Bag Yourself a Cheap Firewall: The Symantec FW100 and FW200(R) Appliances

KB ID 0000109 

Problem

OK, to be honest, before I went to work for my current employer I didn’t even know Symantec made hardware firewalls, and at the time of writing they no longer make “Low End” firewalls and corporate support for them has all but ended. With this in mind, there are a load of them currently being replaced with newer firewalls, and they are either getting thrown in cupboards “in case of emergency”, ending up on eBay, or worst of all going in the skip.

So why would you want one then?

Because in true Petenetlive fashion you can pick them up for nothing, or for a few pounds on eBay, and they make an excellent firewall for your Home PC, Home network or Small business.

Fair enough but what’s the difference between the two?

Basically both firewalls can function as a hardware firewall and do site to site VPNs. The FW200, however, can have 2 WAN connections, and the 200R supports client to gateway VPN connections using the Symantec Client VPN software. Both appliances have a built in switch: on the FW100 it’s a four port and on the FW200 it’s an eight port.

FW100 (Top) and FW200 (Bottom)

To see what the Warning Lights and Symbols mean CLICK HERE

Right I’ve bought one now what the hell do I do with it?

That depends on what you want it for. There are a number of things a firewall can do: you can simply run through the basic setup and it will protect your PC/network, or you might want to set up a permanent connection from home to your office (Site to Site VPN). Or you might want to access your PCs at home or in the office from anywhere in the world with an internet connection (Client to Gateway VPN – FW200R only). You may have a server at home or an Xbox and want to port forward particular traffic to a particular PC/server or games console.

You can do as much or as little as you like with it. I’ll outline the basic things you may want to do below.

1. Reset to factory Settings

2. Connect to the firewall for administration

3. Update the firmware

4. Basic Setup

5. Port Forwarding

6. Site to Site VPN

7. Client to Gateway VPN

8. Client VPN Software

Solution

Reset to Factory Settings

If you have got an appliance off eBay or been given it by work, then chances are you won’t know its settings and the password to get in and manage it, so before you do anything you need to reset the appliance back to its factory settings. Read the ENTIRE procedure before you do anything!

Factory Settings

1. Inside IP address set to 192.168.0.1

2. Inside Subnet Mask set to 255.255.255.0

3. Password is set to {Blank} – That’s NO Password.

4. Outside Interface(s) set to obtain their IP address dynamically.

5. Appliance turns on its internal DHCP server and leases addresses from its switch ports.

6. All traffic will be allowed out

7. No traffic will be allowed in (unless its a reply to traffic instigated inside).

On the back of the appliance you will see a row of “dip” switches that you can turn on (down) and off (up). With the unit powered off, use a pen or paperclip and have a couple of practice flicks on switch 1.

Procedure

1. Power off the appliance

2. Drop dip switch 1 to ON.

3. Power on the appliance and watch the backup/active LED light come on.

4. As soon as the LED goes out, flip dip switch 1 up (off), down (on), and up (off) again. Note: you only get 12 seconds!

5. If you have carried out the procedure correctly then the Error LED will come on and then alternate with the LAN/WAN Status LED.

6. The appliance will reboot. Let it do so, then remove the power, wait a few seconds, and power it up again.

Connect to the Firewall for Administration

Assuming you have just reset the firewall, its internal IP address will be 192.168.0.1. Simply connect your PC or laptop to the firewall using a standard ethernet cable to any of the ports labelled LAN.

Your PC should be set to get an IP address dynamically, or you can manually set an IP address in the 192.168.0.2 to 254 range. Then open a web browser and go to http://192.168.0.1

Standard front Page here on a FW100

And here on a FW200 (note the second WAN settings)

Note: You can manage these firewalls from outside, for example from work, BUT you need to enter the IP range that you will be administering from. To do this select the “Expert Level” section and enter the range (note: if you only have 1 IP, add it in both the Start and End IP address sections). You then access the device from http://public_IP_address:8088

Remember this is a firewall, so always set a password for access. Select the “Config Password” section, then type and re-type a password. Then press Save.

Now to access the firewall the username is admin and the password you set above.

Upgrade the Firmware

You might wonder why bother. Well, I’ve used these firewalls in anger on corporate networks, and I’ve seen strange problems with VPNs and other bugs that have been fixed by simply upgrading the firmware. Remember these are old firewalls, so the last version of firmware released for them (called 18F) was released in Nov 2005. The FW100 firmware is here: vpn100_build18f, and the FW200 firmware is here: vpn200r_build18f. You will also need the nxtftpw.exe program, which you can download here: nxtftpw.

To check your firewall’s firmware version, connect to the firewall as above and select the Status section, then the Device section. Here you will see the firmware revision. This one says V1 Rel 8D, so it’s version 18D; we are going to upgrade it to 18F.

To Prepare the firewall for firmware updating, Power it off and drop dip switches 1 and 2 on the back. Then Power the firewall back on again.

On your PC launch nxtftpw.exe and enter the following information: under Server IP enter the IP address of the firewall, and in Local file navigate to the firmware file on your PC.

Warning: there are two versions of the firmware file, one looks like vpn100_18F_app.bin and the other looks like vpn100_18Fall.bin. Use app.bin; the all.bin will erase the configuration as well!

Click PUT.

It might take a while and say it’s retrying a few times. Be patient; when it’s finished it will say SUCCESS at the bottom.

Wait a couple of minutes, when the lights on the appliance all return to normal shut it down. Lift all the dip switches again and power back up.

Log back into the firewall and Check the firmware revision on the Status Tab > Device Section to make sure the version is correct, it should say V1 Rel 8F.

Basic Setup

For a simple home user you will want to set an external IP with a default gateway, some DNS settings. Then set your internal IP.

Main Setup Tab

If your ISP supplies your IP address via DHCP you don’t need to do anything that’s the default – note if you have a router that needs PPPoE settings these can be set up on this tab as well. Click Save when finished

Static IP & DNS Tab

Or if you have a static IP address enter it here with the subnet mask and the default gateway supplied by your ISP. Also note you can statically assign DNS servers here too, then your internal clients can point directly to the Symantec Firewall for their DNS settings. Click Save when finished

LAN IP & DHCP

Set your inside interface here – Note you can also set the firewall up as a DHCP server for your network as well. Click Save when finished.

Port Forwarding

Not all port forwarding is used for servers and complicated communications; simply downloading torrent software or playing online games may require you to forward a port to one of your clients. For this example I’ll port forward TCP Port 3389 (that’s RDP for the non-techs, so you can connect to your PC and server from outside – note doing this in the real world has security implications and is done at your own risk).

Custom Virtual Servers Tab

You need to give the protocol you are forwarding a name, like RDP, tick Enable, enter the IP address you want to forward it to, then enter the port number into ALL FOUR boxes. When done click “Add.”

This is what you want to be seeing 🙂

You will see the rule added at the bottom of the page – Note: As I said this is quite a security hole, so you can tick and un tick enable, then tick update to turn on and off as required.
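A way to confirm, from a connection outside the firewall, that the RDP virtual server and the port 8088 management page are only reachable when you intend them to be. This is an added example, not part of the original article; the function names `Test-TcpPort` and `Get-ExposureReport` are hypothetical and `203.0.113.10` is a placeholder for your own public IP address.

```powershell
# Added example: run this from OUTSIDE the firewall (e.g. a machine at another site).
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Address, $Port)
        # Wait() returns $false on timeout and throws if the connection is refused.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    }
    catch { return $false }
    finally { $client.Close() }
}

function Get-ExposureReport {
    param(
        [Parameter(Mandatory)][string]$PublicAddress,
        [Parameter(Mandatory)][hashtable[]]$Expected
    )
    foreach ($item in $Expected) {
        $open = Test-TcpPort -Address $PublicAddress -Port $item.Port
        [pscustomobject]@{
            Service  = $item.Service
            Port     = $item.Port
            Expected = if ($item.ShouldBeOpen) { 'open' } else { 'closed' }
            Observed = if ($open) { 'open' } else { 'closed' }
            Drift    = ($open -ne $item.ShouldBeOpen)   # $true = not what you intended
        }
    }
}

# What you believe the firewall is doing right now (edit to match your setup).
# Here the RDP rule has been unticked, and the test machine is outside the
# IP range allowed for remote management, so both should be closed.
$expected = @(
    @{ Service = 'RDP virtual server';     Port = 3389; ShouldBeOpen = $false },
    @{ Service = 'Remote management page'; Port = 8088; ShouldBeOpen = $false }
)

# 203.0.113.10 is a placeholder; replace it with the firewall's public IP address.
Get-ExposureReport -PublicAddress '203.0.113.10' -Expected $expected |
    Format-Table -AutoSize
```

Any row with `Drift` set to `True` means the rule state or the allowed management range on the firewall is not what you think it is.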

Site to Site VPN

A site to site VPN connects one network to another securely, across an insecure network (in almost every case the insecure network is the public internet). So you can connect two offices together, or connect your home PC(s) to the office network. You need a device at both ends that can terminate a VPN. At our end we have the Symantec; the other can be your corporate firewall or a VPN server.

To form a VPN you need both ends to agree a “Policy” as there are different methods of forming a VPN, the device at the other end must use the SAME settings as you do.

OK what do I need to know?

Encryption method: We will use 3DES

Hashing Method: We will use SHA1

Diffie Hellman Group: We will use Group 2

IP address of the other Firewall: We will use 123.123.123.123

Network address of the Other network (the far one you are connecting to): We will use 10.1.0.0

Subnet Mask of the Other network (the far one you are connecting to): We will use 255.255.0.0

A Pre shared Key: We will use qwertyuiop123

Note: This firewall uses a system called PFS. Tell the Firewall administrator at the other end of the tunnel to make sure that end has it enabled.

VPN Dynamic Key Tab

Give it a descriptive name > Tick Enable > PPPoE Session set to Session 1 > Select Main Mode > ESP 3DES SHA1 > SA Lifetime to 475 > Data Volume Limit to 2100000 > PFS enable

Gateway Address set to the IP of the other firewall > ID Type to IP Address > Pre Shared Key to qwertyuiop123 > NETBIOS Broadcast to Disable > Global Tunnel to Disable > Remote subnet to the network at the other end of the tunnel > Remote Mask to the mask at the other end of the tunnel. > Click Add

Hopefully you will see this.

You will then see the tunnel appear at the bottom of the screen.

And the connection will change colour and say “Connected” when the tunnel comes up.

Client to Gateway VPN (200R Only)

In a client to gateway scenario, you install the client software on a laptop or remote PC, you then use that software to connect to your network behind the firewall. With this method you can securely connect many clients to one firewall.

OK What Do I need to Know?

A username: We will use Jane

A shared secret: We will use 1234567890qwertyuiop

VPN Dynamic Key Tab

This sets the levels and method of encryption used by your remote clients. Type the name clients into the name box > Enable > Session 1 > Aggressive mode > ESP 3DES SHA1 > 475 Mins > 2100000 > PFS enable > Gateway Address to 0.0.0.0 > ID Type to Distinguished Name. Click Add.

VPN Client Identity Tab

Enter the username > Tick Enable > Type in the shared secret > Tick Add > The user will be displayed at the bottom.

Client VPN Software

Obviously this procedure is carried out on the remote PC/laptop.

Once you have the software installed (note you need to be a local system administrator to do this bit, or the software won’t let you in), fire up the software and give yourself a username and password (this can be anything – it’s just to log into the software, NOT bring up the VPN). You will be asked to confirm the password.

This is the main screen, you can save many tunnels to many firewalls, but we are just dealing with one, click new.

On the gateway tab, in IP address enter the IP of the outside of the firewall > Make sure download VPN policy is NOT checked > Enter your shared secret 1234567890qwertyuiop (as set up on the firewall) > Your client phase 1 ID is the name on the firewall – in the example above that’s “jane”.

Click the Advanced Tab > Under Gateway Phase 1 ID re-enter the IP address of the outside of the firewall.

Click the Tunnels Tab > Click New.

Tunnel name HAS TO match the policy you created on the firewall (in our case “clients”). Then enter the network address and subnet mask of the network BEHIND the firewall you are connecting to > OK > OK.

Back at the main screen click the Policies Tab > Set “Port Control Type” to “Wide Open”.

Click the Gateways Tab > Log Off > Close and restart the client software > Select the tunnel and click connect > In the progress log when you see a message stating “security gateway connected”.

Related Articles, References, Credits, or External Links

NA

Backup Exec Error – Exchange Backup “The VSS Writer failed 0x800423f3”

KB ID 0000307 

Problem

Backup Exec Exchange Backup fails with the following error,

Final error: 0xe000fed1 – A failure occurred querying the Writer status.
Final error category: Resource Errors
Writer Name: Exchange Server, Writer ID: {76FE1AC4-15F7-4BCD-987E-8E1ACB462FB7}, Last error: The VSS Writer failed, but the operation can be retried (0x800423f3), State: Failed during freeze

 

Solution

The Microsoft VSS writer that Backup Exec is using is in a failed state.

1. Drop to command line > Start > run > cmd.

2. Issue the following command,

vssadmin list writers

3. Look for the Exchange writer and see what state it’s in.

4. As you can see this one has failed. Reboot the server; 99% of the time that will fix the error. If not, see here.
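The check in steps 2 to 4, scripted so that every writer that is not stable is listed in one go. This is an added example, not part of the original article; the function names `Get-VssWriterState` and `Get-UnhealthyVssWriter` are hypothetical, and the sample output is constructed (only the Exchange writer ID is taken from the error above).

```powershell
# Added example: turn "vssadmin list writers" output into one object per writer.
function Get-VssWriterState {
    param([Parameter(Mandatory)][string[]]$Lines)   # raw output lines from vssadmin

    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match "^\s*Writer name:\s*'(.+)'") {
            # A "Writer name" line starts a new writer block.
            if ($current) { $writers += [pscustomobject]$current }
            $current = [ordered]@{ Name = $Matches[1]; Id = ''; State = ''; LastError = '' }
        }
        elseif ($current -and $line -match '^\s*Writer Id:\s*(\{[0-9a-fA-F-]+\})') {
            $current.Id = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*State:\s*\[\d+\]\s*(.+?)\s*$') {
            $current.State = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $current.LastError = $Matches[1]
        }
    }
    if ($current) { $writers += [pscustomobject]$current }
    $writers
}

# Return only writers that are not "Stable" or that report an error.
function Get-UnhealthyVssWriter {
    param([Parameter(Mandatory)][string[]]$Lines)
    Get-VssWriterState -Lines $Lines |
        Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample output (not captured from a real server); the instance IDs
# and the first writer ID are placeholders.
$sample = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-0000000000aa}
   Writer Instance Id: {00000000-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Exchange Writer'
   Writer Id: {76fe1ac4-15f7-4bcd-987e-8e1acb462fb7}
   Writer Instance Id: {00000000-0000-0000-0000-000000000002}
   State: [8] Failed
   Last error: Retryable error
'@ -split '\r?\n'

Get-UnhealthyVssWriter -Lines $sample | Format-Table Name, State, LastError -AutoSize

# On the server itself, from an elevated prompt:
#   Get-UnhealthyVssWriter -Lines (vssadmin list writers)
```

With the sample above only the Exchange writer is returned; an empty result on a real server means every writer is stable.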


Backup Exec – Cannot Display Job Logs “{name} contains an invalid path”

KB ID 0000334 

Problem

While attempting to open a Backup Exec job log, you see the following error.

Error
C:DOCUMEN~1ADMINI~1.COMLOCALS~1Temp1hist{logname} contains an invalid path.

Solution

1. Nice quick one, update the Microsoft XML Parser to a version greater than Version 6 SP 2.

2. If that fails to resolve the problem, click Start > run > appwiz.cpl {enter} > Locate Backup exec > Change.

3. Next > Select Repair > Follow the onscreen instructions.

 


Backup Exec – Error “0xe0009585 – Unable to open a disk of the virtual machine”

KB ID 0000349 

Problem

Seen while using Backup Exec 2010 R2, while attempting to back up an Exchange 2010 server (on Windows Server 2008 R2) in a VMware virtualised environment (using the VMware Backup Exec Agent).


Errors Read

Job Completion Status

Completed status: Failed
Final error: 0xe0009585 – Unable to open a disk of the virtual machine.
Final error category: Resource Errors

Errors

Backup- VMVCB::”Virtual infrastructure”
V-79-57344-38277 – Unable to open a disk of the virtual machine.

VixDiskLib_Open() reported the error: You do not have access rights to this file
V-79-57344-38277 – Unable to open a disk of the virtual machine.

VixDiskLib_Open() reported the error: You do not have access rights to this file

Solution

This involves two reboots of the target machine, so start planning downtime or warning your users.

1. Go to the Virtual Machine that you are trying to back up (in my case the Exchange server).

2. Start > run > appwiz.cpl > Locate and uninstall the VMware tools > when prompted to > reboot.

3. Reinstall the VMware tools but this time choose “CUSTOM INSTALL” > Locate the “Volume shadow Copy Service”.

4. Change the drop down so that this option will not be installed > complete the VMware tools installation and reboot when prompted.

 


Backup Exec Job Fails With an E000FE30 Error

KB ID 0000382 

Problem

A common error on Backup Exec version 12. Essentially the media server is losing communication with the Backup Exec remote agent. Note: Even if you only have one server it will still be running a remote agent!


Errors:
Final error: 0xe000fe30 – A communication failure has occurred
Final error category: Server Errors

V-79-57344-65072 – The Exchange Store service is not responding. Backup set canceled.

V-79-57344-3844 – The media server was unable to connect to the Remote Agent on machine {server name}

Remote Agent not detected on {server name}

Note: You may also see error E0000F04

Solution

1. Firstly make sure the Backup Exec Remote Agent service is running under the local system account. Start > run > services.msc.

2. Now locate your Backup Exec install media and locate the Remote Agent for Windows folder (usually in winnt\install). The one you pick depends on whether you’re running 32 bit or 64 bit software. Open the appropriate folder.

3. On a 32 bit server, double click the following two files: setupaa.cmd and setupaofo.cmd (nothing will happen other than a command window will flash up).

3. On a 64 bit server, double click the following two files: setupaax64.cmd and setupaofox64.cmd (nothing will happen other than a command window will flash up).

4. Finally launch Backup Exec and click Tools > Live Update > follow the instructions. Note: you may be asked for a reboot when it’s finished.

 


Backup Exec Error – ” The backup-to-disk folder that was specified for this job must be on a local NTFS volume”

KB ID 0000574 

Problem

I got this when backing up to an HP RDX removable disk backup system. The drive WAS formatted as NTFS, but the job failed with the following error;

Error:

V-79-57344-4608 – 0xe0001200 – This operation requires a backup-to-disk folder on a local NTFS volume on the media server. Check the job log for details

V-79-57344-4608 – The backup-to-disk folder that was specified for this job must be on a local NTFS volume. Create a new backup-to-disk folder on a local NTFS volume or modify the current folder, and then submit the job again.

Note: Seen on Backup Exec 10.x and 11.x

Solution

In my case the problem was because I was backing up Exchange (2003 on an SBS 2003 server) and it had the GRT option enabled. (Though in these older versions of Backup Exec they didn’t call it GRT).

With Removable Backup to disk Folders you cannot use GRT. Sorry either use a tape or a normal backup to disk folder. And that’s for Exchange, Active Directory and Sharepoint.

1. From within Backup Exec > Tools > Options > Microsoft Exchange > Remove the tick from “Enable the restore of individual mail messages and folders from Information Store backups” > OK.

2. That’s fine for all NEW jobs, but if you already have your backup job created you need to edit it. Navigate to Job Monitor > Right click the relevant job > Properties > Microsoft Exchange > Remove the tick from “Enable the restore of individual mail messages and folders from Information Store backups” > Submit > OK.

 


Backup Exec – Using RDX Drives

KB ID 0000578

Problem

I like RDX drives (they have advantages over magnetic tape), but they do have a drawback: throughput.

As you can see the removable drive/cartridges are just 1TB SATA Drives in a protective jacket, with a “write protection switch” on them.

So they should be perfect as a backup medium. The problem is that the drive carrier itself runs off the USB bus, so they can’t run faster than 48MB a second (I’ve not seen a server that has USB 3 on it yet). HP literature says that its backup rate is 108GB an hour. However, for a small business that can be more than acceptable. Its advantage is that it keeps the client who wants to take their backups home with them on a “tape” happy (because that’s what they have always done).

So the other week I found myself with a shiny new RDX Drive and an old SBS 2003 Server running Backup Exec 11d.

Solution

Note: If you are running Backup Exec versions 10 or 11 you CANNOT perform backups with GRT. If you want this functionality then you need to upgrade to a newer version (GRT to RDX drive works fine with Backup Exec 2010 R3).

1. Once you have physically installed the drive and connected it to the server’s internal USB interface, you should see the drive listed below disk drives.

2. With an RDX Cartridge loaded it behaves just like a 1TB Drive (because that’s exactly what it is).

3. To use the drive in Backup Exec you need to create a new “Removable Backup-to-Disk Folder”.

4. Give the removable folder a sensible name, and I set the maximum size to 1023GB to make sure it can’t try and outgrow the drive.

5. Once complete it will create “Media” in the removable folder that it names incrementally as it sees new cartridges, in the FLDR000001, FLDR000002, etc, format. Treat these the same as any other backup media, i.e. you can add them to media groups for different backup jobs.


Backup Exec Job Failed Error ‘A device attached to the system is not functioning’

KB ID 0000871 

Problem

I replaced a tape drive for a customer a couple of weeks ago. With the new one fitted I backed up a few files and restored them to make sure the new drive was OK, and checked the backups the following morning. They had failed with the following in the job log.

Job ended: xxxxxxxxxxxxxxxx
Completed status: Failed
Final error: 0xe00084f4 - An unknown error has occurred.
Final error category: System Errors
For additional information regarding this error refer to link V-79-57344-34036
Backup- C:
Storage device "HP 0003" reported an error on a request to write data to media.
Error reported:
A device attached to the system is not functioning.
V-79-57344-34036 - An unknown error has occurred.
Backup
A selection on device DC3SQL2008 was skipped because of previous errors with the job.
A selection on device Shadow Copy Components was skipped because of previous errors with the job.
A selection on device System State was skipped because of previous errors with the job.

 

At first it appears that the replacement drive is causing problems, so I had a look in the server’s event log and found the following:

Event ID 34113

Log Name: Application
Source: Backup Exec
Date: xxxxxxxxxxxxxxxxxx
Event ID: 34113
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxxxxxx
Description:
Backup Exec Alert: Job Failed
(Server: "DC3") (Job: "DC3- Daily") DC3- Daily -- The job failed with the following error: 
An unknown error has occurred.

Event ID 57665

Log Name: Application
Source: Backup Exec
Date: xxxxxxxxxxxxxxxxx
Event ID: 57665
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxxxxxxxxxxxxx
Description:
Storage device "HP 0003" reported an error on a request to write data to media.

Error reported:
A device attached to the system is not functioning.

Event ID 10

Log Name: Application
Source: Microsoft-Windows-WMI
Date: xxxxxxxxxxxxxxx
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxxxxxxxx
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE 
TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" 
could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. 
Events cannot be delivered through this filter until the problem is corrected.

Solution

It’s been such a long time since I’ve seen this happen that I struggled with it for a while. The reason I was seeing these errors was, this was an HP Server and Tape Drive. When you install all the HP Insight monitoring agents and software, it can cause this problem with Backup Exec.

1. Start > Run > services.msc {enter}

2. Locate and disable the services shown below.

3. Retry your backup job.


Symantec AntiVirus Asks For Password During Uninstall

KB ID 0000894 

Problem

I was finishing off a domain migration this week and was changing the clients over to McAfee. On one machine I found it had Symantec AntiVirus. When I tried to remove it, it asked for a password.

One of the other machines had Symantec Endpoint Protection installed and this did the same.

As expected, no one knew what this password was, and the default password ‘symantec’ didn’t work.

Solution

The same fix worked for both of them, and it’s painfully easy. While still being asked for the password, do the following.

1. Launch Task Manager (press Ctrl+Alt+Delete, or right click the taskbar, or simply run Taskmgr.exe).

2. Select the Processes tab and locate the MSIEXEC.EXE process. Note: There may be more than one; if so, select the one that is running under the user account that you are logged on as. DO NOT select it if it is running under the SYSTEM account. End the process.

3. Now the password request box will have disappeared, and the uninstall process will complete on its own.


Exchange Install Error ‘Setup cannot continue with the upgrade because the ‘beremote’

KB ID 0000475 

Problem

Seen when attempting to install Service Pack 3 on Exchange 2007, on a server that’s also running Symantec Backup Exec.

Hub Transport Role Prerequisites
Error:
Setup cannot continue with the upgrade because the 'beremote' () process (ID: xxxx) 
has open files. Close the process and restart Setup.
Client Access Role Prerequisites
Error:
Setup cannot continue with the upgrade because the 'beremote' () process (ID: xxxx) 
has open files. Close the process and restart Setup.

Mailbox Role Prerequisites
Error:
Setup cannot continue with the upgrade because the 'beremote' () process (ID: xxxx) 
has open files. Close the process and restart Setup.

Solution

1. First make sure you are not currently running any backups with Backup Exec.

2. Click Start > In the Search/Run box type services.msc {enter} > The services console will open.

3. Locate the “Backup Exec Remote Agent for Windows” Service > Right Click and stop it. (Note: In the example above I’ve stopped all the Backup Exec Services, just to be on the safe side).

4. Now try again to install the service pack.

 
