WAAS and Checkpoint compatibility.

Unanswered Question
Jan 27th, 2010


Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?

I've run into a paper that suggests using "Wire Mode" on Checkpoint.

Are there alternatives? Did someone out there have to do anything like this?

Thanks a lot.


Zach Seils Fri, 02/26/2010 - 10:24

You can use Directed Mode in WAAS to tunnel the optimized traffic in UDP.  Note that this still requires the 3-way handshake for the connection to succeed, including passing the auto-discovery option (0x21) used by WAAS.
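
A check for the situation discussed in this thread, added here as an example and not posted by any participant: it parses the TCP options of a SYN captured on each side of the firewall and reports option kinds that were removed or overwritten with NOPs, such as the auto-discovery option 0x21. The sample headers, ports, sequence number and the 0x21 payload bytes are constructed for illustration.

```python
import struct

WAAS_AD_KIND = 0x21  # auto-discovery option kind named in the post above


def tcp_options(header: bytes):
    """Return [(kind, data)] parsed from a raw TCP header (no IP header)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts, i, raw = [], 0, header[20:data_offset]
    while i < len(raw):
        kind = raw[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # NOP, single byte; firewalls often pad with it
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def stripped_kinds(before: bytes, after: bytes):
    """Option kinds seen before the firewall but missing after it (NOPs ignored)."""
    seen_after = {k for k, _ in tcp_options(after)}
    return sorted({k for k, _ in tcp_options(before)} - seen_after - {1})


def build_syn(options: bytes) -> bytes:
    """Constructed sample SYN header; all field values are arbitrary."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options


MSS = b"\x02\x04\x05\xb4"
# Constructed: SYN as sent by the WAE, carrying option 0x21 with a dummy payload.
INSIDE = build_syn(MSS + bytes([WAAS_AD_KIND, 12]) + b"\xaa" * 10)
# Constructed: same SYN after a firewall overwrote the unknown option with NOPs.
OUTSIDE = build_syn(MSS + b"\x01" * 12)

if __name__ == "__main__":
    print("stripped option kinds:", [hex(k) for k in stripped_kinds(INSIDE, OUTSIDE)])
```

Feed it the TCP header bytes of the same SYN taken from captures on the inside and outside interfaces; an empty result means the options passed through unchanged.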



Patrick Moubarak Mon, 03/01/2010 - 13:25

WAAS modifies the sequence numbers in the packets in order to accelerate them; Check Point firewall built-in IPS (also called SmartDefense in R65 and before) has a sequence number verification function; this function must be disabled (monitor only often still drops the connection; unfortunately even with IPS R70...)

WAAS central manager auto-discovery uses TCP options which are cleared by firewalls; I would recommend not to use auto-discovery of the WAAS central manager (CM) but to enter the CM's IP address manually in each WAE accelerator device (CLI: central-manager address or whatever IP)

I hope this helps

Zach Seils Mon, 03/01/2010 - 13:29

Just to clarify:

The WAAS auto-discovery (AD) process occurs between WAAS devices functioning in "application accelerator" mode, not to/from the Central Manager.  The Central Manager isn't involved in the actual optimization of traffic.



wrobbin Wed, 07/21/2010 - 06:06

What TCP options does the WAAS auto-discovery (AD) process use?

