Try our new research platform with insights from 80,000+ expert users
IT Manager at WTS Media (Wholesale Tape & Supply)
Real User
Setup, and setting up the routing — normally very complicated processes — are intuitive
Pros and Cons
  • "[A] valuable feature would be the branch office. We have five offices throughout the United States, and it coordinates the connections of those offices."
  • "In terms of the reporting and management features — and this isn't necessarily a WatchGuard issue, this seems to be more of an industry-wide issue — you get reports, but a lot of times you don't know what you're looking at. You're so overwhelmed with the data. You're getting a lot of stuff that doesn't matter, so it takes time to parse through it, to actually get what you want to know."

What is our primary use case?

It's our main firewall. We have over 120 hosts that flow through it.

How has it helped my organization?

The biggest way that it has advanced us is that when we started adding additional locations, it became surprisingly easy to do that, to create branch-office VPNs. When I was first tasked with that, I was overwhelmed with it. I thought, "This is going to be really difficult." But it was really simple. I've never actually done this, but they have the ability to program a box and ship it out there. It'll identify it by its number and just do the setup automatically. I've never been brave enough to just let it go automatically, but when I do get it in my office and set it up for the branch office, it's just a matter of just plugging in the right numbers. It works and it's very stable. That enables us to do some incredible things.

WatchGuard has been mostly cost-effective compared to other firewall systems that are out there, given the power that it has and the ease. I complain about the usability, but things such as how to set them up and how to set up the routing up are, at least, intuitive. So that's been invaluable. It's one of the reasons why I haven't moved away from them or been tempted to move away from them. These setups are very complicated and WatchGuard makes it very easy.

It does simplify my job in the sense that it's easy to set up a VPN. Setting up a branch-office VPN is rather simple, but when I have remote users, such as myself or remote salespeople who are operating out of their homes, I can use whatever solutions are out there; the software that makes it easy for them to connect. That avoids my having to go out and buy really expensive solutions like TeamViewer or LogMeIn. They are always clunky, always hard to navigate around in. With WatchGuard, remote users can pop in straight through the VPN and then RDP into their remote desktops. And everything works very smoothly and rather quickly. Anytime you VPN it's not super-fast, but it has been rather efficient and is a huge advantage. It makes my job a lot easier because I don't have to try to troubleshoot somebody else's TeamViewer account.

WatchGuard has saved me time versus having to manually help people with their remote connections. It saves me about ten to 15 hours a month of work, not having to do all that.

What is most valuable?

The basic firewall features, or just the routing, are the most valuable because that's how we configure our network. 

The second valuable feature would be the branch office. We have five offices throughout the United States, and it coordinates the connections of those offices. 

And the filtering features are okay.

It layers security in the sense that it does isolate different networks. I have in-house web hosting and that's more of a DMZ-type thing sitting out in the open, so that it has to be isolated from our network. It has Gateway antivirus, which is important. It has Gateway spam protection, but I've never actually seen it do anything. That could be because our regular spam filters grab it before it gets a chance to. It's not a direct user-security thing. Another level of security is that I do keep our guest WiFi network separate from our main WiFi network. Even though WatchGuard doesn't manage our WiFi, it does play the traffic-cop between those two networks and keeps them separate. It's more IP-based routing security than anything else.

What needs improvement?

We have several branch offices. Those things run, you forget about them. My biggest gripe was when I went to update some of my devices, to try to make some speed improvements, not only did I get hit with, "You need to renew your LiveSecurity," but there was this reinstatement fee that they threw in on top of it. That really angered me, to the point that I canceled the entire order. I actually almost replaced some of those devices and I'm looking to replace them because of that type of thing. It's fair to pay for services like filtering, etc., but I don't feel it's fair to pay for updates to a product because they're patching and fixing and updating their product because of bugs. If I want to pay for the next version of something that gives me additional features, that's fair. But to have to pay a reinstatement fee and that sort of thing, I find it to be a very poor and unethical practice. We'd never do that to our customers. The reason I haven't thrown a huge fit is because everybody does it. SonicWall will do it; Cisco. All those guys do that kind of thing. 

I really don't like that, particularly because you're talking about a device that you paid $300 for, and the reinstatement fees are another $200-plus. I can just buy a brand-new device for that, get a faster unit, and get another year of stuff. Maybe that's what they're trying to encourage me to do. But there are firewall devices out there that I can buy that will do a lot of the stuff that I need to do in the remote offices, without having to purchase a yearly or three-year plan. I keep our main system up to date, but for the small edge units, it's just an unneeded expense. That's my biggest negative and biggest gripe about WatchGuard.

In terms of the reporting and management features — and this isn't necessarily a WatchGuard issue, this seems to be more of an industry-wide issue — you get reports, but a lot of times you don't know what you're looking at. You're so overwhelmed with the data. You're getting a lot of stuff that doesn't matter, so it takes time to parse through it, to actually get what you want to know. If it gives me a threat assessment such as, "You received an attack from North Korea," I don't know what that means. I know that an IP address from North Korea hit our server, and they tried a certain attack. Is that something I should take seriously or not? I don't know.

But that seems to be true with a lot of the solutions out there. They tend to report everything, and there's not a lot of control over getting rid of the noise. I've had it report threat attacks from devices within my network, from my own PC, in fact. So it's misinterpreting some things, obviously. Reporting is not something I rely very heavily on because of that. I look at it but I don't know what I'm looking at. Instead, I have a monitor that displays various things about my network, and I will have the main screen up just to see things like which host in the network is the busiest. I tend to use the main dashboard to get real-time information.


Buyer's Guide
WatchGuard Firebox
October 2024
Learn what your peers think about WatchGuard Firebox. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.

For how long have I used the solution?

I've been using this solution for over 15 years.

What do I think about the stability of the solution?

The solution is very stable. I don't think I've ever had one crash in 15 years.

I did have one fail, but that was just a hardware failure. That was one of the very first, early units. That was years and years ago. I've never had one fail since then.

What do I think about the scalability of the solution?

It's not very scalable. You get what you get. You buy for your application but if you grow, if you were to double your network bandwidth or the like, you would have to upgrade the product. That's because the hardware can't handle that. 

You could say it is scalable if want to add additional networks and that sort of thing. It makes that fairly simple. But you do need to buy the appliance that's applicable to your network.

It's used at all of our locations and it traffic-cops our entire network. But we're not adding any new networks. As we buy companies, which we've been doing, I usually pull their firewalls out and put these in, because that's what I'm familiar with, if I can't interface their existing firewalls with it.

How are customer service and support?

Their tech support, the few times I've used them, have been excellent. Their staff has been very knowledgeable. I've had several instances where, when fixing a problem, they've made suggestions about other things not related to that problem, as they inspected the setup.

They have a very good system for logging in securely and seeing configurations without being able to check it. That's been very helpful. I've always given an "A+" to their tech support.

Which solution did I use previously and why did I switch?

It was so long ago, but I used some PC-based proxies at the time. So there was something before this solution, but my first, actual, dedicated appliance was WatchGuard.

It might be that we purchased this back in the late '90s, because our previous solutions were back during the dial-up age. It wasn't until we started getting always-on internet in the late '90s or early 2000s that we looked at a firewall. Someone suggested WatchGuard.

How was the initial setup?

The initial setup is straightforward. Network setup is complex because setting up networks is complex. I will give them props for making a very complex task a little easier. I don't know a way you could make it any easier than they do. I have done network setups in other firewalls that I thought were way more complicated and more convoluted. We've set up a branch office with some SonicWall devices and my setup screen was a whole lot easier than theirs.

The deployment itself takes an hour, if that. I've done upgrades, but I haven't done a straight, flat-out deployment in a long time. But usually, when I deploy a branch office or upgrade the main unit, it's usually up and running within ten to 15 minutes in most cases. If I get something wrong, then it might go to an hour or so, but usually they're very straightforward. If it's a branch-office deployment, it's just a matter of plugging it in. It takes five to ten minutes. The configuration might take another ten to 15 minutes. The one thing that's difficult when you're setting one up is that you have to isolate a computer that you can connect directly to. They have things that make that easier, but I've never tried it.

Our implementation strategy, back then, was to bring branch offices online.

The process of deploying the product to distributed locations usually means that I bring the device in-house and preconfigure and test it before I send it out to a remote location. I'm usually onsite at remote locations to install it. So my process is to order the product, configure it locally, get it correct, and then install it onsite.

In terms of using it, there are maybe ten users and they use a VPN client. They directly interface with it. It's primarily me who manages it. I'm the only user who actually sets the configurations up in it.

What about the implementation team?

I purchased it from a retailer at CDW and did the deployment myself.

What was our ROI?

Being able to control network traffic and being able to monitor employee activity on the network are things you can't quantify, but there's definitely a cost that you could attach to each. If we have users that we find are spending too much time on social networks, we can address those issues, replace the employee if they don't comply, or help them with their productivity, etc. 

A firewall is a necessary evil. You've got to have one. It's one of the less expensive but powerful models. I've always been very impressed with that. There's a definite return on investment in terms of that the branch-office option. I didn't have to pay anything extra for that. It was just built-in. Those can get upwards of thousands of dollars with other solutions. One solution I saw was $15 a month per user. It would be astronomical if we tried to go that route.

I don't have a number, but the return on investment is good.

What's my experience with pricing, setup cost, and licensing?

I buy a three-year renewal on the main device, which is usually around $3,000 to $4,000. They usually upgrade the device when I do it. You get a big discount when you do three years.

If I were to renew my other devices — we haven't renewed them — it would probably be around a couple of thousand dollars for the little edge devices.

In addition to the standard licensing fees, we pay for the filtering software. There's a web blocker, Gateway antivirus, intrusion prevention. Those sorts of things are extra. They call it LiveSecurity. I do the LiveSecurity update and that includes a lot of those features. It's a type of a-la-carte scenario. You pick what you want, and that then includes maintenance and support.

Which other solutions did I evaluate?

I can't remember what we looked at, at that time. I have looked at more recent solutions like Untangled, SonicWall, and the like, just to see what else is out there.

What other advice do I have?

Make sure you buy the device that fits your environment. Don't try to do too much with too little. You can buy one of the edge devices, and you could technically run a large network on it, but it's not going to work as smoothly. Your firewall is your primary point of security from outside intrusion so you want to do it right. Be very meticulous about your configuration.

Straight-up, walking-to-the-console usability of the solution is not very user-friendly. It's not very intuitive. However, compared to other firewalls, it's very user-friendly. So it's more user-friendly than most, but it's just not something anybody could walk up to and use. If I had to walk someone through it remotely, it wouldn't be very easy for them to do.

Each upgrade of the device, and I've had about five of them — five main devices — has allowed an increase in bandwidth and performance. They tend to work fairly consistently, but as speeds have gotten faster, you've got to upgrade the device to keep up with it. They seem to be doing an adequate job at that.

I have used the solution's Cloud Visibility feature. I wasn't really blown away. I thought, "Okay, that's neat." I haven't really dug into it deeply. I don't really think about it in the context of detecting and reacting to threats or other issues in our network. I like to be aware of threats, but threats in networking terms are always not practical. For a company like ours, we know there are going to be internet probes out there, and they're going to hit our network. The WatchGuard identifies them and locks them down. There's nothing I can do about it. It's more along the lines of, "For your information, there was an attempted attacked last night."

What I'd rather have is internal threat assessment. I want to know: "This machine started doing something last night it wasn't supposed to do. It was sending out emails at two in the morning. It shouldn't be doing that." Since it's sitting here watching the network, I'm more concerned with internal threats, and people doing things they shouldn't be doing, than I'm worried about the external threats. 

I probably should be equally concerned about them but I've never found a really good solution on that. I have some customized things that I've done that try to send me alerts if certain behavior patterns are detected. I'm scanning through the logs, and if certain keywords pop up, then I'm alerted. That's been somewhat helpful, but most of the time I get more false positives than I get actual.

We have web filtering, so I'm looking to see if anyone is going to pornographic or hacker or peer-to-peer sites. I get alerts from that and it logs those. But most of the time, I'll get hundreds of alerts on sites for a user, and I'll go over and find that the user was looking for fonts and one of the ads happened to be on a server that caused a trigger. It was a complete false positive but I don't know how to filter all that out. So the alert becomes useless. That may be an industry problem.

I would rate WatchGuard at eight out ten. There is a need for improvements in the reporting. There needs to be more granular, built-in filtering in the reporting, so that you can drill it down to exactly the information you want. The second thing would be the cost-plan of renewals. They can have a security plan and they can have a renewal plan. But if you lapse and they charge a penalty on top of that, to me that's really unacceptable. I should be able to let a product lapse if I want to. It may not be a priority. It might be something I have in someone's home and then there's just a new feature I need to add. As I'm going down the road I should just be able to buy that when I want. To put in reinstatement fees is a big negative to me. Granted, they all do it, but they all shouldn't do it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Product Manager of IT Ops and Management at ManageEngine A division of Zoho Corporation.
Real User
Top 10
Has an easy configuration and an intuitive user-interface with transparent licensing
Pros and Cons
  • "WatchGuard Firebox offers a satisfying VM and hardware"
  • "It's very difficult to find a reseller of WatchGuard Firebox to purchase a license"

What is our primary use case?

I have used WatchGuard Firebox for firewall testing purposes and setting up a couple of new projects for my company. I test the solution's efficiency in blocking IPs, role management and policy optimization. 

What is most valuable?

The product can be configured very easily. The license model of WatchGuard Firebox is also simple and transparent. A purchaser can effortlessly obtain the required features through the license system. 

WatchGuard Firebox offers a satisfying VM and hardware. The performance of the solution differs when it's deployed as a VM and a physical appliance. 

All basic firewall-based tasks, such as creating a policy or role, can be effortlessly implemented using WatchGuard Firebox. The user interface is simple and intuitive, allowing even a beginner to complete tasks without difficulty. 

What needs improvement?

It's very difficult to find a reseller of WatchGuard Firebox to purchase a license. The number of resellers for the solution should be increased through partnerships. The solution's network observability should be improved. The observance adaptability of different WatchGuard devices is minimal and it should be improved. The information or guidance provided by the vendor for using APIs, syslogs and exports should be enhanced. 

For how long have I used the solution?

I have been using WatchGuard Firebox for eight years. 

What do I think about the stability of the solution?

I would rate the stability an eight out of ten. It's a fairly stable product. 

What do I think about the scalability of the solution?

I would rate the scalability a seven out of ten. In our company, when we perform some load tests on one interface, there is a requirement for multiple packet drops at times, which the firewall might not be able to handle, and the other interfaces might go down as well.

There are some performance issues in WatchGuard Firebox when the load is high, but within limits the solution works perfectly. There are seven users of WatchGuard Firebox in our organization for the network administrator cycle. The solution is used daily in our company. There are no plans to increase the usage of the product any time soon in our organization as it is being used only for testing purposes. 

How was the initial setup?

The solution has a seamless initial setup process. I would rate the initial setup a nine out of ten. All the deployment aspects of WatchGuard Firebox are straightforward, and all basic features are available, but for advanced features, many professionals might prefer other solutions over WatchGuard Firebox.

The deployment process of the solution took about an hour in our company, it was a step-by-step configuration process but there were some issues with the VM otherwise it would have taken much less time. One professional is enough to deploy WatchGuard Firebox. For maintenance of WatchGuard Firebox only one person is required and multiple professionals monitors the solution in rotational shifts. 

What about the implementation team?

The solution was implemented completely in-house. 

What's my experience with pricing, setup cost, and licensing?

I would rate the pricing as four out of ten. It's an affordable tool. The basic product license costs our company ₹400,000 per year. In our organization, we don't purchase any security add-ons with WatchGuard Firebox. 

Which other solutions did I evaluate?

I am part of the research and development team, so I parallelly use competitor solutions from vendors like Palo Alto, Sophos and Check Point. 

What other advice do I have?

Our company professionals claim that WatchGuard Firebox is competent with other firewall solutions in the market. For security purposes, our organization mostly relies on proxy software and other application firewalls.

Our company is majorly concerned with the application firewall and not the network security; this is why we choose application firewalls like WatchGuard Firebox, which can be used both as a VM and physical appliance. In our organization, we use the solution not only for testing purposes but also for data centers. 

I would rate the product's performance and reliability for the remote workforce an eight out of ten. When I setup a data center and keep the solution as an entry point, then later on when I access it through a VPN, it will be flawless. It's very easy to configure a VPN using WatchGuard Firebox. The solution will showcase stability and easy accessibility even in remote functions.

For small and medium-scale networks, WatchGuard Firebox will be an ideal and cost-effective solution. I would rate the solution as eight out of ten. I would surely recommend the solution to others. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Buyer's Guide
WatchGuard Firebox
October 2024
Learn what your peers think about WatchGuard Firebox. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
Ronald Lewis - PeerSpot reviewer
IT Manager at Invest Barbados
Real User
Top 10
Useful VPNs, effective web filtering, and cost effective
Pros and Cons
  • "The most valuables feature of WatchGuard Firebox are the VPNs, and web filtering where we can stop users from going to malicious sites."
  • "The VPN aspect of the WatchGuard Firebox is an area that could potentially benefit from improvement. We encountered difficulties while attempting to integrate Windows 11 laptops into the system, which resulted in unreliable connections. After some research, we discovered that this was primarily due to compatibility issues with Windows 11 and required a patch. However, it was still a challenge as it seemed that even when we tried to keep the laptops on Windows 10, they still exhibited the same issues as Windows 11 machines. Despite WatchGuard attributing the problem to Microsoft, we were eventually able to find a solution and all the machines are now functioning seamlessly."

What is our primary use case?

The utilization of the WatchGuard Firebox system is as follows: the head office, located in Barbados, has two remote offices in New York and Toronto that utilize Cisco for their VPNs, which are running to these two locations for the branch offices. The email system has three locations for redundancy, two in the UK in Purley and London, and one in Toronto, Canada. Employees who work from home, access the office through mobile VPNs.

How has it helped my organization?

The WatchGuard Fire Box has greatly improved the functioning of our organization, especially in the wake of the COVID-19 pandemic. Prior to the pandemic, the use of VPNs was primarily limited to IT support. However, with the rollout of the WatchGuard Fire Box, all of our staff members in Barbados, Toronto, and New York were able to seamlessly transition to working from home. The WatchGuard Fire Box also provides a unified track for virus scanning, which enhances the security of our connections. Additionally, we have moved our email off-island, which has made the SPA filtering from WatchGuard redundant. Overall, the WatchGuard Fire Box has played a critical role in enabling our organization to adapt to the challenges posed by the pandemic and work efficiently from home.

What is most valuable?

The most valuables feature of WatchGuard Firebox are the VPNs, and web filtering where we can stop users from going to malicious sites.

What needs improvement?

The VPN aspect of the WatchGuard Firebox is an area that could potentially benefit from improvement. We encountered difficulties while attempting to integrate Windows 11 laptops into the system, which resulted in unreliable connections. After some research, we discovered that this was primarily due to compatibility issues with Windows 11 and required a patch. However, it was still a challenge as it seemed that even when we tried to keep the laptops on Windows 10, they still exhibited the same issues as Windows 11 machines. Despite WatchGuard attributing the problem to Microsoft, we were eventually able to find a solution and all the machines are now functioning seamlessly.

The solution comes with a web interface that facilitates configurations, but it doesn't have the same level of functionality as the installed client or system manager. The web UI could be further improved.

In a future release, the detection of ransomware would be helpful. Ransomware is our biggest fear.

For how long have I used the solution?

I have been using WatchGuard Firebox for approximately 20 years.

What do I think about the stability of the solution?

I rate the stability of WatchGuard Firebox a nine out of ten.

What do I think about the scalability of the solution?

Approximately thirty individuals are currently utilizing the Watchguard Firebox solution. This includes a diverse range of individuals from the CEO and directors, to managers, secretaries, clerks, and even our receptionist. Given the recent trend of remote work, it has become increasingly necessary for all individuals within the company to have access to the firewall for their daily job duties.

As a government agency, our budget has been impacted by the current economic circumstances, which has resulted in a reduction in funding. Consequently, it would not be feasible to allocate additional resources toward increasing usage within the next year or two. Nonetheless, we will strive to maintain the current level of functionality and make any necessary updates to ensure a smooth operation.

I rate the scalability of WatchGuard Firebox a nine out of ten.

How are customer service and support?

There is a time difference when I have tried to receive support causing some challenges.

I rate the support from WatchGuard Firebox a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used Check Point previously.

How was the initial setup?

The deployment took us a couple of hours and it was simple.

The deployment process for the WatchGuard Firebox in our department was a rather straightforward one given the size of our team. Being the head of the department and the sole person responsible for handling firewalls, I was in charge of conducting the entire process from start to finish. This involved a considerable amount of research to determine the most suitable option, followed by cost analysis to ensure that we were making the most cost-effective decision. Ultimately, I was responsible for making the selection, conducting the implementation, and overseeing the entire process, which required me to take on a multitude of tasks and responsibilities.

I rate the setup of WatchGuard Firebox an eight out of ten.

What about the implementation team?

We did the deployment of the solution in-house.

What was our ROI?

We have seen an ROI from using the solution.

I rate the ROI of WatchGuard Firebox a nine out of ten.

What's my experience with pricing, setup cost, and licensing?

Despite the fact that there is always room for improvement, the current pricing of the solution is still lower compared to its competitors.

I rate the price of the WatchGuard Firebox an eight out of ten.

Which other solutions did I evaluate?

We have evaluated SonicWall and Cisco, but the choice to choose WatchGuard Firebox was based on cost and reputation.

What other advice do I have?

We use two people for the maintenance of the solution.

I would recommend it and tell them to try it. It is a cost-effective, reliable solution.

I rate WatchGuard Firebox a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ITManagedf70 - PeerSpot reviewer
IT Manager at a engineering company with 11-50 employees
Real User
Geolocation allows us to lock down certain policies to only U.S. IPs
Pros and Cons
  • "One of my favorite features is the Geolocation service, where you can actually block specific activity or IP addresses registered to certain countries. For example, I don't want any web traffic from Russia or North Korea. I may even lock down certain policies down to 'I only want U.S. IP addresses.' I find that very useful."
  • "They've done a lot of work with their SD-WAN, which we do use, to have our old internet service with our new internet service. If anything goes down on a particular interface, I can have different rules applied. Most of my users don't even know when our primary internet goes down anymore... I don't have to be here to do anything to switch it to our backup internet or to switch it back."
  • "Reporting is something you've got to set up separately. It's one of those things that you've got to put some time into. One of the options is to set up a local report server, which is what I did. It's not great. It's okay... Some of the stuff is a little complicated to get up and running. Once you do, it becomes very user-friendly and easy to work with, but I find there are some implementation headaches with some of their stuff."

What is our primary use case?

It's our primary firewall. It's also our UTM device, so we have multiple security layers enabled on it.

We're using an M270 firewall with version 12.5.

How has it helped my organization?

With WatchGuard, I've got a lot of WebBlocker rules set up which help quite a bit, blocking a lot of suspicious and parked domains. Between WebBlocker, the Botnet Detection, the website reputation filters going, and IPS - which is one that is essential, but nobody really talks about a whole lot; between all those things working together, and even the antivirus, I feel our network is pretty clean. And if there is some suspicious activity, I think I have a better chance of being alerted to it. I've even been able to set up Application Control rules, so that something like Windows Update doesn't deplete too much bandwidth. There are whole bandwidth controls you can set up which aren't necessarily security-related, but they can help make sure that one particular function doesn't take up so much bandwidth that the users are affected. WatchGuard has layered security, but I also have other layers beyond that.

I wouldn't necessarily say it has simplified my job but I am very happy to have it. I'm very glad we went with WatchGuard. I was impressed with WatchGuard for a lot of other reasons like their education and training videos. They do a lot of little security announcements about what's going on with other companies in the industry, so that part has made my job easier. I wouldn't say it's made my job more difficult either. It has definitely made me feel more comfortable about the security here, but I wouldn't say it simplified things. We had a very simple firewall which was almost a small-business router. It had a little firewall screen with four settings on it that really didn't do a whole lot. So, I can't say WatchGuard simplified things for me. It's just we're much more secure and it hasn't overly complicated things.

What is most valuable?

One of my favorite features is the Geolocation service, where you can actually block specific activity or IP addresses registered to certain countries. For example, I don't want any web traffic from Russia or North Korea. I may even lock down certain policies down to "I only want U.S. IP addresses." I find that very useful. That was not a feature that was initially there for us. It was something WatchGuard released after we bought our first device with them and it is one I am very happy with.

I may want to only allow U.S. IPs onto a specific interface that I share files with, for security reasons, or I may know of a security issue in a particular country. I can just block that whole country for all my users. Or maybe I'm seeing a lot of malicious links coming out of South Korea, even, and I just say, "We don't go on a lot of websites there, let me just block that country completely," and if we do need to get on a website, I'll just make an exception. It improves security and helps block malicious links.

There's a little bit of a learning curve in getting everything working. But once you understand how all the pieces work, and the fact that you're using physical hardware with a web interface alongside a piece of software installed on your computer, and you learn what to do in each location, it's very user-friendly.

I like the management. There are some nice dashboards and other things to keep an eye on things. There are email alerts, once you get those configured. Once again, they're a little complicated to get set up, but once they work, they work well. Management is pretty easy. 

The version I'm on, 12.5, came out last week. I try to stay pretty current and they do add features and improve usability and functionality often. It's one thing I've been happy with. It's not like they say, "Here are the modules you bought with it four years ago and that's all you have." They're constantly adding, developing, improving. 

They've done a lot of work with their SD-WAN, which we do use, to have our old internet service with our new internet service. If anything goes down on a particular interface, I can have different rules applied. Most of my users don't even know when our primary internet goes down anymore. It does run slower on our backup, but they don't know the difference unless they're doing some kind of bandwidth-intensive function or streaming. I don't have to be here to do anything to switch it to our backup internet or to switch it back. They've developed that feature even more, to allow you to have different rules for different policies or different interfaces to behave differently, depending on what happens with either packet-loss or latency, with multiple internet sources. That is pretty helpful.

What needs improvement?

Reporting is something you've got to set up separately. It's one of those things that you've got to put some time into. One of the options is to set up a local report server, which is what I did. It's not great. It's okay. I've heard their Dimension control reporting virtual machine is supposed to be a lot better, but I haven't had the time our resources to set that up. Some of the stuff is a little complicated to get up and running. Once you do, it becomes very user-friendly and easy to work with, but I find there are some implementation headaches with some of their stuff.

I wish I had a contact at WatchGuard because there are a few things I'm not using. I'm not doing packet inspection because I know it's pretty intensive to install certificates on all my computers and have it actually analyze the encrypted traffic. That's something I'd like to do but I'd really like to talk to somebody at WatchGuard about it. Is that recommended with my number of users with my piece of hardware, or is that going to overload everything? I'm not using Dimension control. I'm not using cloud. If I had a sales rep or a support person that I could just check in with, that would help. Maybe they could do yearly account reviews where somebody calls me to say, "What are you using? What are you not using? What would you like more information about?" That sort of thing could go a long way.

They do a lot of education, but it's sent out to the masses. They have really good emails they send out which I find very valuable, talking about the industry, security events, and other things to be aware of. But there's not too much personal reaching out that I've seen where they're say, "Hey, how can we help your company use this device better? What do you feel you need from us?" That's my main recommendation: There should be somebody reaching out to check in with us and help us get more out of our device.

For how long have I used the solution?

We've been using WatchGuard for over four years.

What do I think about the stability of the solution?

It's very stable.

I've only even had one update that I applied that caused problems, that I had to roll back. I don't recall any kind of issue where I had to reboot the device to fix something. Somewhere along the line, WatchGuard, with their free training and free training videos, had recommended setting up an automatic reboot once a week just to keep everything clean, fresh, and healthy. I set that up during to reboot every week during off-hours on the weekend and I've had almost zero problems with it. Even with the updates, as I said, I can only think of one instance where there was a problem. I had to roll the update back, which was very easy to do, and then wait until the update patch came out and fixed the problem. That only happened once.

I've been very happy with the stability and reliability of not just the device and the software, but WatchGuard as a company.

What do I think about the scalability of the solution?

With my needs and my network, I feel we could add bandwidth and add users for a while, before we would run into any issues. It's scalable for my needs with my device.

How are customer service and technical support?

I don't think I have used WatchGuard's technical support. If I did, it might have been once.

I haven't really needed it too much. As I said, they have some good YouTube videos that they put out themselves on setting up stuff. That's my first resource when I want to get into a new feature I'm not using. They've got pretty good notes in there, so when I update software on the device itself, I go through their installation guide or their admin guide for that version of the software and it's all pretty straightforward. It lays out the new stuff they changed and what you need to be aware of, so I haven't needed to bug them.

Which solution did I use previously and why did I switch?

We didn't have anything like this before, so it's not necessarily saving me time, but it did add a whole other level of security to our network, which we really appreciate.

We had a small-business Cisco basic solution. They called it a security router, but it was just a small device that sat on the shelf and which mostly provided internet access. It had very simple firewall controls: two or three check-boxes to do basic filtering. So we did have something, but it was nowhere near the level of the WatchGuard.

We switched to WatchGuard because we did not have a UTM device like we do with WatchGuard. We needed to upgrade the old device because it wasn't performing well anyway. I suggested that we needed something more appropriate, or with more layers of security than what our other small, entry-level device was offering. We did review solutions from a few other firewall vendors and WatchGuard offered, in my opinion, the best protection for the cost.

How was the initial setup?

The initial setup was a little bit of both straightforward and complex. I'm a technical person. I read an instruction manual before I do something, whether it's putting a piece of gym equipment together or implementing something like a WatchGuard firewall. I had gone through all of their admin guides and getting-started guides and recommendations. So it was pretty straightforward, but there were a lot of steps and a lot of things to work through.

Something as simple as email wasn't just set up by specifying the IP address of your email server. I had to enable a bunch of things on the web interface and then install the software on my computer and set it up as an email relay. That was the only way to get email alerts, which I found a little shocking because email alerts should be critical on these things. I guess bigger companies may have alert servers or Syslog servers or other things they're using. But we're smaller and we don't. So that was one thing that I found was a little more complicated than it should have been for the importance of the feature. And now I have a computer and a firewall and if one or the other isn't working, those email alerts don't work.

Our deployment did not take long. It was no more than a week or two. I did it pretty quickly. I convinced the owner why we needed it and why this was the right move. I wanted to make sure I implemented it quickly and that we got some benefits out of it right away. I didn't want to let it sit around. It took less than two weeks.

My implementation strategy was mostly what I mentioned above: Review all of the guides, all of the walk-throughs, a couple of tutorial videos, get a baseline of what I wanted to enable and how. Then I did it offline, as you would expect. I brought the device into my office, got it updated, got everything baselined and set up the way I needed it to start with. From there it was just switch out early in the morning before users were in the office. It was nothing too out of the ordinary.

For deployment and maintenance of the product, it's just me.

What about the implementation team?

I did it myself.

What was our ROI?

I believe there has been ROI, with the level of protection and things that are being blocked that we're aware of. And there is just the peace of mind of knowing certain things.

Some of this I'm simplifying a little bit because, again, a lot of these things have been implemented over the last four-and-a-half years. I'm thinking now of other features I've implemented that I'm very proud of, like locking down remote access software so people can't just come and use any remote access software to get in or out of our office. There's a sense of security because I only allow the remote-access software that we pay for and use. I don't allow any other protocols to get through. It is making sure we don't have people who work here doing weird things, but it also makes it harder for other people to break in. Just that peace of mind and all the other layers we have working is worth the money, in my opinion.

What's my experience with pricing, setup cost, and licensing?

We had a trade-in offer at the end of our first three-year term. As a result, we pretty much got a free device by buying the three-year subscription. It was around $3,000 for the three-years.

Which other solutions did I evaluate?

We probably looked at SonicWall and ForcePoint, but it's been a number of years so I don't recall much of that process.

What other advice do I have?

Do your research. It's not impossible. Do things in a logical order and make sure you understand what you're doing and how you're going to do it. Once you understand it and get everything working the way you want, it does get very easy to use and work with from there. Once you get over the learning curve of how all the pieces work together, it's very easy, very user-friendly, very easy to update, and very easy to make changes and document those changes - all that good stuff.

I tend to buy the hardware platform that's like one level above where we think we absolutely have to be at a minimum, so the performance has been adequate or good. I've yet to hit an issue where I feel the device is slowing us down or causing any issues because of the performance of the device, itself. We're usually limited more by our actual bandwidth. It's been great as far as our network and needs go.

In terms of the extent to which we're using the product, six months ago when I renewed the second three-year term, the subscriptions had changed quite a bit from when I had my first three-year term. Now, I have a whole list of new subscription services or modules or layers that I have not started implementing. I got a couple of the new ones implemented, to get some of the benefit, when I first got this new device. But there are a few more I want to implement. One of them, is packet inspection, which is difficult because that can really bog down your device. I'd like to have Dimension control to get better reporting. There are a couple of other ones that I have not implemented because they're new for me and I just haven't had the time to work on them. Threat Detection and Response is one I'm interested in which I haven't time to implement yet. It involves me setting up a client in each one of my endpoints and it keeps track of unusual activity there. That's probably where I want to go next. Maybe even the Access Portal could be useful for me, to have a place for vendors or customers go to access things inside our network.

We've gotten more features for our money because there's a new security package which wasn't available when I first subscribed, and that included pretty much everything. I had paid separately for APT, Advanced Persistent Threat protection, on my old subscription. To get that now, it was cheaper to bundle it with their total threat package. That included a lot of things like DNSWatch, which I did set up to look for malicious DNS access requests throughout my network. It gave me intelligent antivirus. I believe there's some kind of DLP module, which is one I haven't spent any time on. Network Discovery is another one I haven't spent time on that I need to work on. All of those came as new features with the new hardware and with that new subscription. The Threat Detection Response is definitely something I didn't have access to before. For sure, in this second three-year term, we got a lot more value for the money with what WatchGuard offered us.

I would give WatchGuard an eight out of ten. There's a little bit of room for improvement but I'm very happy with WatchGuard. I think it's a good fit for me. I won't often give a ten, just on principle, unless I feel they deserve a 12. That's when I give a ten.

I've definitely said positive things about WatchGuard to other people in the industry, people I talk to or know. I'm a promoter of WatchGuard, to be honest. I haven't seen anything I like better, but I haven't had a lot of experience with other devices. I've said good things to people on a regular basis, especially about WatchGuard's education, the emails and videos and other stuff they put out to try and help people, even when it's not related to WatchGuard products.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
IT Manager at Horizon Forest Products LP
Real User
Allows us to self-manage our network and branch office VPNs while saving money
Pros and Cons
  • "The firewall aspect and the branch office VPNs are the most valuable features... We don't have any issues with it. We don't have to spend a lot of time maintaining it."
  • "We use WatchGuard to manage our failover for internet. If a primary internet goes down, it does a failover to the secondary the internet. However, what it doesn't do so well is that if the primary internet has a lot of latency but it's not completely down, it doesn't do a failover to the backup in a timely manner."

What is our primary use case?

We use it for our firewall as well as for our branch office VPNs.

How has it helped my organization?

The WatchGuard devices allow us to self-manage our network and our branch office VPNs. As a result, we've saved ourselves a lot of money, without compromising our security. It provides a much more economical and effective solution. We used to have an MPLS network which was a cloud-based firewall system and it cost us a small fortune every month. But when we implemented all these firewalls and got it all configured, up and running, we literally saved ourselves $10,000 a month.

It makes managing the network a lot easier. It takes care of our network for us.

Once it was set up and running, it began to save us time. It works, and we spend very little time managing it. We have very few issues with it. We might spend an hour a month managing it, if that.

What is most valuable?

The firewall aspect and the branch office VPNs are the most valuable features. They just plain work. We don't have any issues with it. We don't have to spend a lot of time maintaining it. You set it up and, for the most part, you can forget about it.

In terms of the usability:

  • It's user-friendly with an easy user interface.
  • It has a lot of features.

The throughput the solution provides is good.

In addition, WatchGuard provides our business with layered security. It certainly protects our network, blocks unwanted incoming traffic and, at the same time, can manage outbound traffic too.

What needs improvement?

We use WatchGuard to manage our failover for internet. If a primary internet goes down, it does a failover to the secondary the internet. However, what it doesn't do so well is that if the primary internet has a lot of latency but it's not completely down, it doesn't do a failover to the backup in a timely manner.

For how long have I used the solution?

We've been using WatchGuard for about three years.

What do I think about the stability of the solution?

The stability is great. 

What do I think about the scalability of the solution?

We don't really have any experience with the scalability. We implemented the appropriate devices for our size and we haven't really grown to the point that we've had to upgrade devices. The scalability is fine in the sense that we have some locations with more people, and WatchGuard has a slightly beefier device than we use at some of our smaller locations. All in all, it works well.

All of our networks are managed by WatchGuard. If we add locations we'll be using it for them as well in the future, although we don't have new locations on the horizon. We use it every day because it manages our network. Because all of our network traffic runs through WatchGuard, everybody uses it. But they're not using it for a specific function, other than to communicate between locations.

How are customer service and technical support?

The customer service is good. If we have an occasional issue there are helpful. They help us resolve problems. Overall, I'm pleased.

Which solution did I use previously and why did I switch?

We had a third-party MPLS network that managed all of the cloud-based software but it was very expensive. It was similar in effect, but it was a third-party, as opposed to WatchGuard which is self-managed. The main reason we switched was the pricing.

How was the initial setup?

The initial setup was a little complex. But once we understood how it works and after we got the first one configured, the rest of the firewalls were pretty easy. It is pretty straightforward. It is just a matter of learning it initially: understanding the nuances of the application and the user interface, understanding how to set it up and understanding what does what and the naming of features. That initial learning curve was a little steep, but once we got into it, it made a lot of sense.

Company-wide, our deployment took about 30 days.

Our initial implementation strategy was to do a backup to the internet and ultimately remove our MPLS and use the branch office VPN to manage it ourselves.

What about the implementation team?

We were helped by an authorized WatchGuard reseller on the initial setup. Once we got through the first one, we took over from them internally. The reseller was NetSmart. Our overall experience with them was very good.

We still have a relationship with them. We do a lot of our stuff in-house, but if we have something that we need a little bit of help with, we do reach out to them from time to time. But doing so, for us, is pretty rare at this point.

What was our ROI?

We have absolutely seen return on investment. We saved a small fortune switching over. It paid for itself, literally, within the first couple months.

What's my experience with pricing, setup cost, and licensing?

When we bought them we got a three-year license for each device. The two larger devices are about $1,000 each and the smaller ones are about $500 or $600 each. 

There are some additional software features that you can add on and pay for, but we don't use them. 

Which other solutions did I evaluate?

We didn't evaluate other options. The WatchGuard reseller was a company we had done business with before and they recommended it right out of the gate. We went with that.

What other advice do I have?

It's worth it, depending on your current network environment. If you are in the same situation we were in, it's really a no-brainer going from the MPLS network to self-managing it with simple broadband internet. It works great. To be honest, you'd be crazy not to do it. The advantages of WatchGuard over MPLS are that it's cheaper and you have more control because it's self-managed. The only con is that it does require a little bit of maintenance that you wouldn't otherwise have to do, but it's minimal.

In terms of distributed locations, we have a firewall at all of our locations. Once we got it set up we'd visit a branch, install it, test it, and implement it.

As for maintenance, it requires just one person, a network administrator. We manage it ourselves and there's not a whole lot to it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Rajesh  Makwana - PeerSpot reviewer
Regional Pre-Sales Engineer at Roundrobin Tech
Reseller
Top 5
Efficient bandwidth management and secure network access with a strong firewall
Pros and Cons
  • "Some of the most valuable features of the Firebox include web blocking, application control, protection against brute force attacks, load balancing, SD-WAN, and VPN support. These features help us manage and secure our network efficiently."
  • "One area for improvement is the limitation in the product portfolio compared to competitors like Fortinet, which offers a broader portfolio including Authentication, VPNs, FortiMail, Sandbox, and Email Security."

What is our primary use case?

The primary use case of the Firebox mainly revolves around bandwidth management, unnecessary web blocking, application control, and protection against brute force attacks. It is also implemented for load balancing, SD-WAN, and branch-to-branch connectivity from one location to another. We also use it for securing access through VPN and enforcing network security policies.

How has it helped my organization?

The WatchGuard Firebox has helped in securing our network by implementing a strong firewall with various features like VPN support, gateway antivirus, and application control. It has aided in preventing brute force attacks and managing our bandwidth effectively.

What is most valuable?

Some of the most valuable features of the Firebox include web blocking, application control, protection against brute force attacks, load balancing, SD-WAN, and VPN support. These features help us manage and secure our network efficiently.

What needs improvement?

One area for improvement is the limitation in the product portfolio compared to competitors like Fortinet, which offers a broader portfolio including Authentication, VPNs, FortiMail, Sandbox, and Email Security. WatchGuard's focus on UTM solutions may not meet the needs of all enterprise customers.

For how long have I used the solution?

We have been using the WatchGuard Firebox for approximately five years.

What do I think about the stability of the solution?

The stability of the WatchGuard Firebox can vary depending on the customer network environment. The performance and latency may differ from customer to customer and infrastructure to infrastructure.

What do I think about the scalability of the solution?

The scalability of the Firebox depends on the specific model and the number of concurrent users it can support. Different models offer different VPN capacities and can be tailored to fit the needs of various sizes of organizations.

How are customer service and support?

Customer service and support are not explicitly mentioned in terms of rating, but overall feedback seems positive.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have previously used various solutions including CyberRooms, Sophos, Fortinet, SonicWall, and other competitors. We largely switched to WatchGuard to integrate their UTM solutions and later their acquired endpoint security portfolios.

How was the initial setup?

The initial setup of the WatchGuard Firebox is straightforward and time-saving. It is designed to be user-friendly even for those with basic IT knowledge, making it easy to deploy and manage.

What about the implementation team?

Implementation can be done by internal IT teams. WatchGuard also provides support for implementation, ensuring that the configurations are appropriately pushed as per the model and requirements.

What's my experience with pricing, setup cost, and licensing?

WatchGuard offers cost-effective solutions, especially beneficial for economically-constrained customers. Pricing and discounts are deal-dependent and vary based on customer requirements.

Which other solutions did I evaluate?

We evaluated multiple products, including Fortinet, SonicWall, Sophos, CyberRooms, and various others in the market.

What other advice do I have?

To maintain the efficacy of the Firebox, it is crucial to renew the subscription to get security updates and additional support features. Ensuring the subscription is up-to-date is necessary for ongoing product support.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Flag as inappropriate
PeerSpot user
Systems integrator at It- Consulting
Real User
Top 10
Controls internet access and offers DNS protection and geofencing features

What is our primary use case?

The solution controls who can connect to the Internet and who cannot and which protocols and services are allowed to pass through. It manages VPNs, including back-office VPNs. It also provides web-blocking features for users who want to restrict access to certain types of content.

How has it helped my organization?

Compared to competitors in the same segments, WatchGuard Firebox is an excellent firewall to implement.

What is most valuable?

WatchGuard Firebox offers DNS protection along with geofencing features. Additionally, the SSL VPN combined with multifactor authentication is excellent and a standout feature. 

What needs improvement?

The product is expensive. The pricing could be improved.

WatchGuard Firebox offers various models, each designed to meet different needs. While it's true that the models share many features, consolidating the lineup into fewer models could be beneficial. For example, they could have distinct models for small, medium, and large enterprises, each capable of scaling according to the number of users or throughput requirements. This approach would streamline their offerings, making it easier for customers to choose the right Firebox for their needs.

For how long have I used the solution?

I have been using WatchGuard Firebox for 25 years.

What do I think about the stability of the solution?

The solution is very stable. I rate the solution’s stability a ten out of ten.

What do I think about the scalability of the solution?

The solution’s scalability is good. 20 customers are using this solution.

I rate the solution’s scalability an eight out of ten.

How are customer service and support?

WatchGuard support is highly effective. They maintain an excellent support and help desk service.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Once, I had to connect with a Cisco device on the remote side, which also went smoothly. It was between a customer and a third-party firm conducting business with my customer. They needed to establish a connection to their Cisco Firewall, and the implementation process was as smooth as setting up the back-end VPN.

How was the initial setup?

The initial setup is straightforward. A simple installation for a small business takes about four to six hours. One IT guy is enough for the deployment.

What's my experience with pricing, setup cost, and licensing?

I rate the product’s pricing an eight out of ten, where one is cheap, and ten is expensive.

What other advice do I have?

The solution is transparent and easy to set up and maintain. 

WatchGuard Firebox has always been very effective for many customers who use Firebox to connect their remote sites. Additionally, many customers log in to a Firebox using the WatchGuard Mobile VPN with multi-factor authentication. This setup has proven to be very stable, high quality, and easy to configure.

Customers find WatchGuard Firebox to be an expensive solution, but some of them recognize its necessity. However, some customers initially fail to see the need for a firewall. Yet, when it comes time for renewal, after a year or three, they begin to understand its importance, often aided by a chart explaining its benefits. Just like a car requiring periodic servicing, a firewall also necessitates attention.

I recommend WatchGuard Firebox to others because it's a very good product. Firstly, it boasts numerous nice features. It's straightforward to implement, maintain, and understand. One particularly appealing feature is the real-time traffic monitoring.

Overall, I rate the solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
PeerSpot user
Owner at a construction company with 51-200 employees
Real User
Competent, basic front-end; the ports that I have assigned appear to be unattainable to outsiders
Pros and Cons
  • "The ports that I have assigned appear to be unattainable to outside 'mal-actors,' unless they have an address registered on the internet that this thing is expecting. That's a layer of security."
  • "I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that."

What is our primary use case?

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

What is most valuable?

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

What needs improvement?

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

For how long have I used the solution?

I've been using Firebox for two or three years.

What do I think about the stability of the solution?

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

What do I think about the scalability of the solution?

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

Which solution did I use previously and why did I switch?

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

How was the initial setup?

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

What about the implementation team?

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS , and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

What's my experience with pricing, setup cost, and licensing?

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

Which other solutions did I evaluate?

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

What other advice do I have?

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free WatchGuard Firebox Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2024
Buyer's Guide
Download our free WatchGuard Firebox Report and get advice and tips from experienced pros sharing their opinions.