MySQL Enterprise Firewall

Only available in select Commercial Editions

MySQL Enterprise Firewall guards against cyber security threats by providing real-time protection against database specific attacks. Any application that has user-supplied input, such as login and personal information fields is at risk. Database attacks don't just come from applications. Data breaches can come from many sources including SQL virus attacks or from employee misuse. Successful attacks can quickly steal millions of customer records containing personal information, credit card, financial, healthcare or other valuable data.

MySQL Enterprise Firewall protects your data by monitoring, alerting, and blocking unauthorized database activity without any changes to your applications. It provides multiple operating modes to help administrators block, detect and respond to malicious database attacks:

  • Allow - SQL statements are executed and results are generated for statements that match an approved allowlist
  • Block - SQL statements are blocked from executing that do not match an approved allowlist
  • Detect - SQL statements that do not match a allowlist are executed and administrators are notified of policy violations
Enterprise Firewall

Group Profiles

Creates a composite list of allowed queries for a group of users. Record allowed normalized queries to build the list. Enforces firewall protection across all in the group profile.

Block SQL Injection Attacks

MySQL Enterprise Firewall blocks SQL Injection attacks that can result in loss of valuable personal and financial data. Allowlist creation, real-time threat monitoring, SQL statement blocking and alerting enable DBAs protect data assets.

Database Intrusion Detection

Acting as a security alarm, MySQL Enterprise Firewall notifies administrators to SQL statement activity that does not match an approved allowlist.

Real-time Threat Monitoring

MySQL Enterprise Firewall monitors for database threats in real time. All incoming queries pass through a SQL analysis engine and are matched against an approved allowlist of expected SQL statements. SQL attacks are blocked if they don't represent expected statements.

Block Suspicious Traffic

Statements that do not match the approved allowlist are blocked, logged and can be analyzed to help block a potential SQL injection attack. This provides DBAs with valuable information in preventing malicious attacks, stolen credentials and loss of data.

Learn and Build allowlists

Automatically create user specific allowlists of pre-approved SQL statements using a self-learning system. MySQL Enterprise Firewall records all incoming SQL statement and builds an allowlist. Only incoming queries that match the allowlist are approved and allowed to pass through to MySQL.

Transparent Protection

MySQL Enterprise Firewall requires no changes to your application regardless of development language, framework or 3rd party application. MySQL Enterprise Firewall acts as a "walled garden" transparently protecting MySQL databases regardless of application development language (Java, Python, PHP, .NET, Javascript, etc.), database frameworks (Hibernate, Doctrine, SQL Alchemy, etc.) or 3rd party applications (Wordpress, Joomla, Drupal, etc.).

High Performance

MySQL Enterprise Firewall runs within each MySQL instance and provides scale-out performance. It doesn't require additional firewall services to run or maintain and runs transparently so no changes are required to your database applications.


MySQL Enterprise Firewall tracks and provides metrics on both allowed and blocked SQL statements. Blocked statements are logged for inspection and alerting.

Additional Resources