Bypassing dedicated network interface in Oracle RAC DB cluster environment

Product / Version includes:

Deep Security11.1 , Deep Security11.2 , Deep Security20.0 , Deep Security9.6 , Deep Security11.0 , Deep Security10.2 , Deep Security10.1 , Deep Security10.0 , Deep Security10.3

Last updated: 2021/08/28

Solution ID: KA-0008063

Category: Configure

Summary

In an AIX or Oracle cluster environment, you may bypass network security scan on dedicated NIC, which has cluster traffic only. It will help you mitigate any performance issues or connectivity issues. Note that only the dedicated NIC used for cluster can be bypassed. You should never bypass NIC with traffic for production.

The procedure below only applies to Deep Security Agent (DSA) installations on AIX or Oracle servers. It should only be used by customers using a clustered database or other clustering software on a set of AIX or Oracle servers. The purpose of the modification is to avoid cluster node evictions or data replication performance issues where the clustering application (e.g. Oracle RAC DB) is highly sensitive to the packet latency impact of Deep Security Firewall or Intrusion Protection/Detection features.

Traffic on the bypassed interfaces will not be inspected, firewalled or protected in any way. For this reason, it is very important to ensure that only cluster infrastructure traffic (e.g. cluster internode communication, node health checks, or data replication) is running on the interface(s) to be bypassed. ONLY BYPASS CLUSTER-PRIVATE NETWORK INTERFACES. DO NOT BYPASS INTERFACES CARRYING PRODUCTION TRAFFIC OR INTERFACES WHICH ARE OPEN TO THE PUBLIC INTERNET.

To bypass dedicated network interface, follow the procedure for your environment:

EXPAND ALL

AIX

Determine the MAC address of each interface that you want to bypass.

netstat -I <interface name>

Below is an example:

-bash-3.2# netstat -I en0  Name  Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll  en0   1500  link#2      26.3e.22.8a.c.4   6169460     0  1069162     0     0  en0   1500  10.203.144  qa-aix71          6169460     0  1069162     0     0

Convert the MAC address to uppercase with 0 padding and colon separators.
For example, convert "26.3e.22.8a.c.4" to "26:3E:22:8A:0C:04".
Assemble the MAC addresses into a comma-separated list with prefix "MAC_EXCLUSIVE_LIST=".
For example, "MAC_EXCLUSIVE_LIST=26:3E:2C:86:AB:04,26:3E:22:8A:0C:04".
On the AIX server, stop the ds_agent process. This will not interfere with business operations and will not affect the protection of the AIX server, as the ds_filter kernel module remains loaded and functional.
#stopsrc -s ds_agent
On the AIX server, use vi or another editor to create or edit the file /etc/ds_filter.conf by adding the line of text from Step 3 to the file.
On the AIX server, start the ds_agent process. Again, this will not interfere with business operations and will not affect the protection of the AIX server.
#startsrc -s ds_agent
The traffic on the interfaces in the list from Step 3 will now be bypassed by the Deep Security Agent. Please collect the output from the following commands to confirm that the configuration is correct:
#netstat -I <interface_name>
#netstat -I <interface_name>
#cat /etc/ds_filter.conf
#ls -l /etc/ds_filter.conf
#ps -ef |grep ds_agent

Other OS

If you have ORACLE RAC cluster in Solaris, Linux or even Windows, to bypass the NIC, follow the steps in this KB article: Bypassing a network interface in Windows, Linux and Unix.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Bypassing dedicated network interface in Oracle RAC DB cluster environment

AIX

Other OS

Bypassing dedicated network interface in Oracle RAC DB cluster environment

Product / Version includes:

Summary

AIX

Other OS