Tuesday, October 30, 2007

Further work - FW1 R65 on Dell 2950

So far this install is flaky as can be. The FW.SYS (Firewall kernel-level driver) BSODs the machine once a week and quits routing daily. We've upgraded to HFA2, we have the latest Dell drivers, and have all services off except for those required.

SmartDefense isn't the problem; that's been eliminated. The problem with the BSOD is always processing NDIS. Sometimes when routing stops, fw ctl zdebug drop shows that the inbound packet queue is full. This is getting ridiculous. I think R65 just isn't stable at this point in time. I have had open tickets for many weeks now.

Friday, October 12, 2007

Firewall-1

FW1 NGX R65 install onto Windows 2003 R2 on a Dell 2950 with Broadcom NICs and an Intel E1000 add-on NIC.

Things I have learned:

1) fw ctl zdebug drop will show drops that are not logged in the normal log viewer.
2) They have previously had issues with Broadcom NICs, though R65 should have that fix. They recommend N1000-type cards from Intel.
3) Make sure your IP addresses are set up right.

4) Make sure duplex is right. Double check.

5) NDISWAN must not be installed. That is your 0.0.0.0 in topology. Windows 2003 uses this for remote access and routing. FW1 isn't compatible with this.
a) Go into Device Manager and look at your Network adapters.
Select VIEW / SHOW HIDDEN DEVICES. Disable all the WAN MINIPORT items, including the VPN-1/Firewall miniport.
Disable the Routing and Remote Access service. With the WAN MINIPORT items disabled, the Routing and Remote Access service will fail upon boot anyway.
b) Go into the registry, go to HKLM\system\currentcontrolset\services\tcpip\parameters, and set IPEnableRouter to 1.
This enables routing without the Routing and Remote Access service, which is what FW1 wants. Reboot to get all these changes in place. You might also add MaxUserPort to this registry location and set it to 65534. The default in Windows 2003 is 5000 ports, so you can only have 5000 connections at a given moment. 65534 is the maximum possible, so set it to that in decimal; it's 0x0000FFFD in hex. Google search this fact and you'll find it in numerous places.

c) In this same place in the registry as in b, go into Interfaces and for each interface configure DontAddDefaultGatewayDefault as a DWORD set to 0. This prevents the interface from ever having a 169.254.x.x address.

d) Instead of typing in every route table entry again when you are moving firewalls, simply take the PersistentRoute portion of this registry, export it as a .reg, import it on your new firewall, and then reboot. It's also a good idea to export this for backups every now and again.
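The checks in 5a through 5d, put together as a PowerShell audit script. This is an added example, not something from the original post: it reads the registry values and service state named above and only writes them when you pass -Apply. The key paths and value names are the ones the post lists; the function name, the -Apply switch and the backup file name are this example's own assumptions.

```powershell
# Added example (not from the original post): audit the TCP/IP registry settings
# from steps 5a-5d and, with -Apply, set the values the post recommends.
# Run it elevated on the firewall host. Key paths and value names are those named
# in the post; Test-TcpipValue, -Apply and the backup path are this example's own.
param([switch]$Apply)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Compare one REG_DWORD with the expected value; fix it only when -Apply is given.
function Test-TcpipValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { $null }   # $null when the value is absent
    $ok     = ($actual -eq $Expected)
    if (-not $ok -and $Apply) {
        New-ItemProperty -Path $Path -Name $Name -Value $Expected -PropertyType DWord -Force | Out-Null
    }
    [pscustomobject]@{
        Status = $(if ($ok) { 'OK' } else { 'FIX' })
        Key    = Split-Path -Leaf $Path      # "Parameters" or the interface GUID
        Name   = $Name
        Actual = $actual
        Wanted = $Expected
    }
}

$report = @()
# 5b: route between NICs without RRAS, and raise the ephemeral port ceiling (0x0000FFFD)
$report += Test-TcpipValue $tcpip 'IPEnableRouter' 1
$report += Test-TcpipValue $tcpip 'MaxUserPort'    65534
# 5c: the per-interface value from the post, checked under every interface GUID
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $report += Test-TcpipValue "$tcpip\Interfaces\$($iface.PSChildName)" 'DontAddDefaultGatewayDefault' 0
}
$report | Format-Table -AutoSize

# 5a: Routing and Remote Access must stay disabled so it does not compete with FW1
$rras = Get-WmiObject Win32_Service -Filter "Name='RemoteAccess'"
if ($rras -and $rras.StartMode -ne 'Disabled') {
    Write-Warning "RemoteAccess service is $($rras.StartMode)/$($rras.State); disable it (step 5a)"
}

# 5d: date-stamped .reg backup of the persistent route table (reg.exe prompts on overwrite,
# so remove a same-day file first)
$backup = Join-Path $env:SystemDrive ("PersistentRoutes-{0:yyyyMMdd}.reg" -f (Get-Date))
if (Test-Path $backup) { Remove-Item $backup }
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes' $backup | Out-Null
Write-Host "Persistent routes exported to $backup"
```

Run it without -Apply first and review the FIX rows; a reboot is still needed after any change, as the post says.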