I got my hands on a Watchguard XTM505 as they're now EOL and decided that I liked UTM more than pfSense (DPI included for one) so did some research on how I could install it. Noticed that there was some interest online but either no-one had done it, or had but hadn't shared the experience, so I've put together this guide in case anyone else wants to do it. It's nice to share. I have to say, it's quite an elegant solution once it's all said and done.
Ironically, I had to install pfSense to flash the BIOS but otherwise was a pretty straightforward install.
So onwards as follows;
Pre Reqs:
- 1GB or bigger CF card (I used a SD>CF adapter as I only had SD cards)
- Upgraded RAM to 4GB (Might get away with less)
- Upgraded CPU (I used an Intel E5700, £3 on eBay!)
- SATA HDD/SSD (I used an Intel SSD I had lying around. Will probably replace it with a 60GB KinDian SSD from Amazon as they're only £15 and get pretty decent reviews)
- Console cable (115200,8,N,1)
Note that I initially installed this on the standard hardware (1GB RAM) and a 60GB 5400rpm HDD but found it to be quite laggy. 1GB definitely isn't enough and I wasn't sure the HDD was good enough to keep up once all the protections were enabled. I'm not going to use the web cache feature so I think SSD is the way to go.
Useful links for technical reference:
- http://www.lannerinc.com/phocadownload/user-manuals/FW-7581%20User%20Manual.pdf FW-7581 User Manual as this is basically the same board as in the XTM5 but with an upgraded CPU (XTM5 is based on the Lanner FW-7580)
- https://www.watchguard.com/docs/corporate/wg_xtm5De-MFR_instructions.pdf
- http://www.triebwerk23.de/joomla/index.php/firewalls/watchguard-xtm-5-xtm-505-515-525-545-pfsense-64-bit (German, I had to use Google translate)
- https://www.fastvue.co/sophos/blog/creating-your-own-sophos-utm-bootable-usb-installation-drive/
First install pfSense!
https://alpha-labs.net/2017/08/pfsense-on-watchguard/
Follow up to the “Watchguard Configuration” section as we only need to get to the point that the BIOS has been re-flashed with an unlocked version. Make sure you remove the CMOS battery and unplug for about 30 seconds after confirming that the BIOS update hasn’t created a nice red brick.
Summary of commands to update the BIOS;
Boot pfSense then select option 8 for a shell.
pkg install flashrom
rehash
fetch https://misc.alpha-labs.net/pfsense/xtm5_83.rom
flashrom -p internal -r backup.rom
flashrom -p internal -w xtm5_83.rom
To install UTM9:
- You need VGA output as the UTM installer outputs gibberish to the console. I used a breadboard to junction the Green, hsync, vsync and ground pins on J9 to a VGA cable. Feel free to wire up all 3 colours, but you don’t really need them.
- Attach a USB keyboard
- Power on and go into the BIOS and disable always boot from CF. Also tweak as required.
- Use Rufus to flash the UTM ISO to a bootable SD/CF (Tried using Etcher on my Mac but it didn't boot)
- Put the card in the XTM and boot to the UTM start screen
- Press ALT F2 to get a shell
- Find the drive containing the ISO image
- dmesg | grep sd (or sda…sdb…etc) (Will probably be sda)
- Mount the drive into /install [mount /dev/sda1 /install] (or whichever drive “sd” number you got from the previous step)
- Verify that the correct drive is mounted by typing [ls /install/install] It should show "install.tar" among other things
- ALT F1 back to the installer and install as normal
- Enjoy your new Watchguard UTM Appliance!
The only thing that irks me is the BIOS image puts “pfSense v1.8” on the LCD and I don’t know how to change it. :(
Also, the XTM5 has a Cavium 1605 SSL/IPsec accelerator card but I don't know if UTM9 supports it. Anyone know?
VGA Port connection (The VGA pins are relative to looking at the male connector end, not the solder side. 1 is top left)
| J9 Header Pin | VGA Connector Pin |
|---|---|
| 1 - R | NC |
| 2 - R GND | NC |
| 3 - G | 2 |
| 4 - G GND | 7 |
| 5 - B | NC |
| 6 - B GND | NC |
| 7 - HSYNC | 13 |
| 8 - KEY | NC |
| 9 - VSYNC | 14 |
| 10 - GND | 5 |
| 11 - DD_DATA | NC |
| 12 - DD_CLK | NC |
Hope this helps! :)
D
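An added example, not part of the original post: the BIOS step above writes a ROM fetched from a third-party site, so this sh script gates `flashrom -w` on two identical chip reads, a size match, and a SHA-256 match. The function names (`preflight`, `file_sha256`, `file_size`) and the `backup2.rom` filename are hypothetical, and the expected hash is a placeholder you must obtain from a source you trust.

```shell
#!/bin/sh
# Added example: pre-flight checks before `flashrom -w`. Not from the original post.

# Print the SHA-256 of a file using whichever tool is present
# (sha256 on FreeBSD/pfSense, sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Size of a file in bytes.
file_size() { wc -c < "$1" | tr -d ' '; }

# preflight BACKUP1 BACKUP2 NEWROM EXPECTED_SHA256
# Returns 0 only if: the two chip reads are identical, the new image is the
# same size as the chip dump, and the image hash matches the expected value.
preflight() {
    backup1=$1 backup2=$2 newrom=$3 expected=$4
    for f in "$backup1" "$backup2" "$newrom"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    cmp -s "$backup1" "$backup2" || { echo "chip reads differ; do not flash" >&2; return 3; }
    [ "$(file_size "$backup1")" = "$(file_size "$newrom")" ] || { echo "size mismatch" >&2; return 4; }
    [ "$(file_sha256 "$newrom")" = "$expected" ] || { echo "hash mismatch" >&2; return 5; }
    return 0
}

# Usage on the appliance (the hash is a placeholder you must supply):
#   flashrom -p internal -r backup.rom
#   flashrom -p internal -r backup2.rom
#   preflight backup.rom backup2.rom xtm5_83.rom "<sha256 you recorded>" \
#       && flashrom -p internal -w xtm5_83.rom
```

Keep `backup.rom` somewhere off the appliance once the checks pass, since it is the only copy of the original firmware.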