This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JonnyV
Contributor
‎2020-06-26 12:38 PM
Jump to solution

policy push causes DB timeouts/drops/renegotiation on Oracle TNS 19100 and 1521 traffic

Problem:

We have been having issues with a DB performance impact after policy push since our upgrade to r80.30 (more than 4 months ago). We did not notice these issues in r77.30.

We eventually found document that seemed to match our behavior. https://packetpushers.net/sqlnet-a-k-a-oracle-tns-and-firewalls/

Observed behavior is as follows:

We push policy and begin to see an uptick in 19100 traffic from clients to server in new sessions. Typical traffic was appx 10 packets per minute, after push it jumped to almost 9k per min. We were unable to gather debug info from CP, because of the sheer volume of traffic would max out the CPUs and lock up the FW.

Solution:

Set 1521 and 19100 traffic at the service object to "keep connections open after policy has been installed"
We did not have to configure user.def or tables.def to address any OOS packets, as this just appears to be noise from the software load-balancing within Oracles TNS implementation.

1 Solution

Accepted Solutions
JonnyV
Contributor
‎2020-06-26 12:59 PM
In response to PhoneBoy
Jump to solution

Understood
For our environment setting it at the service object made more sense; since those services are not present on the perimeter firewalls.

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-06-26 12:54 PM
Jump to solution

You can also set it in global properties (I think) to keep all existing connections on a policy installation.
JonnyV
Contributor
‎2020-06-26 12:59 PM
In response to PhoneBoy
Jump to solution

Understood
For our environment setting it at the service object made more sense; since those services are not present on the perimeter firewalls.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events