Applies to SUSE Linux Enterprise Server for SAP Applications 12 SP5

9 Firewalling #

This chapter presents information about restricting access to the system using firewalling and encryption and gives information about connecting to the system remotely.

9.1 Configuring SuSEfirewall2 #

By default, the installation workflow of SUSE Linux Enterprise Server for SAP Applications enables SuSEfirewall2. The firewall needs to be manually configured to allow network access for the following:

SAP application
Database (see the documentation of your database vendor; for SAP HANA, see Section 9.2, “Configuring HANA-Firewall”)

Additionally, open the ports 1128 (TCP) and 1129 (UDP).

SAP applications require many open ports and port ranges in the firewall. The exact numbers depend on the selected instance. For more information, see the documentation provided to you by SAP.

9.2 Configuring HANA-Firewall #

To simplify setting up a firewall for SAP HANA, install the package HANA-Firewall. HANA-Firewall adds rule sets to your existing SuSEfirewall2 configuration.

HANA-Firewall consists of the following parts:

YaST Module SAP HANA Firewall. Allows configuring, applying, and reverting firewall rules for SAP HANA from a graphical user interface.
Command Line Utility hana-firewall. Allows applying and reverting the configured firewall rules for SAP HANA.
If you prefer, you can configure the rule sets using the configuration file at /etc/sysconfig/hana-firewall instead of using YaST.
Service hana-firewall. Ensures that configured firewall rules for SAP HANA are kept.

Important: SAP HANA MDC Databases

For multi-tenant SAP HANA (MDC) databases, determining the port numbers that need to be opened is not yet possible automatically. If you are working with a multi-tenant SAP HANA database system: Before you use YaST, run a script on the command line to create a new service definition:

# cd /etc/hana-firewall.d
# ./create_new_service

You need to switch to the directory /etc/hana-firewall.d, otherwise the rule file for the new service will be created in a place where it cannot be used.

The script will ask several questions: Importantly, it will ask for TCP and UDP port ranges that need to be opened.

Note: Install HANA-Firewall Packages

Before continuing, make sure that the packages HANA-Firewall and yast2-hana-firewall are installed.

Procedure 9.1: Using HANA-Firewall #

Make sure the SAP HANA databases for which you want to configure the firewall are correctly installed.
To open the appropriate YaST module, select Applications › YaST, Security and Users › SAP HANA Firewall.
When you open this YaST module, it will create a configuration proposal based on the number of installed SAP HANA instances.
Choose whether you want to accept the proposal using Yes or No.
Important: Narrow Down Settings from Proposal
The proposed settings allow all detected SAP HANA instances on all detected network interfaces. Narrow down the proposal to secure the system further.
Under Global Options, activate Enable Firewall. Additionally, decide whether to Allow Remote Shell Access (SSH).
Choose a network interface under Allowed Services on Network Interface.
Allow network services by selecting them in the list box on the left and clicking →. Remove services by selecting them in the list box on the right and clicking ←.
To add services other than the preconfigured ones, add them using the following notation:
```
SERVICE_NAME:CIDR_NOTATION
```
For more information about the CIDR notation, see https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing. To find out which services are available on your system, use getent services.
Repeat from Step 5 for all network interfaces.
When you are done, click OK.
The firewall rules from HANA-Firewall will now be compiled and applied. Then, the service hana-firewall will be restarted.
Finally, check whether HANA-Firewall was enabled correctly:
```
# hana-firewall status
HANA firewall is active. Everything is OK.
```
Tip: Checking Which Firewall Rules Are Enabled
Gaining an overview of which firewall rules are enabled in the current configuration of the script is possible using the command line:
```
# hana-firewall dry-run
```

For more information, see the man page of hana-firewall.

9.3 SAProuter Integration #

The SAProuter software from SAP allows proxying network traffic between different SAP systems or between an SAP system and outside networks. SUSE Linux Enterprise Server for SAP Applications now provides integration for SAProuter into systemd. This means, SAProuter will be started and stopped properly with the operating system and can be controlled using systemctl.

Before you can use this functionality, make sure the following has been installed, in this order:

An SAP application that includes SAProuter
The SAProuter systemd integration, packaged as saprouter-systemd

If you got the order of applications to install wrong initially, reinstall saprouter-systemd.

To control SAProuter with systemctl, use:

Enabling the SAProuter Service: systemctl enable saprouter
Starting the SAProuter Service: systemctl start saprouter
Showing the Status of SAProuter Service: systemctl status saprouter
Stopping the SAProuter Service: systemctl stop saprouter
Disabling the SAProuter Service: systemctl disable saprouter