Re: [fw-wiz] Opinion: Worst interface ever.

From: Paul D. Robertson (
Date: 07/05/05

  • Next message: Dave Piscitello: "Re: [fw-wiz] Opinion: Worst interface ever."
    Date: Tue, 5 Jul 2005 10:16:07 -0400 (EDT)

    On Tue, 5 Jul 2005 wrote:

    > > I can't even imagine trying to audit the "we'll pick the most exact match"
    > > ruleset evaluation of one of these beasts. If I thought there was any
    > > chance the old software would work with the new box, I'd be loading that
    > > tomorrow. My "same vendor" rationale is right out the window- the two
    > > products aren't even close- other than the fact they're both red.
    > The 7.x series of software does this- precedence is based on how specific
    > each rule is. The most specific rules are evaluated first, and so on. Of

    But what counts as specific? Is a port more or less specific than an
    address? Is a protocol less specific than a user? If they do an ASIC
    rev, is my happy little ruleset going to do something different if I have
    to replace a box?

    > course, the software itself does nothing to show you the order they are
    > in. I think I recall reading that in the newer "Fireware Pro" software,
    > you can manually set precedence. Maybe it hasn't been implemented yet.

    I think their marketing department needs smacked. I didn't even start to
    go on about having three interfaces in the box I can't use unless I pay
    more money.

    > > While I'm ranting- what's with support hours from 9-6pm *at my location*?
    > > Hello Watchguard- firewalls are *production* boxes, downtime doesn't get
    > > scheduled for when the users are still working!
    > The good news is, they have a support forum with some pretty helpful
    > Watchguard people moderating it, and even a few customers who try to help
    > people out. Bad news is, I've yet to get a question completely answered
    > via their incident response system. Barring disaster, I generally try to
    > figure a problem out myself, since every time I contact support they
    > immediately request that I let them connect and play with the
    > configuration..which isn't going to happen. It makes me wonder if
    > outsourcing can really be worth it, considering the fact that it generally
    > results in customers getting irritated with it and then requesting a US
    > representative anyway. Why not just get it right the first time?

    I'm glad I'm not the only one left with that impression. I'm going to go
    back over my personal evaluation criteria and tweak the support parts to
    match what I see as good. I also think that I'm going to go back to
    building more open source based firewalls- the idea behind a commercial
    product is support and consistency. I'm not seeing good things in either

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    firewall-wizards mailing list
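
Added example, not part of the original message and not WatchGuard's actual algorithm: a small audit helper showing why "most specific rule first" is hard to review, since two plausible definitions of "specific" (narrowest source address first versus narrowest port range first) can give different verdicts for the same packet. The rule names, addresses and both ranking functions are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source network in CIDR form
    ports: range   # destination ports covered
    action: str    # "allow" or "deny"

    def matches(self, src_ip, port):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and port in self.ports

# Hypothetical ranking 1: longest source prefix wins, port width breaks ties.
def by_address(rule):
    return (-ipaddress.ip_network(rule.src).prefixlen, len(rule.ports))

# Hypothetical ranking 2: narrowest port range wins, prefix length breaks ties.
def by_port(rule):
    return (len(rule.ports), -ipaddress.ip_network(rule.src).prefixlen)

def verdict(rules, key, src_ip, port, default="deny"):
    """First match after sorting rules by the given specificity key."""
    for rule in sorted(rules, key=key):
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    return default, None

def ambiguous(rules, probes):
    """Return probes whose action depends on which ranking is in force."""
    findings = []
    for src_ip, port in probes:
        a = verdict(rules, by_address, src_ip, port)
        b = verdict(rules, by_port, src_ip, port)
        if a[0] != b[0]:
            findings.append((src_ip, port, a, b))
    return findings

# Constructed ruleset and probe packets (sample data, not from the thread).
RULES = [
    Rule("allow-admin-host", "10.1.1.5/32", range(1, 65536), "allow"),
    Rule("deny-telnet", "10.1.0.0/16", range(23, 24), "deny"),
    Rule("allow-web", "0.0.0.0/0", range(80, 81), "allow"),
]
PROBES = [("10.1.1.5", 23), ("10.1.1.5", 80), ("10.1.2.9", 23), ("192.0.2.7", 80)]

if __name__ == "__main__":
    for finding in ambiguous(RULES, PROBES):
        print(finding)
```

Any probe this reports is a packet whose fate is decided by the undocumented ordering rather than by the ruleset as written, which is the part of the policy an auditor cannot sign off on.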
