Symantec (was Axent/Cobalt) VelociRaptor
Hello all. I work as a network security analyst (and general network, security, why-is-this-not-working guy) at work. Over the summer, we tried to bring up a firewall to replace our old *NIX IPchains software solution. I wanted hardware/appliance level solutions, so I went to Cisco's page. Now, the PIX's look GREAT, but we don't have $15K (we're in the EDU sector).
I went to Axent's web site (now swallowed by Symantec) and looked around and, after a couple of e-mails, managed to get a VelociRaptor 1.0 for $1.5K (they wanted $5K, I think). After the box came in, I imaged the hard drive (it's a "hardened" Linux solution) and threw it into pre-production. And! - it wouldn't route packets. "No problem", I thought, "I'll just screw with it via the windows MMC snap-in tool. .... Which wouldn't change the routing tables. I then thought, "this is stupid ... I'll just tweak the routing tables for our network ... no sweat". Turns out it didn't like that at all.
This goes on for a couple of weeks, boss is starting to think that I'm an idiot. So he tries to configure the thing (after we restore it to default configuration). After a week of hearing swearing and thudding in the other room, I stop in on him. Not only is he pissed off (he's quite good at beating on something and *making* it work), but he wants blood. So I call up tech support (July 4). I get one of 2 employees working there that day. The conversation went something like this:
ME: Hello, I'm with xxxx and we just bought a VelociRaptor firewall appliance a couple of weeks ago. We're experienced network admins and security personnel, but we cannot get the box to route packets. Is there a trick to this?
Joe (I think that's who it was): Can I have your product number?
ME: Ummm ... okay. But I think it's DOA ... I can't imagine a company *shipping* something like this. Let's see ... <I give him our product number ... like a serial number, but tied to their software, not the hardware>
Joe: Hmmm. I don't see a support contract on that box ...
ME: Right. But ... do we need a contract? I think this unit was shipped DOA.
Joe: What's wrong with it?
ME: It isn't routing packets at all between interfaces, even though I've set them up properly, both according to it's Linux OS and the Windows MMC snap-in tool. Should we be looking at RMA'ing the unit? I can't imagine that this is how they *all* work...?
Joe: Sorry ... I can't do anything without a service contract. Maybe you should call back later on in the week; I'm one of about 2 guys here today.
ME: <bewildered> ... ... Okaaaaay ... I'll have some screenshots of it not routing, and all logs in the unit, ready for personell when I call back.
And the conversation went something like that. Anyway ... after speaking with quite a few people, and finally the manager of Symantec's VRFW group, I was told that "without a service contract, we can't do anything for you". When I said that the unit *had* to be defective, I was again asked for a contract number. I reitterated the fact that a consumer does not have to have a "contract" when they are within the 30-day warranty limit, given by the manufacturer (at that time, Symantec). <sigh>
Long story short: We gave up on the VR, dumped it into a corner, and bought a Watchguard Firebox (the larger one with the lights on the front). It worked from day 1 and it's been great to use. As I use a border/gateway router, this helps me isolate problems ... because (something I didn't mention above) the VR would **intermittently** start to work, then would crap itself within the space of 1-4 packets. <sigh>
I subbed to the firetower FAQ-group, too. SO - how has anyone else found the Axent-***-Symantec VelociRaptor 1.0 unit? Is this crap or did I just get a DOA unit? For me, the jury's still out.
Thanks - ~N~