Opinions on WatchGuard firewall and APs?

Considering going with these guys next year, especially with their recent AuthPoint product.

Does anyone use WatchGuard and have some experience with their hardware? Just looking for opinions :slight_smile:

I’ve loved the WatchGuards that we’ve had for about 15 years… they may not have a bunch of bells and whistles, but they have enough to do everything, and in my opinion they have been the most intuitive to maintain… over the years we’ve tried SonicWalls and Fortinet, and we came from Cisco-world… Having said that, we do not use their APs… we use Ubiquitis. Also, we do not run their server manager; we just manage each through the web interface… we manage about 10 now of different models.

My favorite debug tool with WatchGuards was the Real-Time Traffic Monitor. Pure gold!

We’ve been running WatchGuards for over 10 years. No complaints, easy to manage, and the only ones I’ve had fail were due to lightning strikes.

I have 100+ WatchGuards in the wild right now, and I find them pretty great to work with compared to other devices in a similar vein (Zyxel, SonicWall).

Adding policies and SNATs is super straightforward, the VPN is pretty rock solid, the real-time traffic monitor can be extremely helpful in diagnosing simple issues quickly, and WatchGuard System Manager is a really awesome tool: clean interface, easy to pick up.

A couple of things to watch out for: they are configured by default to use non-standard SIP ports, so you may need to make some configuration changes. If you are going between different versions of firewalls, configurations are not interchangeable (we still have a couple of XTM-series devices lurking). I don’t find the models with wireless capabilities perform very well; not sure how their APs are, though (we use EnGenius). We’ve been working on deploying AuthPoint to some users who access RDS via iPad, and while the performance is pretty solid once you get it up and running, it has been an absolute nightmare to set up, and we have run into some glitches, such as when AuthPoint is activated users can no longer download the SSL VPN client.

If your company is a partner their support is top notch.

Overall I would definitely recommend.

We’ve been using WatchGuards for years. I’ve used the full gamut of NGFW/UTM devices, and WatchGuard is great for the price. Management Server is great for pushing out OS updates on a schedule and tracking config changes (the first 4 devices are free). Dimension gives decent insight into traffic usage and can be nice flash for C-levels and auditors. There’s really not a whole lot that they can’t do, and they’ve been adding some SD-WAN features recently that are making my life easier as well.

Now, their APs are a different beast. Price/performance-wise, I couldn’t justify them vs. something like Ubiquiti.

The firewalls are awesome and offer good bang for your buck. I’ve found the feature set to be pretty rich, and it’s easy to manage and update, which is why I replace whatever existing firewall is in place with WatchGuard. The wireless offering isn’t that much different from any other out there, but WatchGuard is a firewall company, so that’s where they excel. The biggest con of the WatchGuard wireless is that any changes made to the SSIDs will take down the wireless to apply the changes and then bring it back up.

/r/networking should have some interesting input on this :slight_smile:

We are transitioning from WatchGuard to Untangle because of easier management and non-profit pricing. WatchGuard is a solid product. The only headaches I ever had were a VPN tunnel that kept dropping to a data center and getting used to System Configuration Manager. SSL VPN worked fantastically with our telecommuters.

We are new to WG. Some things I hate:

1] VPN and again VPN - client VPN abilities are a lot worse than Cisco ASAs.

2] VPN and again VPN - site VPN abilities around NAT (and dynamic sites) are worse than Cisco ASAs.

3] Aliases - you can’t use a defined network object everywhere, especially in VPN setups.

Depends what you want to do. If you don’t have the experience, the time, or the need for advanced functionality, WatchGuard and SonicWall might be worth looking at. Should you want more, I would avoid these.

Does anyone use WatchGuard and have some experience with their hardware? Just looking for opinions :slight_smile:

Yeah, and they’re generally quite acceptable, but they have so many annoying bugs when you turn more and more features on that I’m here two months later, as the result of a Google search, trying to trace yet another bug.

I like them, more than I enjoy dealing with Cisco over SSH.

At my last gig, we slowly replaced all of our WatchGuards with SonicWalls. The SonicWalls seemed easier to work with and since we weren’t particularly strong on the networking aspect, that was important to us.

The WatchGuards were fine while we had them, but ours required regular equipment restarts, and far too often, needed reboots in the middle of the working day. The SonicWalls never steered us wrong.

What was wrong with Fortinet?

Something I’ve always utterly hated about WatchGuard (and quite a few products from other vendors) is that I’m not allowed to SSH into the damn thing. I’ve had a few instances where being able to run tcpdump locally on the box would have saved me a good deal of time and frustration.

I use Untangle quite a bit and have nothing but good things to say about it. Great product, and they aren’t dicks about licensing it for a home lab: pretty much all the bells and whistles, no client limit, £50-ish. Yes please!

We actually still have one small Fortinet and it’s great… it gets the job done… my concern is not ‘trusting’ that I have it set up 100% as it should be, which is how I feel with the WatchGuards because they’re so explicit in setting up rules… or maybe it’s just because I have more experience with them. I hope that makes sense…

You can run tcpdump from WSM: Tools → Diagnostic Tasks.

But you can SSH to them, on port 4118. They run a typical wannabe-Cisco CLI; you don’t get a full Linux/Bash shell, but you can do tcpdump. (Policy rules must be set to let you connect to Firebox management on that port.)

You can also tcpdump from Firebox Policy Manager: Tools, Diagnostic Tasks, then tick the ‘advanced options’ box at the bottom, and you can give tcpdump any parameters you like and save the .pcap locally, streaming it until it has the data you want.

Honestly, I’d just like to be able to punch in proper iptables rules and have the pretty GUI for my former CLI-scared colleagues to use.