
6.8 MySQL Enterprise Firewall Interface

MySQL Workbench provides a graphical interface to MySQL Enterprise Firewall. For additional information about MySQL Enterprise Firewall, see https://dev.mysql.com/doc/en/firewall.html.

Setup and Configuration

MySQL Workbench can manage the MySQL Enterprise Firewall installation and configuration by installing (or uninstalling) and enabling (or disabling) the plugin, and enabling (or disabling) Firewall Tracer.

To prepare the MySQL Enterprise Firewall plugin:

  1. Open a connection to MySQL Enterprise Edition.

  2. From the Navigator area of the sidebar and with the Administration secondary tab selected, click Firewall (see MYSQL ENTERPRISE) to open the Administration - Firewall secondary tab in the workspace.

    If MySQL Enterprise Firewall is not installed, click Install Firewall. After the plugin is installed, MySQL Workbench displays three controls: Installed status, Enabled status, and Tracer status. The following figure shows the MySQL Enterprise Firewall installed, but not yet enabled within MySQL Workbench.

    Figure 6.33 MySQL Enterprise Firewall Installation and Configuration


  3. Click Enable Firewall to make the plugin fully operational, and optionally click Enable Firewall Tracer to enable tracing. You can modify the plugin controls as follows:

    • Install: Executes queries to install the new MySQL Enterprise Firewall tables and stored procedure needed to switch the state. Uninstall reverses these effects, which also removes the recorded rules.

    • Enable: Executes SET GLOBAL mysql_firewall_mode = ON; against the connected MySQL server. Disable sets it to OFF instead of ON.

      This is a runtime operation, so the setting does not persist across a server restart. To enable MySQL Enterprise Firewall at startup, set the mysql_firewall_mode option in the MySQL server configuration file. You can edit the MySQL configuration file with an external editor or use MySQL Workbench to edit it.

Firewall Rules and Information

The Firewall Rules tab lists the active and recorded rules for a given user, the state of each rule, and includes options to add, delete, and save rules. Figure 6.34, “MySQL Enterprise Firewall Rules” shows the location of actions available within the Firewall Rules tab. The actions are:

  • State (mode): Options include OFF (disables firewall protection for the account), PROTECTING (enables the allowlist), RECORDING (training mode), and RESET (removes the rules and sets the mode to OFF). For additional information about the meaning of these states, see Firewall Concepts.

  • Administrative actions include Add and Delete for individual rules, and Clear to clear (remove) all rules. Add From File prompts for a firewall rules text file (defaults to the .fwr extension) that contains one rule per line, and Save To File saves the current rules.

  • Active rules are the rules enforced in PROTECTING mode, and Rules being recorded are entries captured while the account is in RECORDING mode. Switching from RECORDING to PROTECTING mode copies the recorded rules into the active rule subset.

Note

MySQL Workbench executes its own queries, gets variables, and performs many checks. For this reason, MySQL Workbench is more useful as an administration tool for MySQL Enterprise Firewall than as a tool to record rules. For example, RECORDING rules in MySQL Workbench records the behind-the-scenes operations performed by MySQL Workbench for the MySQL user. Also, a MySQL user in PROTECTING mode could have access to operations in MySQL Workbench that are not accessible to a typical firewalled MySQL user.
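
The following statements are an added example, not part of the MySQL Workbench manual. They show the server-side equivalent of the Enable and State controls, run from a plain client session so that training captures the application's statements rather than the background queries of MySQL Workbench. The account name app_user@localhost is a placeholder, and the example assumes account-profile firewalling with the mysql.sp_set_firewall_mode procedure and the INFORMATION_SCHEMA firewall tables; check the server manual for your version.

```sql
-- Added example. 'app_user@localhost' is a placeholder account name.

-- 1. Confirm the plugin is loaded and see the global mode and tracer
--    settings (what the Installed / Enabled / Tracer controls report).
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'MYSQL_FIREWALL%';
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_%';

-- 2. Runtime enable, as the Enable control does. This is lost at restart
--    unless the option file also carries, under [mysqld]:
--        mysql_firewall_mode=ON
SET GLOBAL mysql_firewall_mode = ON;

-- 3. Put the account in training mode, then drive the real workload as
--    app_user from the application itself, not from MySQL Workbench.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'RECORDING');

-- 4. Review the recorded rules before enforcing them. Any normalized
--    statement the application never issues should be removed first.
SELECT MODE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS
 WHERE USERHOST = 'app_user@localhost';
SELECT RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'app_user@localhost';

-- 5. Enforce the allowlist: the recorded rules become the active rules.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'PROTECTING');

-- 6. Monitor enforcement. A rising Firewall_access_denied counter means
--    statements outside the allowlist are being rejected, which is either
--    incomplete training or activity worth investigating.
SHOW GLOBAL STATUS LIKE 'Firewall%';
```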

Figure 6.34 MySQL Enterprise Firewall Rules
