Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - blazarov

Pages: [1]
1
Deployment / Re: Suggested deployment between two firewalled sites
« on: July 30, 2018, 03:31:33 PM »
Hi Again,
since disabling RPF check and enabling Asymmetric flows was not acceptable solution we have delayed the implementation.
Meanwhile another migration took place and the now the infrastructure on both ends, i believe, allows for better integration with WanOS.

Please look at the attachment.

Currently the connection works as in the diagram, except for the WANOS appliances. On both sides there is a separate VPN router and there is a /24 transport network between the firewall and that VPN router. Currently there is a static routing between the VPN router and the firewall in that transport network.
i was thinking of deploying the WANOS in the transport network and force the traffic to traverse the appliance using static routes and probably tracking for bypass in case of failure.
Will this work? WIll all optimization features work that way?
Will the two WANOS correctly discover themselves?
Thanks in advance! Will appreciate your responses and suggestions!

2
Deployment / Re: Suggested deployment between two firewalled sites
« on: May 09, 2018, 12:10:04 PM »
Yep, RPF was exactly what i was worried for. I know how to do it (Palo Alto on left side, Fortigate on right side), butf or now i really dont want to disable RPF.

Also usually stateful firewalls (esp. NGFW) track ingress and egress interfaces for each session and set them during initial session establishment. This deployment approach, i believe, will mess up that logic too.

One extra question on licensing:
Customer bought "Plus 10/100" license. What will this license give us in terms of maximum bandwidth and how does it measure it - before or after optimization?

3
Deployment / Re: Suggested deployment between two firewalled sites
« on: May 09, 2018, 10:59:05 AM »
Thanks for the suggestion, i imagined similar approach as well. That would probably work, however i should verify if that will not break the stateful firewall session mapping in terms of ingress/egress interface for each session.
I just hoped i can get around with something with less overall impact, so i can first test it and introduce it in a phased approach.
IPSec directly on the WANOS suits better the overall architecture design, but since its purely software on VM i have no idea will it perform good enough in terms of throughput.
Max speed per TCP session varies a lot depending mostly on end-host OSes. Usually, worst case is newer (2016) Windows server versions where i believe their intelligent TCP stack features are intervening. With careful TCP tuning on the end-hosts, even on windows 2016 server I am able to achieve the desired speed even in a single session, but there are too many hosts on both sides, not all of them under my control, so OS tuning is not a solution.
All the Linuxes usually perform excellent too.

4
Deployment / Re: Suggested deployment between two firewalled sites
« on: May 09, 2018, 06:46:20 AM »
Hi,
My calculations result in bandwidth-delay product for this particular link is > 750KB, so it definitely qualifies as LFN as per RFC1072 :)
Aside from theory, real life shows the typical undesirable LFN effects, such as poor TCP performance, also very dependent on the endpoint OS'es, hence the use case for WANOS.

Regarding PBR - what bothers me is the right-hand network. As you can see all subnets are directly connected to the firewall which acts as their default GW for the segment. The same firewall terminates the IPSec to the remote site, no hops in between. In this case I dont see any good PBR implementation, am I missing something?

5
Deployment / Suggested deployment between two firewalled sites
« on: May 08, 2018, 02:07:18 PM »
Hello,
I am a network engineer and a customer of mine likes WANOS and is looking for a deployment.
The environment is much more complex than all the examples in the documentation, so i am still wondering what would be a good approach and will it even work at all.

the objective is to implement WAN optimization between two sites connected by a long fat pipe (300+ Mbps; 20+ ms latency).
Currently the sites run IPSec VPN.

Now my question is on the actual WANOS appliances deployment. The customer requires virtual appliances.

Attaching a sample topology diagram.

Initially i though i would deploy the two appliances in Tunnel mode and put their WAN directly in Internet and totally replace the IPSec on the firewalls.
From my quick research it seems WANOS can not encrypt the traffic, so this is not acceptable - we should still retain the current IPSec and just use the optimization of the WANOS.

Since it will be a virtual appliance bridge deployment makes little sense to me, because there are too many VLANs on both sides and VLAN configuration will be very tricky and fragile.
so we're left with router/tunnel mode. obviously we need to route both directions of the traffic through the appliance - how would you suggest to do that?
changing servers default gw is not acceptable (critical environment) so are we looking at some sort of PBR?

Pages: [1]