Implementing WAAS with Firewall

a4ter
Level 1

Hello,

I'm about to run a WAAS implementation project, but one of my colleagues has given me the prerequisites below that should be applied on the firewalls. Can you please let me know whether this is true?

1) Disable checking of the TCP sequence number fields.

2) Allow TCP option modifications.

Doing this may leave the Customer LAN environment vulnerable to DoS attacks.  In addition, Cisco has encountered many challenges getting WAAS to work even when both of these items have been changed on the FWs.



Zach Seils
Level 7

Can I ask what brand of firewalls you are using?

Regards,

Zach

They are Checkpoint firewalls.

Thanks.  I see the following options for deploying WAAS:

  1. Disable a bunch of security checks on the firewall(s) to allow WAAS traffic to flow through
  2. Use Directed Mode in WAAS to tunnel optimized traffic through the firewall
  3. Place the WAAS devices "outside" the firewalls so that the firewall(s) only see the LAN side (i.e. unoptimized) traffic

I'm personally not a fan of (1) or (2) above, since they reduce the level of benefit provided by the firewall(s) or hide optimized traffic from them altogether. Option (3) may be an option, but it depends on your topology.

Do you have a topology diagram of your deployment that you can share?

Thanks,

Zach

Thanks Zach,

Our network is rather difficult to explain because it is not optimized and very complicated. It would be easier for us to put WAAS behind the firewall; outside of the firewall it is a mess.

Unfortunately I cannot share the diagram due to our security policy.

For option #1, what kind of ports or protocols need to be open? I just wanted to get a feel for how big they are.

The ports/protocols you need to open are the same as with WAAS not being there. It's the security/normalization checks that you'll have to turn off. The problems I would anticipate are:

  • Unknown TCP Options - We use TCP option 33 (0x21) for auto-discovery between WAAS devices.  The firewall should be configured to allow this option to change unmodified.
  • TCP Sequence Numbers - TCP sequence number checking for optimized connections will need to be disabled.
  • Deep Packet Inspection - DPI for packets where we have performed compression will likely fail.

Regards,

Zach
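A practical way to confirm whether the firewall is clearing the auto-discovery option Zach mentions is to capture the same SYN on both sides of the firewall and compare the TCP option list. The Python below is an added example, not code from the thread or from Cisco; the two segments and the payload of option 33 are constructed for illustration and do not claim to reproduce the real WAAS option format.

```python
import struct

WAAS_AUTODISCOVERY_OPTION = 33  # TCP option 0x21, per the thread

def parse_tcp_options(segment: bytes) -> dict:
    """Parse a raw TCP header (no IP header) into seq/ack/SYN flag and a list of (kind, data) options."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    _src, _dst, seq, ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (offset_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option header")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts.append((kind, segment[i + 2:i + length]))
        i += length
    return {"seq": seq, "ack": ack, "syn": bool(offset_flags & 0x02), "options": opts}

def has_waas_option(segment: bytes) -> bool:
    return any(kind == WAAS_AUTODISCOVERY_OPTION for kind, _ in parse_tcp_options(segment)["options"])

def option_stripped(inside: bytes, outside: bytes) -> bool:
    """True when the LAN-side SYN carried option 33 but the WAN-side copy no longer does."""
    return has_waas_option(inside) and not has_waas_option(outside)

def build_syn(options: bytes, seq: int = 1000) -> bytes:
    """Constructed SYN header (ports 40000 -> 80) with the given options, padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (data_offset << 12) | 0x02, 65535, 0, 0) + options

# Constructed samples: MSS, NOP + window scale, then option 33 with a made-up 4-byte payload.
INSIDE_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x03\x03\x07" + b"\x21\x06\xab\xcd\xef\x01")
# Same segment after a normalizer cleared the unknown option by overwriting it with NOPs (constructed).
OUTSIDE_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x03\x03\x07" + b"\x01" * 6)

if __name__ == "__main__":
    print("option 33 stripped by firewall:", option_stripped(INSIDE_SYN, OUTSIDE_SYN))
```

Feed the function the TCP header bytes of a SYN taken from captures on each side of the firewall; if the WAN-side copy reports the option gone, the normalizer is modifying the option rather than passing it through.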

Hi Zach,

I have the same issue.

We have a dynamic-IP IPsec tunnel built between Palo Alto (cluster) and Cradlepoint (remote office).

Behind the Cradlepoint and the Palo Alto we have WAAS devices.

When WAAS is enabled, the Palo Alto is dropping packets.

We have created a Zone Protection profile to allow non-SYN TCP traffic.

But the Palo Alto is still dropping traffic.

What needs to be done on the Palo Alto to allow WAAS TCP option 0x21?

Any help would be appreciated.

Thanks

Dev