https://community.cisco.com/t5/network-security/can-i-disable-quot-inspect-sqlnet-quot/m-p/2334803#M310938 <HTML><HEAD></HEAD><BODY><P>you can check the number of packets (if any) that matched that inspection:</P><P>show service-policy</P><P></P><P>Patrick</P></BODY></HTML> Tue, 15 Oct 2013 16:01:58 GMT Patrick Moubarak 2013-10-15T16:01:58Z https://community.cisco.com/t5/network-security/can-i-disable-quot-inspect-sqlnet-quot/m-p/2334802#M310936 <P>In a recent Cisco Security Advisory <A href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa" target="_blank">(Advisory ID: cisco-sa-20131009-asa)</A> there is a "SQL*Net Inspection Engine Denial of Service Vulnerability" identified.&nbsp; I plan to follow the upgrade process to resolve this, however, I will not be able to perform the upgrade for a couple of weeks.</P><P></P><P>The temporary work around suggested is to disable SQL*Net inspection:</P><P></P><PRE>ciscoasa(config)# policy-map global_policy ciscoasa(config-pmap)# class inspection_default ciscoasa(config-pmap-c)# no inspect sqlnet</PRE><P></P><P> This seems simple enough, but I am banging my head on the desk trying to figure out how this will affect any database traffic that may be going through these interfaces.&nbsp; If the default sqlnet inspection is disabled does that mean I need to add explicit ACL entries per interface to allow that traffic?&nbsp; I've reviewwed the information from this thread: <A _jive_internal="true" href="https://community.cisco.com/thread/2005571" target="_blank">https://supportforums.cisco.com/thread/2005571</A></P><P></P><P>I know there are SQL and Oracle databases on this particular segment, but what confuses me is that there are no rules configured to NAT anything right now.&nbsp; Is there some sort of way to see if any traffic even matches that default inspection so I know whether it's doing anything right now?</P><P></P><P>I seem to be overthinking this because I keep going in circles with my own reasoning.&nbsp; I'm not sure what config information to include with my question.&nbsp; I can tell you that there are many interfaces in use.&nbsp; There is no NAT.&nbsp; There are mulitple security levels.&nbsp; </P><P></P><P>Thank you in advance.</P> Tue, 12 Mar 2019 02:52:10 GMT https://community.cisco.com/t5/network-security/can-i-disable-quot-inspect-sqlnet-quot/m-p/2334802#M310936 epatrickwhite 2019-03-12T02:52:10Z https://community.cisco.com/t5/network-security/can-i-disable-quot-inspect-sqlnet-quot/m-p/2334803#M310938 <HTML><HEAD></HEAD><BODY><P>you can check the number of packets (if any) that matched that inspection:</P><P>show service-policy</P><P></P><P>Patrick</P></BODY></HTML> Tue, 15 Oct 2013 16:01:58 GMT https://community.cisco.com/t5/network-security/can-i-disable-quot-inspect-sqlnet-quot/m-p/2334803#M310938 Patrick Moubarak 2013-10-15T16:01:58Z https://community.cisco.com/t5/network-security/can-i-disable-quot-inspect-sqlnet-quot/m-p/2334804#M310941 <HTML><HEAD></HEAD><BODY><P>Patrick,</P><P></P><P><STRONG>Thank you!</STRONG>&nbsp; This was exactly what I was asking for.&nbsp; In my post I asked the question "Is there some sort of way to see if any traffic even matches that default inspection."&nbsp; </P><P></P><P>That is all I needed.&nbsp; I don't know why I couldn't find how to show this information.</P></BODY></HTML> Tue, 15 Oct 2013 18:52:21 GMT https://community.cisco.com/t5/network-security/can-i-disable-quot-inspect-sqlnet-quot/m-p/2334804#M310941 epatrickwhite 2013-10-15T18:52:21Z