ALG (Application Layer Gateway) and Oracle

L0 Member

Hi,

I have an application that has to query an Oracle database to get information from it. There is a PaloAlto firewall between my application and the DB.

I actually reach the database, but I can't collect the information that I need. Taking a quick tcpdump of incoming packets on the server on which my application is running, I noticed in Wireshark that, on the response packet from the DB, there is this error: Malformed Packet: TNS.

There is no "deny" on the firewall, so I was wondering if it can be related to the ALG functionality. Doing some research online I found threads like these, in which it is clearly said that the solution is to disable the ALG:

http://packetpushers.net/sqlnet-a-k-a-oracle-tns-and-firewalls/
https://forums.juniper.net/t5/SRX-Services-Gateway/Oracle-TNS-packet-drop-issue/td-p/159316

The documentation of PaloAlto states:
Palo Alto Networks firewall provides NAT ALG support for the following protocols: FTP, H.225, H.248, MGCP, MySQL, Oracle/SQLNet/TNS, RPC, RSH, RTSP, SCCP, SIP, and UNIStim.

But it is not clear what the default behavior of the firewall is with these services. Does it actually perform NAT ALG on all of the services listed, even if you do not specify to use it?
Furthermore, I also saw that you can disable the ALG module only for the SIP application. And what if ALG is performed on the other services listed above and you want to disable it?

Is there someone who is able to help me on this matter?

Thanks in advance

Cyber Elite

Depending on the application's behavior, the ALG accommodates returning packets requiring a pinholed port or 'special' NAT processing, for example FTP, where a new session is set up from the server to the client to provide a data channel.

If your implementation requires a different methodology than the protocol standard, the ALG could mess things up.

In the first place you could try disabling ALG, and secondly you could try an app override to a custom app, which will disable all content inspection of the traffic in case a non-standard (or a new incarnation/update/version that we have not incorporated yet) implementation is being used.

In the case of the latter, please reach out to support so we can update our App-ID database.

I'm not quite sure what your question is regarding SIP. Each protocol has its own decoder and ALG, so disabling one does not interfere with another.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
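The OP's symptom (Wireshark flagging the DB's response as "Malformed Packet: TNS") and the reply above (an ALG rewriting or pinholing traffic on the protocol's behalf) both come down to the same question: does the TNS byte stream that reaches the client still parse as the TNS packets the server sent? The following is an added example, not code from Palo Alto Networks or from anyone in this thread, that a defender can point at the raw bytes of a TCP stream (for instance the "Follow TCP Stream" raw export from Wireshark) to see exactly where the framing breaks. It assumes the 8-byte TNS header layout (packet length, packet checksum, packet type, flags, header checksum, all big-endian), the packet-type numbers listed in the code, and the sample streams, which are constructed here rather than captured; the failure mode shown (a Redirect address rewritten to a longer string while the length field keeps the old value) is a constructed illustration of how a length mismatch surfaces, not a claim about what the OP's firewall did.

```python
"""Walk a stream of Oracle TNS packets and report framing problems.

Added example for this thread; not Palo Alto Networks code and not code from
any poster. Assumed: the 8-byte TNS header (length, packet checksum, type,
flags, header checksum) and the packet-type numbers below. Sample bytes are
constructed, not captured.
"""
import re
import struct

# length, packet checksum, packet type, reserved/flags, header checksum
TNS_HEADER = struct.Struct(">HHBBH")

TNS_TYPES = {1: "CONNECT", 2: "ACCEPT", 4: "REFUSE", 5: "REDIRECT", 6: "DATA",
             11: "RESEND", 12: "MARKER", 13: "ATTENTION", 14: "CONTROL"}

# HOST/PORT pair inside a TNS Redirect address descriptor (assumed format)
ADDRESS_RE = re.compile(rb"\(HOST=([^)]+)\)\(PORT=(\d+)\)")


def parse_tns_stream(data: bytes):
    """Return one dict per packet; a dict with an 'error' key ends the walk."""
    packets = []
    offset = 0
    while offset < len(data):
        header = data[offset:offset + TNS_HEADER.size]
        if len(header) < TNS_HEADER.size:
            packets.append({"offset": offset, "error": "truncated header"})
            break
        length, _pkt_sum, ptype, _flags, _hdr_sum = TNS_HEADER.unpack(header)
        if length < TNS_HEADER.size:
            packets.append({"offset": offset,
                            "error": f"declared length {length} below header size"})
            break
        if ptype not in TNS_TYPES:
            packets.append({"offset": offset, "error": f"unknown packet type {ptype}"})
            break
        body = data[offset + TNS_HEADER.size:offset + length]
        if len(body) < length - TNS_HEADER.size:
            packets.append({"offset": offset, "type": TNS_TYPES[ptype],
                            "error": f"declared length {length}, only "
                                     f"{len(body) + TNS_HEADER.size} bytes present"})
            break
        entry = {"offset": offset, "type": TNS_TYPES[ptype], "length": length}
        if ptype == 5:  # Redirect: the server tells the client where to reconnect
            m = ADDRESS_RE.search(body)
            if m:
                entry["redirect_host"] = m.group(1).decode()
                entry["redirect_port"] = int(m.group(2))
        packets.append(entry)
        offset += length
    return packets


def is_well_formed(data: bytes) -> bool:
    """True when every packet in the stream parses with a consistent length."""
    return not any("error" in p for p in parse_tns_stream(data))


def build_tns(ptype: int, body: bytes) -> bytes:
    """Build one TNS packet with a correct length field (checksums left zero)."""
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, ptype, 0, 0) + body


# Constructed sample: an ACCEPT followed by a REDIRECT to 10.0.0.5:1522.
REDIRECT_ADDR = b"(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=1522))"
ACCEPT_BODY = b"\x01\x39\x00\x00\x08\x00\x7f\xff"  # constructed, content irrelevant here
GOOD_STREAM = (build_tns(2, ACCEPT_BODY)
               + build_tns(5, struct.pack(">H", len(REDIRECT_ADDR)) + REDIRECT_ADDR))

# Constructed failure mode: the redirect host was rewritten to a longer string but
# the TNS length field still carries the old value, so the walker consumes the
# declared 60 bytes and then finds only a 3-byte remnant where a header should be.
REWRITTEN = REDIRECT_ADDR.replace(b"10.0.0.5", b"192.0.2.100")
BAD_STREAM = (build_tns(2, ACCEPT_BODY)
              + TNS_HEADER.pack(TNS_HEADER.size + 2 + len(REDIRECT_ADDR), 0, 5, 0, 0)
              + struct.pack(">H", len(REWRITTEN)) + REWRITTEN)

if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        print(name, "well-formed:", is_well_formed(stream))
        for p in parse_tns_stream(stream):
            print("  ", p)
```

Run against a real export, the first dict carrying an `error` key is the offset Wireshark complains about; if the packet just before it is a Redirect whose host or port differs from what the server actually listens on, that is the point where an in-path device touched the payload, which is the kind of evidence worth attaching when disabling the ALG or opening a support case.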


@reaper wrote:
    In the first place you could try disabling ALG

The problem is, is it possible to disable ALG just for a single policy? As far as I understand from reading the guide (I don't have access to the PA firewall), it is possible to disable ALG only in the case of SIP applications (that's why I mentioned SIP in my previous question).

You disable ALG at the application level; all the applications you listed can be "opened" individually (click the app in Objects > Applications and check its settings) and ALG can be disabled per application.

SIP is just a common example, but all the other apps can be accessed and altered in exactly the same way.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Looks like ALG can be disabled only in specific applications.

In other cases you can use Application Override.

# set shared alg-override application
  sccp      application sccp
  sip       application sip
  teredo    application teredo
  unistim   application unistim
  <name>    <name>
Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I wonder if it is a typo in the GUI that it mentions SIP ALG in all cases?

[Screenshot attachment: sip-alg.PNG]

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011