10+ yrs experience with hundreds of Fireboxes, WatchGuard review
Updated August 07, 2019

Felicia King | TrustRadius Reviewer
Score 10 out of 10
Vetted Review

Overall Satisfaction with WatchGuard Network Security

As a network security architect, it is my job to design NIST SP-800 cybersecurity framework hardened network layer security solutions. These strategies are combined with a comprehensive cybersecurity kill chain plan inclusive of email, network, phone, printer, cloud, server, and endpoint layered defense strategies. As part of the design decision, technologies that consistently have extremely high efficacy while having a low TCO are absolutely essential for this solution to be manageable, effective, and affordable. WatchGuard has been our choice for network layer protection for more than 10 years. We also use their endpoint protection agent technologies and authentication solutions. In doing so, we have been able to deliver high levels of security effectiveness at an affordable price to organizations ranging from one user to 500 users.
  • WatchGuard System Manager and centralized management is the key to low TCO
  • Security solution efficacy is critical. A solution that is only 95% effective is not good enough.
  • Partner support is good and enables us to be able to deliver quality solutions that are consistently functional
  • Partner enablement. WG focuses on the channel as they know that the skill of the integrators is what makes the difference between a default appliance and an effective security solution
  • Partner communications on technical issues. For example the undocumented feature of SDWAN hidden route. There is still no documentation on that.
  • Too infrequent communications about high incidence technical support issues. We do not want to have to be encountering known issues and then having outages or problems that we then have to put in tickets about.
  • Pay attention to your most highly technical partners, not just those that sell a lot of equipment. The highly technical partners can and do provide very usable feedback that can make the products better.
  • WG wants partners to build relationships with people inside WG so we can drive solutions to problems, but too frequently, we get no response to emails sent to the proper internal resources about legitimate issues.
  • Our business is very WatchGuard-centric and we value our relationship with WatchGuard more than any other manufacturer
  • Fireboxes comprise the CORE of everything we do in terms of network layer security. So you literally cannot do a secure environment without a Firebox. Therefore, nearly every single client we have or ever have had has Fireboxes.
  • We have been able to consistently prove value by our network layer security techniques we implement on Fireboxes. We are able to have a viable SIEM logging solution and security incident alarm notifications because of Dimension.
  • Many of our largest and most valuable customers have come to us through WatchGuard partner finder
  • WatchGuard has sometimes very poorly executed aspects of their marketing plans or technologies that have cost us business. For example, they solicited our customers on behalf of competitors repeatedly. WG's wireless technologies were very poorly executed during the controller to wifi cloud transition period for about a couple years. This caused us major problems which caused us to walk away from WG wireless for that time.
We are the WatchGuard network security partner.
Please see my responses to former survey questions.
Consolidated security services in two major service package flavors does provide simplified solutions offering. This model has worked well. Please continue with that.
SonicWall is insecure and horrible to manage. Cisco ASA is terrible to manage. 98% of breaches occur due to a misconfiguration. Therefore, any device that makes visibility and management difficult inherently results in misconfigurations and insecure configurations. I don't think that WatchGuard realizes how much of their success pivots around WatchGuard System Manager. Not the webUI, but WSM and centralized management server. WatchGuard Cloud will be absolutely nothing if it does not provide us feature parity for WSM.
I do not recommend Fireboxes for network layer security in a situation where you cannot run a Firebox as the core network router for all subnets/VLANs because the network is simply too large to be accommodated on a single Firebox appliance. In that case of a network that is too large, I run a network layer security solution on every single Extreme switch in an environment and possibly also at the WAP layer. The Extreme solution is not as good or as flexible, but it does scale larger. The Extreme solution is also too expensive for any environment of less than 500 users. This statement would also be true of any Cisco, Checkpoint, Aruba, or HPE Networking solution. All of those solutions have a very high cost of implementation and maintenance, but they do scale to the size of 10,000+ endpoints.

WatchGuard Network Security Feature Ratings

  • Identification Technologies: 10
  • Visualization Tools: 10
  • Content Inspection: 9
  • Policy-based Controls: 10
  • Active Directory and LDAP: 10
  • Firewall Management Console: 10
  • Reporting and Logging: 10
  • VPN: 10
  • High Availability: 10
  • Stateful Inspection: 10
  • Proxy Server: 10

Using WatchGuard Network Security

5 - network security engineering and network security support
5 - Our engineers must have a very advanced knowledge of layer 3 networking technologies, server support, end user support, endpoint protection strategies, network layer security strategies, understanding of the cybersecurity framework, and the cybersecurity kill chain.
  • Fireboxes ARE the network
  • Fireboxes provide all the hardcore network layer security we need
  • WatchGuard technologies represent a comprehensive ecosystem for network layer security, visibility, awareness and monitoring
  • We were one of the first organizations to use autoblocking technologies. We have been using that innovation successfully since 2009.
  • We are one of the only WatchGuard partners in the entire world that successfully uses Fireboxes for hardened network layer security microsegmentation and intra-VLAN packet inspection which creates a network security layer at the endpoint level
  • We use real time alerting for all network layer security type issues that we think we should know about in real time. As such, we can offer clients a security operations center type of service.
  • We review all network security reports for all client sites weekly and are able to identify trends, areas for further investigation, or areas of configuration changing
  • For any prospects that contact us, we will use WatchGuard solutions to provide them the most security effective and cost effective cybersecurity kill chain solutions available in the SMB space.
  • We plan on using DNSWatchGo and the Access Portal technologies more.
  • We plan on using WatchGuard's MFA solution AuthPoint more than we are using it now.
  • We also think that WatchGuard has worked out the bugs in their Wifi Cloud solution and it is now a mature product worth adopting.
Ever since 2007, WatchGuard Fireboxes and WatchGuard network layer security solutions have been the most security effective with the lowest TCO of any solution on the market when properly implemented and properly maintained. As with any network layer security solution, the underlying network must first be architected correctly in order to facilitate network layer security, but then an extremely highly skilled network security architect must devise, implement, and maintain a network layer security solution in order to achieve efficacy. This is true of any network layer security solution. Few people worldwide have that skill. However, WatchGuard technologies when implemented and supported by a qualified partner are able to deliver that solution very cost-effectively to the SMB space. No other solution can achieve that.

Evaluating WatchGuard Network Security and Competitors

Yes - We have tried Cisco ASA, Juniper, Barracuda, SonicWall, PaloAlto, Fortinet, and Netgear. We find all of those options to be lacking in functionality, features, support, management capabilities, or just outright lacking in security effectiveness.
  • Price
  • Product Features
  • Product Usability
There is really only a single factor that matters. Security effectiveness at a low total cost of ownership. Forcepoint is security effective, but their baseline unit is around $40,000, unobtainium for most organizations. WatchGuard Fireboxes, year after year, are the only network security appliances that deliver security effectiveness, when properly programmed of course, at an attainable total cost of ownership.
I would have stopped wasting my time reviewing other manufacturers' products.

WatchGuard Network Security Implementation

  • Third-party professional services
We are the third-party professional services company that has done over 250 full network rearchitecture and migration projects. WatchGuard Fireboxes are at the core of creating a NIST SP-800 cybersecurity framework compliant network design.
I do not believe that in-house IT for any organization of less than 5000 employees would ever have the adequate network security architecture and engineering skill to properly implement core network security strategies. Companies should be looking to partner with a qualified WatchGuard partner for their needs.
Yes - We always start with simple replacement at first. Remove the old garbage network equipment and put in WatchGuard Firebox. Then once the Firebox is in place, implement security policies. Finally after the network layer is hardened, then refinements for security at the endpoints, servers, email system, etc. are done.
Change management was a major issue with the implementation - The biggest problem with implementing any security into an organization that has effectively had no security, which is what we find in most cases, is the FUD (fear, uncertainty, and doubt) by executive management and most users. It is a complete waste of time to try to find out what websites people need access to in advance. The only implementation that will be successful is one where you go in with your security standard that you think is going to work best for the client's organization, and then be highly available to deal with immediately any issues they encounter with regards to access. You can implement policies for a certain group of users at a time, but we generally find this to be unnecessary. We go in with our grouping of users with the set policies that we have established and maintained after 15 years of experience, and then adapt as needed.
  • Educating users and executive management that network layer security is an absolute necessity
  • Educating users and executive management that whitelisting websites that they want to access is not only unnecessary but an incorrect security approach
  • Educating users and executive management that the Firebox and our security is not the problem. In many cases, the website developers of websites that they access are not maintaining secure website hosting or they are simply utilizing insecure methodologies. And that is the true source of the issues.

WatchGuard Network Security Training

  • Online training
  • In-person training
  • Self-taught
In-person training is very good for the interaction with qualified trainers.
Online training is good for learning how to use the product. It does not teach security strategy because that is not its intent.
After 15+ years of experience with Fireboxes and having successfully trained 10 engineers to be successful supporting and managing Fireboxes, the only way to correctly and adequately learn Fireboxes or any other network security appliance is very heavy experiential effort. You must read the training manuals for Fireboxes, but you must also then spend a very significant amount of time with ANY network security appliance in order to be able to correctly and thoroughly use the solution for security efficacy. Very few people are going to have the skill to organically develop network security strategy on their own. Therefore they should partner with a highly qualified WatchGuard partner and then spend the time to learn how to use the product in order to maintain the security solution and strategy that their partner has implemented. It is actually better if managing network layer security is outsourced to a managed security services provider.

WatchGuard Network Security Support

Pros:
  • Quick Resolution
  • Good followup
  • Knowledgeable team
  • Problems get solved
  • Kept well informed
  • Immediate help available
  • Support understands my problem
  • Support cares about my success
  • Quick Initial Response
Cons:
  • None
Yes - We are a WatchGuard gold partner and we also pay for 4 hour RMA warranty services on some Fireboxes. We always buy TSS, which entitles us and our clients to higher support. Further, the effort we put into being a top tier WatchGuard partner and the relationship that we have built with WatchGuard over the years is how we pay for premium partner support. The level of support we have cannot be simply purchased for a fee.
Yes - I've been an extremely heavy user of WatchGuard products ever since 2007 consulting for 200+ networks. As such, yes I have found a lot of bugs over the years. WatchGuard has a good bug reporting system. They resolve the issue quickly if they are able to reproduce it. One of the reasons you should work with a highly qualified partner is because your partner will be able to use their connections to get issues dealt with even faster. There have been times that I found a bug and was able to email the engineer who manages that bit directly. The issue got fixed in less than 24 hours. That kind of response and collaboration only occurs through relationship.
Because of the quality of our skills as a top tier WatchGuard partner, we are able to have highly sophisticated and valuable interactions with WatchGuard top tier support. In the last few years, WatchGuard has really dramatically increased the skill of their support technicians at all levels. Part of it is due to the high quality of their internal training and the skill of their internal trainers. Part of it is due to a concerted effort by support executive management Shari McLaren to improve support. They have succeeded.
As long as we are asking questions of WatchGuard partner support that are within the scope of what is appropriate to ask them about, we are always able to have more than adequately sophisticated conversations about whatever the technical problem is. This results in problems being solved.
Literally, in 25 years of being in the IT industry, I have not had this experience with any other manufacturer of software or hardware.

Using WatchGuard Network Security

Pros:
  • Like to use
  • Relatively simple
  • Easy to use
  • Technical support not required
  • Well integrated
  • Consistent
  • Convenient
  • Feel confident using
  • Familiar
Cons:
  • None
  • Firebox System Manager and Firebox Policy Manager are the essence of effective troubleshooting, monitoring, configuration auditing, and configuration management. 98% of breaches occur due to a misconfiguration. Firebox Policy Manager, in the hands of a skilled network security architect can reveal network layer security misconfigurations faster than any other solution on the market. As such, it also eliminates network layer security misconfigurations.
  • Dimension is an excellent visibility product
  • WatchGuard's network discovery product is extremely helpful and easy to use
  • There are areas of Policy Manager where no import/export or reordering function is available. This feature has been requested for years, but WatchGuard has not invested effort into improving Policy Manager. They are trying to move to WatchGuard Cloud. Unless they provide feature parity at least, then WatchGuard Cloud will never be able to replace WSM.