Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

SQLNET ALG

 

The SQLNET protocol is used by Oracle SQL servers to execute SQL commands from clients, including load balancing and application-specific services. Support of stateful firewall and NAT services requires that you configure the SQLNET ALG for TCP port 1521. The ALG monitors the control packets, opens flows dynamically for data traffic, and performs NAT address and port rewrites.

Understanding the SQLNET ALG

The SQLNET Application Layer Gateway (ALG) processes Transparent Network Substrate (TNS) REDIRECT packets for IP addresses and port information. The SQLNET ALG performs Network Address Translation (NAT) on the payload of the TNS REDIRECT packet, opens a pinhole for a new connection from a client to a server, and transfers data between a client and a server located on opposite sides of a Juniper Networks device.

SQLNET ALG supports the following types of data transfer modes:

  • Redirect mode — connect-redirect type

  • Interleave mode — connect-accept type

  • Load balance — connect-redirect-connect-redirect type

SQLNET allows remote data access between applications and the Oracle database, or among multiple Oracle databases. SQLNET primarily establishes and maintains connection between a client application and an Oracle database server. SQLNET has several communication layers that enable clients and database servers to share, modify, and manipulate data.

Oracle SQL servers use the SQLNET protocol to execute SQL commands from clients, including load balancing and application-specific services. The SQLNET protocol uses TNS as its networking architecture, and all SQLNET traffic is encapsulated into TNS packet format.

The SQLNET ALG monitors control packets, opens pinhole for data traffic, and performs NAT and port rewrites. Support of stateful firewall and NAT services are required to configure the SQLNET ALG for TCP port 1521.

Example: Configuring the SQLNET ALG

The SQLNET ALG processes TNS REDIRECT packets, performs NAT, and opens a pinhole for a new connection from a client to a server.

This example shows how to configure the SQLNET ALG in route or NAT mode, allow SQLNET traffic to pass through a device, and transfer data between a client and a server located on opposite sides of a Juniper Networks device.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device

  • Two PCs (client and server)

Before you begin:

Overview

In this example, first you configure network interfaces on the device. Create security zones and assign interfaces to the zones, and configure a policy to allow SQLNET traffic to go through an SRX Series device.

Then you create a static NAT rule set rs1 with a rule r1 to match with the destination address 40.0.172.10/32, and you create a static NAT prefix with address 40.0.172.45/32.

Next you create a source NAT pool src-p1 with a source rule set src-rs1 to translate packets from interface fe-3/0/0.0 to interface fe-3/0/1.0. For matching packets, the source address is translated to an IP address in the src-p1 pool.

Then you create a destination NAT pool des-p1 with a destination rule set des-rs1 to translate packets from zone trust to destination address 40.0.172.10/32. For matching packets, the destination address is translated to an IP address in the des-p1 pool. Finally, you enable SQLNET ALG trace options.

Topology

Figure 1 shows the SQLNET ALG topology.

Figure 1: SQLNET ALG Topology
SQLNET ALG Topology

Configuration

To configure the SQLNET ALG, perform these tasks:

Configuring a Route Mode

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure route mode:

  1. Configure interfaces.
  2. Configure zones and assign interfaces to the zones.
  3. Configure a SQL policy that allows SQL traffic from the trust zone to the untrust zone.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security zones, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Configuring a Static NAT Rule Set

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a static NAT rule set:

  1. Create a static NAT rule set.
  2. Define a rule to match with the destination address.
  3. Define a static NAT prefix for the device.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring a Source NAT Pool and Rule Set

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a source NAT pool and rule set:

  1. Create a source NAT pool.
  2. Create a source NAT rule set.
  3. Configure a rule that matches packets and translates the source address to an address in the source pool.
  4. Configure a rule that matches packets and translates the destination address to an address in the source pool.
  5. Configure a source NAT pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring a Destination NAT Pool and Rule Set

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a destination NAT pool and rule set:

  1. Create a destination NAT pool.
  2. Create a destination NAT rule set.
  3. Configure a rule that matches packets and translates the source address to the address in the pool.
  4. Configure a rule that matches packets and translates the destination address to the address in the pool.
  5. Configure a source NAT pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Enabling SQLNET ALG

CLI Quick Configuration

Note

Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, the SQLNET application layer gateway is enabled by default.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To enable SQLNET ALG:

  1. Enable SQLNET ALG.

Enabling SQLNET ALG Trace Options

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To enable SQLNET ALG trace options:

  1. Enable SQLNET ALG trace options.
  2. Configure a filename to receive output from the tracing operation.
  3. Specify the maximum trace file size.
  4. Specify the level of tracing output.

Results

From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the SQLNET ALG Control Session

Purpose

Verify that the SQL command is executed and all the SQL control and data sessions are created.

Action

From operational mode, enter the show security flow session command.

user@host>show security flow session

Meaning

  • Session ID—Number that identifies the session. Use this ID to get more information about the session such as policy name, number of packets in and out.

  • Policy name—Policy name that permitted the traffic.

  • In—Incoming flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and source interface for this session is fe-3/0/0.0).

  • Out—Reverse flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and destination interface for this session is fe-3/0/1.0).

Verifying the SQLNET ALG

Purpose

Verify that the SQLNET ALG is enabled.

Action

From operational mode, enter the show security alg status command.

user@host>show security alg status

Meaning

The output shows the SQLNET ALG status as follows:

  • Enabled—Shows the SQLNET ALG is enabled

  • Disabled—Shows the SQLNET ALG is disabled.

Verifying the SQLNET ALG Resource Manager Group

Purpose

Verify the total number of resource manager groups and active groups that are used by the SQLNET ALG.

Action

From operational mode, enter the show security resource-manager group active command.

user@host>show security resource-manager group active

Verifying the SQLNET ALG Resource Information

Purpose

Verify the total number of resources and active resources that are used by the SQLNET ALG.

Action

From operational mode, enter the show security resource-manager resource active command.

user@host>show security resource-manager resource active

Related Documentation

Release History Table
Release
Description
Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, the SQLNET application layer gateway is enabled by default.