Strengthening Database Security with SQL Firewall in Oracle 26ai

 

SQL Firewall in Oracle 26ai

A hands-on, step-by-step walkthrough for DBAs

Why SQL Firewall Matters

   Robust mitigation of SQL injection attacks

   Zero-trust session context verification

   Bypass-proof, kernel-level inspection

   Seamless “capture and enforce” lifecycle

   Native integration and scalability

The 4-Phase Implementation Flow

1️⃣ Enable SQL Firewall      2️⃣ Capture Phase      3️⃣ Generate Allow-List      4️⃣ Enforce Phase


 

STEP 1  Enable the Global SQL Firewall

Turn on SQL Firewall at the database level before any capture or enforcement can begin.

SQL Firewall enabled successfully at the global level.

STEP 2  Enable Capture

Start a capture session for a target user (schema) to record real, in-flight SQL activity:

-- top_level_only => FALSE also records SQL issued from inside PL/SQL units
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username         => 'TEST',
    top_level_only   => FALSE,
    start_capture    => TRUE
  );
END;
/

✅ PL/SQL procedure successfully completed.

Capture running — recording live SQL activity for the TEST user.


 

STEP 3  Stop Capture

Once enough representative traffic has been recorded, stop the capture:

EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('TEST');

Capture stopped for the TEST user.

STEP 4  Review the Generated Allow-List Policies

The captured SQL activity is translated into allow-list policies, viewable through:

   DBA_SQL_FIREWALL_ALLOWED_SQL

   DBA_SQL_FIREWALL_ALLOWED_IP_ADDR

   DBA_SQL_FIREWALL_ALLOWED_OS_USER

   DBA_SQL_FIREWALL_ALLOWED_OS_PROG

STEP 5  Enable the Missing OS Program

Only “sqlplus.exe” was captured as an allowed OS program, so we explicitly enable the additional client program before enforcing:

Adding an allowed OS program to the policy.


 

STEP 6  Test with SQL Developer

With enforcement active, a connection attempt is made from SQL Developer — a client outside the original allow-list:

Connection attempt from SQL Developer under active enforcement.

STEP 7  Review Blocked Records

SQL Firewall correctly intercepts and logs the unauthorized attempt:

Blocked activity recorded by SQL Firewall.

Result: only recognized SQL, IPs, OS users, and programs are allowed to reach the database — everything else is captured and blocked. 🛡️
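The four-phase flow above as one SQL*Plus script, added here as an example and not the author's own commands. It assumes the DBMS_SQL_FIREWALL procedures and views documented for Oracle Database 23ai are unchanged in 26ai and that the session holds the SQL_FIREWALL_ADMIN role; `<client_program>` is a placeholder, because the page does not name the program that was added in Step 5.

```sql
-- Added example, not the author's script. 'TEST' is the schema used on the page;
-- '<client_program>' is a placeholder for the OS program name (not given on the page).

-- Phase 1 (Step 1): enable SQL Firewall globally.
EXEC DBMS_SQL_FIREWALL.ENABLE;

-- Phase 2 (Steps 2-3): capture, run the normal workload, then stop.
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'TEST',
    top_level_only => FALSE,
    start_capture  => TRUE
  );
END;
/
-- ... exercise the application as TEST until the traffic is representative ...
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('TEST');

-- Phase 3 (Step 4): build the allow-list from the capture log and review it.
EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('TEST');
SELECT os_program FROM dba_sql_firewall_allowed_os_prog WHERE username = 'TEST';

-- Step 5: add a legitimate client program that the capture did not see.
BEGIN
  DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT(
    username     => 'TEST',
    context_type => DBMS_SQL_FIREWALL.OS_PROGRAM,
    value        => '<client_program>'
  );
END;
/

-- Phase 4: enforce SQL and session context together, and block violations.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'TEST',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => TRUE
  );
END;
/

-- Step 7: review what was rejected and why.
SELECT occurred_at, os_program, ip_address, cause, firewall_action, sql_text
FROM   dba_sql_firewall_violations
WHERE  username = 'TEST'
ORDER  BY occurred_at;
```

Running Phase 4 first with `block => FALSE` records violations without rejecting them, which helps confirm the allow-list is complete before switching to blocking.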

