WatchGuard Firebox Reviews

Our primary use cases for WatchGuard Firebox are routing and VPN, including the integrated firewall. We do not use the SSO system or any other router features.

WatchGuard Firebox was able to help our organization during the pandemic as we were obligated to work from home. We were working remotely, so the VPN feature of WatchGuard Firebox allowed remote work.

The most valuable feature of WatchGuard Firebox is the VPN. It's easy to connect to the VPN.

The user interface for WatchGuard Firebox has room for improvement. Right now, it's a bit complex to work with and could be easier. I like Fortigate better because its user interface is nicer and easier to work with than WatchGuard Firebox, so improving the user interface would be great.

I've used WatchGuard Firebox for two to three years and still use it at work.

WatchGuard Firebox is a nine out of ten in terms of stability.

In terms of scalability, WatchGuard Firebox is an eight out of ten.

I didn't have to call the WatchGuard Firebox technical support team, but the support on the website is a six out of ten.

Neutral

The company used Fortinet before using WatchGuard Firebox, though I don't have information on which Fortinet product and why the company switched to WatchGuard Firebox.

I wasn't involved in the deployment of WatchGuard Firebox because I wasn't there when the company chose the product. I just learned to love it.

WatchGuard Firebox was great for remote working, but I have no information on its ROI.

I have no information on WatchGuard Firebox costs.

My company uses WatchGuard Firebox. There's a Watchguard router for the internet and three sites on WatchGuard.

I'm using WatchGuard Firebox M440.

The product is deployed on-site.

I can recommend WatchGuard Firebox to anyone looking into implementing it, but I cannot advise on how to implement the product for your network or environment.

My rating for WatchGuard Firebox is eight out of ten.

We are WatchGuard partners, and we also use it on our own. We are using it for general firewall purposes and vulnerability management. We are also using some of the additional security stacks such as intrusion detection and so on.

We are one version behind the latest version. We have it on-prem at the moment, but some of our customers have private cloud solutions.

I like intrusion detection the most.

I'm pretty happy with it, but vulnerability management could improve a little bit in comparison to other parts, such as Cisco and so on.

There could also be better reporting. For example, there should be more out-of-the-box management reports. These two improvements would be nice.

I have been using this solution for around 10 to 15 years.

It's stable.

It's scalable, but I haven't compared it with others.

There are five people who are using it from an administrative perspective, but everyone is using WatchGuard because of the VPN.

I haven't interacted with them myself, but my colleagues state that their support line is good.

Its setup is of medium complexity. It's not super easy. Everything is in its right place, but it's not as complicated as other vendors. It's in the middle.

The deployment duration varies. Depending on your needs, it could take a few hours.

It's in the medium range. Its price is pretty good considering the functions and add-ons that are used.

I would advise having a proper look at the features because there are a lot of different versions, scales, and limits on different Fireboxes. You have to decide in advance which one is good for you in terms of performance, future needs, and so on. You shouldn't have too many changes in your landscape. 

I would rate it an eight out of ten.

We are a solution provider and WatchGuard is one of the product lines that we implement for our customers. I am the person in the company that is responsible for WatchGuard products.

We do not use this product in my organization. I'm enabling partners and providing training for them on how to use this technology and how to sell it.

I assist customers with implementing PoC installations in different environments.

My client that recently implemented WatchGuard Firebox is running an ERP that is used by clients that are in different countries from around the world. They are using Firebox to protect the ERP from outside threats. Essentially, they need to protect the perimeter because users come to the server from different environments.

This solution protects the cloud-based server from incoming and outgoing traffic. In this regard, it acts as a web application filter for the server.

This product offers great protection using the default settings.

The vendor needs to address customer concerns and develop more according to requests, instead of prioritizing based on the existing roadmap. This is a great product and offers great protection but they don't hear the customers' needs. They don't make improvements as per the customers' requests. This is especially true in cases where the feature is common among competitors.

In the future, I would like to see better integration with Active Directory. It should depend on the user's login. This is a feature in big demand and most competitors do not deal with it the right way. Making this change would make sense with customers.

I began using WatchGuard Firebox approximately two years ago.

This is a very stable product.

Scaling this solution requires a migration plan. For an on-premises deployment, there can be challenges related to extending the hardware appliances. A single box is not scalable itself. Rather, you need to migrate to a bigger appliance. But, there is an amazing feature for this called offline configuration.

The offline configuration capability lets you migrate settings from one box to another in minutes. After five minutes, everything will be migrated to the other Firebox and it will scale smoothly without any interruptions.

Technical support for this product is perfect. If you open a ticket with them, even with the slowest SLA, they reply to you within four hours. You can also request that they open a remote session with you.

When it comes to feature requests, however, the vendor takes too long to reply.

Quite some time ago, I had experience with Sophos products as a distributor in Egypt.

I also have experience with products by Fortinet. I have been evaluating Fortinet because they are one of our competitors.

The initial setup is very easy and straightforward. They have a great wizard and it has a great default protection setting. Anyone that is setting it up for the first time, or has not even used a network security product, doesn't need an expert to configure it. The default protection for threats is great.

This is always deployed in a virtual environment, either on-premises or on the cloud. The deployment can be completed in six to ten minutes.

I deploy this product for my customers.

The staff required for deployment and maintenance depends on the project capacity. For a small or medium-sized project, one person is enough. For the smoothest deployment, this should be an engineer or an experienced technician that is aware of network security.

My advice for anybody who is implementing WatchGuard Firebox is to follow the guidelines and best practices that are available on the WatchGuard help center.

I would rate this solution a nine out of ten.

We run education organizations. We have students and staff working on campus. We wanted to be protected within the campus as well as outside the campus.

I am using WatchGuard Firebox XTM 850, and I have its latest version.

In terms of users within the campus, the policy-based usage helps us where we allow something during the daytime, something after school hours, and something during the night. In terms of outside the campus, it helps us in monitoring our mail services. All our deployments are protected from external users.

Policy VPN, site-to-site VPN, traffic monitoring, anti-spam filters, and all other advanced features are valuable.

The way Secure Sign-On authentication is happening needs to be improved. When the Secure Sign-On portal is turned on, anybody who comes into the campus, whether he or she is a staff member or a guest, has to go past the initial portal. One of the shortcomings is the username. It shouldn't allow permutations or combinations with upper or lower cases. For example, when there is a username abc, it shouldn't allow ABC or Abc. It should not allow the same username, but currently, two separate people can go in. Therefore, its authentication or validation should be improved, and the case sensitiveness should be picked up. If I have restricted someone to two devices, they shouldn't be able to use different combinations of the same username and get into the third or fourth device. It shouldn't allow different combinations of alphabets to be used to log in. 

I have been using WatchGuard solutions for the last ten years.

It is very stable.

It is scalable. We have about 1,200 users at this point in time, but the number of devices exceeds 2,200. There are multiple devices per person in today's world. A staff member is using three or four devices, and students are using at least two, which makes it 2,500 or 3,000 devices.

Their technical support is very good. You get a response within 15 minutes to an hour at the max.

We had Cisco ASA Firewall. It was a very simple firewall.

Its initial setup is very straightforward. It took 30 minutes.

A consultant from WatchGuard was there. He showed it once, and our people could do it easily. They have deployed it again and again. It is pretty simple. 

You just need one person for its deployment and maintenance. Security personnel is the one who manages it.

They have an annual subscription license. Initially, we had opted for three years. After that, we went for another three years, and after that, we have been doing it yearly. They also have a license for five years.

We evaluated SonicWall, Palo Alto, and Cisco, but this was the best.

I would rate this solution a nine out of ten.

We use them for perimeter security and also to manage virtual LANs.

The main benefit for us is the ability to manage the VLANs. It allows us to monitor types of traffic and to actually review and determine what traffic we want to allow and deny. It also allows us to modify the categories of restrictions that need to be applied.

It has also simplified some of the processes that we have. For example, we were having some issues in identifying where most of our bandwidth was being used up, which devices and which users, and what they were using the bandwidth to do. Were they watching videos or were they looking at some other bandwidth-intensive site or application? We have been able to determine user behavior on the network.

We are quite happy with the Firebox. It really helps us with the ease of managing firewalls at other locations. It has really helped us save time by not having to go to other locations. We have devices at two smaller offices, where we don't have IT staff. It has allowed us to remotely manage and update the firewalls at those locations. It's saving us at least four hours a week.

I don't think it has helped improve productivity in terms of efficiency, but it has enabled us to improve the security of the network. We don't have to worry as much about where the users are going. And if a user was blocked, it will let us know why they were blocked, what category of trip was being blocked, or what policy it was blocked under. Even if our staff is going to a legitimate site, but the site is under a wrong category, it allows us to put that site on our exemption list to allow it.

It has also really helped us with our management and to monitor internet usage. Our department is just three people and it has made it very easy for us to manage.

• Two of the functionalities we use most are the traffic monitoring and the full panel dashboard. Those are two things that are very useful for us.
• It's very easy to use. The interface does not present a challenge for the user. It is a great device for small businesses with up to 500 users. It allows easy management of all devices from one central device and updates are very easy as well.
• The performance is also very good. The throughput is excellent. I've not had any issues with that so far.
• The reporting and management features are excellent. They're easy to navigate and very intuitive, and reports are easy to read.
• In addition, it provides us with layered security. It allows us to determine what types of access, to which networks, we want to allow or deny.
• We also like the site-to-site VPN that allows us to connect to and securely access devices at other locations.

I would like to have a little more control over access points and the ability to see the bandwidth that is passing through a specific access point. We are not able to see that. We can see what traffic is passing through the Firebox itself, but we can't identify if it is coming from a particular access point or not.

We have used WatchGuard Firebox for seven years.

The Firebox is very stable. We have not had a failure over the seven years we've used them.

In terms of scalability, we would need to add another device to the M300 that we have right now. I know there are models of Firebox that you can actually add hardware to, to get them scaled up and for additional portals. But the one that we have, in terms of subscription, is very scalable in terms of features, and it integrates with WatchGuard's central interface where it can update our firmware as the updates come out.

What we want to do is put in some more redundancy in our network access. We want to have a second Firebox at each location. We have two ISPs at each location, so instead of both ISPs going to one Firebox, we want to split the ISPs between the two Fireboxes and have load balancing through the internet on firewalls.

We have 100 employees at our head office, and we have 10 employees at our sub-offices. In terms of devices, we probably have about 150 devices, including printers and computers at our head office, and about 12 devices at each of our sub-offices.

We used the technical support once, when we had some issues with employees trying to access legitimate sites. That is when we learned about setting exemptions for certain sites. A company might be a travel site, for instance, but due to the amount of advertising they do, it might be flagged as an advertising site. To resolve that issue, when it's a legitimate site that does a lot of advertising, you can go to support for help in figuring that out, and also for help in putting necessary exemptions in place. 

The support was very professional. They were very patient, and they explained the issues and the solutions fully.

I don't have a lot of experience with other firewalls. There was a Cisco Certified office that I was exposed to before we moved to the WatchGuard Firebox. It felt like the WatchGuard was a lot easier to use, and easier to set up than the Certified Office device.

The primary reason that we went with Firebox was its cost. It is very economical and it provided us with all the security functions that we were looking for at the time. And the throughput was more than what we required, so it was a very cost-effective device to deploy on our network.

The initial setup of Firebox was straightforward. It was not complex.

For our deployment we configured all three access points at one location, our head office, and tested them in that one environment. Then, at the various offices, it was just a matter of changing the IP address. We had one technician go to one office and another technician go to the other office to install the Fireboxes and connect them to the network. As they were plugged in, they connected and it provided the service that we wanted from day one. We didn't have to do too many reconfigurations. The policies that come with it out-of-the-box provide adequate network protection, and we just had to put in special policies to allow various types of traffic, either both ways or one way, to various ports on the firewall. We didn't have many problems in getting them up and running at each office.

Deployment took one day at each location. Overall, we were able to prepare the Fireboxes and test them in less than a week. We prepared everything at one location, did the testing on the second day, and on the third and fourth days we went to the other two office locations to install them.

With the Firebox solutions we have had a lot more accessibility, in the network, to our third-party vendors and suppliers. Prior to that, we did not have a direct connection to those companies, but with the Firebox we were able to configure a DMZ, and that allowed us to apply the granular restrictions that we really wanted. It allowed us to reduce the number of devices that we have on one desk, at certain workstations. Instead of having the supplier's computer and our computer, we were able to use just one computer, and connect to the supplier.

Going with the Firebox is a no-brainer. It provides the necessary security, out-of-the-box, for your configuration of the policies. It's very easy to use and it also gives you a reporting dashboard that can be customized. It makes a lot of sense out of all the data. It's very easy to read. We use a 40-inch display in our office and have it connected to the Firebox so that we can see what's going on on the network. We can look at it and see how the traffic is going through it.

It's a perimeter device and I use it as a DNS server for my domain, but I'm not the typical user for this type of device. I'm a hobbyist when it comes to this type of product and I use it in a small office environment.

It's competent. There's really nothing technically wrong with it. This is just a small device, and I don't use it for intrusion monitoring. I am only using it as a basic front-end and I have port-forwarding for services behind the network.

I use it to give access to some remote users. I give them access to their desktops with RDP and I have a client so they can register on the domain network with dynamic DNS. The ports that I have assigned appear to be unattainable to outside "mal-actors," unless they have an address registered on the internet that this thing is expecting. That's a layer of security.

I don't think I can get a full-blown DNS client from it. I've been trying to have DNS services. It has forwarding, but I don't get the services of a full DNS client. My main difficulty with it is that I can't run a complete service. I need NTP. I need DNS. I need DHCP for my domain, but I only get forwarding. As far as I can tell, I don't get caching and the kinds of reporting and registration needed to host a DNS for a domain. I have to have a separate solution for that.

I also struggle with its usability a little bit. I come from an open source background, so I'm accustomed to BIND and DHCP from Linux builds. With their tools I'm struggling to have a web interface. I'm not getting a third-party web interface, so I'm using Webmin, which I have become accustomed to. You have to relearn or find services that you know are there. You have to figure out what they mean by an alias. Setting up a network interface or port-forwarding isn't necessarily using the language that I'm accustomed to. Every time you deal with a new user interface, they structure things differently. Where do you go and how do you maintain it and how do you document it?

So I'm frustrated often when I get involved in vertical software where they start to brand or rename things, or they've adopted terminology. An example with WatchGuard is that every time I want to find a log, I have to search forever to find just basic logging. It's in there someplace, consistently. It's just that there isn't a button that says "logging."

I've been using Firebox for two or three years.

The stability seems perfect. The last time I rebooted it was a half a year ago. 

Hardware-wise, it's comparable to a Linksys consumer perimeter device. It's obviously got more bells and whistles behind it. It's some sort of ARM processor. I'm sure it's pretty low power. It sits there and idles and I can always get on it, and I can set it up with additional security to keep the ports safe. 

The DNS works fine, although it's a little clumsy to find, and get at, and get set up. And I can set up some sort of VPN on it. I haven't at this point, but I've got a couple of licenses for VPN if I needed that for my home office.

In terms of scalability, I would imagine they know what they're doing. I would imagine you could make it as big as you want it. I've seen some of their devices, with the intrusion detection, that are designed for large networks. We've got 15 or 20 devices here. At any given time, I have five active users, and they're mostly just getting Gmail or streaming music to their desktops. Our needs are really small, but I would imagine that a company like WatchGuard knows what it's doing and that they could scale it up as much as you need it to. 

There's also WatchGuard Cloud. I think it's part of a subscription service and it maintains some sort of a threats database or maybe prevents users from getting on certain items. But those things are frustrating. You set them up and then people can't get where they want to go, and you have to crack the cloud on that. It's one thing if you're administering hundreds of desktops, but I can see all of mine. I know where my security problems are.

When I first got the device I was thinking, "Oh, I could at least, just out of curiosity, dig into the intrusion detection and traffic monitoring stuff." I was reading some of the guides. It has the power, but it's going to start to slow network traffic at a certain point. So I just didn't pursue it anymore. My impression was that you would want to buy models that are two steps larger than this if you wanted to actually do any effective stuff. 

For my purposes, I would just fire up a virtual machine, install pfSense and Snort, and figure out how that works. I could have as much hardware as I needed anytime I needed it.

I had an inexpensive perimeter device, a $100 Linksys product. Behind that, I had DNS, DHCP, NTP, print servers, and my domain management. I use Samba for that. I just used whatever firewall was there.

I switched to WatchGuard because I was experimenting with this VAR—he's a friend—to see if I could take what I've done and to get to know some of his tags and put some sort of a service agreement on my infrastructure, through his resources. We talked about it and they were seemingly interested. They do documentation or I might bring them in to do some of the coding projects I suffer with.

My experience has been, in my unique situation, that when I end up bringing somebody in from a third-party, it's more work to train them. You're training somebody from a VAR and they are going to charge $150 an hour or so. That's a pretty healthy investment. The training would take a lot of my time. If I take that time and just solve my problem on my own, I get a two-for-one. I don't have to pay for it outside the company.

But that's why I was bringing in this WatchGuard device in my particular situation. I was just experimenting and seeing if I could find a guy at this VAR whom I felt was worth investing more in, and having him be a third-party to maintain my system if it goes down or I get hit by a bus.

I had to learn it. I had to find where they put stuff.

It took minutes to get the thing up and operating. I started to configure DHCP and puzzle through what they meant by that, and find ways to identify what leases were there and if it was able to register with this other DNS server I have on it.

I've fussed with it any number of times, setting up the port-forwarding for the RDP clients. I knew where to go and what to do, and I got that working pretty quickly. But that was one of the situations where I needed to see a log to see what was happening—it wasn't answering—and to find out what the function was, I had to find the log. It took me an age to find the log. Once I found out what was being rejected, then I figured it out. I've had a couple of bouts of that.

The VAR came in—they charged me plenty, a couple of hundred dollars—to set the thing up. He put the thing down. I said, "How do I get onto it?" He made an account for me on it, but it wasn't, by design, to be user-configurable. Normally, they would configure it from their side and every time I would want to make a change I would have to call them.

Then I asked him about the DNS , and he said, "Well, is this it?" He didn't really know it very well. He was just a mid-level tech for a VAR who can set the things up in their base configuration, but he couldn't answer any questions.

From there, it was me. I can't get support from the WatchGuard group itself because they work through the VARs. So I'm looking at those websites that have server guys who talk about things that frustrate them, to find where the DNS is. Even now, I can't easily find logging. I have to search for it every time I want to see a log. The frustration I have with these devices is that they're put together in a certain way and you've got to learn where they want you to go to get what you want.

I spent $600 or $800 on this product and I'm paying a couple of hundred dollars a year in a subscription service to keep the lights on, on it. I imagine there's some aspect of it that I won't be able to utilize if it goes off of support.

For what it is—for example, for a doctors' office building or a situation with remote offices and no tech guy on staff—it's perfect. It has antivirus subscription services, IPS, web blocker, file exception, spam blocker, application control, reputation defense, botnet detection.

It works out to $100 or $200 a year if you buy several years at once. It's fair. But when you get into the intrusion detection and gateway stuff, it can be fairly expensive and you're going to need more expensive hardware.

I looked at a lot of stuff. I'm familiar with pfSense. I have used that a little bit here and there over the years, so if I went to an open-source solution I would go straight to that. And I looked at the professional versions and this one had a $700, three-year service contract on it and it handled VPN. The VAR supported it and they like it.

I don't really feel that it improves anything compared to a more common firewall device. It's certainly less capable or less configurable compared to something like a pfSense, an open source perimeter device that can be integrated with intrusion detection and network monitoring on a computer or on a virtual machine-type of setting.

The thing that the Firebox adds is it's managed and a VAR can support it. It's a known entity. It's supportable, whereas it's more difficult to support a pfSense-type of setup. You pretty much have to maintain the latter yourself.

It's there for a reason. It's there for VARs to be able to put in a known device that they can train on and the user doesn't need to manage it much. In my circumstances, I'm the IT guy of the company, and it's a small company. I'm also the owner and I understand this stuff. It's somewhat of a hobby for me to be able to configure and have a competent domain, without having to pay a VAR tens of thousands of dollars a year, and without having to pay subscription services. I'm not the targeted client for it. I'm more like the hobbyist and the super-geeks who use open source, freely available tools. The types of people who need this sort of service shouldn't listen to me. A hobbyist would never touch this product.

Use it. It's very unlikely that a perimeter device is going to be cracked unless you leave something really crazy open. Most consumers are going to have some sort of perimeter device involved with their internet delivery and they're going to have some sort of a reasonably clean plug, with some port forwarding for their outbound connections coming into their network. And then if they're geeks, they're going to set up a pfSense virtual machine or get a little ARM processor.

I wanted to have a physical device at the network that I could just glare at. But you can set up a perimeter device with hardware, pfSense, or virtual pfSense, in the back of a 20-year-old computer. As long as you're careful about how you set up your routing, it's as effective as anything.

In terms of its throughput, we barely use it. All we're really doing is using it as a perimeter device and gateway. It's just fine. It's a tiny little thing. It has two interfaces plus the WAN interface. It's fine for what I do. I trust it being maintained. And until I got to the point of wanting to use it for domain monitoring, and traffic shaping or IDS-type of stuff, it really didn't require any processing power. It's competent for that.

It's a firewall so it provides my business with layered security. But it's got additional options, many of which you have to pay for. My device is too low-powered to efficiently host any of that stuff. I'd probably have to upgrade hardware in order to do the layered security types of things, and I would probably have to pay a fairly expensive subscription.

For the cost, if I got to the point where I was going to make a change, I would probably go to an open source tool, and suffer through that too, but get it to the point where I could do pretty much anything I wanted with it.

I should be in a situation where I have somebody else maintaining this stuff and not doing it myself. If that was the case, I would use a device just like this. But if I'm still playing around with the nuts and bolts of IT management in my company, then I'm probably going to revert to an open source tool again.

Firebox is 10 out of 10 at what it does. In terms of usefulness and reducing frustration, at my level, it's a three. It's not targeted for me, but it's good at what it does. Overall I would rate it at eight. I don't have a bad thing to say about the hardware and the software, for what it is. It's just frustrating for my particular use case.

I'm deploying the WatchGuard Firebox for many of my clients, and they all stay satisfied with the product. The primary reason as a common request from most of the users is to protect the environment from the outside network attacks. It is popular because of its security layers dependencies and its great performance.

The proxy policy and packet filtering templates make it very clear while I am configuring the Firebox for customers. Also, the variety of actions that are designed per kind of packet payload are dependent on the protocol's payload.

The Firebox is developing most of my client's infrastructures, starting from internet access and its amazing protocol-oriented proxy policies. It also has a deep understanding of the packets, meanwhile the most powerful HTTPS inspection features.

It is supported by the VPN, either Branch office or mobile users.

In addition to its impressive extraordinary DNS security, it has an access portal, which is a feature for publishing web applications, cloud applications, or even publishing internal RDP and SSH. 

https://www.watchguard.com/wgrd-resource-center/2019-nss-labs-ngfw-group-test

The traffic management feature is very flexible and it let you manage varieties of our customer's needs as it is working per policy, for all policies, and per IP address. You can apply it also per application or application category, all in the same proxy policy.

The differences between backup and restore and the configuration file allow us to perform a migration from one box to another in a single click.

The security that is used for defending from the attacks is very good. As an example, for the HTTP packet, you will find botnet protection, Reputation Enabled Defense "RED" and DNSWatch "the DNS security", in addition to the AV gateway. They are all working together to protect internet access.

I would like to see the number of management consoles reduced. As it is now, Firebox can be configured using the web UI, WatchGuard System Manager, Dimension server, and from the cloud. This should be done without affecting the way we deal with the configuration file, as it's one of the strongest points in making its implementation smooth and easy.

I would like to see the devices made more flexible by adding modules to increase the ports that we can use. As it's started from T80, the last edition of tabletop appliances, it should also be applied to all M series appliances.

As I work as a services provider, I have used many different solutions. I find WatchGuard Firebox provides very good value. as you find in the following points "Not everything":-

1. Configuration migration between boxes.

2. More flexible while applying traffic management.

3. Best performance.

4. Security layers and its dependencies.

5. Protocol oriented.

6. Rapid deploy feature that it let you make a total configuration remotely for a box on its default factory mode.

7. total protection for inbound and outbound traffic by applying the policies with a deep understanding of the traffic. 

8. The DNS security and how it stops the malicious DNS requests on the scale of network security and its endpoint for mobile users to apply the same while they are outside the environment.

9. SD-WAN feature and how it deals with lines quality by its Jitter, loss, and latency.

10. The exception for sites, ports, and IPs, it has a huge variety and you can do it at many levels. Before the policies starting already in the default threat protection, Or in the global settings but after the policies starting to scan then you can avoid all of that per policy per protection type which is meaning that you can expect something from geolocation or WebBlocker or APT Blocker, etc...

11. there are some other features in the box Access Portal, Application Control, APT Blocker, Botnet Detection, Data Loss Prevention (DLP), Gateway AntiVirus, DNSWatch, Geolocation, IntelligentAV, Intrusion Prevention Service (IPS), Reputation Enabled Defense (RED), spamBlocker, Threat Detection and Response, and WebBlocker.

The purpose is to enhance the application control and internet access control of our company in our office and factory.

Firebox provides our business with layered security. Before implementing the firewall, we didn't have any control over application access. Now, by using the Firebox, we can control each staff member and department and what kind of application they're able to access on the internet, especially with the popularity of cloud SaaS systems. It has really reduced the degree of risk in accessing those unauthorized, and potentially risky, destinations. WatchGuard provides a pre-built database that can protect against gambling domains, for example. But the accuracy of that database still needs to be improved because, in many cases, the categorization of the website is not exact.

It has also helped with productivity. It reduces the time our networking staff spends implementing things. It has saved about 20 percent of our time. We're also doing more control than before, so we have made some effort to configure the policies, which was something we'd never done before. Previously, we didn't have any control, so we didn't have to spend time configuring or troubleshooting application control policies.

There wasn't one particular valuable feature. What I like is that 

• its pricing is competitive when compared with other brands, 
• it has all-in-one features for intrusion detection
• it has application control 
• it has email control.

Also, the load balancing and failover features cost only 20 percent more than a single instance of Firebox. Those are the main reasons we chose it.

Because we use cloud applications like Office 365 and Salesforce, we don't want all our staff accessing the whole internet. We use the application control so that they are only able to access the company-authorized cloud applications.

Because we use the firewall to monitor the external traffic as well as the internal traffic, we bought a fairly large model, the M570. We turned on most of the features and the performance is comfortable. It can reach the throughput, the performance specified on the data sheet.

Also, because we bought two firewalls, which I know is not that many — not like in the retail industry where they have many firewalls in their retail stores — still, we need a central place to manage the policies and deploy them to both devices. It's good that it provides a system management console that is able to manipulate and manage policies in one place and deploy them to different locations.

The reporting features are not as flexible as I thought before I bought it. You can retrieve some simple statistics from the centralized reporting server. But let's say I want to look at the volume of internet access among our staff. There are no out-of-the-box reports or stats or any unit of measurement that show internet access for particular staff. There is no report that shows how long they're on or the volume of traffic, especially in a particular period. It's not necessary that it have very modern BI analytics, but at this point I'm a little bit disappointed with the reporting. One of the purposes of implementing the firewall was to do more application control and reduce the risk involved in employees accessing the internet. We want to measure and know how much time of our staff spends accessing and browsing and using internet resources.

We bought WatchGuard Firebox last year and implemented it in our Hong Kong office and China-based factory. In the factory we have larger coverage and we use the M570. For our Hong Kong office we use the M370.

It's stable. So far, there have been no incidents.

Our case is quite straightforward. We only use two nodes. We still need to expand to one or two more factory locations, as well as our office. We will scale out the same solution.

I do have previous experience in the retail industry. In that industry, where you need to implement many firewalls in multiple retail stores, I doubt the management tools of the Firebox would be able to scale out for that use case. But for our use case it's good.

We haven't had any issues so we haven't contacted their technical support. It's been quite stable over the year since we implemented it.

There was no application control in our old solution and we wanted to reduce the risk of being attacked from outside. So we looked for a UTM model and the cost-benefit of the WatchGuard Firebox was one of the best.

I did a little bit marketing research locally and listened to recommendations from some partners in Hong Kong.

The initial setup was quite straightforward. It's a typical UTM.

Our implementation took about two months.

In terms of our deployment strategy, we implemented one of the firewalls. We replaced our old firewall, enabling only the internet access and left the major email traffic access. Then we defined the control by defining more specific application policies. Once it was successful, we used the same method to deploy the other firewall to our China side.

We have one person who maintains the Fireboxes, but it's really less than one because he does other administration and is not only dedicated to firewall administration. We have about 100 people in the Hong Kong office and on the factory side there are 400.

We had one internal staff member and an external consultant from BARO International for the deployment. Our experience with BARO was good. They understood our requirements and were able to translate them into an actual solution and deploy it.

We have seen ROI using WatchGuard.

We needed a firewall to control our internal network and the external access and we needed to implement load balancing and failover as well. Going with WatchGuard "increased" our budget.

WatchGuard had a very competitive price. It was only 10 to 20 percent more than a single instance device but with that extra cost it provided a second load balancing device and the licensing scheme didn't charge double. They only charge for one license, unlike other brands whose method of hardware and software licensing would have doubled our cost. That was a major consideration.

We looked at Juniper, Check Point, and one more that was the most expensive.

The usability of the Firebox is good. But the UI is not as user-friendly as the model that I had used before, which was from Check Point. The design of the Firebox UI is restricted and needs an experienced network guy to understand the format and settings. When I used the Check Point a few years ago, the UI usually guided me on how to define a policy from the source to the target, and what the objects were, and how to group objects, and everything could be seen from a simple, table-based web UI. 

The interface of the Firebox is clumsier. The settings are like a tree structure, and you need to drill down to each node in order to get to the property. It serves the same purposes, but I won't memorize all the settings. A more user-friendly user interface would reduce the number of things I need to memorize and guide me in configuring policies. It's quite good, but is not the best I have seen.

The other brands provide more professional features for reporting, the application control, and the scalability. But the strong point of WatchGuard is their all-in-one features that are suitable for our size of company and our budget.

WatchGuard is not the best. We already knew that, but it comes with most of the features we need. Although it's not the most user-friendly, we sacrificed that to keep the core features to increase our control while maintaining our budget. Honestly, there are no particular features of the WatchGuard that impressed me to say, "I must choose a WatchGuard." But when I needed several things to come together, then I really had no choice.

I would rate WatchGuard Firebox at seven out of 10. It's good, it's better than a six, but from the management point of view, it has not totally satisfied my expectations so it's below an eight or nine.