We just raised a $30M Series A: Read our story

WatchGuard Firebox OverviewUNIXBusinessApplication

WatchGuard Firebox is #3 ranked solution in top Unified Threat Management (UTM) tools. IT Central Station users give WatchGuard Firebox an average rating of 8 out of 10. WatchGuard Firebox is most commonly compared to Fortinet FortiGate:WatchGuard Firebox vs Fortinet FortiGate. WatchGuard Firebox is popular among the small business segment, accounting for 87% of users researching this solution on IT Central Station. The top industry researching this solution are professionals from a comms service provider, accounting for 34% of all views.
What is WatchGuard Firebox?

WatchGuard's approach to network security focuses on bringing best-in-class, enterprise-grade security to any organization, regardless of size or technical expertise. Ideal for SMBs and distributed enterprise organizations, our award-winning Unified Threat Management (UTM) appliances are designed from the ground up to focus on ease of deployment, use, and ongoing management, in addition to providing the strongest security possible.

WatchGuard Firebox Buyer's Guide

Download the WatchGuard Firebox Buyer's Guide including reviews and more. Updated: November 2021

WatchGuard Firebox Customers

Ellips, Diecutstickers.com, Clarke Energy, NCR, Wrest Park, Homeslice Pizza, Fortessa Tableware Solutions, The Phoenix Residence

WatchGuard Firebox Video

Pricing Advice

What users are saying about WatchGuard Firebox pricing:
  • "I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it... It works out to $100 or $200 a year if you buy several years at once. It's fair."
  • "I usually tell people that it's really affordable as well, particularly compared to Cisco."
  • "The pricing of WatchGuard is probably a little higher than the SonicWall, but it makes up for it in dependability. It's worth it to me, especially since it's not much higher. For just a little bit higher price you get the dependability of the firewall with the WatchGuard brand."
  • "The cost was somewhere in the vicinity of $2,000 to $3,000 for each one..."
  • "They license it. When we buy it, we buy it with a three-year license. That's the most cost-effective way to do it. So, if you're going to buy it, then buy it with the three-year licensing."
  • "WatchGuard had a very competitive price. It was only 10 to 20 percent more than a single instance device but with that extra cost it provided a second load balancing device... unlike other brands whose method of hardware and software licensing would have doubled our cost."

WatchGuard Firebox Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Peter Galgano
Owner at a construction company with 51-200 employees
Real User
Top 20
Competent, basic front-end; the ports that I have assigned appear to be unattainable to outsiders

Pros and Cons

  • "The ports that I have assigned appear to be unattainable to outside 'mal-actors,' unless they have an address registered on the internet that this thing is expecting. That's a layer of security."
  • "I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that."

What is our primary use case?

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

What is most valuable?

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

What needs improvement?

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

For how long have I used the solution?

I've been using Firebox for two or three years.

What do I think about the stability of the solution?

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

What do I think about the scalability of the solution?

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

Which solution did I use previously and why did I switch?

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

How was the initial setup?

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

What about the implementation team?

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS , and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

What's my experience with pricing, setup cost, and licensing?

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

Which other solutions did I evaluate?

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

What other advice do I have?

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Kelly Carlisle
Manager IT at a hospitality company with 501-1,000 employees
Real User
Top 20
Automated reports, generated regularly, enable me to see metrics showing what the box is doing

Pros and Cons

  • "WatchGuard has a very easy VPN and branch office VPN setup, so we use those pretty extensively."
  • "Regarding the reporting, I was in the Dimension server earlier today. It's very powerful. I like it. And the management features are easy to use. I like the fact that I can open up the System Manager client or I can just do it through the web if I'm making a quick change."
  • "Once you start getting into proxy actions and setting up: "Okay, cool. Once this rule gets triggered, what actions have to happen?" I do know a few people who use WatchGuard and they still have to get assistance when they look at that. So I would file that as a con for WatchGuard. Proxy actions can be a little bit complicated."

What is our primary use case?

WatchGuard Firebox is our edge firewall.

Currently, we are using the M470 and we have used many models in the past.

How has it helped my organization?

The solution provides our business with layered security. An example would be the intrusion protection on anything that is internet-facing. We host our own mail server and I regularly see that WatchGuard has swatted away attempts to get in from bad actors. I have to have that open because people have to connect on their cell phones. Obviously they have to send and receive mail. So I sleep a lot better knowing that something is watching the few things that I do need to present to the internet. I feel much better having something protecting and monitoring all traffic that passes through.

We have an interesting environment. There is actually a completely separate computer domain, an entirely separate network that belongs to a regulatory body. We work at a casino and our gaming commission has to be able to get into some of our systems and monitor some of our activities. Obviously we don't want them to just plug directly into our network, so we have created a DMZ where they can come into our network via the WatchGuard. That way, I get to see all of their activity as well and monitor what they can get to. We give them access to what they need and nothing more.

The solution also simplifies aspects of my job by having automated reports generated weekly, for review. I like the fact that they get delivered and I get to see the actual metrics of what the box is doing. The reporting features reassure me that it is working.

In terms of saving time, I have used Cisco firewalls in the past and I would say that it is easier to construct policies with WatchGuard than it is in Cisco, particularly Cisco's ASDM (Adaptive Security Device Manager). It probably takes about half the time with WatchGuard. Usually we're just modifying something, adding or removing somebody from a web blocker category. It's very easy to maintain.

As a casino, we have one site and that's it. There are no mobile workers. We usually don't have any remote access and we don't need collaboration tools because we all work in the same building. But now that we're trying to get some people to not come in [due to the Corona virus situation] and we're running on a skeleton crew, we are able to maintain productivity by leveraging the native VPN clients and access provided by WatchGuard. We didn't have to buy anything. We had all the infrastructure ready to go and then I slapped a policy together last Tuesday and we've been using it ever since. It was very easy.

What is most valuable?

  • One of the most valuable features is the Gateway AntiVirus. We scan all traffic as it's coming through.
  • We also use spamBlocker to scrub spam.
  • We use content filtering, which is critical in any corporate environment to make sure that people don't surf things they're not supposed to.
  • WatchGuard has a very easy VPN and branch office VPN setup, so we use those pretty extensively too.

It's very easy to use.

And our internet bandwidth does not exceed its throughput, so it is probably still a little overbuilt. It's definitely not a bottleneck. There is no problem with throughput.

In terms of performance, WatchGuard has always worked well for us. We've gone through about six different models in the last nine years, not all at our primary site. We had a couple of satellite offices that were using smaller models. They have all worked very well. There was only one time that we had a performance issue and it turned out that it was due to a hardware replacement being required, and that was handled expeditiously.

Regarding the reporting, I was in the Dimension server earlier today. It's very powerful. I like it. And the management features are easy to use. I like the fact that I can open up the System Manager client or I can just do it through the web if I'm making a quick change.

What needs improvement?

WatchGuard could be a little more robust in reporting. I get requests a lot to figure out people's internet traffic. We want to know what people are doing when they are on the internet. There is still a little bit of fine-tuning that can be done to that process.

For how long have I used the solution?

I took over the admin role here back in 2011, so I've been using it for close to 10 years.

What do I think about the stability of the solution?

It's very solid. We don't reboot it very often and we don't seem to need to.

What do I think about the scalability of the solution?

We went from a single appliance to a high-availability cluster, just last year. Managing the cluster is just as easy as it was to manage one unit.

It is doing everything we've asked of it so far, but we do plan on increasing usage. There are a few features that came out last year or maybe a little bit before that, features that we want to start using, such as WatchGuard's DNS. That will make sure that we're not asking for any bad players. At the moment we're still using Google DNS. And we haven't rolled out the endpoint security that came with it, but we are going to start using that as well.

How are customer service and technical support?

I've never had to use their technical support. I've only used their online help. I've been able to find everything I need in the forums and the Knowledge Base.

How was the initial setup?

The initial setup is straightforward. The wizards walk you through it, and I have found an answer to anything that I've ever had a question about in the Knowledge Base online. I don't think I've ever had to call for support personally. The documentation is awesome.

As for setup time, I usually have traffic passing through it within an hour or two. 

I know what traffic I want to allow out and I always start with just the stuff that I need to. I always start with the most restrictive, as far as policies go. The first thing I do is get rid of all the Any-Any rules and then I start locking it down. I love the way that it integrates with Active Directory. I base my internet usage and my web blocker policies on Active Directory security groups, and I can have all of that stuff set up ahead of time before I ever get ready to roll out the appliance itself.

Back in the day, we used to have a warehouse. We used to have a uniform shop that was offsite and I was responsible for setting up the tunnels of those sites. We recently relocated some administrative offices for the tribe that owns the casino that I work for, and we decided when they were moving that we would upgrade the firewall that they had. We purchased a WatchGuard so that it would be manageable, because we were already familiar with it from using it at our site. We dropped it right into place and I had traffic passing through it within minutes. I was done with it, doing all the other rules, within a couple of hours. I was onsite for all of those. I've never preconfigured one and then sent it out into the wild.

What about the implementation team?

We use Variable Path, out of San Francisco. Our rep is Jason Chang. Our experience with them was very good. I would recommend them.

What was our ROI?

It's hard to measure ROI. But I've never had to go in front of upper management and tell them that we were breached. That is probably the conversation I would least like to have with them.

Otherwise, regarding return on investment, having the infrastructure already here and having more capabilities than we're using right now allow me to react very quickly. As I said, I was able to get some people working from home last week. It literally took us a day from going from zero people with remote access to a core group of about 12 people having remote access.

What's my experience with pricing, setup cost, and licensing?

Getting a WatchGuard for the first three years pays for the hardware. I think it's cheaper to keep doing hardware upgrades at every software renewal, rather than just pay for maintenance to keep a piece of hardware going. I usually tell people that it's really affordable as well, particularly compared to Cisco.

In addition to the standard cost, we usually get the Total Security Suite. We go top-shelf on all of the subscription services.

Which other solutions did I evaluate?

WatchGuard was brought in by one of my predecessors. I left this company for a little while and went to go work for a credit union, and that was a completely Cisco shop, so I got to experience both of them at different times.

I don't think I've actually used anything other than the Cisco ASA. With the WatchGuard it's easier to create policies, that's for sure. I like the flexible stability of being able to leverage objects in Active Directory. I also like being able to not have to create all my policies using IP addresses, and that I can actually do web domain name lookups every time. That's very handy for large, distributed stuff where you have no idea where the actual source is going to be coming from. The cloud bounces traffic from all over nowadays. So crafting rules with fully qualified domain names, FQDN, is definitely something that I did not have in my Cisco ASA.

The Cisco was a little less confusing and more straightforward. It didn't do all of the things that the WatchGuard does, so in that sense it was a little bit easier to understand. That is particularly true once you start getting into proxy actions and setting up: "Okay, cool. Once this rule gets triggered, what actions have to happen?" I do know a few people who use WatchGuard and they still have to get assistance when they look at that. So I would file that as a con for WatchGuard. Proxy actions can be a little bit complicated.

What other advice do I have?

Invest in some Professional Services. Although you can absolutely pull it out of the box and deploy it — and we've done that before — it's always good to have somebody that you can ask about best practices and run a few scenarios by them. We ended up purchasing four Professional Services from our local reseller. It was good. Although they didn't really provide any answers, they were there to say, "Oh no, you're doing the right thing." It was more reassurance than anything. But I would definitely recommend springing for some Professional Services. That will make the whole process go a lot easier.

A small subset of my staff, maybe three or four people, is involved in deploying and maintaining the solution. They're all IT administrators.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Learn what your peers think about WatchGuard Firebox. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,136 professionals have used our research since 2012.
GT
Director of Information Technology at a retailer with 201-500 employees
Real User
Top 20
Allows me to schedule rebooting of the wireless accent points on a regular basis, making it set-and-forget

Pros and Cons

  • "Among the most valuable features is the ease of use — love the interface — of both the web interface and of the WatchGuard System Manager."
  • "If they could make the traffic monitoring easier that would be great. I don't use it that frequently, but I would like to see some improvements in the ease of use of that component, so it makes more sense. I know it's a technical component so there's going to be some difficulty trying to make that easier."

What is our primary use case?

We have multiple sites. We're in the wine business. Our corporate office is where we have accounting and marketing. Our executives are based there as is IT, HR, and payroll. That's where we have the big M200. We have five wineries that we support. Each of the wineries has a WatchGuard on it and we connect them with the business office VPN. 

We share files across our VPN and we also authenticate our users. Not all of our sites have file servers so we use the business office VPN to get them authenticated onto their machines. We also use that to go out and work on their machines if they have problems or we send files out to them and install software remotely, etc.

We also have 11 tasting rooms where we sell our wine, and each of those has a smaller WatchGuard in it. We support the computers that they use in the back office of the tasting rooms. We also support their iPads and the machines that they use to print off orders and FedEx labels and to do inventory stuff. 

We have two hospitality sites where we will take our distributors to talk to them and educate them about the wine industry and what we're doing in the industry. We provide them with internet while they're there. Some of our people will go to these sites to do retreats and planning. We have WatchGuards there to support them so they can get back to the files they need and get authenticated.

We're using a whole variety of models. We've got a couple of M200s, multiple 30s and multiple 15s. We also have about 15 of the AP120s.

How has it helped my organization?

The solution simplifies traffic management. It has features that let me automatically reboot the wireless access points on a weekly basis. For us, that has been really beneficial. Prior to that we had a range of different wireless access points and there was no way to have them all reboot. So people would just have bad experiences using them and we'd have to go in manually and reboot them. Once we started using the WatchGuard wireless access points, we just scheduled them to reboot automatically. 

Both the throughput and the fact that they support the two different radio frequencies have been great for us. It has paid for itself because we don't have to deal with them anymore. They're a set-it-and-forget-it type of deal.

The solution has saved me time, but it would be hard to come up with a specific amount of time. The bottom line is that I just don't have to deal with it.

What is most valuable?

  • Among the most valuable features is the ease of use — love the interface — of both the web interface and of the WatchGuard System Manager.
  • It's a stable platform. The devices are pretty rock-solid.
  • Education: They do host regular webinars where I can go in and learn more about the product and new features.

Also, the throughput is good value for the money. Our corporate office is basically shut down [due to COVID-19]. We've got 100 people who have been working from home over the last month and we're using the SSL VPN connection to get in, get authenticated, to get to our files, update passwords, etc. The throughput has been good for that.

I'm impressed with the solution's reporting and management features.

What needs improvement?

If they could make the traffic monitoring easier that would be great. I don't use it that frequently, but I would like to see some improvements in the ease of use of that component, so it makes more sense. I know it's a technical component so there's going to be some difficulty trying to make that easier.

Also, if they could provide more examples in their documentation, that would help. Sometimes they will say, "Hey, go in and set this up," and it would be so much easier to do it if they put in a couple of examples and showed me. Imagine instructions on how to change a tire and the steps you go through. Give me some pictures or some examples of how you change the tire. Where do you put the jack so it doesn't tear up the fender on your car? I'm a person who loves looking at examples cause I can look at things and see how they applied them and then learn from them.

Even if they put in some snapshots and said, "Here's how this should look after you put this information in," that would help. It would be confirmation that this is accurate and this is going to work. 

Finally, when we did the split tunneling, as it turned out, that was an all-or-nothing, global setting. As soon as I did that it impacted everybody. What I was hoping to do was to set that up so that I could do a pilot group and, once it was working, I could turn it on for everybody. We needed to get it going and it was all-or-nothing. We did that on a weekend and it ate up my weekend time.

For how long have I used the solution?

In my current position, I have been using WatchGuard Firebox since 2016. Prior to that, I was at another place and I used a WatchGuard for about 12 years.

What do I think about the scalability of the solution?

The scalability is fine but we're not experiencing a whole lot of people using it. Our Seattle office is probably the one where it is used the most and the M200 is fine. Our corporate office has close to 70 or 80 people. And we're spread out nationwide, with people getting back into the corporate office to get files. We have our wineries where there are another 40 people or so. Some of them are smaller and would have 12 or 15 people. And the tasting rooms are typically three people.

We opened up two new tasting rooms in the last year and we've got two more that are going to be opening up and, in my requirements, I always put in WatchGuard.

How are customer service and technical support?

For everything that I've dealt with, their technical support has been really great about helping out and helping me fix things. I just worked two weeks on a project to split our VPN tunnels out and the WatchGuard technical support guys helped me with that a couple of times.

Which solution did I use previously and why did I switch?

WatchGuard was already installed here when I came onboard and that was one of the reasons I got hired. I'd had experience with WatchGuard before and I knew about the product and I could support it. They brought me in for that. And now, over the last four years, I've gone through and upgraded the hardware. The hardware was older hardware, it was out of date, so I went through an upgrade and got it back on a maintenance plan.

In working with our WatchGuard vendor, they're the ones who emphasized that we should be getting off of Remote Desktop Protocol from Microsoft because it was being hacked so badly. They're the ones who said that WatchGuard has this SSL VPN and it's free, so they just configured it and away we went.

How was the initial setup?

For me, the setup is straightforward. Part of that is that I've just done it so frequently. On average, deployment of these devices takes me about 15 or 20 minutes. I know what I've done on other machines, so I just do the same thing again on new ones.

For deploying them to distributed locations, we order from our vendor. When it arrives I get it authorized on our account, go in and set up some basics, and set it up so I can get to it remotely. Then I ship it off. I've got some hands-on people, operations people, at the winery who will take it and start to plug it when they get it.

For maintenance of the solution there are three of us on the IT team.

What was our ROI?

The fact that they're reliable pieces of equipment is part of the ROI. I know when I go back into it, it's not like it's going to drop how it's been programmed. 

It also has a great function for my needs because I work remotely to many other places in Idaho, Eastern Washington, New Mexico, etc. I know I can get into that box remotely and it's going to have the configuration that I set up.

What's my experience with pricing, setup cost, and licensing?

I'd love it to be cheaper, but as long as long as they're being fair with me, it's a good value.

Which other solutions did I evaluate?

I've never had a need to evaluate other options.

What other advice do I have?

Take a good hard look at it. The interface is pretty easy to work with. The devices are consistently good. It has a lot of features and the boxes are hard-working. They just work.

I recommend WatchGuard to people when I'm at industry trade shows when anybody asks me. I think it does provide me with layered security, but I don't spend a lot of time looking into that. It's just part of my total solution package. The value that I get out of it is consistent management. It's a good product. Whatever kind of additional security they provide to me is just a bonus.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jason Markle
IT Director at a healthcare company with 1-10 employees
Real User
Top 20
I don't have to worry about malicious attacks or vulnerabilities in our facility

Pros and Cons

  • "The policy monitoring and allowing different traffic flows are the most useful features for us; regulating which traffic comes in and out."
  • "I'm not really impressed with the reporting side of it. It may be something I just haven't figured out very well, but it's hard to filter down on reporting of the actual valuable information that you would want. There is a lot of information out there so you have to have some kind of tool capture it and then filter through. So far, I haven't found the reporting side of the WatchGuard to be that user-friendly."

What is our primary use case?

We're a hospital and we use it for developing our incoming and outgoing policies, and we also use it for VPN.

How has it helped my organization?

It helps keep unwanted traffic from coming in, or traffic from going out that we don't want to see out there. If we have unwanted traffic coming in, traffic that we don't need as a facility, then we would be opening ourselves up to security problems and vulnerabilities. It helps because malicious attacks coming in are things I don't have to worry about. So far the WatchGuard has done a good job at blocking all that.

In terms of simplifying my job, the simplest device is one that you can put in place and not have to worry about it. That's the WatchGuard. It's there, it's working. I don't have problems with it so it's "out of sight, out of mind."

It also saves me time, by doing what it's supposed to do. I don't have to mitigate problems that it allowed through. I couldn't tell you how much time it has saved me. It really would depend on what kind of problems I might experience.

What is most valuable?

The policy monitoring and allowing different traffic flows are the most useful features for us; regulating which traffic comes in and out.

In terms of the throughput and performance, we don't have a problem or any bottleneck there. We downgraded the size of our appliance because we're a small facility, and what we had before was actually too big. The one we are now going with seems to be doing a great job.

The management feature is pretty nice.

What needs improvement?

I'm not really impressed with the reporting side of it. It may be something I just haven't figured out very well, but it's hard to filter down on reporting of the actual valuable information that you would want. There is a lot of information out there so you have to have some kind of tool capture it and then filter through it. So far, I haven't found the reporting side of the WatchGuard to be that user-friendly. I would definitely like to see better reporting tools from WatchGuard. That would be a very high priority for me.

Also, setting up the site-to-site VPN is pretty easy with the WatchGuard, but the client VPN setup is not very friendly. If you have a client-to-device VPN that you need to set up for a mobile user there are different protocols that they will accept but none of them are a plug-and-play type of option.

For how long have I used the solution?

The organization has had WatchGuard, different versions, for 12 years. I've used WatchGuard, myself, for about seven years. We got the Firebox approximately three years ago.

What do I think about the stability of the solution?

The stability is great. I've not had any problems. In three years, we've had to restart the device maybe twice. We've had to restart it more than to clear out any cache, because you don't want anything building up in cache memory. But we've only had two problems where we needed to restart the device. And it actually restarts really fast. It doesn't have much downtime at all.

What do I think about the scalability of the solution?

It's used extensively. This is the only firewall we have in the facility, between the hospital, nursing home, and home health. It handles all the traffic that comes from all three campuses here. I don't see us expanding enough to worry about getting another device. This one seems to be doing exactly what it needs to do.

How are customer service and technical support?

I've only had to use their technical support twice in quite a few years, so it would be hard for me to rate. But they were responsive when I did have a problem. I haven't had any problems with support at all.

Which solution did I use previously and why did I switch?

I moved here in 2013 and the company was using the WatchGuard at that point.

How was the initial setup?

With this newest device, the initial setup was pretty straightforward. We were able to copy the configuration from the old device. That's a good thing about it: the configuration file is able to transfer from an old device to a newer device and just continue going. It takes a long time to build up different traffic policies, and to make exceptions for different websites. If you had to do that every time you got a new device, that would be a problem. Luckily, with this, you're able to save your configuration file and transfer it to the new device.

The deployment of this new device took 30 minutes, at most. There are only three people in our IT department, but the deployment only required me to be involved. The other two guys are network technicians. All three of us can go in and modify policies or do whatever we need to do, but it generally doesn't take much maintenance.

I got on the phone with WatchGuard to make sure that everything would transfer over and they assured me that it would. And as far as the switching over to the new device goes, most of the planning required was just letting users know that the internet was going to go down for just a little while. We planned it for a period of slow usage here at the hospital where we could bring it all down, copy the config file, move it to the new device, put it in place, and swap the connections over. It came right up. We had to import the new key and got it activated. But other than that, everything worked.

What was our ROI?

ROI on this type of solution is a hard number to quantify. We've not had a problem so that in itself is a return on investment. If you don't have an issue how do you calculate what your return of investment would be? How do you quantify the peace of mind? But we've not had to spend a lot of time troubleshooting.

What's my experience with pricing, setup cost, and licensing?

The pricing of WatchGuard is probably a little higher than the SonicWall, but it makes up for it in dependability. It's worth it to me, especially since it's not much higher. For just a little bit higher price you get the dependability of the firewall with the WatchGuard brand. 

And with this appliance you also get a certain number of VPN tunnels. With this one, it's something like 500, not that we would even use that many. Whereas with SonicWall, at the time we were using it, it came with 10 and then anything over that had to be purchased.

Money-wise, it's a one-and-done with the WatchGuard. With SonicWall, there were a few things that you had to pay extra for to get. 

The subscription services with the WatchGuard are pretty nice.

Which other solutions did I evaluate?

I used the SonicWall at another hospital in southwest Arkansas. 

WatchGuard has come quite a way, as far as the Fireware Web UI goes. The GUI application has become better, making it easier to navigate through setting up policies and setting up VPN tunnels, etc. SonicWall had been there quite a while longer than WatchGuard, in terms of being user-friendly. But I can't complain about the WatchGuard now. When I first moved here, it was very cumbersome to navigate through, but with the Web UI it's really improved.

They do have a client that you can connect to the WatchGuard if you want to use that client. It's still kind of clunky for navigating and I very seldom use it anymore. They call it the WatchGuard System Manager. It's not quite as friendly as the Web UI. It's usable, it's just not really friendly. But the Web UI is very well done.

What other advice do I have?

My advice would be go for it. We've not had any problem with it. We've been very pleased, especially with the newer WatchGuard we've put in place. It's very responsive. It works great. It may have a little bit of a curve on learning it, but once you learn it, it's hard to say you'd want to go back to something else.

It took me a little bit to get used to WatchGuard. I was familiar with SonicWall before I moved into this role. But now that I've used it for almost seven years, I've gotten to know it pretty well and it works great. Once you get used to what I would call the idiosyncrasies of WatchGuard, as opposed to the SonicWall, it's pretty easy to configure. Using the WatchGuard web UI also makes it a lot easier to configure.

It provides us with somewhat layered security. It is the firewall between us and the outside world. With our subscription we do have the Gateway AV, so it does watch for things of that nature. We have certain policies in place that help with the layered part of it. But it's just one of many layers. We have other things in place to help, but it's definitely something I wouldn't want to do without.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
GH
Network Administrator at a retailer
Real User
Provides us with more secure site-to-site VPN, remote access ACLs, and client-to-VPN

Pros and Cons

  • "It's hard to pick one feature over another. But if I had to pick one, the UTM would be the most valuable because of the notification. I get notified via email if there is any type of threat detection or alert, telling me something is wrong."
  • "Websense is an application that monitors and filters internet traffic. Websense was derived from WatchGuard. But when you go to WatchGuard to actually implement that particular feature, you have to use some type of additional feature and you have to pay for it, unfortunately. I think it should be free or free in the WatchGuard box itself, as an option. It would be nice if they didn't charge us for that."

What is our primary use case?

We have four locations and at every one of them we use WatchGuard. We use them as firewalls and for UTM. They provide protection in terms of detection and prevention. And we also use them for site-to-site VPN, as well as for direct connect, VPN to AWS, and to AWS using VLAN tagging.

How has it helped my organization?

One of the main ways it has helped is that we use site-to-site VPN a lot, as well as remote access ACLs and client-to-VPN. Prior to WatchGuard, for example, we used to use Remote Desktop, which is not very secure, or RD Web, which is also not very secure. We installed the client VPN on everyone's remote computer and they can access our local area network. That is much better than using the other solutions. It's an improvement for the user and it's less risky for us. It gives us peace of mind that we're using the proper channels to access our network.

What is most valuable?

It's hard to pick one feature over another. But if I had to pick one, the UTM would be the most valuable because of the notification. I get notified via email if there is any type of threat detection or alert, telling me something is wrong.

For me personally, because I'm Cisco-Certified, it was very easy to take this over. I think it's a lot easier to work with because it's a GUI and not a CLI. I cannot speak for other users or other administrators, but it's pretty simple.

Based on our needs, the throughput is pretty solid. We haven't had any issues as far as the throughput is concerned. This particular box maxes out at 2 GBs and we only have 1 GB so we haven't had any latency.

I manage it using the System Manager, based on the firewall access control that I have. I've been able to manage it and use it without any problems.

What needs improvement?

Websense is an application that monitors and filters internet traffic. Websense was derived from WatchGuard. But when you go to WatchGuard to actually implement that particular feature, you have to use some type of additional feature and you have to pay for it, unfortunately. I think it should be free or free in the WatchGuard box itself, as an option. It would be nice if they didn't charge us for that.

And if they won't offer it for free, they should offer something better. It definitely needs a big improvement because it's very unfriendly. It's called Dimension Basic and there is a reason they call it basic, because it gives you very basic information. Let's say you want to track someone's internet activity or where they've been going. Websense gives you detailed information as far as the source. But this one only gives you very basic information and, on top of that, it's a free version for only a few months and then you have to pay for it. So not only is the version very basic but you still have to pay for it. That, in my opinion, has room for improvement.

Everything else that we have, the live security services and network discovery and all the spam blocking, threat protection, and the web blocker, is included.

For how long have I used the solution?

We've been using Firebox for as long as I can remember. I inherited this position close to 13 years ago and they'd been using it before that.

What do I think about the stability of the solution?

For the most part, everything seems to be working without any issues. That's why we've had it for this long, close to 17 years for the company and, under me, for 13 years. There are more pros than cons.

We haven't had any issues. I always buy an additional box as a Hot Standby. I have never had to use it, and thank God for that. So it's been very stable. We keep them for a maximum of three to four years and then we upgrade to a newer one. For the time that we keep the box active, we don't have any issues.

What do I think about the scalability of the solution?

In terms of scalability, as far other features go, we're stuck with what we have on the physical appliance. For example, we had one that was set to 300 MBs for throughput and when we wanted to upgrade, we couldn't obviously use that same box. It wasn't really scalable. So we had to upgrade to a newer version.

We have four locations and approximately 400 users. We don't have any firm plans to increase usage. The owner of our company just acquired another company and that may make a difference. WatchGuard is the main component that we use. The subscription for all four of the WatchGuards that we currently have ends in 180 days. We're just going to upgrade to the newer version, if it's available. 

How are customer service and technical support?

There was an incident, back in the day, where I called for support and the guy sort of brushed me off. It was very uncomfortable but it could have been an isolated incident. I don't want to say that all the support engineers are the same. But this particular guy was either drunk or rude.

Other than that, it's been very smooth sailing for us, as far as support goes.

Which solution did I use previously and why did I switch?

We have always been using Cisco. They decided that WatchGuard would be beneficial to keep because it's GUI and it's a lot easier to work with than other products, especially for junior admins.

How was the initial setup?

I set it up all the time and it's very straightforward. It's very easy to set up and very easy to migrate over to a newer version. It's really simple. I've only done a new deployment once. 

For upgrades, you save the configuration and you upload it to a new file, or you just open a new file and browse to the configuration file that you saved. It usually takes 10 minutes at the most.

But the first deployment, because it was obviously more involved, took a few hours. Setup included the site-to-site VPN, the client VPN, the actual interfaces, the static NATs, a lot of the firewall policy, the internet certificates, and the policy routing; the basic components of any router.

Deploying WatchGuard to distributed locations is mainly the same. Obviously, there are differences in the IP addressing and the network addresses. And you have to take care of the VPN connection between the two, to be able to communicate using the site-to-site VPN. There is also web blocking. We have certain policies for denying access to certain sites or certain applications. We don't allow, for example, weapons or sex or any of those kinds of solicitation sites. We then set the external and internal interfaces and then do the routing. In the some of those locations we use the WatchGuard as a DHCP server, so we set that up as well. The rest is all pre-configured.

What's my experience with pricing, setup cost, and licensing?

We have had two-year deals in the past, but recently we decided to go with annual. The cost was somewhere in the vicinity of $2,000 to $3,000 for each one, depending on if they had a special at that time or if they were doing an in-place upgrade or with the same router.

Which other solutions did I evaluate?

They figured if they were going to get something different then it would have to be something very user-friendly for the administrators, because I'm the only one who is certified to work on Cisco. We evaluated the Barracuda NextGen Firewall. We also looked into Juniper and the Meraki firewall, because all our switches are Meraki switches. 

But we decided to stay with the WatchGuard. The prices were a little bit better than Meraki and, since everything was pre-configured, to upgrade to a newer WatchGuard all we had to do was just save the config file and upload it to the new one, and that was the end of that.

What other advice do I have?

Educate yourself. Read documentation and watch videos online. Since the administrators are going to use it, they should educate themselves on WatchGuard. Keep a cheap, old box for training. I train my administrators on an older box and I give them a network to train on.

We have been attacked with ransomware in the past, and it was kind of disappointing because, when I talked to Cisco support they said that they recommended purchasing end-point protection with a ransomware interceptor, so we ended up getting Sophos. So alongside the WatchGuard, we have Sophos' ransomware interceptor and end-point protection. We use them, on top of the WatchGuard, as a secondary line of defense.

It has been smooth sailing as far as the product itself is concerned. That's why we keep renewing it. We either renew it or we upgrade to the newest version if they have a special. We also use it for Hot Standby. It's been good.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SR
President and Owner at Peak Communication Systems, Inc.
Reseller
Top 20
Its stability and reliability help us save time and man-hours

Pros and Cons

  • "It saves us time in the respect that we now have the template built for it so we can get in and get it done. We've had much less problem supporting Voice over IP technologies from different companies. Because our client base has grown over the years, we're probably saving 20 to 30 man-hours a month now that we've got this on a good stable level."
  • "The pricing could be improved. It is definitely one of the more expensive products."

What is our primary use case?

We use it in my company and for my clients as well. We sell Internet access, so we use them as a firewall to hopefully protect our clients. We work with one of our partners, who is a certified WatchGuard engineer, and have come up with a fairly good plan to get these completely fired up and working. That makes a huge difference.

We're now up to the 7 Series. We've gone through WatchGuard 3 Series, 5 Series, and 6 Series. So, we've gone through several different versions over the years.

How has it helped my organization?

Firebox's reporting and management features have been very helpful to us. Unfortunately, we don't always have them turned on at the right time. That's something we have to be aware of. However, once they're turned on, they seem to do really well in identifying things across the board for us. We can usually hunt down problems very quickly and go from there.

The solution provides our business with layered security.

We do most of our services now as Voice over IP services. We do not do computer services. We have been able to slowly pair down exactly what we need to program within Firebox to give us the best quality of service for our customers. 

What is most valuable?

We can open or close individual ports, which most can, but I like the way that this programs. Meaning its GUI interface versus Cisco's, where their interface is still not all that great. We just become very comfortable with WatchGuard over the years because we know what to do with them.

We have found it to be very usable and friendly. We can use it for identifying and hunting down. If we run into a problem for some reason, the reporting capability makes it much easier for us to ID where problems may be.

Depending on what specific model you get, along with how deeply reprogrammed and restrictive we make it, their throughput is pretty good. Though, the models are all pretty close to the same. We get about an 85 to 90 percent throughput, depending on which of their security platforms we install. Some will take a little bit more and some will take a little less.

What needs improvement?

The pricing could be improved. It is definitely one of the more expensive products, though you can't really compare it to Ubiquiti or SonicWall.

For how long have I used the solution?

About 15 years.

What do I think about the stability of the solution?

Its stability and reliability make it a good product for us.

Over the last 15 years, there has been only one Firebox in which we've had any hardware problems and one box in which we have had a software problem. In both cases, WatchGuard overnighted a new box to us so we had it the next day, then we were able to repair or replace, as necessary.

They seem to be fairly stable. Like anything else, it's an electronic device that can last for 10 minutes or 10 years.

What do I think about the scalability of the solution?

They have put together a good process where we can go in and see, based on the processor power of Firebox, which one we would want to use on what circuit size. They have it from very small to extremely large.

We have four telephone technicians in the company who have had the training and capability to work on Firebox.

For us, a large environment is somebody with 250 or 300 users inside the company.

How are customer service and technical support?

Our partner has used their support. It's really good support. If they don't answer immediately, they get back to you very quickly, usually in less than an hour.

Which solution did I use previously and why did I switch?

We see cases where several of our clients are switching from a different firewall to WatchGuard. With Cisco, it depends on who's supporting it. SonicWall seems to give us a bit more problems when it comes to interfacing with IP telephone devices or if we're doing SIP trunking.

How was the initial setup?

Firebox stabilizes it so we know we get better support for the platform and user when it comes to Voice over IP. We find a lot of them don't give us the ease of setting it up. Now that we know we have it down to what we're doing so the platform stays stable, we can imply good quality of service for the customer and keep going on so they continually get good performance on their network.

In the beginning to set this solution up, it takes four to six hours. That is to get a brand new one out of the box and make sure it's got all the latest and greatest revisions on it, then setting it up. That also depends on the size of the client that you are supporting with it.

We have a template built for it. Once we upload the template, we go in and adjust it accordingly.

We have a few Fireboxes deployed to distributed locations, not a lot. However, it does work well in a distributed environment. We have one customer who has five offices in five different states. He has Firebox for all of them and it seems to work pretty well.

Deploying to distributed locations is easy enough. We have a template. We just get the IP addresses for the network and update the template, so it has the appropriate addresses. We can either have one of their folks do it because this happens to be a tech company, not necessarily IT. However, a tech company is knowledgeable enough. We can send it out there and tell them what to plug in where and turn it on. Then, if we're really lucky, it comes up without any problems at all because we've already set it all up before we take it out to them. So, the deployment becomes easy depending on how you want to address it. There have been times where we've gone out to deploy them in different locations. Most of the time, depending on the company, we can set it up to deploy, then just plug and play.

What about the implementation team?

Make sure you have a good, qualified, trained engineer to help you initially get it set up. I do not recommend you doing it on your own unless you're somewhat trained in the terminology and capabilities of the particular product.

We have an engineering specialist, who has been certified by WatchGuard, secure attack vectors for us.

Once we get done putting the solution in and getting it set, there are times that the local IT support may be different from ours. They may go in and make a few minor tweaks to it. We try to keep that to a minimum because it is just one of those situations where we would like not to have too many hands in the pot.

What was our ROI?

It saves us time in the respect that we now have the template built for it so we can get in and get it done. We've had much less problem supporting Voice over IP technologies from different companies. Because our client base has grown over the years, we're probably saving 20 to 30 man-hours a month now that we've got this on a good stable level.

What's my experience with pricing, setup cost, and licensing?

They license it. When we buy it, we buy it with a three-year license. That's the most cost-effective way to do it. So, if you're going to buy it, then buy it with the three-year licensing. Only the person buying it can determine which level of licenses they have. That's something to truly consider.

There are no additional costs unless you choose their advanced licenses or different levels that they have for security. You can add on more security licenses with what you have in Microsoft today, but we have not been adding those on.

Which other solutions did I evaluate?

Our experience has been that Firebox actually performs a little better than some of its competitors as far as throughput goes. However, it depends on how much of their security software you get loaded, because they have different versions.

We have used other products. We've used SonicWall, Ubiquiti, and Cisco PIX. My personal favorite happens to be WatchGuard. Also, if we compare WatchGuard against Ubiquiti or Cisco PIX Firewalls, its ability to add multiple IP addresses and ports is much simpler than those. I can run several different networks off of ports that come on the hardware device. Depending on the model, there are anywhere from four to eight ports on the device, so you can plug it in at different levels.

What other advice do I have?

It is a great piece of hardware.

The learning curve for this solution depends on your background. If you have some technology background, implementing it will probably be okay. They have a WatchGuard academy. If you have no background at all, I wouldn't suggest you do it. In comparison, when you get trained with Cisco, there are several different classes to go through and each class is several hours long.

I would rate it as a nine or nine point five out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Scott Morin
Owner / CEO at Midwest Technology Specialists LLC.
Consultant
Top 5
Enables us to drop a lot of traffic and reduce a lot of load on otherwise poorly performing Internet connection

Pros and Cons

  • "As a whole, it has a very low requirement for ongoing interaction. It's very self-sufficient. If properly patched, it has very high reliability. The total cost of ownership once deployed is very low."
  • "The data loss protection works well, but it could be easier to configure. The complexity of data loss protection makes it a more difficult feature to fully leverage. Better integration with third-party, two-factor authentication would be advantageous."

What is our primary use case?

Our primary use cases are for the firewall and for limited routing for small to medium-sized businesses. 

How has it helped my organization?

I had a client that was saturated with RDP, remote desktop attempts, while using a standard low, consumer-grade firewall. Putting in WatchGuard allowed me to drop a lot of that traffic and reduce a lot of load on their otherwise poorly performing Internet connection.

Reporting PCI and HIPAA compliance reporting, firmware updates, cloud-based firmware updates all make for visibility within the client site much easier. I can provide comprehensive reporting on user activity and user behavior which goes along with user productivity. It has excellent mobile SSL VPN capabilities that have allowed for very rapid deployment of remote workers during our current situation.

As a whole, it has a very low requirement for ongoing interaction. It's very self-sufficient. If properly patched, it has very high reliability. The total cost of ownership once deployed is very low.

It absolutely saves us time. All firewalls can be deployed with a very basic configuration in a reasonable amount of time. The uniform way in which WatchGuard can be managed allows for the deployment of much more comprehensive configurations more quickly. When it comes to troubleshooting and identifying any kind of communication issue, they use a hierarchal policy layout. It allows you to manipulate the order of precedence, simplifying troubleshooting by tenfold. Compared to a competitor, I spend less than 10% of the amount of time on WatchGuard that a similar task would take on a Meraki, a FortiGate, or a SonicWall.

What is most valuable?

The most valuable features are: 

  • The unified threat management bundle
  • Advanced threat detection and response
  • APT Blocker
  • Zero-day threat detection.

With most Internet traffic being encrypted, it is much more difficult for firewalls to detect threats. Some of the advanced features, such as the APT Blocker and the advanced threat protection, use advanced logistics to look for behavioral, nonpattern related threats. And the threat detection and response has the capability of working with the endpoints to do a correlated threat detection.

For most people, they don't think about one workstation having a denied access, but when multiple workstations throughout a network have requests that are denied in a short period of time, one of the only ways you can detect that something nefarious is going on is through a correlated threat detection. And WatchGuard has that capability that integrates at the endpoint level and the firewall together, giving it a much better picture of what's going on in the network.

It is the single easiest firewall to troubleshoot I have ever worked with. It deploys very rapidly in the event that a catastrophic failure requires the box to be replaced. The replacement box can be put in place in a matter of minutes. Every single Firebox, regardless of its size and capability, can run the exact same management OS. Unlike some of the competitors where you have dissimilar behavior and features in the management interface, WatchGuard's uniform across the board from its smallest appliance to its very largest, making it very, very simple to troubleshoot, recover, or transition a customer to a larger appliance.

It absolutely provides us with layered security. It has one of the most robust unified threat bundles available with Gateway AntiVirus, APT Blocker. It does DNS control. It does webpage reputation enabled defense. It effectively screens out a lot of the threats before the user ever has an attempt to get to them.

Externally it does a very good job of identifying the most common threat vectors, as well as different transported links, attachments, and things of that nature because of the endpoint integration. It helps protect from internal and external threats, along with payload type, and zero-day threats.

The cloud visibility feature has improved our ability to detect and react to threats or other issues in our network. It has improved firmware upgrades and maintenance reporting as well as investigating and detecting problems or potential threats.

It has reduced my labor cost to monthly manage a firewall by 60%.

What needs improvement?

The data loss protection works well, but it could be easier to configure. The complexity of data loss protection makes it a more difficult feature to fully leverage. Better integration with third-party, two-factor authentication would be advantageous.

For how long have I used the solution?

I have been using WatchGuard Firebox for fifteen years. 

We mostly use the T series: T30s, T70s, some M3, and 400 series.

What do I think about the stability of the solution?

It is the most stable firewall I work with. The incidence of failure is very low, maybe once every two years.

What do I think about the scalability of the solution?

It's very scalable. Because it has the unified configuration interface and the unified tools, or the common tools that are used from the smallest to the lowest, a ton of time and configuration, and thereby money, is saved during an upgrade, for example. The time to take an upgrade to a new appliance is a fraction of the time it would be with a competitor because of the direct portability of the configuration from the prior firewall.

We have one engineer and one part-time technician to maintain approximately 75 WatchGuards for limited, physical installations and onsite. It is very reasonable for one or two engineers to manage 200 to 300 WatchGuards. It's very reasonable.

We have just a single location in which we do use the T70 box and WatchGuard is in place at 95% of our clientele. We do not replace viable commercial-grade solutions until such time that they are ending their licensing or whatever. We do not replace FortiGates or SonicWalls while they're still viable. However, when the opportunity to replace one arises, it is our first suggestion to the client.

How are customer service and technical support?

I do not or have not had to use technical support very often, but I find it to be excellent. They're very responsive and very knowledgeable. I get engineers from a similar time zone. They're very skilled engineers and very invested in end-user satisfaction. Even though they are 100% channel-driven, they take end-users satisfaction very seriously.

Which solution did I use previously and why did I switch?

The complexity of configuring a Sonic Wall, for example, is much, much greater than that of a WatchGuard. Identical tasks can be completed in a WatchGuard in a fraction of the time as a SonicWall. When comparing similar models, the performance of Meraki is far inferior to the WatchGuard. Its capabilities are inferior to WatchGuard. It's a simple cloud interface. Meraki's simple cloud interface is probably more appropriate for a less experienced engineer. FortiGate lacks some advanced features that WatchGuard has, but my predominant issue with FortiGate is that when all the unified threat management utilities are enabled, performance on FortiGate is inferior. Although it has capabilities, when fully enabled it does not perform as well as WatchGuard.

How was the initial setup?

The initial setup is very straightforward. I'm able to deploy a standard template after activating the device. The activation is very simple and takes just a few minutes. Then a base configuration can be applied once the firmware has been updated and a box can be prepared for initial deployment within 7 to 10 minutes after it boots. 

It took 45 minutes to set up.

In terms of the implementation strategy, I have an implementation baseline of minimum acceptable settings and then it is adjusted based on client needs.

We deploy it to distributed locations in one of two ways. The device can be drop-shipped to the user or the endpoint and a cloud configuration deployment can be pushed to the box. My preferred method is to receive the box, perform a firmware update and a base configuration, and then ship the box.

I would recommend working with a partner for an expert-level deployment. It greatly reduces the time to deploy it. An experienced engineer can then deploy the product very rapidly and can often provide instruction on how best to maintain the product. But otherwise, the deployment is very straightforward.

What was our ROI?

They are very low maintenance, they have a very high rate of my end-user satisfaction. I'm able to provide excellent levels of service to my end-users and my customers. I would say that they have a very high value and a good return on the investment.

What's my experience with pricing, setup cost, and licensing?

Generally speaking, I find the three years of live and total security to be the best option. By going with their total security, you do get the endpoint protection component of the threat detection and response. Typically the trade-in options, depending on your prior firewall, are options that they should request or pursue when dealing with their provider. Those programs are usually available, but they're not always offered by a provider unless you ask.

What other advice do I have?

I would rate WatchGuard Firebox a ten out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
FelixCheung
IT Director at Wise Ally Holdings Limited
Real User
Top 20
Enables us to control what kind of applications each staff member and department is able to access, but UI is not user-friendly

Pros and Cons

  • "Because we bought two firewalls... we need a central place to manage the policies and deploy them to both devices. It's good that it provides a system management console that is able to manipulate and manage policies in one place and deploy them to different locations."
  • "The UI is not as user-friendly as the model that I had used before, which was from Check Point. The design of the Firebox UI is restricted and needs an experienced network guy to understand the format and settings."

What is our primary use case?

The purpose is to enhance the application control and internet access control of our company in our office and factory.

How has it helped my organization?

Firebox provides our business with layered security. Before implementing the firewall, we didn't have any control over application access. Now, by using the Firebox, we can control each staff member and department and what kind of application they're able to access on the internet, especially with the popularity of cloud SaaS systems. It has really reduced the degree of risk in accessing those unauthorized, and potentially risky, destinations. WatchGuard provides a pre-built database that can protect against gambling domains, for example. But the accuracy of that database still needs to be improved because, in many cases, the categorization of the website is not exact.

It has also helped with productivity. It reduces the time our networking staff spends implementing things. It has saved about 20 percent of our time. We're also doing more control than before, so we have made some effort to configure the policies, which was something we'd never done before. Previously, we didn't have any control, so we didn't have to spend time configuring or troubleshooting application control policies.

What is most valuable?

There wasn't one particular valuable feature. What I like is that 

  • its pricing is competitive when compared with other brands, 
  • it has all-in-one features for intrusion detection
  • it has application control 
  • it has email control.

Also, the load balancing and failover features cost only 20 percent more than a single instance of Firebox. Those are the main reasons we chose it.

Because we use cloud applications like Office 365 and Salesforce, we don't want all our staff accessing the whole internet. We use the application control so that they are only able to access the company-authorized cloud applications.

Because we use the firewall to monitor the external traffic as well as the internal traffic, we bought a fairly large model, the M570. We turned on most of the features and the performance is comfortable. It can reach the throughput, the performance specified on the data sheet.

Also, because we bought two firewalls, which I know is not that many — not like in the retail industry where they have many firewalls in their retail stores — still, we need a central place to manage the policies and deploy them to both devices. It's good that it provides a system management console that is able to manipulate and manage policies in one place and deploy them to different locations.

What needs improvement?

The reporting features are not as flexible as I thought before I bought it. You can retrieve some simple statistics from the centralized reporting server. But let's say I want to look at the volume of internet access among our staff. There are no out-of-the-box reports or stats or any unit of measurement that show internet access for particular staff. There is no report that shows how long they're on or the volume of traffic, especially in a particular period. It's not necessary that it have very modern BI analytics, but at this point I'm a little bit disappointed with the reporting. One of the purposes of implementing the firewall was to do more application control and reduce the risk involved in employees accessing the internet. We want to measure and know how much time of our staff spends accessing and browsing and using internet resources.

For how long have I used the solution?

We bought WatchGuard Firebox last year and implemented it in our Hong Kong office and China-based factory. In the factory we have larger coverage and we use the M570. For our Hong Kong office we use the M370.

What do I think about the stability of the solution?

It's stable. So far, there have been no incidents.

What do I think about the scalability of the solution?

Our case is quite straightforward. We only use two nodes. We still need to expand to one or two more factory locations, as well as our office. We will scale out the same solution.

I do have previous experience in the retail industry. In that industry, where you need to implement many firewalls in multiple retail stores, I doubt the management tools of the Firebox would be able to scale out for that use case. But for our use case it's good.

How are customer service and technical support?

We haven't had any issues so we haven't contacted their technical support. It's been quite stable over the year since we implemented it.

Which solution did I use previously and why did I switch?

There was no application control in our old solution and we wanted to reduce the risk of being attacked from outside. So we looked for a UTM model and the cost-benefit of the WatchGuard Firebox was one of the best.

I did a little bit marketing research locally and listened to recommendations from some partners in Hong Kong.

How was the initial setup?

The initial setup was quite straightforward. It's a typical UTM.

Our implementation took about two months.

In terms of our deployment strategy, we implemented one of the firewalls. We replaced our old firewall, enabling only the internet access and left the major email traffic access. Then we defined the control by defining more specific application policies. Once it was successful, we used the same method to deploy the other firewall to our China side.

We have one person who maintains the Fireboxes, but it's really less than one because he does other administration and is not only dedicated to firewall administration. We have about 100 people in the Hong Kong office and on the factory side there are 400.

What about the implementation team?

We had one internal staff member and an external consultant from BARO International for the deployment. Our experience with BARO was good. They understood our requirements and were able to translate them into an actual solution and deploy it.

What was our ROI?

We have seen ROI using WatchGuard.

What's my experience with pricing, setup cost, and licensing?

We needed a firewall to control our internal network and the external access and we needed to implement load balancing and failover as well. Going with WatchGuard "increased" our budget.

WatchGuard had a very competitive price. It was only 10 to 20 percent more than a single instance device but with that extra cost it provided a second load balancing device and the licensing scheme didn't charge double. They only charge for one license, unlike other brands whose method of hardware and software licensing would have doubled our cost. That was a major consideration.

Which other solutions did I evaluate?

We looked at Juniper, Check Point, and one more that was the most expensive.

The usability of the Firebox is good. But the UI is not as user-friendly as the model that I had used before, which was from Check Point. The design of the Firebox UI is restricted and needs an experienced network guy to understand the format and settings. When I used the Check Point a few years ago, the UI usually guided me on how to define a policy from the source to the target, and what the objects were, and how to group objects, and everything could be seen from a simple, table-based web UI. 

The interface of the Firebox is clumsier. The settings are like a tree structure, and you need to drill down to each node in order to get to the property. It serves the same purposes, but I won't memorize all the settings. A more user-friendly user interface would reduce the number of things I need to memorize and guide me in configuring policies. It's quite good, but is not the best I have seen.

The other brands provide more professional features for reporting, the application control, and the scalability. But the strong point of WatchGuard is their all-in-one features that are suitable for our size of company and our budget.

What other advice do I have?

WatchGuard is not the best. We already knew that, but it comes with most of the features we need. Although it's not the most user-friendly, we sacrificed that to keep the core features to increase our control while maintaining our budget. Honestly, there are no particular features of the WatchGuard that impressed me to say, "I must choose a WatchGuard." But when I needed several things to come together, then I really had no choice.

I would rate WatchGuard Firebox at seven out of 10. It's good, it's better than a six, but from the management point of view, it has not totally satisfied my expectations so it's below an eight or nine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.