MySQL Enterprise Firewall

by Lucas Vogel

MySQL Enterprise Firewall filters all incoming SQL statements, allowing administrators to approve or deny SQL execution based on matching whitelist patterns, with a training mode that helps MySQL determine acceptable commands.


Oracle MySQL 8.0 Enterprise Edition includes MySQL 8.0 Enterprise Firewall (MEF), an application-level firewall that protects against SQL injection and other exploits by comparing the SQL statements issued under a given account against a whitelist of acceptable statements for that account.

Enterprise Firewall Operational Modes

MEF is configured on a per-user basis, allowing administrators to fine-tune the whitelists of acceptable SQL statements according to the application(s) using the accounts. Each account registered with the firewall has several operational modes:

  • recording mode, for adding normalized SQL statements run through the account into the whitelist rules
  • protecting mode, for ensuring the application does not run any SQL statement that is 'unfamiliar', meaning it does not match what the firewall learned from the app in recording mode
  • detecting mode, which is a more passive version of protecting mode, writing violations to the error log but allowing access to the database

Enterprise Firewall Components

MEF runs on all servers, ensuring full protection of your distributed database environment through the use of several firewall components. The MYSQL_FIREWALL, MYSQL_FIREWALL_USERS and MYSQL_FIREWALL_WHITELIST plugins set up the firewall and configure INFORMATION_SCHEMA tables for the firewall data cache. The firewall_users and firewall_whitelist tables in the mysql database store all firewall rules and data. FIREWALL_ADMIN and FIREWALL_USER privileges are added to the list of security settings for assignment to MySQL users.
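
The mode workflow and the INFORMATION_SCHEMA views described above, shown as an added example that is not code from this article or from Oracle. It uses the documented `mysql.sp_set_firewall_mode()` procedure; the account `fwuser@localhost`, its password, and the `shop` schema and tables are constructed for illustration.

```sql
-- Added example. Assumes the firewall plugins are installed and the
-- administrator session holds the FIREWALL_ADMIN privilege.
-- Account, password, schema and table names are constructed placeholders.

-- [admin session] Confirm the firewall is enabled server-wide.
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';

-- [admin session] Create a least-privilege application account and
-- register it with the firewall in recording mode.
CREATE USER 'fwuser'@'localhost' IDENTIFIED BY 'Constructed-Placeholder-1';
GRANT SELECT ON shop.* TO 'fwuser'@'localhost';
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'RECORDING');

-- [fwuser session] Exercise the application's normal statements so their
-- normalized forms are added to the account's whitelist.
SELECT first_name, last_name FROM shop.customer WHERE customer_id = 1;
SELECT order_id, total FROM shop.orders WHERE customer_id = 1 ORDER BY order_id;

-- [admin session] Review what was learned before enforcing it. Anything
-- unexpected here would be trusted later, so record only from a clean,
-- trusted client.
SELECT MODE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS
 WHERE USERHOST = 'fwuser@localhost';
SELECT RULE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'fwuser@localhost';

-- [admin session] Run in detecting mode first: mismatches are written to
-- the error log but statements still execute, which exposes gaps in the
-- recorded whitelist without breaking the application.
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'DETECTING');

-- [admin session] Once the error log is quiet, enforce the whitelist.
CALL mysql.sp_set_firewall_mode('fwuser@localhost', 'PROTECTING');

-- [fwuser session] Same statement shape with a different literal:
-- matches the normalized whitelist entry and is accepted.
SELECT first_name, last_name FROM shop.customer WHERE customer_id = 48;

-- [fwuser session] Different statement shape (extra predicate): no
-- whitelist match, so the firewall rejects it in protecting mode.
SELECT first_name, last_name FROM shop.customer WHERE customer_id = 1 OR TRUE;

-- [admin session] Firewall counters (granted, denied, suspicious) for
-- monitoring and alerting.
SHOW GLOBAL STATUS LIKE 'Firewall%';
```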

You can get more detailed information in the MySQL 8.0 Enterprise Firewall Reference.

New Features in Version 8.0

The latest version of MEF includes an intrusion detection feature. This feature allows administrators to receive alerts from the firewall when suspicious activity occurs. These alerts feed into MySQL Enterprise Monitor, an agent-free monitoring solution also included in Oracle MySQL Enterprise, which offers functionality specific to monitoring MySQL Enterprise Firewall and other components of your MySQL deployment.