Oracle Redirect Sessions Are Blocked When Using Port-based Policy

Created On 09/26/18 13:55 PM - Last Modified 07/19/22 23:12 PM

Issue

Oracle redirect sessions are dropped by the Palo Alto Networks firewall when the security policy allows only service tcp/1521. The following is a sample of such a policy:
[bad.png: sample security rule that allows only service tcp/1521]

By default, the Oracle listener accepts the client connection on tcp/1521 and then redirects the client to a dynamically chosen port (in the range 1024-65000) for the actual database session. It is this second, redirected connection that a tcp/1521-only rule does not cover.

Note: On a Windows Oracle server this redirect behavior can be disabled by setting the USE_SHARED_SOCKET registry value to TRUE under HKLM\SOFTWARE\ORACLE\HOMEX (where X is the Oracle home number), after which the session stays on tcp/1521.

Cause

For the application "oracle", the parent session (tcp/1521) and the child session (the Oracle redirect session) are not linked by design. The child session appears in "show session all" as a predict session, but by the application definition it is evaluated against the security policy independently of the parent session, so a rule that allows only service tcp/1521 does not match the redirected port and the child session is dropped.

Resolution

In this case it is best to write the rule by application (allow the "oracle" application, with the service left open rather than pinned to tcp/1521) and not by port. The redirect session is then identified as "oracle" by App-ID and allowed regardless of the dynamically chosen port.

[good.png: sample security rule that allows the "oracle" application instead of service tcp/1521]
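The two rule styles expressed as PAN-OS CLI configuration, added here as an illustration and not taken from the original article. The rule names (oracle-by-port, oracle-by-app), the zone names (trust, db-zone) and the service object name (tcp-1521) are assumed; the lines starting with "#" are annotations, not CLI input.

```text
# Port-based rule that reproduces the issue: only service tcp/1521 is allowed,
# so the redirect session on a dynamically chosen port (1024-65000) matches no rule.
set service tcp-1521 protocol tcp port 1521
set rulebase security rules oracle-by-port from trust to db-zone source any destination any application any service tcp-1521 action allow

# Application-based rule that resolves it: match App-ID "oracle" with service any,
# so the redirect (predict) session is allowed on whatever port the listener chooses.
delete rulebase security rules oracle-by-port
set rulebase security rules oracle-by-app from trust to db-zone source any destination any application oracle service any action allow
commit

# Verification after a client connects: both the tcp/1521 parent session and the
# redirected child session should be listed with application "oracle".
show session all filter application oracle
```

If the redirect session still does not appear, confirm that the client is actually being redirected (the Oracle server has not been configured with USE_SHARED_SOCKET) and that no earlier rule in the rulebase matches the redirected port first.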

owner: ymiyashita



Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1ECAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail