Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3188
Views
0
Helpful
5
Replies

WAAS and Checkpoint compatibility.

ggalteroo
Level 1
Level 1

‎01-27-2010 11:26 AM

Hello

Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?

I´ve run into a paper that suggests using "Wire Mode" on Checkpoint.

Are there alternatives? Did someone out there have to do anything like this?

Thanks a lot.

GG

0 Helpful
5 Replies 5

Zach Seils
Level 7
Level 7

‎02-26-2010 10:24 AM

You can use Directed Mode in WAAS to tunnel the optimized traffic in UDP.  Note that this still requires the 3-way handshake for the connection to succeed, including passing the auto-discovery option (0x21) used by WAAS.

Regards,

Zach

0 Helpful

Patrick Moubarak
Level 4
Level 4

‎03-01-2010 01:25 PM

WAAS modifies the sequence numbers in the packets in order to accelerate them; Check Point firewall built-in IPS (also called SmartDefense in R65 and before) has a sequence number verification function; this function must be disabled (monitor only often still drops the connection; unfortunately even with IPS R70...)

WAAS central manager auto-discovery uses TCP options which are cleared by firewalls; I would recommend not to use auto-dicovery of the WAAS central manager (CM) but to enter the CM's IP address manually in each WAE accelerator device (CLI: central-manager address 10.10.10.10 or whatever IP)

I hope this helps

0 Helpful

Zach Seils
Level 7
Level 7
In response to Patrick Moubarak

‎03-01-2010 01:29 PM

Just to clarify:

The WAAS auto-discovery (AD) process occurs between WAAS devices functioning in "application accelerator" mode, not to/from the Central Manager.  The Central Manager isn't involved in the actual optimization of traffic.

Regards,

Zach

0 Helpful

wrobbin
Level 1
Level 1
In response to Zach Seils

‎07-21-2010 06:06 AM

What TCP options does  WAAS auto-discovery (AD) process use ?

0 Helpful

ggalteroo
Level 1
Level 1

‎03-15-2010 10:05 AM

Thanks for your replies. The following rules were modified and waas worked just fine.

Sequence Verifier

http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-17.html

Packet Sanity

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1071

Thanks again

Guido

0 Helpful
Customers Also Viewed These Support Documents