January 21st, 2002, 12:58 PM
Symantec (was Axent/Cobalt) VelociRaptor
Hello all. I work as a network security analyst (and general network, security, why-is-this-not-working guy) at work. Over the summer, we tried to bring up a firewall to replace our old *NIX IPchains software solution. I wanted hardware/appliance level solutions, so I went to Cisco's page. Now, the PIX's look GREAT, but we don't have $15K (we're in the EDU sector).
I went to Axent's web site (now swallowed by Symantec) and looked around and, after a couple of e-mails, managed to get a VelociRaptor 1.0 for $1.5K (they wanted $5K, I think). After the box came in, I imaged the hard drive (it's a "hardened" Linux solution) and threw it into pre-production. And! - it wouldn't route packets. "No problem", I thought, "I'll just screw with it via the Windows MMC snap-in tool." .... Which wouldn't change the routing tables. I then thought, "this is stupid ... I'll just tweak the routing tables for our network ... no sweat". Turns out it didn't like that at all.
This goes on for a couple of weeks, boss is starting to think that I'm an idiot. So he tries to configure the thing (after we restore it to default configuration). After a week of hearing swearing and thudding in the other room, I stop in on him. Not only is he pissed off (he's quite good at beating on something and *making* it work), but he wants blood. So I call up tech support (July 4). I get one of 2 employees working there that day. The conversation went something like this:
ME: Hello, I'm with xxxx and we just bought a VelociRaptor firewall appliance a couple of weeks ago. We're experienced network admins and security personnel, but we cannot get the box to route packets. Is there a trick to this?
Joe (I think that's who it was): Can I have your product number?
ME: Ummm ... okay. But I think it's DOA ... I can't imagine a company *shipping* something like this. Let's see ... <I give him our product number ... like a serial number, but tied to their software, not the hardware>
Joe: Hmmm. I don't see a support contract on that box ...
ME: Right. But ... do we need a contract? I think this unit was shipped DOA.
Joe: What's wrong with it?
ME: It isn't routing packets at all between interfaces, even though I've set them up properly, both according to its Linux OS and the Windows MMC snap-in tool. Should we be looking at RMA'ing the unit? I can't imagine that this is how they *all* work...?
Joe: Sorry ... I can't do anything without a service contract. Maybe you should call back later on in the week; I'm one of about 2 guys here today.
ME: <bewildered> ... ... Okaaaaay ... I'll have some screenshots of it not routing, and all logs in the unit, ready for personnel when I call back.
And the conversation went something like that. Anyway ... after speaking with quite a few people, and finally the manager of Symantec's VRFW group, I was told that "without a service contract, we can't do anything for you". When I said that the unit *had* to be defective, I was again asked for a contract number. I reiterated the fact that a consumer does not have to have a "contract" when they are within the 30-day warranty limit, given by the manufacturer (at that time, Symantec). <sigh>
Long story short: We gave up on the VR, dumped it into a corner, and bought a Watchguard Firebox (the larger one with the lights on the front). It worked from day 1 and it's been great to use. As I use a border/gateway router, this helps me isolate problems ... because (something I didn't mention above) the VR would **intermittently** start to work, then would crap itself within the space of 1-4 packets. <sigh>
I subbed to the firetower FAQ-group, too. SO - how has anyone else found the Axent-***-Symantec VelociRaptor 1.0 unit? Is this crap or did I just get a DOA unit? For me, the jury's still out.
Thanks - ~N~
January 22nd, 2002, 10:54 PM
Yeah. Has anyone else had experience with the VelociRaptor FW appliance?
February 11th, 2002, 06:45 PM
I'm going to use this as an IDS with *NIX and hogwash installed. Hell, it's just sitting here doing nothing right now ... wish me luck, guys.
February 16th, 2002, 09:51 PM
I have been using Raptor firewalls for about 3 years now.
Have you worked with the Raptor firewalls in the past? I would be interested in seeing any screen shots of the config you might have.
I love our Raptor firewall 6.5.
About a year and a half ago, I took the Raptor Firewall Advanced Administration class (was a waste of my time and money) and we had a chance to look at the VelociRaptor.
I had no trouble setting up the ones we had in class. Except for some confusion about which unit was whose to configure, and stuff like that.
My only reservation about buying one was that if it broke, we wouldn't have another one for at least a day. With our current Raptor firewall, I have a second one ready to go, and it didn't cost us any extra money.
The only real thought I have about it is, if they have it running on Red Hat Linux (very specific hardware, could be why they haven't done this), why don't they release the non-embedded Raptor firewall for Linux as well.....