Protecting SAP Systems on Windows Using Firewalls
Use
SAP recommends to use firewalls and Access Control Lists (ACLs) on network routers to protect SAP systems and databases from being attacked.
Windows has a build-in firewall which should be enabled by default in productively used landscapes. The only reason to disable the firewall temporarily are SAP installations or SAP upgrades, this is documented in the related installation and upgrade guides.
SAP does not recommend to install firewalls between SAP application server instances (ABAP or JAVA) and the database, as it would not increase security. Instead it makes it harder to analyze connection issues between application servers and the database.
The following figure shows an example of SAP instances with the recommended distribution of firewalls.
