Does anyone have any experiences or "gotchas" they'd like to share when they've implemented Riverbed Steelhead appliances behind PA firewalls?

Showing results for 
Search instead for 
Did you mean: 

Does anyone have any experiences or "gotchas" they'd like to share when they've implemented Riverbed Steelhead appliances behind PA firewalls?

L4 Transporter

I see that there's a 'riverbed-rios' app listed in Applipedia, which gives me some hope.

Specifically what I am concerned about is discussed here (with configuration examples for PIX/ASAs):

The Riverbed appliances we have take advantage of TCP option 76 for autodiscovering other Steelhead appliances that are in-path. Has anyone configured a Palo Alto to allow this traffic? I'm not finding anything in the CLI guide that implies this advanced, granular configuration of TCP is available, but I'm hoping I'm wrong and this traffic can be permitted (or is magically already permitted by using the 'riverbed-rios' AppID - that would be awesome).


L4 Transporter

Just to clarify on this one here's Palo Alto support's reply to this question:

Hello Eric

I did some research on this one for you.

PA firewalls does not alter the TCP options, whenever we send traffic through the Firewall, TCP options are no altered.

Please let me know if you have any questions.

Thank you again for choosing Palo Alto Networks.


Harsha Natarajan | Network Security Engineer

Hey Eric,

Just wondering how you went with this?

I need to implement something similar. My incredibly limited understanding of the situation is that in the scenario above for cisco the traffic passes like:


BUT in Palo world, the traffic needs to go to the PA Firewall, THEN to the Riverbed, THEN back to the PA Firewall, THEN off to its final destination.

We actually haven't implemented firewalls on both sides of Riverbed appliances yet, so unfortunately I don't have any experiences to share. We have plans in the works to implement PA, but the actual implementation is about a month out. The most I had received from support was as it is above, basically "PA won't muck with option 76 traffic." So in theory the Riverbeds should see each other and work as normal (at least in theory).


No problems mate - thanks for the prompt reply 🙂

I'll probably be implementing in the next month or so as well.

I will be sure to share my experiences here when its done!

L2 Linker

We have a remote branch office VPNed back to our Datacenter via an IPSEC tunnel between two Palos ; in the DC I setup a separate interface for the branch office traffic on the Palo, the routed the traffic out of the DC steelhead to that interface, down the IPSEC tunnel & out the other end where the second steelhead picks it up.

Works fine - Palo identifies the traffic as application riverbed-rios so there may be a gotcha in there if you want to filter by application type (since you cant tell what the original app was once its been processed by the steelhead).

Some excellent feedback there SimmSimm - thank you so much for that!!



If you want to be more granular, you can plug your riverbed on palo and use PBF for routing traffic to remote site equiped with remote Riverbed Mean:

server - palo - riverbed - palo - Ipsec tunnel - Remote site

server - palo - IpSec tunnel - Remote site.

and if install a ne remote Riverbed, just add subnet ini pbf rule.

Meke sense ?


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!