Ronald Lewis - PeerSpot reviewer
IT Manager at Invest Barbados
Real User
Top 10
Useful VPNs, effective web filtering, and cost effective
Pros and Cons
  • "The most valuable features of WatchGuard Firebox are the VPNs, and web filtering where we can stop users from going to malicious sites."
  • "The VPN aspect of the WatchGuard Firebox is an area that could potentially benefit from improvement. We encountered difficulties while attempting to integrate Windows 11 laptops into the system, which resulted in unreliable connections. After some research, we discovered that this was primarily due to compatibility issues with Windows 11 and required a patch. However, it was still a challenge as it seemed that even when we tried to keep the laptops on Windows 10, they still exhibited the same issues as Windows 11 machines. Despite WatchGuard attributing the problem to Microsoft, we were eventually able to find a solution and all the machines are now functioning seamlessly."

What is our primary use case?

The utilization of the WatchGuard Firebox system is as follows: the head office, located in Barbados, has two remote offices in New York and Toronto that utilize Cisco for their VPNs, which are running to these two locations for the branch offices. The email system has three locations for redundancy, two in the UK in Purley and London, and one in Toronto, Canada. Employees who work from home access the office through mobile VPNs.

How has it helped my organization?

The WatchGuard Firebox has greatly improved the functioning of our organization, especially in the wake of the COVID-19 pandemic. Prior to the pandemic, the use of VPNs was primarily limited to IT support. However, with the rollout of the WatchGuard Firebox, all of our staff members in Barbados, Toronto, and New York were able to seamlessly transition to working from home. The WatchGuard Firebox also provides a unified track for virus scanning, which enhances the security of our connections. Additionally, we have moved our email off-island, which has made the SPA filtering from WatchGuard redundant. Overall, the WatchGuard Firebox has played a critical role in enabling our organization to adapt to the challenges posed by the pandemic and work efficiently from home.

What is most valuable?

The most valuable features of WatchGuard Firebox are the VPNs, and web filtering where we can stop users from going to malicious sites.

What needs improvement?

The VPN aspect of the WatchGuard Firebox is an area that could potentially benefit from improvement. We encountered difficulties while attempting to integrate Windows 11 laptops into the system, which resulted in unreliable connections. After some research, we discovered that this was primarily due to compatibility issues with Windows 11 and required a patch. However, it was still a challenge as it seemed that even when we tried to keep the laptops on Windows 10, they still exhibited the same issues as Windows 11 machines. Despite WatchGuard attributing the problem to Microsoft, we were eventually able to find a solution and all the machines are now functioning seamlessly.

The solution comes with a web interface that facilitates configurations, but it doesn't have the same level of functionality as the installed client or system manager. The web UI could be further improved.

In a future release, the detection of ransomware would be helpful. Ransomware is our biggest fear.

Buyer's Guide
WatchGuard Firebox
February 2024
Learn what your peers think about WatchGuard Firebox. Get advice and tips from experienced pros sharing their opinions. Updated: February 2024.
757,198 professionals have used our research since 2012.

For how long have I used the solution?

I have been using WatchGuard Firebox for approximately 20 years.

What do I think about the stability of the solution?

I rate the stability of WatchGuard Firebox a nine out of ten.

What do I think about the scalability of the solution?

Approximately thirty individuals are currently utilizing the WatchGuard Firebox solution. This includes a diverse range of individuals from the CEO and directors, to managers, secretaries, clerks, and even our receptionist. Given the recent trend of remote work, it has become increasingly necessary for all individuals within the company to have access to the firewall for their daily job duties.

As a government agency, our budget has been impacted by the current economic circumstances, which has resulted in a reduction in funding. Consequently, it would not be feasible to allocate additional resources toward increasing usage within the next year or two. Nonetheless, we will strive to maintain the current level of functionality and make any necessary updates to ensure a smooth operation.

I rate the scalability of WatchGuard Firebox a nine out of ten.

How are customer service and support?

There is a time difference when I have tried to receive support, causing some challenges.

I rate the support from WatchGuard Firebox a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used Check Point previously.

How was the initial setup?

The deployment took us a couple of hours and it was simple.

The deployment process for the WatchGuard Firebox in our department was a rather straightforward one given the size of our team. Being the head of the department and the sole person responsible for handling firewalls, I was in charge of conducting the entire process from start to finish. This involved a considerable amount of research to determine the most suitable option, followed by cost analysis to ensure that we were making the most cost-effective decision. Ultimately, I was responsible for making the selection, conducting the implementation, and overseeing the entire process, which required me to take on a multitude of tasks and responsibilities.

I rate the setup of WatchGuard Firebox an eight out of ten.

What about the implementation team?

We did the deployment of the solution in-house.

What was our ROI?

We have seen an ROI from using the solution.

I rate the ROI of WatchGuard Firebox a nine out of ten.

What's my experience with pricing, setup cost, and licensing?

Despite the fact that there is always room for improvement, the current pricing of the solution is still lower compared to its competitors.

I rate the price of the WatchGuard Firebox an eight out of ten.

Which other solutions did I evaluate?

We have evaluated SonicWall and Cisco, but the choice to choose WatchGuard Firebox was based on cost and reputation.

What other advice do I have?

We use two people for the maintenance of the solution.

I would recommend it and tell them to try it. It is a cost-effective, reliable solution.

I rate WatchGuard Firebox a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Manager at an engineering company with 11-50 employees
Real User
Geolocation allows us to lock down certain policies to only U.S. IPs
Pros and Cons
  • "One of my favorite features is the Geolocation service, where you can actually block specific activity or IP addresses registered to certain countries. For example, I don't want any web traffic from Russia or North Korea. I may even lock down certain policies down to 'I only want U.S. IP addresses.' I find that very useful."
  • "They've done a lot of work with their SD-WAN, which we do use, to have our old internet service with our new internet service. If anything goes down on a particular interface, I can have different rules applied. Most of my users don't even know when our primary internet goes down anymore... I don't have to be here to do anything to switch it to our backup internet or to switch it back."
  • "Reporting is something you've got to set up separately. It's one of those things that you've got to put some time into. One of the options is to set up a local report server, which is what I did. It's not great. It's okay... Some of the stuff is a little complicated to get up and running. Once you do, it becomes very user-friendly and easy to work with, but I find there are some implementation headaches with some of their stuff."

What is our primary use case?

It's our primary firewall. It's also our UTM device, so we have multiple security layers enabled on it.

We're using an M270 firewall with version 12.5.

How has it helped my organization?

With WatchGuard, I've got a lot of WebBlocker rules set up which help quite a bit, blocking a lot of suspicious and parked domains. Between WebBlocker, the Botnet Detection, the website reputation filters going, and IPS - which is one that is essential, but nobody really talks about a whole lot; between all those things working together, and even the antivirus, I feel our network is pretty clean. And if there is some suspicious activity, I think I have a better chance of being alerted to it. I've even been able to set up Application Control rules, so that something like Windows Update doesn't deplete too much bandwidth. There are whole bandwidth controls you can set up which aren't necessarily security-related, but they can help make sure that one particular function doesn't take up so much bandwidth that the users are affected. WatchGuard has layered security, but I also have other layers beyond that.

I wouldn't necessarily say it has simplified my job but I am very happy to have it. I'm very glad we went with WatchGuard. I was impressed with WatchGuard for a lot of other reasons like their education and training videos. They do a lot of little security announcements about what's going on with other companies in the industry, so that part has made my job easier. I wouldn't say it's made my job more difficult either. It has definitely made me feel more comfortable about the security here, but I wouldn't say it simplified things. We had a very simple firewall which was almost a small-business router. It had a little firewall screen with four settings on it that really didn't do a whole lot. So, I can't say WatchGuard simplified things for me. It's just we're much more secure and it hasn't overly complicated things.

What is most valuable?

One of my favorite features is the Geolocation service, where you can actually block specific activity or IP addresses registered to certain countries. For example, I don't want any web traffic from Russia or North Korea. I may even lock down certain policies down to "I only want U.S. IP addresses." I find that very useful. That was not a feature that was initially there for us. It was something WatchGuard released after we bought our first device with them and it is one I am very happy with.

I may want to only allow U.S. IPs onto a specific interface that I share files with, for security reasons, or I may know of a security issue in a particular country. I can just block that whole country for all my users. Or maybe I'm seeing a lot of malicious links coming out of South Korea, even, and I just say, "We don't go on a lot of websites there, let me just block that country completely," and if we do need to get on a website, I'll just make an exception. It improves security and helps block malicious links.

There's a little bit of a learning curve in getting everything working. But once you understand how all the pieces work, and the fact that you're using physical hardware with a web interface alongside a piece of software installed on your computer, and you learn what to do in each location, it's very user-friendly.

I like the management. There are some nice dashboards and other things to keep an eye on things. There are email alerts, once you get those configured. Once again, they're a little complicated to get set up, but once they work, they work well. Management is pretty easy. 

The version I'm on, 12.5, came out last week. I try to stay pretty current and they do add features and improve usability and functionality often. It's one thing I've been happy with. It's not like they say, "Here are the modules you bought with it four years ago and that's all you have." They're constantly adding, developing, improving. 

They've done a lot of work with their SD-WAN, which we do use, to have our old internet service with our new internet service. If anything goes down on a particular interface, I can have different rules applied. Most of my users don't even know when our primary internet goes down anymore. It does run slower on our backup, but they don't know the difference unless they're doing some kind of bandwidth-intensive function or streaming. I don't have to be here to do anything to switch it to our backup internet or to switch it back. They've developed that feature even more, to allow you to have different rules for different policies or different interfaces to behave differently, depending on what happens with either packet-loss or latency, with multiple internet sources. That is pretty helpful.

What needs improvement?

Reporting is something you've got to set up separately. It's one of those things that you've got to put some time into. One of the options is to set up a local report server, which is what I did. It's not great. It's okay. I've heard their Dimension control reporting virtual machine is supposed to be a lot better, but I haven't had the time or resources to set that up. Some of the stuff is a little complicated to get up and running. Once you do, it becomes very user-friendly and easy to work with, but I find there are some implementation headaches with some of their stuff.

I wish I had a contact at WatchGuard because there are a few things I'm not using. I'm not doing packet inspection because I know it's pretty intensive to install certificates on all my computers and have it actually analyze the encrypted traffic. That's something I'd like to do but I'd really like to talk to somebody at WatchGuard about it. Is that recommended with my number of users with my piece of hardware, or is that going to overload everything? I'm not using Dimension control. I'm not using cloud. If I had a sales rep or a support person that I could just check in with, that would help. Maybe they could do yearly account reviews where somebody calls me to say, "What are you using? What are you not using? What would you like more information about?" That sort of thing could go a long way.

They do a lot of education, but it's sent out to the masses. They have really good emails they send out which I find very valuable, talking about the industry, security events, and other things to be aware of. But there's not too much personal reaching out that I've seen where they say, "Hey, how can we help your company use this device better? What do you feel you need from us?" That's my main recommendation: There should be somebody reaching out to check in with us and help us get more out of our device.

For how long have I used the solution?

We've been using WatchGuard for over four years.

What do I think about the stability of the solution?

It's very stable.

I've only ever had one update that I applied that caused problems, that I had to roll back. I don't recall any kind of issue where I had to reboot the device to fix something. Somewhere along the line, WatchGuard, with their free training and free training videos, had recommended setting up an automatic reboot once a week just to keep everything clean, fresh, and healthy. I set that up to reboot every week during off-hours on the weekend and I've had almost zero problems with it. Even with the updates, as I said, I can only think of one instance where there was a problem. I had to roll the update back, which was very easy to do, and then wait until the update patch came out and fixed the problem. That only happened once.

I've been very happy with the stability and reliability of not just the device and the software, but WatchGuard as a company.

What do I think about the scalability of the solution?

With my needs and my network, I feel we could add bandwidth and add users for a while, before we would run into any issues. It's scalable for my needs with my device.

How are customer service and technical support?

I don't think I have used WatchGuard's technical support. If I did, it might have been once.

I haven't really needed it too much. As I said, they have some good YouTube videos that they put out themselves on setting up stuff. That's my first resource when I want to get into a new feature I'm not using. They've got pretty good notes in there, so when I update software on the device itself, I go through their installation guide or their admin guide for that version of the software and it's all pretty straightforward. It lays out the new stuff they changed and what you need to be aware of, so I haven't needed to bug them.

Which solution did I use previously and why did I switch?

We didn't have anything like this before, so it's not necessarily saving me time, but it did add a whole other level of security to our network, which we really appreciate.

We had a small-business Cisco basic solution. They called it a security router, but it was just a small device that sat on the shelf and which mostly provided internet access. It had very simple firewall controls: two or three check-boxes to do basic filtering. So we did have something, but it was nowhere near the level of the WatchGuard.

We switched to WatchGuard because we did not have a UTM device like we do with WatchGuard. We needed to upgrade the old device because it wasn't performing well anyway. I suggested that we needed something more appropriate, or with more layers of security than what our other small, entry-level device was offering. We did review solutions from a few other firewall vendors and WatchGuard offered, in my opinion, the best protection for the cost.

How was the initial setup?

The initial setup was a little bit of both straightforward and complex. I'm a technical person. I read an instruction manual before I do something, whether it's putting a piece of gym equipment together or implementing something like a WatchGuard firewall. I had gone through all of their admin guides and getting-started guides and recommendations. So it was pretty straightforward, but there were a lot of steps and a lot of things to work through.

Something as simple as email wasn't just set up by specifying the IP address of your email server. I had to enable a bunch of things on the web interface and then install the software on my computer and set it up as an email relay. That was the only way to get email alerts, which I found a little shocking because email alerts should be critical on these things. I guess bigger companies may have alert servers or Syslog servers or other things they're using. But we're smaller and we don't. So that was one thing that I found was a little more complicated than it should have been for the importance of the feature. And now I have a computer and a firewall and if one or the other isn't working, those email alerts don't work.

Our deployment did not take long. It was no more than a week or two. I did it pretty quickly. I convinced the owner why we needed it and why this was the right move. I wanted to make sure I implemented it quickly and that we got some benefits out of it right away. I didn't want to let it sit around. It took less than two weeks.

My implementation strategy was mostly what I mentioned above: Review all of the guides, all of the walk-throughs, a couple of tutorial videos, get a baseline of what I wanted to enable and how. Then I did it offline, as you would expect. I brought the device into my office, got it updated, got everything baselined and set up the way I needed it to start with. From there it was just switch out early in the morning before users were in the office. It was nothing too out of the ordinary.

For deployment and maintenance of the product, it's just me.

What about the implementation team?

I did it myself.

What was our ROI?

I believe there has been ROI, with the level of protection and things that are being blocked that we're aware of. And there is just the peace of mind of knowing certain things.

Some of this I'm simplifying a little bit because, again, a lot of these things have been implemented over the last four-and-a-half years. I'm thinking now of other features I've implemented that I'm very proud of, like locking down remote access software so people can't just come and use any remote access software to get in or out of our office. There's a sense of security because I only allow the remote-access software that we pay for and use. I don't allow any other protocols to get through. It is making sure we don't have people who work here doing weird things, but it also makes it harder for other people to break in. Just that peace of mind and all the other layers we have working is worth the money, in my opinion.

What's my experience with pricing, setup cost, and licensing?

We had a trade-in offer at the end of our first three-year term. As a result, we pretty much got a free device by buying the three-year subscription. It was around $3,000 for the three years.

Which other solutions did I evaluate?

We probably looked at SonicWall and Forcepoint, but it's been a number of years so I don't recall much of that process.

What other advice do I have?

Do your research. It's not impossible. Do things in a logical order and make sure you understand what you're doing and how you're going to do it. Once you understand it and get everything working the way you want, it does get very easy to use and work with from there. Once you get over the learning curve of how all the pieces work together, it's very easy, very user-friendly, very easy to update, and very easy to make changes and document those changes - all that good stuff.

I tend to buy the hardware platform that's like one level above where we think we absolutely have to be at a minimum, so the performance has been adequate or good. I've yet to hit an issue where I feel the device is slowing us down or causing any issues because of the performance of the device, itself. We're usually limited more by our actual bandwidth. It's been great as far as our network and needs go.

In terms of the extent to which we're using the product, six months ago when I renewed the second three-year term, the subscriptions had changed quite a bit from when I had my first three-year term. Now, I have a whole list of new subscription services or modules or layers that I have not started implementing. I got a couple of the new ones implemented, to get some of the benefit, when I first got this new device. But there are a few more I want to implement. One of them is packet inspection, which is difficult because that can really bog down your device. I'd like to have Dimension control to get better reporting. There are a couple of other ones that I have not implemented because they're new for me and I just haven't had the time to work on them. Threat Detection and Response is one I'm interested in which I haven't had time to implement yet. It involves me setting up a client in each one of my endpoints and it keeps track of unusual activity there. That's probably where I want to go next. Maybe even the Access Portal could be useful for me, to have a place for vendors or customers to go to access things inside our network.

We've gotten more features for our money because there's a new security package which wasn't available when I first subscribed, and that included pretty much everything. I had paid separately for APT, Advanced Persistent Threat protection, on my old subscription. To get that now, it was cheaper to bundle it with their total threat package. That included a lot of things like DNSWatch, which I did set up to look for malicious DNS access requests throughout my network. It gave me intelligent antivirus. I believe there's some kind of DLP module, which is one I haven't spent any time on. Network Discovery is another one I haven't spent time on that I need to work on. All of those came as new features with the new hardware and with that new subscription. The Threat Detection Response is definitely something I didn't have access to before. For sure, in this second three-year term, we got a lot more value for the money with what WatchGuard offered us.

I would give WatchGuard an eight out of ten. There's a little bit of room for improvement but I'm very happy with WatchGuard. I think it's a good fit for me. I won't often give a ten, just on principle, unless I feel they deserve a 12. That's when I give a ten.

I've definitely said positive things about WatchGuard to other people in the industry, people I talk to or know. I'm a promoter of WatchGuard, to be honest. I haven't seen anything I like better, but I haven't had a lot of experience with other devices. I've said good things to people on a regular basis, especially about WatchGuard's education, the emails and videos and other stuff they put out to try and help people, even when it's not related to WatchGuard products.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Network Administrator at PT Lautan Luas Tbk
Real User
Top 20
Provides good stability and high availability of devices
Pros and Cons
  • "It is a scalable solution."
  • "The performance of the solution's processor needs to be faster."

What is our primary use case?

We use the solution as an internet gateway. With its help, we can establish the connection between our company's HQ and branch.

How has it helped my organization?

The solution provided us with site connections and internet policies.

What is most valuable?

The solution's valuable feature is its pricing which is better than other competitors.

What needs improvement?

The performance of the solution's processor needs to be faster than other vendors. Also, it is time-consuming to configure it whenever multiple policies are involved. This area needs improvement as well.

For how long have I used the solution?

I have been using the solution since 2012.

What do I think about the stability of the solution?

The solution is highly stable. I rate its stability a nine.

What do I think about the scalability of the solution?

We have around 200-300 solution users in our organization. I rate its scalability a nine.

How are customer service and support?

The solution's technical support is excellent.

Which solution did I use previously and why did I switch?

Fortinet is faster to configure and access policies than WatchGuard.

How was the initial setup?

The solution's initial setup process was simple, as I already have experience using it. It takes a month to complete. The process involves setting up the solution in a lab and later deploying it in a production environment once it meets all the configuration requirements.

What about the implementation team?

Initially, we took help from a third-party vendor to deploy the solution. Afterward, we did it in-house. It requires three to four network administrators for deployment and two network administrators for maintenance.

What was our ROI?

The solution is worth buying.

What's my experience with pricing, setup cost, and licensing?

I rate the solution's pricing as an eight.

What other advice do I have?

I rate the solution as an eight. It offers more variable license bundles and has high availability than the other products.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Manager at Horizon Forest Products LP
Real User
Allows us to self-manage our network and branch office VPNs while saving money
Pros and Cons
  • "The firewall aspect and the branch office VPNs are the most valuable features... We don't have any issues with it. We don't have to spend a lot of time maintaining it."
  • "We use WatchGuard to manage our failover for internet. If a primary internet goes down, it does a failover to the secondary internet. However, what it doesn't do so well is that if the primary internet has a lot of latency but it's not completely down, it doesn't do a failover to the backup in a timely manner."

What is our primary use case?

We use it for our firewall as well as for our branch office VPNs.

How has it helped my organization?

The WatchGuard devices allow us to self-manage our network and our branch office VPNs. As a result, we've saved ourselves a lot of money, without compromising our security. It provides a much more economical and effective solution. We used to have an MPLS network which was a cloud-based firewall system and it cost us a small fortune every month. But when we implemented all these firewalls and got it all configured, up and running, we literally saved ourselves $10,000 a month.

It makes managing the network a lot easier. It takes care of our network for us.

Once it was set up and running, it began to save us time. It works, and we spend very little time managing it. We have very few issues with it. We might spend an hour a month managing it, if that.

What is most valuable?

The firewall aspect and the branch office VPNs are the most valuable features. They just plain work. We don't have any issues with it. We don't have to spend a lot of time maintaining it. You set it up and, for the most part, you can forget about it.

In terms of the usability:

  • It's user-friendly with an easy user interface.
  • It has a lot of features.

The throughput the solution provides is good.

In addition, WatchGuard provides our business with layered security. It certainly protects our network, blocks unwanted incoming traffic and, at the same time, can manage outbound traffic too.

What needs improvement?

We use WatchGuard to manage our failover for internet. If a primary internet goes down, it does a failover to the secondary internet. However, what it doesn't do so well is that if the primary internet has a lot of latency but it's not completely down, it doesn't do a failover to the backup in a timely manner.

For how long have I used the solution?

We've been using WatchGuard for about three years.

What do I think about the stability of the solution?

The stability is great. 

What do I think about the scalability of the solution?

We don't really have any experience with the scalability. We implemented the appropriate devices for our size and we haven't really grown to the point that we've had to upgrade devices. The scalability is fine in the sense that we have some locations with more people, and WatchGuard has a slightly beefier device than we use at some of our smaller locations. All in all, it works well.

All of our networks are managed by WatchGuard. If we add locations we'll be using it for them as well in the future, although we don't have new locations on the horizon. We use it every day because it manages our network. Because all of our network traffic runs through WatchGuard, everybody uses it. But they're not using it for a specific function, other than to communicate between locations.

How are customer service and technical support?

The customer service is good. If we have an occasional issue they are helpful. They help us resolve problems. Overall, I'm pleased.

Which solution did I use previously and why did I switch?

We had a third-party MPLS network that managed all of the cloud-based software but it was very expensive. It was similar in effect, but it was a third-party, as opposed to WatchGuard which is self-managed. The main reason we switched was the pricing.

How was the initial setup?

The initial setup was a little complex. But once we understood how it works and after we got the first one configured, the rest of the firewalls were pretty easy. It is pretty straightforward. It is just a matter of learning it initially: understanding the nuances of the application and the user interface, understanding how to set it up and understanding what does what and the naming of features. That initial learning curve was a little steep, but once we got into it, it made a lot of sense.

Company-wide, our deployment took about 30 days.

Our initial implementation strategy was to do a backup to the internet and ultimately remove our MPLS and use the branch office VPN to manage it ourselves.

What about the implementation team?

We were helped by an authorized WatchGuard reseller on the initial setup. Once we got through the first one, we took over from them internally. The reseller was NetSmart. Our overall experience with them was very good.

We still have a relationship with them. We do a lot of our stuff in-house, but if we have something that we need a little bit of help with, we do reach out to them from time to time. But doing so, for us, is pretty rare at this point.

What was our ROI?

We have absolutely seen return on investment. We saved a small fortune switching over. It paid for itself, literally, within the first couple months.

What's my experience with pricing, setup cost, and licensing?

When we bought them we got a three-year license for each device. The two larger devices are about $1,000 each and the smaller ones are about $500 or $600 each. 

There are some additional software features that you can add on and pay for, but we don't use them. 

Which other solutions did I evaluate?

We didn't evaluate other options. The WatchGuard reseller was a company we had done business with before and they recommended it right out of the gate. We went with that.

What other advice do I have?

It's worth it, depending on your current network environment. If you are in the same situation we were in, it's really a no-brainer going from the MPLS network to self-managing it with simple broadband internet. It works great. To be honest, you'd be crazy not to do it. The advantages of WatchGuard over MPLS are that it's cheaper and you have more control because it's self-managed. The only con is that it does require a little bit of maintenance that you wouldn't otherwise have to do, but it's minimal.

In terms of distributed locations, we have a firewall at all of our locations. Once we got it set up we'd visit a branch, install it, test it, and implement it.

As for maintenance, it requires just one person, a network administrator. We manage it ourselves and there's not a whole lot to it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Owner at a construction company with 51-200 employees
Real User
Competent, basic front-end; the ports that I have assigned appear to be unattainable to outsiders
Pros and Cons
  • "The ports that I have assigned appear to be unattainable to outside 'mal-actors,' unless they have an address registered on the internet that this thing is expecting. That's a layer of security."
  • "I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that."

What is our primary use case?

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

What is most valuable?

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

What needs improvement?

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

For how long have I used the solution?

I've been using Firebox for two or three years.

What do I think about the stability of the solution?

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

What do I think about the scalability of the solution?

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

Which solution did I use previously and why did I switch?

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

How was the initial setup?

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

What about the implementation team?

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS, and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

What's my experience with pricing, setup cost, and licensing?

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

Which other solutions did I evaluate?

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

What other advice do I have?

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Director at Wise Ally Holdings Limited
Real User
Enables us to control what kind of applications each staff member and department is able to access, but UI is not user-friendly
Pros and Cons
  • "Because we bought two firewalls... we need a central place to manage the policies and deploy them to both devices. It's good that it provides a system management console that is able to manipulate and manage policies in one place and deploy them to different locations."
  • "The UI is not as user-friendly as the model that I had used before, which was from Check Point. The design of the Firebox UI is restricted and needs an experienced network guy to understand the format and settings."

What is our primary use case?

The purpose is to enhance the application control and internet access control of our company in our office and factory.

How has it helped my organization?

Firebox provides our business with layered security. Before implementing the firewall, we didn't have any control over application access. Now, by using the Firebox, we can control each staff member and department and what kind of application they're able to access on the internet, especially with the popularity of cloud SaaS systems. It has really reduced the degree of risk in accessing those unauthorized, and potentially risky, destinations. WatchGuard provides a pre-built database that can protect against gambling domains, for example. But the accuracy of that database still needs to be improved because, in many cases, the categorization of the website is not exact.

It has also helped with productivity. It reduces the time our networking staff spends implementing things. It has saved about 20 percent of our time. We're also doing more control than before, so we have made some effort to configure the policies, which was something we'd never done before. Previously, we didn't have any control, so we didn't have to spend time configuring or troubleshooting application control policies.

What is most valuable?

There wasn't one particular valuable feature. What I like is that

  • its pricing is competitive when compared with other brands,
  • it has all-in-one features for intrusion detection,
  • it has application control,
  • it has email control.

Also, the load balancing and failover features cost only 20 percent more than a single instance of Firebox. Those are the main reasons we chose it.

Because we use cloud applications like Office 365 and Salesforce, we don't want all our staff accessing the whole internet. We use the application control so that they are only able to access the company-authorized cloud applications.

Because we use the firewall to monitor the external traffic as well as the internal traffic, we bought a fairly large model, the M570. We turned on most of the features and the performance is comfortable. It can reach the throughput, the performance specified on the data sheet.

Also, because we bought two firewalls, which I know is not that many — not like in the retail industry where they have many firewalls in their retail stores — still, we need a central place to manage the policies and deploy them to both devices. It's good that it provides a system management console that is able to manipulate and manage policies in one place and deploy them to different locations.

What needs improvement?

The reporting features are not as flexible as I thought before I bought it. You can retrieve some simple statistics from the centralized reporting server. But let's say I want to look at the volume of internet access among our staff. There are no out-of-the-box reports or stats or any unit of measurement that show internet access for particular staff. There is no report that shows how long they're on or the volume of traffic, especially in a particular period. It's not necessary that it have very modern BI analytics, but at this point I'm a little bit disappointed with the reporting. One of the purposes of implementing the firewall was to do more application control and reduce the risk involved in employees accessing the internet. We want to measure and know how much time our staff spends accessing and browsing and using internet resources.

For how long have I used the solution?

We bought WatchGuard Firebox last year and implemented it in our Hong Kong office and China-based factory. In the factory we have larger coverage and we use the M570. For our Hong Kong office we use the M370.

What do I think about the stability of the solution?

It's stable. So far, there have been no incidents.

What do I think about the scalability of the solution?

Our case is quite straightforward. We only use two nodes. We still need to expand to one or two more factory locations, as well as our office. We will scale out the same solution.

I do have previous experience in the retail industry. In that industry, where you need to implement many firewalls in multiple retail stores, I doubt the management tools of the Firebox would be able to scale out for that use case. But for our use case it's good.

How are customer service and technical support?

We haven't had any issues so we haven't contacted their technical support. It's been quite stable over the year since we implemented it.

Which solution did I use previously and why did I switch?

There was no application control in our old solution and we wanted to reduce the risk of being attacked from outside. So we looked for a UTM model and the cost-benefit of the WatchGuard Firebox was one of the best.

I did a little bit of marketing research locally and listened to recommendations from some partners in Hong Kong.

How was the initial setup?

The initial setup was quite straightforward. It's a typical UTM.

Our implementation took about two months.

In terms of our deployment strategy, we implemented one of the firewalls. We replaced our old firewall, enabling only the internet access and left the major email traffic access. Then we defined the control by defining more specific application policies. Once it was successful, we used the same method to deploy the other firewall to our China side.

We have one person who maintains the Fireboxes, but it's really less than one because he does other administration and is not only dedicated to firewall administration. We have about 100 people in the Hong Kong office and on the factory side there are 400.

What about the implementation team?

We had one internal staff member and an external consultant from BARO International for the deployment. Our experience with BARO was good. They understood our requirements and were able to translate them into an actual solution and deploy it.

What was our ROI?

We have seen ROI using WatchGuard.

What's my experience with pricing, setup cost, and licensing?

We needed a firewall to control our internal network and the external access and we needed to implement load balancing and failover as well. Going with WatchGuard "increased" our budget.

WatchGuard had a very competitive price. It was only 10 to 20 percent more than a single instance device but with that extra cost it provided a second load balancing device and the licensing scheme didn't charge double. They only charge for one license, unlike other brands whose method of hardware and software licensing would have doubled our cost. That was a major consideration.

Which other solutions did I evaluate?

We looked at Juniper, Check Point, and one more that was the most expensive.

The usability of the Firebox is good. But the UI is not as user-friendly as the model that I had used before, which was from Check Point. The design of the Firebox UI is restricted and needs an experienced network guy to understand the format and settings. When I used the Check Point a few years ago, the UI usually guided me on how to define a policy from the source to the target, and what the objects were, and how to group objects, and everything could be seen from a simple, table-based web UI. 

The interface of the Firebox is clumsier. The settings are like a tree structure, and you need to drill down to each node in order to get to the property. It serves the same purposes, but I won't memorize all the settings. A more user-friendly user interface would reduce the number of things I need to memorize and guide me in configuring policies. It's quite good, but is not the best I have seen.

The other brands provide more professional features for reporting, the application control, and the scalability. But the strong point of WatchGuard is their all-in-one features that are suitable for our size of company and our budget.

What other advice do I have?

WatchGuard is not the best. We already knew that, but it comes with most of the features we need. Although it's not the most user-friendly, we sacrificed that to keep the core features to increase our control while maintaining our budget. Honestly, there are no particular features of the WatchGuard that impressed me to say, "I must choose a WatchGuard." But when I needed several things to come together, then I really had no choice.

I would rate WatchGuard Firebox at seven out of 10. It's good, it's better than a six, but from the management point of view, it has not totally satisfied my expectations so it's below an eight or nine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Supervisor/Technical Manager at The Premier Centre
Real User
The solution's most valuable feature is the dashboard but it needs improvement in accessibility
Pros and Cons
  • "The tool's most valuable feature is the dashboard."
  • "The solution needs to improve its accessibility."

What is most valuable?

The tool's most valuable feature is the dashboard. 

What needs improvement?

The solution needs to improve its accessibility. 

For how long have I used the solution?

I have been working with the solution for four months. 

What do I think about the stability of the solution?

I rate the tool's stability an eight out of ten. 

What do I think about the scalability of the solution?

My company has three users for WatchGuard Firebox. 

What other advice do I have?

I rate WatchGuard Firebox a five out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Technical & Pre-Sales Manager at GateLock
Real User
Top 5
Leaderboard
Easy and quick to set up with a helpful wizard, offers good protection, quick technical support
Pros and Cons
  • "This product offers great protection using the default settings."
  • "This is a great product and offers great protection but they don't hear the customers' needs. They don't make improvements as per the customers' requests."

What is our primary use case?

We are a solution provider and WatchGuard is one of the product lines that we implement for our customers. I am the person in the company that is responsible for WatchGuard products.

We do not use this product in my organization. I'm enabling partners and providing training for them on how to use this technology and how to sell it.

I assist customers with implementing PoC installations in different environments.

My client that recently implemented WatchGuard Firebox is running an ERP that is used by clients that are in different countries from around the world. They are using Firebox to protect the ERP from outside threats. Essentially, they need to protect the perimeter because users come to the server from different environments.

This solution protects the cloud-based server from incoming and outgoing traffic. In this regard, it acts as a web application filter for the server.

What is most valuable?

This product offers great protection using the default settings.

What needs improvement?

The vendor needs to address customer concerns and develop more according to requests, instead of prioritizing based on the existing roadmap. This is a great product and offers great protection but they don't hear the customers' needs. They don't make improvements as per the customers' requests. This is especially true in cases where the feature is common among competitors.

In the future, I would like to see better integration with Active Directory. It should depend on the user's login. This is a feature in big demand and most competitors do not deal with it the right way. Making this change would make sense with customers.

For how long have I used the solution?

I began using WatchGuard Firebox approximately two years ago.

What do I think about the stability of the solution?

This is a very stable product.

What do I think about the scalability of the solution?

Scaling this solution requires a migration plan. For an on-premises deployment, there can be challenges related to extending the hardware appliances. A single box is not scalable itself. Rather, you need to migrate to a bigger appliance. But, there is an amazing feature for this called offline configuration.

The offline configuration capability lets you migrate settings from one box to another in minutes. After five minutes, everything will be migrated to the other Firebox and it will scale smoothly without any interruptions.

How are customer service and support?

Technical support for this product is perfect. If you open a ticket with them, even with the slowest SLA, they reply to you within four hours. You can also request that they open a remote session with you.

When it comes to feature requests, however, the vendor takes too long to reply.

Which solution did I use previously and why did I switch?

Quite some time ago, I had experience with Sophos products as a distributor in Egypt.

I also have experience with products by Fortinet. I have been evaluating Fortinet because they are one of our competitors.

How was the initial setup?

The initial setup is very easy and straightforward. They have a great wizard and it has a great default protection setting. Anyone that is setting it up for the first time, or has not even used a network security product, doesn't need an expert to configure it. The default protection for threats is great.

This is always deployed in a virtual environment, either on-premises or on the cloud. The deployment can be completed in six to ten minutes.

What about the implementation team?

I deploy this product for my customers.

The staff required for deployment and maintenance depends on the project capacity. For a small or medium-sized project, one person is enough. For the smoothest deployment, this should be an engineer or an experienced technician that is aware of network security.

What other advice do I have?

My advice for anybody who is implementing WatchGuard Firebox is to follow the guidelines and best practices that are available on the WatchGuard help center.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free WatchGuard Firebox Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2024