WatchGuard Firebox Reviews

We're a hospital and we use it for developing our incoming and outgoing policies, and we also use it for VPN.

It helps keep unwanted traffic from coming in, or traffic from going out that we don't want to see out there. If we have unwanted traffic coming in, traffic that we don't need as a facility, then we would be opening ourselves up to security problems and vulnerabilities. It helps because malicious attacks coming in are things I don't have to worry about. So far the WatchGuard has done a good job at blocking all that.

In terms of simplifying my job, the simplest device is one that you can put in place and not have to worry about it. That's the WatchGuard. It's there, it's working. I don't have problems with it so it's "out of sight, out of mind."

It also saves me time, by doing what it's supposed to do. I don't have to mitigate problems that it allowed through. I couldn't tell you how much time it has saved me. It really would depend on what kind of problems I might experience.

The policy monitoring and allowing different traffic flows are the most useful features for us; regulating which traffic comes in and out.

In terms of the throughput and performance, we don't have a problem or any bottleneck there. We downgraded the size of our appliance because we're a small facility, and what we had before was actually too big. The one we are now going with seems to be doing a great job.

The management feature is pretty nice.

I'm not really impressed with the reporting side of it. It may be something I just haven't figured out very well, but it's hard to filter down on reporting of the actual valuable information that you would want. There is a lot of information out there so you have to have some kind of tool capture it and then filter through it. So far, I haven't found the reporting side of the WatchGuard to be that user-friendly. I would definitely like to see better reporting tools from WatchGuard. That would be a very high priority for me.

Also, setting up the site-to-site VPN is pretty easy with the WatchGuard, but the client VPN setup is not very friendly. If you have a client-to-device VPN that you need to set up for a mobile user there are different protocols that they will accept but none of them are a plug-and-play type of option.

The organization has had WatchGuard, different versions, for 12 years. I've used WatchGuard, myself, for about seven years. We got the Firebox approximately three years ago.

The stability is great. I've not had any problems. In three years, we've had to restart the device maybe twice. We've had to restart it more than to clear out any cache, because you don't want anything building up in cache memory. But we've only had two problems where we needed to restart the device. And it actually restarts really fast. It doesn't have much downtime at all.

It's used extensively. This is the only firewall we have in the facility, between the hospital, nursing home, and home health. It handles all the traffic that comes from all three campuses here. I don't see us expanding enough to worry about getting another device. This one seems to be doing exactly what it needs to do.

I've only had to use their technical support twice in quite a few years, so it would be hard for me to rate. But they were responsive when I did have a problem. I haven't had any problems with support at all.

I moved here in 2013 and the company was using the WatchGuard at that point.

With this newest device, the initial setup was pretty straightforward. We were able to copy the configuration from the old device. That's a good thing about it: the configuration file is able to transfer from an old device to a newer device and just continue going. It takes a long time to build up different traffic policies, and to make exceptions for different websites. If you had to do that every time you got a new device, that would be a problem. Luckily, with this, you're able to save your configuration file and transfer it to the new device.

The deployment of this new device took 30 minutes, at most. There are only three people in our IT department, but the deployment only required me to be involved. The other two guys are network technicians. All three of us can go in and modify policies or do whatever we need to do, but it generally doesn't take much maintenance.

I got on the phone with WatchGuard to make sure that everything would transfer over and they assured me that it would. And as far as the switching over to the new device goes, most of the planning required was just letting users know that the internet was going to go down for just a little while. We planned it for a period of slow usage here at the hospital where we could bring it all down, copy the config file, move it to the new device, put it in place, and swap the connections over. It came right up. We had to import the new key and got it activated. But other than that, everything worked.

ROI on this type of solution is a hard number to quantify. We've not had a problem so that in itself is a return on investment. If you don't have an issue how do you calculate what your return of investment would be? How do you quantify the peace of mind? But we've not had to spend a lot of time troubleshooting.

The pricing of WatchGuard is probably a little higher than the SonicWall, but it makes up for it in dependability. It's worth it to me, especially since it's not much higher. For just a little bit higher price you get the dependability of the firewall with the WatchGuard brand. 

And with this appliance you also get a certain number of VPN tunnels. With this one, it's something like 500, not that we would even use that many. Whereas with SonicWall, at the time we were using it, it came with 10 and then anything over that had to be purchased.

Money-wise, it's a one-and-done with the WatchGuard. With SonicWall, there were a few things that you had to pay extra for to get. 

The subscription services with the WatchGuard are pretty nice.

I used the SonicWall at another hospital in southwest Arkansas. 

WatchGuard has come quite a way, as far as the Fireware Web UI goes. The GUI application has become better, making it easier to navigate through setting up policies and setting up VPN tunnels, etc. SonicWall had been there quite a while longer than WatchGuard, in terms of being user-friendly. But I can't complain about the WatchGuard now. When I first moved here, it was very cumbersome to navigate through, but with the Web UI it's really improved.

They do have a client that you can connect to the WatchGuard if you want to use that client. It's still kind of clunky for navigating and I very seldom use it anymore. They call it the WatchGuard System Manager. It's not quite as friendly as the Web UI. It's usable, it's just not really friendly. But the Web UI is very well done.

My advice would be go for it. We've not had any problem with it. We've been very pleased, especially with the newer WatchGuard we've put in place. It's very responsive. It works great. It may have a little bit of a curve on learning it, but once you learn it, it's hard to say you'd want to go back to something else.

It took me a little bit to get used to WatchGuard. I was familiar with SonicWall before I moved into this role. But now that I've used it for almost seven years, I've gotten to know it pretty well and it works great. Once you get used to what I would call the idiosyncrasies of WatchGuard, as opposed to the SonicWall, it's pretty easy to configure. Using the WatchGuard web UI also makes it a lot easier to configure.

It provides us with somewhat layered security. It is the firewall between us and the outside world. With our subscription we do have the Gateway AV, so it does watch for things of that nature. We have certain policies in place that help with the layered part of it. But it's just one of many layers. We have other things in place to help, but it's definitely something I wouldn't want to do without.

WatchGuard Firebox is our edge firewall.

Currently, we are using the M470 and we have used many models in the past.

The solution provides our business with layered security. An example would be the intrusion protection on anything that is internet-facing. We host our own mail server and I regularly see that WatchGuard has swatted away attempts to get in from bad actors. I have to have that open because people have to connect on their cell phones. Obviously they have to send and receive mail. So I sleep a lot better knowing that something is watching the few things that I do need to present to the internet. I feel much better having something protecting and monitoring all traffic that passes through.

We have an interesting environment. There is actually a completely separate computer domain, an entirely separate network that belongs to a regulatory body. We work at a casino and our gaming commission has to be able to get into some of our systems and monitor some of our activities. Obviously we don't want them to just plug directly into our network, so we have created a DMZ where they can come into our network via the WatchGuard. That way, I get to see all of their activity as well and monitor what they can get to. We give them access to what they need and nothing more.

The solution also simplifies aspects of my job by having automated reports generated weekly, for review. I like the fact that they get delivered and I get to see the actual metrics of what the box is doing. The reporting features reassure me that it is working.

In terms of saving time, I have used Cisco firewalls in the past and I would say that it is easier to construct policies with WatchGuard than it is in Cisco, particularly Cisco's ASDM (Adaptive Security Device Manager). It probably takes about half the time with WatchGuard. Usually we're just modifying something, adding or removing somebody from a web blocker category. It's very easy to maintain.

As a casino, we have one site and that's it. There are no mobile workers. We usually don't have any remote access and we don't need collaboration tools because we all work in the same building. But now that we're trying to get some people to not come in [due to the Corona virus situation] and we're running on a skeleton crew, we are able to maintain productivity by leveraging the native VPN clients and access provided by WatchGuard. We didn't have to buy anything. We had all the infrastructure ready to go and then I slapped a policy together last Tuesday and we've been using it ever since. It was very easy.

• One of the most valuable features is the Gateway AntiVirus. We scan all traffic as it's coming through.
• We also use spamBlocker to scrub spam.
• We use content filtering, which is critical in any corporate environment to make sure that people don't surf things they're not supposed to.
• WatchGuard has a very easy VPN and branch office VPN setup, so we use those pretty extensively too.

It's very easy to use.

And our internet bandwidth does not exceed its throughput, so it is probably still a little overbuilt. It's definitely not a bottleneck. There is no problem with throughput.

In terms of performance, WatchGuard has always worked well for us. We've gone through about six different models in the last nine years, not all at our primary site. We had a couple of satellite offices that were using smaller models. They have all worked very well. There was only one time that we had a performance issue and it turned out that it was due to a hardware replacement being required, and that was handled expeditiously.

Regarding the reporting, I was in the Dimension server earlier today. It's very powerful. I like it. And the management features are easy to use. I like the fact that I can open up the System Manager client or I can just do it through the web if I'm making a quick change.

WatchGuard could be a little more robust in reporting. I get requests a lot to figure out people's internet traffic. We want to know what people are doing when they are on the internet. There is still a little bit of fine-tuning that can be done to that process.

I took over the admin role here back in 2011, so I've been using it for close to 10 years.

It's very solid. We don't reboot it very often and we don't seem to need to.

We went from a single appliance to a high-availability cluster, just last year. Managing the cluster is just as easy as it was to manage one unit.

It is doing everything we've asked of it so far, but we do plan on increasing usage. There are a few features that came out last year or maybe a little bit before that, features that we want to start using, such as WatchGuard's DNS. That will make sure that we're not asking for any bad players. At the moment we're still using Google DNS. And we haven't rolled out the endpoint security that came with it, but we are going to start using that as well.

I've never had to use their technical support. I've only used their online help. I've been able to find everything I need in the forums and the Knowledge Base.

The initial setup is straightforward. The wizards walk you through it, and I have found an answer to anything that I've ever had a question about in the Knowledge Base online. I don't think I've ever had to call for support personally. The documentation is awesome.

As for setup time, I usually have traffic passing through it within an hour or two. 

I know what traffic I want to allow out and I always start with just the stuff that I need to. I always start with the most restrictive, as far as policies go. The first thing I do is get rid of all the Any-Any rules and then I start locking it down. I love the way that it integrates with Active Directory. I base my internet usage and my web blocker policies on Active Directory security groups, and I can have all of that stuff set up ahead of time before I ever get ready to roll out the appliance itself.

Back in the day, we used to have a warehouse. We used to have a uniform shop that was offsite and I was responsible for setting up the tunnels of those sites. We recently relocated some administrative offices for the tribe that owns the casino that I work for, and we decided when they were moving that we would upgrade the firewall that they had. We purchased a WatchGuard so that it would be manageable, because we were already familiar with it from using it at our site. We dropped it right into place and I had traffic passing through it within minutes. I was done with it, doing all the other rules, within a couple of hours. I was onsite for all of those. I've never preconfigured one and then sent it out into the wild.

We use Variable Path, out of San Francisco. Our rep is Jason Chang. Our experience with them was very good. I would recommend them.

It's hard to measure ROI. But I've never had to go in front of upper management and tell them that we were breached. That is probably the conversation I would least like to have with them.

Otherwise, regarding return on investment, having the infrastructure already here and having more capabilities than we're using right now allow me to react very quickly. As I said, I was able to get some people working from home last week. It literally took us a day from going from zero people with remote access to a core group of about 12 people having remote access.

Getting a WatchGuard for the first three years pays for the hardware. I think it's cheaper to keep doing hardware upgrades at every software renewal, rather than just pay for maintenance to keep a piece of hardware going. I usually tell people that it's really affordable as well, particularly compared to Cisco.

In addition to the standard cost, we usually get the Total Security Suite. We go top-shelf on all of the subscription services.

WatchGuard was brought in by one of my predecessors. I left this company for a little while and went to go work for a credit union, and that was a completely Cisco shop, so I got to experience both of them at different times.

I don't think I've actually used anything other than the Cisco ASA. With the WatchGuard it's easier to create policies, that's for sure. I like the flexible stability of being able to leverage objects in Active Directory. I also like being able to not have to create all my policies using IP addresses, and that I can actually do web domain name lookups every time. That's very handy for large, distributed stuff where you have no idea where the actual source is going to be coming from. The cloud bounces traffic from all over nowadays. So crafting rules with fully qualified domain names, FQDN, is definitely something that I did not have in my Cisco ASA.

The Cisco was a little less confusing and more straightforward. It didn't do all of the things that the WatchGuard does, so in that sense it was a little bit easier to understand. That is particularly true once you start getting into proxy actions and setting up: "Okay, cool. Once this rule gets triggered, what actions have to happen?" I do know a few people who use WatchGuard and they still have to get assistance when they look at that. So I would file that as a con for WatchGuard. Proxy actions can be a little bit complicated.

Invest in some Professional Services. Although you can absolutely pull it out of the box and deploy it — and we've done that before — it's always good to have somebody that you can ask about best practices and run a few scenarios by them. We ended up purchasing four Professional Services from our local reseller. It was good. Although they didn't really provide any answers, they were there to say, "Oh no, you're doing the right thing." It was more reassurance than anything. But I would definitely recommend springing for some Professional Services. That will make the whole process go a lot easier.

A small subset of my staff, maybe three or four people, is involved in deploying and maintaining the solution. They're all IT administrators.

We have four locations and at every one of them we use WatchGuard. We use them as firewalls and for UTM. They provide protection in terms of detection and prevention. And we also use them for site-to-site VPN, as well as for direct connect, VPN to AWS, and to AWS using VLAN tagging.

One of the main ways it has helped is that we use site-to-site VPN a lot, as well as remote access ACLs and client-to-VPN. Prior to WatchGuard, for example, we used to use Remote Desktop, which is not very secure, or RD Web, which is also not very secure. We installed the client VPN on everyone's remote computer and they can access our local area network. That is much better than using the other solutions. It's an improvement for the user and it's less risky for us. It gives us peace of mind that we're using the proper channels to access our network.

It's hard to pick one feature over another. But if I had to pick one, the UTM would be the most valuable because of the notification. I get notified via email if there is any type of threat detection or alert, telling me something is wrong.

For me personally, because I'm Cisco-Certified, it was very easy to take this over. I think it's a lot easier to work with because it's a GUI and not a CLI. I cannot speak for other users or other administrators, but it's pretty simple.

Based on our needs, the throughput is pretty solid. We haven't had any issues as far as the throughput is concerned. This particular box maxes out at 2 GBs and we only have 1 GB so we haven't had any latency.

I manage it using the System Manager, based on the firewall access control that I have. I've been able to manage it and use it without any problems.

Websense is an application that monitors and filters internet traffic. Websense was derived from WatchGuard. But when you go to WatchGuard to actually implement that particular feature, you have to use some type of additional feature and you have to pay for it, unfortunately. I think it should be free or free in the WatchGuard box itself, as an option. It would be nice if they didn't charge us for that.

And if they won't offer it for free, they should offer something better. It definitely needs a big improvement because it's very unfriendly. It's called Dimension Basic and there is a reason they call it basic, because it gives you very basic information. Let's say you want to track someone's internet activity or where they've been going. Websense gives you detailed information as far as the source. But this one only gives you very basic information and, on top of that, it's a free version for only a few months and then you have to pay for it. So not only is the version very basic but you still have to pay for it. That, in my opinion, has room for improvement.

Everything else that we have, the live security services and network discovery and all the spam blocking, threat protection, and the web blocker, is included.

We've been using Firebox for as long as I can remember. I inherited this position close to 13 years ago and they'd been using it before that.

For the most part, everything seems to be working without any issues. That's why we've had it for this long, close to 17 years for the company and, under me, for 13 years. There are more pros than cons.

We haven't had any issues. I always buy an additional box as a Hot Standby. I have never had to use it, and thank God for that. So it's been very stable. We keep them for a maximum of three to four years and then we upgrade to a newer one. For the time that we keep the box active, we don't have any issues.

In terms of scalability, as far other features go, we're stuck with what we have on the physical appliance. For example, we had one that was set to 300 MBs for throughput and when we wanted to upgrade, we couldn't obviously use that same box. It wasn't really scalable. So we had to upgrade to a newer version.

We have four locations and approximately 400 users. We don't have any firm plans to increase usage. The owner of our company just acquired another company and that may make a difference. WatchGuard is the main component that we use. The subscription for all four of the WatchGuards that we currently have ends in 180 days. We're just going to upgrade to the newer version, if it's available. 

There was an incident, back in the day, where I called for support and the guy sort of brushed me off. It was very uncomfortable but it could have been an isolated incident. I don't want to say that all the support engineers are the same. But this particular guy was either drunk or rude.

Other than that, it's been very smooth sailing for us, as far as support goes.

We have always been using Cisco. They decided that WatchGuard would be beneficial to keep because it's GUI and it's a lot easier to work with than other products, especially for junior admins.

I set it up all the time and it's very straightforward. It's very easy to set up and very easy to migrate over to a newer version. It's really simple. I've only done a new deployment once. 

For upgrades, you save the configuration and you upload it to a new file, or you just open a new file and browse to the configuration file that you saved. It usually takes 10 minutes at the most.

But the first deployment, because it was obviously more involved, took a few hours. Setup included the site-to-site VPN, the client VPN, the actual interfaces, the static NATs, a lot of the firewall policy, the internet certificates, and the policy routing; the basic components of any router.

Deploying WatchGuard to distributed locations is mainly the same. Obviously, there are differences in the IP addressing and the network addresses. And you have to take care of the VPN connection between the two, to be able to communicate using the site-to-site VPN. There is also web blocking. We have certain policies for denying access to certain sites or certain applications. We don't allow, for example, weapons or sex or any of those kinds of solicitation sites. We then set the external and internal interfaces and then do the routing. In the some of those locations we use the WatchGuard as a DHCP server, so we set that up as well. The rest is all pre-configured.

We have had two-year deals in the past, but recently we decided to go with annual. The cost was somewhere in the vicinity of $2,000 to $3,000 for each one, depending on if they had a special at that time or if they were doing an in-place upgrade or with the same router.

They figured if they were going to get something different then it would have to be something very user-friendly for the administrators, because I'm the only one who is certified to work on Cisco. We evaluated the Barracuda NextGen Firewall. We also looked into Juniper and the Meraki firewall, because all our switches are Meraki switches. 

But we decided to stay with the WatchGuard. The prices were a little bit better than Meraki and, since everything was pre-configured, to upgrade to a newer WatchGuard all we had to do was just save the config file and upload it to the new one, and that was the end of that.

Educate yourself. Read documentation and watch videos online. Since the administrators are going to use it, they should educate themselves on WatchGuard. Keep a cheap, old box for training. I train my administrators on an older box and I give them a network to train on.

We have been attacked with ransomware in the past, and it was kind of disappointing because, when I talked to Cisco support they said that they recommended purchasing end-point protection with a ransomware interceptor, so we ended up getting Sophos. So alongside the WatchGuard, we have Sophos' ransomware interceptor and end-point protection. We use them, on top of the WatchGuard, as a secondary line of defense.

It has been smooth sailing as far as the product itself is concerned. That's why we keep renewing it. We either renew it or we upgrade to the newest version if they have a special. We also use it for Hot Standby. It's been good.

We use it both for VPN tunnels and as a firewall.

Our company runs group homes. There are 140 or so sites and employees are traveling to those sites on a daily basis. They use the VPN tunnels going back to the main office to access the file servers. We also have about 12 remote locations connected by WatchGuards on both ends to create a VPN tunnel, with SD-WAN to allow traffic to go between those two sites, both for the file servers and for the phone system.

It gives us a higher sense of security. There is an easier workflow as well.

I estimate that 50 percent more users use the WatchGuard VPN than use the SonicWall VPN tunnels. Those users are able to work on documents out of the site or increase their workflow and do work while they're onsite instead of doing it later. It saves us a couple of hours per person per week.

Once it's set up, we don't have to touch it that much.

We enjoy its usability very much. It's very easy to use, especially compared to similar products. A lot more users use the WatchGuard appliance now than use the SonicWall appliance because of the ease of usability.

As long as you're using the correct model, since different models have different numbers of allowed tunnels, the throughput is enough.

In terms of management features, we have a Dimension Server set up. It's nice to be able to see where people have gone to and when they have gone there. Overall, the solution makes it easier to manage on my side. Setting up new policies, new devices, and setting up tunnels to the current devices, is easier.

The firewall secures the external perimeter.

There is a slight learning curve.

Beyond that, the only issue we've had in the past two or three years had to do with the number of current tunnel connections, and that was just an issue with our size of Firebox. We got a bigger Firebox. The old one was able to handle the load. It was just that we ran into a licensing issue. We had hit our number of concurrent tunnels. We have a lot of tunnels with the phone system. We have tunnels to and from each site for the phones to be able to talk. It was a little bit of a surprise when we came across this situation, but it's present in the documentation.

It didn't take us long to figure out that that was the reason we were having an issue. It was just our not having the forethought to make sure that what we had was able to expand to meet our needs.

We've been using WatchGuard Firebox for about eight years.

Stability is excellent. We've had no issues with the firewall going down because of the Firebox.

We haven't run into a scalability issue yet. There are over 1,000 employees including several hundred office staff. There are 20-some sites that we have connected. We had to step up to a 470 for the current VPN connections, but as long as we're on the right size Firebox, everything goes pretty well.

Whenever there's a new office site coming up, we typically add a new Firebox. We're looking at putting more Fireboxes in all of the group homes, so that's probably going to be 115 more deployments in the coming years. We plan on continuing to use it, but I don't see any issues with expanding.

We don't work directly with Cisco tech support. We work with a third-party company to handle support that we can't figure out.

We used SonicWall Next or Dell. 

The setup is pretty straightforward. It takes 15 to 20 minutes per box. We have to set up current tunnels and get a static IP address at the sites where we're putting the boxes. It requires one person for deployment and there is very little maintenance needed.

Deploying it to distributed locations is a matter of setting the Firebox up. If it's a replacement Firebox, we set it up with the same policies and ship it to the location. They can take it, unplug the old wires from the old box, put the new wires in, turn it on, and it's up and going.

There were other options. We took a look at Dell but this was the best one at the time. The usability and setup of the WatchGuard were better. Also, the maintenance was very minimal. It's almost nothing.

The other solutions had their features that were nice, but there wasn't anything that really drew us or made it stand out from WatchGuard. We're pretty happy with WatchGuard right now.

There are updates pretty regularly. There haven't been any big changes over the past few years. They've kept working, rather than taking steps backward or making things harder.

The primary use case is protection for my network from external access. We also use it for some VPN, but mostly it's for protection. It's mixed usage on about a dozen different connections, a dozen different workstations, and access points.

I don't really worry about individual workstation security as much, anymore. I can depend upon the firewall to control incoming viruses, incoming attacks, bad port usage.

It simplifies my job because I don't have to worry about it on a day-to-day basis, the way I otherwise would. I'm not checking and monitoring each workstation on a minute-by-minute basis. I can check what's going on with the firewall and see how it's being used and where, and if there are any things coming through the logs.

I've built my process around the WatchGuard. I can't say it has saved me time because it's become the defacto process. I don't have anything against which to compare it.

• Intrusion Prevention is my primary focus so that's what I find most useful. The why is straightforward: It's to prevent intrusion.
• The usability is pretty good. 
• The throughput of the solution is also pretty good. I think there is some throttling that occurs.
• It provides me the layered security I need.

There are some features I'd like to see, although they are not standard in any of the products in this class; for example, better monitoring.

I'd like to have better access to workstation monitoring, connection monitoring, and the amount of time an address is being used, to better gauge proper network utilization. If I knew that something was connected to a particular external location for an extended period that seems abnormal, I'd be able to act upon it. It comes down to overall monitoring and reporting for the class of services that I have.

The solution's reporting and management features, based on what I have, are fair. I'd like to see an easier way of managing, controlling, and viewing usage at an IP-address-based level.

It's very stable.

WatchGuard's product line is very scalable, but this particular product is not.

Technical support is pretty good. The online knowledge base is usually the best way to go. But I have had some telephone support as well.

I had been using SonicWall for about ten years. I got a little frustrated with them at around the time that Dell purchased them. The WatchGuard UI is easier to manage and easier to work through. I ultimately became dissatisfied with the service and ongoing costs of the SonicWall devices.

The initial setup was straightforward. They walked me through it. I have enough knowledge to be able to walk through the setup and then tweak it the way I need it. I was able to find anything that was unusual, pretty easily, on the web.

The initial deployment took under an hour. I've spent dozens of hours tweaking it over the years, but nothing out of the ordinary.

The implementation strategy was to set up something that allowed for VPN access, to grow VPN access, and that would protect my workstations against viruses and attacks, as well as my servers. The goal was to simplify everything with one box.

For deployment and maintenance, it's just one person who handles the network, and that is me.

I did it myself.

I'm not sure I could establish a numerical return on investment. It's mostly peace of mind. I could probably do well with a lesser product, but I'm afraid a lesser product would provide significantly less protection.

It costs me about $800 a year. There any no costs in addition to the standard licensing fees.

I looked at some Cisco products. I only upgraded to this latest T35 last year, from the previous WatchGuard item. I also looked at SonicWall and a couple of others.

It's used extensively. Do I plan to increase usage? If I can get better reporting, perhaps. But it's fully deployed and static at this point.

I would rate WatchGuard a seven out of ten. A perfect ten would come from lower costs for small installations for the service licensing, and improved reporting. And maybe some better awareness of what it's capable of doing. It's hard to figure out what I could do. That's a big thing. It's hard to figure out what is possible. What am I not taking advantage of? I've tried to work with people on that, and that's the biggest thing.

It's our main firewall. We have over 120 hosts that flow through it.

The biggest way that it has advanced us is that when we started adding additional locations, it became surprisingly easy to do that, to create branch-office VPNs. When I was first tasked with that, I was overwhelmed with it. I thought, "This is going to be really difficult." But it was really simple. I've never actually done this, but they have the ability to program a box and ship it out there. It'll identify it by its number and just do the setup automatically. I've never been brave enough to just let it go automatically, but when I do get it in my office and set it up for the branch office, it's just a matter of just plugging in the right numbers. It works and it's very stable. That enables us to do some incredible things.

WatchGuard has been mostly cost-effective compared to other firewall systems that are out there, given the power that it has and the ease. I complain about the usability, but things such as how to set them up and how to set up the routing up are, at least, intuitive. So that's been invaluable. It's one of the reasons why I haven't moved away from them or been tempted to move away from them. These setups are very complicated and WatchGuard makes it very easy.

It does simplify my job in the sense that it's easy to set up a VPN. Setting up a branch-office VPN is rather simple, but when I have remote users, such as myself or remote salespeople who are operating out of their homes, I can use whatever solutions are out there; the software that makes it easy for them to connect. That avoids my having to go out and buy really expensive solutions like TeamViewer or LogMeIn. They are always clunky, always hard to navigate around in. With WatchGuard, remote users can pop in straight through the VPN and then RDP into their remote desktops. And everything works very smoothly and rather quickly. Anytime you VPN it's not super-fast, but it has been rather efficient and is a huge advantage. It makes my job a lot easier because I don't have to try to troubleshoot somebody else's TeamViewer account.

WatchGuard has saved me time versus having to manually help people with their remote connections. It saves me about ten to 15 hours a month of work, not having to do all that.

The basic firewall features, or just the routing, are the most valuable because that's how we configure our network. 

The second valuable feature would be the branch office. We have five offices throughout the United States, and it coordinates the connections of those offices. 

And the filtering features are okay.

It layers security in the sense that it does isolate different networks. I have in-house web hosting and that's more of a DMZ-type thing sitting out in the open, so that it has to be isolated from our network. It has Gateway antivirus, which is important. It has Gateway spam protection, but I've never actually seen it do anything. That could be because our regular spam filters grab it before it gets a chance to. It's not a direct user-security thing. Another level of security is that I do keep our guest WiFi network separate from our main WiFi network. Even though WatchGuard doesn't manage our WiFi, it does play the traffic-cop between those two networks and keeps them separate. It's more IP-based routing security than anything else.

We have several branch offices. Those things run, you forget about them. My biggest gripe was when I went to update some of my devices, to try to make some speed improvements, not only did I get hit with, "You need to renew your LiveSecurity," but there was this reinstatement fee that they threw in on top of it. That really angered me, to the point that I canceled the entire order. I actually almost replaced some of those devices and I'm looking to replace them because of that type of thing. It's fair to pay for services like filtering, etc., but I don't feel it's fair to pay for updates to a product because they're patching and fixing and updating their product because of bugs. If I want to pay for the next version of something that gives me additional features, that's fair. But to have to pay a reinstatement fee and that sort of thing, I find it to be a very poor and unethical practice. We'd never do that to our customers. The reason I haven't thrown a huge fit is because everybody does it. SonicWall will do it; Cisco. All those guys do that kind of thing. 

I really don't like that, particularly because you're talking about a device that you paid $300 for, and the reinstatement fees are another $200-plus. I can just buy a brand-new device for that, get a faster unit, and get another year of stuff. Maybe that's what they're trying to encourage me to do. But there are firewall devices out there that I can buy that will do a lot of the stuff that I need to do in the remote offices, without having to purchase a yearly or three-year plan. I keep our main system up to date, but for the small edge units, it's just an unneeded expense. That's my biggest negative and biggest gripe about WatchGuard.

In terms of the reporting and management features — and this isn't necessarily a WatchGuard issue, this seems to be more of an industry-wide issue — you get reports, but a lot of times you don't know what you're looking at. You're so overwhelmed with the data. You're getting a lot of stuff that doesn't matter, so it takes time to parse through it, to actually get what you want to know. If it gives me a threat assessment such as, "You received an attack from North Korea," I don't know what that means. I know that an IP address from North Korea hit our server, and they tried a certain attack. Is that something I should take seriously or not? I don't know.

But that seems to be true with a lot of the solutions out there. They tend to report everything, and there's not a lot of control over getting rid of the noise. I've had it report threat attacks from devices within my network, from my own PC, in fact. So it's misinterpreting some things, obviously. Reporting is not something I rely very heavily on because of that. I look at it but I don't know what I'm looking at. Instead, I have a monitor that displays various things about my network, and I will have the main screen up just to see things like which host in the network is the busiest. I tend to use the main dashboard to get real-time information.

I've been using this solution for over 15 years.

The solution is very stable. I don't think I've ever had one crash in 15 years.

I did have one fail, but that was just a hardware failure. That was one of the very first, early units. That was years and years ago. I've never had one fail since then.

It's not very scalable. You get what you get. You buy for your application but if you grow, if you were to double your network bandwidth or the like, you would have to upgrade the product. That's because the hardware can't handle that. 

You could say it is scalable if want to add additional networks and that sort of thing. It makes that fairly simple. But you do need to buy the appliance that's applicable to your network.

It's used at all of our locations and it traffic-cops our entire network. But we're not adding any new networks. As we buy companies, which we've been doing, I usually pull their firewalls out and put these in, because that's what I'm familiar with, if I can't interface their existing firewalls with it.

Their tech support, the few times I've used them, have been excellent. Their staff has been very knowledgeable. I've had several instances where, when fixing a problem, they've made suggestions about other things not related to that problem, as they inspected the setup.

They have a very good system for logging in securely and seeing configurations without being able to check it. That's been very helpful. I've always given an "A+" to their tech support.

It was so long ago, but I used some PC-based proxies at the time. So there was something before this solution, but my first, actual, dedicated appliance was WatchGuard.

It might be that we purchased this back in the late '90s, because our previous solutions were back during the dial-up age. It wasn't until we started getting always-on internet in the late '90s or early 2000s that we looked at a firewall. Someone suggested WatchGuard.

The initial setup is straightforward. Network setup is complex because setting up networks is complex. I will give them props for making a very complex task a little easier. I don't know a way you could make it any easier than they do. I have done network setups in other firewalls that I thought were way more complicated and more convoluted. We've set up a branch office with some SonicWall devices and my setup screen was a whole lot easier than theirs.

The deployment itself takes an hour, if that. I've done upgrades, but I haven't done a straight, flat-out deployment in a long time. But usually, when I deploy a branch office or upgrade the main unit, it's usually up and running within ten to 15 minutes in most cases. If I get something wrong, then it might go to an hour or so, but usually they're very straightforward. If it's a branch-office deployment, it's just a matter of plugging it in. It takes five to ten minutes. The configuration might take another ten to 15 minutes. The one thing that's difficult when you're setting one up is that you have to isolate a computer that you can connect directly to. They have things that make that easier, but I've never tried it.

Our implementation strategy, back then, was to bring branch offices online.

The process of deploying the product to distributed locations usually means that I bring the device in-house and preconfigure and test it before I send it out to a remote location. I'm usually onsite at remote locations to install it. So my process is to order the product, configure it locally, get it correct, and then install it onsite.

In terms of using it, there are maybe ten users and they use a VPN client. They directly interface with it. It's primarily me who manages it. I'm the only user who actually sets the configurations up in it.

I purchased it from a retailer at CDW and did the deployment myself.

Being able to control network traffic and being able to monitor employee activity on the network are things you can't quantify, but there's definitely a cost that you could attach to each. If we have users that we find are spending too much time on social networks, we can address those issues, replace the employee if they don't comply, or help them with their productivity, etc. 

A firewall is a necessary evil. You've got to have one. It's one of the less expensive but powerful models. I've always been very impressed with that. There's a definite return on investment in terms of that the branch-office option. I didn't have to pay anything extra for that. It was just built-in. Those can get upwards of thousands of dollars with other solutions. One solution I saw was $15 a month per user. It would be astronomical if we tried to go that route.

I don't have a number, but the return on investment is good.

I buy a three-year renewal on the main device, which is usually around $3,000 to $4,000. They usually upgrade the device when I do it. You get a big discount when you do three years.

If I were to renew my other devices — we haven't renewed them — it would probably be around a couple of thousand dollars for the little edge devices.

In addition to the standard licensing fees, we pay for the filtering software. There's a web blocker, Gateway antivirus, intrusion prevention. Those sorts of things are extra. They call it LiveSecurity. I do the LiveSecurity update and that includes a lot of those features. It's a type of a-la-carte scenario. You pick what you want, and that then includes maintenance and support.

I can't remember what we looked at, at that time. I have looked at more recent solutions like Untangled, SonicWall, and the like, just to see what else is out there.

Make sure you buy the device that fits your environment. Don't try to do too much with too little. You can buy one of the edge devices, and you could technically run a large network on it, but it's not going to work as smoothly. Your firewall is your primary point of security from outside intrusion so you want to do it right. Be very meticulous about your configuration.

Straight-up, walking-to-the-console usability of the solution is not very user-friendly. It's not very intuitive. However, compared to other firewalls, it's very user-friendly. So it's more user-friendly than most, but it's just not something anybody could walk up to and use. If I had to walk someone through it remotely, it wouldn't be very easy for them to do.

Each upgrade of the device, and I've had about five of them — five main devices — has allowed an increase in bandwidth and performance. They tend to work fairly consistently, but as speeds have gotten faster, you've got to upgrade the device to keep up with it. They seem to be doing an adequate job at that.

I have used the solution's Cloud Visibility feature. I wasn't really blown away. I thought, "Okay, that's neat." I haven't really dug into it deeply. I don't really think about it in the context of detecting and reacting to threats or other issues in our network. I like to be aware of threats, but threats in networking terms are always not practical. For a company like ours, we know there are going to be internet probes out there, and they're going to hit our network. The WatchGuard identifies them and locks them down. There's nothing I can do about it. It's more along the lines of, "For your information, there was an attempted attacked last night."

What I'd rather have is internal threat assessment. I want to know: "This machine started doing something last night it wasn't supposed to do. It was sending out emails at two in the morning. It shouldn't be doing that." Since it's sitting here watching the network, I'm more concerned with internal threats, and people doing things they shouldn't be doing, than I'm worried about the external threats. 

I probably should be equally concerned about them but I've never found a really good solution on that. I have some customized things that I've done that try to send me alerts if certain behavior patterns are detected. I'm scanning through the logs, and if certain keywords pop up, then I'm alerted. That's been somewhat helpful, but most of the time I get more false positives than I get actual.

We have web filtering, so I'm looking to see if anyone is going to pornographic or hacker or peer-to-peer sites. I get alerts from that and it logs those. But most of the time, I'll get hundreds of alerts on sites for a user, and I'll go over and find that the user was looking for fonts and one of the ads happened to be on a server that caused a trigger. It was a complete false positive but I don't know how to filter all that out. So the alert becomes useless. That may be an industry problem.

I would rate WatchGuard at eight out ten. There is a need for improvements in the reporting. There needs to be more granular, built-in filtering in the reporting, so that you can drill it down to exactly the information you want. The second thing would be the cost-plan of renewals. They can have a security plan and they can have a renewal plan. But if you lapse and they charge a penalty on top of that, to me that's really unacceptable. I should be able to let a product lapse if I want to. It may not be a priority. It might be something I have in someone's home and then there's just a new feature I need to add. As I'm going down the road I should just be able to buy that when I want. To put in reinstatement fees is a big negative to me. Granted, they all do it, but they all shouldn't do it.

It is a firewall. I have two M400s. They act as security for the Internet, like a border between us and the Internet.

We allow more outside vendors to be able to come in, then I could protect them. This is a way that I could leverage the solution which has improved business. It has made vendors coming from the outside able to get to resources that we can provide them without allowing them onto our production network.

We have the logging working along with the System Manager overview. This all seems very good to use and straightforward. It is where I look when I start since it gives me that sort of a single pane of glass for both firewalls.

It gives me Layer 3 and Layer 4 security. I don't know if it gives me the full Layer 7 security, which some other firewalls do. It might in new revisions of it. However, for what I need, it meets the sweet spot.

Having the VPN access helps productivity in the sense that people can get to resources anywhere.

• HostWatch is a nice feature.
• Logging
• The central management piece of the system
• The overview manager is good to have.
• The GUI is somewhat easy to use.

These features provide visibility on the network. When there is trouble, I like to see why I might be having trouble at the gateway level.

HostWatch makes it so I can see, in real-time, activity in the event that there is something weird happening on the network. This simplifies my job.

The product's usability is good. It is straightforward and simple. One of the benefits is that it is easy to navigate and intuitive.

Sometimes, the writing rules are a little confusing in how am I doing them.

I had some trouble with the previous product version (XTM) at the end. When the product aged a bit, there were no redundant power supplies. For what we're doing, it would've been nice to have something to fall back on instead rebuilding and taking it from an old configuration because the older version did die. We were able to take from an older configuration, build a new one quickly, and get it up and running, which didn't take long, but there was some pain around it.

With the previous version (XTM), I started seeing some hiccups.

With this new version (M400), it has been in place for about a year and been running just fine. I haven't had to reboot it. I don't think I've had an issue at all with it.

I manage the solution as the network administrator.

I am not sure what I can scale up to. It meets our needs, though. We're not a growing company. We are sort of a static company in terms of growth. As a static company, we are not looking to increase our usage.

We have around 200 users, who are tradesmen, toll collectors, administrators, accountants, and auditors.

I haven't used WatchGuard's technical support because it is an easy product to use.

We switched from WatchGuard's previous model due to age of hardware. We went from something that was seven or eight years old to something from the last year or two.

The initial setup was straightforward. We had been previously using WatchGuard and moved from an XTM to an M400. So, this is our second-generation of firewall with them, and I didn't have any problems.

The deployment took about a day. I upgraded the hardware, making sure that everything migrated over correctly. That was the goal. I had one rule that I dropped, but that's about it.

We have multiple networks with Internet points of presence where we have multiple firewalls. These are not at the distribution layer. The core layer is more where our firewall is.

For the price point, what we do with it, and the time that the last one lived for on our network, we have gotten our money's worth from it. I'm satisfied with the product for the most part.

We did consider other vendors. I don't think there's a need for us to switch right now. In the future, there might be. However, we're pretty happy right now with what we have.

We also looked at Palo Alto, Cisco, and Juniper NetScreen. We looked at Juniper because we have a lot of Juniper switching infrastructure. WatchGuard's price point worked, which is the reason why we stayed with WatchGuard.

Leverage the website. They have a good knowledge base out there. If this was a green deployment, make sure that you understand how the policies work for VPN and matting.

The throughput is adequate. It certainly handles what I pumped through it, which is about 150MB. I don't know how we would do on a big gigabit network, but for what I do, it works. I haven't seen any slow downs in throughput.

I am not using the Cloud Visibility feature.

Our primary use case is for firewalls.

We were using Websense before, for website filtering, and we had to configure the device to block and monitor. Then we would go to Cisco to configure the firewall ports and then we used antivirus software to protect that the gateway from viruses. So we were using three or four different security products. WatchGuard integrated into everything in one place, so it's much easier to configure.

It has simplified my job. Before WatchGuard, we needed one person inside and two people outside to set up our network. Now I can do it by myself.

The solution has saved us 30 minutes to an hour every day. In terms of productivity, before WatchGuard we had given up checking the logs because there was so much information. But now, with its graphical interface, it's much easier to get the information that I need: the violations and sever errors are easier to pull out.

The most valuable feature is the GUI, especially the real-time bandwidth usage report. Also, its integration with WiFi access points is nice.

The product's usability is very good. We were using Cisco products before, and that was terrible. The difference is in integration. With Cisco we had to go into the command line to configure devices. With WatchGuard we can do everything from the GUI, so it's much easier to set up and to make sure everything is working the way we want.

The throughput of the solution is good. It's also very good at reporting. I can see things graphically so I don't have to read through all the log text files.

The solution provides our business with layered security. In terms of the attack vectors it secures, we have a firewall set up and it gives me reports. It also has an integrated web filtering solution. I can set up a website filter and it's all filtered in one place. I don't have to go to another solution.

I don't know if it's just my version, but the WiFi access point integration has just started. It's getting better but if there were more reporting of the devices that are connected to WiFi access points that would be great. Right now I can see the MAC address and bandwidth usage for each device but that's about it. If I could see which sites the devices are visiting and what kind of traffic is generated from each device, that would be great.

We bought Firebox four or five years ago, and with the first version I had to reboot it every two or three months for no apparent reason. We upgraded last year to the M370 and it's been running, but it is rebooting from time to time. I don't know why.

Since everything is integrated, when there is really high user traffic, especially to the different locations, including email and everything coming in at one time, I see very high CPUs. It may not be as scalable as having three or four different devices running, one for each task.

The bandwidth is good but we only have a 15 meg fibre to this location and I see high CPU usage, so I wonder how far it can go up. It's working well for us but if you are trying to go to 200 or 300 meg of bandwidth you may need to get a bigger WatchGuard.

We don't have any plans to increase usage in the future. It has a hotspot client access which we're somewhat interested in, but we don't have many guests coming into our offices. That's the one area where we might spend some time.

Technical support is really good. That's one of the best parts of this product. With Cisco, you have to transfer all over the place, but with WatchGuard there's a ticket system. When you open up a ticket, they are really responsive.

Their response time is within a few hours. If you just log a ticket through the website, you get a response back within one to two hours. But if you call up, they respond really fast. And it's a real tech guy responding back. You go through all your details and you get answers right away.

At times I have made an additional feature request and even I have forgotten that I requested it, but they keep following up. I have to say, "It's okay now, forget it."

We were using Cisco Professional Services whenever we had to tweak our IP forms or QoS and those advanced types of changes. The outside consultants were costing us money. With WatchGuard we can do the setup by ourselves. We tried it and found we could do it.

The initial setup was very straightforward. The graphic interface gives you bandwidth control, traffic control, and a graphics screen, unlike the Cisco products where you have to go into the command line. There, you are typing commands but it's really hard to tell if it's working or not. With WatchGuard, it gives you the response right back and you see results right away. So, it's much easier to configure.

Our deployment took about three days. To get it up and running it took about one hour. The rest of the time was to tweak our firewalls, open up this port, open up that site.

Regarding our implementation strategy, we have ten remote locations. We started with one branch as a test bed, set up a template there, and applied it to the corporate site here. When we applied it to the corporate site it took a little while, about three days. But once the corporate template was done, the other sites were quick. We set up the device, and it shipped it out and, in ten to 15 minutes, it was up and running.

We purchased the solution from a local distributor, Jensen IT, and they had a support line. We called up two or three times. Our experience with them was very reasonable.

From a pure cost standpoint, we cut our fees in half by moving to WatchGuard. And in terms of time, we are spending one-third or even one-fifth of the time we were spending on Cisco devices. Those are substantial savings.

The price is so small that I don't pay attention to it anymore. I think we pay a few thousand dollars for two to three years, so about $100 per month. That's for all of our users.

There is an additional cost if we want to go with a deeper licensing model, but we just pay for antivirus, IPS, and main product support.

At the time we made the switch to WatchGuard we were also using two or three different solutions to manage security and our internet connection. We were using Symantec Gateway for antivirus protection, Websense for web filtering, Symantec IPS reporting, and Cisco.

The integration of all of those with our system was cumbersome and there were maintenance fees and license fees being paid to four or five companies. All licensing terms were different and it was really cumbersome to manage. With WatchGuard, everything is really in one place.

However, for one of our new locations we started using Meraki, which has cloud capabilities so I can remotely manage the setup of the firewall for remote offices. For ease-of-setup, Meraki is a little bit easier. If you want an easy solution in terms of setup, Meraki might be a better solution. But there is a lack of depth of setup on the Meraki, while WatchGuard is a real firewall solution. In the new office, we only have a five people, so the WatchGuard features may be a little bit too much that size of office.

Firebox has a very small model for personal use, a home-use product, but we did not test it out. That might be a good fit, but the value for a very small office may be a little bit of overkill.

If you have a small IT staff and want an easy-to-set-up solution, I would one hundred percent recommend WatchGuard. If you have a very serious, big IT department and a big business, you might want to test out the throughput and the stability.

In each of our ten remote offices, we have about ten to 15 people using it. At our corporate office we have 70 to 80 people. We require two people for deployment and one person for maintenance of the solution, including me, the IT manager and, our systems administrator.

I would rate the solution at nine out of the. It's just missing that stability point.