    WatchGuard Firebox x500 - HDD for Snort

      Sit_RP

      Steve,

      That is what I am reading on the Internet. It's supposed to be 44 pin IDE. I was trying to use Toshiba 2.5 2A02 hard drive, but it doesn't fit that connector. So trying to figure out whether connector on the box is not 44 pin, or connector on the hard drive is not 44 pin. If you can confirm that Firebox X500 uses 44 pin that would be great.

      Also, do you know what should be a good size for running IDS signatures?

      http://www.amazon.com/MK1031GAS-Toshiba-Super-Slimline-HDD2A02/dp/tech-data/B000JKZWOK/ref=de_a_smtd

        stephenw10 Netgate Administrator

        Ok, I opened my X700 (same box).
        On the motherboard itself there are two IDE connectors at the back right just behind the CF card. One is labelled IDEA1, that is a 44-pin laptop style connector, the other is labelled IDEB1, that is a standard 40-pin IDE connector.
        The hard disk caddy and its carrier is connected to the 44-pin socket. The very short piece of cable used should be sufficient to connect your drive. However I tried connecting a drive I had to hand and the master/slave select pins on the back of the drive obstructed the cable connector. Is that the issue you are seeing?

        The Snort signatures should not be more than a few GB. If they are the firebox will struggle because it doesn't have enough RAM to hold them usefully. 256MB (512MB max.) is a small amount of RAM for Snort which is very memory hungry. You will have to be careful not to load too large a signature base.

        Steve

          Sit_RP

          Steve,

          The male connector on the hard drive is too big for 44 pin IDE on firebox (short wire from mother board that attached to the hard drive bay).

          I have 512 of RAM. You don't think it will be sufficient to run Snort on this device?

            Sit_RP

            I found out what interface is on the drive. It's an ATA-6. That would explain why it doesn't fit. Sorry I don't play around with hard drives often.

            But yeah do you think IDS will work on this box if it has 512mb of RAM?

              stephenw10 Netgate Administrator

              Do you mean the plastic part of the connector is too large to fit or it has too many pins or the pin spacing is wrong?

              Snort will run but you will have to be careful not to ask too much of it. If it starts using swap space because it ran out of RAM it'll slow down dramatically!

              Steve

              Edit: Ah, ATA-6. It should still fit physically though.  :-\

                Sit_RP

                Firebox connector is too small. The number of pins looks similar but spacing between the pins is different.

                  stephenw10 Netgate Administrator

                  Weird. Googling for images of that drive it looks standard.
                  There are two groups of pins. 44 pins (in two rows of 22) that the connector should fit onto. Separately there are 4 pins that are used for master/slave/cable selection. The connector on the firebox cable is quite wide, because it doesn't have to connect to a drive normally, and it is obstructed by any jumpers on the select pins on my sample drive.

                  Any chance of a photo?

                  Steve

                    Sit_RP

                    Yeah I will upload them later when I have access to the box. I will attach pictures of the wire and connector next to it. The male on HDD is bigger size than female connector. Spacing is wider and the connector is longer.

                      stephenw10 Netgate Administrator

                      So more like a standard desktop IDE connector? I've never seen a 2.5" IDE drive with anything other than the normal 44-pin small pitch connector. I await the photos.  :)

                      Steve

                      Here's a picture of my drive and cable for comparison. It's a 20GB Toshiba drive.

                      Erm… photo a bit bigger than expected!

                      ![xcore ide cable.jpg](/public/imported_attachments/1/xcore ide cable.jpg)

                        Sit_RP

                        Steve,

                        I figured it out. I was being stupid…honestly...

                        Quick question, which pins need a jumper to configure this drive in the slave mode? I need to figure out how I can upload signatures to the IDE but run pfsense off the current CF card.

                        Thanks for your help...kinda wasted your time...

                          Sit_RP

                          Yeah…so far the box is not detecting the drive when I ssh into the shell and do "mount" and "df"...

                            Sit_RP

                            Oh man. I feel like all odds are against me here…I can't find serial cable to get into BIOS... ::)

                              stephenw10 Netgate Administrator

                              The jumper setting for master/slave is different for each drive but there is usually some instruction marked on the drive itself.
                              There is also a jumper on the motherboard I have a feeling could be something useful here, I don't have the box to look at right now.

                              If you get the box detecting the drive much the easiest way to use it is to boot from the HD exclusively, remove the CF card. Using both media types is not really a supported option. It can be done but there is some command line tweaking necessary and it probably wouldn't survive an update.

                              Accessing the bios on that box is not easy, you cannot do it with just a serial cable. There is no console redirect. You have to use a PCI graphics card and a keyboard header connector.  :(

                              Steve

                                Sit_RP

                                Is there a way to copy the content of the CF card to the hard drive? Fresh install is not going to work here for me since I have multiple patches installed on the CF card that fix issues with LED and LCD.

                                  Sit_RP

                                  Steve,

                                  Let me know if there is a way to port everything that I got on my CF card to the IDE hard drive. Let me know if I should create a separate thread in different category. Thanks for your help.

                                    stephenw10 Netgate Administrator

                                    No there's no way to move everything from Nano install to the full install. However you can backup and restore your config file to the new install. The config file is supposed to contain everything but if you have used the old manual LCD install and put WGXepc on there these will need manual reinstatement. Think of it as a good excuse to document all your custom changes.  ;)

                                    This is your thread so if the topic has changed slightly I don't think it's a problem.

                                    Steve

                                      Sit_RP

                                      Steve,

                                      Thanks for all your help. I think I will leave my Firebox alone for now. I am thinking about putting Snort on my Windows Server 2008. Looking at different topologies here. Looks like just need another NIC on it and SPAN a port on a switch. I am not very good with Linux…PfSense is awesome though...
