06-23-2010 04:30 PM
Hello,
I'm about to run a WAAS implementation project, but I have got the prerequisites below, which should be taken on the firewalls, from one of my colleagues. Can you please let me know whether this is true?
1) disable checking the TCP Sequence Number Fields
2) to allow TCP option modifications.
Doing this may leave the Customer LAN environment vulnerable to DoS attacks. In addition, Cisco has encountered many challenges getting WAAS to work even when both of these items have been changed on the FWs.
06-24-2010 05:44 AM
Can I ask what brand of firewalls you are using?
Regards,
Zach
06-27-2010 08:56 PM
They are Checkpoint firewalls.
06-28-2010 06:09 AM
Thanks. I see the following options for deploying WAAS:
I'm personally not a fan of (1) or (2) above, since they reduce the level of benefit provided by the firewall(s) or hide optimized traffic from them all together. Option (3) may be an option, but it depends on your topology.
Do you have a topology diagram of your deployment that you can share?
Thanks,
Zach
06-28-2010 09:41 PM
Thanks Zach,
Our network is rather difficult to explain because it is not optimized and very complicated; it would be easier for us to put WAAS behind the firewall, but outside of the firewall it is a mess.
Unfortunately I cannot share the diagram due to our security policy.
For option #1, what kind of ports or protocols need to be open? I just wanted to get a feel for how big they are.
06-29-2010 04:56 AM
The ports/protocols you need to open are the same as with WAAS not being there. It's the security/normalization checks that you'll have to turn off. The problems I would anticipate are:
Regards,
Zach
02-24-2020 10:41 AM
Hi Zach,
I have the same issue.
We have a Dynamic IP IPsec tunnel built between Palo Alto (Cluster) and Cradlepoint (Remote Office).
Behind the Cradlepoint and Palo Alto we have WAAS devices.
When WAAS is enabled, Palo Alto is dropping packets.
We have created a Zone Protection profile for allowing non-SYN TCP traffic.
But still Palo Alto is dropping traffic.
What needs to be done on Palo Alto to allow WAAS TCP 0x21?
Any help would be appreciated.
Thanks
Dev
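The two firewall prerequisites from the first post (sequence-number checking and TCP option modification) and Dev's question about "WAAS TCP 0x21" both come down to what a normalizing firewall sees in the TCP header. The following is an added diagnostic example, not code from the thread, from Cisco, Check Point or Palo Alto: it parses the option list of each TCP segment, flags option kind 0x21 (the value taken from Dev's post; the option's real payload format is not described in the thread and the payload used here is made up), and replays the sequence numbers through a deliberately simplified model of a firewall's sequence check. The sample flow and the sequence-number rewrite in its last segment are constructed, and the `SeqTracker` class is an illustration of the kind of check being discussed, not any vendor's implementation.

```python
"""Added diagnostic: parse TCP headers from a constructed flow, list the TCP
options each segment carries (flagging kind 0x21, the value the thread calls
"WAAS TCP 0x21"), and replay the sequence numbers through a simplified model
of a firewall's sequence-number check."""
import struct

WAAS_OPTION_KIND = 0x21      # kind value taken from the thread; payload format is not described there
SYN, ACK = 0x02, 0x10        # TCP flag bits


def build_tcp(src_port, dst_port, seq, ack, flags, options=b""):
    """Build a 20-byte TCP header plus a 4-byte-padded option area (checksum left zero).
    Used only to construct sample segments for this example."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, flags, 65535, 0, 0) + options


def parse_options(tcp):
    """Return [(kind, payload), ...] for every option in the header, skipping NOP and stopping at EOL."""
    data_offset = (tcp[12] >> 4) * 4
    opts = tcp[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


class SeqTracker:
    """Simplified stand-in for a firewall's TCP sequence-number check, one direction only:
    a segment passes if its seq falls inside the window that starts at the next expected byte.
    Illustrates the check the thread says must be disabled; it is not any vendor's logic
    (wrap-around of the 32-bit space is ignored for brevity)."""

    def __init__(self, window=65535):
        self.expected = None
        self.window = window

    def check(self, seq, payload_len, flags):
        if self.expected is not None and not (self.expected <= seq < self.expected + self.window):
            return False                       # out of window: a strict firewall drops it
        self.expected = (seq + payload_len + (1 if flags & SYN else 0)) & 0xFFFFFFFF
        return True


def audit(flow):
    """flow: list of (tcp_header_bytes, payload_length). Returns one report dict per segment."""
    tracker, report = SeqTracker(), []
    for hdr, payload_len in flow:
        seq = struct.unpack("!I", hdr[4:8])[0]
        flags = hdr[13]
        opts = parse_options(hdr)
        report.append({
            "seq": seq,
            "option_kinds": [k for k, _ in opts],
            "waas_option": any(k == WAAS_OPTION_KIND for k, _ in opts),
            "seq_ok": tracker.check(seq, payload_len, flags),
        })
    return report


# Constructed sample flow (not a real capture): a SYN carrying MSS plus option 0x21,
# one in-order data segment, then a segment whose sequence number has been rewritten
# by a large offset, standing in for a middlebox that renumbers the stream.
MSS_OPTION = b"\x02\x04\x05\xb4"                       # kind 2, len 4, MSS 1460
WAAS_OPTION = bytes([WAAS_OPTION_KIND, 4, 0, 0])       # kind 0x21, len 4, made-up payload
SAMPLE_FLOW = [
    (build_tcp(40000, 445, 1000, 0, SYN, MSS_OPTION + WAAS_OPTION), 0),
    (build_tcp(40000, 445, 1001, 5000, ACK), 100),
    (build_tcp(40000, 445, 1101 + 0x100000, 5000, ACK), 100),
]

if __name__ == "__main__":
    for n, entry in enumerate(audit(SAMPLE_FLOW), 1):
        print(n, entry)
```

Run against the constructed flow, the first segment is the one the "allow TCP option modifications" prerequisite concerns (an option kind the firewall does not recognise in the SYN), and the third is the one a sequence-number check rejects. Fed real headers from a capture taken on either side of the firewall, the same report shows which of the two checks is responsible for a drop before any normalization setting is relaxed.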