Policy Manager 12.6.1 corrupts Fireware 11.7.4 config

A client is on an XTM 25 running 11.7.3 (upgrading to a T20 SOON). I am unable to open his config in PM 12.5.3 or 12.6.1 and then save it without it corrupting the file's password length, changing them from 32 to 97 characters without any config changes being made. All I have to do is connect, download the config in PM 12.6.1 and save it, and POOF!...97-character password hashes. Both configs were opened in Notepad++ to compare them.

The XTM 25 won't save the changes to the box using either PM 11.7.4 or 12.6.1 after that happens, and it gets this error:

Error communicating with Firebox x.x.x.x
INTERNAL_ERROR: Error Line 12: The element "password" has a length of 97, which exceeds the maximum length of 32.

Why can't 12.6.1 manage Fireware 11.7.3? It has the OS Compatibility set to 11.4 - 11.8.x so it should work.

Gregg Hill
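The Firebox error above is the device's own schema check rejecting a `password` element longer than 32 characters. The same check can be run locally on the saved configuration before trying to push it, so the long hashes are caught on the workstation rather than at upload time. The script below is an added example, not code from the original post or from WatchGuard; it assumes the saved config is plain XML with Firebox-DB users represented as a `user` element containing `name` and `password` children. The sample config embedded in it is constructed for illustration and is not a real Firebox configuration.

```python
"""Pre-flight check: find <password> elements in a saved Firebox XML config
that exceed the 32-character limit an older Fireware release enforces.

Added example. Element names and layout are assumptions; the sample below
is constructed, not a real configuration file.
"""
import sys
import xml.etree.ElementTree as ET

# Limit quoted in the Firebox error: "exceeds the maximum length of 32".
MAX_PASSWORD_LEN = 32

# Constructed sample: one user with a 32-character hash (as PM 11.7.4 writes
# it) and one with a 97-character value (as the post reports PM 12.x writes).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <system-parameters>
    <device-name>XTM25</device-name>
  </system-parameters>
  <firebox-db>
    <user>
      <name>alice</name>
      <password>0123456789abcdef0123456789abcdef</password>
    </user>
    <user>
      <name>bob</name>
      <password>%s</password>
    </user>
  </firebox-db>
</config>
""" % ("a" * 97)


def find_overlong_passwords(xml_text, max_len=MAX_PASSWORD_LEN):
    """Return a list of (user_name, length) for every <password> element
    whose text is longer than max_len. user_name is "<unknown>" when the
    enclosing element has no <name> child."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for child in parent:
            if child.tag != "password":
                continue
            value = (child.text or "").strip()
            if len(value) > max_len:
                name_el = parent.find("name")
                name = name_el.text.strip() if name_el is not None and name_el.text else "<unknown>"
                findings.append((name, len(value)))
    return findings


def safe_to_push(xml_text, max_len=MAX_PASSWORD_LEN):
    """True when no <password> element exceeds max_len, i.e. the config would
    pass the length check the Firebox reported in the error message."""
    return not find_overlong_passwords(xml_text, max_len)


def check_file(path):
    """Run the check on a config file on disk; returns the findings list."""
    with open(path, encoding="utf-8") as fh:
        return find_overlong_passwords(fh.read())


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else find_overlong_passwords(SAMPLE_CONFIG)
    if not findings:
        print("OK: no password element exceeds %d characters" % MAX_PASSWORD_LEN)
    else:
        for name, length in findings:
            print("user %s: password element is %d characters (limit %d)" % (name, length, MAX_PASSWORD_LEN))
        print("Do not push this config to the older Fireware release; regenerate it with the matching Policy Manager.")
```

The check only detects the condition; it cannot shorten a 97-character value back to the original 32-character hash, so a flagged file still has to be regenerated with the Policy Manager version that matches the firewall, as the original post describes.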

Comments

  • WebUI works great.. :)

    Adrian from Australia

  • I don't need the slow-as-molasses web UI when I can just use PM 11.7.4 instead.

    What I wanted to do was use PM 12.5.3 or 12.6.1 to create aliases and then import dozens of IP addresses and IP ranges into them. How long does it take you to use the web UI in 11.7.3 to populate an alias with 100 IP addresses? I am trying to test it now, but I have to get Flash Player first.

    The web UI is VERY frustrating to use, CONSTANTLY requiring resizing columns so I can see the policy names, taking 1-2 seconds to change screens, etc. EVERYTHING that I do in the web UI is slow or requires the same steps over and over and over and over again. In PM, I resize my columns ONCE.

    OMG, it just took 20 seconds to change from Firewall Policies to the System menu. Yep, that makes me want to use the UI all day!

    Gregg Hill

  • Adrian,

    It took over 90 seconds to TRY to change from the System menu to Aliases, but the page never loaded. Please don't bring up the web UI again! And now it is unresponsive and I cannot even get back into it at all. Wonderful.

    Gregg Hill

  • James_Carson Moderator, WatchGuard Representative

    Hi Gregg

    Do you have Firebox-DB users on this firewall?
    Do any of them have long passwords?

    It's likely an issue with how passwords are hashed into the config file on older vs newer versions. We'd need to see the config file to be sure. Upgrading the firewall to a newer fireware version that supports the better hashes (11.9.x or better) would likely resolve the issue.

    -James Carson
    WatchGuard Customer Support

  • James,

    Yes, the client does have Firebox-DB users and it is those users whose passwords get changed from a 32-character hash to 97-character hash. If I just use PM 11.7.4, it works fine, staying at 32 characters, but PM 12.1.3 or higher instantly changes the hash to 97 characters when saving the config pulled from the 11.7.3 XTM 25. I have not tried any PM version in between 11.7.4 and 12.1.3.

    Why would it do that when the OS Compatibility is set to 11.4 to 11.8.x? It should know that those need to remain at 32 characters.

    My client is going to let me know when he gets a T20 and we'll go from there, but this SHOULD work now, even using PM 12.6.1 to manage 11.7.3 Fireware. He has always bought used devices and I am not sure where he is going to get the T20...he has not asked me about its pricing.

    I can email you the config file.

    Gregg Hill
