Cisco Support Community

New Member

Disabling of firewall inspection


I would like to know what is the impact/loss of disabling stateful inspection on any protocol in the firewall such as 'no inspect sqlnet'.

Is it a security threat, etc.?

Hall of Fame Super Blue

Re: Disabling of firewall inspection

Stateful inspection in its general form is covered by "inspect tcp". This tells the firewall to check the TCP flags, sequence numbers, etc. If you turned this off, all the generic TCP applications would not be firewalled.

"inspect sqlnet", among others, is doing more than stateful inspection. It is also interpreting some of the traffic at the application layer, i.e. the firewall or router has a limited understanding of the actual SQLNET protocol. A lot of the inspect types are there to allow you to secure the firewall against an inherently insecure protocol.

So for example, SQLNET works by a client connecting to a server on the well known SQL port 1521. The server then sends a packet back to the client telling it to use a new port for the connection. The client then makes a new connection to that port. Now if the firewall cannot find out what that port is then you need to open all ports on your firewall above 1024 because it could be any port the server told the client to use. So the firewall is provided with extra code to be able to snoop on the return message from the server and read the port. The firewall can then dynamically open the port for the new client connection.

So disabling it may well mean you have to open up a lot of extra ports. Disabling the more general "inspect tcp" would pretty much disable your firewall.

Apologies if you knew a lot of that, wasn't trying to bore you :-).

By the way, did you get that NAT issue solved ?
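The pinholing behaviour described in the reply above, as an added model that is not part of the original thread and is not Cisco's inspection code: a small stateful firewall that permits a static rule to port 1521, snoops the server's redirect on that session, and opens a one-shot dynamic pinhole for the redirected port. The TNS header layout, the redirect packet type and the `(PORT=...)` text are modelled on Oracle's TNS redirect but simplified, so treat the byte layout as an assumption; the addresses, ports and packets are constructed sample data. The same model run with inspection turned off shows why the only alternative is a blanket permit of the high ports.

```python
"""Model of protocol-aware ("inspect sqlnet"-style) firewall pinholing.

Added illustration, not Cisco code. The TNS header and redirect payload
(type 5 with a (PORT=nnnn) address string) are simplified assumptions.
"""
import re
import struct

SQLNET_PORT = 1521
TNS_TYPE_REDIRECT = 5          # assumed TNS packet type for a redirect
CLIENT, SERVER = "192.0.2.10", "10.0.0.5"   # constructed sample hosts


def parse_tns_redirect_port(payload: bytes):
    """Return the port carried by a TNS redirect, or None if this is not one.

    Assumed header: length(2) checksum(2) type(1) reserved(1) hdr_checksum(2),
    followed by a 2-byte data length and text such as
    (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=1522)).
    """
    if len(payload) < 10:
        return None
    length, _csum, ptype, _rsv, _hcsum = struct.unpack("!HHBBH", payload[:8])
    if ptype != TNS_TYPE_REDIRECT or length != len(payload):
        return None
    data_len = struct.unpack("!H", payload[8:10])[0]
    data = payload[10:10 + data_len].decode("ascii", "replace")
    m = re.search(r"\(PORT=(\d{1,5})\)", data)
    if not m:
        return None
    port = int(m.group(1))
    return port if 1 <= port <= 65535 else None


def build_tns_redirect(port: int) -> bytes:
    """Constructed server->client redirect packet (same simplified layout)."""
    data = f"(ADDRESS=(PROTOCOL=tcp)(HOST={SERVER})(PORT={port}))".encode()
    body = struct.pack("!H", len(data)) + data
    return struct.pack("!HHBBH", 8 + len(body), 0, TNS_TYPE_REDIRECT, 0, 0) + body


class Firewall:
    def __init__(self, inspect_sqlnet: bool, static_rules):
        self.inspect_sqlnet = inspect_sqlnet
        # (src, dst, dport) with dport an int or "high" meaning any port > 1024
        self.static_rules = list(static_rules)
        self.pinholes = set()   # (src, dst, dport) opened by inspection
        self.sessions = set()   # established (src, sport, dst, dport)

    def _static_permit(self, src, dst, dport):
        for rs, rd, rp in self.static_rules:
            if rs == src and rd == dst and (rp == dport or (rp == "high" and dport > 1024)):
                return True
        return False

    def handle(self, src, sport, dst, dport, syn=False, payload=b""):
        """Return 'permit' or 'deny' for one packet."""
        # Reply traffic of an established session is allowed (generic stateful part).
        if (dst, dport, src, sport) in self.sessions:
            # Application-layer part: read the redirect and open the new port.
            if self.inspect_sqlnet and sport == SQLNET_PORT:
                port = parse_tns_redirect_port(payload)
                if port is not None:
                    self.pinholes.add((dst, src, port))
            return "permit"
        if not syn:
            return "deny"           # no session and not a connection attempt
        key = (src, dst, dport)
        if self._static_permit(*key) or key in self.pinholes:
            self.pinholes.discard(key)   # a pinhole is good for one connection
            self.sessions.add((src, sport, dst, dport))
            return "permit"
        return "deny"


def scenario(inspect_sqlnet: bool, open_high_ports: bool = False):
    """Client connects to 1521, server redirects to 1522, client reconnects."""
    rules = [(CLIENT, SERVER, SQLNET_PORT)]
    if open_high_ports:
        rules.append((CLIENT, SERVER, "high"))   # the "open everything >1024" fallback
    fw = Firewall(inspect_sqlnet, rules)
    v1 = fw.handle(CLIENT, 40000, SERVER, SQLNET_PORT, syn=True)
    v2 = fw.handle(SERVER, SQLNET_PORT, CLIENT, 40000, payload=build_tns_redirect(1522))
    v3 = fw.handle(CLIENT, 40001, SERVER, 1522, syn=True)
    return (v1, v2, v3)


if __name__ == "__main__":
    print("inspect sqlnet on :", scenario(True))
    print("inspect sqlnet off:", scenario(False))
    print("off + permit >1024:", scenario(False, open_high_ports=True))
```

With inspection on, the third verdict is a permit through a pinhole that exists only for that client, that server and the one port the server named. With inspection off, the same connection is denied unless the static rule set carries a permit for every port above 1024, which is the trade-off the reply describes.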


New Member

Re: Disabling of firewall inspection

Hi Jon,

Thanks for that.

NAT issue is not resolved as yet. I have updated the other post. Awaiting your reply.