WatchGuard Firebox Reviews

We use it in my company and for my clients as well. We sell Internet access, so we use them as a firewall to hopefully protect our clients. We work with one of our partners, who is a certified WatchGuard engineer, and have come up with a fairly good plan to get these completely fired up and working. That makes a huge difference.

We're now up to the 7 Series. We've gone through WatchGuard 3 Series, 5 Series, and 6 Series. So, we've gone through several different versions over the years.

Firebox's reporting and management features have been very helpful to us. Unfortunately, we don't always have them turned on at the right time. That's something we have to be aware of. However, once they're turned on, they seem to do really well in identifying things across the board for us. We can usually hunt down problems very quickly and go from there.

The solution provides our business with layered security.

We do most of our services now as Voice over IP services. We do not do computer services. We have been able to slowly pair down exactly what we need to program within Firebox to give us the best quality of service for our customers. 

We can open or close individual ports, which most can, but I like the way that this programs. Meaning its GUI interface versus Cisco's, where their interface is still not all that great. We just become very comfortable with WatchGuard over the years because we know what to do with them.

We have found it to be very usable and friendly. We can use it for identifying and hunting down. If we run into a problem for some reason, the reporting capability makes it much easier for us to ID where problems may be.

Depending on what specific model you get, along with how deeply reprogrammed and restrictive we make it, their throughput is pretty good. Though, the models are all pretty close to the same. We get about an 85 to 90 percent throughput, depending on which of their security platforms we install. Some will take a little bit more and some will take a little less.

The pricing could be improved. It is definitely one of the more expensive products, though you can't really compare it to Ubiquiti or SonicWall.

About 15 years.

Its stability and reliability make it a good product for us.

Over the last 15 years, there has been only one Firebox in which we've had any hardware problems and one box in which we have had a software problem. In both cases, WatchGuard overnighted a new box to us so we had it the next day, then we were able to repair or replace, as necessary.

They seem to be fairly stable. Like anything else, it's an electronic device that can last for 10 minutes or 10 years.

They have put together a good process where we can go in and see, based on the processor power of Firebox, which one we would want to use on what circuit size. They have it from very small to extremely large.

We have four telephone technicians in the company who have had the training and capability to work on Firebox.

For us, a large environment is somebody with 250 or 300 users inside the company.

Our partner has used their support. It's really good support. If they don't answer immediately, they get back to you very quickly, usually in less than an hour.

We see cases where several of our clients are switching from a different firewall to WatchGuard. With Cisco, it depends on who's supporting it. SonicWall seems to give us a bit more problems when it comes to interfacing with IP telephone devices or if we're doing SIP trunking.

Firebox stabilizes it so we know we get better support for the platform and user when it comes to Voice over IP. We find a lot of them don't give us the ease of setting it up. Now that we know we have it down to what we're doing so the platform stays stable, we can imply good quality of service for the customer and keep going on so they continually get good performance on their network.

In the beginning to set this solution up, it takes four to six hours. That is to get a brand new one out of the box and make sure it's got all the latest and greatest revisions on it, then setting it up. That also depends on the size of the client that you are supporting with it.

We have a template built for it. Once we upload the template, we go in and adjust it accordingly.

We have a few Fireboxes deployed to distributed locations, not a lot. However, it does work well in a distributed environment. We have one customer who has five offices in five different states. He has Firebox for all of them and it seems to work pretty well.

Deploying to distributed locations is easy enough. We have a template. We just get the IP addresses for the network and update the template, so it has the appropriate addresses. We can either have one of their folks do it because this happens to be a tech company, not necessarily IT. However, a tech company is knowledgeable enough. We can send it out there and tell them what to plug in where and turn it on. Then, if we're really lucky, it comes up without any problems at all because we've already set it all up before we take it out to them. So, the deployment becomes easy depending on how you want to address it. There have been times where we've gone out to deploy them in different locations. Most of the time, depending on the company, we can set it up to deploy, then just plug and play.

Make sure you have a good, qualified, trained engineer to help you initially get it set up. I do not recommend you doing it on your own unless you're somewhat trained in the terminology and capabilities of the particular product.

We have an engineering specialist, who has been certified by WatchGuard, secure attack vectors for us.

Once we get done putting the solution in and getting it set, there are times that the local IT support may be different from ours. They may go in and make a few minor tweaks to it. We try to keep that to a minimum because it is just one of those situations where we would like not to have too many hands in the pot.

It saves us time in the respect that we now have the template built for it so we can get in and get it done. We've had much less problem supporting Voice over IP technologies from different companies. Because our client base has grown over the years, we're probably saving 20 to 30 man-hours a month now that we've got this on a good stable level.

They license it. When we buy it, we buy it with a three-year license. That's the most cost-effective way to do it. So, if you're going to buy it, then buy it with the three-year licensing. Only the person buying it can determine which level of licenses they have. That's something to truly consider.

There are no additional costs unless you choose their advanced licenses or different levels that they have for security. You can add on more security licenses with what you have in Microsoft today, but we have not been adding those on.

Our experience has been that Firebox actually performs a little better than some of its competitors as far as throughput goes. However, it depends on how much of their security software you get loaded, because they have different versions.

We have used other products. We've used SonicWall, Ubiquiti, and Cisco PIX. My personal favorite happens to be WatchGuard. Also, if we compare WatchGuard against Ubiquiti or Cisco PIX Firewalls, its ability to add multiple IP addresses and ports is much simpler than those. I can run several different networks off of ports that come on the hardware device. Depending on the model, there are anywhere from four to eight ports on the device, so you can plug it in at different levels.

It is a great piece of hardware.

The learning curve for this solution depends on your background. If you have some technology background, implementing it will probably be okay. They have a WatchGuard academy. If you have no background at all, I wouldn't suggest you do it. In comparison, when you get trained with Cisco, there are several different classes to go through and each class is several hours long.

I would rate it as a nine or nine point five out of 10.

The purpose is to enhance the application control and internet access control of our company in our office and factory.

Firebox provides our business with layered security. Before implementing the firewall, we didn't have any control over application access. Now, by using the Firebox, we can control each staff member and department and what kind of application they're able to access on the internet, especially with the popularity of cloud SaaS systems. It has really reduced the degree of risk in accessing those unauthorized, and potentially risky, destinations. WatchGuard provides a pre-built database that can protect against gambling domains, for example. But the accuracy of that database still needs to be improved because, in many cases, the categorization of the website is not exact.

It has also helped with productivity. It reduces the time our networking staff spends implementing things. It has saved about 20 percent of our time. We're also doing more control than before, so we have made some effort to configure the policies, which was something we'd never done before. Previously, we didn't have any control, so we didn't have to spend time configuring or troubleshooting application control policies.

There wasn't one particular valuable feature. What I like is that 

• its pricing is competitive when compared with other brands, 
• it has all-in-one features for intrusion detection
• it has application control 
• it has email control.

Also, the load balancing and failover features cost only 20 percent more than a single instance of Firebox. Those are the main reasons we chose it.

Because we use cloud applications like Office 365 and Salesforce, we don't want all our staff accessing the whole internet. We use the application control so that they are only able to access the company-authorized cloud applications.

Because we use the firewall to monitor the external traffic as well as the internal traffic, we bought a fairly large model, the M570. We turned on most of the features and the performance is comfortable. It can reach the throughput, the performance specified on the data sheet.

Also, because we bought two firewalls, which I know is not that many — not like in the retail industry where they have many firewalls in their retail stores — still, we need a central place to manage the policies and deploy them to both devices. It's good that it provides a system management console that is able to manipulate and manage policies in one place and deploy them to different locations.

The reporting features are not as flexible as I thought before I bought it. You can retrieve some simple statistics from the centralized reporting server. But let's say I want to look at the volume of internet access among our staff. There are no out-of-the-box reports or stats or any unit of measurement that show internet access for particular staff. There is no report that shows how long they're on or the volume of traffic, especially in a particular period. It's not necessary that it have very modern BI analytics, but at this point I'm a little bit disappointed with the reporting. One of the purposes of implementing the firewall was to do more application control and reduce the risk involved in employees accessing the internet. We want to measure and know how much time of our staff spends accessing and browsing and using internet resources.

We bought WatchGuard Firebox last year and implemented it in our Hong Kong office and China-based factory. In the factory we have larger coverage and we use the M570. For our Hong Kong office we use the M370.

It's stable. So far, there have been no incidents.

Our case is quite straightforward. We only use two nodes. We still need to expand to one or two more factory locations, as well as our office. We will scale out the same solution.

I do have previous experience in the retail industry. In that industry, where you need to implement many firewalls in multiple retail stores, I doubt the management tools of the Firebox would be able to scale out for that use case. But for our use case it's good.

We haven't had any issues so we haven't contacted their technical support. It's been quite stable over the year since we implemented it.

There was no application control in our old solution and we wanted to reduce the risk of being attacked from outside. So we looked for a UTM model and the cost-benefit of the WatchGuard Firebox was one of the best.

I did a little bit marketing research locally and listened to recommendations from some partners in Hong Kong.

The initial setup was quite straightforward. It's a typical UTM.

Our implementation took about two months.

In terms of our deployment strategy, we implemented one of the firewalls. We replaced our old firewall, enabling only the internet access and left the major email traffic access. Then we defined the control by defining more specific application policies. Once it was successful, we used the same method to deploy the other firewall to our China side.

We have one person who maintains the Fireboxes, but it's really less than one because he does other administration and is not only dedicated to firewall administration. We have about 100 people in the Hong Kong office and on the factory side there are 400.

We had one internal staff member and an external consultant from BARO International for the deployment. Our experience with BARO was good. They understood our requirements and were able to translate them into an actual solution and deploy it.

We have seen ROI using WatchGuard.

We needed a firewall to control our internal network and the external access and we needed to implement load balancing and failover as well. Going with WatchGuard "increased" our budget.

WatchGuard had a very competitive price. It was only 10 to 20 percent more than a single instance device but with that extra cost it provided a second load balancing device and the licensing scheme didn't charge double. They only charge for one license, unlike other brands whose method of hardware and software licensing would have doubled our cost. That was a major consideration.

We looked at Juniper, Check Point, and one more that was the most expensive.

The usability of the Firebox is good. But the UI is not as user-friendly as the model that I had used before, which was from Check Point. The design of the Firebox UI is restricted and needs an experienced network guy to understand the format and settings. When I used the Check Point a few years ago, the UI usually guided me on how to define a policy from the source to the target, and what the objects were, and how to group objects, and everything could be seen from a simple, table-based web UI. 

The interface of the Firebox is clumsier. The settings are like a tree structure, and you need to drill down to each node in order to get to the property. It serves the same purposes, but I won't memorize all the settings. A more user-friendly user interface would reduce the number of things I need to memorize and guide me in configuring policies. It's quite good, but is not the best I have seen.

The other brands provide more professional features for reporting, the application control, and the scalability. But the strong point of WatchGuard is their all-in-one features that are suitable for our size of company and our budget.

WatchGuard is not the best. We already knew that, but it comes with most of the features we need. Although it's not the most user-friendly, we sacrificed that to keep the core features to increase our control while maintaining our budget. Honestly, there are no particular features of the WatchGuard that impressed me to say, "I must choose a WatchGuard." But when I needed several things to come together, then I really had no choice.

I would rate WatchGuard Firebox at seven out of 10. It's good, it's better than a six, but from the management point of view, it has not totally satisfied my expectations so it's below an eight or nine.

We use it to protect our web stations and service. 

We established a branch office VPN to our branch office. Since last month, we have added Mobile VPN tunnels to our headquarter.

We have the ability to use it for connecting to our terminal services, then to the Fireboxes, so we can create user-based policies, which are very important at this time. We can control who has access to management servers and machines that are not for general use by users.

We use a normal packet server. We are also using a proxy service and IPS, so all features are possible with these devices. We have seen many attacks from specific IP addresses that were all blocked. Most times, these were IPS traffic port scans. All this traffic is normally blocked from our side.

The solution simplifies my business. Normally, for administration, we are using Watchguard System Manager on Windows since it's easy to create new policies. In a short amount of time, you can create new policies based on new requirements. For example, in the last few months, many requirements changed due to the coronavirus, adding the use of new services, like Office 365, and eLearning tools, like Zoom.

With Firebox, the monitoring is good. On the Dimension servers, I can see where the IP addresses send and receive a lot of the traffic so I can analyze it. I am also able to see where attacks are coming from. It's good to see visually what policies are most in use and which traffic was blocked. Its easy to visualize policies. The dimension server shows which policy is used and the data flow through the firebox.

For our requirements, WatchGuard has very good features available in its software.

It is good for administrating devices. It is reliable and easy to use. Most of the time, the results are what I expected.

The performance of the device is good. The time to load web pages has not been slowed down too much. With additional security features, like APT and IPS, WatchGuard Fireboxes need a moment to check the traffic.

For reporting, we use the Dimension server from WatchGuard where we have many options to analyze traffic. It has a good look and feel on all websites that WatchGuard creates. All pages have the same system, so it's easy to use because the interface is uniform throughout the entire solution.

We are using some of the cloud visibility features. What we use on that cloud is DNSWatch, which checks the DNS records for that site. It is a good feature that stops attacks before they come into the network. For most of our clients, we also run DNSWatchGO, which is for external users, and does a good job with threat detection and response. It is a tool that works with a special client on our workstations. 

Sometimes I would like to copy a rule set from one box to another box in a direct way. This is a feature that is not present at the moment in WatchGuard.

I'm missing a tool by default, where you can find unused policies. This is possible when a) you adminstrate the firebox with dimension, or b) you connect it to Watchguard's cloud.

We have been using this solution for a long time (for more than a decade).

The stability is very good. I normally only do a reboot of a Firebox when I upgrade the boxes with new software, so they run sometimes two or three months without a reboot.

It is scalable to many environments. With all our locations, we found this solution works.

For the moment, we have around 80 users total at all our locations. The traffic at our headquarters per day is 300 gigabytes.

Our number of Fireboxes has been constant over the last few years, as we don't have new locations. We are a sports organization, so we are not expanding.

WatchGuard's support is very good. Over the years, there have been only one or two tickets that were not solved.

When you start as a new customer, you should start with a bit of support from your dealer so you have some training on the boxes and how to manage them.

Before using WatchGuard, we had a Linux server with iptables. We switched to Firebox because it is much easier to administrate. It has real boxes with a graphical interface, instead of command line administration.

It is relatively easy to set up a new box. In my experience, you have a basic rule set. When you start with a new box, you can quickly make it work, but you always need to specify the services that you need on the boxes. You need some time to create the right policies and services on the box. This is the process for all Fireboxes that you buy.

When you have a small branch office with a small number of policies, you can make them active in production in one or two hours. With complex requirements at your headquarters where you have several networks with servers, web servers, and mail servers which can be accessed from the outside, the configuration will need more time because the number of policies is much higher.

The implenetation was done by the vendor. For us the solution was ok. At this point my knowledge about firewall was not on the level I have today.

It saves me three or four a month worth of time because it stops malware. I don't need spend time removing malware from the client.

I think the larger firewall packages are much better because a normal firewall is not enough for these times. You need IPS, APT, and all the security features of a firewall that you can buy.

We evaluated some other solutions.

Administration of Fireboxes is only a small part of my job. I have been the network administrator since 1997. While the solution does make less work, I still need a little time to monitor all solutions. 

I would rate this solution as a nine (out of 10).

Our primary use cases are for the firewall and for limited routing for small to medium-sized businesses. 

I had a client that was saturated with RDP, remote desktop attempts, while using a standard low, consumer-grade firewall. Putting in WatchGuard allowed me to drop a lot of that traffic and reduce a lot of load on their otherwise poorly performing Internet connection.

Reporting PCI and HIPAA compliance reporting, firmware updates, cloud-based firmware updates all make for visibility within the client site much easier. I can provide comprehensive reporting on user activity and user behavior which goes along with user productivity. It has excellent mobile SSL VPN capabilities that have allowed for very rapid deployment of remote workers during our current situation.

As a whole, it has a very low requirement for ongoing interaction. It's very self-sufficient. If properly patched, it has very high reliability. The total cost of ownership once deployed is very low.

It absolutely saves us time. All firewalls can be deployed with a very basic configuration in a reasonable amount of time. The uniform way in which WatchGuard can be managed allows for the deployment of much more comprehensive configurations more quickly. When it comes to troubleshooting and identifying any kind of communication issue, they use a hierarchal policy layout. It allows you to manipulate the order of precedence, simplifying troubleshooting by tenfold. Compared to a competitor, I spend less than 10% of the amount of time on WatchGuard that a similar task would take on a Meraki, a FortiGate, or a SonicWall.

The most valuable features are: 

• The unified threat management bundle
• Advanced threat detection and response
• APT Blocker
• Zero-day threat detection.

With most Internet traffic being encrypted, it is much more difficult for firewalls to detect threats. Some of the advanced features, such as the APT Blocker and the advanced threat protection, use advanced logistics to look for behavioral, nonpattern related threats. And the threat detection and response has the capability of working with the endpoints to do a correlated threat detection.

For most people, they don't think about one workstation having a denied access, but when multiple workstations throughout a network have requests that are denied in a short period of time, one of the only ways you can detect that something nefarious is going on is through a correlated threat detection. And WatchGuard has that capability that integrates at the endpoint level and the firewall together, giving it a much better picture of what's going on in the network.

It is the single easiest firewall to troubleshoot I have ever worked with. It deploys very rapidly in the event that a catastrophic failure requires the box to be replaced. The replacement box can be put in place in a matter of minutes. Every single Firebox, regardless of its size and capability, can run the exact same management OS. Unlike some of the competitors where you have dissimilar behavior and features in the management interface, WatchGuard's uniform across the board from its smallest appliance to its very largest, making it very, very simple to troubleshoot, recover, or transition a customer to a larger appliance.

It absolutely provides us with layered security. It has one of the most robust unified threat bundles available with Gateway AntiVirus, APT Blocker. It does DNS control. It does webpage reputation enabled defense. It effectively screens out a lot of the threats before the user ever has an attempt to get to them.

Externally it does a very good job of identifying the most common threat vectors, as well as different transported links, attachments, and things of that nature because of the endpoint integration. It helps protect from internal and external threats, along with payload type, and zero-day threats.

The cloud visibility feature has improved our ability to detect and react to threats or other issues in our network. It has improved firmware upgrades and maintenance reporting as well as investigating and detecting problems or potential threats.

It has reduced my labor cost to monthly manage a firewall by 60%.

The data loss protection works well, but it could be easier to configure. The complexity of data loss protection makes it a more difficult feature to fully leverage. Better integration with third-party, two-factor authentication would be advantageous.

I have been using WatchGuard Firebox for fifteen years. 

We mostly use the T series: T30s, T70s, some M3, and 400 series.

It is the most stable firewall I work with. The incidence of failure is very low, maybe once every two years.

It's very scalable. Because it has the unified configuration interface and the unified tools, or the common tools that are used from the smallest to the lowest, a ton of time and configuration, and thereby money, is saved during an upgrade, for example. The time to take an upgrade to a new appliance is a fraction of the time it would be with a competitor because of the direct portability of the configuration from the prior firewall.

We have one engineer and one part-time technician to maintain approximately 75 WatchGuards for limited, physical installations and onsite. It is very reasonable for one or two engineers to manage 200 to 300 WatchGuards. It's very reasonable.

We have just a single location in which we do use the T70 box and WatchGuard is in place at 95% of our clientele. We do not replace viable commercial-grade solutions until such time that they are ending their licensing or whatever. We do not replace FortiGates or SonicWalls while they're still viable. However, when the opportunity to replace one arises, it is our first suggestion to the client.

I do not or have not had to use technical support very often, but I find it to be excellent. They're very responsive and very knowledgeable. I get engineers from a similar time zone. They're very skilled engineers and very invested in end-user satisfaction. Even though they are 100% channel-driven, they take end-users satisfaction very seriously.

The complexity of configuring a Sonic Wall, for example, is much, much greater than that of a WatchGuard. Identical tasks can be completed in a WatchGuard in a fraction of the time as a SonicWall. When comparing similar models, the performance of Meraki is far inferior to the WatchGuard. Its capabilities are inferior to WatchGuard. It's a simple cloud interface. Meraki's simple cloud interface is probably more appropriate for a less experienced engineer. FortiGate lacks some advanced features that WatchGuard has, but my predominant issue with FortiGate is that when all the unified threat management utilities are enabled, performance on FortiGate is inferior. Although it has capabilities, when fully enabled it does not perform as well as WatchGuard.

The initial setup is very straightforward. I'm able to deploy a standard template after activating the device. The activation is very simple and takes just a few minutes. Then a base configuration can be applied once the firmware has been updated and a box can be prepared for initial deployment within 7 to 10 minutes after it boots. 

It took 45 minutes to set up.

In terms of the implementation strategy, I have an implementation baseline of minimum acceptable settings and then it is adjusted based on client needs.

We deploy it to distributed locations in one of two ways. The device can be drop-shipped to the user or the endpoint and a cloud configuration deployment can be pushed to the box. My preferred method is to receive the box, perform a firmware update and a base configuration, and then ship the box.

I would recommend working with a partner for an expert-level deployment. It greatly reduces the time to deploy it. An experienced engineer can then deploy the product very rapidly and can often provide instruction on how best to maintain the product. But otherwise, the deployment is very straightforward.

They are very low maintenance, they have a very high rate of my end-user satisfaction. I'm able to provide excellent levels of service to my end-users and my customers. I would say that they have a very high value and a good return on the investment.

Generally speaking, I find the three years of live and total security to be the best option. By going with their total security, you do get the endpoint protection component of the threat detection and response. Typically the trade-in options, depending on your prior firewall, are options that they should request or pursue when dealing with their provider. Those programs are usually available, but they're not always offered by a provider unless you ask.

I would rate WatchGuard Firebox a ten out of ten. 

We have multiple sites. We're in the wine business. Our corporate office is where we have accounting and marketing. Our executives are based there as is IT, HR, and payroll. That's where we have the big M200. We have five wineries that we support. Each of the wineries has a WatchGuard on it and we connect them with the business office VPN. 

We share files across our VPN and we also authenticate our users. Not all of our sites have file servers so we use the business office VPN to get them authenticated onto their machines. We also use that to go out and work on their machines if they have problems or we send files out to them and install software remotely, etc.

We also have 11 tasting rooms where we sell our wine, and each of those has a smaller WatchGuard in it. We support the computers that they use in the back office of the tasting rooms. We also support their iPads and the machines that they use to print off orders and FedEx labels and to do inventory stuff. 

We have two hospitality sites where we will take our distributors to talk to them and educate them about the wine industry and what we're doing in the industry. We provide them with internet while they're there. Some of our people will go to these sites to do retreats and planning. We have WatchGuards there to support them so they can get back to the files they need and get authenticated.

We're using a whole variety of models. We've got a couple of M200s, multiple 30s and multiple 15s. We also have about 15 of the AP120s.

The solution simplifies traffic management. It has features that let me automatically reboot the wireless access points on a weekly basis. For us, that has been really beneficial. Prior to that we had a range of different wireless access points and there was no way to have them all reboot. So people would just have bad experiences using them and we'd have to go in manually and reboot them. Once we started using the WatchGuard wireless access points, we just scheduled them to reboot automatically. 

Both the throughput and the fact that they support the two different radio frequencies have been great for us. It has paid for itself because we don't have to deal with them anymore. They're a set-it-and-forget-it type of deal.

The solution has saved me time, but it would be hard to come up with a specific amount of time. The bottom line is that I just don't have to deal with it.

• Among the most valuable features is the ease of use — love the interface — of both the web interface and of the WatchGuard System Manager.
• It's a stable platform. The devices are pretty rock-solid.
• Education: They do host regular webinars where I can go in and learn more about the product and new features.
  

Also, the throughput is good value for the money. Our corporate office is basically shut down [due to COVID-19]. We've got 100 people who have been working from home over the last month and we're using the SSL VPN connection to get in, get authenticated, to get to our files, update passwords, etc. The throughput has been good for that.

I'm impressed with the solution's reporting and management features.

If they could make the traffic monitoring easier that would be great. I don't use it that frequently, but I would like to see some improvements in the ease of use of that component, so it makes more sense. I know it's a technical component so there's going to be some difficulty trying to make that easier.

Also, if they could provide more examples in their documentation, that would help. Sometimes they will say, "Hey, go in and set this up," and it would be so much easier to do it if they put in a couple of examples and showed me. Imagine instructions on how to change a tire and the steps you go through. Give me some pictures or some examples of how you change the tire. Where do you put the jack so it doesn't tear up the fender on your car? I'm a person who loves looking at examples cause I can look at things and see how they applied them and then learn from them.

Even if they put in some snapshots and said, "Here's how this should look after you put this information in," that would help. It would be confirmation that this is accurate and this is going to work. 

Finally, when we did the split tunneling, as it turned out, that was an all-or-nothing, global setting. As soon as I did that it impacted everybody. What I was hoping to do was to set that up so that I could do a pilot group and, once it was working, I could turn it on for everybody. We needed to get it going and it was all-or-nothing. We did that on a weekend and it ate up my weekend time.

In my current position, I have been using WatchGuard Firebox since 2016. Prior to that, I was at another place and I used a WatchGuard for about 12 years.

The scalability is fine but we're not experiencing a whole lot of people using it. Our Seattle office is probably the one where it is used the most and the M200 is fine. Our corporate office has close to 70 or 80 people. And we're spread out nationwide, with people getting back into the corporate office to get files. We have our wineries where there are another 40 people or so. Some of them are smaller and would have 12 or 15 people. And the tasting rooms are typically three people.

We opened up two new tasting rooms in the last year and we've got two more that are going to be opening up and, in my requirements, I always put in WatchGuard.

For everything that I've dealt with, their technical support has been really great about helping out and helping me fix things. I just worked two weeks on a project to split our VPN tunnels out and the WatchGuard technical support guys helped me with that a couple of times.

WatchGuard was already installed here when I came onboard and that was one of the reasons I got hired. I'd had experience with WatchGuard before and I knew about the product and I could support it. They brought me in for that. And now, over the last four years, I've gone through and upgraded the hardware. The hardware was older hardware, it was out of date, so I went through an upgrade and got it back on a maintenance plan.

In working with our WatchGuard vendor, they're the ones who emphasized that we should be getting off of Remote Desktop Protocol from Microsoft because it was being hacked so badly. They're the ones who said that WatchGuard has this SSL VPN and it's free, so they just configured it and away we went.

For me, the setup is straightforward. Part of that is that I've just done it so frequently. On average, deployment of these devices takes me about 15 or 20 minutes. I know what I've done on other machines, so I just do the same thing again on new ones.

For deploying them to distributed locations, we order from our vendor. When it arrives I get it authorized on our account, go in and set up some basics, and set it up so I can get to it remotely. Then I ship it off. I've got some hands-on people, operations people, at the winery who will take it and start to plug it when they get it.

For maintenance of the solution there are three of us on the IT team.

The fact that they're reliable pieces of equipment is part of the ROI. I know when I go back into it, it's not like it's going to drop how it's been programmed. 

It also has a great function for my needs because I work remotely to many other places in Idaho, Eastern Washington, New Mexico, etc. I know I can get into that box remotely and it's going to have the configuration that I set up.

I'd love it to be cheaper, but as long as long as they're being fair with me, it's a good value.

I've never had a need to evaluate other options.

Take a good hard look at it. The interface is pretty easy to work with. The devices are consistently good. It has a lot of features and the boxes are hard-working. They just work.

I recommend WatchGuard to people when I'm at industry trade shows when anybody asks me. I think it does provide me with layered security, but I don't spend a lot of time looking into that. It's just part of my total solution package. The value that I get out of it is consistent management. It's a good product. Whatever kind of additional security they provide to me is just a bonus.

It's our external firewall and VPN solution.

• It allows us to access the outside world.
• It keeps us safe from external threats coming in.
• It allows us to have remote access.

The fact that it just works is one of the most valuable features.

It's fairly intuitive when trying to figure out how to try to get things configured the way you need them. It either works or it doesn't, which means if you have a failure you have a chance to get things fixed.

In addition, I have not noticed any throughput issues at all. The device we have will actually operate at faster technologies than we have available to us.

Management of the solution is great and it also provides us with layered security. It has onboard virus scanning features that allow it to scan before something gets to the host. It will also stop a person from going to a site that is known to be bad.

There is room for improvement on the education side, regarding what does what, rather than just throwing it at a person and assuming they know everything about it. A lot of times, you have to call WatchGuard support to get the solution that will work, rather than their just having it published so that you can fix the problem on your own.

We've been with WatchGuard now for about six years. We've got their XTM firewall.

Their support is awesome. I get a solution to my problem within 24 hours, and if they don't have a solution within 24 hours, they usually have a higher-tier tech working with me until the problem is solved.

The setup was fairly straight forward. We were actually dealing with a failure situation when we received the product. So we had WatchGuard support on the lines from the get-go, helping us get started so that we could get the information. It's something that we would not have been able to do had they not helped.

The main firewall was deployed within a day. The satellites were deployed within a week.

We have two home offices that they're distributed to. Typically, I get the device in, I provision it with the workflows and the exceptions they need, and then they plug it.

I can't say whether Firebox has saved me time. It's a firewall and it does its job. So whether it be WatchGuard, SonicWall, or anybody else, if it does its job and I don't have to look at it, I'm happy. I haven't really looked at a lot of the reporting features. I mainly go in there, figure out where people are having troubles, and fix their problems. 

It's our main firewall. We have over 120 hosts that flow through it.

The biggest way that it has advanced us is that when we started adding additional locations, it became surprisingly easy to do that, to create branch-office VPNs. When I was first tasked with that, I was overwhelmed with it. I thought, "This is going to be really difficult." But it was really simple. I've never actually done this, but they have the ability to program a box and ship it out there. It'll identify it by its number and just do the setup automatically. I've never been brave enough to just let it go automatically, but when I do get it in my office and set it up for the branch office, it's just a matter of just plugging in the right numbers. It works and it's very stable. That enables us to do some incredible things.

WatchGuard has been mostly cost-effective compared to other firewall systems that are out there, given the power that it has and the ease. I complain about the usability, but things such as how to set them up and how to set up the routing up are, at least, intuitive. So that's been invaluable. It's one of the reasons why I haven't moved away from them or been tempted to move away from them. These setups are very complicated and WatchGuard makes it very easy.

It does simplify my job in the sense that it's easy to set up a VPN. Setting up a branch-office VPN is rather simple, but when I have remote users, such as myself or remote salespeople who are operating out of their homes, I can use whatever solutions are out there; the software that makes it easy for them to connect. That avoids my having to go out and buy really expensive solutions like TeamViewer or LogMeIn. They are always clunky, always hard to navigate around in. With WatchGuard, remote users can pop in straight through the VPN and then RDP into their remote desktops. And everything works very smoothly and rather quickly. Anytime you VPN it's not super-fast, but it has been rather efficient and is a huge advantage. It makes my job a lot easier because I don't have to try to troubleshoot somebody else's TeamViewer account.

WatchGuard has saved me time versus having to manually help people with their remote connections. It saves me about ten to 15 hours a month of work, not having to do all that.

The basic firewall features, or just the routing, are the most valuable because that's how we configure our network. 

The second valuable feature would be the branch office. We have five offices throughout the United States, and it coordinates the connections of those offices. 

And the filtering features are okay.

It layers security in the sense that it does isolate different networks. I have in-house web hosting and that's more of a DMZ-type thing sitting out in the open, so that it has to be isolated from our network. It has Gateway antivirus, which is important. It has Gateway spam protection, but I've never actually seen it do anything. That could be because our regular spam filters grab it before it gets a chance to. It's not a direct user-security thing. Another level of security is that I do keep our guest WiFi network separate from our main WiFi network. Even though WatchGuard doesn't manage our WiFi, it does play the traffic-cop between those two networks and keeps them separate. It's more IP-based routing security than anything else.

We have several branch offices. Those things run, you forget about them. My biggest gripe was when I went to update some of my devices, to try to make some speed improvements, not only did I get hit with, "You need to renew your LiveSecurity," but there was this reinstatement fee that they threw in on top of it. That really angered me, to the point that I canceled the entire order. I actually almost replaced some of those devices and I'm looking to replace them because of that type of thing. It's fair to pay for services like filtering, etc., but I don't feel it's fair to pay for updates to a product because they're patching and fixing and updating their product because of bugs. If I want to pay for the next version of something that gives me additional features, that's fair. But to have to pay a reinstatement fee and that sort of thing, I find it to be a very poor and unethical practice. We'd never do that to our customers. The reason I haven't thrown a huge fit is because everybody does it. SonicWall will do it; Cisco. All those guys do that kind of thing. 

I really don't like that, particularly because you're talking about a device that you paid $300 for, and the reinstatement fees are another $200-plus. I can just buy a brand-new device for that, get a faster unit, and get another year of stuff. Maybe that's what they're trying to encourage me to do. But there are firewall devices out there that I can buy that will do a lot of the stuff that I need to do in the remote offices, without having to purchase a yearly or three-year plan. I keep our main system up to date, but for the small edge units, it's just an unneeded expense. That's my biggest negative and biggest gripe about WatchGuard.

In terms of the reporting and management features — and this isn't necessarily a WatchGuard issue, this seems to be more of an industry-wide issue — you get reports, but a lot of times you don't know what you're looking at. You're so overwhelmed with the data. You're getting a lot of stuff that doesn't matter, so it takes time to parse through it, to actually get what you want to know. If it gives me a threat assessment such as, "You received an attack from North Korea," I don't know what that means. I know that an IP address from North Korea hit our server, and they tried a certain attack. Is that something I should take seriously or not? I don't know.

But that seems to be true with a lot of the solutions out there. They tend to report everything, and there's not a lot of control over getting rid of the noise. I've had it report threat attacks from devices within my network, from my own PC, in fact. So it's misinterpreting some things, obviously. Reporting is not something I rely very heavily on because of that. I look at it but I don't know what I'm looking at. Instead, I have a monitor that displays various things about my network, and I will have the main screen up just to see things like which host in the network is the busiest. I tend to use the main dashboard to get real-time information.

I've been using this solution for over 15 years.

The solution is very stable. I don't think I've ever had one crash in 15 years.

I did have one fail, but that was just a hardware failure. That was one of the very first, early units. That was years and years ago. I've never had one fail since then.

It's not very scalable. You get what you get. You buy for your application but if you grow, if you were to double your network bandwidth or the like, you would have to upgrade the product. That's because the hardware can't handle that. 

You could say it is scalable if want to add additional networks and that sort of thing. It makes that fairly simple. But you do need to buy the appliance that's applicable to your network.

It's used at all of our locations and it traffic-cops our entire network. But we're not adding any new networks. As we buy companies, which we've been doing, I usually pull their firewalls out and put these in, because that's what I'm familiar with, if I can't interface their existing firewalls with it.

Their tech support, the few times I've used them, have been excellent. Their staff has been very knowledgeable. I've had several instances where, when fixing a problem, they've made suggestions about other things not related to that problem, as they inspected the setup.

They have a very good system for logging in securely and seeing configurations without being able to check it. That's been very helpful. I've always given an "A+" to their tech support.

It was so long ago, but I used some PC-based proxies at the time. So there was something before this solution, but my first, actual, dedicated appliance was WatchGuard.

It might be that we purchased this back in the late '90s, because our previous solutions were back during the dial-up age. It wasn't until we started getting always-on internet in the late '90s or early 2000s that we looked at a firewall. Someone suggested WatchGuard.

The initial setup is straightforward. Network setup is complex because setting up networks is complex. I will give them props for making a very complex task a little easier. I don't know a way you could make it any easier than they do. I have done network setups in other firewalls that I thought were way more complicated and more convoluted. We've set up a branch office with some SonicWall devices and my setup screen was a whole lot easier than theirs.

The deployment itself takes an hour, if that. I've done upgrades, but I haven't done a straight, flat-out deployment in a long time. But usually, when I deploy a branch office or upgrade the main unit, it's usually up and running within ten to 15 minutes in most cases. If I get something wrong, then it might go to an hour or so, but usually they're very straightforward. If it's a branch-office deployment, it's just a matter of plugging it in. It takes five to ten minutes. The configuration might take another ten to 15 minutes. The one thing that's difficult when you're setting one up is that you have to isolate a computer that you can connect directly to. They have things that make that easier, but I've never tried it.

Our implementation strategy, back then, was to bring branch offices online.

The process of deploying the product to distributed locations usually means that I bring the device in-house and preconfigure and test it before I send it out to a remote location. I'm usually onsite at remote locations to install it. So my process is to order the product, configure it locally, get it correct, and then install it onsite.

In terms of using it, there are maybe ten users and they use a VPN client. They directly interface with it. It's primarily me who manages it. I'm the only user who actually sets the configurations up in it.

I purchased it from a retailer at CDW and did the deployment myself.

Being able to control network traffic and being able to monitor employee activity on the network are things you can't quantify, but there's definitely a cost that you could attach to each. If we have users that we find are spending too much time on social networks, we can address those issues, replace the employee if they don't comply, or help them with their productivity, etc. 

A firewall is a necessary evil. You've got to have one. It's one of the less expensive but powerful models. I've always been very impressed with that. There's a definite return on investment in terms of that the branch-office option. I didn't have to pay anything extra for that. It was just built-in. Those can get upwards of thousands of dollars with other solutions. One solution I saw was $15 a month per user. It would be astronomical if we tried to go that route.

I don't have a number, but the return on investment is good.

I buy a three-year renewal on the main device, which is usually around $3,000 to $4,000. They usually upgrade the device when I do it. You get a big discount when you do three years.

If I were to renew my other devices — we haven't renewed them — it would probably be around a couple of thousand dollars for the little edge devices.

In addition to the standard licensing fees, we pay for the filtering software. There's a web blocker, Gateway antivirus, intrusion prevention. Those sorts of things are extra. They call it LiveSecurity. I do the LiveSecurity update and that includes a lot of those features. It's a type of a-la-carte scenario. You pick what you want, and that then includes maintenance and support.

I can't remember what we looked at, at that time. I have looked at more recent solutions like Untangled, SonicWall, and the like, just to see what else is out there.

Make sure you buy the device that fits your environment. Don't try to do too much with too little. You can buy one of the edge devices, and you could technically run a large network on it, but it's not going to work as smoothly. Your firewall is your primary point of security from outside intrusion so you want to do it right. Be very meticulous about your configuration.

Straight-up, walking-to-the-console usability of the solution is not very user-friendly. It's not very intuitive. However, compared to other firewalls, it's very user-friendly. So it's more user-friendly than most, but it's just not something anybody could walk up to and use. If I had to walk someone through it remotely, it wouldn't be very easy for them to do.

Each upgrade of the device, and I've had about five of them — five main devices — has allowed an increase in bandwidth and performance. They tend to work fairly consistently, but as speeds have gotten faster, you've got to upgrade the device to keep up with it. They seem to be doing an adequate job at that.

I have used the solution's Cloud Visibility feature. I wasn't really blown away. I thought, "Okay, that's neat." I haven't really dug into it deeply. I don't really think about it in the context of detecting and reacting to threats or other issues in our network. I like to be aware of threats, but threats in networking terms are always not practical. For a company like ours, we know there are going to be internet probes out there, and they're going to hit our network. The WatchGuard identifies them and locks them down. There's nothing I can do about it. It's more along the lines of, "For your information, there was an attempted attacked last night."

What I'd rather have is internal threat assessment. I want to know: "This machine started doing something last night it wasn't supposed to do. It was sending out emails at two in the morning. It shouldn't be doing that." Since it's sitting here watching the network, I'm more concerned with internal threats, and people doing things they shouldn't be doing, than I'm worried about the external threats. 

I probably should be equally concerned about them but I've never found a really good solution on that. I have some customized things that I've done that try to send me alerts if certain behavior patterns are detected. I'm scanning through the logs, and if certain keywords pop up, then I'm alerted. That's been somewhat helpful, but most of the time I get more false positives than I get actual.

We have web filtering, so I'm looking to see if anyone is going to pornographic or hacker or peer-to-peer sites. I get alerts from that and it logs those. But most of the time, I'll get hundreds of alerts on sites for a user, and I'll go over and find that the user was looking for fonts and one of the ads happened to be on a server that caused a trigger. It was a complete false positive but I don't know how to filter all that out. So the alert becomes useless. That may be an industry problem.

I would rate WatchGuard at eight out ten. There is a need for improvements in the reporting. There needs to be more granular, built-in filtering in the reporting, so that you can drill it down to exactly the information you want. The second thing would be the cost-plan of renewals. They can have a security plan and they can have a renewal plan. But if you lapse and they charge a penalty on top of that, to me that's really unacceptable. I should be able to let a product lapse if I want to. It may not be a priority. It might be something I have in someone's home and then there's just a new feature I need to add. As I'm going down the road I should just be able to buy that when I want. To put in reinstatement fees is a big negative to me. Granted, they all do it, but they all shouldn't do it.

It is a firewall. I have two M400s. They act as security for the Internet, like a border between us and the Internet.

We allow more outside vendors to be able to come in, then I could protect them. This is a way that I could leverage the solution which has improved business. It has made vendors coming from the outside able to get to resources that we can provide them without allowing them onto our production network.

We have the logging working along with the System Manager overview. This all seems very good to use and straightforward. It is where I look when I start since it gives me that sort of a single pane of glass for both firewalls.

It gives me Layer 3 and Layer 4 security. I don't know if it gives me the full Layer 7 security, which some other firewalls do. It might in new revisions of it. However, for what I need, it meets the sweet spot.

Having the VPN access helps productivity in the sense that people can get to resources anywhere.

• HostWatch is a nice feature.
• Logging
• The central management piece of the system
• The overview manager is good to have.
• The GUI is somewhat easy to use.

These features provide visibility on the network. When there is trouble, I like to see why I might be having trouble at the gateway level.

HostWatch makes it so I can see, in real-time, activity in the event that there is something weird happening on the network. This simplifies my job.

The product's usability is good. It is straightforward and simple. One of the benefits is that it is easy to navigate and intuitive.

Sometimes, the writing rules are a little confusing in how am I doing them.

I had some trouble with the previous product version (XTM) at the end. When the product aged a bit, there were no redundant power supplies. For what we're doing, it would've been nice to have something to fall back on instead rebuilding and taking it from an old configuration because the older version did die. We were able to take from an older configuration, build a new one quickly, and get it up and running, which didn't take long, but there was some pain around it.

With the previous version (XTM), I started seeing some hiccups.

With this new version (M400), it has been in place for about a year and been running just fine. I haven't had to reboot it. I don't think I've had an issue at all with it.

I manage the solution as the network administrator.

I am not sure what I can scale up to. It meets our needs, though. We're not a growing company. We are sort of a static company in terms of growth. As a static company, we are not looking to increase our usage.

We have around 200 users, who are tradesmen, toll collectors, administrators, accountants, and auditors.

I haven't used WatchGuard's technical support because it is an easy product to use.

We switched from WatchGuard's previous model due to age of hardware. We went from something that was seven or eight years old to something from the last year or two.

The initial setup was straightforward. We had been previously using WatchGuard and moved from an XTM to an M400. So, this is our second-generation of firewall with them, and I didn't have any problems.

The deployment took about a day. I upgraded the hardware, making sure that everything migrated over correctly. That was the goal. I had one rule that I dropped, but that's about it.

We have multiple networks with Internet points of presence where we have multiple firewalls. These are not at the distribution layer. The core layer is more where our firewall is.

For the price point, what we do with it, and the time that the last one lived for on our network, we have gotten our money's worth from it. I'm satisfied with the product for the most part.

We did consider other vendors. I don't think there's a need for us to switch right now. In the future, there might be. However, we're pretty happy right now with what we have.

We also looked at Palo Alto, Cisco, and Juniper NetScreen. We looked at Juniper because we have a lot of Juniper switching infrastructure. WatchGuard's price point worked, which is the reason why we stayed with WatchGuard.

Leverage the website. They have a good knowledge base out there. If this was a green deployment, make sure that you understand how the policies work for VPN and matting.

The throughput is adequate. It certainly handles what I pumped through it, which is about 150MB. I don't know how we would do on a big gigabit network, but for what I do, it works. I haven't seen any slow downs in throughput.

I am not using the Cloud Visibility feature.