04-02-2012 12:57 AM
Hello,
We are migrating to a Palo Alto 4020 cluster from our PIX firewall cluster. I have a question regarding Cisco WAAS and WCCP v2 traffic. The front-end router redirects to a Cisco WAE via WCCP services 61 and 62. Both WCCP and the WAE mark the original packet using the TCP options field and also change the packet sequence numbers.
My question is how will the PA treat this traffic? If it drops it, how can I configure the PA to allow it through?
Best regards
Stephen
04-02-2012 03:07 AM
According to Applipedia (http://apps.paloaltonetworks.com/applipedia/) wccp exists as its own application:
"Description: Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real-time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms. Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the protocol.
Category: networking
Subcategory: ip-protocol
Risk: 3
Standard Ports: udp/2048
Technology: network-protocol
Evasive: no
Excessive Bandwidth: no
Prone to Misuse: no
Capable of File Transfer: yes
Tunnels Other Applications: yes
Used by Malware: no
Has Known Vulnerabilities: yes
Widely Used: no"
In case this isn't enough in your case, you can set up security rules that ignore the appid by setting appid:any and then just act on the service configuration (the PA name for tcp/udp ports) along with src/dst IP and so on.
Using appid:any can also be used in order to find out how the PA will detect the flows. One problem might be that it is at first detected as wccp but later detected as the actual payload (let's assume it's web-browsing or whatever), which means that you might end up enabling both appids for it to fully utilize application firewalling.
In case your traffic isn't correctly detected, you can contact your Sales Engineer or request an app enhancement from the Apps and Threats Research Center:
http://www.paloaltonetworks.com/researchcenter/tools/
From there you can click on Submit an app and provide details there.
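The discovery approach described in the reply, as an added example that is not part of the original thread: an appid:any rule is left in place for a while, the traffic log is exported, and the app-ids PAN-OS actually assigned to sessions matching that rule are tallied so the rule can later be tightened to explicit applications. The log lines and the rule name `wccp-discovery` are constructed for this example, and the CSV uses a simplified subset of the traffic-log columns rather than the exact export format.

```python
"""Tally the App-IDs PAN-OS assigned to sessions matched by a discovery
rule (application = any), to decide which apps to allow explicitly.
Example code, not from the thread; sample log and rule name are constructed."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample with a simplified column subset of a traffic-log export.
SAMPLE_LOG = """\
receive_time,src,dst,dport,proto,app,rule,action
2012/04/02 08:01:13,10.1.1.5,10.2.2.9,2048,udp,wccp,wccp-discovery,allow
2012/04/02 08:01:14,10.1.1.5,10.2.2.9,2048,udp,wccp,wccp-discovery,allow
2012/04/02 08:01:20,10.1.1.20,172.16.5.7,80,tcp,web-browsing,wccp-discovery,allow
2012/04/02 08:01:21,10.1.1.21,172.16.5.7,80,tcp,web-browsing,wccp-discovery,allow
2012/04/02 08:01:30,10.1.1.22,172.16.5.8,443,tcp,ssl,wccp-discovery,allow
2012/04/02 08:01:31,10.1.1.23,172.16.5.8,445,tcp,incomplete,wccp-discovery,allow
2012/04/02 08:02:00,10.1.1.30,10.2.2.9,22,tcp,ssh,allow-mgmt,allow
"""


def apps_per_rule(csv_text, rule):
    """Return a Counter of (app, proto/port) for sessions that hit `rule`."""
    seen = Counter()
    for row in csv.DictReader(StringIO(csv_text)):
        if row["rule"] != rule:
            continue
        seen[(row["app"], f'{row["proto"]}/{row["dport"]}')] += 1
    return seen


def suggest_app_list(counts):
    """Split observed App-IDs into ones to allow explicitly and ones that
    need a closer look: 'incomplete' means the TCP handshake never finished,
    and 'unknown-*' means App-ID saw payload it could not classify."""
    allow, review = set(), set()
    for app, _svc in counts:
        if app == "incomplete" or app.startswith("unknown-"):
            review.add(app)
        else:
            allow.add(app)
    return sorted(allow), sorted(review)


if __name__ == "__main__":
    counts = apps_per_rule(SAMPLE_LOG, "wccp-discovery")
    for (app, svc), n in counts.most_common():
        print(f"{app:15} {svc:10} {n}")
    allow, review = suggest_app_list(counts)
    print("apps to allow explicitly:", allow)
    print("apps needing review:", review)
```

Both wccp and web-browsing show up under the same discovery rule, which is exactly the case the reply warns about: the final rule needs both app-ids, not just wccp.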
04-02-2012 04:11 AM
Hello Mikand,
Perfect answer. Thank you very much.
Best regards
Stephen