Why do I need SQL rules going both directions on my Juniper SSG firewall?

Posted on 2009-04-28
Last Modified: 2012-05-06
Server A needs to call on Server B via SQL (port 1433) across a zone, and in order to get this to work, I'm having to open SQL in both directions. I think that the SQL ALG should prevent the need for this two-way rule policy. Is my firewall not working correctly, or do I misunderstand how this should be operating?
Question by:NetAdminGuy
    LVL 15

    Accepted Solution

    If you have a policy that permits Server A to talk to Server B, for example:

    set policy id 105 from trust to vpn ServerA ServerB SQL permit log

    add a line

    set policy id 105 application ignore

    This should bypass ALG for this link for these hosts.  If SQL ALG is enabled on both ends, you likely will need rules on both sides regardless to bypass ALG for SQL for these two servers.

    If both of these hosts are trusted hosts, bypassing ALG will reduce CPU on both firewalls.

    Good luck!
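    A fuller version of the configuration the answer sketches, written out as an added example (it is not from the original answer or from Juniper). The zone names (app, db), the IP addresses and the custom service name are assumptions for illustration; the lines starting with # are commentary, not ScreenOS CLI.

```text
# Added example: one-way SQL Server access from ServerA to ServerB on a
# Juniper SSG (ScreenOS). Zones, addresses and service name are assumed.

# Address book entries, each in the zone the host actually sits in
set address "app" "ServerA" 10.10.10.20 255.255.255.255
set address "db"  "ServerB" 10.10.20.30 255.255.255.255

# Custom service scoped to TCP/1433 only (no "any" or port-range service)
set service "MSSQL-1433" protocol tcp src-port 0-65535 dst-port 1433-1433

# One policy, app -> db, restricted to the two hosts and the one service.
# The SSG is a stateful firewall: ServerB's replies belong to the session
# this policy creates, so they need no db -> app policy of their own.
set policy id 105 from "app" to "db" "ServerA" "ServerB" "MSSQL-1433" permit log
# Bypass ALG handling for this policy, as the answer describes
set policy id 105 application ignore
save

# Verify the policy, then watch the session appear while ServerA connects
get policy id 105
get session src-ip 10.10.10.20 dst-ip 10.10.20.30
```

    A second policy in the db -> app direction is only needed if ServerB itself opens connections back to ServerA (for example a linked server or replication), and that is a separate flow to permit explicitly rather than a mirror of this one.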

    LVL 3

    Author Closing Comment

    Would appreciate a follow-up on what you think about the VPN, since these are both on the same network. Is it best to use one given this, or should I leave that out?
    LVL 15

    Expert Comment

    When you say both servers are on the same network, do you mean they are on the same IP subnet, same physical network or some other definition of "same network"?

    LVL 3

    Author Comment

    Odd... I thought I posted a follow-up with more details, but I guess not. Sorry. Specifically, there are two servers on two separate VLANs (on our firewall this means two separate zones), and the policy is all that's separating them. So they are located beside each other in a rack in the same building with nothing but a logical zone/VLAN and policy separating them. Just curious if you think a VPN between them is the best odds in this case? I wasn't clear about them being at the same location before, so just curious.
    LVL 15

    Expert Comment

    That would depend on the business and technical reasons requiring them to have been set up on logically separate networks.  If the reasons this was done originally are no longer pertinent, then from both a performance and maintenance perspective, you'll likely want to consider consolidating them on to the same network.

    Without knowing more about the environment, I cannot give you better advice.
