[fw-wiz] Opinion: Worst interface ever.
From: Paul D. Robertson (paul_at_compuwar.net)
To: firstname.lastname@example.org
Date: Tue, 5 Jul 2005 08:54:40 -0400 (EDT)

I spent some time last week installing a new Watchguard X series appliance
at a customer site. It's the single most frustrating firewall install I
think I've ever done. Now, I've got a lot of not-my-favorite things on my
firewall list, but Watchguard has pretty much moved near the top just
based on the software interface.

I have a second customer co-located with this one, and they have a
Watchguard V series appliance with the Vcontroller software. I figured
I'd make it easy on anyone administering both sites by using the same
firewall vendor. While the V series software isn't the prettiest thing,
it's at least intuitive and functional to me.

The new Watchguard software "automatically" decides ruleset evaluation
order, and there's no easy way that I can find to figure out what order
something's going to be evaluated in. Worse yet, the logging software for
Windows doesn't even appear to be on the CD with the other software, so
"check the logs" starts to become an exercise in futility (thank goodness
I had a Linux box in the DMZ that I could syslog to- if it didn't support
syslog, it was getting shipped back!)

In the old software, it took me a whopping half a minute to set up an
inbound rule with authentication and NAT *without* reading the
documentation. In the new software we're talking ~45 minutes *following*
the documentation to get it set up and actually functional (set up was
easy, functional seemed to be rather quirky, and I'm still not sure why.)

Calling for support got me a "we just outsourced our support to India,
if you want a call back from US support press $foo" message that gets you
to a receptionist who happily transfers you to hold music in India. I got
it working (but not figured out) while on hold, so I decided that I didn't
want to experience support that came with a "if you can't understand"
warning up front- mostly because I was too upset to deal with some 1st
level support person who was new at their job in any type of civil manner
even without potential communication issues.

The firewall functions fine, tests just fine, and once it's configured,
seems to do the right thing. However, I've installed a fair number of
firewalls in my day, and this is the only time the experience has been so
frustrating that even after a long weekend, I'm *still* agitated over the
experience enough to rant about it.

I can't even imagine trying to audit the "we'll pick the most exact match"
ruleset evaluation of one of these beasts. If I thought there was any
chance the old software would work with the new box, I'd be loading that
tomorrow. My "same vendor" rationale is right out the window- the two
products aren't even close- other than the fact they're both red.

Maybe I'm too stupid for the new interface. Maybe I can't follow the
instructions in the manual well. As I said, the product functions just
fine, I just can't deal with the interface at all.

Adding to my frustration, every link in the manual requires you to have
authentication credentials for their Web site. Of course, in my case, the
person who set all that up was out for the holiday weekend, making finding
additional information a "call support" type of activity.

While I'm ranting- what's with support hours from 9-6pm *at my location*?
Hello Watchguard- firewalls are *production* boxes, downtime doesn't get
scheduled for when the users are still working!

I'll be happy to approve responses from anyone who feels the least bit
slighted by my opinions, or who wants to address any of this directly.
I'll also happily take personal e-mails on the issues.

Paul D. Robertson
email@example.com
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list