Palo-Alto and Cisco WAAS



Hello,

We are migrating to a Palo-Alto 4020 cluster from our PIX firewall cluster. I have a question regarding Cisco WAAS and WCCP v2 traffic. The front end router redirects to a Cisco WAE via WCCP services 61 and 62. Both WCCP and the WAE mark the original packet using the TCP options field and also change the packet sequence numbers.

My question is how will the PA treat this traffic? If it drops it, how can I configure the PA to allow it through?

Best regards

Stephen

Accepted Solutions

L6 Presenter

According to Applipedia (http://apps.paloaltonetworks.com/applipedia/) wccp exists as its own application:

"
Description
Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real-time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms. Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the protocol.

Category: networking
Subcategory: ip-protocol
Risk: 3
Standard Ports: udp/2048
Technology: network-protocol

Evasive: no
Excessive Bandwidth: no
Prone to Misuse: no
Capable of File Transfer: yes
Tunnels Other Applications: yes
Used by Malware: no
Has Known Vulnerabilities: yes
Widely Used: no
"

In case this isn't enough in your case, you can set up security rules that ignore the appid by setting appid:any and then just act on the service configuration (the PA name for tcp/udp ports) along with src/dst IP and so on.

Using appid:any can also be used in order to find out how the PA will detect the flows. One problem might be that it at first is detected as wccp but later detected as the actual payload (let's assume it's web-browsing or whatever), which means that you might end up enabling both appids for it to fully utilize application firewalling.

In case your traffic isn't correctly detected, you can contact your Sales Engineer or request an app enhancement from the Apps and Threats Research Center:

http://www.paloaltonetworks.com/researchcenter/tools/

From there you can click on Submit an app and provide details there.
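As an added illustration (not from the original post, and not taken from Palo Alto Networks' documentation), the two approaches described above written as PAN-OS configure-mode CLI: a service-based rule with application any for the WCCP control channel Applipedia lists on udp/2048, and an App-ID rule that allows both wccp and web-browsing because a session may be identified as one and then the other. Zone names, address objects, addresses and rule names are assumptions, and the command syntax is from memory and should be checked against the PAN-OS release in use.

```text
# Assumed address objects for the WCCP router and the WAE (placeholder addresses)
set address wccp-router ip-netmask 192.0.2.1/32
set address wae-1 ip-netmask 192.0.2.10/32

# Service object for the WCCP control channel listed by Applipedia (udp/2048)
set service wccp-udp-2048 protocol udp port 2048

# Approach 1 (appid:any): match only on service plus source/destination,
# so App-ID changes on the session do not affect the verdict
set rulebase security rules allow-wccp-control from lan to dmz source [ wccp-router wae-1 ] destination [ wccp-router wae-1 ] application any service wccp-udp-2048 action allow

# Approach 2 (App-ID): allow both applications the flow may be identified as
# (first wccp, later the actual payload such as web-browsing); narrow the
# source/destination to the real endpoints once the traffic log shows them
set rulebase security rules allow-wccp-appid from lan to dmz source [ wccp-router wae-1 ] destination [ wccp-router wae-1 ] application [ wccp web-browsing ] service application-default action allow
```

Running traffic through approach 1 first and reading the application column of the traffic log is the practical way to see which App-IDs approach 2 must list.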


Hello Mikand,

Perfect answer. Thank you very much.

Best regards

Stephen
