WatchGuard Firebox Review

Competent, basic front-end; the ports that I have assigned appear to be unattainable to outsiders

What is our primary use case?

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

What is most valuable?

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

What needs improvement?

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

For how long have I used the solution?

I've been using Firebox for two or three years.

What do I think about the stability of the solution?

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

What do I think about the scalability of the solution?

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

Which solution did I use previously and why did I switch?

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

How was the initial setup?

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

What about the implementation team?

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS, and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

What's my experience with pricing, setup cost, and licensing?

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

Which other solutions did I evaluate?

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

What other advice do I have?

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Updated: August 2021.