RE: [fw-wiz] Skip the PDM

From: Wes Noonan (
Date: 11/24/03

    To: "'Sloane, David'" <>, "'Robert Fenerty'" <>, <>
    Date: Sun, 23 Nov 2003 18:11:16 -0600

    I couldn't disagree more. The Check Point GUI for SecurePlatform NG+AI has
    to be the most convoluted GUI I have ever worked with (NetScreen, PIX,
    SonicWall and ISA Server included...). OK, many of the open source GUIs are
    pretty bad too... but considering so many of them are based on Check Point,
    that's not really a surprise.

    Let's see here... do I use SSH to manage the firewall, HTTPS, or their
    GUI... I'll take all of the above for $500 Alex. You do some stuff from the
    webui... other stuff (routing anyone) from the CLI and the GUI (CLI and the
    GUI, WTF is that?!?!)... and yet other stuff from the GUI alone (rule
    management for example, which is pretty nicely done by them to be fair).
    Couple this with the horrendous job that Check Point has done in terms of
    documentation and user guides (hey Check Point, are you listening? Write
    better user guides, provide actual configuration examples and syntax and by
    all that is good and holy get some stinking configuration examples on your
    website for people to use. See
    ftware_Configuration for an example of how to do it right) and you need not
    wonder how they got unseated as the market share leader in firewalls. Check
    Point really seems to be just one step ahead of firewall configuration hell
    in terms of GUI management (try to configure Check Point to tunnel SNMP
    traffic in IPSEC between the firewall and a local management station. Enjoy
    the next few hours...).

    OTOH, while PDM isn't some earth shattering entry into GUI management, the
    new GUI makes VPN configurations next to brainless (try doing that with
    Check Point... set up your rules, communities, etc. all manually. Ugh.) for
    most configurations. Is it as robust as the CLI? No, but it's pretty good
    for *most* implementations. Sounds like the original poster ran across some
    unconventional issues more than any kind of "the GUI sucks" situation (even
    if I have to agree that the PIX DHCP configuration is pretty convoluted, GUI
    or otherwise, and changing from the standard setup in the PDM isn't as
    smooth as it should be...). Is the PDM truly "consumer grade"? No probably
    not, but then Cisco's consumer grade offering is called "Linksys" ;-)

    Just wanted to offer perspective from the other side of the fence. :-)

    Wes Noonan

    > -----Original Message-----
    > From: [mailto:firewall-wizards-
    >] On Behalf Of Sloane, David
    > Sent: Thursday, November 20, 2003 10:37
    > To: Robert Fenerty;
    > Subject: RE: [fw-wiz] Skip the PDM
    > Robert,
    > Thanks for the informative post. I think many of us still use
    > commercial firewalls for a variety of reasons. I'm most familiar with
    > PIX and CheckPoint and the PIX 501 is a real contender as a firewall to
    > be shipped out to my company's remote SOHO users. This post confirms my
    > general perception about Cisco vs. (specialized vendor). Cisco makes
    > decent hardware, very good routing software, and barely-tolerable
    > management tools. If you want good gui management tools, you're better
    > off with Checkpoint.
    > Many people don't have time/staff/etc. to become experts in
    > roll-your-own firewall technologies (despite their appealing qualities)
    > and this kind of personal account can be quite helpful.
    > -David
    > -----Original Message-----
    > From:
    > [] On Behalf Of Robert
    > Fenerty
    > Sent: November 19, 2003 7:42 PM
    > To:
    > Subject: [fw-wiz] Skip the PDM
    > Hi,
    > Although I sense that many subscribers to this list are of the
    > ipchains/linux ilk, I thought I'd tell you about my experience
    > configuring a PIX 501 at a client's site. A pretty standard setup,
    > which took me THREE AND A HALF HOURS to install. I think we can all
    > agree that I'm not a firewall wizard. Maybe an apprentice to the guy
    > who mixes the mortar for the firewall.
    > The PIX Device Manager (PDM) is a GUI-based app that runs as a web
    > server on the PIX 501. The 501's a tiny SOHO box with a Command-Line
    > Interface (CLI) fairly similar to those found on Cisco routers. The
    > differences tripped me up a bit; like grep options on HP-UX if you were
    > raised on Sun.
    > So to "speed things up" I tried using the PDM. Bad idea. In my network
    > design, the office network uses the 172.16.x.y network to avoid any
    > routing problems that might arise when remote workers with 192.168.x.y
    > home networks connect to the office via software VPN.
    > So I tell the GUI that the "inside" interface is, and the
    > DHCP pool starts at .2. Specify the gateway, DNS, etc. and you're done.
    > Right? Wrong. I'm guessing that the PDM just collects command lines
    > and sends them to the PIX.
    > The first error pops up when "ip address inside"
    > conflicts with the factory default DHCP pool, which starts at
    > So the interface IP isn't changed. And the request to
    > change the DHCP pool doesn't match the still-unchanged factory IP
    > address, so that's ignored too. At least the PDM pops up error messages,
    > and it was pretty obvious to me what was going on. So I fixed it
    > manually.
    > But the client paid $500 for this box. And a $100 Linksys or SMC box
    > wouldn't have had this problem. You'd think Cisco could do better.
    > Then the DHCP server on the PIX wouldn't vend IP addresses. No sniffer
    > handy, so I tried various debug options on the PIX. Finally got an
    > error message from the DHCPD saying that DHCP wasn't enabled. This was
    > odd, considering that "dhcp enable inside" and other dhcp settings were
    > in place. I don't know what I did to kick start it, but it eventually
    > started lending everyone IP addresses from its stingy pool of 32 DHCP
    > leases. It was pretty easy to set up the rest of it.
    > Anyway, the point of this message was to say that the PDM is a rotten
    > little piece of software that only confuses things. So skip the PDM.
    > Robert Fenerty
    > _______________________________________________
    > firewall-wizards mailing list

    firewall-wizards mailing list
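The interface/pool ordering problem Robert describes, as an added example that is not part of this thread: a constructed Python model (not PIX code) in which the validation rule, the simplified command names and all addresses are assumptions drawn from the errors he reports.

```python
"""Constructed model of the dependency between an inside interface address and
its DHCP pool. Assumption: a pool is accepted only if it lies inside the
interface's subnet, which is what the two rejections in the post suggest."""
import ipaddress
from typing import List, Optional, Tuple


class InsideInterface:
    """Minimal stand-in for the inside interface and its dhcpd pool."""

    def __init__(self, address: str, pool: Optional[Tuple[str, str]]):
        self.iface = ipaddress.ip_interface(address)   # e.g. "192.168.1.1/24"
        self.pool = pool                                # (first, last) or None

    @staticmethod
    def _pool_fits(pool: Tuple[str, str], iface) -> bool:
        first, last = (ipaddress.ip_address(p) for p in pool)
        return first in iface.network and last in iface.network and first <= last

    def apply(self, cmd: str, *args: str) -> str:
        """Apply one simplified command; return 'ok' or the rejection reason."""
        if cmd == "ip address inside":
            new = ipaddress.ip_interface(args[0])
            if self.pool and not self._pool_fits(self.pool, new):
                return f"rejected: pool {self.pool} outside {new.network}"
            self.iface = new
        elif cmd == "dhcpd address":
            pool = (args[0], args[1])
            if not self._pool_fits(pool, self.iface):
                return f"rejected: pool {pool} outside {self.iface.network}"
            self.pool = pool
        elif cmd == "no dhcpd address":
            self.pool = None
        else:
            return f"rejected: unknown command {cmd}"
        return "ok"


def run(box: InsideInterface, script: List[Tuple[str, ...]]) -> List[str]:
    """Apply a script in order and collect each command's result."""
    return [box.apply(*line) for line in script]


# Constructed factory defaults: 192.168.1.0/24 with a 32-address pool.
FACTORY = ("192.168.1.1/24", ("192.168.1.2", "192.168.1.33"))
# Order the post suggests the PDM used: both steps are rejected.
PDM_ORDER = [("ip address inside", "172.16.1.1/24"),
             ("dhcpd address", "172.16.1.2", "172.16.1.33")]
# Order that respects the dependency: drop the pool, re-address, re-create it.
FIXED_ORDER = [("no dhcpd address",),
               ("ip address inside", "172.16.1.1/24"),
               ("dhcpd address", "172.16.1.2", "172.16.1.33")]
```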

