Cisco Support Community
New Member

WAAS and Checkpoint compatibility.

Hello

Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?

I've run into a paper that suggests using "Wire Mode" on Checkpoint.

Are there alternatives? Did someone out there have to do anything like this?

Thanks a lot.

GG

5 REPLIES
Cisco Employee

Re: WAAS and Checkpoint compatibility.

You can use Directed Mode in WAAS to tunnel the optimized traffic in UDP.  Note that this still requires the 3-way handshake for the connection to succeed, including passing the auto-discovery option (0x21) used by WAAS.

Regards,

Zach

Re: WAAS and Checkpoint compatibility.

WAAS modifies the sequence numbers in the packets in order to accelerate them; Check Point firewall built-in IPS (also called SmartDefense in R65 and before) has a sequence number verification function; this function must be disabled (monitor only often still drops the connection; unfortunately even with IPS R70...)

WAAS central manager auto-discovery uses TCP options which are cleared by firewalls; I would recommend not to use auto-discovery of the WAAS central manager (CM) but to enter the CM's IP address manually in each WAE accelerator device (CLI: central-manager address 10.10.10.10 or whatever IP)

I hope this helps

Cisco Employee

Re: WAAS and Checkpoint compatibility.

Just to clarify:

The WAAS auto-discovery (AD) process occurs between WAAS devices functioning in "application accelerator" mode, not to/from the Central Manager.  The Central Manager isn't involved in the actual optimization of traffic.

Regards,

Zach

New Member

Re: WAAS and Checkpoint compatibility.

What TCP options does the WAAS auto-discovery (AD) process use?

New Member

Re: WAAS and Checkpoint compatibility.

Thanks for your replies. The following rules were modified and WAAS worked just fine.

Sequence Verifier

http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-17.html

Packet Sanity

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1071

Thanks again

Guido
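
As an added example (not code from the thread or from Cisco), a minimal Python check for whether the auto-discovery option (0x21) mentioned in the replies survives a firewall hop, by comparing the TCP options of a SYN captured on each side. The packets, ports and the option's payload bytes are constructed placeholders, and `build_syn` and `stripped_kinds` are hypothetical helper names.

```python
import struct

WAAS_AD_OPTION = 0x21  # auto-discovery option kind named in the thread

def tcp_options(segment: bytes) -> list[tuple[int, bytes]]:
    """Return (kind, data) pairs from the options area of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4      # data offset, in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    opts, i, area = [], 0, segment[20:header_len]
    while i < len(area):
        kind = area[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(area) or area[i + 1] < 2 or i + area[i + 1] > len(area):
            raise ValueError("malformed option length")
        length = area[i + 1]
        opts.append((kind, area[i + 2:i + length]))
        i += length
    return opts

def stripped_kinds(before: bytes, after: bytes) -> set[int]:
    """Option kinds present before the firewall but missing after it."""
    return {k for k, _ in tcp_options(before)} - {k for k, _ in tcp_options(after)}

def build_syn(options: bytes) -> bytes:
    """Constructed test SYN: ports, seq and window are arbitrary sample values."""
    options += b"\x01" * (-len(options) % 4)  # pad with NOPs to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
# Placeholder payload: the real contents of option 0x21 are not given in the thread.
AD = bytes([WAAS_AD_OPTION, 6]) + b"\x00" * 4

lan_side = build_syn(MSS + AD)   # SYN as sent by the WAE (constructed)
wan_side = build_syn(MSS)        # same SYN after a firewall removed the option

if __name__ == "__main__":
    missing = stripped_kinds(lan_side, wan_side)
    print("auto-discovery option stripped:", WAAS_AD_OPTION in missing)
```

With real traffic, the two inputs would be the TCP header bytes of the same SYN taken from captures on the inside and outside interfaces of the firewall.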
