WatchGuard Firebox Reviews

The solution is very powerful.

It is the most effective on non-encrypted traffic and it is able to determine some threats through deep packet inspection. 

There is a basic deep packet inspection within the antivirus that is able to be run against proxy filtering and certain policies. It's pretty standard in the industry. 

The solution isn't what I would consider feature-rich.

Due to the fact that the high volume of traffic that is currently encrypted, I find that the antivirus is less effective every year. That's not just WatchGuard, however. It's the biggest area in need of improvement right now is as a whole in the industry. It has the same weaknesses other firewalls have, and that's its inability to dissect encrypted traffic. It is capable of doing it, however, it requires some specialty configuration that often interferes with Azure, Amazon cloud services, or things of that nature.

It would be useful if we could be able to get a report as to why the solution is doing one action but stopping another. You can configure it as part of the firewall to decrypt that traffic, effectively making it a middle man, however, in doing so, you often disrupt Microsoft Office 365 and Amazon Web Services. The capability is there. It is just not considered a recommended best practice.

While the ability to determine threats in non-encrypted traffic is a good part of a solution, it is not an adequate standalone. It does not have an endpoint component.

The feature I'm most interested in is additional endpoint protection, however, they recently purchased Panda. That would go in line with the EDR product. As a managed service provider, I'm always looking to simplify and clean my stack, so I can provide my customers with the best possible service with the least complexity. It's nice to know that they're actively working towards that already. 

Also, I should note that most of the features I want are currently already in beta.

I have 18 years of experience with the WatchGuard brand, and 13 years directly with their threat detection and response products. I've put in more than 30 pieces of WatchGuard hardware, firewalls, access points, etc., in the last 60 days.

I've been using WatchGuard's Gateway AntiVirus specifically for 15 years now.

The solution has remained very stable. It has never resulted in a service-related ticket being required or anything along those lines. Users can rely on it as it doesn't crash and there aren't bugs or glitches that affect its functionality.

The solution is very scalable as part of a whole solution. One of the best features is that it's capable of having file exceptions based on the MD5 hash.

As a consultant, I have many of the systems out in production and they are in environments ranging from five to 10 users, up to several hundred.

The technical support has been amazing. We're very satisfied with their level of support.

The initial setup was very, very easy. It was not complex at all.

Discussing licensing is tricky. It is not available as a standalone purchase. It is part of a whole, so I can't divide out the costs in an effective way.

We're a service provider and have been for a number of years. I'm a consultant.

The solution is part of the firewall and the UTM. It's never really handled as a separate entity, though it is licensed. It's part of their unified threat bundle.

I've used almost all of the current GUI interfaces. The antivirus has changed the backend engine a couple of times over the years. The current revision, I believe, is Bitdefender driven, but I'm not exactly 100% sure.

I'd advise other organizations, when setting up the solution, to configure all proxies and policies prior to doing the subscription service setup. 

If the policies are pre-configured and your proxies are set up prior to activating the security antivirus or the Gateway AntiVirus, 90% of the configuration is done for you. You only find yourself manually doing it if you are building rules after the fact.

As an antivirus and standalone product, I would rate the solution seven out of ten. The main reason is, as a gateway appliance, it does not have the capability to perform the same function as an endpoint antivirus. It is not a substitute for endpoint antivirus.

It's our firewall for the internet.

The most valuable feature is the NAT-ing, the IP addresses. What the firewall does is that it NATs through the IP addresses for different servers. We can direct the traffic where it needs to go. We can control the traffic.

It's fairly easy to use. I don't think we have any trouble with it.

We've also never had any trouble with the throughput or performance. We've just recently upgraded the internet and we're getting our router upgraded. Once we get that in place, we'll see how the Firebox responds. To date, we've never had any problems.

It also provides us with layered security.

I would like to see more tutorials on setting up the Firebox.

I've been Using WatchGuard for well over 10 years.

The stability has been fine. We've had no issues with its stability.

We haven't scaled it.

There are about 40 users, anywhere from plant production to purchasing to the president, and accounting. They all go through the firebox to get to the internet of course. It's used by all management in the organization, for sure.

We don't have any plans to increase usage of the solution.

There is just one person who handles the deployment and maintenance of the solution. He's a programmer.

We didn't have a previous solution. It's always been a Firebox.

I don't believe we had any trouble with the initial setup. 

My gut feeling is that we have seen ROI. It keeps us secure and it allows us to get out to the internet. As opposed to having no protection, it has provided ROI.

I've had no problems with the licensing.

It works for us.

In terms of simplifying any aspects of my job, there's nothing I can specifically say because I've used WatchGuard for so long that I don't have anything to compare it against.

We were primarily using WatchGuard to control applications that were trying to access offsite network locations.

I am no longer using this solution because it was in my previous job.

This is a feature-rich product.

The most valuable feature is the category control.

This is an easy product to manage.

There should be more reports available on different subjects. There is a set of predefined Dimension reports but there needs to be more available on aspects like security and Wi-Fi.

I have been working with WatchGuard for more than eight years.

It is a stable solution.

We only had a single site, albeit a large one. Scalability was not something that I had to test beyond the one location, but it was good for our environment.

I was in contact with the WatchGuard technical support three or four times. I was satisfied with them and their responses. We had a WatchGuard Gold Support package.

I have also used Sophos Application Control and from my experience, WatchGuard is the better solution. With Sophos, it is not as easy to block categories, and creating firewall rules is much more difficult. 

The initial setup was generally straightforward. We had a little bit of difficulty with our second installation, which was virtualized. It took us two or three days to move from our on-premises deployment to the cloud. It was easy because we already had all of our rules in place. This included testing and not just the implementation.

When we first implemented WatchGuard, we had the help of a solution provider. 

For what we needed, WatchGuard was fine and generally covered our needs. It is easy to maintain and it is a product that I recommend. That said, there is always room for improvement.

I would rate this solution a nine out of ten.

We use it internally and we are an MSP for lots of other companies that use it as well. Our primary use case is to block applications. 

It does the job of what it says it does. We set it to what we want it to block and then it blocks it. 

They could expand the amount of applications that are on the list, but it's pretty intensive anyway, so it's pretty good.

I have been using this solution for five years. 

We don't get any issues or bugs with it. The stability is good. 

There are two IT guys who use it in our company. 

I have contacted their technical support and they were very, very good. 

The initial setup was reasonably simple. It took us a couple of hours to get it all set up and working with all of the firewalls set. Our own team did the setup. 

It comes in the main licensing costs from the WatchGuard if you buy the license. I don't know about the prices there.

WatchGuard does what it says it does. Definitely use it. If you want to block applications, then definitely use it. 

I would rate it an eight out of ten. There's going to be newer apps that are probably not going to be blocked straight away, but then they are in time, so it's not really an issue.

We just use it as a secondary WiFi device. We're a small office and we needed to set up a WiFi device for a few of our employees.

The way it saves me time is that there is no maintenance. Once we set it up, there's nothing else for us to do on a regular basis. It might be saving me about an hour a month.

• It has a good signal.
• We haven't had any security issues.
• The usability has been good. We haven't had any problems with it.
• The performance has been good. We haven't had any issues with the performance.

We have been using WatchGuard Firebox for about two years.

We haven't had any issues with it. We set it up and it's been running since we set it up.

We don't have any plans to increase usage. It just services our one office, with eight users.

We have not had to use their technical support.

We did not have a wireless solution before Firebox. The main reason we went with it was the security protocols. They were more robust on this device.

The setup was easy enough. It was more or less plug-and-play. There weren't a lot of settings that we had to run through. The setup wasn't that complicated. It took about two hours and there was just one person involved.

The addition of the WiFi saves us from usage of our data plan. We have had some cost savings there.

The pricing was in line with everyone else; maybe slightly higher. That's why it's not a 10 out of 10.

We're a hospital and we use it for developing our incoming and outgoing policies, and we also use it for VPN.

It helps keep unwanted traffic from coming in, or traffic from going out that we don't want to see out there. If we have unwanted traffic coming in, traffic that we don't need as a facility, then we would be opening ourselves up to security problems and vulnerabilities. It helps because malicious attacks coming in are things I don't have to worry about. So far the WatchGuard has done a good job at blocking all that.

In terms of simplifying my job, the simplest device is one that you can put in place and not have to worry about it. That's the WatchGuard. It's there, it's working. I don't have problems with it so it's "out of sight, out of mind."

It also saves me time, by doing what it's supposed to do. I don't have to mitigate problems that it allowed through. I couldn't tell you how much time it has saved me. It really would depend on what kind of problems I might experience.

The policy monitoring and allowing different traffic flows are the most useful features for us; regulating which traffic comes in and out.

In terms of the throughput and performance, we don't have a problem or any bottleneck there. We downgraded the size of our appliance because we're a small facility, and what we had before was actually too big. The one we are now going with seems to be doing a great job.

The management feature is pretty nice.

I'm not really impressed with the reporting side of it. It may be something I just haven't figured out very well, but it's hard to filter down on reporting of the actual valuable information that you would want. There is a lot of information out there so you have to have some kind of tool capture it and then filter through it. So far, I haven't found the reporting side of the WatchGuard to be that user-friendly. I would definitely like to see better reporting tools from WatchGuard. That would be a very high priority for me.

Also, setting up the site-to-site VPN is pretty easy with the WatchGuard, but the client VPN setup is not very friendly. If you have a client-to-device VPN that you need to set up for a mobile user there are different protocols that they will accept but none of them are a plug-and-play type of option.

The organization has had WatchGuard, different versions, for 12 years. I've used WatchGuard, myself, for about seven years. We got the Firebox approximately three years ago.

The stability is great. I've not had any problems. In three years, we've had to restart the device maybe twice. We've had to restart it more than to clear out any cache, because you don't want anything building up in cache memory. But we've only had two problems where we needed to restart the device. And it actually restarts really fast. It doesn't have much downtime at all.

It's used extensively. This is the only firewall we have in the facility, between the hospital, nursing home, and home health. It handles all the traffic that comes from all three campuses here. I don't see us expanding enough to worry about getting another device. This one seems to be doing exactly what it needs to do.

I've only had to use their technical support twice in quite a few years, so it would be hard for me to rate. But they were responsive when I did have a problem. I haven't had any problems with support at all.

I moved here in 2013 and the company was using the WatchGuard at that point.

With this newest device, the initial setup was pretty straightforward. We were able to copy the configuration from the old device. That's a good thing about it: the configuration file is able to transfer from an old device to a newer device and just continue going. It takes a long time to build up different traffic policies, and to make exceptions for different websites. If you had to do that every time you got a new device, that would be a problem. Luckily, with this, you're able to save your configuration file and transfer it to the new device.

The deployment of this new device took 30 minutes, at most. There are only three people in our IT department, but the deployment only required me to be involved. The other two guys are network technicians. All three of us can go in and modify policies or do whatever we need to do, but it generally doesn't take much maintenance.

I got on the phone with WatchGuard to make sure that everything would transfer over and they assured me that it would. And as far as the switching over to the new device goes, most of the planning required was just letting users know that the internet was going to go down for just a little while. We planned it for a period of slow usage here at the hospital where we could bring it all down, copy the config file, move it to the new device, put it in place, and swap the connections over. It came right up. We had to import the new key and got it activated. But other than that, everything worked.

ROI on this type of solution is a hard number to quantify. We've not had a problem so that in itself is a return on investment. If you don't have an issue how do you calculate what your return of investment would be? How do you quantify the peace of mind? But we've not had to spend a lot of time troubleshooting.

The pricing of WatchGuard is probably a little higher than the SonicWall, but it makes up for it in dependability. It's worth it to me, especially since it's not much higher. For just a little bit higher price you get the dependability of the firewall with the WatchGuard brand. 

And with this appliance you also get a certain number of VPN tunnels. With this one, it's something like 500, not that we would even use that many. Whereas with SonicWall, at the time we were using it, it came with 10 and then anything over that had to be purchased.

Money-wise, it's a one-and-done with the WatchGuard. With SonicWall, there were a few things that you had to pay extra for to get. 

The subscription services with the WatchGuard are pretty nice.

I used the SonicWall at another hospital in southwest Arkansas. 

WatchGuard has come quite a way, as far as the Fireware Web UI goes. The GUI application has become better, making it easier to navigate through setting up policies and setting up VPN tunnels, etc. SonicWall had been there quite a while longer than WatchGuard, in terms of being user-friendly. But I can't complain about the WatchGuard now. When I first moved here, it was very cumbersome to navigate through, but with the Web UI it's really improved.

They do have a client that you can connect to the WatchGuard if you want to use that client. It's still kind of clunky for navigating and I very seldom use it anymore. They call it the WatchGuard System Manager. It's not quite as friendly as the Web UI. It's usable, it's just not really friendly. But the Web UI is very well done.

My advice would be go for it. We've not had any problem with it. We've been very pleased, especially with the newer WatchGuard we've put in place. It's very responsive. It works great. It may have a little bit of a curve on learning it, but once you learn it, it's hard to say you'd want to go back to something else.

It took me a little bit to get used to WatchGuard. I was familiar with SonicWall before I moved into this role. But now that I've used it for almost seven years, I've gotten to know it pretty well and it works great. Once you get used to what I would call the idiosyncrasies of WatchGuard, as opposed to the SonicWall, it's pretty easy to configure. Using the WatchGuard web UI also makes it a lot easier to configure.

It provides us with somewhat layered security. It is the firewall between us and the outside world. With our subscription we do have the Gateway AV, so it does watch for things of that nature. We have certain policies in place that help with the layered part of it. But it's just one of many layers. We have other things in place to help, but it's definitely something I wouldn't want to do without.

It's our perimeter firewall.

We used to have Cisco and Cisco was pretty cumbersome. I actually still use Cisco, but I like WatchGuard for the features it has.

It provides us with Layer 2 and Layer 3 security.

If it didn't work we wouldn't be able to get to the internet and that would be a terrible thing.

All of its features are valuable, although we don't use the antivirus. We do use the web filter.

It's also the ease of configuration that I like. In terms of usability, it just works. And the throughput is 100 Mbps. It's fine.

There are a couple of things I wished that it would do, but I can't think of those off the top of my head.

I have been using WatchGuard Firebox for about 15 years.

It works and just keeps on working.

The scalability is fine.

Their technical support is good. Honestly, I haven't had to call them in five or six years.

We used Cisco previously. Cisco didn't have the features that I needed, like the proxies. A Cisco box would probably do that now, but back then they wouldn't. So we switched to WatchGuard.

The initial setup is straightforward. You just read the manual and follow the directions. It didn't take very long to set up. It was about an hour to have it configured and set up.

I have deployed Firebox to distributed locations. You just plug in the numbers, the IP addresses. That's all you do. It's pretty simple.

We have seen return on our investment. It just works. I may have to reboot it once every two or three years.

The pricing of WatchGuard was pretty comparable to Cisco, but I actually haven't looked at a new Cisco box in quite some time, so I can't say how they compare now.

I would advise that you go with whatever you're more comfortable with. If you're more comfortable with Cisco, then go with Cisco.

Firebox doesn't really save us time because whether you're going to configure a Cisco or you're going to configure a WatchGuard, you still have to configure something, no matter what it is. It is a little easier to configure WatchGuard though.

It takes just one person in our organization to deploy and support it, and that's me. Overall, our environment has about 300 users.

WatchGuard Firebox is our edge firewall.

Currently, we are using the M470 and we have used many models in the past.

The solution provides our business with layered security. An example would be the intrusion protection on anything that is internet-facing. We host our own mail server and I regularly see that WatchGuard has swatted away attempts to get in from bad actors. I have to have that open because people have to connect on their cell phones. Obviously they have to send and receive mail. So I sleep a lot better knowing that something is watching the few things that I do need to present to the internet. I feel much better having something protecting and monitoring all traffic that passes through.

We have an interesting environment. There is actually a completely separate computer domain, an entirely separate network that belongs to a regulatory body. We work at a casino and our gaming commission has to be able to get into some of our systems and monitor some of our activities. Obviously we don't want them to just plug directly into our network, so we have created a DMZ where they can come into our network via the WatchGuard. That way, I get to see all of their activity as well and monitor what they can get to. We give them access to what they need and nothing more.

The solution also simplifies aspects of my job by having automated reports generated weekly, for review. I like the fact that they get delivered and I get to see the actual metrics of what the box is doing. The reporting features reassure me that it is working.

In terms of saving time, I have used Cisco firewalls in the past and I would say that it is easier to construct policies with WatchGuard than it is in Cisco, particularly Cisco's ASDM (Adaptive Security Device Manager). It probably takes about half the time with WatchGuard. Usually we're just modifying something, adding or removing somebody from a web blocker category. It's very easy to maintain.

As a casino, we have one site and that's it. There are no mobile workers. We usually don't have any remote access and we don't need collaboration tools because we all work in the same building. But now that we're trying to get some people to not come in [due to the Corona virus situation] and we're running on a skeleton crew, we are able to maintain productivity by leveraging the native VPN clients and access provided by WatchGuard. We didn't have to buy anything. We had all the infrastructure ready to go and then I slapped a policy together last Tuesday and we've been using it ever since. It was very easy.

• One of the most valuable features is the Gateway AntiVirus. We scan all traffic as it's coming through.
• We also use spamBlocker to scrub spam.
• We use content filtering, which is critical in any corporate environment to make sure that people don't surf things they're not supposed to.
• WatchGuard has a very easy VPN and branch office VPN setup, so we use those pretty extensively too.

It's very easy to use.

And our internet bandwidth does not exceed its throughput, so it is probably still a little overbuilt. It's definitely not a bottleneck. There is no problem with throughput.

In terms of performance, WatchGuard has always worked well for us. We've gone through about six different models in the last nine years, not all at our primary site. We had a couple of satellite offices that were using smaller models. They have all worked very well. There was only one time that we had a performance issue and it turned out that it was due to a hardware replacement being required, and that was handled expeditiously.

Regarding the reporting, I was in the Dimension server earlier today. It's very powerful. I like it. And the management features are easy to use. I like the fact that I can open up the System Manager client or I can just do it through the web if I'm making a quick change.

WatchGuard could be a little more robust in reporting. I get requests a lot to figure out people's internet traffic. We want to know what people are doing when they are on the internet. There is still a little bit of fine-tuning that can be done to that process.

I took over the admin role here back in 2011, so I've been using it for close to 10 years.

It's very solid. We don't reboot it very often and we don't seem to need to.

We went from a single appliance to a high-availability cluster, just last year. Managing the cluster is just as easy as it was to manage one unit.

It is doing everything we've asked of it so far, but we do plan on increasing usage. There are a few features that came out last year or maybe a little bit before that, features that we want to start using, such as WatchGuard's DNS. That will make sure that we're not asking for any bad players. At the moment we're still using Google DNS. And we haven't rolled out the endpoint security that came with it, but we are going to start using that as well.

I've never had to use their technical support. I've only used their online help. I've been able to find everything I need in the forums and the Knowledge Base.

The initial setup is straightforward. The wizards walk you through it, and I have found an answer to anything that I've ever had a question about in the Knowledge Base online. I don't think I've ever had to call for support personally. The documentation is awesome.

As for setup time, I usually have traffic passing through it within an hour or two. 

I know what traffic I want to allow out and I always start with just the stuff that I need to. I always start with the most restrictive, as far as policies go. The first thing I do is get rid of all the Any-Any rules and then I start locking it down. I love the way that it integrates with Active Directory. I base my internet usage and my web blocker policies on Active Directory security groups, and I can have all of that stuff set up ahead of time before I ever get ready to roll out the appliance itself.

Back in the day, we used to have a warehouse. We used to have a uniform shop that was offsite and I was responsible for setting up the tunnels of those sites. We recently relocated some administrative offices for the tribe that owns the casino that I work for, and we decided when they were moving that we would upgrade the firewall that they had. We purchased a WatchGuard so that it would be manageable, because we were already familiar with it from using it at our site. We dropped it right into place and I had traffic passing through it within minutes. I was done with it, doing all the other rules, within a couple of hours. I was onsite for all of those. I've never preconfigured one and then sent it out into the wild.

We use Variable Path, out of San Francisco. Our rep is Jason Chang. Our experience with them was very good. I would recommend them.

It's hard to measure ROI. But I've never had to go in front of upper management and tell them that we were breached. That is probably the conversation I would least like to have with them.

Otherwise, regarding return on investment, having the infrastructure already here and having more capabilities than we're using right now allow me to react very quickly. As I said, I was able to get some people working from home last week. It literally took us a day from going from zero people with remote access to a core group of about 12 people having remote access.

Getting a WatchGuard for the first three years pays for the hardware. I think it's cheaper to keep doing hardware upgrades at every software renewal, rather than just pay for maintenance to keep a piece of hardware going. I usually tell people that it's really affordable as well, particularly compared to Cisco.

In addition to the standard cost, we usually get the Total Security Suite. We go top-shelf on all of the subscription services.

WatchGuard was brought in by one of my predecessors. I left this company for a little while and went to go work for a credit union, and that was a completely Cisco shop, so I got to experience both of them at different times.

I don't think I've actually used anything other than the Cisco ASA. With the WatchGuard it's easier to create policies, that's for sure. I like the flexible stability of being able to leverage objects in Active Directory. I also like being able to not have to create all my policies using IP addresses, and that I can actually do web domain name lookups every time. That's very handy for large, distributed stuff where you have no idea where the actual source is going to be coming from. The cloud bounces traffic from all over nowadays. So crafting rules with fully qualified domain names, FQDN, is definitely something that I did not have in my Cisco ASA.

The Cisco was a little less confusing and more straightforward. It didn't do all of the things that the WatchGuard does, so in that sense it was a little bit easier to understand. That is particularly true once you start getting into proxy actions and setting up: "Okay, cool. Once this rule gets triggered, what actions have to happen?" I do know a few people who use WatchGuard and they still have to get assistance when they look at that. So I would file that as a con for WatchGuard. Proxy actions can be a little bit complicated.

Invest in some Professional Services. Although you can absolutely pull it out of the box and deploy it — and we've done that before — it's always good to have somebody that you can ask about best practices and run a few scenarios by them. We ended up purchasing four Professional Services from our local reseller. It was good. Although they didn't really provide any answers, they were there to say, "Oh no, you're doing the right thing." It was more reassurance than anything. But I would definitely recommend springing for some Professional Services. That will make the whole process go a lot easier.

A small subset of my staff, maybe three or four people, is involved in deploying and maintaining the solution. They're all IT administrators.