Why do I need SQL rules going both directions on my Juniper SSG firewall?

Server A needs to call on Server B via SQL (port 1433) across a zone, and in order to get this to work, I'm having to open SQL in both directions. I think that the SQL ALG should prevent the need for this two-way rule policy. Is my firewall not working correctly, or do I misunderstand how this should be operating?
Darrell Porter, Enterprise Business Process Architect, commented:
If you have a policy that permits Server A to talk to Server B, for example:

set policy id 105 from trust to vpn ServerA ServerB SQL permit log

add a line

set policy id 105 application ignore

This should bypass ALG for this link for these hosts.  If SQL ALG is enabled on both ends, you likely will need rules on both sides regardless to bypass ALG for SQL for these two servers.

If both of these hosts are trusted hosts, bypassing ALG will reduce CPU on both firewalls.

Good luck!
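
As an added illustration (not part of the thread above, and not taken from Juniper documentation), here is what the pair of policies described in that answer looks like when written out in full on a ScreenOS SSG, with the ALG bypass applied to each. Everything except the port (TCP 1433) is assumed: the zone names `trust` and `dmz`, the address-book entries `ServerA` and `ServerB`, the host IPs, and the policy IDs 105 and 106 are placeholders for whatever is in the real configuration. `MS-SQL` is the predefined ScreenOS service for TCP 1433; the answer's own example used a service named `SQL`, so substitute that name if it is a custom service on your box. The lines beginning with `#` are annotations for the reader, not CLI input.

```screenos
# Assumed address-book entries (zone, name, IP, mask) for the two hosts.
set address trust ServerA 10.0.1.10 255.255.255.255
set address dmz ServerB 10.0.2.20 255.255.255.255

# Forward direction: Server A initiates the SQL session to Server B.
# "application ignore" turns off application-layer inspection for this policy,
# which is the bypass the answer above describes.
set policy id 105 from trust to dmz ServerA ServerB MS-SQL permit log
set policy id 105 application ignore

# Reverse direction: needed only if Server B ever opens a TCP 1433 connection
# to Server A. Reply packets of a session that A opened are matched against
# the existing session entry, not against a second policy.
set policy id 106 from dmz to trust ServerB ServerA MS-SQL permit log
set policy id 106 application ignore

save

# Checks: confirm the policy was stored with the bypass, then watch for a
# session entry while Server A connects (assumed IP of Server A).
get policy id 105
get session src-ip 10.0.1.10
```

One way to tell the two cases apart before adding policy 106: run `get session src-ip` for Server B's address while the application is in use. If the only sessions listed have Server A as the source, the reverse policy is carrying no traffic and can be removed; if Server B shows up as the initiator, the second policy is genuinely required and the ALG setting was never the reason for it.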

NetAdminGuy (Author) commented:
Would appreciate a follow-up on what you think about the VPN, since these are both on the same network... is it best to use, given this, or should I leave that out?
Darrell Porter, Enterprise Business Process Architect, commented:
When you say both servers are on the same network, do you mean they are on the same IP subnet, same physical network or some other definition of "same network"?

NetAdminGuy (Author) commented:
Odd... I thought I posted a follow-up with more details, but guess not. Sorry. Specifically, there are two servers on two separate VLANs (on our firewall this means two separate zones), and the policy is all that's separating them. So they are located beside each other in a rack in the same building with nothing but a logical zone/VLAN and policy separating them. Just curious if you think a VPN between them is the best option in this case? I wasn't clear about them being at the same location before, so just curious.
Darrell Porter, Enterprise Business Process Architect, commented:
That would depend on the business and technical reasons requiring them to have been set up on logically separate networks. If the reasons this was done originally are no longer pertinent, then from both a performance and maintenance perspective, you'll likely want to consider consolidating them onto the same network.

Without knowing more about the environment, I cannot give you better advice.