01-27-2010 11:26 AM
Hello
Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?
I've run into a paper that suggests using "Wire Mode" on Checkpoint.
Are there alternatives? Did someone out there have to do anything like this?
Thanks a lot.
GG
02-26-2010 10:24 AM
You can use Directed Mode in WAAS to tunnel the optimized traffic in UDP. Note that this still requires the 3-way handshake for the connection to succeed, including passing the auto-discovery option (0x21) used by WAAS.
Regards,
Zach
03-01-2010 01:25 PM
WAAS modifies the sequence numbers in the packets in order to accelerate them; Check Point firewall built-in IPS (also called SmartDefense in R65 and before) has a sequence number verification function; this function must be disabled (monitor only often still drops the connection; unfortunately even with IPS R70...)
WAAS central manager auto-discovery uses TCP options which are cleared by firewalls; I would recommend not to use auto-discovery of the WAAS central manager (CM) but to enter the CM's IP address manually in each WAE accelerator device (CLI: central-manager address 10.10.10.10 or whatever IP)
I hope this helps
03-01-2010 01:29 PM
Just to clarify:
The WAAS auto-discovery (AD) process occurs between WAAS devices functioning in "application accelerator" mode, not to/from the Central Manager. The Central Manager isn't involved in the actual optimization of traffic.
Regards,
Zach
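Added example, not part of any post in this thread: a Python check that compares the TCP options of the same SYN captured on each side of the firewall, to see whether the auto-discovery option 0x21 named in the replies above survives or is cleared. The header bytes and the option's payload are constructed for the demonstration, and the function names are hypothetical.

```python
import struct

WAAS_AD_OPTION = 0x21  # auto-discovery option kind named in the thread

def tcp_options(tcp_header: bytes):
    """Return [(kind, data)] parsed from the options area of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i, area = [], 0, tcp_header[20:data_offset]
    while i < len(area):
        kind = area[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("option missing length byte")
        length = area[i + 1]
        if length < 2 or i + length > len(area):
            raise ValueError("bad option length")
        opts.append((kind, area[i + 2:i + length]))
        i += length
    return opts

def has_ad_option(tcp_header: bytes) -> bool:
    return any(kind == WAAS_AD_OPTION for kind, _ in tcp_options(tcp_header))

def ad_option_stripped(before: bytes, after: bytes) -> bool:
    """True when the SYN carried option 0x21 before the firewall but not after."""
    return has_ad_option(before) and not has_ad_option(after)

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header for the demo; ports, seq and window are arbitrary."""
    options += b"\x01" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                       offset << 4, 0x02, 8192, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"                        # MSS 1460
AD = bytes([WAAS_AD_OPTION, 4, 0, 0])            # constructed payload, not real WAAS data
SYN_BEFORE = build_syn(MSS + AD)                 # as sent toward the firewall
SYN_AFTER = build_syn(MSS)                       # same SYN with the option cleared

if __name__ == "__main__":
    print("option 0x21 stripped:", ad_option_stripped(SYN_BEFORE, SYN_AFTER))
```
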
07-21-2010 06:06 AM
What TCP options does the WAAS auto-discovery (AD) process use?
03-15-2010 10:05 AM
Thanks for your replies. The following rules were modified and WAAS worked just fine.
Sequence Verifier
http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-17.html
Packet Sanity
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1071
Thanks again
Guido