Setting Additional Definitions for Firewall
To set further definitions for Firewall (in addition to those shown in Setting General Definitions for Firewall), select 2. Additional Settings from the iSecurity (part I) Global Parameters screen (STRFW > 81).
The Firewall Additional Settings screen appears.
Firewall Additional Settings

Analyze cmds in QCMDEXC,QCAPCMD . . .  SQL: Y  Rmt Cmd: Y  FTP: Y  DDM: Y
Analyze calls to QSYS,QGY pgms . . . .  SQL: Y  Rmt Pgm: Y
Inherit In-product DB2 authorities . .  1   1=No, 2=Yes, 3=No, Usr/Grp found-stop
                                            4=Yes, Allowed only
Inherit In-product IFS authorities . .  1   1=No, 2=Yes, from higher dir,
                                            3=Yes, from higher dir or file*
                                            4=Yes, from higher dir Allowed only
Skip activities of user or grpprf . .
Skip SQL parsing if final decision was taken at (leave blank for parsing)
  Global level . . . . .      1=Always, 2=Allow, 3=Reject
  IP level . . . . . . .      1=Always, 2=Allow, 3=Reject
  User level . . . . . .      1=Always, 2=Selected users
                              For 2: user or grpprf.
Action for SQL that cannot be parsed .  5   1=Allow, 2=Allow+Extended log
                                            5=Reject, 6=Reject+Extended log
Log internal activity of iSecurity . .  N   Y=Yes, N=No
Log SQL Execute, Open & Fetch... stmts  N   Y=Yes, N=No
Log indicates if SSL is used . . . .    1   1=No (saves performance), 2=Yes
Check FTP Logon PWD by product . . . .  N   Y=Yes (not recommended), N=No

F3=Exit   F12=Previous
The screen contains the following fields:
Analyze cmds in QCMDEXC,QCAPCMD
Enables analysis of the command strings passed to QCMDEXC or QCAPCMD on the listed servers (SQL, Remote Command, FTP and DDM). Without this analysis Firewall sees only the outer call to QCMDEXC or QCAPCMD; with it, the programs and commands embedded in that call are analyzed as well, so a command wrapped in QCMDEXC or QCAPCMD is checked against the same rules as the command issued directly.
There are four subfields, for
- SQL
- Rmt Cmd (Remote CMD)
- FTP
- DDM
Possible values for each are:
- Y: Analyze commands called for this server within QCMDEXC and QCAPCMD. (Recommended.)
- N: Do not analyze commands.
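The following Python is an added example, not part of the product documentation or Raz-Lee's own code. It models what the Y/N choice changes: a hypothetical server rule that rejects certain commands by name (DLTF, CLRPFM, CHGUSRPRF) is only effective if the command string inside the QCMDEXC or QCAPCMD call is unwrapped and checked too. The command strings are constructed samples in the CL and SQL (QSYS2.QCMDEXC) calling forms; the unwrapping takes the first quoted literal after the wrapper name as the command, which matches QCMDEXC's first parameter and is an assumption for QCAPCMD's longer parameter list. None of this is the product's parser.

```python
import re

# Hypothetical server rule: commands rejected by name for this server.
BLOCKED = {"DLTF", "CLRPFM", "CHGUSRPRF"}

# Constructed samples (not captured from a real system): the same kind of
# destructive command issued directly, wrapped once, and wrapped twice.
# The X'...' literals are the packed DEC(15 5) length parameter of QCMDEXC.
SAMPLES = {
    "direct": "DLTF FILE(PRODLIB/PAYROLL)",
    "sql_wrapped": "CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(APPUSER) SPCAUT(*ALLOBJ)')",
    "cl_wrapped": "CALL PGM(QCMDEXC) PARM('DLTF FILE(PRODLIB/PAYROLL)' X'000000002600000F')",
    "nested": ("CALL QSYS2.QCMDEXC('CALL PGM(QCMDEXC) PARM(''CLRPFM FILE(PRODLIB/AUDIT)''"
               " X''000000002600000F'')')"),
    "harmless": "DSPLIB LIB(PRODLIB)",
}

WRAPPER_RE = re.compile(r"\b(QCMDEXC|QCAPCMD)\b", re.IGNORECASE)


def first_literal(text, start):
    """Contents of the first quoted literal at or after `start`, with the
    CL/SQL escape '' turned back into a single quote. None if there is none
    or the literal is unterminated."""
    i = text.find("'", start)
    if i < 0:
        return None
    out, j = [], i + 1
    while j < len(text):
        if text[j] == "'":
            if j + 1 < len(text) and text[j + 1] == "'":
                out.append("'")
                j += 2
                continue
            return "".join(out)
        out.append(text[j])
        j += 1
    return None


def unwrap(command, max_depth=8):
    """Chain of commands: the outer one, then each command found inside a
    QCMDEXC/QCAPCMD literal, innermost last. Depth is capped so a
    pathological input cannot make the unwrapping loop without bound."""
    chain = [command.strip()]
    for _ in range(max_depth):
        m = WRAPPER_RE.search(chain[-1])
        if not m:
            break
        inner = first_literal(chain[-1], m.end())
        if inner is None:
            break
        chain.append(inner.strip())
    return chain


def command_name(command):
    """Command name a rule would key on: the first token, upper-cased."""
    parts = command.split()
    return parts[0].upper() if parts else ""


def decide(command, analyze_wrapped):
    """Y behaviour checks every command in the chain; N checks only the outer one."""
    chain = unwrap(command) if analyze_wrapped else [command.strip()]
    hits = [c for c in chain if command_name(c) in BLOCKED]
    return "REJECT" if hits else "ALLOW"


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:12} N={decide(cmd, False):6} Y={decide(cmd, True):6} "
              f"innermost={command_name(unwrap(cmd)[-1])}")
```

With the setting at N, every wrapped sample is allowed because the only command Firewall sees is CALL; with Y, the innermost command is found and the rule fires. The harmless and direct samples decide the same way under both settings, which is the expected cost of enabling the analysis: nothing that was already visible changes.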
Analyze calls to QSYS,QGY pgms
Enables analysis of calls to programs that reside in the QSYS and QGY libraries on the SQL and Remote Program servers. Such calls are normally permitted calls to operating-system APIs and do not usually need analysis.
There are subfields for the two servers, SQL and Rmt Pgm.
Possible values for each are:
- Y: Analyze the program calls.
- N: Do not analyze the program calls. (Recommended.)
Inherit In-product DB2 authorities
Controls how in-product DB2 authorities in Native Object Security are inherited. By default, an authority defined for a more specific object name takes precedence over one defined for a more generic object name.
The field has these possible values:
- 1: No
- 2: Yes
- 3: No, Usr/Grp found-stop
- 4: Yes, Allowed only
Inherit In-product IFS authorities
For IFS objects, whether priority is given to the rules for the higher-level directories containing an object, or to the more specific rules for lower-level directories or for generic or specific file names.
The field has these possible values:
- 1: No. Priority goes to the rules for lower-level directories, or for the generic or specific file.
- 2: Yes, from higher directory. Priority goes to the rules for higher-level directories.
- 3: Yes, from higher directory or file. Priority goes to the rules for higher-level directories or generic files over those for lower-level directories or generic files.
- 4: Yes, from higher directory, Allowed only (as labelled on the screen).
Skip activities of user or grpprf
Up to six user profiles or group profiles whose activity is accepted without any Firewall checking.
Skip SQL parsing if final decision was taken at
Skips SQL parsing when it is not needed. The setting is applied according to the level at which the final decision was taken (Global, IP or User) and, for the Global and IP levels, the type of decision.
If the decision to accept or reject the SQL activity was taken at the Global or IP level, Firewall may still parse the SQL afterwards. The value entered for that level controls this:
- (blank): Regardless of the decision, the SQL is always parsed.
- 1: Regardless of the decision, parsing is always skipped.
- 2: If the decision was to allow the activity, parsing is skipped.
- 3: If the decision was to reject the activity, parsing is skipped.
If the decision was taken at the User level:
- (blank): Regardless of the decision, the SQL is always parsed.
- 1: Regardless of the decision, parsing is always skipped.
- 2: Regardless of the decision, parsing is skipped for up to three users or group profiles listed on the next line.
Action for SQL that cannot be parsed
Take these actions if Firewall cannot parse the commands within an SQL statement.
- 1: Allow the transaction.
- 2: Allow the transaction and write the unparsed SQL statement to an extended log.
- 5: Reject the transaction.
- 6: Reject the transaction and write the unparsed SQL statement to an extended log.
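As an added example that is not part of the product documentation, the Python below models the skip-parsing rules above together with the "Action for SQL that cannot be parsed" codes, so the effect of a given screen setting can be checked before it is applied. The settings object, the profile list, the level and decision names, and the `parses` flag standing in for Firewall's SQL parser are all hypothetical; what happens after a successful parse is not modelled.

```python
from dataclasses import dataclass


@dataclass
class SkipParseSettings:
    """Values as typed on the 'Skip SQL parsing if final decision was taken
    at' lines: blank, '1', '2' or '3' for Global/IP; blank, '1' or '2'
    for User. (Hypothetical structure, not the product's own.)"""
    global_level: str = ""
    ip_level: str = ""
    user_level: str = ""
    user_level_profiles: tuple = ()   # the 'For 2: user or grpprf' list


# 'Action for SQL that cannot be parsed' code -> (decision, extended log)
UNPARSEABLE_ACTION = {
    "1": ("ALLOW", False),
    "2": ("ALLOW", True),
    "5": ("REJECT", False),
    "6": ("REJECT", True),
}


def skip_parsing(s, decided_at, decision, user=None):
    """decided_at is 'GLOBAL', 'IP' or 'USER'; decision is 'ALLOW' or 'REJECT'."""
    if decided_at in ("GLOBAL", "IP"):
        code = s.global_level if decided_at == "GLOBAL" else s.ip_level
        if code == "1":
            return True                      # always skip
        if code == "2":
            return decision == "ALLOW"       # skip only when allowed
        if code == "3":
            return decision == "REJECT"      # skip only when rejected
        return False                         # blank: always parse
    if decided_at == "USER":
        code = s.user_level
        if code == "1":
            return True
        if code == "2":                      # decision irrelevant; list decides
            listed = {p.upper() for p in s.user_level_profiles}
            return user is not None and user.upper() in listed
        return False
    raise ValueError(f"unknown decision level {decided_at!r}")


def sql_outcome(s, unparseable_code, decided_at, decision, parses, user=None):
    """Return (final decision, parse attempted?, extended log written?).
    `parses` stands in for whether the SQL parser could handle the statement."""
    if skip_parsing(s, decided_at, decision, user):
        return decision, False, False
    if parses:
        # Parsed successfully; the level decision stands in this model.
        return decision, True, False
    action, ext_log = UNPARSEABLE_ACTION[unparseable_code]
    return action, True, ext_log


if __name__ == "__main__":
    s = SkipParseSettings(global_level="2", user_level="2",
                          user_level_profiles=("BATCHSQL",))
    print(sql_outcome(s, "6", "GLOBAL", "ALLOW", parses=False))   # skipped
    print(sql_outcome(s, "6", "IP", "ALLOW", parses=False))       # rejected
```

The second printed case is the one worth noticing when leaving the default of 5 or 6: a statement that an IP-level rule allowed is still rejected if the parser cannot handle it, so unusual but legitimate SQL surfaces as rejections. Setting the level to skip parsing for allowed decisions avoids that, at the cost of not seeing what the statement touches.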
Log internal activity of iSecurity
Whether to log internal activity by other iSecurity products, the operating system, and ShowCase. This is usually set to N.
Log SQL Execute, Open & Fetch... stmts
Whether to log the SQL Execute, Open, and Fetch statements. Since these are already scanned when the SQL statement is prepared, this can usually be set to N.
Log indicates if SSL is used
Firewall can try to determine from a transaction whether SSL is used. Since this is performance intensive, it is not recommended except for limited periods of time.
- 1: No (saves performance).
- 2: Yes (try to determine whether SSL is used).
Check FTP Logon PWD by product
Whether Firewall itself should check FTP logon passwords rather than leaving this to the operating system.
- Y: Firewall checks the logon password. (Not recommended.)
- N: The operating system checks the logon password.