altivo
What is it with these computer hardware/software vendors? Why do they believe that we have nothing to do but comply with their eccentric ideas of how things should work?

In order to upgrade the "appliance software" contained in our Watchguard firewall, I am apparently expected to bring the entire network down for hours or days while I figure out their inadequate documentation. Not only that, but they provide no simple means to convert the existing configuration to the format required by the new software. Instead, their migration guide tells me to rebuild the entire friggin' thing from scratch, on a new and badly documented user interface that is probably just as unreliable as the old one.

Their software spews cryptic messages into a log, but they provide NO documentation whatsoever on what those messages mean. Their configuration program offers lots of little checkboxes and options, but not one of their manuals, not even the "Reference Manual", tells you what those options mean or what they refer to, let alone offering any explanation of why you would want to use them (or not). What is "aggressive mode"? What do they mean by "Clear type of service"? In some cases, the manual doesn't even mention these options, and in the screen shots the check box doesn't even appear.

The only day of the week when I could leave the network down for hours on end is a Sunday. And of course, once the network is down, you lose all access to the vendor's support site (not that it is much good anyway, I guess, since it's badly indexed and contains next to nothing of use.) So I could work on a Sunday and take another day off, except... Everybody else is taking days off so there is no other day I can take off without leaving a gap in coverage.

No wonder people become Luddites.

Date: 2007-08-14 03:30 am (UTC)
From: [identity profile] keeganfox.livejournal.com
I feel your pain. That's starting to sound like my job. They've made it mandatory for us to use Tool Accountability System but it's got no documentation beyond the setup guide, and it's barely adequate. You get error messages telling you you have an "undefined error". I e-mailed the support center and they told me to "bundle" the database backup and send it to them for analysis. Kinda hard to do when it's not making the backup like it should...

Then there's the equipment management side of things. I have to take some computer based training, which sounds good, but it's "monkey see, monkey do". Useless claptrap like "Now put "F" in the Condition Code block" but no further explanation of anything. Why do I want to put F? What about A through E? Will it always be F? What does F mean?

Of course none of that keeps my overachiever, no life (actual quote "I can't stand to be around the house") boss from pestering me why things aren't getting done, and of course trying to explain that I'm just figuring it out as I go isn't good enough.

Date: 2007-08-14 11:24 am (UTC)
From: [identity profile] altivo.livejournal.com
Yep. And at least in my case, doing all this serves no useful purpose at all. The network admin at the head library wants to use VPN, and no one will tell him to forget it. So he mandates it, and when anyone else has a problem, he just says "Well, what are you going to do about it?"

His solution? Everyone should scrap their equipment and software and buy the exact same thing he is using, and all to achieve a level of security that serves no useful purpose, since the data being exchanged is not at all sensitive. Names and telephone numbers that are listed in the public directory. Barcodes and book titles that are listed in the publicly accessible catalog. No financials, no social security numbers, nothing of that sort at all.

Date: 2007-08-14 07:22 am (UTC)
From: [identity profile] avon-deer.livejournal.com
My all-time bugbear is when management make us replace things that work with things that don't. VNC worked perfectly well at work, but we were made to replace it with SMS Viewer, which...doesn't. Our old Linux firewall worked fine, but no, we had to rip it out and stick in everyone's favourite.

I am just glad it's not my job to upgrade it. I feel for you.

Date: 2007-08-14 11:21 am (UTC)
From: [identity profile] altivo.livejournal.com
Ugh. I think that model can't even be upgraded any more. They quietly "dropped" support for it.

Date: 2007-08-14 11:24 am (UTC)
From: [identity profile] avon-deer.livejournal.com
Good... maybe we'll get a better one.

Date: 2007-08-14 11:32 am (UTC)
From: [identity profile] altivo.livejournal.com
Actually, I'm guessing that is a Watchguard II (no longer supported.) If it's a Watchguard III, they'll probably be dropping support for it any old time now. The trouble is, that's just planned obsolescence. The replacement models aren't any better, they're just "different."

When it gets replaced, you want to try to not get Watchguard at all. Their products are garbage, and their support is worse.

Date: 2007-08-16 11:58 pm (UTC)
From: [identity profile] altivo.livejournal.com
Check new comments at the bottom. My rant actually attracted the attention of someone at Watchguard, for what that's worth.

Date: 2007-08-14 08:12 am (UTC)
From: [identity profile] cabcat.livejournal.com
*watches the angry horse stampede about the place and keeps well out of trampling distance*

It sounds like a terrible system O.O

Date: 2007-08-14 11:19 am (UTC)
From: [identity profile] altivo.livejournal.com
It's all right if you only want to do basic stuff. Making it do cutting edge stuff while talking to another vendor's product, however... Forget it.

Welcome to the future

Date: 2007-08-14 10:04 am (UTC)
From: [identity profile] animist.livejournal.com
I deal with this a lot in industrial automation. Often I get really informative-sounding errors, but the vendor that sold it to me has no idea what they mean. And this is gear by top-rate companies in industrial and scientific control - like Yokogawa.

It's like Spaceballs: "Even in the future nothing works!"

Re: Welcome to the future

Date: 2007-08-14 11:18 am (UTC)
From: [identity profile] altivo.livejournal.com
They've all learned from Microsoft, who can sell stuff even when it repeatedly crashes during their big sales demos.

Date: 2007-08-14 10:11 am (UTC)
From: [identity profile] farhoug.livejournal.com
Replace the old firewall with a quick setup of a linux box while you poke the Watchguard... and "forget" to install that pesky red box back in? =)

Date: 2007-08-14 11:16 am (UTC)
From: [identity profile] altivo.livejournal.com
Unfortunately, no. This is all driven by insistence that we use IPSEC and VPN for connection to the library consortium. This turns out to be unreliable with the current version of software that is installed here. Of course no one can guarantee that it will be any better even after this horrendous "upgrade", just different.

Linux, which sensibly sticks to standards that are well-established and settled for the most part, doesn't have a way to do IPSEC as far as I can tell. It would work fine for every other feature of the firewall we use.

The real problem is that we have to make Watchguard talk to Cisco. Each vendor blames the other when it doesn't work, and no useful information is forthcoming.

Date: 2007-08-14 06:02 pm (UTC)
From: [identity profile] farhoug.livejournal.com
Yeah, and whatever IPSEC solution linux world might have, it would probably be incompatible anyways with the current system in the other locations. They've been catching up pretty impressively though on that track, hopefully they'll manage to come up with something suitable.

Actually, there's a box in the corner of the kitchen waiting for me to get it running with some sort of VPN connection thingie, that can talk with the regular MS stuff. Gotta delve a bit more into the subject still, but I gather it'll be... interesting. But the executive staff need their sales figures 24 hours a day anyways, I guess they can't even function otherwise... =)

Date: 2007-08-14 06:49 pm (UTC)
From: [identity profile] altivo.livejournal.com
I have PPTP VPN working just fine from Slackware to the Watchguard, using the same protocols that Windows would use. So it works with Linux as a client at least (the Watchguard is Linux too, technically, but it's designed to work with Windows as a client and Windows Networking at the server end.) The same connection works from Windows XP or Windows 98 as a client, so Linux is caught up with Microsoft on that.

The trouble with IPSEC seems to be that each vendor has interpreted it differently. If Watchguard can't talk to Cisco without erratic behavior, then Linux probably would have the same difficulties.

Date: 2007-08-14 06:58 pm (UTC)
From: [identity profile] farhoug.livejournal.com
Good to know; maybe it won't be too hair-raising an experience then.

Date: 2007-08-14 07:39 pm (UTC)
From: [identity profile] altivo.livejournal.com
I think I have a web link to a good set of instructions for setting it up. It's on the machine at home though. I'll check and let you know.

Date: 2007-08-14 11:12 pm (UTC)
From: [identity profile] altivo.livejournal.com
Here's that link:

http://www.linuxhelp.net/guides/vpn/

It uses a Linux package called "poptop" or pptp. You need the pppd configuration already set up, then you set up pptp to run over it. Since I use pppd for dialup to my ISP, it was pretty easy to add pptp.

I have scripts for pppd set up so that the command "pppd call elink" dials Earthlink and establishes the basic internet connection on ppp0. Then "pppd call libvpn" makes the pptp connection to the Watchguard at the library as interface ppp1, adding appropriate routing.

The machines I use over vpn are defined in /etc/hosts with their local IP addresses for inside the library firewall. Thus "ssh hdl002s" connects to my own desktop Linux once the ppp1 link is up, and "smbmount" will mount shares off either the Win2K servers or my own machine. Xwindows clients are usable too, but really too slow to bother with over dialup. On a faster connection they'd be fine.
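The two files behind the "pppd call libvpn" step described above, as an added example: this is not altivo's own script (which was never posted here) and not the linuxhelp.net guide. The peer name libvpn and the use of pppd's ipparam to tag the link follow the comment; the endpoint name vpn.library.example, the CHAP user name, the 10.10.0.0/16 library LAN and the ip-up.d hook directory (run by /etc/ppp/ip-up on Debian-style systems) are assumptions. The script writes everything under a directory you pass in, so it can be inspected without touching /etc/ppp.

```shell
#!/bin/sh
# Added example, not from the original page. Generates a pppd peer definition
# for a PPTP tunnel plus an ip-up hook that adds the library route only when
# that tunnel (ipparam "libvpn") comes up. All names/addresses are placeholders.

write_pptp_peer() {
    root="$1"
    mkdir -p "$root/etc/ppp/peers" "$root/etc/ppp/ip-up.d"

    # Peer definition used by "pppd call libvpn". pppd runs the pptp client on a
    # pseudo-tty instead of a modem, which is why the same file works whether the
    # underlying Internet link is ppp0 (dialup) or an Ethernet interface.
    cat > "$root/etc/ppp/peers/libvpn" <<'EOF'
# Run the PPTP client as the "modem" (no real serial device involved)
pty "pptp vpn.library.example --nolaunchpppd"
# Credentials: "name" is looked up in /etc/ppp/chap-secrets against remotename
name altivo
remotename libvpn
# Require 128-bit MPPE; refuse the weaker authentication methods so pppd
# cannot negotiate down to PAP/CHAP/MS-CHAPv1 (MS-CHAPv2 remains)
require-mppe-128
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
# Accept the peer-assigned address; never replace the default route of ppp0
noipdefault
nodefaultroute
# Passed to /etc/ppp/ip-up as $6 so the hook knows which link came up
ipparam libvpn
# Keep the tunnel alive and notice promptly when it dies
lcp-echo-interval 30
lcp-echo-failure 4
EOF

    # Hook run after any PPP link comes up. pppd's ip-up arguments are:
    #   $1 interface  $2 tty  $3 speed  $4 local-IP  $5 remote-IP  $6 ipparam
    # Only the libvpn peer gets a route into the library LAN; the dialup link
    # (ppp0) leaves routing untouched.
    cat > "$root/etc/ppp/ip-up.d/libvpn-route" <<'EOF'
#!/bin/sh
[ "$6" = "libvpn" ] || exit 0
# Route the library's internal network through the tunnel interface (ppp1 here)
ip route add 10.10.0.0/16 dev "$1"
EOF
    chmod 755 "$root/etc/ppp/ip-up.d/libvpn-route"
}

# Sanity check for a generated peer: the pptp pty, the MPPE requirement and the
# ipparam tag must be present, and the route hook must be scoped to that tag.
check_pptp_peer() {
    root="$1"
    grep -q '^pty "pptp ' "$root/etc/ppp/peers/libvpn" &&
    grep -q '^require-mppe-128$' "$root/etc/ppp/peers/libvpn" &&
    grep -q '^ipparam libvpn$' "$root/etc/ppp/peers/libvpn" &&
    grep -q '"\$6" = "libvpn"' "$root/etc/ppp/ip-up.d/libvpn-route"
}

tmp=$(mktemp -d)
write_pptp_peer "$tmp"
check_pptp_peer "$tmp" && echo "peer files written under $tmp"
```

Copying the generated files to /etc/ppp (and adding the `altivo libvpn <password> *` line to /etc/ppp/chap-secrets) gives a `pppd call libvpn` that behaves as the comment describes: it does not care which interface carries the GRE and TCP/1723 traffic, and the route appears only when the ipparam matches. One caveat for anyone reading this today rather than in 2007: the MPPE key is derived from MS-CHAPv2, whose authentication has since been shown to be recoverable offline, so this configuration is an interoperability note, not a current recommendation for protecting anything sensitive.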

Date: 2007-08-15 12:44 am (UTC)
From: [identity profile] farhoug.livejournal.com
Hmm, that looks pretty straightforward. And quite handy too. ^^

Thanks for the advice, otherwise I'd probably have ended up wrestling with penguins for quite a while too. I usually end up choosing the most complex route myself anyways. =)

Date: 2007-08-15 01:44 am (UTC)
From: [identity profile] altivo.livejournal.com
I hope it helps. When you get ready to try it, let me know if you want copies of my pptp scripts. I'll be glad to send them along if you like. The actual pptp script works whether I'm on dialup or using a direct ethernet link to the net. It doesn't care. A good example of network layers, I guess.

Date: 2007-08-14 02:18 pm (UTC)
From: [identity profile] corelog.livejournal.com
Ridikkulous!

The "migration" consists of rebuilding the whole thing from scratch? Now, if you were re-compiling a kernel or something, I could understand it. But there's absolutely no reason to be rebuilding configs and all from scratch, as far as I can see.

What a clusterfuck.

Date: 2007-08-14 03:10 pm (UTC)
From: [identity profile] altivo.livejournal.com
The really irritating thing about this product is that it runs Linux internally. You have to dig really deep in the documentation to figure that out, though. They don't admit it because their entire market is Windows addicts. Consequently, you can't get at the Linux environment, and they don't even have an interface to control it that runs on a Linux system. I have to have a Windows-based system in order to talk to the darned thing, and worse yet, in order to collect the log messages from it, since it won't talk to a standard UNIX log daemon. (Obviously, I did not choose this hardware.)

The configuration environment is all GUI-based. There is no way to see the whole configuration laid out at once. You can only see bits and pieces of it at any one time.

The format of the configuration file changed from version 7 to version 8. OK, do that if you want. But the same rules have to be encodable in version 8, so why not provide a translation utility? Answer: because they don't have to. It's the Microsoft way of doing business. No matter how badly you treat your customers, they'll still come back again for more.

Contact from WatchGuard

Date: 2007-08-16 09:00 pm (UTC)
From: (Anonymous)
Hi,

Your posting was forwarded to me by a co-worker at WatchGuard. I am a product manager at WatchGuard and would like to discuss your experience if you are interested in doing so. We realize we're not always going to please everyone, but we definitely want to do much, much better than the experience you describe here.

If you'd like to discuss, please contact me at 206-613-6647. (Any of the commenters are welcome to do so as well.) It's not always fun for us to hear negative commentary, but it's important.

Best regards,

Tim Helming
Senior Product Manager
WatchGuard Technologies

Re: Contact from WatchGuard

Date: 2007-08-16 11:54 pm (UTC)
From: [identity profile] altivo.livejournal.com
Sorry, Tim, but I'm not calling Seattle on my nickel to listen to excuses or sales pitches. Just consider the fact that you can't document a check box that says "PFS" by just saying "Check here if you want PFS" or even "Check here to select perfect forward security." You have to tell what that means, or give a reference to some other source that explains it. You also have to tell what the typical or default value would be.

The fact that so many of these options keep moving around wildly from place to place in the configuration as each version changes says to me that in fact, no one there at Watchguard is quite sure what they mean either.

I didn't get anything intelligible out of your support site, nor any other means I tried, other than a couple of spots that said Watchguard products have difficulty initiating IPSEC with a Cisco product at the other end. I can tell you that is certainly true. But why? And why can't you do anything about it? More to the point, why is there no straightforward information on how to set up both ends of such a connection? It has to be a fairly common requirement. If all your customers are paying as much for your products as we are, you can certainly afford to buy a Cisco and find out how to make it work by manipulating BOTH ends.

When you put an error message into the log, it jolly well needs to be explained somewhere. "Received a packet for an unknown SA" is not intelligible. The fact that it doesn't tell the source address, or the target address, or any other information to help identify precisely to what it refers makes it useless. And if you Google that message, you'll see that I'm not the only one who has complained about it. No one has received a satisfactory answer.

Nor is there any explanation for why, when I have no HTTP proxy enabled at all, I'm getting messages about incoming packets being rejected by the HTTP proxy. I want those packets to get through. But nothing in the message tells me what part of the configuration is rejecting them.

IBM knew that error messages must be precisely documented as to where in the product they originated, and to which configuration elements they pertain. In the 70s and 80s, most vendors followed their example. But now everyone follows Microsoft's abysmal example of not documenting anything until thousands of customers start howling about it. Even their own support people usually can't answer such questions. And, I've found, neither can Watchguard's support.
