
New Member

Implementing WAAS with Firewall

Hello,

I'm about to run a WAAS implementation project, but I have been given the prerequisites below, which one of my colleagues says should be applied on the firewalls. Can you please let me know whether this is true?

1) disable checking the TCP Sequence Number Fields

2) to allow TCP option modifications.

Doing this may leave the Customer LAN environment vulnerable to DoS attacks.  In addition, Cisco has encountered many challenges getting WAAS to work even when both of these items have been changed on the FWs.

1 ACCEPTED SOLUTION
Cisco Employee

Re: Implementing WAAS with Firewall

The ports/protocols you need to open are the same as WAAS not being there. It's the security/normalization checks that you'll have to turn off. The problems I would anticipate are:

  • Unknown TCP Options - We use TCP option 33 (0x21) for auto-discovery between WAAS devices.  The firewall should be configured to allow this option to change unmodified.
  • TCP Sequence Numbers - TCP sequence number checking for optimized connections will need to be disabled.
  • Deep Packet Inspection - DPI for packets where we have performed compression will likely fail.

Regards,

Zach

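A way to verify the first point above, added here as an example and not part of the original thread or of any Cisco tool: parse the TCP options of the same SYN captured on the LAN side and on the WAN side of the firewall and report whether option 33 (0x21) arrived intact, was modified, or was stripped. The raw headers below are constructed; the option 33 payload bytes are made up, since the thread does not describe its format.

```python
import struct

WAAS_AUTODISCOVERY_OPTION = 33  # TCP option kind 0x21 used by WAAS auto-discovery (from the thread)


def parse_tcp_options(tcp_header: bytes) -> list:
    """Return [(kind, payload)] for each option in a raw TCP header; raise on malformed input."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes, from the high nibble
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, out, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # EOL: nothing after this is an option
            break
        if kind == 1:                                 # NOP: single-byte padding option
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def find_option(tcp_header: bytes, kind: int):
    """Payload of the first option of the given kind, or None if it is absent."""
    return next((p for k, p in parse_tcp_options(tcp_header) if k == kind), None)


def waas_option_status(lan_side: bytes, wan_side: bytes) -> str:
    """Compare one SYN seen on both sides of the firewall: 'absent', 'intact', 'modified' or 'stripped'."""
    before = find_option(lan_side, WAAS_AUTODISCOVERY_OPTION)
    after = find_option(wan_side, WAAS_AUTODISCOVERY_OPTION)
    if before is None:
        return "absent"
    if after is None:
        return "stripped"
    return "intact" if before == after else "modified"


def build_syn_header(options: bytes) -> bytes:
    """Constructed SYN header (sport 40000, dport 80) carrying the given option bytes, padded to 4 bytes."""
    padded = options + b"\x00" * (-len(options) % 4)
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(padded)) // 4) << 4, 0x02, 65535, 0, 0)
    return fixed + padded


# Constructed samples: MSS 1460, NOP, then option 33 with an 8-byte total length (payload made up).
LAN_SIDE = build_syn_header(b"\x02\x04\x05\xb4\x01" + b"\x21\x08\xaa\xbb\xcc\xdd\xee\xff")
WAN_SIDE = build_syn_header(b"\x02\x04\x05\xb4\x01")   # same SYN with option 33 removed
```

If the result is "stripped" or "modified", the firewall's option normalization is rewriting the SYN and WAAS auto-discovery between the peers cannot complete.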
5 REPLIES
Cisco Employee

Re: Implementing WAAS with Firewall

Can I ask what brand of firewalls you are using?

Regards,

Zach

New Member

Re: Implementing WAAS with Firewall

They are Checkpoint firewalls.

Cisco Employee

Re: Implementing WAAS with Firewall

Thanks.  I see the following options for deploying WAAS:

  1. Disable a bunch of security checks on the firewall(s) to allow WAAS traffic to flow through
  2. Use Directed Mode in WAAS to tunnel optimized traffic through the firewall
  3. Place the WAAS devices "outside" the firewalls so that the firewall(s) only see the LAN side (i.e. unoptimized) traffic

I'm personally not a fan of (1) or (2) above, since they reduce the level of benefit provided by the firewall(s) or hide optimized traffic from them altogether. Option (3) may be an option, but it depends on your topology.

Do you have a topology diagram of your deployment that you can share?

Thanks,

Zach

New Member

Re: Implementing WAAS with Firewall

Thanks Zach,

Our network is rather difficult to explain because it is not optimized and very complicated. It would be easier for us to put WAAS behind the firewall, but outside of the firewall it is a mess.

Unfortunately I cannot share the diagram due to our security policy.

For option #1, what kind of ports or protocols need to be open? I just wanted to get a feel for how big they are.

