Database Firewall rules allow you to control access to your server-based databases.
Understanding CPQ Firewall Rules
Some customers use the optional database tables to store sensitive or large data sets. To keep that data more secure, no external system can read or write to the database unless it uses the correct password and is added to the allow list. For example, your integration/ETL tool (like Informatica) or your reporting tool (like Grow) may want to write to your database tables. Or your company administrator may want to just look at those database tables to investigate an issue from their own laptop. Regardless of the size of the request or its purpose, if you want to access your database tables from another computer, that computer must be allowed first.
Determining the Need for a CPQ Firewall Rule
The firewall settings are NOT required for your users or company administrators who use their web browser. The firewall settings are NOT required for web service calls. They are only required for specific IP addresses using port 1433, such as:
- The address of the workstation for the occasional company administrator who is manually performing CRUD operations on a database table or view through MSSMS, Data Studio, or a similar database tool over this port.
- The address of the server running an integration engine, such as Informatica, which is automatically performing CRUD operations to maintain or migrate data over this port.
- The address of certain integrated platforms, such as Epicor Kinetic, that access this port to share information required by the integration.
All other customers, administrators, web service endpoints, or other systems using the Epicor CPQ system do not need to be added to the firewall’s allowlist, as they are not interacting directly with the database on a special port. They are simply using web services over HTTPS port 8080, which CPQ's firewall allows.
Finding the Addresses for a Firewall Rule
How do you know what address to add to the allow list?
- If you are working on the computer you wish to add to the allow list, you can google "what is my IP" to see your public IP address. Remember that your IP address can change depending on your location, or even the time of day.
- If you are remote controlling the computer you wish to allow, perform the task above, but from the controlled computer's own browser.
- If you want to grant access to a system you cannot control, such as a cloud-computing resource, see the settings or documentation for that system to find its public IP address or hostname. In many cases, using the hostname of a cloud-computing resource is more reliable than using an IP address, because IP addresses within cloud-based systems can be reassigned.
Allowing Access Through the CPQ Firewall
In the Epicor CPQ admin portal under Infrastructure > Database Firewall, a list of existing firewall rules appears.
Adding a Firewall Rule
Select the Add button and enter the following information:
Property | Description |
---|---|
Name | The name of your range. We suggest giving it a specific name that will help you review the list for unused or unnecessary entries later. |
Begin IP | The lower end of the IP range you want to define. |
End IP | The higher end of the IP range you want to define. You can set these two IP addresses the same, which will create a very narrow range of just one address. |
Deleting a Firewall Rule
Select the "Delete" link next to the range you no longer want.
Editing a Firewall Rule
Rules cannot be edited. Instead, delete the old range and then add a new replacement for it with the updated properties.
Allowing Access Through Your Firewall
The instructions above only describe connections through our firewall. Chances are, you may need to allow connections through your own firewall. Add the following to your allow list:
Setting | Description |
---|---|
Port | 1433 |
IP Address | Instead of an IP address, we suggest your IT department use the database hostname provided to you when you requested your CPQ database access. |
Why a hostname instead of an IP address?
Epicor CPQ is a cloud-based service based on Microsoft Azure. The IP addresses are dynamic, and subject to change without warning. While a ping from the command line shows the IP address at any one time, that IP address might change in the future. Only a hostname that resolves through DNS will always remain up-to-date. For more details, see Microsoft's instructions on accessing Azure resources by hostname or "portal URL".
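To help with reviewing the allowlist for unused or unnecessary entries, here is an added Python example (not Epicor's code) that models the Begin IP / End IP rules described above, reports which rules would admit a given client address on port 1433, and flags inverted or overly broad ranges. The rule names, the addresses (documentation blocks) and the 16-address threshold are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FirewallRule:
    name: str       # Name property of the rule
    begin_ip: str   # Begin IP property
    end_ip: str     # End IP property

    def as_range(self):
        begin = ipaddress.IPv4Address(self.begin_ip)
        end = ipaddress.IPv4Address(self.end_ip)
        if begin > end:  # Begin IP must not be above End IP
            raise ValueError(f"{self.name}: Begin IP {begin} is above End IP {end}")
        return begin, end

    def size(self) -> int:
        """Addresses admitted; Begin IP == End IP admits exactly one."""
        begin, end = self.as_range()
        return int(end) - int(begin) + 1

def matching_rules(rules, client_ip):
    """Names of rules that would admit client_ip on port 1433."""
    ip, names = ipaddress.IPv4Address(client_ip), []
    for rule in rules:
        try:
            begin, end = rule.as_range()
        except ValueError:
            continue  # a malformed rule admits nothing; audit() reports it
        if begin <= ip <= end:
            names.append(rule.name)
    return names

def audit(rules, max_addresses=16):
    """Map rule name -> problem text for inverted or overly broad ranges."""
    problems = {}
    for rule in rules:
        try:
            if rule.size() > max_addresses:
                problems[rule.name] = f"admits {rule.size()} addresses (limit {max_addresses})"
        except ValueError as exc:
            problems[rule.name] = str(exc)
    return problems

# Constructed sample entries on documentation address blocks, not a real deployment.
SAMPLE_RULES = [
    FirewallRule("admin-laptop-office", "203.0.113.10", "203.0.113.10"),
    FirewallRule("informatica-server", "198.51.100.20", "198.51.100.25"),
    FirewallRule("legacy-wide-open", "192.0.2.0", "192.0.2.255"),
    FirewallRule("typo-reversed", "198.51.100.9", "198.51.100.1"),
]
```

Run `audit(SAMPLE_RULES)` periodically against an export of your rules; anything it flags is a candidate for the delete-and-recreate procedure above.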
In the past, some people described firewall rules with terms like whitelist or blacklist. Today, we use the phrase allowlist and denylist. Synonyms and search terms: white list, black list, allow list, deny list.