MySQL Secure Deployment Guide  /  Installing MySQL Enterprise Firewall

Chapter 8 Installing MySQL Enterprise Firewall

MySQL Enterprise Firewall is an application-level firewall that enables database administrators to permit or deny SQL statement execution based on matching against allowlists of accepted statement patterns. This helps harden MySQL against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics.

Each MySQL account registered with the firewall has its own statement allowlist, enabling protection to be tailored per account. For a given account, the firewall can operate in recording, protecting, or detecting mode, for training in the accepted statement patterns, active protection against unacceptable statements, or passive detection of unacceptable statements.

MySQL Enterprise Firewall installation is a one-time operation that involves running a script located in the share directory of your MySQL installation.

To install MySQL Enterprise Firewall:

  1. Run the linux_install_firewall.sql script that is located in the /usr/local/mysql/share directory.

    The installation script creates stored procedures in the default database, so choose a database to use. Then run the script as follows, naming the chosen database on the command line. This deployment uses the mysql database.

    $> cd /usr/local/mysql
    $> bin/mysql -u root -p mysql < /usr/local/mysql/share/linux_install_firewall.sql
    Enter password: (enter root password here)
  2. MySQL Enterprise Firewall does not work together with the query cache. By default, the query cache is disabled. Ensure that the query cache remains disabled by specifying these settings under the [mysqld] option group in the MySQL configuration file:

    query_cache_type=0
    query_cache_size=0

    Setting query_cache_size to 0 deallocates the query cache buffer.

  3. To enable the firewall, enable the mysql_firewall_mode system variable. By default, this variable is enabled when the firewall is installed. To configure the firewall state explicitly, add it under the [mysqld] option group in the MySQL configuration file:

    mysql_firewall_mode=ON
  4. Restart the MySQL server to apply the new configuration settings.

    $> systemctl restart mysqld
  5. To verify that MySQL Enterprise Firewall is enabled, connect to the server and execute this statement:

    $> cd /usr/local/mysql
    $> bin/mysql -u root -p
    Enter password: (enter the root password here)
    mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';
    +---------------------+-------+
    | Variable_name       | Value |
    +---------------------+-------+
    | mysql_firewall_mode | ON    |
    +---------------------+-------+

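As an added example that is not part of the MySQL documentation, the following shell function checks an option file for the settings steps 2 and 3 require under [mysqld] (query cache disabled, firewall mode ON) before the restart in step 4. It assumes a standard option-file layout and exercises the check on a constructed sample file, not a real deployment's my.cnf.

```shell
# Added check (not part of the MySQL documentation): verify that an option
# file carries the three [mysqld] settings this chapter requires, namely the
# query cache disabled and mysql_firewall_mode=ON. Returns 0 when all three
# are present with the expected values, 1 otherwise, naming what is off.
check_firewall_cnf() {
  awk '
    # A section header switches tracking on only for [mysqld].
    /^[[:space:]]*\[/ {
      in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next
    }
    # Skip blank lines and # or ; comments.
    /^[[:space:]]*([#;]|$)/ { next }
    in_mysqld {
      n = split($0, kv, "=")
      gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
      gsub(/-/, "_", kv[1])      # MySQL treats - and _ in option names as interchangeable
      seen[kv[1]] = (n > 1) ? kv[2] : ""
    }
    END {
      want["query_cache_type"]    = "0"
      want["query_cache_size"]    = "0"
      want["mysql_firewall_mode"] = "ON"
      rc = 0
      for (k in want) {
        got = (k in seen) ? seen[k] : "<unset>"
        if (toupper(got) != want[k]) {
          printf "missing or wrong: %s (want %s, got %s)\n", k, want[k], got
          rc = 1
        }
      }
      exit rc
    }' "$1"
}

# Constructed sample option file used only to exercise the check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
user=root

[mysqld]
query_cache_type = 0
query_cache_size = 0
mysql-firewall-mode = ON
EOF
check_firewall_cnf "$sample" && echo "option file OK: query cache off, firewall on"
rm -f "$sample"
```

A setting placed under another group such as [mysqld_safe] is reported as unset, since only the [mysqld] group is read by the server for these options.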
MySQL Enterprise Firewall is now enabled and ready for use. For information about registering accounts with the firewall and configuring operational modes, see Using MySQL Enterprise Firewall. An example is provided that demonstrates how to register an account with the firewall, use the firewall to learn acceptable statements for the account, and protect the account against execution of unacceptable statements.