Re: [fw-wiz] Opinion: Worst interface ever.
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 07/05/05
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] Opinion: Worst interface ever."
- In reply to: StefanDorn_at_bankcib.com: "Re: [fw-wiz] Opinion: Worst interface ever."
- Next in thread: StefanDorn_at_bankcib.com: "Re: [fw-wiz] Opinion: Worst interface ever."
- Reply: StefanDorn_at_bankcib.com: "Re: [fw-wiz] Opinion: Worst interface ever."
- Reply: Jan Tietze: "Re: [fw-wiz] Opinion: Worst interface ever."
To: StefanDorn@bankcib.com
Date: Tue, 5 Jul 2005 10:16:07 -0400 (EDT)
On Tue, 5 Jul 2005 StefanDorn@bankcib.com wrote:
> > I can't even imagine trying to audit the "we'll pick the most exact match"
> > ruleset evaluation of one of these beasts. If I thought there was any
> > chance the old software would work with the new box, I'd be loading that
> > tomorrow. My "same vendor" rationale is right out the window- the two
> > products aren't even close- other than the fact they're both red.
>
>
> The 7.x series of software does this- precedence is based on how specific
> each rule is. The most specific rules are evaluated first, and so on. Of
But what counts as specific? Is a port more or less specific than an
address? Is a protocol less specific than a user? If they do an ASIC
rev, is my happy little ruleset going to do something different if I have
to replace a box?
> course, the software itself does nothing to show you the order they are
> in. I think I recall reading that in the newer "Fireware Pro" software,
> you can manually set precedence. Maybe it hasn't been implemented yet.
>
I think their marketing department needs smacked. I didn't even start to
go on about having three interfaces in the box I can't use unless I pay
more money.
> > While I'm ranting- what's with support hours from 9-6pm *at my
> > location*?
> > Hello Watchguard- firewalls are *production* boxes, downtime doesn't get
> > scheduled for when the users are still working!
>
> The good news is, they have a support forum with some pretty helpful
> Watchguard people moderating it, and even a few customers who try to help
> people out. Bad news is, I've yet to get a question completely answered
> via their incident response system. Barring disaster, I generally try to
> figure a problem out myself, since every time I contact support they
> immediately request that I let them connect and play with the
> configuration..which isn't going to happen. It makes me wonder if
> outsourcing can really be worth it, considering the fact that it generally
> results in customers getting irritated with it and then requesting a US
> representative anyway. Why not just get it right the first time?
>
I'm glad I'm not the only one left with that impression. I'm going to go
back over my personal evaluation criteria and tweak the support parts to
match what I see as good. I also think that I'm going to go back to
building more open source based firewalls- the idea behind a commercial
product is support and consistency. I'm not seeing good things in either
department.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
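The audit problem raised in this message ("what counts as specific?"), as an added example that is not part of the original post and is not any vendor's algorithm: it evaluates one ruleset under two hypothetical definitions of "most specific first" and reports the packets whose verdict changes. The rules, probe packets and both scoring orders are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed ruleset; port None means "any port".
RULES = [
    {"name": "allow-web-from-lan", "src": "10.0.0.0/8", "port": 80, "action": "allow"},
    {"name": "deny-host-any-port", "src": "10.1.2.3/32", "port": None, "action": "deny"},
]

def matches(rule, pkt):
    return (ip_address(pkt["src"]) in ip_network(rule["src"])
            and rule["port"] in (None, pkt["port"]))

def addr_score(rule):
    return ip_network(rule["src"]).prefixlen      # longer prefix = more specific

def port_score(rule):
    return 0 if rule["port"] is None else 1       # named port = more specific

# Two hypothetical, equally defensible readings of "most specific first".
ORDERINGS = {
    "address-first": lambda r: (addr_score(r), port_score(r)),
    "port-first": lambda r: (port_score(r), addr_score(r)),
}

def verdict(rules, pkt, key):
    """First match wins after sorting by descending specificity; default deny."""
    for rule in sorted(rules, key=key, reverse=True):
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return "deny", "implicit-default"

def audit(rules, packets):
    """Return the packets whose action depends on the ordering chosen."""
    findings = []
    for pkt in packets:
        results = {name: verdict(rules, pkt, key) for name, key in ORDERINGS.items()}
        if len({action for action, _ in results.values()}) > 1:
            findings.append((pkt, results))
    return findings

# Constructed probe packets.
PROBES = [
    {"src": "10.1.2.3", "port": 80},
    {"src": "10.1.2.3", "port": 22},
    {"src": "10.9.9.9", "port": 80},
]

if __name__ == "__main__":
    for pkt, results in audit(RULES, PROBES):
        print(pkt, results)
```

With an explicit, operator-visible rule order the same audit returns no findings, because only one ordering exists to evaluate.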