Firewall Settings with Oracle RAC
Deep Security supports:
- SUSE Linux Enterprise Server 11 SP3 with Oracle RAC 12c Release 1 (v12.1.0.2.0)
- Red Hat Linux Enterprise Server 6.6 with Oracle RAC 12c Release 1 (v12.1.0.2.0)
The default Linux Server Deep Security policy is compatible with the Oracle RAC environment, with the exception of the Firewall settings. Because RAC nodes use complex communication channels between them, the RAC environment will not work with the default Deep Security Agent Firewall settings: some of its packets will be blocked. You can either disable the Firewall module or customize the Firewall settings as described below.
Add a rule to allow interconnect between nodes
- In the Deep Security Manager, go to the Policies tab.
- Select the Linux Server policy and click Details.
  In this document, we are editing the default "Linux Server" policy. A better practice is to create a copy of that policy and customize the copy for use with Oracle RAC.
- Click Firewall.
- Click Assign/Unassign.
- Click New > New Firewall Rule.
- Under General Information, apply these settings:
  - Action: Force Allow
  - Protocol: Any
- Under Packet Source, apply this setting:
  - IP: Enter a comma-separated list of the private (interconnect) IP addresses of all nodes
- Under Packet Destination, apply this setting:
  - IP: Enter a comma-separated list of the private (interconnect) IP addresses of all nodes
- Click OK.
- In the Firewall Rules list for the policy, ensure that the new rule is selected, click OK, and then click Save.
Add a rule to allow UDP port 42424
Follow the steps described in the procedure above to add a new rule that allows UDP port 42424. This port is used by the Cluster Synchronization Service daemon (CSSD), Oracle Grid Interprocess Communication (GIPCD) and Oracle HA Services daemon (OHASD).

Ensure that the Oracle SQL Server rule is assigned
Check that the "Oracle SQL Server" Firewall rule is assigned to the Linux Server policy. This is a pre-defined Deep Security Firewall rule that allows port 1521.
Ensure that anti-evasion settings are set to "Normal"
The Network Engine Anti-Evasion Settings are set to "Normal" by default. If they are set to "Strict", RAC database responses will be extremely slow.
Allow other RAC-related packets (optional)
The steps described above should be enough for most environments. However, if you are experiencing problems with your Oracle RAC database and the Firewall events show that some packets are being dropped, try adding the following Firewall rules.
- Allow TCP port 6200: Add the public IP addresses of the RAC nodes in the IP fields under Packet Source and Packet Destination, and set the destination port to 6200. This port is used by Oracle Notification Services (ONS). The port is configurable, so check the value on your system and set the correct port number if it is something other than 6200.
- Allow Frame Type C0A8: Add a rule with the Frame Type set to "Other" and the Frame no. set to "C0A8".
- Allow Frame Type 0AC9: Add a rule with the Frame Type set to "Other" and the Frame no. set to "0AC9".
- Allow IGMP protocol: Add a rule with the Protocol set to "IGMP".
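To decide which of the rules on this page a dropped packet actually needs, it helps to triage the Firewall deny events against the rule set before adding anything. The following is an added example, not Deep Security's own code or export format: it assumes a constructed, simplified `src,dst,proto,dport,frame` event line and hypothetical node addresses (the private and public IP sets and the ONS port are assumptions to be replaced with your own values).

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# Hypothetical node inventory: constructed sample addresses, not from the page.
PRIV_IPS = {"192.168.10.11", "192.168.10.12"}  # private interconnect addresses
PUB_IPS = {"10.0.0.11", "10.0.0.12"}           # public node addresses
ONS_PORT = 6200  # configurable; confirm the value on your own RAC nodes

@dataclass
class DenyEvent:
    src: str
    dst: str
    protocol: str            # "tcp", "udp", "igmp" or "other"
    dst_port: Optional[int]  # None when the packet carries no transport port
    frame_type: str          # "IPV4" or an EtherType hex string such as "C0A8"

def parse_event(line: str) -> DenyEvent:
    """Parse a constructed 'src,dst,proto,dport,frame' line (not Deep Security's real export format)."""
    src, dst, proto, dport, frame = (f.strip() for f in line.split(","))
    return DenyEvent(src, dst, proto.lower(), int(dport) if dport else None, frame.upper())

def recommend_rule(ev: DenyEvent) -> Optional[str]:
    """Name the rule from this page that would allow the dropped packet, or None."""
    if ev.frame_type in ("C0A8", "0AC9"):
        return f"Frame Type Other, frame number {ev.frame_type}"
    if ev.src in PRIV_IPS and ev.dst in PRIV_IPS:
        return "Interconnect: Force Allow, any protocol, between private node IPs"
    if ev.protocol == "udp" and ev.dst_port == 42424:
        return "UDP 42424 (CSSD, GIPCD, OHASD)"
    if ev.protocol == "tcp" and ev.dst_port == 1521:
        return "Oracle SQL Server (pre-defined rule, port 1521)"
    if ev.protocol == "tcp" and ev.dst_port == ONS_PORT and {ev.src, ev.dst} <= PUB_IPS:
        return f"TCP {ONS_PORT} ONS between public node IPs"
    if ev.protocol == "igmp":
        return "IGMP protocol rule"
    return None  # not covered by this page; consult Oracle's port list

def triage(lines) -> Counter:
    """Count dropped packets per recommended rule; 'UNMATCHED' needs manual review."""
    return Counter(recommend_rule(parse_event(l)) or "UNMATCHED" for l in lines if l.strip())

# Constructed sample deny events, not real Deep Security output.
SAMPLE_EVENTS = [
    "192.168.10.11,192.168.10.12,udp,42424,ipv4",  # already covered by the interconnect rule
    "10.0.0.11,10.0.0.12,udp,42424,ipv4",          # needs the UDP 42424 rule
    "10.0.0.12,10.0.0.11,tcp,6200,ipv4",           # ONS between public node IPs
    "-,-,other,,C0A8",                             # non-IP frame
    "10.0.0.11,224.0.0.251,igmp,,ipv4",            # multicast group membership
    "10.0.0.11,10.0.0.12,tcp,8080,ipv4",           # not RAC-related on this page
]
```

Events that land in `UNMATCHED` are the ones to look up in the Oracle port list linked below rather than allow blindly.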

Refer to the following Oracle documentation to check whether there are additional RAC-related components in your system that need extra Firewall rules to allow certain ports:
https://docs.oracle.com/database/121/RILIN/ports.htm#RILIN1178