The document discusses an issue where an Oracle application is being blocked by a Palo Alto firewall due to Oracle creating redirect sessions on dynamic ports instead of just port 1521. There are two ways to resolve this:
1. Disable Oracle's redirect session behavior by adding a Windows registry key.
2. Create firewall policies based on the Oracle application instead of just port 1521, which will allow the redirect sessions instead of blocking them.

Either of these two solutions will resolve the firewall blocking issue.
Resolve a Palo Alto firewall blocking Oracle application
Issue: Oracle app is being blocked by the Palo firewall.
Oracle creates a redirect session which does not use port 1521, but a port-based security policy is configured to allow tcp/1521 only.
By default, Oracle uses TCP port 1521, but at the same time Oracle will open dynamic ports between port 1024 - 65000 for redirect sessions. This causes the Oracle application to create a parent session and a child session (the child session is used in the redirect session), but these two are not linked by design, even though the child session appears in the command "show session all" as a predict session. There are two ways to resolve this behavior and allow the Palo Alto firewall to detect the redirect sessions or not block the redirect sessions.
1. To resolve it from the Windows point of view (if it is run on a Windows server): You can disable this Oracle behavior by adding a reg key on the Windows server: HKLM\software\oracle\homeX\use_shared_socket.
2. You can mitigate this problem by creating policies based on the Oracle application and not based on the application port number 1521, as shown below.
Palo firewall policy change to fix the issue:
[Figure: policy before the change]
[Figure: policy after the change]
The above 2 solutions both work to resolve the issue.
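To confirm the symptom described above before applying either fix, the following added example (not part of the original page) correlates an allowed tcp/1521 parent session with a denied session on a dynamic port between the same client and server. The CSV log layout, the sample addresses and the 10-second correlation window are constructed assumptions, not the PAN-OS traffic log format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log (not the PAN-OS traffic log format):
# time, client, server, destination port, action
SAMPLE_LOG = """\
2024-01-10T09:00:00,10.1.1.20,10.2.2.5,1521,allow
2024-01-10T09:00:01,10.1.1.20,10.2.2.5,49712,deny
2024-01-10T09:00:03,10.1.1.21,10.2.2.5,1521,allow
2024-01-10T09:05:00,10.1.1.21,10.2.2.5,50100,deny
2024-01-10T09:06:00,10.1.1.30,10.2.2.9,8443,deny
"""

LISTENER_PORT = 1521
REDIRECT_PORTS = range(1024, 65001)  # dynamic range given on the page
WINDOW = timedelta(seconds=10)       # assumed parent-to-child correlation window


def find_blocked_redirects(log_text, window=WINDOW):
    """Return denied sessions that follow an allowed tcp/1521 session
    between the same client and server within `window`.
    Assumes the log lines are in chronological order."""
    last_parent = {}  # (client, server) -> time of last allowed 1521 session
    hits = []
    for ts, client, server, port, action in csv.reader(io.StringIO(log_text)):
        when, port, pair = datetime.fromisoformat(ts), int(port), (client, server)
        if port == LISTENER_PORT and action == "allow":
            last_parent[pair] = when
        elif action == "deny" and port != LISTENER_PORT and port in REDIRECT_PORTS:
            parent = last_parent.get(pair)
            # Only flag denies that closely follow a parent session.
            if parent is not None and when - parent <= window:
                hits.append({"client": client, "server": server, "port": port,
                             "delay_s": (when - parent).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_redirects(SAMPLE_LOG):
        print(hit)
```

Client/server pairs that appear in the result are candidates for the redirect behavior; denies with no preceding 1521 session, or outside the window, are left out as unrelated traffic.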