Why do I need SQL rules going both directions on my Juniper SSG firewall?

Server A needs to call on Server B via SQL (port 1433) across a zone, and in order to get this to work, I'm having to open SQL in both directions. I think that the SQL ALG should prevent the need for this two-way rule policy. Is my firewall not working correctly, or do I misunderstand how this should be operating?
Thanks!
Asked by: NetAdminGuy

1 Solution

WalkaboutTigger commented:
If you have a policy that permits Server A to talk to Server B, for example:

set policy id 105 from trust to vpn ServerA ServerB SQL permit log

add a line

set policy id 105 application ignore

This should bypass ALG for this link for these hosts.  If SQL ALG is enabled on both ends, you likely will need rules on both sides regardless to bypass ALG for SQL for these two servers.

If both of these hosts are trusted hosts, bypassing ALG will reduce CPU on both firewalls.

Good luck!

Walkabout
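To make the direction question concrete, here is a small stateful-policy model (an added example for this thread, not ScreenOS code, and not a reproduction of any vendor's session logic). The zones, host names and policy id 105 are taken from the answer above; the packet tuples, port 50000/50001 source ports and the `alg_bypass` flag standing in for `application ignore` are constructed assumptions. It shows why a single trust-to-vpn policy already covers Server B's replies, and that a second, reverse-direction policy only becomes necessary when Server B opens connections of its own toward Server A.

```python
# Toy model of a stateful firewall's policy lookup. Constructed example for this
# thread; it is not ScreenOS code and does not reproduce any vendor's session
# logic. Hosts, zones and policy id 105 come from the answer above; the
# 'alg_bypass' flag stands in for 'set policy id 105 application ignore'.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a new TCP connection


@dataclass
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: str
    dst: str
    dport: int
    action: str = "permit"
    alg_bypass: bool = False  # 'application ignore': skips payload inspection only


class StatefulFirewall:
    def __init__(self, policies):
        self.policies = policies
        # Sessions are stored as the initiator's 4-tuple (src, sport, dst, dport).
        self.sessions = set()

    @staticmethod
    def _forward_key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def evaluate(self, pkt):
        """Return the decision for one packet, updating the session table."""
        # Step 1: anything belonging to an established session is passed on the
        # session entry alone; reply packets never consult the policy list.
        if self._forward_key(pkt) in self.sessions or self._reverse_key(pkt) in self.sessions:
            return "permit (session)"
        # Step 2: only a connection-opening packet is matched against policy,
        # and only in the from-zone -> to-zone direction the policy names.
        for pol in self.policies:
            if (pol.from_zone, pol.to_zone, pol.src, pol.dst, pol.dport) == (
                pkt.src_zone, pkt.dst_zone, pkt.src, pkt.dst, pkt.dport
            ):
                if pol.action == "permit" and pkt.syn:
                    self.sessions.add(self._forward_key(pkt))
                note = ", ALG bypassed" if pol.alg_bypass else ""
                return f"{pol.action} (policy {pol.pid}{note})"
        return "deny (default)"


def run_scenario():
    """A opens SQL to B, B replies, then B tries to open its own SQL session to A."""
    fw = StatefulFirewall([
        Policy(105, "trust", "vpn", "ServerA", "ServerB", 1433, alg_bypass=True),
    ])
    # Constructed packets; 50000/50001 are arbitrary client-side source ports.
    a_to_b_syn = Packet("trust", "vpn", "ServerA", 50000, "ServerB", 1433, syn=True)
    b_reply = Packet("vpn", "trust", "ServerB", 1433, "ServerA", 50000, syn=False)
    b_to_a_syn = Packet("vpn", "trust", "ServerB", 50001, "ServerA", 1433, syn=True)
    return [fw.evaluate(p) for p in (a_to_b_syn, b_reply, b_to_a_syn)]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The third decision is the one to check in a real deployment: if Server B ever shows a "deny" on a fresh SYN toward Server A, that is a second application flow, not return traffic, and a reverse policy is the right fix only if that flow is actually required. The model deliberately does not inspect payloads, so the ALG-bypass flag only annotates the decision; whether ALG inspection is on or off does not change which direction a policy is consulted in.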
NetAdminGuy (Author) commented:
Would appreciate a follow-up on what you think about the VPN, since these are both on the same network... Is it best to use given this, or should I leave that out?
WalkaboutTigger commented:
When you say both servers are on the same network, do you mean they are on the same IP subnet, same physical network or some other definition of "same network"?

NetAdminGuy (Author) commented:
Odd... I thought I posted a follow-up with more details, but guess not. Sorry. Specifically, there are two servers on two separate VLANs (on our firewall this means two separate zones), and the policy is all that's separating them. So they are located beside each other in a rack in the same building with nothing but a logical zone/VLAN and policy separating them. Just curious if you think a VPN between them is best odds in this case? I wasn't clear about them being at the same location before, so just curious.
WalkaboutTigger commented:
That would depend on the business and technical reasons requiring them to have been set up on logically separate networks. If the reasons this was done originally are no longer pertinent, then from both a performance and maintenance perspective, you'll likely want to consider consolidating them onto the same network.

Without knowing more about the environment, I cannot give you better advice.