As shown in the following figure, a USG firewall is deployed between the SQL database server and its users to protect the server.

At the beginning, users can access the SQL database properly. After a period of time, access becomes slow or the application program reports errors.
The packets passing through the USG are captured and analyzed, and the interval between two access packets is found to exceed 600 seconds. By default, an SQL session on the USG ages out after 600 seconds: once an SQL session is established, if no packet matches the session within 600 seconds, the USG ages out the session. User applications are unaware of session aging, so when a user sends data again, the USG has to re-establish the session, and the user's access is delayed. If the delay exceeds the tolerance of the application program, the application program reports an error. In this case, you need to configure a persistent connection on the USG so that the session does not age out for a relatively long period of time.
Session aging on the USG delays or even interrupts SQL access. As a result, user access to the SQL database is delayed, or an application program that uses the database service reports an error.
1. Configure an ACL to match the packets whose session needs to be held for a long time.
Persistent connections are kept on the USG for a long time, and a large number of them degrades USG performance. The ACL matching conditions must therefore be as narrow as possible, so that only the traffic that really needs a persistent session is matched.
Assume that the source IP address of the user is 192.168.1.100/32.
acl number 3998
rule 0 permit tcp destination-port eq sqlnet
rule 5 permit ip source 192.168.1.100 0
2. Enable the persistent connection function in the interzone.
The default aging time of persistent connections is 168 hours. You can run the firewall long-link aging-time aging-time command to set the aging
Assume that the user is in the trust zone and the SQL database server is in the untrust zone.
firewall interzone trust untrust
firewall long-link 3998 outbound
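To make the behaviour concrete, the following Python script is an added example (not from this page or from Huawei) that replays a constructed packet capture through a simplified model of the USG session table. It applies the page's 600-second default aging, the 168-hour persistent-connection aging, and a function that mirrors the two permit rules of ACL 3998; the SQLNET port number 1521 and all addresses and timestamps are assumptions. It also shows why the page insists on accurate matching: rule 5 alone is enough for every IP flow from 192.168.1.100 to become persistent, not just its SQL traffic.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst proto dport")  # ts = seconds since capture start
SQLNET_PORT = 1521            # assumed port behind the 'sqlnet' keyword in ACL 3998
DEFAULT_AGING = 600           # USG default SQL session aging time (seconds)
LONG_LINK_AGING = 168 * 3600  # default persistent-connection aging (168 hours)

def flow_key(p):
    return (p.src, p.dst, p.proto, p.dport)

def acl_3998_matches(p):
    """Mirrors ACL 3998 on the page: rule 0 = tcp to sqlnet from any source,
    rule 5 = any IP traffic from 192.168.1.100. Either permit rule is enough."""
    return (p.proto == "tcp" and p.dport == SQLNET_PORT) or p.src == "192.168.1.100"

def idle_gaps_over(packets, threshold=DEFAULT_AGING):
    """The capture check from the page: per-flow idle gaps longer than threshold."""
    last, gaps = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        if flow_key(p) in last and p.ts - last[flow_key(p)] > threshold:
            gaps.append((flow_key(p), p.ts - last[flow_key(p)]))
        last[flow_key(p)] = p.ts
    return gaps

def simulate(packets, long_link=False):
    """Replay a capture through a simplified session table. Returns (ts, dport)
    for every packet that had to (re)create a session, i.e. where the user waits."""
    sessions, created = {}, []       # flow_key -> (last_seen, aging_time)
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        if key in sessions:
            last_seen, aging = sessions[key]
            if p.ts - last_seen > aging:
                del sessions[key]    # aged out: no packet matched within aging time
        if key not in sessions:
            aging = LONG_LINK_AGING if long_link and acl_3998_matches(p) else DEFAULT_AGING
            created.append((p.ts, p.dport))
        sessions[key] = (p.ts, aging)
    return created

# Constructed capture: the SQL client idles 900 s; the same host and a second host also have web flows.
CAPTURE = [
    Packet(0, "192.168.1.100", "10.1.1.10", "tcp", SQLNET_PORT),
    Packet(30, "192.168.1.100", "10.1.1.10", "tcp", SQLNET_PORT),
    Packet(930, "192.168.1.100", "10.1.1.10", "tcp", SQLNET_PORT),  # 900 s idle gap
    Packet(0, "192.168.1.100", "10.1.1.20", "tcp", 80),
    Packet(700, "192.168.1.100", "10.1.1.20", "tcp", 80),   # rule 5 keeps this one too
    Packet(0, "192.168.1.50", "10.1.1.20", "tcp", 80),
    Packet(1000, "192.168.1.50", "10.1.1.20", "tcp", 80),   # not in ACL 3998: still ages
]
```

Compare `simulate(CAPTURE)` with `simulate(CAPTURE, long_link=True)`: with the long-link configured, the SQL flow no longer re-creates its session at 930 s, while the web flow from the unmatched host still does.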