Disabling of firewall inspection

Unanswered Question
Mar 10th, 2009
I would like to know what the impact/loss is of disabling stateful inspection on any protocol in the firewall, such as 'no inspect sqlnet'.

Is it a security threat, etc.?

Overall Rating: 5 (2 ratings)
Jon Marshall Tue, 03/10/2009 - 11:14

Stateful inspection in its general form is covered by "inspect tcp". This tells the firewall to check the TCP flags/sequence numbers etc. If you turned this off all the generic TCP applications would not be firewalled.

"inspect sqlnet" among others is doing more than stateful inspection. It is also interpreting some of the traffic at the application layer, i.e. the firewall or router has a limited understanding of the actual SQLNET protocol. A lot of the inspect types are there to allow you to secure the firewall against an inherently insecure protocol.

So for example, SQLNET works by a client connecting to a server on the well known SQL port 1521. The server then sends a packet back to the client telling it to use a new port for the connection. The client then makes a new connection to that port. Now if the firewall cannot find out what that port is then you need to open all ports on your firewall above 1024 because it could be any port the server told the client to use. So the firewall is provided with extra code to be able to snoop on the return message from the server and read the port. The firewall can then dynamically open the port for the new client connection.

So disabling it may well mean you have to open up a lot of extra ports. Disabling the more general "inspect tcp" would pretty much disable your firewall.

Apologies if you knew a lot of that, wasn't trying to bore you :-).

By the way, did you get that NAT issue solved ?
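The pinhole behaviour Jon describes above, as an added toy model that is not part of the original thread and not Cisco's code: a client reaches the listener on 1521, the server answers with a redirect naming a new port, and a firewall with inspection enabled snoops that answer and opens the negotiated port for that client/server pair only. The redirect message format here ("REDIRECT port=NNNN") is a constructed placeholder, not the real TNS encoding, and the hosts and ports are made up. The three scenarios contrast inspection on, inspection off (the application breaks), and the "open everything above 1024" workaround (every host can reach every high port).

```python
"""Toy model of SQL*Net application inspection and dynamic pinholes."""
from dataclasses import dataclass, field
import re

SQLNET_PORT = 1521  # well-known listener port from the answer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Firewall:
    inspect_sqlnet: bool                 # "inspect sqlnet" on or off
    allow_high_ports: bool = False       # the "open all ports above 1024" workaround
    # pinholes opened by inspection: (client, server, negotiated_port)
    pinholes: set = field(default_factory=set)

    def allow_client_to_server(self, pkt: Packet) -> bool:
        """Decide whether a new client->server connection is permitted."""
        # Static rule: clients may always reach the listener on 1521.
        if pkt.dport == SQLNET_PORT:
            return True
        # Dynamic pinhole learned from a snooped redirect, scoped to this pair.
        if (pkt.src, pkt.dst, pkt.dport) in self.pinholes:
            return True
        # Blanket workaround when inspection is disabled: any high port passes.
        if self.allow_high_ports and pkt.dport > 1024:
            return True
        return False

    def observe_server_to_client(self, pkt: Packet) -> None:
        """Return traffic from the listener; with inspection on, snoop the redirect."""
        if self.inspect_sqlnet and pkt.sport == SQLNET_PORT:
            # Constructed placeholder format, not the real TNS redirect encoding.
            m = re.search(rb"REDIRECT port=(\d+)", pkt.payload)
            if m:
                self.pinholes.add((pkt.dst, pkt.src, int(m.group(1))))


def run_scenario(inspect_sqlnet: bool, allow_high_ports: bool) -> dict:
    """Replay the client/server exchange and report what the firewall lets through."""
    fw = Firewall(inspect_sqlnet, allow_high_ports)
    client, server, other = "10.1.1.5", "10.2.2.10", "10.1.1.99"  # constructed hosts

    # 1. Client connects to the listener on 1521 (always allowed).
    if not fw.allow_client_to_server(Packet(client, 40000, server, SQLNET_PORT)):
        raise RuntimeError("listener port should always be reachable")

    # 2. Server tells the client to reconnect on a new port.
    fw.observe_server_to_client(
        Packet(server, SQLNET_PORT, client, 40000, b"REDIRECT port=1526"))

    # 3. Who can now reach which high ports on the server?
    return {
        "redirected_client_allowed":
            fw.allow_client_to_server(Packet(client, 40001, server, 1526)),
        "other_host_same_port":
            fw.allow_client_to_server(Packet(other, 40002, server, 1526)),
        "other_host_random_high_port":
            fw.allow_client_to_server(Packet(other, 40003, server, 5000)),
    }


if __name__ == "__main__":
    for label, args in {
        "inspect sqlnet on": (True, False),
        "inspect sqlnet off, no workaround": (False, False),
        "inspect sqlnet off, ports >1024 opened": (False, True),
    }.items():
        print(label, run_scenario(*args))
```

With inspection on, only the redirected client reaches port 1526 and nothing else above 1024 is exposed; with inspection off and no workaround, the redirected connection is dropped and the application fails; with the blanket high-port rule, every host can reach every high port on the server, which is the exposure the answer is warning about.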


cisco_lite Tue, 03/10/2009 - 14:14
Hi Jon,

Thanks for that.

NAT issue is not resolved as yet. I have updated the other post. Awaiting your reply.