ScreenOS Firewalls (NOT SRX)

DI: MS-SQL inspection w. custom service

08-18-2008 02:59 AM



One of my customers and I are wondering how to implement DI with a policy that matches traffic for MS-SQL services not running on well-known ports. While one has to specify an application inside the policy configuration for DI, this cannot be done with MS-SQL, because there is no application like SQL or MS-SQL.


Usually one has to select the proper application for a protocol that has custom ports or port ranges (version 6.0.0.x, C&E Volume 4, page 152):



 - - - - - -

When using a custom service in a policy with a Deep Inspection (DI) component,
you must explicitly specify the application that is running on that service so that the
DI module can function properly. For example, if you create a custom service for
FTP running on a nonstandard port number such as 2121 (see Figure 52), you can
reference that custom service in a policy as follows:

set service ftp-custom protocol tcp src-port 0-65535 dst-port 2121-2121
set policy id 1 from untrust to trust any ftp-srv1 ftp-custom permit

However, if you add a DI component to a policy that references a custom service,
the DI module cannot recognize the application because it is using a nonstandard
port number.

 - - - - - -



So, how is one able to solve this for MS-SQL? Or would you call this a built-in limitation for "Deep Inspection" on SSG devices?


With kind regards,
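For a protocol that DI does support, the mechanism the manual excerpt describes is completed by binding the policy to an application with `set policy id <n> application <name>`, so the DI module knows which protocol decoder to run on the nonstandard port. The listing below is an added example, not from the original post or from the Juniper manual; the policy id, the zone names, the address-book entry ftp-srv1 and the attack group CRITICAL:FTP:SIGS are assumed for illustration, and the `#` lines are annotations rather than ScreenOS CLI input.

```screenos
# Assumed example (not from the original post): FTP served on TCP/2121.
# 1. Define the custom service. On its own, port 2121 tells DI nothing
#    about which application is behind it.
set service ftp-custom protocol tcp src-port 0-65535 dst-port 2121-2121

# 2. Permit the custom service and attach a DI attack group to the policy
#    (group name and "close" action are assumed for this example).
set policy id 1 from untrust to trust any ftp-srv1 ftp-custom permit attack CRITICAL:FTP:SIGS action close

# 3. Map the policy to the application so the DI module uses the FTP
#    decoder for traffic matched by this policy.
set policy id 1 application ftp
```

Step 3 is the part that the excerpt says is missing when a custom service is used: without it the attack group in step 2 is attached but the DI module has no decoder to apply. The `application` keyword only accepts protocols that DI has a decoder for, which is why the same approach depends on the protocol appearing in DI's supported list.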




Re: DI: MS-SQL inspection w. custom service

08-18-2008 04:42 PM

MS-SQL is not on the list of supported protocols for DI. The list can be found in ScreenOS Concepts & Examples Guide, Volume 4.


In particular, page 129 has the list of available protocols for which DI attack objects exist.