Where should I place a firewall in my SAP landscape?
Today, each Windows OS is shipped with a build-in, enabled firewall service. SAP systems should be secured by firewalls to prevent DoS attacks, block port snooping, allow or deny access from certain IP addresses or address ranges, to specific SAP applications.
This picture shows a proven and secure SAP landscape:
Recently we have seen some customer landscapes where firewalls are used to isolate traffic between SAP applications and the database.
This picture shows the difference to the first scenario:
What are the advantages of using so many firewalls?
If you see some, for example “more” security, please discuss them with me.
What are the disadvantages?
First, we have several vendors for the different firewalls used in such a scenario. The build-in firewall service from Windows comes from Microsoft. The other firewalls used in the network, are from different vendors.
A common problem we have seen in several customer configurations is the occurence of sudden, non- reproducible, non-predictable network errors of type 10054 and 10055. It’s almost impossible to trace these problems using WireShark or Netmon, because of the huge trace files we would get on both sides, the application server and the database.
In one case the problems just “vanished”, when we used WireShark to trace the network traffic between application server and database. The situation was not reproducible anymore, because of the change in the landscape: Two additional network monitors changed the behavior.
Even if you configure the firewalls to allow traffic to pass through, there is no guarantee that in high network load situations, these rare network connection errors can even though occur.
To track down the problem, remove the firewall (temporary) if possible, or add an application server into the same subnet, where the database is connected to.
Conclusion:
Too many firewalls will spoil SAP and database operations!
This may sound a little strange, but it’s based on the experience we have in SAP support with such scenarios.
Using different types of firewall is advantageous for any system ,Every system need protection from unauthorized source.
Hello Ravi,
no disagreement to your comment! Usually, a firewall system should not be bought from only one vendor! A security solution should consist of several vendors using different solutions for firewall, intrusion detection, and so on.
This blog discuss the usage of firewalls between SAP application parts (dialog instances, (A)SCS instances, etc.) and databases. And that’s not very efficient and cause more problems in operations, than the gain of security.
Best regards,
Kalle
You find all ports used by SAP applications here: https://help.sap.com/viewer/ports
Best regards,
Kalle
Hi,
my company is currently making a change of our IT provider. They are currently planning the network and firewall environment and plan to install firewalls between the SAP application and the database server. We at SAP support have expressed our concerns. The project management would now like a best practice or a white paper from SAP on this topic. Does SAP have such a document?
Best regards,
Norbert
Hello Norbert,
I had three or four customer tickets analyzing “communication” problems between database and SAP ABAP work processes. The analysis took a long time and was very complicated (network trace on OS level, in two cases we need a full memory dump of the Windows OS and Microsoft’s help to analyze it …).
In all cases it was not related to SAP, not related to the used database or database client library, or related to Windows OS.
Sometimes it was a filter driver on Windows level (for example the network filter driver of an antivirus solution which acts as additional firewall/host intrusion detection) or indeed an extra firewall between the two subnets used for application server instances and the database.
Therefore, I wrote this SAP note:
2438832 – Network problems if firewall used between database and application servers
If a customer ignores our recommendation (which is definitely not “against” security!!!), then they will have to analyze and solve communication problems on their own.
Best regards,
Kalle
Hello,
Is avoiding fw between App and DB Server a general recommendation or is it limited to the Windows-Linux configuration described in the note?
BR
Antonio
Hello Antonio,
it is not dependent to any database or heterogeneous landscapes (Unix/Windows). 5 weeks ago, we had an issue in a Windows only landscape. Almost a dozen (!) application servers connecting to a database, which ran on a Windows Failover cluster. Network traces showed, that the clients (that's the SAP application server instances) send the network package to the database successfully. The database also retrieved the network package successfully.
But the ACK network package (which was successfully sent by the database) never arrived on the application server host.
Root cause: The Windows firewall configuration on the application server ...
My point is: If you want to avoid such issues, place a good, fast and redundant firewall in front of your SAP/database subnet! Or isolate even the communication between database and application servers with firewall and live with the side effects ...
Best regards,
Kalle