Owner at a construction company with 51-200 employees
Real User
Competent, basic front-end; the ports that I have assigned appear to be unattainable to outsiders
Pros and Cons
  • "The ports that I have assigned appear to be unattainable to outside 'mal-actors,' unless they have an address registered on the internet that this thing is expecting. That's a layer of security."
  • "I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that."

What is our primary use case?

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

What is most valuable?

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

What needs improvement?

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

For how long have I used the solution?

I've been using Firebox for two or three years.

Buyer's Guide
WatchGuard Firebox
April 2025
Learn what your peers think about WatchGuard Firebox. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
851,604 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

What do I think about the scalability of the solution?

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

Which solution did I use previously and why did I switch?

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

How was the initial setup?

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

What about the implementation team?

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS, and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

What's my experience with pricing, setup cost, and licensing?

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

Which other solutions did I evaluate?

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

What other advice do I have?

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Administrator at Niedersächsischer Turner-Bund e.V.
Real User
Visually able to see what policies are most in use and which traffic was blocked
Pros and Cons
  • "The solution simplifies my business. Normally, for administration, we are using NetApp System Manager on Windows since it's easy to create new policies. In a short amount of time, you can create new policies based on new requirements. For example, in the last few months, many requirements changed due to the coronavirus, adding the use of new services, like Office 365, and eLearning tools, like Zoom."
  • "Sometimes I would like to copy a rule set from one box to another box in a direct way. This is a feature that is not present at the moment in WatchGuard."

What is our primary use case?

We use it to protect our web stations and service. 

We established a branch office VPN to our branch office. Since last month, we have added Mobile VPN tunnels to our headquarters.

How has it helped my organization?

We have the ability to use it for connecting to our terminal services, then to the Fireboxes, so we can create user-based policies, which are very important at this time. We can control who has access to management servers and machines that are not for general use by users.

We use a normal packet server. We are also using a proxy service and IPS, so all features are possible with these devices. We have seen many attacks from specific IP addresses that were all blocked. Most times, these were IPS traffic port scans. All this traffic is normally blocked from our side.

The solution simplifies my business. Normally, for administration, we are using WatchGuard System Manager on Windows since it's easy to create new policies. In a short amount of time, you can create new policies based on new requirements. For example, in the last few months, many requirements changed due to the coronavirus, adding the use of new services, like Office 365, and eLearning tools, like Zoom.

With Firebox, the monitoring is good. On the Dimension servers, I can see where the IP addresses send and receive a lot of the traffic so I can analyze it. I am also able to see where attacks are coming from. It's good to see visually what policies are most in use and which traffic was blocked. It's easy to visualize policies. The Dimension server shows which policy is used and the data flow through the Firebox.

What is most valuable?

For our requirements, WatchGuard has very good features available in its software.

It is good for administrating devices. It is reliable and easy to use. Most of the time, the results are what I expected.

The performance of the device is good. The time to load web pages has not been slowed down too much. With additional security features, like APT and IPS, WatchGuard Fireboxes need a moment to check the traffic.

For reporting, we use the Dimension server from WatchGuard where we have many options to analyze traffic. It has a good look and feel on all websites that WatchGuard creates. All pages have the same system, so it's easy to use because the interface is uniform throughout the entire solution.

We are using some of the cloud visibility features. What we use on that cloud is DNSWatch, which checks the DNS records for that site. It is a good feature that stops attacks before they come into the network. For most of our clients, we also run DNSWatchGO, which is for external users, and does a good job with threat detection and response. It is a tool that works with a special client on our workstations. 

What needs improvement?

Sometimes I would like to copy a rule set from one box to another box in a direct way. This is a feature that is not present at the moment in WatchGuard.

I'm missing a tool by default, where you can find unused policies. This is possible when a) you administrate the Firebox with Dimension, or b) you connect it to WatchGuard's cloud.

For how long have I used the solution?

We have been using this solution for a long time (for more than a decade).

What do I think about the stability of the solution?

The stability is very good. I normally only do a reboot of a Firebox when I upgrade the boxes with new software, so they run sometimes two or three months without a reboot.

What do I think about the scalability of the solution?

It is scalable to many environments. With all our locations, we found this solution works.

For the moment, we have around 80 users total at all our locations. The traffic at our headquarters per day is 300 gigabytes.

Our number of Fireboxes has been constant over the last few years, as we don't have new locations. We are a sports organization, so we are not expanding.

How are customer service and technical support?

WatchGuard's support is very good. Over the years, there have been only one or two tickets that were not solved.

When you start as a new customer, you should start with a bit of support from your dealer so you have some training on the boxes and how to manage them.

Which solution did I use previously and why did I switch?

Before using WatchGuard, we had a Linux server with iptables. We switched to Firebox because it is much easier to administrate. It has real boxes with a graphical interface, instead of command line administration.

How was the initial setup?

It is relatively easy to set up a new box. In my experience, you have a basic rule set. When you start with a new box, you can quickly make it work, but you always need to specify the services that you need on the boxes. You need some time to create the right policies and services on the box. This is the process for all Fireboxes that you buy.

When you have a small branch office with a small number of policies, you can make them active in production in one or two hours. With complex requirements at your headquarters where you have several networks with servers, web servers, and mail servers which can be accessed from the outside, the configuration will need more time because the number of policies is much higher.

What about the implementation team?

The implementation was done by the vendor. For us the solution was OK. At this point my knowledge about firewalls was not on the level I have today.

What was our ROI?

It saves me three or four a month worth of time because it stops malware. I don't need to spend time removing malware from the client.

What's my experience with pricing, setup cost, and licensing?

I think the larger firewall packages are much better because a normal firewall is not enough for these times. You need IPS, APT, and all the security features of a firewall that you can buy.

Which other solutions did I evaluate?

We evaluated some other solutions.

What other advice do I have?

Administration of Fireboxes is only a small part of my job. I have been the network administrator since 1997. While the solution does make less work, I still need a little time to monitor all solutions. 

I would rate this solution as a nine (out of 10).

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2105850 - PeerSpot reviewer
Chief Information Technology Officer / Head Emel at a government with 1-10 employees
Real User
Top 20
Provides ease of use to users
Pros and Cons
  • "The most valuable feature of the solution is its ease of use."
  • "The product can improve in terms of layout to provide easier access and viewing to users, especially for the reports."

What is our primary use case?

I use the solution in my company mainly for security management and also for VPN.

What is most valuable?

The most valuable feature of the solution is its ease of use. For budgetary purposes, it meets our requirements.

What needs improvement?

For the most part, the tool's interface is quite simple. The product can improve in terms of layout to provide easier access and viewing to users, especially for the reports.

One of the things that I think is missing in the tool is the area of managing IPv4 traffic via the IPv6 tunnel. If a few features were added to the tool, it would be great for migrating our network from IPv4 to IPv6.

For how long have I used the solution?

I have been using WatchGuard Firebox for three years.

What do I think about the stability of the solution?

Considering we have even used the tool in our company for the past three years, we don't see much problem with the devices, except with what we call the updating and patching processes, which require some downplay and everything. I think we are quite satisfied with the tool's performance in our company.

What do I think about the scalability of the solution?

I do believe the solution provides devices with a profile for a much higher requirement, but it all depends on the number of users and everything. Currently, my company is not that big, but we are supported by good vendors. I do believe the tool is scalable in terms of the devices because the product does provide a much higher model, but we don't need it because we are quite a small company.

In my company, we have only around 200 users, so we don't have many staff members.

How are customer service and support?

My company contacted the solution's technical support regarding the services, especially when we had some new requirements in terms of configurations and settings or when there were new protocol rules and policies that needed to be implemented. I rate the support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, we used Sangfor, which is a brand from China, for our firewall and internet access management, but we switched to WatchGuard Firebox three years ago. One of the biggest reasons to use WatchGuard Firebox was related to the area of expertise. Our team or staff had experienced some lack of knowledge in Sangfor. After my company figured out which product was easy to learn and after making some comparisons, we decided to go for WatchGuard Firebox.

Compared to Sangfor, I think one of the advantages of WatchGuard Firebox is the VPN solution, which includes a certain number of licenses in the package. There is no requirement to purchase more VPN licenses. The con is that Firebox is a part of the existing solution provided by WatchGuard.

How was the initial setup?

When it comes to the product's initial setup phase, our vendors support us, so they handle the setup process. We don't have many issues or problems during procurement or setting up all the configurations for WatchGuard Firebox.

The solution is deployed on the hybrid cloud model.

Last time, we got the tool ready within three days. After we provided all the information that the vendors required regarding the setup and configuration settings that we needed, they set it up within three days. A third party also provides the tool's maintenance services.

What was our ROI?

From the budgetary perspective, I believe the proposed price for WatchGuard Firebox was certainly much better than the other model that had been promoted to us before because the concerned department in our company procured the tool. I don't have any specific information on it.

What's my experience with pricing, setup cost, and licensing?

I am not sure about the tool's price as the commercial part is under a different department. I think the tool is quite competitive compared to the other brands.

What other advice do I have?

The tool's most effective feature for managing threats revolves around the area of the reporting services it offers, which is cloud-based reporting, so we can get a lot of information from the services.

I don't have much experience with other models, so I can't speak about WatchGuard Firebox's security. The good thing is that because it is easier to handle, and the company that supports us provides us with a lot of information, it is easier for us to operate the product.

WatchGuard Firebox VPN features significantly enhance operations, making it easier during COVID-19, when many people work from home. There are very good features, I recall, whereby you can access office resources without requiring employees to come to the office. The tool did help us a lot during COVID-19.

Our company has a data leakage prevention solution for our email. It is quite intuitive, but it's not WatchGuard Firebox.

Whether I would recommend the product or not is something that depends since I work in a small company where the income is not too much. Other companies of similar sizes might find some similarities with our organization, so I can recommend WatchGuard Firebox to such users or businesses. Bigger or corporate users who have much more requirement settings or a large number of users should look for a different brand that can support the large numbers.

I rate the overall tool an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1230873 - PeerSpot reviewer
Network Administrator at a retailer
Real User
Provides us with more secure site-to-site VPN, remote access ACLs, and client-to-VPN
Pros and Cons
  • "It's hard to pick one feature over another. But if I had to pick one, the UTM would be the most valuable because of the notification. I get notified via email if there is any type of threat detection or alert, telling me something is wrong."
  • "Websense is an application that monitors and filters internet traffic. Websense was derived from WatchGuard. But when you go to WatchGuard to actually implement that particular feature, you have to use some type of additional feature and you have to pay for it, unfortunately. I think it should be free or free in the WatchGuard box itself, as an option. It would be nice if they didn't charge us for that."

What is our primary use case?

We have four locations and at every one of them we use WatchGuard. We use them as firewalls and for UTM. They provide protection in terms of detection and prevention. And we also use them for site-to-site VPN, as well as for direct connect, VPN to AWS, and to AWS using VLAN tagging.

How has it helped my organization?

One of the main ways it has helped is that we use site-to-site VPN a lot, as well as remote access ACLs and client-to-VPN. Prior to WatchGuard, for example, we used to use Remote Desktop, which is not very secure, or RD Web, which is also not very secure. We installed the client VPN on everyone's remote computer and they can access our local area network. That is much better than using the other solutions. It's an improvement for the user and it's less risky for us. It gives us peace of mind that we're using the proper channels to access our network.

What is most valuable?

It's hard to pick one feature over another. But if I had to pick one, the UTM would be the most valuable because of the notification. I get notified via email if there is any type of threat detection or alert, telling me something is wrong.

For me personally, because I'm Cisco-Certified, it was very easy to take this over. I think it's a lot easier to work with because it's a GUI and not a CLI. I cannot speak for other users or other administrators, but it's pretty simple.

Based on our needs, the throughput is pretty solid. We haven't had any issues as far as the throughput is concerned. This particular box maxes out at 2 GBs and we only have 1 GB so we haven't had any latency.

I manage it using the System Manager, based on the firewall access control that I have. I've been able to manage it and use it without any problems.

What needs improvement?

Websense is an application that monitors and filters internet traffic. Websense was derived from WatchGuard. But when you go to WatchGuard to actually implement that particular feature, you have to use some type of additional feature and you have to pay for it, unfortunately. I think it should be free or free in the WatchGuard box itself, as an option. It would be nice if they didn't charge us for that.

And if they won't offer it for free, they should offer something better. It definitely needs a big improvement because it's very unfriendly. It's called Dimension Basic and there is a reason they call it basic, because it gives you very basic information. Let's say you want to track someone's internet activity or where they've been going. Websense gives you detailed information as far as the source. But this one only gives you very basic information and, on top of that, it's a free version for only a few months and then you have to pay for it. So not only is the version very basic but you still have to pay for it. That, in my opinion, has room for improvement.

Everything else that we have, the live security services and network discovery and all the spam blocking, threat protection, and the web blocker, is included.

For how long have I used the solution?

We've been using Firebox for as long as I can remember. I inherited this position close to 13 years ago and they'd been using it before that.

What do I think about the stability of the solution?

For the most part, everything seems to be working without any issues. That's why we've had it for this long, close to 17 years for the company and, under me, for 13 years. There are more pros than cons.

We haven't had any issues. I always buy an additional box as a Hot Standby. I have never had to use it, and thank God for that. So it's been very stable. We keep them for a maximum of three to four years and then we upgrade to a newer one. For the time that we keep the box active, we don't have any issues.

What do I think about the scalability of the solution?

In terms of scalability, as far as other features go, we're stuck with what we have on the physical appliance. For example, we had one that was set to 300 MBs for throughput and when we wanted to upgrade, we couldn't obviously use that same box. It wasn't really scalable. So we had to upgrade to a newer version.

We have four locations and approximately 400 users. We don't have any firm plans to increase usage. The owner of our company just acquired another company and that may make a difference. WatchGuard is the main component that we use. The subscription for all four of the WatchGuards that we currently have ends in 180 days. We're just going to upgrade to the newer version, if it's available. 

How are customer service and technical support?

There was an incident, back in the day, where I called for support and the guy sort of brushed me off. It was very uncomfortable but it could have been an isolated incident. I don't want to say that all the support engineers are the same. But this particular guy was either drunk or rude.

Other than that, it's been very smooth sailing for us, as far as support goes.

Which solution did I use previously and why did I switch?

We have always been using Cisco. They decided that WatchGuard would be beneficial to keep because it's GUI and it's a lot easier to work with than other products, especially for junior admins.

How was the initial setup?

I set it up all the time and it's very straightforward. It's very easy to set up and very easy to migrate over to a newer version. It's really simple. I've only done a new deployment once. 

For upgrades, you save the configuration and you upload it to a new file, or you just open a new file and browse to the configuration file that you saved. It usually takes 10 minutes at the most.

But the first deployment, because it was obviously more involved, took a few hours. Setup included the site-to-site VPN, the client VPN, the actual interfaces, the static NATs, a lot of the firewall policy, the internet certificates, and the policy routing; the basic components of any router.

Deploying WatchGuard to distributed locations is mainly the same. Obviously, there are differences in the IP addressing and the network addresses. And you have to take care of the VPN connection between the two, to be able to communicate using the site-to-site VPN. There is also web blocking. We have certain policies for denying access to certain sites or certain applications. We don't allow, for example, weapons or sex or any of those kinds of solicitation sites. We then set the external and internal interfaces and then do the routing. In some of those locations we use the WatchGuard as a DHCP server, so we set that up as well. The rest is all pre-configured.

What's my experience with pricing, setup cost, and licensing?

We have had two-year deals in the past, but recently we decided to go with annual. The cost was somewhere in the vicinity of $2,000 to $3,000 for each one, depending on if they had a special at that time or if they were doing an in-place upgrade or with the same router.

Which other solutions did I evaluate?

They figured if they were going to get something different then it would have to be something very user-friendly for the administrators, because I'm the only one who is certified to work on Cisco. We evaluated the Barracuda NextGen Firewall. We also looked into Juniper and the Meraki firewall, because all our switches are Meraki switches. 

But we decided to stay with the WatchGuard. The prices were a little bit better than Meraki and, since everything was pre-configured, to upgrade to a newer WatchGuard all we had to do was just save the config file and upload it to the new one, and that was the end of that.

What other advice do I have?

Educate yourself. Read documentation and watch videos online. Since the administrators are going to use it, they should educate themselves on WatchGuard. Keep a cheap, old box for training. I train my administrators on an older box and I give them a network to train on.

We have been attacked with ransomware in the past, and it was kind of disappointing because, when I talked to Cisco support they said that they recommended purchasing end-point protection with a ransomware interceptor, so we ended up getting Sophos. So alongside the WatchGuard, we have Sophos' ransomware interceptor and end-point protection. We use them, on top of the WatchGuard, as a secondary line of defense.

It has been smooth sailing as far as the product itself is concerned. That's why we keep renewing it. We either renew it or we upgrade to the newest version if they have a special. We also use it for Hot Standby. It's been good.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
ITManagedf70 - PeerSpot reviewer
IT Manager at an engineering company with 11-50 employees
Real User
Geolocation allows us to lock down certain policies to only U.S. IPs
Pros and Cons
  • "One of my favorite features is the Geolocation service, where you can actually block specific activity or IP addresses registered to certain countries. For example, I don't want any web traffic from Russia or North Korea. I may even lock down certain policies down to 'I only want U.S. IP addresses.' I find that very useful."
  • "They've done a lot of work with their SD-WAN, which we do use, to have our old internet service with our new internet service. If anything goes down on a particular interface, I can have different rules applied. Most of my users don't even know when our primary internet goes down anymore... I don't have to be here to do anything to switch it to our backup internet or to switch it back."
  • "Reporting is something you've got to set up separately. It's one of those things that you've got to put some time into. One of the options is to set up a local report server, which is what I did. It's not great. It's okay... Some of the stuff is a little complicated to get up and running. Once you do, it becomes very user-friendly and easy to work with, but I find there are some implementation headaches with some of their stuff."

What is our primary use case?

It's our primary firewall. It's also our UTM device, so we have multiple security layers enabled on it.

We're using an M270 firewall with version 12.5.

How has it helped my organization?

With WatchGuard, I've got a lot of WebBlocker rules set up which help quite a bit, blocking a lot of suspicious and parked domains. Between WebBlocker, the Botnet Detection, the website reputation filters going, and IPS - which is one that is essential, but nobody really talks about a whole lot; between all those things working together, and even the antivirus, I feel our network is pretty clean. And if there is some suspicious activity, I think I have a better chance of being alerted to it. I've even been able to set up Application Control rules, so that something like Windows Update doesn't deplete too much bandwidth. There are whole bandwidth controls you can set up which aren't necessarily security-related, but they can help make sure that one particular function doesn't take up so much bandwidth that the users are affected. WatchGuard has layered security, but I also have other layers beyond that.

I wouldn't necessarily say it has simplified my job but I am very happy to have it. I'm very glad we went with WatchGuard. I was impressed with WatchGuard for a lot of other reasons like their education and training videos. They do a lot of little security announcements about what's going on with other companies in the industry, so that part has made my job easier. I wouldn't say it's made my job more difficult either. It has definitely made me feel more comfortable about the security here, but I wouldn't say it simplified things. We had a very simple firewall which was almost a small-business router. It had a little firewall screen with four settings on it that really didn't do a whole lot. So, I can't say WatchGuard simplified things for me. It's just we're much more secure and it hasn't overly complicated things.

What is most valuable?

One of my favorite features is the Geolocation service, where you can actually block specific activity or IP addresses registered to certain countries. For example, I don't want any web traffic from Russia or North Korea. I may even lock down certain policies down to "I only want U.S. IP addresses." I find that very useful. That was not a feature that was initially there for us. It was something WatchGuard released after we bought our first device with them and it is one I am very happy with.

I may want to only allow U.S. IPs onto a specific interface that I share files with, for security reasons, or I may know of a security issue in a particular country. I can just block that whole country for all my users. Or maybe I'm seeing a lot of malicious links coming out of South Korea, even, and I just say, "We don't go on a lot of websites there, let me just block that country completely," and if we do need to get on a website, I'll just make an exception. It improves security and helps block malicious links.

There's a little bit of a learning curve in getting everything working. But once you understand how all the pieces work, and the fact that you're using physical hardware with a web interface alongside a piece of software installed on your computer, and you learn what to do in each location, it's very user-friendly.

I like the management. There are some nice dashboards and other things to keep an eye on things. There are email alerts, once you get those configured. Once again, they're a little complicated to get set up, but once they work, they work well. Management is pretty easy. 

The version I'm on, 12.5, came out last week. I try to stay pretty current and they do add features and improve usability and functionality often. It's one thing I've been happy with. It's not like they say, "Here are the modules you bought with it four years ago and that's all you have." They're constantly adding, developing, improving. 

They've done a lot of work with their SD-WAN, which we do use, to have our old internet service with our new internet service. If anything goes down on a particular interface, I can have different rules applied. Most of my users don't even know when our primary internet goes down anymore. It does run slower on our backup, but they don't know the difference unless they're doing some kind of bandwidth-intensive function or streaming. I don't have to be here to do anything to switch it to our backup internet or to switch it back. They've developed that feature even more, to allow you to have different rules for different policies or different interfaces to behave differently, depending on what happens with either packet-loss or latency, with multiple internet sources. That is pretty helpful.

What needs improvement?

Reporting is something you've got to set up separately. It's one of those things that you've got to put some time into. One of the options is to set up a local report server, which is what I did. It's not great. It's okay. I've heard their Dimension control reporting virtual machine is supposed to be a lot better, but I haven't had the time or resources to set that up. Some of the stuff is a little complicated to get up and running. Once you do, it becomes very user-friendly and easy to work with, but I find there are some implementation headaches with some of their stuff.

I wish I had a contact at WatchGuard because there are a few things I'm not using. I'm not doing packet inspection because I know it's pretty intensive to install certificates on all my computers and have it actually analyze the encrypted traffic. That's something I'd like to do but I'd really like to talk to somebody at WatchGuard about it. Is that recommended with my number of users with my piece of hardware, or is that going to overload everything? I'm not using Dimension control. I'm not using cloud. If I had a sales rep or a support person that I could just check in with, that would help. Maybe they could do yearly account reviews where somebody calls me to say, "What are you using? What are you not using? What would you like more information about?" That sort of thing could go a long way.

They do a lot of education, but it's sent out to the masses. They have really good emails they send out which I find very valuable, talking about the industry, security events, and other things to be aware of. But there's not too much personal reaching out that I've seen where they say, "Hey, how can we help your company use this device better? What do you feel you need from us?" That's my main recommendation: There should be somebody reaching out to check in with us and help us get more out of our device.

For how long have I used the solution?

We've been using WatchGuard for over four years.

What do I think about the stability of the solution?

It's very stable.

I've only ever had one update that I applied that caused problems, that I had to roll back. I don't recall any kind of issue where I had to reboot the device to fix something. Somewhere along the line, WatchGuard, with their free training and free training videos, had recommended setting up an automatic reboot once a week just to keep everything clean, fresh, and healthy. I set that up to reboot every week during off-hours on the weekend and I've had almost zero problems with it. Even with the updates, as I said, I can only think of one instance where there was a problem. I had to roll the update back, which was very easy to do, and then wait until the update patch came out and fixed the problem. That only happened once.

I've been very happy with the stability and reliability of not just the device and the software, but WatchGuard as a company.

What do I think about the scalability of the solution?

With my needs and my network, I feel we could add bandwidth and add users for a while, before we would run into any issues. It's scalable for my needs with my device.

How are customer service and technical support?

I don't think I have used WatchGuard's technical support. If I did, it might have been once.

I haven't really needed it too much. As I said, they have some good YouTube videos that they put out themselves on setting up stuff. That's my first resource when I want to get into a new feature I'm not using. They've got pretty good notes in there, so when I update software on the device itself, I go through their installation guide or their admin guide for that version of the software and it's all pretty straightforward. It lays out the new stuff they changed and what you need to be aware of, so I haven't needed to bug them.

Which solution did I use previously and why did I switch?

We didn't have anything like this before, so it's not necessarily saving me time, but it did add a whole other level of security to our network, which we really appreciate.

We had a small-business Cisco basic solution. They called it a security router, but it was just a small device that sat on the shelf and which mostly provided internet access. It had very simple firewall controls: two or three check-boxes to do basic filtering. So we did have something, but it was nowhere near the level of the WatchGuard.

We switched to WatchGuard because we did not have a UTM device like we do with WatchGuard. We needed to upgrade the old device because it wasn't performing well anyway. I suggested that we needed something more appropriate, or with more layers of security than what our other small, entry-level device was offering. We did review solutions from a few other firewall vendors and WatchGuard offered, in my opinion, the best protection for the cost.

How was the initial setup?

The initial setup was a little bit of both straightforward and complex. I'm a technical person. I read an instruction manual before I do something, whether it's putting a piece of gym equipment together or implementing something like a WatchGuard firewall. I had gone through all of their admin guides and getting-started guides and recommendations. So it was pretty straightforward, but there were a lot of steps and a lot of things to work through.

Something as simple as email wasn't just set up by specifying the IP address of your email server. I had to enable a bunch of things on the web interface and then install the software on my computer and set it up as an email relay. That was the only way to get email alerts, which I found a little shocking because email alerts should be critical on these things. I guess bigger companies may have alert servers or Syslog servers or other things they're using. But we're smaller and we don't. So that was one thing that I found was a little more complicated than it should have been for the importance of the feature. And now I have a computer and a firewall and if one or the other isn't working, those email alerts don't work.

Our deployment did not take long. It was no more than a week or two. I did it pretty quickly. I convinced the owner why we needed it and why this was the right move. I wanted to make sure I implemented it quickly and that we got some benefits out of it right away. I didn't want to let it sit around. It took less than two weeks.

My implementation strategy was mostly what I mentioned above: Review all of the guides, all of the walk-throughs, a couple of tutorial videos, get a baseline of what I wanted to enable and how. Then I did it offline, as you would expect. I brought the device into my office, got it updated, got everything baselined and set up the way I needed it to start with. From there it was just switch out early in the morning before users were in the office. It was nothing too out of the ordinary.

For deployment and maintenance of the product, it's just me.

What about the implementation team?

I did it myself.

What was our ROI?

I believe there has been ROI, with the level of protection and things that are being blocked that we're aware of. And there is just the peace of mind of knowing certain things.

Some of this I'm simplifying a little bit because, again, a lot of these things have been implemented over the last four-and-a-half years. I'm thinking now of other features I've implemented that I'm very proud of, like locking down remote access software so people can't just come and use any remote access software to get in or out of our office. There's a sense of security because I only allow the remote-access software that we pay for and use. I don't allow any other protocols to get through. It is making sure we don't have people who work here doing weird things, but it also makes it harder for other people to break in. Just that peace of mind and all the other layers we have working is worth the money, in my opinion.

What's my experience with pricing, setup cost, and licensing?

We had a trade-in offer at the end of our first three-year term. As a result, we pretty much got a free device by buying the three-year subscription. It was around $3,000 for the three-years.

Which other solutions did I evaluate?

We probably looked at SonicWall and ForcePoint, but it's been a number of years so I don't recall much of that process.

What other advice do I have?

Do your research. It's not impossible. Do things in a logical order and make sure you understand what you're doing and how you're going to do it. Once you understand it and get everything working the way you want, it does get very easy to use and work with from there. Once you get over the learning curve of how all the pieces work together, it's very easy, very user-friendly, very easy to update, and very easy to make changes and document those changes - all that good stuff.

I tend to buy the hardware platform that's like one level above where we think we absolutely have to be at a minimum, so the performance has been adequate or good. I've yet to hit an issue where I feel the device is slowing us down or causing any issues because of the performance of the device, itself. We're usually limited more by our actual bandwidth. It's been great as far as our network and needs go.

In terms of the extent to which we're using the product, six months ago when I renewed the second three-year term, the subscriptions had changed quite a bit from when I had my first three-year term. Now, I have a whole list of new subscription services or modules or layers that I have not started implementing. I got a couple of the new ones implemented, to get some of the benefit, when I first got this new device. But there are a few more I want to implement. One of them is packet inspection, which is difficult because that can really bog down your device. I'd like to have Dimension control to get better reporting. There are a couple of other ones that I have not implemented because they're new for me and I just haven't had the time to work on them. Threat Detection and Response is one I'm interested in which I haven't had time to implement yet. It involves me setting up a client in each one of my endpoints and it keeps track of unusual activity there. That's probably where I want to go next. Maybe even the Access Portal could be useful for me, to have a place for vendors or customers to go to access things inside our network.

We've gotten more features for our money because there's a new security package which wasn't available when I first subscribed, and that included pretty much everything. I had paid separately for APT, Advanced Persistent Threat protection, on my old subscription. To get that now, it was cheaper to bundle it with their total threat package. That included a lot of things like DNSWatch, which I did set up to look for malicious DNS access requests throughout my network. It gave me intelligent antivirus. I believe there's some kind of DLP module, which is one I haven't spent any time on. Network Discovery is another one I haven't spent time on that I need to work on. All of those came as new features with the new hardware and with that new subscription. The Threat Detection Response is definitely something I didn't have access to before. For sure, in this second three-year term, we got a lot more value for the money with what WatchGuard offered us.

I would give WatchGuard an eight out of ten. There's a little bit of room for improvement but I'm very happy with WatchGuard. I think it's a good fit for me. I won't often give a ten, just on principle, unless I feel they deserve a 12. That's when I give a ten.

I've definitely said positive things about WatchGuard to other people in the industry, people I talk to or know. I'm a promoter of WatchGuard, to be honest. I haven't seen anything I like better, but I haven't had a lot of experience with other devices. I've said good things to people on a regular basis, especially about WatchGuard's education, the emails and videos and other stuff they put out to try and help people, even when it's not related to WatchGuard products.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Sr. Systems Administrator at an individual & family service with 201-500 employees
Real User
They are great, functional and useful devices.
Pros and Cons
  • "I like the High Availability features of the newest ones I'm using because they allow a firewall to fail and still be up and running."
  • "I like their management features a lot. Their System Manager server as well as the System Manager software make managing them, and tracking changes, very easy and complete."
  • "The documentation for the System Manager/Dimension configuration, could be a little bit clearer... The use case where you have multiple sites with multiple firewalls, and one site that has the System Manager server and the Dimension server, wasn't really well defined. It took me a little bit of digging to get that to actually work."

What is our primary use case?

Production business use at multiple interconnected locations.

How has it helped my organization?

It is one of the layers of our security and it definitely does protect us from many attack vectors. Between the antivirus scanning, the blocking, and DNSWatch, it is protecting us from a number of attack vectors. It also provides useful diagnostic tools for identifying and troubleshooting issues. A recent example was when a few LOB network devices were having issues which was affecting operations. The ability to search the realtime and historical logs helped me to navigate, zone in, and identify the ultimate issue. It ended up not being the firewall, but fast access to the logs helped me determine and prove that to be the case.

Because of the way it's organized and the user-friendliness of the device, it does make my job managing the firewall profiles and security a lot easier. There's nothing you have to do through the command line. Being able to definitively know what the configuration is, visually, being able to edit it offline without affecting production have all been big time-savers for me. When I had to do two firewalls which had similar configurations it saved me at least 20 hours of setup work. Templates allowed me to create and define a bunch of objects once and use them in both places.

Overall, per month, Firebox will save me four to five hours, depending on if there's something I have to investigate.

What is most valuable?

The Application Control and web blocker have been very valuable because they let me control the outgoing traffic of my users and keep them off of both productivity wasters and sources of vulnerabilities in my environment. 

I like the High Availability feature because it allows a firewall to fail while keeping the environment up and running.

In terms of its usability, it's very straightforward to use, once you understand the way they look at a firewall and the design choices they made.

The throughput the solution provides is excellent. I have not had any performance-related issues with any of the fireboxes I've used.

I like their management features a lot. Their System Manager server as well as the System Manager software make managing them, and tracking changes, very easy and complete. In terms of the reporting, I am just starting to look at the reports in Dimension and they look pretty well-organized and useful.

What needs improvement?

The product could have some more predefined service protocols in the list, which don't have to manually be defined. But that's very low hanging fruit.

The documentation for the System Manager/Dimension configuration, could be a little bit clearer. The use case where you have multiple sites with multiple firewalls, and one site that has the System Manager server and the Dimension server, wasn't really well defined. It took me a little bit of digging to get that to actually work.

For how long have I used the solution?

I have been using WatchGuard Fireboxes for about six to seven years.

What do I think about the stability of the solution?

It's pretty rock-solid. I've never had to reboot one because it was acting in an unstable manner and have some that I ran through their entire usable lives without issue.

What do I think about the scalability of the solution?

The scalability is good, assuming you buy the right model. They make it easy to trade up to a bigger model without having a big, financial impact, giving you a discount to trade up. 

How are customer service and technical support?

The times I've used technical support it was excellent.

Which solution did I use previously and why did I switch?

I moved from FortiGate. The reasons I switched include price - WatchGuard is a lot more cost-effective than FortiGate - and complexity. FortiGate is very complicated, had little documentation which relied heavily on cookbooks, and a lot of command-line required to get some common things to work. WatchGuard is very well-documented and everything fits within their configuration. Nothing that I've encountered has to be done through the command line. And when your subscription expires on the WatchGuard, it will still pass traffic, if you configure it to. FortiGate will only allow one connection out.

How was the initial setup?

The initial set up was very straightforward. You take it out of the box, you plug it in, you download the software, and it starts working. That's what I consider to be the initial set up, and that was very easy and very fast.

The deployment took me a total of about 40 hours for two sites, two firewalls, and with an incredibly complicated configuration. The complexity was a product of the environment, not the firewall.

I utilized the template feature to make everything that could be the same, the same across both sites, which are connected locations.

What about the implementation team?

In-house.

What was our ROI?


What's my experience with pricing, setup cost, and licensing?

They are well priced for the market and offer discounts for competitor trades and model upgrades which are definitely worth taking advantage of.

Which other solutions did I evaluate?

FortiGate and WatchGuard were the only two I've evaluated recently.

What other advice do I have?

I would definitely recommend using WatchGuard.

I would also recommend taking one of the courses that goes through all the features of the device and the way it is organized. Every firewall vendor looks at things differently. If you don't understand the way WatchGuard is structured, you may make a strategic mistake in setting it up and you'll have to tear some of it down and redo it, which is true of any firewall. Learn and use the tools WatchGuard provides.

I used to do everything in WatchGuard through their Web UI but I now use the System Manager software because it is very valuable. It provides a lot of features that I had not realized I was missing. The System Manager Server is able to store previous versions of the configuration, and to force people to enter comments regarding what they changed when they save one. Being able to compare the configurations side-by-side, and have it tell you the differences are great tools that you should know about if you're going to start implementing a WatchGuard.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
I.T. Co-ordinator at National Lotteries Control Board
Real User
Allows us to manage VLANs and to review and determine what traffic we want to allow or deny
Pros and Cons
  • "Two of the functionalities we use most are the traffic monitoring and the full panel dashboard. Those are two things that are very useful for us... In addition, it provides us with layered security. It allows us to determine what types of access, to which networks, we want to allow or deny."
  • "I would like to have a little more control over access points and the ability to see the bandwidth that is passing through a specific access point. We are not able to see that. We can see what traffic is passing through the Firebox itself, but we can't identify if it is coming from a particular access point or not."

What is our primary use case?

We use them for perimeter security and also to manage virtual LANs.

How has it helped my organization?

The main benefit for us is the ability to manage the VLANs. It allows us to monitor types of traffic and to actually review and determine what traffic we want to allow and deny. It also allows us to modify the categories of restrictions that need to be applied.

It has also simplified some of the processes that we have. For example, we were having some issues in identifying where most of our bandwidth was being used up, which devices and which users, and what they were using the bandwidth to do. Were they watching videos or were they looking at some other bandwidth-intensive site or application? We have been able to determine user behavior on the network.

We are quite happy with the Firebox. It really helps us with the ease of managing firewalls at other locations. It has really helped us save time by not having to go to other locations. We have devices at two smaller offices, where we don't have IT staff. It has allowed us to remotely manage and update the firewalls at those locations. It's saving us at least four hours a week.

I don't think it has helped improve productivity in terms of efficiency, but it has enabled us to improve the security of the network. We don't have to worry as much about where the users are going. And if a user was blocked, it will let us know why they were blocked, what category of trip was being blocked, or what policy it was blocked under. Even if our staff is going to a legitimate site, but the site is under a wrong category, it allows us to put that site on our exemption list to allow it.

It has also really helped us with our management and to monitor internet usage. Our department is just three people and it has made it very easy for us to manage.

What is most valuable?

  • Two of the functionalities we use most are the traffic monitoring and the full panel dashboard. Those are two things that are very useful for us.
  • It's very easy to use. The interface does not present a challenge for the user. It is a great device for small businesses with up to 500 users. It allows easy management of all devices from one central device and updates are very easy as well.
  • The performance is also very good. The throughput is excellent. I've not had any issues with that so far.
  • The reporting and management features are excellent. They're easy to navigate and very intuitive, and reports are easy to read.
  • In addition, it provides us with layered security. It allows us to determine what types of access, to which networks, we want to allow or deny.
  • We also like the site-to-site VPN that allows us to connect to and securely access devices at other locations.

What needs improvement?

I would like to have a little more control over access points and the ability to see the bandwidth that is passing through a specific access point. We are not able to see that. We can see what traffic is passing through the Firebox itself, but we can't identify if it is coming from a particular access point or not.

For how long have I used the solution?

We have used WatchGuard Firebox for seven years.

What do I think about the stability of the solution?

The Firebox is very stable. We have not had a failure over the seven years we've used them.

What do I think about the scalability of the solution?

In terms of scalability, we would need to add another device to the M300 that we have right now. I know there are models of Firebox that you can actually add hardware to, to get them scaled up and for additional portals. But the one that we have, in terms of subscription, is very scalable in terms of features, and it integrates with WatchGuard's central interface where it can update our firmware as the updates come out.

What we want to do is put in some more redundancy in our network access. We want to have a second Firebox at each location. We have two ISPs at each location, so instead of both ISPs going to one Firebox, we want to split the ISPs between the two Fireboxes and have load balancing through the internet on firewalls.

We have 100 employees at our head office, and we have 10 employees at our sub-offices. In terms of devices, we probably have about 150 devices, including printers and computers at our head office, and about 12 devices at each of our sub-offices.

How are customer service and technical support?

We used the technical support once, when we had some issues with employees trying to access legitimate sites. That is when we learned about setting exemptions for certain sites. A company might be a travel site, for instance, but due to the amount of advertising they do, it might be flagged as an advertising site. To resolve that issue, when it's a legitimate site that does a lot of advertising, you can go to support for help in figuring that out, and also for help in putting necessary exemptions in place. 

The support was very professional. They were very patient, and they explained the issues and the solutions fully.

Which solution did I use previously and why did I switch?

I don't have a lot of experience with other firewalls. There was a Cisco Certified office that I was exposed to before we moved to the WatchGuard Firebox. It felt like the WatchGuard was a lot easier to use, and easier to set up than the Certified Office device.

The primary reason that we went with Firebox was its cost. It is very economical and it provided us with all the security functions that we were looking for at the time. And the throughput was more than what we required, so it was a very cost-effective device to deploy on our network.

How was the initial setup?

The initial setup of Firebox was straightforward. It was not complex.

For our deployment we configured all three access points at one location, our head office, and tested them in that one environment. Then, at the various offices, it was just a matter of changing the IP address. We had one technician go to one office and another technician go to the other office to install the Fireboxes and connect them to the network. As they were plugged in, they connected and it provided the service that we wanted from day one. We didn't have to do too many reconfigurations. The policies that come with it out-of-the-box provide adequate network protection, and we just had to put in special policies to allow various types of traffic, either both ways or one way, to various ports on the firewall. We didn't have many problems in getting them up and running at each office.

Deployment took one day at each location. Overall, we were able to prepare the Fireboxes and test them in less than a week. We prepared everything at one location, did the testing on the second day, and on the third and fourth days we went to the other two office locations to install them.

What was our ROI?

With the Firebox solutions we have had a lot more accessibility, in the network, to our third-party vendors and suppliers. Prior to that, we did not have a direct connection to those companies, but with the Firebox we were able to configure a DMZ, and that allowed us to apply the granular restrictions that we really wanted. It allowed us to reduce the number of devices that we have on one desk, at certain workstations. Instead of having the supplier's computer and our computer, we were able to use just one computer, and connect to the supplier.

What other advice do I have?

Going with the Firebox is a no-brainer. It provides the necessary security, out-of-the-box, for your configuration of the policies. It's very easy to use and it also gives you a reporting dashboard that can be customized. It makes a lot of sense out of all the data. It's very easy to read. We use a 40-inch display in our office and have it connected to the Firebox so that we can see what's going on on the network. We can look at it and see how the traffic is going through it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Owner / CEO at Midwest Technology Specialists LLC.
Consultant
Enables us to drop a lot of traffic and reduce a lot of load on otherwise poorly performing Internet connection
Pros and Cons
  • "As a whole, it has a very low requirement for ongoing interaction. It's very self-sufficient. If properly patched, it has very high reliability. The total cost of ownership once deployed is very low."
  • "The data loss protection works well, but it could be easier to configure. The complexity of data loss protection makes it a more difficult feature to fully leverage. Better integration with third-party, two-factor authentication would be advantageous."

What is our primary use case?

Our primary use cases are for the firewall and for limited routing for small to medium-sized businesses. 

How has it helped my organization?

I had a client that was saturated with RDP, remote desktop attempts, while using a standard low, consumer-grade firewall. Putting in WatchGuard allowed me to drop a lot of that traffic and reduce a lot of load on their otherwise poorly performing Internet connection.

PCI and HIPAA compliance reporting, firmware updates, and cloud-based firmware updates all make visibility within the client site much easier. I can provide comprehensive reporting on user activity and user behavior which goes along with user productivity. It has excellent mobile SSL VPN capabilities that have allowed for very rapid deployment of remote workers during our current situation.

As a whole, it has a very low requirement for ongoing interaction. It's very self-sufficient. If properly patched, it has very high reliability. The total cost of ownership once deployed is very low.

It absolutely saves us time. All firewalls can be deployed with a very basic configuration in a reasonable amount of time. The uniform way in which WatchGuard can be managed allows for the deployment of much more comprehensive configurations more quickly. When it comes to troubleshooting and identifying any kind of communication issue, they use a hierarchical policy layout. It allows you to manipulate the order of precedence, simplifying troubleshooting by tenfold. Compared to a competitor, I spend less than 10% of the amount of time on WatchGuard that a similar task would take on a Meraki, a FortiGate, or a SonicWall.

What is most valuable?

The most valuable features are: 

  • The unified threat management bundle
  • Advanced threat detection and response
  • APT Blocker
  • Zero-day threat detection.

With most Internet traffic being encrypted, it is much more difficult for firewalls to detect threats. Some of the advanced features, such as the APT Blocker and the advanced threat protection, use advanced logistics to look for behavioral, nonpattern related threats. And the threat detection and response has the capability of working with the endpoints to do a correlated threat detection.

For most people, they don't think about one workstation having a denied access, but when multiple workstations throughout a network have requests that are denied in a short period of time, one of the only ways you can detect that something nefarious is going on is through a correlated threat detection. And WatchGuard has that capability that integrates at the endpoint level and the firewall together, giving it a much better picture of what's going on in the network.

It is the single easiest firewall to troubleshoot I have ever worked with. It deploys very rapidly in the event that a catastrophic failure requires the box to be replaced. The replacement box can be put in place in a matter of minutes. Every single Firebox, regardless of its size and capability, can run the exact same management OS. Unlike some of the competitors where you have dissimilar behavior and features in the management interface, WatchGuard's uniform across the board from its smallest appliance to its very largest, making it very, very simple to troubleshoot, recover, or transition a customer to a larger appliance.

It absolutely provides us with layered security. It has one of the most robust unified threat bundles available with Gateway AntiVirus, APT Blocker. It does DNS control. It does webpage reputation enabled defense. It effectively screens out a lot of the threats before the user ever has an attempt to get to them.

Externally it does a very good job of identifying the most common threat vectors, as well as different transported links, attachments, and things of that nature because of the endpoint integration. It helps protect from internal and external threats, along with payload type, and zero-day threats.

The cloud visibility feature has improved our ability to detect and react to threats or other issues in our network. It has improved firmware upgrades and maintenance reporting as well as investigating and detecting problems or potential threats.

It has reduced my labor cost to monthly manage a firewall by 60%.

What needs improvement?

The data loss protection works well, but it could be easier to configure. The complexity of data loss protection makes it a more difficult feature to fully leverage. Better integration with third-party, two-factor authentication would be advantageous.

For how long have I used the solution?

I have been using WatchGuard Firebox for fifteen years. 

We mostly use the T series: T30s, T70s, some M3, and 400 series.

What do I think about the stability of the solution?

It is the most stable firewall I work with. The incidence of failure is very low, maybe once every two years.

What do I think about the scalability of the solution?

It's very scalable. Because it has the unified configuration interface and the unified tools, or the common tools that are used from the smallest to the lowest, a ton of time and configuration, and thereby money, is saved during an upgrade, for example. The time to take an upgrade to a new appliance is a fraction of the time it would be with a competitor because of the direct portability of the configuration from the prior firewall.

We have one engineer and one part-time technician to maintain approximately 75 WatchGuards for limited, physical installations and onsite. It is very reasonable for one or two engineers to manage 200 to 300 WatchGuards. It's very reasonable.

We have just a single location in which we do use the T70 box and WatchGuard is in place at 95% of our clientele. We do not replace viable commercial-grade solutions until such time that they are ending their licensing or whatever. We do not replace FortiGates or SonicWalls while they're still viable. However, when the opportunity to replace one arises, it is our first suggestion to the client.

How are customer service and technical support?

I do not or have not had to use technical support very often, but I find it to be excellent. They're very responsive and very knowledgeable. I get engineers from a similar time zone. They're very skilled engineers and very invested in end-user satisfaction. Even though they are 100% channel-driven, they take end-users satisfaction very seriously.

Which solution did I use previously and why did I switch?

The complexity of configuring a SonicWall, for example, is much, much greater than that of a WatchGuard. Identical tasks can be completed in a WatchGuard in a fraction of the time as a SonicWall. When comparing similar models, the performance of Meraki is far inferior to the WatchGuard. Its capabilities are inferior to WatchGuard. It's a simple cloud interface. Meraki's simple cloud interface is probably more appropriate for a less experienced engineer. FortiGate lacks some advanced features that WatchGuard has, but my predominant issue with FortiGate is that when all the unified threat management utilities are enabled, performance on FortiGate is inferior. Although it has capabilities, when fully enabled it does not perform as well as WatchGuard.

How was the initial setup?

The initial setup is very straightforward. I'm able to deploy a standard template after activating the device. The activation is very simple and takes just a few minutes. Then a base configuration can be applied once the firmware has been updated and a box can be prepared for initial deployment within 7 to 10 minutes after it boots. 

It took 45 minutes to set up.

In terms of the implementation strategy, I have an implementation baseline of minimum acceptable settings and then it is adjusted based on client needs.

We deploy it to distributed locations in one of two ways. The device can be drop-shipped to the user or the endpoint and a cloud configuration deployment can be pushed to the box. My preferred method is to receive the box, perform a firmware update and a base configuration, and then ship the box.

I would recommend working with a partner for an expert-level deployment. It greatly reduces the time to deploy it. An experienced engineer can then deploy the product very rapidly and can often provide instruction on how best to maintain the product. But otherwise, the deployment is very straightforward.

What was our ROI?

They are very low maintenance, they have a very high rate of my end-user satisfaction. I'm able to provide excellent levels of service to my end-users and my customers. I would say that they have a very high value and a good return on the investment.

What's my experience with pricing, setup cost, and licensing?

Generally speaking, I find the three years of live and total security to be the best option. By going with their total security, you do get the endpoint protection component of the threat detection and response. Typically the trade-in options, depending on your prior firewall, are options that they should request or pursue when dealing with their provider. Those programs are usually available, but they're not always offered by a provider unless you ask.

What other advice do I have?

I would rate WatchGuard Firebox a ten out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free WatchGuard Firebox Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2025