Today, each Windows OS is shipped with a build-in, enabled firewall service. SAP systems should be secured by firewalls to prevent DoS attacks, block port snooping, allow or deny access from certain IP addresses or address ranges, to specific SAP applications.
This picture shows a proven and secure SAP landscape:
Recently we have seen some customer landscapes where firewalls are used to isolate traffic between SAP applications and the database.
This picture shows the difference to the first scenario:
What are the advantages of using so many firewalls?
If you see some, for example “more” security, please discuss them with me.
What are the disadvantages?
First, we have several vendors for the different firewalls used in such a scenario. The build-in firewall service from Windows comes from Microsoft. The other firewalls used in the network, are from different vendors.
A common problem we have seen in several customer configurations is the occurence of sudden, non- reproducible, non-predictable network errors of type 10054 and 10055. It’s almost impossible to trace these problems using WireShark or Netmon, because of the huge trace files we would get on both sides, the application server and the database.
In one case the problems just “vanished”, when we used WireShark to trace the network traffic between application server and database. The situation was not reproducible anymore, because of the change in the landscape: Two additional network monitors changed the behavior.
Even if you configure the firewalls to allow traffic to pass through, there is no guarantee that in high network load situations, these rare network connection errors can even though occur.
To track down the problem, remove the firewall (temporary) if possible, or add an application server into the same subnet, where the database is connected to.
Too many firewalls will spoil SAP and database operations!
This may sound a little strange, but it’s based on the experience we have in SAP support with such scenarios.