02-23-2014 01:32 PM
We have a case where the Oracle connection failed during the replication to the DR. The replication process runs for one to three hours, then it fails. The Oracle admins opened a ticket with Oracle support, and Oracle support recommends disabling the following for the Oracle application:
SQLNet fixup protocol
Deep Packet Inspection (DPI)
SQLNet packet inspection
We have disabled the inspection, but for the ALG I found in the admin guide v6 that the Palo Alto functions as an ALG for the following protocols: FTP, SIP, H.323, RTSP, Oracle/SQLNet/TNS, MGCP. But it only shows how to disable the ALG for SIP.
In the meantime I have added a new custom application to override the default Oracle one and added it to an application policy so the PA will not affect this application.
We are waiting for the result.
Will this disable the ALG functionality for the Oracle application?
02-23-2014 02:42 PM
Yes, you are correct. If you create a custom application and reference it in an application override policy, the PAN firewall will skip the Layer-7 processing (content check, ALG) for that traffic.
02-24-2014 04:10 AM
The same error with the same ORA number on the Oracle server.
02-24-2014 07:15 AM
Please use this document to create the application override policy:
How to Create an Application Override Policy
After creating the correct policy, please check the session by using the commands below:
show session all filter source <x.x.x.x> destination <y.y.y.y>
show session id <type the appropriate session number from the above output>
This output will show:
layer7 processing : completed
application : <the name of the custom app that you have created>
02-24-2014 09:31 AM
Could you please enable packet capture on the PAN firewall between the source and destination IP (bi-directional) to understand who is causing this problem. Also, if you are using an application override policy for the SQL traffic, could you please increase the time-out value for that custom application.
Ref Doc: How to Run a Packet Capture
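The two replies above describe a manual check: after the override policy is in place, confirm from `show session id` that the session shows the custom application name and `layer7 processing : completed`, and consider raising the custom application's timeout for long-lived replication sessions. The script below is an added example (not code from the thread or from Palo Alto Networks) that automates that check over saved CLI output. The session output embedded here is constructed to imitate the key/value layout of `show session id` and is not a real capture; the custom application name `oracle-repl-override`, the rule name `allow-oracle-dr` and the addresses are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show session id <n>` output (illustration only, modelled
# on the "key : value" layout PAN-OS prints; not a capture from the thread).
# This session did hit the override rule: custom app name, layer7 completed.
SAMPLE_OVERRIDDEN = """\
Session           12345
        c2s flow:
                source:      10.10.1.5 [trust]
                dst:         10.20.1.9
                proto:       6
                sport:       41022           dport:      1521
                state:       ACTIVE          type:       FLOW
        s2c flow:
                source:      10.20.1.9 [dr]
                dst:         10.10.1.5
                proto:       6
                sport:       1521            dport:      41022
                state:       ACTIVE          type:       FLOW
        start time                           : Sun Feb 23 10:02:11 2014
        timeout                              : 3600 sec
        time to live                         : 3412 sec
        total byte count(c2s)                : 1834022
        total byte count(s2c)                : 99012
        application                          : oracle-repl-override
        rule                                 : allow-oracle-dr
        layer7 processing                    : completed
"""

# Constructed sample where the override did NOT match: App-ID still classifies
# the flow as the built-in "oracle" app, layer7 inspection is still active,
# and the session timeout is the short default rather than a raised value.
SAMPLE_NOT_OVERRIDDEN = """\
Session           12346
        start time                           : Sun Feb 23 10:05:40 2014
        timeout                              : 300 sec
        time to live                         : 288 sec
        application                          : oracle
        rule                                 : allow-oracle-dr
        layer7 processing                    : enabled
"""

# Matches "   key   : value" lines; lines without a value (e.g. "c2s flow:") are skipped.
KV_RE = re.compile(r"^\s*([A-Za-z0-9 ()]+?)\s*:\s*(.+?)\s*$")


def parse_session(text: str) -> Dict[str, str]:
    """Turn the key/value lines of a session dump into a dict with normalised keys."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key = " ".join(m.group(1).lower().split())  # collapse padding, lowercase
            fields[key] = m.group(2)
    return fields


def timeout_seconds(fields: Dict[str, str]) -> Optional[int]:
    """Extract the numeric session timeout from a value like '3600 sec'."""
    m = re.match(r"(\d+)\s*sec", fields.get("timeout", ""))
    return int(m.group(1)) if m else None


def check_override(text: str, expected_app: str, min_timeout_sec: int = 0) -> Tuple[bool, List[str]]:
    """Verify that a session shows the custom app, finished L7 processing and an adequate timeout.

    Returns (ok, findings); findings is empty when every check passes.
    """
    f = parse_session(text)
    findings: List[str] = []

    app = f.get("application")
    if app != expected_app:
        findings.append(f"application is {app!r}, expected {expected_app!r}: override rule did not match")

    l7 = f.get("layer7 processing")
    if l7 != "completed":
        findings.append(f"layer7 processing is {l7!r}, expected 'completed': inspection still active")

    t = timeout_seconds(f)
    if t is None:
        findings.append("could not read the session timeout")
    elif t < min_timeout_sec:
        findings.append(f"session timeout {t}s is below the {min_timeout_sec}s wanted for long replication sessions")

    return (not findings, findings)


if __name__ == "__main__":
    for label, dump in (("overridden", SAMPLE_OVERRIDDEN), ("not overridden", SAMPLE_NOT_OVERRIDDEN)):
        ok, findings = check_override(dump, "oracle-repl-override", min_timeout_sec=3600)
        print(f"{label}: {'OK' if ok else 'PROBLEM'}")
        for line in findings:
            print("  -", line)
```

In practice you would paste the real `show session id` output into a file and pass its contents to `check_override` with the name of your own custom application; the `min_timeout_sec` argument encodes the timeout you raised the custom application to, so a session that still carries a short timeout is flagged before the replication runs long enough to hit it.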
02-26-2014 01:49 PM
Thanks, but the problem with the pcap and the CLI monitor is that the replication is an online process and it will work for hours, then it will stop. We don't have a trigger to fire to reproduce the problem; it's just happening daily at no fixed time.
02-27-2014 06:45 AM
Try to disable TCP sequence number checking:
set deviceconfig setting tcp asymmetric-path bypass
set deviceconfig setting tcp asymmetric-path
    bypass    bypass inspection for the session that has TCP sliding window tracking errors
    drop      drop offending packets that violated TCP sliding window tracking, enable TCP sequence number check for FIN/RST
03-01-2014 05:14 AM
Thanks Anon, but will it affect other TCP protocols? In other words, can we specify it for Oracle only? Or for src and dest only?
03-03-2014 04:59 AM
No, this setting will disable the inspection globally for all traffic.