WatchGuard Firebox Reviews

Actually, we do not use WatchGuard Firebox, we just sell and sometimes deploy and install it for the customer. We usually set up a few basic policies then give it to them to continue on.

The features that I have found most valuable are the FireWall features. The management side of WatchGuard is quite easy because it supports two ways to manage it - by the web and the other one they call WatchGuard systems manager. I used to be familiar with WSM only, but they improved their GUI in the web browser and now it is much easier to do it within the web browser.

The other feature is the side to side VPN. We have a bank client and they use a WatchGuard device for their headquarters and other WatchGuard devices for their branches. Setting up those IP's and VPN's was quite easy because the relay was at the branch office where the VPN resides. So that was quite handy to set up.

In terms of what could be improved, I would say their web blocker feature. It is still quite a confusing setup, especially when you want to filter out a particular category for granularity. For example, you do not want to filter Facebook but you do want to filter Facebook games only. It can be done, but the process to do it is very confusing.

We have seen other products like Sophos, Checkpoint and Palo Alto that were much easier to set up their web built setting than it is with WatchGuard. So aside from all other features, including the VPN security policies, the only feature that is quite confusing is the web block feature.

They could make the web blocker much easier to set up.

In terms of scalability, they have models like the 5,000 series and 6,000 series. We have not reached that yet. We are only a small company and our customers are only small and medium businesses. So no enterprise companies yet. But I think if we need a bigger box, we would go with the 5,000 series.

Right now we're only at about 200 hundred users. Sometimes we are trying to push for the 300 series or 500 series, but not yet.

We require a staff of one or two for deployment and maintenance.

I think technical support is okay. When I log a case, they usually respond within a day. Then, if they need to do some things for the client, they are quite flexible and do it based on the client's schedule. So no problem with the support. They are good. So far all our issues we have raised, and we have large cases, have been resolved. So their tech support is quite good.

We switched because WatchGuard is cheaper. An old product that we previously sold was quite expensive, especially the security renewal after every year, but WatchGuard offered quite a competitive price and in a bundle that was much easier to understand. Cyberoam, for example, was quite complex to set up under licensing. Cyberoam was bought by Sophos. So we switched to WatchGuard for the price.

The main highlight is price. The client has quite a tight budget so we can offer much more with WatchGuard.

Setup was easy because the manual was there and it was quite easy to connect to a particular port. It's very understandable. Setup was very straightforward, nothing complex.

Deployment could take only a few minutes or up to an hour and we can already set up a few basic policies. But the thing that drags longer is teaching the client to use it and to set up their own security policies. Sometimes they don't have enough experience at setting up WatchGuard, it's still new to them. But maybe after a few hours of lectures from us they get it. We still continue to support them after initial set up, for example if if they want to set up a policy we can assist them with that.

I have seen a return on investment, especially for the client. They have less problems in the bandwidth because the users are not going to unnecessary sites. So productivity should be better. Clients would not be tempted to browse unnecessary sites, games, download movies, because there is a firewall with restrictions in the policies. So therefore, the users would be performing at their best.

The box costs 180,000. One third of the price of the box goes to the yearly renewal fee, around 50 or 60, for the basic. There is the advanced feature which is half of the box, but the basic is quite enough for most of our brand, which is why we have not used the TDR yet.

And the response comes free for the advanced features and advanced licensing.

The advice I would give to anyone considering WatchGuard Firebox is that it is a good product, despite what they say about it not being in the Gartner quadrant leaders. It performs well. It's fast. The only downside would be the web filtering side of things. If the client wants a good web filtering device, they have to go to another vendor, but just for Firewall IP and VPN, I think WatchGuard will be good.

I'm not saying that the web filtering for WatchGuard is really bad, just confusing. Some clients don't want to do something that's confusing for them, they prefer something easy, but if they can live with a little confusion, then it's okay. But it is good to have a good partner, someone like us, in case the client has a problem setting up their policies, especially in the web filtering, we can help.

Speaking on behalf of the client, I think they are okay with the solution. They are still continuing to use it past a year already, and they continue to renew. They are satisfied with its performance and what it is capable of doing.

On a scale of one to ten, I'll give WatchGuard Firebox an eight.

We are a solution provider and WatchGuard is one of the product lines that we implement for our customers. I am the person in the company that is responsible for WatchGuard products.

We do not use this product in my organization. I'm enabling partners and providing training for them on how to use this technology and how to sell it.

I assist customers with implementing PoC installations in different environments.

My client that recently implemented WatchGuard Firebox is running an ERP that is used by clients that are in different countries from around the world. They are using Firebox to protect the ERP from outside threats. Essentially, they need to protect the perimeter because users come to the server from different environments.

This solution protects the cloud-based server from incoming and outgoing traffic. In this regard, it acts as a web application filter for the server.

This product offers great protection using the default settings.

The vendor needs to address customer concerns and develop more according to requests, instead of prioritizing based on the existing roadmap. This is a great product and offers great protection but they don't hear the customers' needs. They don't make improvements as per the customers' requests. This is especially true in cases where the feature is common among competitors.

In the future, I would like to see better integration with Active Directory. It should depend on the user's login. This is a feature in big demand and most competitors do not deal with it the right way. Making this change would make sense with customers.

I began using WatchGuard Firebox approximately two years ago.

This is a very stable product.

Scaling this solution requires a migration plan. For an on-premises deployment, there can be challenges related to extending the hardware appliances. A single box is not scalable itself. Rather, you need to migrate to a bigger appliance. But, there is an amazing feature for this called offline configuration.

The offline configuration capability lets you migrate settings from one box to another in minutes. After five minutes, everything will be migrated to the other Firebox and it will scale smoothly without any interruptions.

Technical support for this product is perfect. If you open a ticket with them, even with the slowest SLA, they reply to you within four hours. You can also request that they open a remote session with you.

When it comes to feature requests, however, the vendor takes too long to reply.

Quite some time ago, I had experience with Sophos products as a distributor in Egypt.

I also have experience with products by Fortinet. I have been evaluating Fortinet because they are one of our competitors.

The initial setup is very easy and straightforward. They have a great wizard and it has a great default protection setting. Anyone that is setting it up for the first time, or has not even used a network security product, doesn't need an expert to configure it. The default protection for threats is great.

This is always deployed in a virtual environment, either on-premises or on the cloud. The deployment can be completed in six to ten minutes.

I deploy this product for my customers.

The staff required for deployment and maintenance depends on the project capacity. For a small or medium-sized project, one person is enough. For the smoothest deployment, this should be an engineer or an experienced technician that is aware of network security.

My advice for anybody who is implementing WatchGuard Firebox is to follow the guidelines and best practices that are available on the WatchGuard help center.

I would rate this solution a nine out of ten.

The big issue with data-loss protection is the end-to-end encryption between the user and whatever site they're connecting to. And that diminishes the effectiveness of the data loss protection because it can't inspect all of the data contents. Formatting is still reliant on numbers, letters, and sequences recognizable as credit cards, driver's license birthdays, etc. There's a lot of other sensitive material that could be at a client site, for example, that doesn't have a known methodology. It can be challenging to set it up to recognize instances of information unique to an environment. Unfortunately, it's even the case with a company like Microsoft. I would compare it to the data loss protection within Office 365 and say that it has the same inherent problems that you see with any encrypted email.

WatchGuard Data Loss Prevention catches so little. When I've implemented it, it just can't look at the traffic in a thorough enough manner to capture as much as it should. And I find that I'm disenchanted with all data loss protection solutions I've tested and looked at. WatchGuard certainly is not any better or worse than the others. It's just not a technology I have much faith in. 

You can get awfully granular in the setup, but it reminds me of antivirus software. True antivirus software catches very little. It's rare that antivirus software identifies a true virus. Everything's becoming more complicated, so now you need to look at detection and correlated threat response systems that are more effective than traditional antivirus. Data loss protection, I'm afraid, is kind of in that space.

We've used Watchguard Data Loss Prevention off and on for several years depending on the client's needs.  

Overall, I have utilized WatchGuard solutions for at least 20 years. I have been with them as they switched from private to public ownership and back again. So I've been a pretty faithful user for an excessive amount of time.

I find that their tech support is excellent. And as a reseller, my relationship with my point of contact is also strong. WatchGuard does a good job of maintaining that. So even if you are not getting the best response from support, you have a method to escalate it. I have so few incidents where I need to reach out to support. My most recent incident was handled very quickly, but with my experience, I don't have to call them often. At most, I maybe contact them once or twice a year. I have a lot of WatchGuard devices in service with my clientele.

It's a very simple setup.

I've never licensed it as a separate solution. It's always included in the licensing that would be appropriate for a medical facility, so I've never purchased DLP as an add-on to their basic licensing. I wouldn't say that I can give you a straight answer. It's never even come up in conversation to license it as a standalone solution.

I would rate WatchGuard five out of 10, but all of the data loss protection solutions I've looked at would be in that five range. I haven't found one that I would put much faith in.

Honestly, I think that data loss protection is just part of a whole configuration. Let's say you need granular control, reporting, and things of that nature. In that case, you need to do an extensive job configuring the firewall. It's probably insufficient to run the quick setup wizard and say that's good enough. So if you're looking to implement a feature like data loss protection, you probably need to have a relatively advanced technical person doing that configuration. So it's not difficult. But conceptually, to be effective, you need to have an excellent understanding of firewalls and firewall methodology.

We use them for perimeter security and also to manage virtual LANs.

The main benefit for us is the ability to manage the VLANs. It allows us to monitor types of traffic and to actually review and determine what traffic we want to allow and deny. It also allows us to modify the categories of restrictions that need to be applied.

It has also simplified some of the processes that we have. For example, we were having some issues in identifying where most of our bandwidth was being used up, which devices and which users, and what they were using the bandwidth to do. Were they watching videos or were they looking at some other bandwidth-intensive site or application? We have been able to determine user behavior on the network.

We are quite happy with the Firebox. It really helps us with the ease of managing firewalls at other locations. It has really helped us save time by not having to go to other locations. We have devices at two smaller offices, where we don't have IT staff. It has allowed us to remotely manage and update the firewalls at those locations. It's saving us at least four hours a week.

I don't think it has helped improve productivity in terms of efficiency, but it has enabled us to improve the security of the network. We don't have to worry as much about where the users are going. And if a user was blocked, it will let us know why they were blocked, what category of trip was being blocked, or what policy it was blocked under. Even if our staff is going to a legitimate site, but the site is under a wrong category, it allows us to put that site on our exemption list to allow it.

It has also really helped us with our management and to monitor internet usage. Our department is just three people and it has made it very easy for us to manage.

• Two of the functionalities we use most are the traffic monitoring and the full panel dashboard. Those are two things that are very useful for us.
• It's very easy to use. The interface does not present a challenge for the user. It is a great device for small businesses with up to 500 users. It allows easy management of all devices from one central device and updates are very easy as well.
• The performance is also very good. The throughput is excellent. I've not had any issues with that so far.
• The reporting and management features are excellent. They're easy to navigate and very intuitive, and reports are easy to read.
• In addition, it provides us with layered security. It allows us to determine what types of access, to which networks, we want to allow or deny.
• We also like the site-to-site VPN that allows us to connect to and securely access devices at other locations.

I would like to have a little more control over access points and the ability to see the bandwidth that is passing through a specific access point. We are not able to see that. We can see what traffic is passing through the Firebox itself, but we can't identify if it is coming from a particular access point or not.

We have used WatchGuard Firebox for seven years.

The Firebox is very stable. We have not had a failure over the seven years we've used them.

In terms of scalability, we would need to add another device to the M300 that we have right now. I know there are models of Firebox that you can actually add hardware to, to get them scaled up and for additional portals. But the one that we have, in terms of subscription, is very scalable in terms of features, and it integrates with WatchGuard's central interface where it can update our firmware as the updates come out.

What we want to do is put in some more redundancy in our network access. We want to have a second Firebox at each location. We have two ISPs at each location, so instead of both ISPs going to one Firebox, we want to split the ISPs between the two Fireboxes and have load balancing through the internet on firewalls.

We have 100 employees at our head office, and we have 10 employees at our sub-offices. In terms of devices, we probably have about 150 devices, including printers and computers at our head office, and about 12 devices at each of our sub-offices.

We used the technical support once, when we had some issues with employees trying to access legitimate sites. That is when we learned about setting exemptions for certain sites. A company might be a travel site, for instance, but due to the amount of advertising they do, it might be flagged as an advertising site. To resolve that issue, when it's a legitimate site that does a lot of advertising, you can go to support for help in figuring that out, and also for help in putting necessary exemptions in place. 

The support was very professional. They were very patient, and they explained the issues and the solutions fully.

I don't have a lot of experience with other firewalls. There was a Cisco Certified office that I was exposed to before we moved to the WatchGuard Firebox. It felt like the WatchGuard was a lot easier to use, and easier to set up than the Certified Office device.

The primary reason that we went with Firebox was its cost. It is very economical and it provided us with all the security functions that we were looking for at the time. And the throughput was more than what we required, so it was a very cost-effective device to deploy on our network.

The initial setup of Firebox was straightforward. It was not complex.

For our deployment we configured all three access points at one location, our head office, and tested them in that one environment. Then, at the various offices, it was just a matter of changing the IP address. We had one technician go to one office and another technician go to the other office to install the Fireboxes and connect them to the network. As they were plugged in, they connected and it provided the service that we wanted from day one. We didn't have to do too many reconfigurations. The policies that come with it out-of-the-box provide adequate network protection, and we just had to put in special policies to allow various types of traffic, either both ways or one way, to various ports on the firewall. We didn't have many problems in getting them up and running at each office.

Deployment took one day at each location. Overall, we were able to prepare the Fireboxes and test them in less than a week. We prepared everything at one location, did the testing on the second day, and on the third and fourth days we went to the other two office locations to install them.

With the Firebox solutions we have had a lot more accessibility, in the network, to our third-party vendors and suppliers. Prior to that, we did not have a direct connection to those companies, but with the Firebox we were able to configure a DMZ, and that allowed us to apply the granular restrictions that we really wanted. It allowed us to reduce the number of devices that we have on one desk, at certain workstations. Instead of having the supplier's computer and our computer, we were able to use just one computer, and connect to the supplier.

Going with the Firebox is a no-brainer. It provides the necessary security, out-of-the-box, for your configuration of the policies. It's very easy to use and it also gives you a reporting dashboard that can be customized. It makes a lot of sense out of all the data. It's very easy to read. We use a 40-inch display in our office and have it connected to the Firebox so that we can see what's going on on the network. We can look at it and see how the traffic is going through it.

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

I've been using Firebox for two or three years.

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS , and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

We basically use this solution to filter traffic so that the network can be secured and no one can hack the network. We are using WatchGuard as a gateway security product. It is installed on the gateway to filter the traffic for our network, stop access to malicious websites, and protect our interwork network from any kind of hack attempt from outside.

We are also using the VPN feature. The traffic is encrypted via a VPN, and no one can hack it. We are using the latest version of this solution.

The VPN and the filtering features are the most valuable. Its VPN is very strong, and its services are very nice.

The main problem in India is the service. There are not enough Check Point and Fortinet Firewall services, but for this product, the service is very good.

Its graphical user interface could be improved because not everybody is technical. There is a lack of knowledge, and they can give some training for this solution.

I have been using this solution for three months.

It is 100% stable. Our technical team had tested this product before buying it.

We have approximately 500 to 700 users who are using this solution in our company.

I haven't used their support.

It is easy to install. If we have all the required information about static IP, private and personal IPs, and network series, it takes just 10 to 15 minutes to install.

We have seven technical guys for its deployment and maintenance. 

It is not expensive. Other products like Fortinet and Check Point are of the same price.

I would 100% recommend this solution to others. We plan to keep using this solution in the future.

I would rate WatchGuard Intrusion Prevention Service a seven out of ten.

I'm deploying the WatchGuard Firebox for many of my clients, and they all stay satisfied with the product. The primary reason as a common request from most of the users is to protect the environment from the outside network attacks. It is popular because of its security layers dependencies and its great performance.

The proxy policy and packet filtering templates make it very clear while I am configuring the Firebox for customers. Also, the variety of actions that are designed per kind of packet payload are dependent on the protocol's payload.

The Firebox is developing most of my client's infrastructures, starting from internet access and its amazing protocol-oriented proxy policies. It also has a deep understanding of the packets, meanwhile the most powerful HTTPS inspection features.

It is supported by the VPN, either Branch office or mobile users.

In addition to its impressive extraordinary DNS security, it has an access portal, which is a feature for publishing web applications, cloud applications, or even publishing internal RDP and SSH. 

https://www.watchguard.com/wgrd-resource-center/2019-nss-labs-ngfw-group-test

The traffic management feature is very flexible and it let you manage varieties of our customer's needs as it is working per policy, for all policies, and per IP address. You can apply it also per application or application category, all in the same proxy policy.

The differences between backup and restore and the configuration file allow us to perform a migration from one box to another in a single click.

The security that is used for defending from the attacks is very good. As an example, for the HTTP packet, you will find botnet protection, Reputation Enabled Defense "RED" and DNSWatch "the DNS security", in addition to the AV gateway. They are all working together to protect internet access.

I would like to see the number of management consoles reduced. As it is now, Firebox can be configured using the web UI, WatchGuard System Manager, Dimension server, and from the cloud. This should be done without affecting the way we deal with the configuration file, as it's one of the strongest points in making its implementation smooth and easy.

I would like to see the devices made more flexible by adding modules to increase the ports that we can use. As it's started from T80, the last edition of tabletop appliances, it should also be applied to all M series appliances.

As I work as a services provider, I have used many different solutions. I find WatchGuard Firebox provides very good value. as you find in the following points "Not everything":-

1. Configuration migration between boxes.

2. More flexible while applying traffic management.

3. Best performance.

4. Security layers and its dependencies.

5. Protocol oriented.

6. Rapid deploy feature that it let you make a total configuration remotely for a box on its default factory mode.

7. total protection for inbound and outbound traffic by applying the policies with a deep understanding of the traffic. 

8. The DNS security and how it stops the malicious DNS requests on the scale of network security and its endpoint for mobile users to apply the same while they are outside the environment.

9. SD-WAN feature and how it deals with lines quality by its Jitter, loss, and latency.

10. The exception for sites, ports, and IPs, it has a huge variety and you can do it at many levels. Before the policies starting already in the default threat protection, Or in the global settings but after the policies starting to scan then you can avoid all of that per policy per protection type which is meaning that you can expect something from geolocation or WebBlocker or APT Blocker, etc...

11. there are some other features in the box Access Portal, Application Control, APT Blocker, Botnet Detection, Data Loss Prevention (DLP), Gateway AntiVirus, DNSWatch, Geolocation, IntelligentAV, Intrusion Prevention Service (IPS), Reputation Enabled Defense (RED), spamBlocker, Threat Detection and Response, and WebBlocker.

We are using WatchGuard Firebox for defense of our internal infrastructure.

I wouldn't say that Firebox has improved the way our organization functions, but rather that it protects our organization.

The solution identifies attacks on our services and, as a result, directs our attention precisely to the cause of the problem. As we are not actively watching the traffic ourselves and we completely rely on Firebox to alert us instead, the solution saves us about 30 hours per week.

The most valuable features are WatchGuard’s antivirus, traffic protection, and ease of configuration. I also appreciate their traffic analytics. 

After conducting several tests I found the antivirus is working very well. Additionally, they have a very interesting feature, DNS WatchGuard, which is checking DNS requests for phishing, among other things, and it has caught a lot of unwanted attempts and attacks.

Regarding the management features, the interface is user-friendly, and the instructions are well documented. There is a fast learning curve and everything is intuitive and understandable.

It also provides us with layered security. Firebox protects our traffic, as we have numerous Web Services that are external and which are a priority for us to defend. We don't use the rest as much.

I haven’t dug deeply into the reporting features yet or if they are working well. However, I have generated several reports and there was too much unnecessary information, in comparison with the reporting features in the Sophos firewall. Sophos' reporting is more readable and easier to configure. Having said that, reporting features were not very important for us when selecting a solution. What was important were other types of functionality that WatchGuard Firebox was able to meet.

In addition to the reporting features, I would suggest they work on an SSL VPN gateway.

We have been working with WatchGuard Firebox for about one year. Initially we got an M200 model and then switched to an M470 in a cluster.

In terms of the stability, everything is perfect. We haven’t experienced any issues.

The solution scales intuitively and quickly with any internet, meaning the solution’s protocols support any internet configuration. The connectivity scales in any location.

We could scale it to several companies with up to 100 employees and up to 1 Gb of traffic.

I would rate WatchGuard's tech support at the highest mark of five out of five. I was very pleased with them. We were working with them on the software licensing and opened some tickets related to technical issues. In both cases, they resolved the issues promptly and without unnecessary back-and-forth, unlike when working with the support teams of other vendors.

Before Firebox we used a Sophos firewall. We switched because the WatchGuard firewall offers a broad set of features and parameters that were lacking in the Sophos firewall. Additionally, the WatchGuard solution was cheaper.

WatchGuard has a comprehensive antivirus system included in the firewall and that was important for us. Sophos’ antivirus features were weak, in comparison.

The initial setup was medium in terms of the difficulty of some aspects, such as initially understanding the logic of their security policies. It took several hours to acquaint myself and to fully understand things. The whole deployment took about three days.

We initially had an implementation strategy, but it was adapted according to the recommendations and specifications of WatchGuard.

In terms of the technical aspects, I am the only who works with this solution in our organization.

Initially, we purchased the Firebox just for us but, as of today, we have deployed it to two or three other companies. The client sent us project specs with necessary internet configurations for each device, as well as the physical locations. We replicated their infrastructure in our test environment, configured each device according to their specs, and shipped the device to them. The client then connected the device with a cable to the ports outlined in our instructions and everything worked the first time.

During the deployment we worked closely with WatchGuard’s tech support team and they were very speedy in their responses to us.

The price of the solution corresponds to the quality and the feature set offered. There are no additional costs to the standard licensing fees.

Before selecting WatchGuard Firebox, we evaluated the Cisco FirePOWER firewall and, in comparison, Firebox is much easier to use.

Also, WatchGuard’s solution, in terms of the cost-per-value ratio, is very balanced.

My advice would be to try this product.

As for the throughput, at this point it is hard for us to evaluate it because we don’t have heavy traffic, or at least we do not experience the traffic throughput specified for this model. Our inbound and outbound traffic is 1 Gb and the M470 handles it very well, not even stressing its components.

When it comes to the solution’s Cloud Visibility feature, they need to improve on the reporting. But in terms of the logs, it gives us very good visibility.

Overall, I would rate the solution a strong eight out of 10.

We use it in my company and for my clients as well. We sell Internet access, so we use them as a firewall to hopefully protect our clients. We work with one of our partners, who is a certified WatchGuard engineer, and have come up with a fairly good plan to get these completely fired up and working. That makes a huge difference.

We're now up to the 7 Series. We've gone through WatchGuard 3 Series, 5 Series, and 6 Series. So, we've gone through several different versions over the years.

Firebox's reporting and management features have been very helpful to us. Unfortunately, we don't always have them turned on at the right time. That's something we have to be aware of. However, once they're turned on, they seem to do really well in identifying things across the board for us. We can usually hunt down problems very quickly and go from there.

The solution provides our business with layered security.

We do most of our services now as Voice over IP services. We do not do computer services. We have been able to slowly pair down exactly what we need to program within Firebox to give us the best quality of service for our customers. 

We can open or close individual ports, which most can, but I like the way that this programs. Meaning its GUI interface versus Cisco's, where their interface is still not all that great. We just become very comfortable with WatchGuard over the years because we know what to do with them.

We have found it to be very usable and friendly. We can use it for identifying and hunting down. If we run into a problem for some reason, the reporting capability makes it much easier for us to ID where problems may be.

Depending on what specific model you get, along with how deeply reprogrammed and restrictive we make it, their throughput is pretty good. Though, the models are all pretty close to the same. We get about an 85 to 90 percent throughput, depending on which of their security platforms we install. Some will take a little bit more and some will take a little less.

The pricing could be improved. It is definitely one of the more expensive products, though you can't really compare it to Ubiquiti or SonicWall.

About 15 years.

Its stability and reliability make it a good product for us.

Over the last 15 years, there has been only one Firebox in which we've had any hardware problems and one box in which we have had a software problem. In both cases, WatchGuard overnighted a new box to us so we had it the next day, then we were able to repair or replace, as necessary.

They seem to be fairly stable. Like anything else, it's an electronic device that can last for 10 minutes or 10 years.

They have put together a good process where we can go in and see, based on the processor power of Firebox, which one we would want to use on what circuit size. They have it from very small to extremely large.

We have four telephone technicians in the company who have had the training and capability to work on Firebox.

For us, a large environment is somebody with 250 or 300 users inside the company.

Our partner has used their support. It's really good support. If they don't answer immediately, they get back to you very quickly, usually in less than an hour.

We see cases where several of our clients are switching from a different firewall to WatchGuard. With Cisco, it depends on who's supporting it. SonicWall seems to give us a bit more problems when it comes to interfacing with IP telephone devices or if we're doing SIP trunking.

Firebox stabilizes it so we know we get better support for the platform and user when it comes to Voice over IP. We find a lot of them don't give us the ease of setting it up. Now that we know we have it down to what we're doing so the platform stays stable, we can imply good quality of service for the customer and keep going on so they continually get good performance on their network.

In the beginning to set this solution up, it takes four to six hours. That is to get a brand new one out of the box and make sure it's got all the latest and greatest revisions on it, then setting it up. That also depends on the size of the client that you are supporting with it.

We have a template built for it. Once we upload the template, we go in and adjust it accordingly.

We have a few Fireboxes deployed to distributed locations, not a lot. However, it does work well in a distributed environment. We have one customer who has five offices in five different states. He has Firebox for all of them and it seems to work pretty well.

Deploying to distributed locations is easy enough. We have a template. We just get the IP addresses for the network and update the template, so it has the appropriate addresses. We can either have one of their folks do it because this happens to be a tech company, not necessarily IT. However, a tech company is knowledgeable enough. We can send it out there and tell them what to plug in where and turn it on. Then, if we're really lucky, it comes up without any problems at all because we've already set it all up before we take it out to them. So, the deployment becomes easy depending on how you want to address it. There have been times where we've gone out to deploy them in different locations. Most of the time, depending on the company, we can set it up to deploy, then just plug and play.

Make sure you have a good, qualified, trained engineer to help you initially get it set up. I do not recommend you doing it on your own unless you're somewhat trained in the terminology and capabilities of the particular product.

We have an engineering specialist, who has been certified by WatchGuard, secure attack vectors for us.

Once we get done putting the solution in and getting it set, there are times that the local IT support may be different from ours. They may go in and make a few minor tweaks to it. We try to keep that to a minimum because it is just one of those situations where we would like not to have too many hands in the pot.

It saves us time in the respect that we now have the template built for it so we can get in and get it done. We've had much less problem supporting Voice over IP technologies from different companies. Because our client base has grown over the years, we're probably saving 20 to 30 man-hours a month now that we've got this on a good stable level.

They license it. When we buy it, we buy it with a three-year license. That's the most cost-effective way to do it. So, if you're going to buy it, then buy it with the three-year licensing. Only the person buying it can determine which level of licenses they have. That's something to truly consider.

There are no additional costs unless you choose their advanced licenses or different levels that they have for security. You can add on more security licenses with what you have in Microsoft today, but we have not been adding those on.

Our experience has been that Firebox actually performs a little better than some of its competitors as far as throughput goes. However, it depends on how much of their security software you get loaded, because they have different versions.

We have used other products. We've used SonicWall, Ubiquiti, and Cisco PIX. My personal favorite happens to be WatchGuard. Also, if we compare WatchGuard against Ubiquiti or Cisco PIX Firewalls, its ability to add multiple IP addresses and ports is much simpler than those. I can run several different networks off of ports that come on the hardware device. Depending on the model, there are anywhere from four to eight ports on the device, so you can plug it in at different levels.

It is a great piece of hardware.

The learning curve for this solution depends on your background. If you have some technology background, implementing it will probably be okay. They have a WatchGuard academy. If you have no background at all, I wouldn't suggest you do it. In comparison, when you get trained with Cisco, there are several different classes to go through and each class is several hours long.

I would rate it as a nine or nine point five out of 10.

The purpose is to enhance the application control and internet access control of our company in our office and factory.

Firebox provides our business with layered security. Before implementing the firewall, we didn't have any control over application access. Now, by using the Firebox, we can control each staff member and department and what kind of application they're able to access on the internet, especially with the popularity of cloud SaaS systems. It has really reduced the degree of risk in accessing those unauthorized, and potentially risky, destinations. WatchGuard provides a pre-built database that can protect against gambling domains, for example. But the accuracy of that database still needs to be improved because, in many cases, the categorization of the website is not exact.

It has also helped with productivity. It reduces the time our networking staff spends implementing things. It has saved about 20 percent of our time. We're also doing more control than before, so we have made some effort to configure the policies, which was something we'd never done before. Previously, we didn't have any control, so we didn't have to spend time configuring or troubleshooting application control policies.

There wasn't one particular valuable feature. What I like is that 

• its pricing is competitive when compared with other brands, 
• it has all-in-one features for intrusion detection
• it has application control 
• it has email control.

Also, the load balancing and failover features cost only 20 percent more than a single instance of Firebox. Those are the main reasons we chose it.

Because we use cloud applications like Office 365 and Salesforce, we don't want all our staff accessing the whole internet. We use the application control so that they are only able to access the company-authorized cloud applications.

Because we use the firewall to monitor the external traffic as well as the internal traffic, we bought a fairly large model, the M570. We turned on most of the features and the performance is comfortable. It can reach the throughput, the performance specified on the data sheet.

Also, because we bought two firewalls, which I know is not that many — not like in the retail industry where they have many firewalls in their retail stores — still, we need a central place to manage the policies and deploy them to both devices. It's good that it provides a system management console that is able to manipulate and manage policies in one place and deploy them to different locations.

The reporting features are not as flexible as I thought before I bought it. You can retrieve some simple statistics from the centralized reporting server. But let's say I want to look at the volume of internet access among our staff. There are no out-of-the-box reports or stats or any unit of measurement that show internet access for particular staff. There is no report that shows how long they're on or the volume of traffic, especially in a particular period. It's not necessary that it have very modern BI analytics, but at this point I'm a little bit disappointed with the reporting. One of the purposes of implementing the firewall was to do more application control and reduce the risk involved in employees accessing the internet. We want to measure and know how much time of our staff spends accessing and browsing and using internet resources.

We bought WatchGuard Firebox last year and implemented it in our Hong Kong office and China-based factory. In the factory we have larger coverage and we use the M570. For our Hong Kong office we use the M370.

It's stable. So far, there have been no incidents.

Our case is quite straightforward. We only use two nodes. We still need to expand to one or two more factory locations, as well as our office. We will scale out the same solution.

I do have previous experience in the retail industry. In that industry, where you need to implement many firewalls in multiple retail stores, I doubt the management tools of the Firebox would be able to scale out for that use case. But for our use case it's good.

We haven't had any issues so we haven't contacted their technical support. It's been quite stable over the year since we implemented it.

There was no application control in our old solution and we wanted to reduce the risk of being attacked from outside. So we looked for a UTM model and the cost-benefit of the WatchGuard Firebox was one of the best.

I did a little bit marketing research locally and listened to recommendations from some partners in Hong Kong.

The initial setup was quite straightforward. It's a typical UTM.

Our implementation took about two months.

In terms of our deployment strategy, we implemented one of the firewalls. We replaced our old firewall, enabling only the internet access and left the major email traffic access. Then we defined the control by defining more specific application policies. Once it was successful, we used the same method to deploy the other firewall to our China side.

We have one person who maintains the Fireboxes, but it's really less than one because he does other administration and is not only dedicated to firewall administration. We have about 100 people in the Hong Kong office and on the factory side there are 400.

We had one internal staff member and an external consultant from BARO International for the deployment. Our experience with BARO was good. They understood our requirements and were able to translate them into an actual solution and deploy it.

We have seen ROI using WatchGuard.

We needed a firewall to control our internal network and the external access and we needed to implement load balancing and failover as well. Going with WatchGuard "increased" our budget.

WatchGuard had a very competitive price. It was only 10 to 20 percent more than a single instance device but with that extra cost it provided a second load balancing device and the licensing scheme didn't charge double. They only charge for one license, unlike other brands whose method of hardware and software licensing would have doubled our cost. That was a major consideration.

We looked at Juniper, Check Point, and one more that was the most expensive.

The usability of the Firebox is good. But the UI is not as user-friendly as the model that I had used before, which was from Check Point. The design of the Firebox UI is restricted and needs an experienced network guy to understand the format and settings. When I used the Check Point a few years ago, the UI usually guided me on how to define a policy from the source to the target, and what the objects were, and how to group objects, and everything could be seen from a simple, table-based web UI. 

The interface of the Firebox is clumsier. The settings are like a tree structure, and you need to drill down to each node in order to get to the property. It serves the same purposes, but I won't memorize all the settings. A more user-friendly user interface would reduce the number of things I need to memorize and guide me in configuring policies. It's quite good, but is not the best I have seen.

The other brands provide more professional features for reporting, the application control, and the scalability. But the strong point of WatchGuard is their all-in-one features that are suitable for our size of company and our budget.

WatchGuard is not the best. We already knew that, but it comes with most of the features we need. Although it's not the most user-friendly, we sacrificed that to keep the core features to increase our control while maintaining our budget. Honestly, there are no particular features of the WatchGuard that impressed me to say, "I must choose a WatchGuard." But when I needed several things to come together, then I really had no choice.

I would rate WatchGuard Firebox at seven out of 10. It's good, it's better than a six, but from the management point of view, it has not totally satisfied my expectations so it's below an eight or nine.