Common problem…
Joe Bob at Warehouse X starts his shipping and receiving application in the morning before going out to smoke his first cig. A couple hours later he may wander back into the building and fill out some information before heading back out to the dock.
In the meantime, the database application just sits there doing nothing: no heartbeats, no random traffic. The firewall drops its state information after 1 hour. So when Joe Bob comes back after 4 hours and types information into the client GUI, which is talking to the front end app, the front end app tries to talk to the database server. The firewall says “I’ve never seen this connection” and drops the out-of-sync packets.
Result: Random hangs, random behavior, random
How to fix?
1) Lengthen the session timeout:
You can hunt down those connections from the front end app to the back end database and lengthen their session timeouts.
The problem is that this may not scale if you have tons of database servers and applications.
2) For internal firewalls going to/from internal database servers, you might consider ignoring out-of-state drops.
You can do this on a per firewall basis or for the whole domain.
I wouldn’t do this on a perimeter firewall, obviously, but internally the cost/benefit/risk may make sense for you depending on how many of these database servers you have around. Remember you still have SRC/DST/PORT rules; it’s just that there won’t be any TCP state kept for them. So theoretically hackers could send incomplete TCP sessions through your internal firewalls. You probably have bigger fish to fry than worrying about an attack like this on an internal firewall.
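To make the failure and both fixes concrete, here is a toy model of a stateful firewall's state table, added as an illustration (constructed example code, not from the original post or any firewall vendor). The addresses, the port 1433 and the timer values are assumptions; the model shows the idle connection aging out, then fix 1 (longer timeout) and fix 2 (no out-of-state drop) each letting Joe Bob's query through while the SRC/DST/PORT rule check still blocks hosts with no rule.

```python
from dataclasses import dataclass, field

HOUR = 3600  # all times below are in seconds


@dataclass
class Firewall:
    """Minimal stateful firewall: a rule table that is always enforced,
    plus a TCP state table whose entries expire after session_timeout."""
    session_timeout: int = 1 * HOUR      # fix 1: raise above the longest idle gap
    drop_out_of_state: bool = True       # fix 2: set False on internal firewalls
    rules: set = field(default_factory=set)    # allowed (src, dst, dport) tuples
    state: dict = field(default_factory=dict)  # (src, dst, dport) -> last seen time

    def handle(self, t, src, dst, dport, flags):
        """Return the verdict for one packet seen at time t. flags is 'SYN'
        for a connection open or 'ACK' for traffic on an existing session."""
        key = (src, dst, dport)
        if key not in self.rules:
            return "DROP: no rule"             # SRC/DST/PORT rules still apply
        last = self.state.get(key)
        if last is not None and t - last > self.session_timeout:
            del self.state[key]                # idle entry aged out of the table
            last = None
        if flags == "SYN":
            self.state[key] = t
            return "ACCEPT: new session"
        if last is None and self.drop_out_of_state:
            return "DROP: out of state"        # mid-stream packet, no table entry
        self.state[key] = t
        return "ACCEPT"


def joe_bob_scenario(fw):
    """Constructed scenario: the front end (10.1.1.5) opens one connection to
    the database (10.2.2.10:1433), idles for 4 hours, then sends a query."""
    fw.rules.add(("10.1.1.5", "10.2.2.10", 1433))
    opened = fw.handle(0, "10.1.1.5", "10.2.2.10", 1433, "SYN")
    resumed = fw.handle(4 * HOUR, "10.1.1.5", "10.2.2.10", 1433, "ACK")
    return opened, resumed


if __name__ == "__main__":
    print("default:        ", joe_bob_scenario(Firewall()))
    print("longer timeout: ", joe_bob_scenario(Firewall(session_timeout=5 * HOUR)))
    print("no state drop:  ", joe_bob_scenario(Firewall(drop_out_of_state=False)))
    # the rule table still blocks a host that has no rule, even without state
    print("no rule:        ", Firewall(drop_out_of_state=False).handle(
        0, "10.9.9.9", "10.2.2.10", 1433, "ACK"))
```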