topic Re: ALG (Application Layer Gateway) and Oracle in General Topics

ALG (Application Layer Gateway) and Oracle

saul_reps — Thu, 19 Oct 2017 14:47:23 GMT

Hi,

I've an application who has to query an Oracle database to get information from it. There is a PaloAlto firewall between my application and the DB.

I actually reach the database, but I can't collect the information that I need. Making a quick tcpdump of incoming packets on the server in which my application is running, I noticed on wireshark that, on the response packet of the DB, there is this error: Malformed Packet: TNS.

There is no "deny" on the firewall, I was wondering if it can be related to the ALG functionality. Making some research online I found threads like these, in which is clearly said that the solution is to disable the ALG:

http://packetpushers.net/sqlnet-a-k-a-oracle-tns-and-firewalls/
https://forums.juniper.net/t5/SRX-Services-Gateway/Oracle-TNS-packet-drop-issue/td-p/159316

The documentation of PaloAlto states:
Palo Alto Networks firewall provides NAT ALG support for the following protocols: FTP, H.225, H.248, MGCP, MySQL, Oracle/SQLNet/TNS, RPC, RSH, RTSP, SCCP, SIP, and UNIStim.

But it is not clear which is the default behavior of the firewall with these services. It actually performs NAT ALG on all of the services listed, even if you do not specify to use it?
Furthermore, I saw also that you can disable ALG module just on SIP application. And what if ALG is performed even on the services listed above and you want to disable it?

Is there someone who is able to help me on this matter?

Thanks in advance

Re: ALG (Application Layer Gateway) and Oracle

reaper — Thu, 19 Oct 2017 15:08:50 GMT

Depending on the application's behavior the ALG accomodates returning packets requiring a pinholed port or 'special' NAT processing, like for example FTP where a new session is set up from the server to the client to provide a data channel

If your implementation requires a different methodology than the protocol standard, the ALG could mess things up

In the first place you could try disabling ALG and secondly you could try an app override to a custom app which will disable all content inspection of the traffic in case non-standard (or a new incarnation/update/version that we have not incorporated yet) implementation is being used

in the case of the latter, please reach out to support so we can update our App-ID database

I'm not quite sure what your question is regarding SIP. Each protocol has it's own decoder and ALG, so disabling one does not interfere with another

Re: ALG (Application Layer Gateway) and Oracle

saul_reps — Thu, 19 Oct 2017 17:31:49 GMT

@reaper wrote:

In the first place you could try disabling ALG

The problem is, is it possible to disable ALG just for a single policy? As far as I understand reading the guide (I don't have the access to the PA firewall), it's possible to disable ALG just in case of SIP applications (that's why I mentioned SIP in my previous question).

Re: ALG (Application Layer Gateway) and Oracle

reaper — Thu, 19 Oct 2017 18:44:59 GMT

You disable ALG at the application level, all the applications you listed can be "opened" individually (click the app in Objects > Applications and check it's settings) and ALG can be disabled per application

Sip is just a common example but all the other apps can be accessed and altered in exactly the same way

Re: ALG (Application Layer Gateway) and Oracle

Raido_Rattameister — Thu, 19 Oct 2017 22:41:00 GMT

Looks like ALG can be disabled only in specific applications.

In other cases you can use Application Override.

# set shared alg-override application
  sccp      application sccp
  sip       application sip
  teredo    application teredo
  unistim   application unistim
  <name>    <name>

Re: ALG (Application Layer Gateway) and Oracle

Raido_Rattameister — Thu, 19 Oct 2017 22:45:39 GMT

I wonder if it is typo in GUI that it mentiones SIP ALG in all cases?