Global Objects > Table Groups. We add these to the "Sensitive data access" security policy to generate alerts for sensitive tables.

[Figure: Action configuration for classified data]

[Figure: Sensitive Data Table Group]

[Figure: Creating Security Policy for Sensitive Data Access]

Risk Management configuration

1.6. Risk Assessment of DB Server Configuration:

SecureSphere Assessment and Risk Management streamlines vulnerability assessment at the data layer. Assessment scans can be run on demand or at scheduled intervals. Assessment policies are available for different types of databases, including Oracle, Microsoft SQL Server, IBM DB2 and more. The vulnerability assessment process, which can be fully customized, uses industry best practices such as DISA STIG and CIS benchmarks. In BOI we have created custom assessment policies as per client requirement for MSSQL (2012, 2016), MySQL 5.7, Oracle (11, 11.2g and 12) and PostgreSQL 8 or 9.
Requirement: Before initiating the risk assessment of a server group we need to check the connectivity from the MX server to the DB server listener port. Once we are able to telnet to the DB listener port from the MX server, we need to provide the DB user password and OS user credentials for scanning.

To configure the DB user password and server OS credentials (configure the "Direct Access Information" and then the "Database Connections"):
1. In the Main workspace, click Setup > Sites.
2. In the Sites tree, select the database for which you want to configure database credentials.
3. Select the database service, and under the "Definitions" tab select "Direct Access Information", then provide the required details: DB user name, password, verify password, port and SID.
4. Click Save, then click "Test Connection". Once the connection is successful, add the same details under "Database Connections" by clicking the "+" icon. After providing the required details click "Save" and then "Test Connection".

Policy based:

To configure a DB assessment scan:

1. In the Main workspace, click Risk Management > DB Assessment Scans.
2. Click "+", create a policy-based or tag-based scan rule and type a name. (In a policy-based scan the rule is created on a selected assessment policy, which cannot be changed once created. In a tag-based scan rule we can select different policies on the basis of the tag assigned to the policy, which can be changed depending on requirement.) Select the type of database you want to assess, select a policy, then click Create.
3. Click Save.
4. Go to the Scheduling option of the created rule and click Run the Assessment Scan now. The scan runs.
5. Once complete, we can review the assessment scan results by selecting "Risk Console" and clicking "Assessment Results". There is an option to generate the report as a PDF or create it as a report at the top of the Assessment Results.

Tag based:
6. In the Main workspace, click Risk Management > DB Assessment Scans.
7. Click "+", create a tag-based scan type and provide the name of the rule. Go to DB Assessment Policies. Select the policy based on DB type, click the "Details" option, type the name of the policy tag and press Enter (it displays the name as shown in the screen below), then click "Save".
8. Go to "DB Assessment Scans", select the new rule we created and select the policy tag in the "Settings" option. To view the applied policy click the "View Effective Policy" button. Click the Apply To tab, then select the services you want to assess.
9. Click Save.
10. Go to the Scheduling option of the created rule and click Run the Assessment Scan now. The scan runs.

Agent Configuration in DAM console

1.7. Site and Server Group Configuration
Server groups are a representation of one or more servers located in a specific site. A server in SecureSphere is a set of services or applications belonging to a single IP address. Server groups enable SecureSphere to identify the specific entities at a site that need to be protected, and whose operations you want to track and audit. They also allow you to select the traffic you want to manage using the following features: Ignore IP, limit monitoring to specific IP addresses, manage applied policies at the server group level, and set the server group status.

Creating the Site and Server Groups:
To create a site and server group:
1. In the Main workspace, select Setup > Sites.
2. In the Sites window you will see the "Default Site". To create a new site click "+". The Create Site window appears. Type the name of the site and click Create. In BOI we have created the "BOI_DC" and "BOI_DR" sites in DC and DR respectively.
3. To create the server group, select the site ("BOI_DC") in which you want to create the new server group. The selected site information appears in the Details pane.
4. In the title bar of the Sites Tree pane, click "+". The Create Server Group dialog box appears.
5. Type a name for the new server group, then click Create. The new server group is created and added to the selected site in the Sites Tree. E.g. here we have given the name IMT_DC.
6. Click Save. Settings are saved.

Create the Service:
1. Right-click the server group and click "Create Service".
2. The Create Service dialog box opens. Type the name of the service and select the type of database service. E.g. here we have typed the name "IMT_Postgress_SQL" and selected "PostgreSQL Service".
3. Click "Save". Settings are saved.

Configuring the Agent Operation Mode and Protected IP Address
The operation mode defines the behaviour of SecureSphere regarding current traffic. There are three operation modes: Active, Simulation and Disabled. To configure the operation mode:
1. In the Main workspace, select Setup > Sites. The Sites window appears.
2. Click the server group whose operation mode you want to modify. The server group details appear in the Sites window.
3. Click the Definitions tab. The Definitions options are displayed.
4. Select the option button of the desired Operation Mode. The options are Active, Simulation and Disabled.
5. We have selected "Active", as we have to monitor the given group and apply policies to it.
The operation mode determines the behaviour of the server group and of all defined services and applications belonging to it. The three available operation modes are:
Active: Configures SecureSphere to actively monitor traffic and apply policies. This means that alerts are generated and traffic is blocked when required by a policy.
Simulation (default): Configures SecureSphere to simulate monitoring. It monitors traffic and generates alerts and violations, but does not prevent traffic from reaching its destination (no blocking). It is recommended to use simulation mode while SecureSphere is learning traffic.
Disabled: Suspends all monitoring and blocking activities. Can be used to help troubleshooting. Traffic flows uninterrupted through SecureSphere. Disabled mode can be used as a temporary fix to overcome problems with a configuration that generates a hail of alerts or blocks sources that need access to the network. Use disabled mode carefully.
6. Under Protected IP Addresses we have to add the agent IP. To add a new agent IP click "+" under Protected IP Addresses, type the new agent IP and select the gateway group. E.g. here we have typed the IP "172.1.30.49" and selected the gateway group "DCBOI" (the gateway cluster name).
7. Go to the Server tab and select the OS type.
8. Click "Save" to save the configuration.

Custom Port and Policy Configuration:

When a service of a specific database type is created, the default ports of that database are entered in the service ports. If the agent discovers new ports on its data interface, we need to add the new ports to the service in the server group of the given agent.

To add the custom port and policy configuration:

1. In the Main workspace, select Setup > Sites. The Sites window appears.
2. Click the server group, then select the service whose ports you want to modify. Type the new ports, separated by commas (e.g. 5432, 5433), in "postgressSql_port".
3. Under "Applied Policies" we can see all the policies applied to the given server group. We can directly add or modify a policy from here by clicking the "EDIT POLICY" icon.
4. Click "Save" to save the configuration.

Agent Configuration:
1. In the Main workspace, select Setup > Agents.
2. Click the "New Agents" option to see the newly added agent.
3. Click the given agent and select "Explore in Workbench".
4. The agent is shown in the "Agents" pane of the Workbench.
5. Go to the "Settings" tab of the Agent Configuration window at the bottom.
6. Select the server group and service type we created for the given agent.
7. Go to Data Interfaces and select the respective service we created for all discovered interfaces.
8. Click "SAVE" to save the configuration.
9. Right-click the agent and select "Restart Agent" to push the new configuration to the agent.

Policy Creation

1.8 Security and Audit Policy Creation

Through security policies we can monitor security alerts for the given server groups. In BOI we have created a custom policy to generate alerts on "insert, delete, update" operations. Some policies are applied from the SOM: "BOI - Attempt to Backup Database", "BOI-Failed Login Attempts" and "BOI-Oracle - Attempt to Execute Database Export". To create a security policy for new server groups:
1. Go to the Main workspace of the MX and select Policies > Security.
2. Click the "+" sign and, from the drop-down list, select "DB Service". The Create New Policy window opens.
3. In the Create New Policy window, type the name for the security policy.
4. Select either From Scratch or, if you have already created a policy template, tick the Use Existing option and select the existing policy template from the list.
Note: after creating the policy with the Use Existing option, remove the server groups of the existing policy from it.
5. If we select From Scratch, then from the Type drop-down list select "DB Service Custom". Click Create. The new policy is created.
6. Select the new security policy we created, then select the "Match Criteria" tab in the Policy Details pane. Add the match criteria for which the alert is required. In BOI we have selected "Operations" as the match criterion and, within it, the "insert, delete, update" operations for which we require alerts.
7. After selecting the match criteria, go to the "Apply To" tab and select the server groups to which the policy should be applied.
8. Click Save to save the settings.
9. After saving the configuration, we have to push the configuration to the gateway and agent: go to the Main workspace, select Setup > Agents, select the agents that belong to the above server groups, right-click the selected agent and click "Restart Agent".

Page 31 of 77
To configure an audit policy:
1. Go to the Main workspace of MX, select Policies > Security.
2. Click the "+" sign and from the drop-down list select "DB Service". The New Database Policy window opens.
3. Type the Name for the audit policy.
4. Select either From Scratch, or, if you have already created a policy template, tick the Use Existing option and select the existing policy template from the list.
5. If you select From Scratch, click Create to create the new policy.
6. Select the newly created audit policy and then select the "Match Criteria" tab in the Policy Details pane. Add the match criteria for which auditing is required. In BOI we have selected two match criteria, "Event Type" and "Operation", in which we have selected "Query" and "insert, delete, update, Privileged Operations" respectively, for which we require auditing.

7. After selecting the match criteria, go to the "Apply To" tab and select the server group to which we need to apply the policy.
8. To set the quota (the maximum disk space the policy may use to store audit data on the gateway), go to the "Settings" tab and under the Quota section give the Maximum Size (GB) and Maximum Size (%). Here we have given 500 GB and 70 %, which we can change as per requirement.
9. Go to the Archive tab to schedule archiving jobs. Select the Action Set and Archive Settings from the drop-down (here we have selected the "Audit_archive" action set and "Default Archiving Settings", which we have created in BOI for the same). Specify the time and purging
10. Go to the "External Logger" tab to enable sending audit logs to any third-party SIM/SIEM system. Select the audit syslog action from the drop-down and enable the option "Enable using gateway configuration if exist".
11. Click Save to save the settings.
12. After saving the configuration, we have to push the configuration to the gateway and agent. Go to the Main workspace, select Setup > Agents. Select the servers which are in the above server groups. Right-click the selected agent and click the "Restart agent" option.

Report Creation

1.9. Audit and Alert Report Creation:

SecureSphere enables you to configure reports to be accompanied by tasks when they are generated. This can be useful when you want to assign someone to review a report, and is accomplished by configuring an action set with the required action interfaces, then attaching the action set as a followed action to the report configuration.

In BOI we have created alert reports for the individual server groups with a followed action set of mail, which sends the daily alert reports to the respective DB owners. We have also created an audit report for each individual server group, which is stored on the NFS partition through a script.
Path of the reports in the backend: cd /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/webapps/SecureSphere/WEB-INF/reptemp
To configure audit reports:
1. In the Main workspace, select Reports > Manage Reports. The Manage Reports window appears, displaying the available report definitions and configuration options.
2. In the Reports pane of the Report Management window, click New. The New report type drop-down menu appears.
3. Select a report type: for an audit report select "DB Audit"; an alert report is based on a security policy. The Create Report dialog box appears for the report type you selected.
4. Type a name for the report. This name appears both in the generated report and in the View Results window.
5. Type a Report Description (optional). This description appears in the generated report.
6. Click the radio button to identify the basis of your new report. You have two options:

From Scratch: Creates a report from scratch with all available parameters needing to be configured.
Use existing: Enables you to select an existing report definition to use as the basis for the new report. If you click this radio button, select the existing report to be used as the basis for the new report from the Use existing drop-down list. Only available for alerts and system events. NOTE: Remove the existing audit policy and server group of the selected policy template.
7. Enable Copy Permissions from Existing Report if desired. This applies the same permissions to the new report definition as those of the existing report that was selected.
8. Click Create. SecureSphere creates the requested report.
9. Select the newly created report, go to the "DATA SCOPE" tab and select the audit policy name related to the selected server group. In Collection, at Time Frame select Last, type 1 and select Day from the drop-down, so that it generates the report for the last day.
10. In Available Fields select "Server Group" by clicking the upper arrow and select the respective server group for which you want to generate the report.
11. Go to the Tabular tab and select the columns of the report.
12. Go to the Data Analysis Views tab if you want a graphical representation. We have disabled all graphs in this tab.
13. Go to Scheduling to schedule the report time. We select the Recurring option, select Daily, type 1 day and select the date and time of execution. It generates the daily report at the provided time.
14. Go to "General Details" and select the format of the report, i.e. CSV or PDF.
15. Click "SAVE" to save the configuration.

Alert Report Creation:
1. In the Main workspace, select Reports > Manage Reports. The Manage Reports window appears, displaying the available report definitions and configuration options.
2. In the Reports pane of the Report Management window, click New. The New report type drop-down menu appears.
3. Select the alert report type, which is based on a security policy. The Create Report dialog box appears for the report type you selected.
4. Type a name for the report. This name appears both in the generated report and in the View Results window.
5. Type a Report Description (optional). This description appears in the generated report.
6. Click the radio button to identify the basis of your new report. You have two options:
From Scratch: Creates a report from scratch with all available parameters needing to be configured.
Use existing: Enables you to select an existing report definition to use as the basis for the new report. If you click this radio button, select the existing report to be used as the basis for the new report from the Use existing drop-down list. Only available for alerts and system events. NOTE: Remove the existing security policy and server group of the selected policy template.
7. Enable Copy Permissions from Existing Report if desired. This applies the same permissions to the new report definition as those of the existing report that was selected.
8. Click Create. SecureSphere creates the requested report.

9. Select the newly created report and go to the "DATA SCOPE" tab. In Available Fields select multiple fields. In the "Alert Type" field select all operation types except Profile. Select the "Custom Policy" field and select the "security policy" name of the server groups for which we want to generate the alert report. Select "Server Group" by clicking the upper arrow and select the respective server group for which you want to generate the report. Then select the Last few days field and select "1". It generates the last day's alert report for the given server group.
10. Go to the Tabular tab and select the columns of the report.
11. Go to the Data Analysis Views tab if you want a graphical representation. We have disabled all graphs in this tab.
12. Go to Scheduling to schedule the report time. We select the Recurring option, select Daily, type 1 day and select the date and time of execution. It generates the daily report at the provided time.
13. Go to "General Details" and select the format of the report, i.e. CSV or PDF.
14. Click "SAVE" to save the configuration.

Monitoring
1.10. Monitoring Alerts, Violations, System Events and Alarms:
Monitoring is a key phase in the SecureSphere application data management lifecycle. SecureSphere is equipped with a user-friendly monitor that clearly displays generated information in a central location. Real-time information that is generated includes system events, alerts, violations, blocked sources, gateway and agent status, system warnings, database auditing, file server auditing, and archiving information.
Alert Monitoring:
Real-time alerts are generated on the basis of the security policies. Alerts are notifications that a violation or group of violations (of security policies) has taken place on monitored traffic. A single security attack might contain a long sequence of violations, each generating an individual alert and resulting in an alert storm. To correlate alerts into a logical group, prevent alert storms and assist in identifying attacks, SecureSphere aggregates violations based on attack type, then displays the aggregated violation. These are the alerts whose name starts with "Distributed", which is an aggregation of alerts of a specific type over a specific duration. In the Details pane we can see the breakdown of these alerts by source IP, application and SQL user, for which we have to click on the icon.

To monitor real-time alerts, go to the Main Menu > Alerts.
It contains three panes: the filter pane, the alert pane and the details pane. In the filter pane we can view the alerts based on different filters like Severity, Action, Alert Type, Alert Flag, Alert Number, Server Group, Service, User Name and Source IP etc. For more robust filtering we can choose the Advanced Filter option at the bottom. Here we can view alerts for a specific time frame, object type and violation type.
The alert pane has 6 columns:
First column: the alert number.
Second column: the action performed, i.e. Block or None.
Third column: the severity.
Fourth column: the alert time.
Fifth column: the "number of occurrences".
Sixth column: the alert description.
In the Details pane we can view the alert details: event time, connection, gateway, server group, source IP, source application, source activity, OS user, query, database and schema details and DB user details.

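The aggregation described above, where a run of violations of one type becomes a single "Distributed" alert with an occurrence count and a per-source-IP, per-application and per-DB-user breakdown, as an added example. This is not code from the document or from Imperva; the violation records are constructed, and the ten-minute aggregation window and the rule that only multi-violation alerts get the "Distributed" prefix are assumptions made for the illustration.

```python
"""Aggregating individual violations into alerts, as the Alerts pane does.

Added example, not part of the original document and not Imperva code.
The record format and the aggregation window are simplified assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample violations (not real bank data):
# (time, violation/attack type, source IP, source application, DB user)
SAMPLE_VIOLATIONS = [
    ("2024-01-10 09:00:01", "Failed Login", "10.0.0.5", "sqlplus", "appuser"),
    ("2024-01-10 09:00:02", "Failed Login", "10.0.0.5", "sqlplus", "appuser"),
    ("2024-01-10 09:00:03", "Failed Login", "10.0.0.5", "sqlplus", "admin"),
    ("2024-01-10 09:00:04", "Failed Login", "10.0.0.9", "JDBC Thin", "admin"),
    ("2024-01-10 09:02:30", "Data Modification", "10.0.0.7", "Toad", "dbo"),
    ("2024-01-10 09:20:00", "Failed Login", "10.0.0.5", "sqlplus", "appuser"),
]


@dataclass
class Alert:
    """One row of the alert pane plus the Details pane breakdown."""
    alert_type: str
    first_seen: datetime
    last_seen: datetime
    occurrences: int = 0                      # "number of occurrences" column
    by_source_ip: Counter = field(default_factory=Counter)
    by_application: Counter = field(default_factory=Counter)
    by_db_user: Counter = field(default_factory=Counter)

    @property
    def description(self) -> str:
        # Assumption: an alert that aggregates several violations is shown
        # with the "Distributed" prefix the document describes.
        prefix = "Distributed " if self.occurrences > 1 else ""
        return f"{prefix}{self.alert_type}"


def aggregate(violations, window=timedelta(minutes=10)):
    """Group violations of the same type that fall within `window` of the
    alert's first occurrence into one alert; return alerts in time order."""
    alerts = []
    open_alerts = {}  # alert_type -> the alert currently collecting violations
    for ts, vtype, src_ip, app, db_user in sorted(violations):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        alert = open_alerts.get(vtype)
        if alert is None or t - alert.first_seen > window:
            alert = Alert(vtype, t, t)   # start a new alert for this type
            open_alerts[vtype] = alert
            alerts.append(alert)
        alert.last_seen = t
        alert.occurrences += 1
        alert.by_source_ip[src_ip] += 1
        alert.by_application[app] += 1
        alert.by_db_user[db_user] += 1
    return alerts


if __name__ == "__main__":
    for n, a in enumerate(aggregate(SAMPLE_VIOLATIONS), start=1):
        print(f"{n:3d} {a.first_seen:%H:%M:%S} x{a.occurrences:<3d} {a.description}")
        print("     by source IP:", dict(a.by_source_ip))
        print("     by DB user:  ", dict(a.by_db_user))
```

With the constructed sample, the four failed logins between 09:00:01 and 09:00:04 collapse into one "Distributed Failed Login" alert with four occurrences, the data modification stands alone, and the failed login at 09:20 falls outside the window and opens a new alert.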
Violations Monitoring:
On the basis of the violation type we can see the real-time violations here. Violations are warnings that an event has taken place which violates a policy defined in SecureSphere. As opposed to alerts, violations provide a specific indication regarding an event that has taken place, including a number of details regarding the offending traffic. This assists you in analysing violations and determining what type of threat they may pose to your data.

To monitor real-time violations, go to the Main Menu > Violations.
It contains three panes: filter, violations and details. In the filter pane we can view the violations based on different filters like Severity, Action, Alert Type, Alert Flag, Alert Number, Server Group, Service, User Name and Source IP etc. For more robust filtering we can choose the Advanced Filter option at the bottom. Here we can view the violations for a specific time frame, object type and violation type.
The Violations pane has the following columns:
First column: the time.
Second column: the event ID.
Third column: the service type.
Fourth column: the event type.
Fifth column: the source IP.
Sixth column: the user.
Seventh column: the destination IP.
Eighth column: the violation details.

In the Details pane we can view the details: event time, connection, gateway, server group, source IP, source application, source activity, OS user, query, database and schema details and DB user details.

System Event Monitoring:

System events are events that have taken place in the system such as a login, or a direct result of system changes such as signature updates, changes to configuration, activation of settings, building profiles, automatic profile updates, rebuilding database indexes, server start/stop, archiving activities, system-related errors or warnings (e.g. predefined threshold definitions being exceeded), and so on. System events may have security or compliance implications, and therefore need to be monitored in much the same way as alerts and violations.

Monitor System:
Monitor System shows the alarms generated by the MX, SOM, cluster, gateways and agents. This needs to be monitored frequently.
To configure the alarms from the MX we have to go to Monitor > Monitor System > Configuration.

In BOI these settings are pushed from the SOM, hence we have to configure them from the SOM. To configure from the SOM, go to Monitor System > Configuration.

In SOM:

1.11. Incident Creation & Closure Process:
On the basis of the daily alert report, we share the alert report with the respective department through mail. The bank DAM team creates an incident for the same in the HP SM tool. On the basis of a proper SD or approval from the authorized bank team, we send a mail to the SOC team to close the incident. The closure time of an incident is 2 days. We maintain all alert details in one Excel sheet with the IM details.

Daily Monitoring Activity

1.12. Daily Monitoring Activity:
On a daily basis we have to monitor the cluster, gateway and agent status. We also have to monitor the audit disk utilization of the gateways by server group, and monitor the failed job status and restart the failed jobs.
Cluster Monitoring: The Cluster Management tab allows you to monitor the status and performance of the cluster, and provides indicators of problems as they arise. To check the cluster status and the gateway and agent status:
Go to the Main menu > Setup > Cluster Management. The Cluster Management page consists of 5 panes.

1. Navigation pane: shows all clusters and gateway groups on the MX server.
2. Overview pane: gives an overview of the state and health of the item selected in the navigation pane. It shows the cluster status and total load.
3. Status Charts: show the health of the agents and/or gateways of the item selected in the navigation pane.
4. Filters pane: applies filters to the assets in the Assets pane.
5. Assets pane: gives a detailed view of the gateway groups, gateways or agents of the item selected in the navigation pane. Allows configuration, movement and other actions on these assets.

In the Assets pane go to the Gateways tab, where we can see the gateway role, running status, network status, theoretical and calculated load, and version. In the Agents tab we can see the agent status.
To see the DB user or process traffic distribution for a particular agent, just select the agent and click the "Traffic Distribution" option at the top of the Assets pane. It opens the Agent Traffic Distribution window, where we can see the last 15 minutes or 7 days of traffic analysis per process or DB user, i.e. the IN and OUT traffic forwarded by the agent and the IN and OUT traffic ignored by the agent.
Note: We have enabled the automatically load-balanced cluster configuration, in which we cannot move an agent from one gateway to another. The cluster itself maintains the load balancing depending on the calculated load and moves agents automatically.
Cluster Management page details:

Cluster Status: We have created the DCBOI and DRBOI clusters in the DC and DR DAM respectively.

Gateway Status:

Agent Status:

Agent Traffic Distribution:

Checking the Real-time Gateway Status:
On a daily basis we have to monitor the gateway status, i.e. CPU, SQL hits, throughput and connections/sec.
To monitor the real-time gateway status go to the Main Menu > Monitor > Dashboard. Here we can see the gateways' real-time CPU utilization, SQL hits/s, throughput and connections/s, together with alerts and system events, in graphical format. The page contains 5 panes.
1. SOM Status pane: shows the SOM connectivity with the MX.
2. Gateways pane: lists the gateways currently being managed by SecureSphere.
3. Server Group pane: lists the server groups configured for the selected gateway, provides statistics regarding traffic on the server groups, and provides a visual cue as to the current operating status by using a green checkmark (running) or red exclamation mark (warning). When a warning is displayed, you can hover over the warning to display a tooltip with details regarding what is causing the warning. When no gateway is selected, server groups for all gateways are displayed.
4. Alert pane: displays a list of alerts that have been generated by SecureSphere. To open an alert's details, click on the alert. Retrieves data every 10 seconds, while graphs are refreshed every 3 seconds. If a filter has been applied, displays only those alerts that match the filter, with the type of filter appearing in the title bar. The list displays as many alerts as fit in the window.
5. System Event pane: displays a list of system events generated by SecureSphere. Retrieves data every 10 seconds.

To view CPU Load/SQL Hits:
Displays a graph for all gateways showing either the current CPU load or hits per second. You can manually change between the two graphs, or configure the display to automatically alternate.

To view Throughput/Connections:
Displays a graph for all gateways showing either the current gateway throughput or connections per second. You can manually change between the two graphs, or configure the display to automatically alternate.

To view Connections and SQL Hits by Server Group:

Audit Log Storage Status of Gateways:

To see the storage occupied by the audit logs on all the gateways:
Go to the Main menu > Audit and select the Dashboard. The page consists of three panes.
1. Storage Usage Overview pane: contains a graphical representation of the gateway storage status. It shows the gateway storage status as "Adequate available storage", "Approaching full usage" or "Quota exceeded".
To see the detailed view, click on the respective graph. It shows a graph of the total, free and used space on the gateway taken by the audit logs. At the bottom it also shows the details of the gateway disk utilization per audit policy.
Currently we are storing 2 weeks of audit logs on the gateways. If any gateway shows the quota exceeded graph, then we have to see which audit policy's quota was exceeded in the detailed view by clicking on the graph. Once we find the policy whose quota was exceeded, we have to archive and purge that audit policy manually.
NOTE: The manual archive and purging steps are provided in the Backup section of this document.
2. Audit Archive Jobs Requiring Attention: shows the list of the last five audit archive scheduled jobs which finished with errors or warnings. To see the last five statuses of a particular job, click the View option under the Action column.
3. Audit Reports Requiring Attention: shows the list of the last five audit report scheduled jobs which finished with errors or warnings. To see the last five statuses of a particular job, click the View option under the Action column.
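The storage check described above, turned into a script that classifies each audit policy's usage on a gateway into the three dashboard states and lists the policies that must be archived and purged manually. This is an added example, not code from the document or from Imperva. The quota GB and percentage values for the three policies are taken from the table in section 1.14; the gateway disk size and the usage figures are constructed. Two rules are assumptions rather than documented SecureSphere behaviour: that the effective quota is the smaller of the GB limit and the percentage of the gateway audit disk, and that "approaching full usage" starts at 80 % of that effective quota.

```python
"""Classifying gateway audit storage per policy, as the Audit Dashboard does.

Added example, not part of the original document and not Imperva code.
Disk size and usage figures are constructed; the quota values come from the
section 1.14 table. The effective-quota rule and the 80 % warning threshold
are assumptions.
"""
from dataclasses import dataclass

APPROACHING_THRESHOLD = 0.80  # assumed: warn above 80 % of the effective quota


@dataclass(frozen=True)
class AuditPolicyQuota:
    name: str
    max_gb: float   # Maximum Size (GB) from the policy's Settings tab
    max_pct: float  # Maximum Size (%) of the gateway audit disk

    def effective_gb(self, disk_gb: float) -> float:
        """Assumption: the tighter of the two limits is the one that applies."""
        return min(self.max_gb, disk_gb * self.max_pct / 100.0)


def classify(used_gb: float, quota_gb: float) -> str:
    """Map usage to the three states shown in the Storage Usage Overview pane."""
    if used_gb >= quota_gb:
        return "Quota exceeded"
    if used_gb >= APPROACHING_THRESHOLD * quota_gb:
        return "Approaching full usage"
    return "Adequate available storage"


def storage_report(disk_gb, policies, used_by_policy):
    """Return {policy name: (used GB, effective quota GB, status)}."""
    report = {}
    for p in policies:
        quota = p.effective_gb(disk_gb)
        used = used_by_policy.get(p.name, 0.0)
        report[p.name] = (used, quota, classify(used, quota))
    return report


def policies_to_archive(report):
    """Names of the policies whose quota is exceeded: the document says these
    must be archived and purged manually (see the Backup section)."""
    return sorted(name for name, (_, _, status) in report.items()
                  if status == "Quota exceeded")


# Constructed sample: a 1000 GB gateway audit disk, three policies from the
# section 1.14 table, and invented usage figures.
SAMPLE_DISK_GB = 1000.0
SAMPLE_POLICIES = [
    AuditPolicyQuota("BOI-GPS Audit Policy", 200, 50),
    AuditPolicyQuota("BOI UPI Audit Policy", 600, 70),
    AuditPolicyQuota("BOI-EFRMS Audit Policy", 700, 70),
]
SAMPLE_USAGE_GB = {
    "BOI-GPS Audit Policy": 120.0,
    "BOI UPI Audit Policy": 590.0,
    "BOI-EFRMS Audit Policy": 710.0,
}

if __name__ == "__main__":
    rep = storage_report(SAMPLE_DISK_GB, SAMPLE_POLICIES, SAMPLE_USAGE_GB)
    for name, (used, quota, status) in rep.items():
        print(f"{name:28s} {used:7.1f} / {quota:7.1f} GB  {status}")
    print("Archive and purge manually:", policies_to_archive(rep))
```

On a real gateway the usage figures would come from the per-policy disk utilization shown at the bottom of the detailed view; the script only replaces the eyeballing of the graph with a repeatable rule.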

Details view of Audit storage:

Audit Archive jobs requiring Attention:

Audit Report requiring Attention

To view the audit log and analyse audit policy statistics on the gateway
Audit Details:
To view the audit data go to the Main menu > Audit and select DB Audit Data. In this section we can see the audit summary, data and statistics of the audit data of a particular audit policy. There are different view sections through which we can analyse the collected audit logs.

Server Analysis: A category of views which provide information regarding the database servers that host database traffic. This enables you to see the activity on the monitored servers, access patterns to these servers and their performance. Available server analysis views include Monitored Servers, Most Accessed Databases, and DB Server Performance.

Source Analysis: A category of views which provide information that assists in analysing the source of database traffic and provides advanced insight into items such as shared database users. Views include tables of data which can be added to a filter and charts that graphically represent the data. This can assist in obtaining insight into the source of database traffic, including users, source IP addresses, logins and more. Available source analysis views include Shared DB User, Most Active Users, Source Applications, Source Host, OS Users, Source IPs, User Groups, Login Analysis and Performance by Source.

Data Access Patterns: A category of views which provide information regarding the manner in which information in the database was accessed. This can assist in obtaining insight into the types of queries being performed, the most commonly used queries, sensitive queries that have been conducted and more. Available data access pattern views include Top Queries, Query Type Analysis, Sensitive Query Overview, Query Records and Data Modification Analysis.

Privileged Operations: A category of views which provide information regarding privileged operations, giving critical insight into changes made to database objects such as tables, stored procedures, users, permissions and database schemas, and the commands used to modify them. Available privileged operation views include Privileged Query Overview, Table Drops/Truncates, Stored Procedure Changes, Changes to DB/Schemas, DCL Commands, DDL Commands, Native Auditing Changes and Newly Created Users.

Additional Views: Additional views provide various information regarding audit operations that may be of value, such as failed logins and errors in the SQL traffic. Available additional views include Failed Logins, SQL Errors, and Unmonitored Encrypted Logins.

Time Based Analysis: A category of views which provide information about database activity in different time frames. This gives insight regarding patterns of activity. Available time based analysis views include Daily, Day of the Week and Hours of Day.

Audit Management Statistics:
Imperva generates a number of statistics that reflect the operation of the audit mechanism and its impact on overall Imperva operation. These statistics assist in determining whether the current settings for audit collection match the amount of audit data your system has been configured to collect. They also assist in determining whether the current settings match the overall configuration of SecureSphere, or whether they may impact other operations that use the same system resources. For example, you can gauge whether the audit quotas are sufficient for the audit policies based on the configuration. You can also generate a report for the same.
In addition to displaying audit statistics based on a specific policy, we can display audit statistics related to the gateway and management server. This provides an overview of the efficiency of the audit configuration to assist in making decisions regarding managing the system's resources, archiving data, disk usage, understanding how load is impacting operation (if there are lost events), and more.

Stats on the base of Gateway:

Stats On the base of Audit Policy

Stats on the base of Management Server indexing:

BACKUPS
1.13. Backup configuration and process

1.13.1. BACKUP TYPES

In Imperva there are three different types of backup, which are described below.

- Export Backup
- Audit Archive
- Report Archive

- Export backup: An Imperva Export (configuration) backup is the process of making a copy of the complete configuration and settings of the Imperva devices. Configuration backups allow network administrators to recover quickly from a device failure, roll back from a misconfiguration or simply revert a device to a previous state. It is encrypted and password protected. This is the MX configuration backup which is required during disaster recovery of the MX appliance.

- Audit Archive: Imperva Audit Archiving is the process of making a copy of the complete audit data collected by the gateways from all the agents as per the audit policies defined in the MX. It is created as an MPRV format file with the policy name. These files can be imported into the MX whenever there is a requirement to see the audit details of a particular site or group, depending on the requirement.

- Report Archive: Imperva Report Archiving is the process of making a copy of all alert and audit reports generated by the MX. It is likewise created as an MPRV format file.

1.13.2. REQUIREMENT
Create the backup of the DAM solution, audit and report data on an external location for disaster recovery. Purge audit data older than 2 weeks on the gateways.
On the "172.1.57.43" NFS server, the folders "ImpervaDCNew" and "ImpervaDRNew" are mounted at the "/media/mount" point on the DC and DR MX and gateways respectively. The Imperva backup schedules copy the archive and report data on a daily basis and the MX configuration on a weekly basis to these external NFS locations. Old data from "172.1.57.43" is manually copied into the DR shared folder "\\172.26.63.6\dambackupfolder" as per the available free space on the "172.1.57.43" server, and from there it is taken onto tapes.


1.13.3. Pre-Configuration Requirements
I. Configuring the NFS Share Folder
To mount the NFS folder on the MX and gateways, we first have to create the NFS shared folder on the "172.1.57.43" server. Right-click the folder, select the NFS Sharing tab and click the "Manage NFS Sharing" option. Tick the "Share this folder" option and click the Permissions button. Here we have to add the IPs of the DC MX and gateways with the "Read & Write" type of access, and the "Everyone" user should have "No Access" permission. Similarly configure the NFS folder for DR and give the permission to the DR MX and gateway IPs.
DC FOLDER

DR FOLDER

II. Mounting the Audit Archive Directory (NFS) (Imperva OS version 13.6.0.40)
To permanently mount an NFS directory:
1. Confirm that the NFS server is running on the remote machine.
2. Confirm that the directory is shared.
3. SSH to the gateway.
4. Log in as root.
5. Create a destination directory for the mount point (for example, /media/mount).
6. Run the below command to add the entry in the crontab so that it is mounted automatically on every reboot:
   crontab -e
IN DC MX:
@reboot root sleep 60;mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDCNew /media/mount
@reboot root sleep 60;mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDCNew /media/backup
IN DC GW:
@reboot root sleep 60;mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDCNew /media/mount

IN DR MX:
@reboot root sleep 60;mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDRNew /media/mount
@reboot root sleep 60;mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDRNew /media/backup
IN DR GW:
@reboot root sleep 60;mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDRNew /media/mount

Run the below commands to mount the NFS directory on the MX and gateways:

DC MX Server:
(Below mount point for taking the backup of the MX.)
mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDCNew /media/mount
(Below mount point for taking the backup of the MX.)
mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDCNew /media/backup
DC Gateway:
mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDCNew /media/mount
DR MX Server:
mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDRNew /media/mount
mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDRNew /media/backup
DR Gateway:
mount -t nfs -o nolock,nfsvers=3 172.1.57.43:/ImpervaDRNew /media/mount
The NFS folder should have the below mentioned settings (otherwise we will get an error like "permission denied").
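The @reboot crontab entries above run the mount with no error handling (and in a per-user crontab opened with crontab -e there is no user field, so the leading "root" token is executed as a command and fails before the mount runs), so after a reboot the only sign that a mount did not come up is the missing mount itself, and an archive job would then write into the local /media/mount directory instead of the NFS share. The following check is an added example, not part of this document and not Imperva code: it parses /proc/mounts and verifies that every mount expected for a given site (DC/DR) and role (MX/GW), taken from the mount commands above, is present, comes from 172.1.57.43, is of type nfs and carries the nolock and version-3 options. The embedded /proc/mounts content is constructed; that the kernel reports nfsvers=3 as vers=3 in /proc/mounts is an assumption about the kernel's output format.

```python
"""Verify the expected NFS archive mounts from /proc/mounts.

Added example, not part of the original document and not Imperva code.
The expected mount table is taken from the document's mount commands; the
sample /proc/mounts text is constructed so the script runs offline.
"""
from dataclasses import dataclass

NFS_SERVER = "172.1.57.43"

# (site, role) -> {mount point: exported directory}, from the document's commands.
EXPECTED = {
    ("DC", "MX"): {"/media/mount": "/ImpervaDCNew", "/media/backup": "/ImpervaDCNew"},
    ("DC", "GW"): {"/media/mount": "/ImpervaDCNew"},
    ("DR", "MX"): {"/media/mount": "/ImpervaDRNew", "/media/backup": "/ImpervaDRNew"},
    ("DR", "GW"): {"/media/mount": "/ImpervaDRNew"},
}
# Assumption: the kernel shows the "nfsvers=3" mount option as "vers=3".
REQUIRED_OPTIONS = {"nolock", "vers=3"}


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: frozenset


def parse_proc_mounts(text: str):
    """Parse /proc/mounts lines: 'source target fstype options dump pass'."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # /proc/mounts escapes spaces inside paths as \040
        src, tgt, fstype, opts = (p.replace("\\040", " ") for p in parts[:4])
        mounts.append(Mount(src, tgt, fstype, frozenset(opts.split(","))))
    return mounts


def check_mounts(mounts, site: str, role: str):
    """Return a list of problems; an empty list means every expected mount is OK."""
    problems = []
    by_target = {m.target: m for m in mounts}
    for target, export in EXPECTED[(site, role)].items():
        m = by_target.get(target)
        if m is None:
            problems.append(f"{target}: not mounted")
            continue
        if m.fstype != "nfs":
            problems.append(f"{target}: filesystem type is {m.fstype}, expected nfs")
        if m.source != f"{NFS_SERVER}:{export}":
            problems.append(f"{target}: mounted from {m.source}, expected {NFS_SERVER}:{export}")
        missing = REQUIRED_OPTIONS - m.options
        if missing:
            problems.append(f"{target}: missing mount options {sorted(missing)}")
    return problems


# Constructed sample /proc/mounts of a DC MX on which /media/backup never came up.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
172.1.57.43:/ImpervaDCNew /media/mount nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,hard,nolock,proto=tcp,addr=172.1.57.43 0 0
"""

if __name__ == "__main__":
    # On an appliance, replace SAMPLE_PROC_MOUNTS with open("/proc/mounts").read().
    problems = check_mounts(parse_proc_mounts(SAMPLE_PROC_MOUNTS), "DC", "MX")
    if problems:
        print("NFS mount check FAILED:")
        for p in problems:
            print("  -", p)
        raise SystemExit(1)
    print("NFS mount check OK")
```

A non-zero exit makes the check usable from a daily monitoring cron entry or from the shell before an "Archive Now" run; the missing /media/backup in the sample is exactly the case the @reboot entry would leave behind silently.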

1.13.4. CONFIGURATION OF ACTION SET FOR EXPORT BACKUP AND REPORT ARCHIVE
To configure the Export and Report Archive settings we first have to create the action set, where we define the path for archiving the data. In BOI we have created separate action sets for Export and Audit Archive.
Steps:
Log in to the MX "MAIN" interface, click on "POLICY" and select the System "ACTION SET". Click on "+" to add the backup path. Type the Name and select the "Archive" type. In BOI we have created the "System Archive" action for taking the EXPORT backup.

Select "NFS Archive > MX_backup_Archive", type the directory path "/media/backup" and "Save" the setting.


1.13.6. CONFIGURATION OF ACTION SET FOR AUDIT ARCHIVE

To configure the Audit Archive setting we first have to create the action set, where we define the path for archiving the data.
As the BOI MX is managed by the SOM, log in to the SOM, click on "Administrative MAINTENANCE" and select the System "Definition" tab. Select "Action Interface" and click on "+" to add the backup path. Type the Name and select the "NFS Archive" type. In BOI we have created the "Audit Archive" action for taking the audit backup.

Once added, provide the backup directory path "/media/mount".

1.13.7. MX EXPORT (Full Configuration) Backup Configuration

In the Export backup we define the backup path and the encryption password, and schedule the backup of the MX.
Go to the "Admin" console of the MX, click on the "Maintenance" option and select the "Export System" option. Type the "Encryption password" and schedule the configuration backup.
Note: The encryption password is required while restoring the configuration. The password is with the bank team. We have scheduled the EXPORT BACKUP of the MX on a WEEKLY basis at 5:30 AM in DC and 7:00 AM in DR.

For a manual backup click on the "Export Now" option.
DC MX:

DR MX:

1.13.8. AUDIT ARCHIVE AND PURGING CONFIGURATION

Go to the "MX" GUI, click on the "POLICY" tab and then click on the "Audit" option. Select any audit policy, click on the "Archiving" option of the audit policy and select the "Audit_Archive" action set which we created previously. It holds the path where the archive file will be created, i.e. "/media/mount". Select the Archive Settings as "Default_Archive_Settings". Schedule the archive on a daily basis, purge records older than "2 Weeks" and "SAVE" the setting. In the same way we have to schedule the archiving for all audit policies.
NOTE: As per the BANK requirement we have scheduled the archive of the audit policies on a daily basis and purge data older than 2 WEEKS. The archive is stored on the external NFS server (172.1.57.43) at mount point "/media/mount" in MPRV format.

For a manual archive, select the audit policy, click on the "Action" option at the corner and select the "Archive Now" option. It opens the Immediate Archiving window. In that, select the Archiving Action Set and Archive Settings as mentioned above, tick "Purge Archived Records" if you want to purge the logs, then click "Archive".

1.14. DC & DR AUDIT POLICY WITH DISC QUOTA AND PURGE PERIOD DETAILS

DC:

Policy Name                            | Archive Enabled | Archive Settings           | Purge Period | Disc Quota (%) | Disc Quota (GB)
BOI-FO Treasury Audit Policy           | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-GPS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-GST Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI EMERGE Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI QRCash Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI ATMRECON Audit Policy              | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI BBPS Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI CMS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-EDW Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI UPI Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 600
BOI FO CBS Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 500
BOI-DMS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI BTESIP Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-EFRMS Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 700
BOI Mobile Banking Audit Policy        | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 500
BOI-EWS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-FO CBS Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 500
BOI-CKYC Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI BIOMETRIC Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI IB Audit Policy                    | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 500
BOI FO Startoken Audit Policy          | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-NSDLCDSL Audit Policy              | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI - Login and Logout Audit           | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-FO IB Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 400
BOI-Finnacle Domestic Audit Policy     | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 500
BOI-CBOD Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI AML Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI FO IB Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 400
BOI-FO Startoken Audit Policy          | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI SMS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 500
BOI-Treasury Audit Policy              | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 700
BOI-HRMS Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-RRB CBS Audit Policy               | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 700
BOI CAPS Policy                        | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 300
BOI IMACS Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-Passbook-kiosk Audit Policy        | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 300
BOI-StarToken Audit Policy             | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 400
BOI-Financial Inclusion Audit Policy   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-CTS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-Finnacle10 Audit Policy            | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 700
BOI-RRB AML Audit Policy               | TRUE            | Default Archiving Settings | 2 Weeks      | 70             | 600
BOI-SFMS Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI-SARAL Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200

DR:

Policy Name                            | Archive Enabled | Archive Settings           | Purge Period | Disc Quota (%) | Disc Quota (GB)
BOI SFMS Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI BTESIP Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI FO IB Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI BBPS Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI Star Token Audit Policy            | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI EMERGE Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI ATM Recon Audit Policy             | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI -Table operations                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI EWS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI FO Treasury Audit Policy           | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI FO StarToken Audit Policy          | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI Finacle Domestic Audit Policy      | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI CBOD Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI - Login and Logout Audit           | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI FO CBS Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI SARAL Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI GPS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI UPI Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI DMS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI GST Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI - DDL commands                     | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI - DML Commands                     | TRUE            | Default Archiving Settings | 2 Weeks      | 75             | 750
BOI CTS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI Financial Inclusion Audit Policy   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI PIM Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI Treasury Domestic Audit Policy     | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI CKYC Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI RECON Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI RRBCBS Audit Policy                | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI Internet Banking Audit Policy      | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI CAPS Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI CFeedback Audit Policy             | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI EFRMS Audit Policy                 | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI Mobile Banking Audit Policy        | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI EDW Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI - Database configuration changes   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI HRMS Audit Policy                  | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI AML Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200
BOI SMS Audit Policy                   | TRUE            | Default Archiving Settings | 2 Weeks      | 50             | 200

1.15. REPORT ARCHIVE AND PURGING CONFIGURATION
Go to the “Admin” console of the MX. Click on the “Maintenance” option and select the “Report
Archive” option. In Report Archiving select the Archiving Action as “System Export”, which
we created for the MX backup, and the Archive Setting as “Default Archiving Settings”.
Note: The above setting archives the reports daily to the external NFS mount point in
MPRV format.
For a manual backup click on the “Archive Now” option. It archives all the reports and saves
them as a single MPRV file in the NFS folder.
For manual purging click on the “Purge Now” option. It purges all the reports from the MX, so
run “Archive Now” first and confirm that the MPRV file is present on the NFS mount before purging.
DC

DR

1.16. Other Configuration:
Uploading the License:
1. Go to the Admin menu > License.
2. Click on Action and select the Import option. The Upload window opens.
3. Click Choose File, browse to the location of the file and select it.
4. Click Upload. The upload begins and the Update License Information progress bar is
displayed. When the status is reported as 100%, click Continue.

Adding Route for particular subnet or agent IP in the Gateway
The Imperva DAM gateway has two interfaces: the management interface (eth0) and the agent
communication interface (eth1).
If an agent has an IP in the 172.1.30.X range, a route for that agent IP must be added towards
the agent communication interface; by default the traffic is sent out of eth0.
Check the routes on the DAM gateway. If no specific route is present, add a static route on the
gateway for the agent-facing interface.
To add the route:
1) Log in to the gateway CLI and type the command below.
impcfg

2) Select 3 (Manage Platform)

3) Select 1 (Manage Network)

4) Select 6 (Static Routes)

5) Select 1 (Add Route)

6) Type “host” (for a route to a single IP; otherwise type “network”)
7) Type the IP address (for a network, give it in CIDR form, e.g. “172.1.13.0/24”)
8) Type the gateway 172.1.80.1 (the next hop on the interface through which the traffic should be
sent; here it is eth1, the interface used for agent communication)

9) Type “t” (Top Level)

10) Type “A” to apply the configuration

11) Type “C” to confirm.

12) Type “S” to save the configuration and then type “q” to quit the console after saving.
Verify the route:

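To verify the route from the gateway's root shell rather than from the impcfg menu, the following POSIX shell snippet is an added example (not from the BOI document or from Imperva) that asks the kernel's live routing table with `ip route get` for each agent IP and checks that the traffic leaves via eth1 with next hop 172.1.80.1, the values given in the procedure above. The parsing is kept separate from the live call so it can be exercised on a captured line; the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the BOI document or Imperva): confirm that agent
# IPs egress through the agent-facing interface. eth1 and 172.1.80.1 come
# from the procedure above; the sample lines in the comments are constructed.
# Real use: ip route get <agent-ip>  ->  "<ip> via 172.1.80.1 dev eth1 src ..."

# Egress device from one "ip route get" output line (text after " dev ").
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]dev[[:space:]]\([^[:space:]]*\).*/\1/p'
}

# Next hop from the line (text after " via "); empty for a directly connected route.
route_via() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]via[[:space:]]\([^[:space:]]*\).*/\1/p'
}

# Returns 0 when the line egresses $2 and, if it has a next hop, that hop is $3;
# returns 1 otherwise (i.e. a static route via impcfg is still needed).
check_route_line() {
    line="$1"; want_dev="$2"; want_via="$3"
    dev=$(route_dev "$line"); via=$(route_via "$line")
    [ "$dev" = "$want_dev" ] || return 1
    [ -z "$via" ] || [ "$via" = "$want_via" ] || return 1
    return 0
}

# Live check for a list of agent IPs against the kernel routing table.
# Exit status is non-zero if any agent would leave through the wrong interface.
check_agents() {
    want_dev="$1"; want_via="$2"; shift 2
    rc=0
    for ip in "$@"; do
        # first line holds the route; later lines are cache details
        line=$(ip route get "$ip" 2>/dev/null | head -n 1)
        if check_route_line "$line" "$want_dev" "$want_via"; then
            echo "OK      $ip -> $line"
        else
            echo "MISSING $ip -> ${line:-no route}; add a static route via impcfg"
            rc=1
        fi
    done
    return $rc
}

# Usage on the gateway (as root):
#   check_agents eth1 172.1.80.1 172.1.30.11 172.1.30.12
```

Run it after every route change and after any agent is added in a new subnet; an agent whose traffic leaves via eth0 will typically show as disconnected on the MX even though the listener port is open.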
Manually Updating Gateway Configuration.
This procedure is needed when the gateway creates a core file and does not contain the
updated configuration, i.e. when “Gateway reverted to last known good configuration” appears
on the Dashboard or under Setup.
The procedure below is relevant for SecureSphere versions.
The gateway always keeps a local copy of the last good configuration it has loaded.

If a configuration update from the MX to the gateway fails for some reason, the gateway
reverts to its previous working configuration.

If you encounter this message, perform the following procedure. Note that “impctl server stop”
makes the MX unavailable and “impctl gateway stop” halts auditing on that gateway until it is
started again, so run the steps in an agreed maintenance window, and collect a Get-Tech-Info
(see “Generating the GTI” below) before deleting anything.

 Clear the configuration cache on the MX:
1. SSH to the MX
2. impctl server stop
3. Delete the files under the following directories:
rm -rf /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/webapps/SecureSphere/gwconfig/*
rm -rf /var/ServerLogs/SecureSphereWork/conf_classes/*
4. Start the server: impctl server start

 Then, force the Gateway to get a configuration update:

1. SSH to the GW
2. impctl gateway stop
rm -fr /opt/SecureSphere/etc/configuration/**
rm -rf /opt/SecureSphere/etc/sg*
rm -rf /opt/SecureSphere/etc/{gwconf.xml,config.xml}
rm -rf /opt/SecureSphere/etc/global/*
impctl gateway start
3. Verify that the Gateway has received the configuration successfully:
 SSH to the Gateway
 Run the command: "gwlog"
 Search for the following notification (this is an example only):
<div id="NOTIFICATION">06/10/2013 14:56:57<b>[NOTIFICATION]ConfigManager.cpp:4709</b> Full
configuration update finished successfully (in 65 seconds)</div>
If the Full configuration update does not finish successfully, contact Imperva Support and
provide the Get-Tech-Info taken from your Gateway and MX.

Extracting the Archive report file MPRV
To extract the contents of an archived report (stored daily on the external storage in
MPRV format), follow the steps below.
1. Copy the archive report file from /media/mount to /tmp

2. Run the command below to extract the file to /media/backup. The file passed with -keystore
is the MX's own keystore, so it must be available (and protected like any key material) wherever
archives are to be unpacked, for example at DR.

java -jar ~mxserver/bin/packagertool.jar -unpack -target <target_dir> -source
<source_mprv_file> -keystore <server_kst_file>
Example:-
java -jar /opt/SecureSphere/server/bin/packagertool.jar -unpack -target /media/backup/
-source /tmp/archive-reports_20201120-050006_-1401912851717636572.mprv
-keystore /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/securesphere.kst

======================================================================

Generating the GTI:

This process is required when the GTI (Get-Tech-Info) of the MX / Gateway / Agent has to be
uploaded to Imperva Support.
GTI Creation of MX / Gateway
From MX/GW CLI

1. SSH to the appliance (MX or GW) and log in as root.

Run the command below (123456 stands for the support case number the GTI is for):

"impctl support get-tech-info --last-server-archives=5 --case-number=123456"

2. Collect the generated file from /var/tmp/ or /tmp and send it to support.

From GUI:
Notes:

 The Gateway must be in the Running status.
 When exporting technical information from a Onebox architecture, both Gateway and MX
technical information is exported.

To collect logs from the GUI:

1. Log in to the Management server (MX)

2. For the MX tech-log go to Admin workspace => System Performance => Management
Server
3. For the Gateway tech-log go to Main workspace => Setup => Gateways => select the relevant
GW => Details pane

GTI Creation of Agent:

FROM DB Server:
The steps below create the GTI file on the DB server itself, for use when the agent shows
disconnected status (so the MX cannot retrieve it remotely).

1. SSH to the server with root access

2. Go to the agent installation directory: cd /opt/imperva/ragent/bin/

3. Run: ./racli

4. Select (3) Troubleshooting

5. Select (2) Get tech info

The log file ragent_tech_support.case-X.Y.tar.gz will be created under /var or
/tmp (for default installations it will be under /opt/imperva/agent/var ).

Note: X and Y are numbers that count how many times this operation has been performed.

Note: The Agent collects all relevant debugging data. Collecting the information
may take several minutes to complete depending on the server host.

From DAM GUI when agent is active:

1. Go to Main menu > Agents and select the Workbench option.

2. Select the agent and right-click on it.
3. Go to the Log Retrieval option and select the Get agent technical info option.
4. The “Get Agent Technical info for all selected agents” window opens; type the comment
and click OK.
5. The “Performing agent operation” window opens and shows a progress bar.
6. After completion, it asks where to save the generated file. Provide the path to save the file
and click Finish.
