Symantec Security Gateway 5420

Dayblade

So, I am a rather new pfSense kid on the block, however that has not stopped me from changing out software/hardware whenever possible to get pfSense out there!

That being said, while shopping on eBay the other day for another Firebox, I stumbled upon a different security appliance that I thought would make a great addition at work.  So without further adieu, the addition of the Symantec Security Gateway 5420 can be added to the security appliance installed list with success! (at least for me!  ;D )

So notes on the installation for anyone thinking of trying this in the future:

1. Disable ACPI upon/during/after installation – seems the HD controller on the IWill board does not enjoy it much.
2. Remove the SSD drive as well as unplug / remove the original HD that came with the appliance (just in case stuff doesn't work :P)
3. Unplug the COM port cable that is located near the external com port connector -- this seems to drive the external display in which trying to run a console can be a bit confusing at times :P

Otherwise --- here is a screenie or two -- as well as a dmesg:
(pictures are from Matias Soler which gave me the idea that it could be done, his blog can be read here: http://gnuler.blogspot.com/)

dmesg report:
Copyright 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-RELEASE-p8 #0: Thu Jan  8 22:14:43 EST 2009
    sullrich@freebsd7-releng_1_2_1.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense_wrap.7
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) CPU 2.00GHz (1992.62-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf29  Stepping = 9
  Features=0xbfebf9ff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>Features2=0x4400 <cnxt-id,xtpr>real memory  = 528416768 (503 MB)
avail memory = 507404288 (483 MB)
wlan: mac acl policy registered
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cryptosoft0: <software crypto="">on motherboard
cpu0 on motherboard
pcib0: <host to="" pci="" bridge="">pcibus 0 on motherboard
pir0: <pci 14="" interrupt="" routing="" table:="" entries="">on motherboard
pci0: <pci bus="">on pcib0
vgapci0: <vga-compatible display="">mem 0xc0000000-0xc7ffffff,0xe0200000-0xe027ffff irq 11 at device 2.0 on pci0
uhci0: <intel 82801db="" (ich4)="" usb="" controller="" usb-a="">port 0xe000-0xe01f irq 11 at device 29.0 on pci0
uhci0: [GIANT-LOCKED]
uhci0: [ITHREAD]
usb0: <intel 82801db="" (ich4)="" usb="" controller="" usb-a="">on uhci0
usb0: USB revision 1.0
uhub0: <intel 1="" 9="" uhci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usb0
uhub0: 2 ports with 2 removable, self powered
uhci1: <intel 82801db="" (ich4)="" usb="" controller="" usb-b="">port 0xe020-0xe03f irq 10 at device 29.1 on pci0
uhci1: [GIANT-LOCKED]
uhci1: [ITHREAD]
usb1: <intel 82801db="" (ich4)="" usb="" controller="" usb-b="">on uhci1
usb1: USB revision 1.0
uhub1: <intel 1="" 9="" uhci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usb1
uhub1: 2 ports with 2 removable, self powered
uhci2: <intel 82801db="" (ich4)="" usb="" controller="" usb-c="">port 0xe040-0xe05f irq 9 at device 29.2 on pci0
uhci2: [GIANT-LOCKED]
uhci2: [ITHREAD]
usb2: <intel 82801db="" (ich4)="" usb="" controller="" usb-c="">on uhci2
usb2: USB revision 1.0
uhub2: <intel 1="" 9="" uhci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usb2
uhub2: 2 ports with 2 removable, self powered
ehci0: <intel 82801db="" l="" m="" (ich4)="" usb="" 2.0="" controller="">mem 0xe0280000-0xe02803ff irq 5 at device 29.7 on pci0
ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <intel 82801db="" l="" m="" (ich4)="" usb="" 2.0="" controller="">on ehci0
usb3: USB revision 2.0
uhub3: <intel 1="" 9="" ehci="" root="" hub,="" class="" 0,="" rev="" 2.00="" 1.00,="" addr="">on usb3
uhub3: 6 ports with 6 removable, self powered
pcib1: <pcibios pci-pci="" bridge="">at device 30.0 on pci0
pci1: <pci bus="">on pcib1
fxp0: <intel 100="" 82551="" pro="" ethernet="">port 0xd000-0xd03f mem 0xe0000000-0xe0000fff,0xe0020000-0xe003ffff irq 11 at device 0.0 on pci1
miibus0: <mii bus="">on fxp0
inphy0: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:d0:68:02:e7:93
fxp0: [ITHREAD]
fxp1: <intel 100="" 82551="" pro="" ethernet="">port 0xd040-0xd07f mem 0xe0001000-0xe0001fff,0xe0040000-0xe005ffff irq 7 at device 1.0 on pci1
miibus1: <mii bus="">on fxp1
inphy1: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus1
inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: Ethernet address: 00:d0:68:02:e7:94
fxp1: [ITHREAD]
fxp2: <intel 100="" 82551="" pro="" ethernet="">port 0xd080-0xd0bf mem 0xe0002000-0xe0002fff,0xe0060000-0xe007ffff irq 9 at device 2.0 on pci1
miibus2: <mii bus="">on fxp2
inphy2: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus2
inphy2:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp2: Ethernet address: 00:d0:68:02:e7:95
fxp2: [ITHREAD]
fxp3: <intel 100="" 82551="" pro="" ethernet="">port 0xd0c0-0xd0ff mem 0xe0003000-0xe0003fff,0xe0080000-0xe009ffff irq 10 at device 3.0 on pci1
miibus3: <mii bus="">on fxp3
inphy3: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus3
inphy3:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp3: Ethernet address: 00:d0:68:02:e7:96
fxp3: [ITHREAD]
fxp4: <intel 100="" 82551="" pro="" ethernet="">port 0xd100-0xd13f mem 0xe0004000-0xe0004fff,0xe00a0000-0xe00bffff irq 11 at device 4.0 on pci1
miibus4: <mii bus="">on fxp4
inphy4: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus4
inphy4:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp4: Ethernet address: 00:d0:68:02:e7:97
fxp4: [ITHREAD]
fxp5: <intel 100="" 82551="" pro="" ethernet="">port 0xd140-0xd17f mem 0xe0005000-0xe0005fff,0xe00c0000-0xe00dffff irq 10 at device 5.0 on pci1
miibus5: <mii bus="">on fxp5
inphy5: <i82555 10="" 100="" media="" interface="">PHY 1 on miibus5
inphy5:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp5: Ethernet address: 00:d0:68:02:e7:98
fxp5: [ITHREAD]
ubsec0 mem 0xe0010000-0xe001ffff irq 9 at device 6.0 on pci1
ubsec0: [ITHREAD]
ubsec0: Broadcom 5823
isab0: <pci-isa bridge="">at device 31.0 on pci0
isa0: <isa bus="">on isab0
atapci0: <intel ich4="" udma100="" controller="">port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xe060-0xe06f mem 0xe0280400-0xe02807ff at device 31.1 on pci0
ata0: <ata 0="" channel="">on atapci0
ata0: [ITHREAD]
ata1: <ata 1="" channel="">on atapci0
ata1: [ITHREAD]
pci0: <serial bus,="" smbus="">at device 31.3 (no driver attached)
pnpbios: error 1 making BIOS16 call
orm0: <isa option="" roms="">at iomem 0xc0000-0xcafff,0xe0000-0xeffff pnpid ORM0000 on isa0
ppc0: parallel port not found.
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A, console
sio0: [FILTER]
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
sio1: [FILTER]
speaker0: <pc speaker="">at port 0x61 pnpid PNP0800 on isa0
unknown: <pnp0c01>can't assign resources (memory)
unknown: <pnp0501>can't assign resources (port)
Timecounter "TSC" frequency 1992624860 Hz quality 800
Timecounters tick every 10.000 msec
Fast IPsec: Initialized Security Association Processing.
ad0: 38166MB <wdc wd400jb-00fma0="" 13.03g13="">at ata0-master UDMA100

Hope this helps
Dayblade</wdc></pnp0501></pnp0c01></pc></isa></serial></ata></ata></intel></isa></pci-isa></i82555></mii></intel></i82555></mii></intel></i82555></mii></intel></i82555></mii></intel></i82555></mii></intel></i82555></mii></intel></pci></pcibios></intel></intel></intel></intel></intel></intel></intel></intel></intel></intel></intel></intel></vga-compatible></pci></pci></host></software></cnxt-id,xtpr></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>

Darkk

Great write up btw.  8)

Couple of questions though.  It seems the unit contains several cooling fans.. Are they loud?

Also did the LCD display work?

emerio

The fans are not that noisy.  The only fan that is noisy is the blower on the CPU.

I have attempted to install pfSense on this device but haven't gotten very far.  OP, can you explain further how you installed this?  The farthest I got was to put the img on the hard drive and boot that way.

focalguy

Success!

I'm glad I happened into this post yesterday. We had a Symantec Security Gateway 5420 that was donated sometime this last year. I researched it a little bit and saw there was no more support for it and I didn't really see any reason to set it up. Seeing this post, I went back to check if it was the right model number and it was! I had a few hangups but eventually got it installed. I'll post the steps I used later but for now here is a few things:

Link to english translated blog: http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fgnuler.blogspot.com%2F2008%2F08%2Freciclando-un-appliance.html&sl=es&tl=en&history_state0=

emerio, for me, I installed 1.2.3-RC3 from the CD in another machine. I had to choose the "Easy Install" in order to get to choose the Embedded Kernel. Choosing this re-directs the output to from VGA to Serial. After the setup finishes, choose reboot and then when the computer has restarted to the BIOS screen turn it off and place the drive in your 5420 box. Connect to the terminal at 9600bps with a serial cable and you should see the startup prompt.

Darkk, I haven't been able to get the LCD to work with LCDproc yet but I'm going to keep trying for a bit.

Darkk

Sweet!!  Keep us posted and I'd be curious if you were able to finally get the LCD display working.

emerio

Thanks for the tip focalguy, I will try that.  Just need to find a machine that has IDE in it :)

emerio

Fantastic, worked like a charm!  For any others curious, it is pretty much exactly as focalguy described.  I used HyperTerminal with 9600 8-N-1.  Make sure you disable ACPI and have your hard drive plugged in to Primary!!  I had it plugged in to Secondary and it failed.

focalguy

Great! That is true, I had to mess with the jumpers as well. I also got the "mountroot>" prompt. If you type "?" at the prompt it will tell you the possible partitions it sees and you can type the correct one to get it to boot. I can't find an online reference of this problem but it was in the nice new pfSense book I just purchased! After you get it to boot, you need to edit the /etc/fstab file to change the partition it looks for every time it boots.

emerio

One tip that I must reiterate is to disable ACPI.  To do this, once you are in the Web GUI go to Diagnostic | Edit File.  For Save/Load from path: enter /boot/device.hints.  Hit Load.

At the bottom of the displayed file in the text area add:

hint.acpi.0.disabled="1"

Leave unmodified the other lines.  Hit Save.  This will allow you to boot without problem because ACPI will be disabled.

emerio

One odd thing I did notice was that when ACPI was not disabled and pfSense was booting (or trying to) the LCD display statistics!  It gave me load information and allowed the use of the front panel.  I haven't been able to get back to that point with pfSense booting but it looks promising.  I have no idea where it was getting the stats from, however.

focalguy

Yes, that is interesting. I forgot I did the same thing with disabling ACPI but maybe I didn't look at the LCD panel before I made that change. Did you notice any problems with booting without ACPI disabled? I feel like I missed the key press once before changing the device.hints file and it still booted.

I've tried LCDproc but I still can't get it working. I'd be interested if you can get that displaying correctly. Seems like it's not choosing the correct output device.

emerio

Without ACPI disabled the boot failed.  It would hang at disk mount.

When your box is booted does it still say Symantec 1.03 OK on the LCD?

focalguy

Ok. I found another one of these boxes in the back so I'll be setting it up again and I'll check out the ACPI thing again.

Yes, my box does say that exact message on the LCD screen from when the power is turned on.

Unplug the COM port cable that is located near the external com port connector – this seems to drive the external display in which trying to run a console can be a bit confusing at times

I'm also not sure about these instructions. I haven't noticed any difference when that cable is unplugged or plugged in.

emerio

LCD update…

I was able to write to the LCD display.  The actual device (on my box anyways) is /dev/cuad1

From SSH I entered "echo "test" > /dev/cuad1"  and it will show up on the bottom line of the LCD.

I also changed the LCDProc file /usr/local/pkg/lcdproc.inc.  I made the change below.

case "com2":
$realport = "/dev/cuad1";
break;

So, we just need a driver that simply echos to this device statistics that we want....

emerio

@focalguy:

Unplug the COM port cable that is located near the external com port connector – this seems to drive the external display in which trying to run a console can be a bit confusing at times

I'm also not sure about these instructions. I haven't noticed any difference when that cable is unplugged or plugged in.

Hasn't caused me any trouble either.

focalguy

Good work getting LCD working! I was actually looking at that file the other day but ran out of time before I tried any changes. Have you tried all the drivers to see if one works?

Hopefully I'll have a chance to try out the LCD tomorrow.

emerio

I tried a few.  I was looking for a simple "driver" in lcdproc.inc but none seem to do the trick.  Seems like it would be incredibly easy to write a driver for this but I am out of steam for today.

focalguy

Any luck on the driver emerio? I haven't been able to test the LCD panel any more but I did get it to display by echoing the same command you had.

I posted some detailed instructions on my blog for this install. Hoping to get it into the wiki eventually It's now in the wiki here: http://doc.pfsense.org/index.php/Install_pfSense_on_Symantec_5420_Security_Gateway. Hope that will help someone. Only difference is a few photos on my blog.
http://blog.oliverhansen.com/index.php/2009/11/18/install-pfsense-on-symantec-5420-security-gateway/

emerio

Nice addition to the wiki  8)  I haven't messed with the LCD since it is locked away in a room in the basement.  I did hook up a pertellian x2040 USB to the box.  Supposedly this uses the hd44780 which is in LCDProc.  I could not get this to work, either.

emerio

Is anyone making use of the PCI slot?