The Oracle Database Firewall is a great product for performing both Database Policy Enforcement (DPE) and Database Activity Monitoring (DAM). In DPE mode there are two in-line modes: physical and proxy. The physical mode is being deprecated, so proxy is recommended. Packet replication technologies such as Gigamon can also be used to feed the Firewall. These solutions involve not only configuring the Firewall Server but also significant configuration of the network hardware. For Database Activity Monitoring, the Oracle Database Firewall can either receive the database server's traffic through physical port spanning/mirroring, or the Oracle Audit Vault Host Monitor can be used instead.
In some Oracle Database Firewall use cases, network port spanning/mirroring just can't be used because of constraints on the network, such as virtual networking components. For example, in some blade chassis all the blades share the same physical network adapters, so there is no per-server port to mirror. The same is true of databases in the cloud (Oracle Cloud, Azure and Amazon) and of virtualized database servers (Oracle VM, VMware, etc.). In these cases, the solution is to use the Oracle Audit Vault Host Monitor in conjunction with the Oracle Database Firewall to perform Database Activity Monitoring. No additional networking configuration is required, but the Host Monitor captures traffic on the database server itself, so there is more overhead on that server.
Configuring the network to use spanning/mirroring so that Database Activity Monitoring can be done directly is the better solution, since it adds no load to the database server. However, when re-configuring the network is too difficult, use the Host Monitor. Before settling on either option, confirm that the mirrored feed actually carries the database traffic in both directions; a one-way or empty SPAN port is a common reason for a network-based deployment to "see nothing". These simple considerations will help optimize your Oracle Database Firewall deployment.
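As an added example (not part of the original post, and not Oracle's own tooling), the following shell script is the kind of pre-flight check a practitioner would run on a prospective Database Firewall monitoring host before committing to the spanning/mirroring approach. It counts packets to and from the database listener on the interface that is supposed to receive the mirrored traffic and reports whether the SPAN feed is healthy, one-directional, or empty. The interface name, the use of `tcpdump` and `timeout`, and running as root are assumptions; TCP 1521 is simply the default Oracle listener port and should be changed if your listener uses another.

```shell
#!/bin/sh
# Added example: sanity-check a SPAN/mirror feed before relying on it for
# network-based Database Activity Monitoring. Assumptions (not from the page):
# MON_IF is the interface receiving mirrored frames, tcpdump and timeout are
# installed, the listener is on TCP 1521, and this runs as root.

MON_IF="${MON_IF:-eth1}"           # monitoring interface (assumed name)
DB_PORT="${DB_PORT:-1521}"         # Oracle listener port (default 1521)
SAMPLE_PKTS="${SAMPLE_PKTS:-200}"  # stop each capture after this many packets
TIMEOUT_SEC="${TIMEOUT_SEC:-30}"   # ...or after this many seconds, whichever first
MIN_PKTS="${MIN_PKTS:-5}"          # below this a direction is considered "not seen"

# Capture on the monitoring interface with the given BPF filter and return the
# approximate packet count (one summary line per packet at default verbosity).
# tcpdump puts the interface into promiscuous mode itself, which a SPAN
# destination needs because the mirrored frames are not addressed to it.
count_pkts() {
    filter="$1"
    timeout "$TIMEOUT_SEC" tcpdump -nn -i "$MON_IF" -c "$SAMPLE_PKTS" \
        "$filter" 2>/dev/null | wc -l | tr -d ' '
}

# Pure decision helper so the verdict can be reasoned about (and tested)
# independently of a live capture:
#   $1 = packets seen going TO the listener (client requests)
#   $2 = packets seen coming FROM the listener (server responses)
#   $3 = minimum count for a direction to count as present
# A SPAN session configured for one direction only is a classic misconfiguration:
# the Firewall then sees the SQL statements but not the result/error traffic,
# or vice versa.
span_verdict() {
    to_db="$1"; from_db="$2"; min="$3"
    if [ "$to_db" -ge "$min" ] && [ "$from_db" -ge "$min" ]; then
        echo "SPAN_OK"
    elif [ "$to_db" -ge "$min" ]; then
        echo "ONE_WAY_TO_DB_ONLY"
    elif [ "$from_db" -ge "$min" ]; then
        echo "ONE_WAY_FROM_DB_ONLY"
    else
        echo "NO_TRAFFIC"
    fi
}

# Live check: run two short captures, one per direction, then classify.
# Requires root and a monitoring interface; not executed when the file is merely
# sourced, so the helpers above can be reused.
check_span_feed() {
    to_db=$(count_pkts "tcp dst port $DB_PORT")
    from_db=$(count_pkts "tcp src port $DB_PORT")
    verdict=$(span_verdict "$to_db" "$from_db" "$MIN_PKTS")
    echo "to_db=$to_db from_db=$from_db verdict=$verdict"
    case "$verdict" in
        SPAN_OK)   return 0 ;;  # network-based DAM is viable here
        ONE_WAY_*) return 2 ;;  # fix the SPAN/mirror session direction (both/rx+tx)
        *)         return 1 ;;  # nothing mirrored: fix the network, or fall back to Host Monitor
    esac
}

# Uncomment to run against a live interface:
# check_span_feed
```

Run it during a period of known database activity (or generate some with a test client); an empty capture during an idle window proves nothing. An exit status of 2 means the feed exists but only one direction is mirrored, which is fixed on the switch or packet broker rather than by switching to the Host Monitor; an exit status of 1 with no traffic at all, after checking the session configuration, is the situation the text describes where the Host Monitor becomes the practical choice.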