06-30-2010 10:40 AM - edited 03-11-2019 11:05 AM
Running FWSM 3.2(9) in a datacenter with active Oracle connections from an outside vlan to an inside vlan. Sqlnet inspection is enabled, however I don't believe it is needed, so I want to disable for possible performance improvement. If I remove the inspection while active Oracle connections are open through the firewall, will they get dropped (of course this assumes the sqlnet inspection isn't needed). Anyone ever done that?
06-30-2010 11:07 AM
Please issue "sh service-policy" and make sure whether the sql inspection is processing packets and if they increment by issuing the same command again.
Inspection does two things, NAT fixup and dynamically opening ports as needed without the need for ACLs.
Maybe you are not doing any address translation or you are doing just identity translation; if you remove inspection then, make sure the ACLs allow the ports.
-KS
06-30-2010 11:38 AM
Show service-policy definitely shows processed packets. Below is the output between back to back commands (~ 1 second apart). Correct, we are using static identity NAT for the Oracle servers on the inside, and a "debug sqlnet" shows only port 1521 (INFO: intercepted port is 1521). Therefore, it doesn't look like sqlnet inspection is needed. Have you ever disabled it during active Oracle connections? I want to disable it, but I'm afraid that it will bounce all Oracle connections, at which point, we'd need to restart a whole bunch of application servers.
FWSM# sho service-pol
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns maximum-length 512, packet 104891795, drop 0, reset-drop 0
Inspect: ftp, packet 1540053619, drop 126, reset-drop 9
Inspect: h323 h225, packet 0, drop 0, reset-drop 0
Inspect: h323 ras, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 596580, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 836274856, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 278078, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: dcerpc, packet 10601143, drop 18, reset-drop 0
Class-map: class_sip_tcp
Inspect: sip, packet 0, drop 0, reset-drop 0
FWSM#
FWSM# sho service-pol
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns maximum-length 512, packet 104891905, drop 0, reset-drop 0
Inspect: ftp, packet 1540053721, drop 126, reset-drop 9
Inspect: h323 h225, packet 0, drop 0, reset-drop 0
Inspect: h323 ras, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 596580, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 836285544, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 278078, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: dcerpc, packet 10601143, drop 18, reset-drop 0
Class-map: class_sip_tcp
Inspect: sip, packet 0, drop 0, reset-drop 0
FWSM#
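As an added example (not code from the thread), a small Python script that automates the check KS suggests: parse two back-to-back `show service-policy` captures and report which inspection engines actually incremented between them. The sample captures are constructed here from the counters shown above, trimmed to a few engines.

```python
import re
from dataclasses import dataclass

# Constructed sample: two back-to-back captures, ~1 second apart, trimmed to
# four engines. Counter values are copied from the output in the thread.
CAPTURE_1 = """\
Inspect: dns maximum-length 512, packet 104891795, drop 0, reset-drop 0
Inspect: ftp, packet 1540053619, drop 126, reset-drop 9
Inspect: sqlnet, packet 836274856, drop 0, reset-drop 0
Inspect: tftp, packet 278078, drop 0, reset-drop 0
"""
CAPTURE_2 = """\
Inspect: dns maximum-length 512, packet 104891905, drop 0, reset-drop 0
Inspect: ftp, packet 1540053721, drop 126, reset-drop 9
Inspect: sqlnet, packet 836285544, drop 0, reset-drop 0
Inspect: tftp, packet 278078, drop 0, reset-drop 0
"""

# Matches "Inspect: <engine [options]>, packet N, drop N, reset-drop N"
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<name>.+?),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset>\d+)\s*$"
)

@dataclass(frozen=True)
class Counters:
    packet: int
    drop: int
    reset_drop: int

def parse_counters(output: str) -> dict[str, Counters]:
    """Map each engine name (first token, options dropped) to its counters."""
    found = {}
    for line in output.splitlines():
        m = INSPECT_RE.match(line)
        if m:
            name = m.group("name").split()[0]  # "dns maximum-length 512" -> "dns"
            found[name] = Counters(int(m.group("packet")), int(m.group("drop")),
                                   int(m.group("reset")))
    return found

def inspection_deltas(before: str, after: str) -> dict[str, Counters]:
    """Counter growth per engine between two captures. A negative packet delta
    means the counters wrapped or the device reloaded; it is returned as-is so
    the caller can discard that sample instead of reading it as idle."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: Counters(a[n].packet - b[n].packet, a[n].drop - b[n].drop,
                        a[n].reset_drop - b[n].reset_drop) for n in a if n in b}

def active_inspections(before: str, after: str) -> list[str]:
    """Engines whose packet counter grew, i.e. those actually processing traffic."""
    return sorted(n for n, d in inspection_deltas(before, after).items() if d.packet > 0)
```

An engine with a zero packet delta over several samples is a candidate for removal; a non-zero sqlnet delta, as in the thread, means the policy is still seeing that traffic and the ACLs must permit the ports before the inspect is taken out.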
06-30-2010 11:41 AM
The connections that are up will not be terminated. Any new connections will not be inspected and, if the ACLs do not allow them, will be denied.
You can remove inspection. If you are worried you can remove the inspection later in the day when the load will be low.
-KS
07-01-2010 07:13 AM
Thanks for the info. Will give it a try at our next maintenance window, and will post the results.
Thanks,
Pat