We have a case where the Oracle connection failed during the replication to the DR. The replication process starts, runs for one to three hours and then fails. The Oracle admins opened a ticket with Oracle support, and Oracle support recommends disabling the below for the Oracle application:
SQLNet fixup protocol
Deep Packet Inspection (DPI)
SQLNet packet inspection
We have disabled the inspection, but for the ALG I found in the admin guide v6 that the Palo Alto functions as an ALG for the following protocols: FTP, SIP, H.323, RTSP, Oracle/SQLNet/TNS, MGCP. It shows how to disable the ALG just for SIP, though.
In the meantime I have added a new custom application to override the default Oracle one and added it to an application policy so the PA will not affect this application,
and we are waiting for the result.
Will this disable the ALG functionality for the Oracle application?
Yes, you are correct. If you create a custom application and refer to it in an application override policy, the PAN firewall will skip the Layer-7 processing (content check, ALG) for that traffic.
Please use this document to create an application override policy.
After creating the correct policy, please check the session by using the commands below:
show session all filter source <x.x.x.x> destination <y.y.y.y>
show session id <the session number from the output above>
This output will show:
layer7 processing : completed
application : <the name of the custom app that you have created>
Could you please enable a packet capture on the PAN firewall between the source and destination IPs (bi-directional) to understand who is causing this problem? Also, if you are using an application override policy for the SQL traffic, could you please increase the time-out value for that custom application.
Ref Doc: How to Run a Packet Capture
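The custom application, application override rule, longer timeout and session check described in the two replies above, written out as an added example in PAN-OS configure-mode set syntax; this is not from the thread or from Palo Alto Networks' documentation. The application and rule names, zone names, IP addresses and port 1521 (the default Oracle listener port) are assumptions, and lines beginning with "##" are explanatory comments, not CLI input.

```text
## --- configure mode ---
configure
## Custom application that replaces the predefined "oracle" App-ID for this flow.
## category/subcategory/technology/risk are required fields; values are assumed.
set application oracle-dr-repl category business-systems subcategory database technology client-server risk 3
set application oracle-dr-repl default port tcp/1521
## Long-running replication stream: raise the TCP session timeout (seconds) so an
## idle period does not age the session out mid-transfer (3600 is an assumed value).
set application oracle-dr-repl timeout 3600
## Application override rule: packets matching these tuples are classified as the
## custom app without Layer-7 inspection (no content check, no SQLNet/TNS ALG).
set rulebase application-override rules oracle-dr-override from trust to dmz source 10.0.0.5 destination 10.0.1.5 protocol tcp port 1521 application oracle-dr-repl
commit
exit
## --- operational mode: verify once replication traffic is flowing ---
## Expect "layer7 processing : completed" and "application : oracle-dr-repl".
show session all filter source 10.0.0.5 destination 10.0.1.5
show session id <id from the previous output>
```

Because Layer-7 processing is skipped, the security policy that allows this flow must match on the custom application name and its threat profiles no longer inspect the stream, so keep the override scoped to the replication hosts and port only.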
Thanks, but the problem with the pcap and the CLI monitor is that the replication is an online process and it will work for hours, then it will stop. We don't have a trigger to fire to reproduce the problem; it's just happening daily with no set time.
Try disabling TCP sequence number checking:
set deviceconfig setting tcp asymmetric-path bypass
set deviceconfig setting tcp asymmetric-path
bypass bypass inspection for the session that has TCP sliding window tracking errors
drop drop offending packets that violated TCP sliding window tracking, enable TCP sequence number check for FIN/RST