Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Guide / Configuring a firewall
Applies to SUSE Linux Enterprise Server for SAP Applications 15 SP6

10 Configuring a firewall

This chapter provides information about restricting access to the system using a firewall and encryption and gives information about connecting to the system remotely.

10.1 Configuring firewalld

By default, the installation workflow of SUSE Linux Enterprise Server for SAP Applications enables firewalld.

Note
Note: firewalld replaces SuSEfirewall2

SUSE Linux Enterprise Server for SAP Applications 15 introduces firewalld as the new default software firewall, replacing SuSEfirewall2. SuSEfirewall2 has not been removed from SUSE Linux Enterprise Server for SAP Applications 15 and is still part of the main repository, but it is not installed by default. If you are upgrading from a release older than SUSE Linux Enterprise Server for SAP Applications 15, SuSEfirewall2 will be unchanged and you must manually upgrade to firewalld (see Security and Hardening Guide).

The firewall must be manually configured to allow network access for the following components:

Additionally, open the ports 1128 (TCP) and 1129 (UDP).

SAP applications require multiple open ports and port ranges in the firewall. The exact numbers depend on the selected instance. For more information, see the documentation provided to you by SAP.

10.2 Configuring HANA-Firewall

To simplify setting up a firewall for SAP HANA, install the package HANA-Firewall. HANA-Firewall adds rule sets to your existing SuSEfirewall2 configuration.

HANA-Firewall consists of the following parts:

  • YaST module SAP HANA firewall Allows configuring, applying, and reverting firewall rules for SAP HANA from a graphical user interface.

  • Command-line utility hana-firewall Creates XML files containing firewall rules for SAP HANA.

    Instead of using YaST, you can configure firewall rules using the configuration file at /etc/sysconfig/hana-firewall.

Important
Important: SAP HANA MDC databases

For multi-tenant SAP HANA (MDC) databases, determining automatically the port numbers that need to be opened is not yet possible. If you are working with a multi-tenant SAP HANA database system, run a script to create a new service definition before using YaST:

# cd /etc/hana-firewall.d
# hana-firewall define-new-hana-service

The script prompts you to answer a series of questions, including TCP and UDP port ranges that need to be opened.

Note
Note: Install HANA-Firewall packages

Before continuing, make sure that the packages HANA-Firewall and yast2-hana-firewall are installed.

Procedure 10.1: Using HANA-Firewall
  1. Make sure the SAP HANA databases for which you want to configure the firewall are correctly installed.

  2. To open the appropriate YaST module, select Applications › YaST, Security and Users › Configure system firewall for SAP HANA.

  3. Under Global Options, activate Enable and reload firewalld.

  4. Select the desired zone from the Zone drop-down list, and add the required services using the right arrow button.

    To add services other than the preconfigured ones, use the following notation:

    SERVICE_NAME:CIDR_NOTATION

    For more information about the CIDR notation, see https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing. To find out which services are available on your system, use getent services.

  5. When you are done, click OK.

    The firewall rules from HANA-Firewall will now be compiled and applied. Then, the service hana-firewall will be restarted.

  6. Finally, check whether HANA-Firewall was enabled correctly:

    # hana-firewall status
    HANA firewall is active. Everything is OK.

For more information, see the man page of hana-firewall.

10.3 SAProuter integration

The SAProuter software from SAP allows proxying network traffic between different SAP systems or between an SAP system and outside networks. SUSE Linux Enterprise Server for SAP Applications now provides integration for SAProuter into systemd. This means that SAProuter will be started and stopped properly with the operating system and can be controlled using systemctl.

Before you can use this functionality, make sure the following has been installed, in this order:

  • An SAP application that includes SAProuter

  • The SAProuter systemd integration, packaged as saprouter-systemd

If you got the order of applications to install wrong initially, reinstall saprouter-systemd.

To control SAProuter with systemctl, use:

  • Enabling the SAProuter service: systemctl enable saprouter

  • Starting the SAProuter service: systemctl start saprouter

  • Showing the Status of SAProuter service: systemctl status saprouter

  • Stopping the SAProuter service: systemctl stop saprouter

  • Disabling the SAProuter service: systemctl disable saprouter