If the device that is running WAAS software does not need to provide
Edge Services, then disabling Edge Services is a viable workaround. When the
Edge Services are turned off, CIFS clients may not benefit from the response
time reduction that is associated with the operation of the CIFS cache,
preposition and other CIFS latency optimizations. However, other Layer 4
optimizations will continue to apply according to the application policy.

To disable Edge Services, which include the CIFS accelerator
and CIFS auto discovery features, follow the steps below.
1. Log in to WAAS Central Manager.
2. Select the "Devices" tab.
3. Select the "Devices" category (or "Device Groups" if using multiple
   devices in groups).
4. Choose target device or group.
5. Choose "File Services" located in the left column under "Contents."
6. Choose "Edge configuration" located under "File Services."
7. Uncheck "Enable Edge Server."

Transit ACLs (tACL)
Filters that block packets to TCP ports 139 and 445 should be
deployed at the network edge as part of a transit access list, which will
protect the router where the filter is configured as well as other devices
behind it. Filters should also be deployed in front of vulnerable network
devices so that packets to TCP ports 139 and 445 are only allowed from trusted
CIFS clients to trusted CIFS servers.

Further information about transit ACLs is available in the white paper
"Transit Access Control Lists: Filtering at Your Edge" at the following link:

Further information about configuring ACLs on the WAAS client is in the
"Creating and Managing IP Access Control Lists for WAAS Devices" chapter of the
WAAS Configuration Guide at the following link:

Additional mitigations that can be deployed on Cisco devices within the
network are discussed in the Cisco Applied Mitigation Bulletin companion document for
this advisory available at the following link: