WatchGuard Firebox Reviews

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

I've been using Firebox for two or three years.

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS , and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

We use it to protect our web stations and service. 

We established a branch office VPN to our branch office. Since last month, we have added Mobile VPN tunnels to our headquarter.

We have the ability to use it for connecting to our terminal services, then to the Fireboxes, so we can create user-based policies, which are very important at this time. We can control who has access to management servers and machines that are not for general use by users.

We use a normal packet server. We are also using a proxy service and IPS, so all features are possible with these devices. We have seen many attacks from specific IP addresses that were all blocked. Most times, these were IPS traffic port scans. All this traffic is normally blocked from our side.

The solution simplifies my business. Normally, for administration, we are using Watchguard System Manager on Windows since it's easy to create new policies. In a short amount of time, you can create new policies based on new requirements. For example, in the last few months, many requirements changed due to the coronavirus, adding the use of new services, like Office 365, and eLearning tools, like Zoom.

With Firebox, the monitoring is good. On the Dimension servers, I can see where the IP addresses send and receive a lot of the traffic so I can analyze it. I am also able to see where attacks are coming from. It's good to see visually what policies are most in use and which traffic was blocked. Its easy to visualize policies. The dimension server shows which policy is used and the data flow through the firebox.

For our requirements, WatchGuard has very good features available in its software.

It is good for administrating devices. It is reliable and easy to use. Most of the time, the results are what I expected.

The performance of the device is good. The time to load web pages has not been slowed down too much. With additional security features, like APT and IPS, WatchGuard Fireboxes need a moment to check the traffic.

For reporting, we use the Dimension server from WatchGuard where we have many options to analyze traffic. It has a good look and feel on all websites that WatchGuard creates. All pages have the same system, so it's easy to use because the interface is uniform throughout the entire solution.

We are using some of the cloud visibility features. What we use on that cloud is DNSWatch, which checks the DNS records for that site. It is a good feature that stops attacks before they come into the network. For most of our clients, we also run DNSWatchGO, which is for external users, and does a good job with threat detection and response. It is a tool that works with a special client on our workstations. 

Sometimes I would like to copy a rule set from one box to another box in a direct way. This is a feature that is not present at the moment in WatchGuard.

I'm missing a tool by default, where you can find unused policies. This is possible when a) you adminstrate the firebox with dimension, or b) you connect it to Watchguard's cloud.

We have been using this solution for a long time (for more than a decade).

The stability is very good. I normally only do a reboot of a Firebox when I upgrade the boxes with new software, so they run sometimes two or three months without a reboot.

It is scalable to many environments. With all our locations, we found this solution works.

For the moment, we have around 80 users total at all our locations. The traffic at our headquarters per day is 300 gigabytes.

Our number of Fireboxes has been constant over the last few years, as we don't have new locations. We are a sports organization, so we are not expanding.

WatchGuard's support is very good. Over the years, there have been only one or two tickets that were not solved.

When you start as a new customer, you should start with a bit of support from your dealer so you have some training on the boxes and how to manage them.

Before using WatchGuard, we had a Linux server with iptables. We switched to Firebox because it is much easier to administrate. It has real boxes with a graphical interface, instead of command line administration.

It is relatively easy to set up a new box. In my experience, you have a basic rule set. When you start with a new box, you can quickly make it work, but you always need to specify the services that you need on the boxes. You need some time to create the right policies and services on the box. This is the process for all Fireboxes that you buy.

When you have a small branch office with a small number of policies, you can make them active in production in one or two hours. With complex requirements at your headquarters where you have several networks with servers, web servers, and mail servers which can be accessed from the outside, the configuration will need more time because the number of policies is much higher.

The implenetation was done by the vendor. For us the solution was ok. At this point my knowledge about firewall was not on the level I have today.

It saves me three or four a month worth of time because it stops malware. I don't need spend time removing malware from the client.

I think the larger firewall packages are much better because a normal firewall is not enough for these times. You need IPS, APT, and all the security features of a firewall that you can buy.

We evaluated some other solutions.

Administration of Fireboxes is only a small part of my job. I have been the network administrator since 1997. While the solution does make less work, I still need a little time to monitor all solutions. 

I would rate this solution as a nine (out of 10).

Our primary use cases are for the firewall and for limited routing for small to medium-sized businesses. 

I had a client that was saturated with RDP, remote desktop attempts, while using a standard low, consumer-grade firewall. Putting in WatchGuard allowed me to drop a lot of that traffic and reduce a lot of load on their otherwise poorly performing Internet connection.

Reporting PCI and HIPAA compliance reporting, firmware updates, cloud-based firmware updates all make for visibility within the client site much easier. I can provide comprehensive reporting on user activity and user behavior which goes along with user productivity. It has excellent mobile SSL VPN capabilities that have allowed for very rapid deployment of remote workers during our current situation.

As a whole, it has a very low requirement for ongoing interaction. It's very self-sufficient. If properly patched, it has very high reliability. The total cost of ownership once deployed is very low.

It absolutely saves us time. All firewalls can be deployed with a very basic configuration in a reasonable amount of time. The uniform way in which WatchGuard can be managed allows for the deployment of much more comprehensive configurations more quickly. When it comes to troubleshooting and identifying any kind of communication issue, they use a hierarchal policy layout. It allows you to manipulate the order of precedence, simplifying troubleshooting by tenfold. Compared to a competitor, I spend less than 10% of the amount of time on WatchGuard that a similar task would take on a Meraki, a FortiGate, or a SonicWall.

The most valuable features are: 

• The unified threat management bundle
• Advanced threat detection and response
• APT Blocker
• Zero-day threat detection.

With most Internet traffic being encrypted, it is much more difficult for firewalls to detect threats. Some of the advanced features, such as the APT Blocker and the advanced threat protection, use advanced logistics to look for behavioral, nonpattern related threats. And the threat detection and response has the capability of working with the endpoints to do a correlated threat detection.

For most people, they don't think about one workstation having a denied access, but when multiple workstations throughout a network have requests that are denied in a short period of time, one of the only ways you can detect that something nefarious is going on is through a correlated threat detection. And WatchGuard has that capability that integrates at the endpoint level and the firewall together, giving it a much better picture of what's going on in the network.

It is the single easiest firewall to troubleshoot I have ever worked with. It deploys very rapidly in the event that a catastrophic failure requires the box to be replaced. The replacement box can be put in place in a matter of minutes. Every single Firebox, regardless of its size and capability, can run the exact same management OS. Unlike some of the competitors where you have dissimilar behavior and features in the management interface, WatchGuard's uniform across the board from its smallest appliance to its very largest, making it very, very simple to troubleshoot, recover, or transition a customer to a larger appliance.

It absolutely provides us with layered security. It has one of the most robust unified threat bundles available with Gateway AntiVirus, APT Blocker. It does DNS control. It does webpage reputation enabled defense. It effectively screens out a lot of the threats before the user ever has an attempt to get to them.

Externally it does a very good job of identifying the most common threat vectors, as well as different transported links, attachments, and things of that nature because of the endpoint integration. It helps protect from internal and external threats, along with payload type, and zero-day threats.

The cloud visibility feature has improved our ability to detect and react to threats or other issues in our network. It has improved firmware upgrades and maintenance reporting as well as investigating and detecting problems or potential threats.

It has reduced my labor cost to monthly manage a firewall by 60%.

The data loss protection works well, but it could be easier to configure. The complexity of data loss protection makes it a more difficult feature to fully leverage. Better integration with third-party, two-factor authentication would be advantageous.

I have been using WatchGuard Firebox for fifteen years. 

We mostly use the T series: T30s, T70s, some M3, and 400 series.

It is the most stable firewall I work with. The incidence of failure is very low, maybe once every two years.

It's very scalable. Because it has the unified configuration interface and the unified tools, or the common tools that are used from the smallest to the lowest, a ton of time and configuration, and thereby money, is saved during an upgrade, for example. The time to take an upgrade to a new appliance is a fraction of the time it would be with a competitor because of the direct portability of the configuration from the prior firewall.

We have one engineer and one part-time technician to maintain approximately 75 WatchGuards for limited, physical installations and onsite. It is very reasonable for one or two engineers to manage 200 to 300 WatchGuards. It's very reasonable.

We have just a single location in which we do use the T70 box and WatchGuard is in place at 95% of our clientele. We do not replace viable commercial-grade solutions until such time that they are ending their licensing or whatever. We do not replace FortiGates or SonicWalls while they're still viable. However, when the opportunity to replace one arises, it is our first suggestion to the client.

I do not or have not had to use technical support very often, but I find it to be excellent. They're very responsive and very knowledgeable. I get engineers from a similar time zone. They're very skilled engineers and very invested in end-user satisfaction. Even though they are 100% channel-driven, they take end-users satisfaction very seriously.

The complexity of configuring a Sonic Wall, for example, is much, much greater than that of a WatchGuard. Identical tasks can be completed in a WatchGuard in a fraction of the time as a SonicWall. When comparing similar models, the performance of Meraki is far inferior to the WatchGuard. Its capabilities are inferior to WatchGuard. It's a simple cloud interface. Meraki's simple cloud interface is probably more appropriate for a less experienced engineer. FortiGate lacks some advanced features that WatchGuard has, but my predominant issue with FortiGate is that when all the unified threat management utilities are enabled, performance on FortiGate is inferior. Although it has capabilities, when fully enabled it does not perform as well as WatchGuard.

The initial setup is very straightforward. I'm able to deploy a standard template after activating the device. The activation is very simple and takes just a few minutes. Then a base configuration can be applied once the firmware has been updated and a box can be prepared for initial deployment within 7 to 10 minutes after it boots. 

It took 45 minutes to set up.

In terms of the implementation strategy, I have an implementation baseline of minimum acceptable settings and then it is adjusted based on client needs.

We deploy it to distributed locations in one of two ways. The device can be drop-shipped to the user or the endpoint and a cloud configuration deployment can be pushed to the box. My preferred method is to receive the box, perform a firmware update and a base configuration, and then ship the box.

I would recommend working with a partner for an expert-level deployment. It greatly reduces the time to deploy it. An experienced engineer can then deploy the product very rapidly and can often provide instruction on how best to maintain the product. But otherwise, the deployment is very straightforward.

They are very low maintenance, they have a very high rate of my end-user satisfaction. I'm able to provide excellent levels of service to my end-users and my customers. I would say that they have a very high value and a good return on the investment.

Generally speaking, I find the three years of live and total security to be the best option. By going with their total security, you do get the endpoint protection component of the threat detection and response. Typically the trade-in options, depending on your prior firewall, are options that they should request or pursue when dealing with their provider. Those programs are usually available, but they're not always offered by a provider unless you ask.

I would rate WatchGuard Firebox a ten out of ten. 

We use it for our firewall as well as for our branch office VPNs.

The WatchGuard devices allow us to self-manage our network and our branch office VPNs. As a result, we've saved ourselves a lot of money, without compromising our security. It provides a much more economical and effective solution. We used to have an MPLS network which was a cloud-based firewall system and it cost us a small fortune every month. But when we implemented all these firewalls and got it all configured, up and running, we literally saved ourselves $10,000 a month.

It makes managing the network a lot easier. It takes care of our network for us.

Once it was set up and running, it began to save us time. It works, and we spend very little time managing it. We have very few issues with it. We might spend an hour a month managing it, if that.

The firewall aspect and the branch office VPNs are the most valuable features. They just plain work. We don't have any issues with it. We don't have to spend a lot of time maintaining it. You set it up and, for the most part, you can forget about it.

In terms of the usability:

• It's user-friendly with an easy user interface.
• It has a lot of features.

The throughput the solution provides is good.

In addition, WatchGuard provides our business with layered security. It certainly protects our network, blocks unwanted incoming traffic and, at the same time, can manage outbound traffic too.

We use WatchGuard to manage our failover for internet. If a primary internet goes down, it does a failover to the secondary the internet. However, what it doesn't do so well is that if the primary internet has a lot of latency but it's not completely down, it doesn't do a failover to the backup in a timely manner.

The stability is great. 

We don't really have any experience with the scalability. We implemented the appropriate devices for our size and we haven't really grown to the point that we've had to upgrade devices. The scalability is fine in the sense that we have some locations with more people, and WatchGuard has a slightly beefier device than we use at some of our smaller locations. All in all, it works well.

All of our networks are managed by WatchGuard. If we add locations we'll be using it for them as well in the future, although we don't have new locations on the horizon. We use it every day because it manages our network. Because all of our network traffic runs through WatchGuard, everybody uses it. But they're not using it for a specific function, other than to communicate between locations.

The customer service is good. If we have an occasional issue there are helpful. They help us resolve problems. Overall, I'm pleased.

We had a third-party MPLS network that managed all of the cloud-based software but it was very expensive. It was similar in effect, but it was a third-party, as opposed to WatchGuard which is self-managed. The main reason we switched was the pricing.

The initial setup was a little complex. But once we understood how it works and after we got the first one configured, the rest of the firewalls were pretty easy. It is pretty straightforward. It is just a matter of learning it initially: understanding the nuances of the application and the user interface, understanding how to set it up and understanding what does what and the naming of features. That initial learning curve was a little steep, but once we got into it, it made a lot of sense.

Company-wide, our deployment took about 30 days.

Our initial implementation strategy was to do a backup to the internet and ultimately remove our MPLS and use the branch office VPN to manage it ourselves.

We were helped by an authorized WatchGuard reseller on the initial setup. Once we got through the first one, we took over from them internally. The reseller was NetSmart. Our overall experience with them was very good.

We still have a relationship with them. We do a lot of our stuff in-house, but if we have something that we need a little bit of help with, we do reach out to them from time to time. But doing so, for us, is pretty rare at this point.

We have absolutely seen return on investment. We saved a small fortune switching over. It paid for itself, literally, within the first couple months.

When we bought them we got a three-year license for each device. The two larger devices are about $1,000 each and the smaller ones are about $500 or $600 each. 

There are some additional software features that you can add on and pay for, but we don't use them. 

We didn't evaluate other options. The WatchGuard reseller was a company we had done business with before and they recommended it right out of the gate. We went with that.

It's worth it, depending on your current network environment. If you are in the same situation we were in, it's really a no-brainer going from the MPLS network to self-managing it with simple broadband internet. It works great. To be honest, you'd be crazy not to do it. The advantages of WatchGuard over MPLS are that it's cheaper and you have more control because it's self-managed. The only con is that it does require a little bit of maintenance that you wouldn't otherwise have to do, but it's minimal.

In terms of distributed locations, we have a firewall at all of our locations. Once we got it set up we'd visit a branch, install it, test it, and implement it.

As for maintenance, it requires just one person, a network administrator. We manage it ourselves and there's not a whole lot to it.

Production business use at multiple interconnected locations.

It is one of the layers of our security and it definitely does protect us from many attack vectors. Between the antivirus scanning, the blocking, and DNSWatch, it is protecting us from a number of attack vectors. It is also provides useful diagnostic tools for identifying and troubleshooting issues. A recent example was when a few LOB network devices were having issues which was affecting operations. ZazaThe ability to search the realtime and historical logs helped me to navigate, zone in, and identify the ultimate issue. It ended up not being the firewall, but fast access to the logs helped me determine and prove that to be the case.

Because of the way it's organized and the user-friendliness of the device, it does make my job managing the firewall profiles and security a lot easier. There's nothing you have to do through the command line. Being able to definitively know what the configuration is, visually, being able to edit it offline without affecting production have all been big time-savers for me. When I had to do two firewalls which had similar configurations it saved me at least 20 hours of setup work. Templates allowed me to create and define a bunch of objects once and use them in both places.

Overall, per month, Firebox will save me four to five hours, depending on if there's something I have to investigate.

The Application Control and web blocker have been very valuable because they let me control the outgoing traffic of my users and keep them off of both productivity wasters and sources of vulnerabilities in my environment. 

I like the High Availability feature because it allows a firewall to fail while keeping the environment up and running.

In terms of its usability, it's very straightforward to use, once you understand the way they look at a firewall and the design choices they made.

The throughput the solution provides is excellent. I have not had any performance-related issues with any of the fireboxes I've used.

I like their management features a lot. Their System Manager server as well the System Manager software make managing them, and tracking changes, very easy and complete. In terms of the reporting, I am just starting to look at the reports in Dimension and they look pretty well-organized and useful.

The product could have some more predefined service protocols in the list, which don't have to manually be defined. But that's very low hanging fruit.

The documentation for the System Manager/Dimension configuration, could be a little bit clearer. The use case where you have multiple sites with multiple firewalls, and one site that has the System Manager server and the Dimension server, wasn't really well defined. It took me a little bit of digging to get that to actually work.

It's pretty rock-solid. I've never had to reboot one because it was acting in an unstable manner and have some that I ran through their entire usable lives without issue.

The scalability is good, assuming you buy the right model. They make it easy to trade up to a bigger model without having a big, financial impact, giving you a discount to trade up. 

The times I've used technical support it was excellent.

I moved from FortiGate. The reasons i switched include price - WatchGuard is a lot more cost-effective than FortiGate - and complexity. FortiGate is very complicated, had little documentation which relied heavily on cookbooks, and a lot of command-line required to get some common things to work. WatchGuard is very well-documented and everything fits within their configuration. Nothing that I've encountered has to be done through the command line. And when your subscription expires on the WatchGuard, it will still pass traffic, if you configure it to. FortiGate will only allow one connection out. 

The initial set up was very straightforward. You take it out of the box, you plug it in, you download the software, and it starts working. That's what I consider to be the initial set up, and that was very easy and very fast.

The deployment took me a total of about 40 hours for two sites, two firewalls, and with an incredibly complicated configuration. The complexity was a product of the environment, not the firewall.

I utilized the template feature to make everything that could be the same, the same across both sites, which are connected locations.

In-house.

They are well priced for the market and offer discounts for competitor trades and model upgrades which are definitely worth taking advantage of.

FortiGate and WatchGuard were the only two I've evaluated recently.

I would definitely recommend using WatchGuard.

I would also recommend taking one of the courses that goes through all the features of the device and the way it is organized. Every firewall vendor looks at things differently. If you don't understand the way WatchGuard is structured, you may make a strategic mistake in setting it up and you'll have to tear some of it down and redo which is true of any firewall. Leanr and use the tools Watchguard  provides.

I used to do everything in WatchGuard through their Web UI but I now use the System Manager software because it is very valuable. It provides a lot of features that I had not realized I was missing. The System Manager Server is able to store previous versions of the configuration, and to force people to enter comments regarding what they changed when they save one. Being able to compare the configurations side-by-side, and have it tell you the differences are great tools that you should know about if you're going to start implementing a WatchGuard.

We primarily use WatchGuard Firebox for security and connections. It's a web and endpoint, and we have different connections to associates and customers through internal networks, which is a big part of it.

The performance has been satisfactory for all of them, and I appreciate how it simplifies configuration. While it does require a certain configuration process, once completed, it works seamlessly. Personally, I find the ease of configuration to be the most valuable aspect of this product.

We're primarily using the on-prem version, but we do use the cloud-based version a little bit as well. When I was with my previous company, we had many customers with WatchGuard devices, and the cloud-based services were quite good. One feature that I really liked was the ability to configure settings and push them straight to the cloud, which made it easier to distribute them to different firewalls.

One thing, which I have been finding a bit annoying, is that it's too dependent on the Windows operating system. The configuration systems and software required to access WatchGuard always run on the Windows system. As my workstation is Linux, I need to have access to Windows to use WatchGuard. It's a little inconvenient for me, but it's not a big issue. For me, that's the most annoying thing, and I would like it to be more Linux-friendly.

In the next release, I would like to see better software and configuration systems that could also be used on Linux.

I've been using it for about ten years. We are using the latest version of WatchGuard Firebox.

It's been a rock-solid solution with no issues. I would rate it a ten out of ten. The WatchGuard Firebox has been a reliable and stable solution for us. Only once in the ten-year period did we experience some issues with the product, but practically never any issues with the solution.

It is a scalable solution. I would rate it a nine out of ten.

Overall, there are around 50 to 70 users using WatchGuard Firebox in our local office. There are also people using this solution in our head office in other countries.

The customer service and support team was good.

Positive

I have used some SIP (Session Initiation Protocol) products and some Cisco products. But very little. Because most of the time, I use WatchGuard Firebox.

In the beginning, around ten years ago, it was a little bit challenging. However, the support was excellent in Finland, where I am located. The team who worked there provided good courses, and now, everything else is much more straightforward to install than before.

They are so easy to configure, from the littlest firewall to the biggest one. That's very good cohesion in the whole lineup of devices. It's easy to change the model if you need more performance, and you can easily change the hardware. From the very small five boxes to the bigger ones, it's easy to change the model if you need more performance. When you purchase the WatchGuard Firebox, you usually get the software with the option that the new hardware comes with.

course, it takes longer if you want to modify everything to ensure that your email gateway is working as it should and your VPN tunnels are set up properly. However, it's still very fast. So, I just quickly put the network cables in, and it starts working. But, of course, it's important to get everything working correctly, which takes some time, not because of the WatchGuard Firebox, but because you need to put every server you'll be using in working order and ensure that everything is working well with the firewall. It takes time. But once everything is set up, it's good to go.

In a new installation, it will always take time to get everything working as desired. There will always be something that needs to be done and different things you may want to enhance. But, with WatchGuard Firebox, you can get it working very quickly and then modify everything later.

Usually, we have two people for maintenance because there are usually other things happening at the same time. When we know that we need to do something bigger for the firewall, we exchange the hardware for a better or newer one or do software updates. The big picture of software updates is made in stock. So usually, one guy maintains the firewall, another update the servers, and they oversee the maintenance and anything else that needs to be done. The job role of the maintenance team is IT administrator.

We usually keep up with the support subscriptions and usually make a three-year contract or buy a 3-year subscription. And then, it's time to update the hardware at the same time. Our size of the firewall has been from €5,000 to €7,000. I don't exactly remember the price, but that size of hardware was what we needed.

I would definitely recommend using WatchGuard Firebox. Overall, I would rate the solution a nine out of ten.

We use it both for VPN tunnels and as a firewall.

Our company runs group homes. There are 140 or so sites and employees are traveling to those sites on a daily basis. They use the VPN tunnels going back to the main office to access the file servers. We also have about 12 remote locations connected by WatchGuards on both ends to create a VPN tunnel, with SD-WAN to allow traffic to go between those two sites, both for the file servers and for the phone system.

It gives us a higher sense of security. There is an easier workflow as well.

I estimate that 50 percent more users use the WatchGuard VPN than use the SonicWall VPN tunnels. Those users are able to work on documents out of the site or increase their workflow and do work while they're onsite instead of doing it later. It saves us a couple of hours per person per week.

Once it's set up, we don't have to touch it that much.

We enjoy its usability very much. It's very easy to use, especially compared to similar products. A lot more users use the WatchGuard appliance now than use the SonicWall appliance because of the ease of usability.

As long as you're using the correct model, since different models have different numbers of allowed tunnels, the throughput is enough.

In terms of management features, we have a Dimension Server set up. It's nice to be able to see where people have gone to and when they have gone there. Overall, the solution makes it easier to manage on my side. Setting up new policies, new devices, and setting up tunnels to the current devices, is easier.

The firewall secures the external perimeter.

There is a slight learning curve.

Beyond that, the only issue we've had in the past two or three years had to do with the number of current tunnel connections, and that was just an issue with our size of Firebox. We got a bigger Firebox. The old one was able to handle the load. It was just that we ran into a licensing issue. We had hit our number of concurrent tunnels. We have a lot of tunnels with the phone system. We have tunnels to and from each site for the phones to be able to talk. It was a little bit of a surprise when we came across this situation, but it's present in the documentation.

It didn't take us long to figure out that that was the reason we were having an issue. It was just our not having the forethought to make sure that what we had was able to expand to meet our needs.

We've been using WatchGuard Firebox for about eight years.

Stability is excellent. We've had no issues with the firewall going down because of the Firebox.

We haven't run into a scalability issue yet. There are over 1,000 employees including several hundred office staff. There are 20-some sites that we have connected. We had to step up to a 470 for the current VPN connections, but as long as we're on the right size Firebox, everything goes pretty well.

Whenever there's a new office site coming up, we typically add a new Firebox. We're looking at putting more Fireboxes in all of the group homes, so that's probably going to be 115 more deployments in the coming years. We plan on continuing to use it, but I don't see any issues with expanding.

We don't work directly with Cisco tech support. We work with a third-party company to handle support that we can't figure out.

We used SonicWall Next or Dell. 

The setup is pretty straightforward. It takes 15 to 20 minutes per box. We have to set up current tunnels and get a static IP address at the sites where we're putting the boxes. It requires one person for deployment and there is very little maintenance needed.

Deploying it to distributed locations is a matter of setting the Firebox up. If it's a replacement Firebox, we set it up with the same policies and ship it to the location. They can take it, unplug the old wires from the old box, put the new wires in, turn it on, and it's up and going.

There were other options. We took a look at Dell but this was the best one at the time. The usability and setup of the WatchGuard were better. Also, the maintenance was very minimal. It's almost nothing.

The other solutions had their features that were nice, but there wasn't anything that really drew us or made it stand out from WatchGuard. We're pretty happy with WatchGuard right now.

There are updates pretty regularly. There haven't been any big changes over the past few years. They've kept working, rather than taking steps backward or making things harder.

I use the solution in my company mainly for security management and also for VPN.

The most valuable feature of the solution is its ease of use. For budgetary purposes, it meets our requirements.

For most of the part, the tool's interface is quite simple. The product can improve in terms of layout to provide easier access and viewing to users, especially for the reports.

One of the things that I think is missing in the tool is the area of managing IPv4 traffic via the IPv6 tunnel. If a few features were added to the tool, it would be great for migrating our network from IPv4 to IPv6.

I have been using WatchGuard Firebox for three years.

Considering we have even used the tool in our company for the past three years, we don't see much problem with the devices, except with what we call the updating and patching processes, which require some downplay and everything. I think we are quite satisfied with the tool's performance in our company.

I do believe the solution provides devices with a profile for a much higher requirement, but it all depends on the number of users and everything. Currently, my company is not that big, but we are supported by good vendors. I do believe the tool is scalable in terms of the devices because the product does provide a much higher model, but we don't need it because we are quite a small company.

In my company, we have only around 200 users, so we don't have many staff members.

My company contacted the solution's technical support regarding the services, especially when we had some new requirements in terms of configurations and settings or when there were new protocol rules and policies and policies that needed to be implemented. I rate the support an eight out of ten.

Positive

Previously, we used Sangfor, which is a brand from China, for our firewall and internet access management, but we switched to WatchGuard Firebox three years ago. One of the biggest reasons to use WatchGuard Firebox was related to the area of expertise. Our team or staff had experienced some lack of knowledge in Sangfor. After my company figured out which product was easy to learn and after making some comparisons, we decided to go for WatchGuard Firebox.

Compared to Sangfor, I think one of the advantages of WatchGuard Fire is the VPN solution, which includes a certain number of licenses in the package. There is no requirement to purchase more VPN licenses. The con is that Firebox is a part of the existing solution provided by WatchGuard.

When it comes to the product's initial setup phase, our vendors support us, so they handle the setup process. We don't have many issues or problems during procurement or setting up all the configurations for WatchGuard Firebox.

The solution is deployed on the hybrid cloud model.

Last time, we got the tool ready within three days. After we provided all the information that the vendors required regarding the setup and configuration settings that we needed, they set it up within three days. A third party also provides the tool's maintenance services.

From the budgetary perspective, I believe the proposed price for WatchGuard Firebox was certainly much better than the other model that had been promoted to us before because the concerned department in our company procured the tool. I don't have any specific information on it.

I am not sure about the tool's price as the commercial part is under a different department. I think the tool is quite competitive compared to the other brands.

The tool's most effective for managing threats revolves around the area of the reporting services it offers, which is cloud-based reporting, so we can get a lot of information from the services.

I don't have much experience with other models, so I can't speak about WatchGuard Firebox's security. The good thing is that because it is easier to handle, and the company that supports us provides us with a lot of information, it is easier for us to operate the product.

WatchGuard Firebox VPN features significantly enhance operations, making it easier during COVID-19, when many people work from home. There are very good features, I recall, whereby you can access office resources without requiring employees to come to the office. The tool did help us a lot during COVID-19.

Our company has a data leakage prevention solution for our email. It is quite intuitive, but it's not WatchGuard Firebox.

Whether I would recommend the product or not is something that depends since I work in a small company where the income is not too much. Other companies of similar sizes might find some similarities with our organization, so I can recommend WatchGuard Firebox to such users or businesses. Bigger or corporate users who have much more requirement settings or a large number of users should look for a different brand that can support the large numbers.

I rate the overall tool an eight out of ten.