Bypassing dedicated network interface in AIX cluster environment

    • Updated:
    • 8 Dec 2017
    • Product/Version:
    • Deep Security 10.0
    • Deep Security 10.1
    • Deep Security 10.2
    • Deep Security 9.6
    • Platform:
    • IBM AIX 5.3
    • IBM AIX 6.1
    • IBM AIX 7.1
Summary

In an AIX cluster environment, you can exempt a dedicated NIC that carries only cluster traffic from network security scanning. This helps mitigate performance or connectivity issues caused by inspection latency. Note that only the NIC dedicated to cluster traffic may be bypassed; never bypass a NIC that carries production traffic.

The procedure below only applies to Deep Security Agent (DSA) installations on AIX servers. It should only be used by customers using a clustered database or other clustering software on a set of AIX servers. The purpose of the modification is to avoid cluster node evictions or data replication performance issues where the clustering application (e.g. Oracle RAC DB) is highly sensitive to the packet latency impact of Deep Security Firewall or Intrusion Protection/Detection features.

 
Traffic on the bypassed interfaces will not be inspected, firewalled or protected in any way. For this reason, it is very important to ensure that only cluster infrastructure traffic (e.g. cluster internode communication, node health checks, or data replication) is running on the interface(s) to be bypassed. ONLY BYPASS CLUSTER-PRIVATE NETWORK INTERFACES. DO NOT BYPASS INTERFACES CARRYING PRODUCTION TRAFFIC OR INTERFACES WHICH ARE OPEN TO THE PUBLIC INTERNET.
Details

To bypass a dedicated network interface in an AIX environment:

  1. Determine the MAC address of each interface that you want to bypass.

    netstat -I <interface name>

    Below is an example:

    -bash-3.2# netstat -I en0
    Name  Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
    en0   1500  link#2      26.3e.22.8a.c.4   6169460     0  1069162     0     0
    en0   1500  10.203.144  qa-aix71          6169460     0  1069162     0     0
  2. Convert the MAC address to uppercase with 0 padding and colon separators.
    For example, convert "26.3e.22.8a.c.4" to "26:3E:22:8A:0C:04".
  3. Assemble the MAC addresses into a comma-separated list with prefix "MAC_EXCLUSIVE_LIST=".
    For example, "MAC_EXCLUSIVE_LIST=26:3E:2C:86:AB:04,26:3E:22:8A:0C:04".
  4. On the AIX server, stop the ds_agent process. This will not interfere with business operations and will not affect the protection of the AIX server, as the ds_filter kernel module remains loaded and functional.

    #stopsrc -s ds_agent

  5. On the AIX server, use vi or another editor to create or edit the file /etc/ds_filter.conf by adding the line of text from Step 3 to the file.
  6. On the AIX server, start the ds_agent process. Again, this will not interfere with business operations and will not affect the protection of the AIX server.

    #startsrc -s ds_agent

  7. The traffic on the interfaces in the list from Step 3 will now be bypassed by the Deep Security Agent. Please collect the output from the following commands to confirm that the configuration is correct:

    #netstat -I <interface_name>
    #netstat -I <interface_name>
    #cat /etc/ds_filter.conf
    #ls -l /etc/ds_filter.conf
    #ps -ef |grep ds_agent
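Steps 1 to 3 above are easy to get wrong by hand (AIX prints MAC octets without zero padding and in lowercase). The POSIX shell script below, an added example and not Trend Micro's own code, parses the `link#` line of `netstat -I` output, normalises each MAC as Step 2 requires and emits the `MAC_EXCLUSIVE_LIST=` line for /etc/ds_filter.conf. It assumes the column layout shown in the article's netstat example and an awk with `toupper` (standard on AIX); the netstat text embedded in it is a constructed sample modelled on that example.

```shell
#!/bin/sh
# Added example (not Trend Micro's code): derive the MAC_EXCLUSIVE_LIST line
# for /etc/ds_filter.conf from AIX `netstat -I <interface>` output.

# Normalise one AIX dotted MAC (e.g. 26.3e.22.8a.c.4) to 26:3E:22:8A:0C:04.
# Fails (exit 1, no output) unless exactly six octets are present.
mac_normalize() {
    printf '%s\n' "$1" | awk -F'.' '{
        if (NF != 6) { exit 1 }
        out = ""
        for (i = 1; i <= NF; i++) {
            oct = toupper($i)                       # uppercase hex digits
            if (length(oct) == 1) { oct = "0" oct } # zero-pad to two digits
            out = out (i > 1 ? ":" : "") oct        # colon separators
        }
        print out
    }'
}

# Pull the MAC from the link# row of `netstat -I` output read on stdin
# (column 3 is "link#N", column 4 is the address, as in the article's example).
mac_from_netstat() {
    awk '$3 ~ /^link#/ { print $4; exit }'
}

# Build the Step 3 line from one or more dotted MACs; any malformed
# MAC aborts the whole line so a partial list is never written.
build_exclusive_list() {
    list=""
    for mac in "$@"; do
        norm=$(mac_normalize "$mac") || { echo "malformed MAC: $mac" >&2; return 1; }
        list="${list}${list:+,}${norm}"
    done
    printf 'MAC_EXCLUSIVE_LIST=%s\n' "$list"
}

# Constructed sample, modelled on the article's `netstat -I en0` output.
SAMPLE_NETSTAT='Name  Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
en0   1500  link#2      26.3e.22.8a.c.4   6169460     0  1069162     0     0
en0   1500  10.203.144  qa-aix71          6169460     0  1069162     0     0'

# Usage: on a real host replace the sample with `netstat -I en1 | mac_from_netstat`
# for each cluster-private interface, then append the printed line to /etc/ds_filter.conf.
en0_mac=$(printf '%s\n' "$SAMPLE_NETSTAT" | mac_from_netstat)
build_exclusive_list "$en0_mac" 26.3e.2c.86.ab.4
```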

Category: Configure
Solution Id: 1119005