My favorite security device
August 12, 2021
Score 10 out of 10
Overall Satisfaction with WatchGuard Network Security
WatchGuard Network Security is being used in our organization worldwide. WatchGuard is the main firewall that protects us from the outside world and hosts our BOVPN between sites. We use WatchGuard for firewall protection, application control, APT blocker, botnet detection, data loss prevention, gateway antivirus, geolocation blocking, IPS, and as a web blocker (filter). Each site has redundant fireboxes. If one box goes down for any reason, the other immediately picks up. It is a great feature that eliminates downtime and makes it amazingly easy to do updates without user disruption.
- Easy Administration. You can use commands if you like, but you don't have to with WatchGuard. There is an easy-to-understand GUI for administering policies and every other feature of the security device. You can connect directly through a secure web interface, or you can download a client and administer it from there. Either way is simple and uncomplicated. Someone new to WatchGuard might have to learn where everything is located and how it all works together, but that is the same with any new device.
- Most importantly, WatchGuard is great at security. I have used it for years, at different locations and on different devices, and I have never seen it fail. If there is a security breach, it is due to a bad configuration. It protects like you expect a security device to protect. It does its job well. There are so many features to the devices in addition to firewall protection that it eliminates the need for purchasing other hardware and software. It has built-in cost savings if you choose to use the features. IPS, gateway antivirus/anti-malware, web blocking, VPN, and the list goes on.
- WatchGuard integrates with Active Directory to grant or deny permission. You can set up accounts on the device, which creates another user account and password for the users, or you can integrate with AD and assign permissions based on the individual account or group.
- Upgrading to a new WatchGuard device from an older model is as simple as can be. The devices are easily backed up. You only have to restore your current configuration file to the new device. There might be a few tweaks if the model is very different, but support will tell you what those are. (It might be something like changing the number of ports on the device, or specifying the version number of the firmware.) After that, you just apply the configuration and the new device is ready to work!
- Backing up the device. You can schedule backups and/or you can simply click a button and save the configuration file. (I use the web GUI the most.) The device is easily restored from this backup. In addition to that, you can download a human-readable configuration report! It has an outline at the beginning of the report so you can easily find the information you want. The configuration report shows ALL settings in the device. The report is extremely long because of the level of detail, but easy to read. The configuration report is a great reference. I save it as a PDF. From the PDF I can search for settings, which makes finding things so much easier.
- Other things I like: There are built-in charts and graphs in the Web UI. There is also a traffic monitor that is easily filtered. You can have the policies open on one screen and the monitor scrolling in another to easily see if policy changes affect access. You can choose whether or not individual policies are logged. This helps when you don't need to see redundant traffic. There are different types of logs that can be sent to different locations.
- A minor negative for WatchGuard is that the firewall policies cannot point to a domain; they must point to IP addresses or IP ranges. If there is a dynamic domain that you want to allow/deny, you must configure it using their WebBlocker in conjunction with policies. It takes a bit more logic to make that work. I've only run into that once, and after figuring out how to do it, it would not be a problem to configure it again. 99.9% of what you want to allow/deny has no problem using static IP addresses.
- WatchGuard integrates easily with Active Directory. There is an SSO (single sign-on) feature. If you use AD for SSO to determine user permissions, it sometimes doesn't refresh the users when they log on and off. There is a client to install on a server to read who is logged in on which device. Everything is translated to IPs for the WatchGuard device. I have seen it where a user logs off a workstation and another logs on, but the WatchGuard never got the info that the user changed. The previous user's permissions are granted, and the logs show the wrong user. This could have been a problem in my environment specifically due to the DCs or even where the client was installed, but I saw that this feature wasn't perfect.
- There are so many customizable features, sometimes I can't remember where things are.
- One WatchGuard device did the job of a previous firewall, IPS, proxy server, content blocker, and SPAM blocker/gateway antivirus. Great all-in-one device.
- Having no security issues (with proper configuration) is priceless.
I work with Bill Alger from GHA. He is the absolute best representative. He connects me with all the best configuration teams from any company. He NEVER calls me trying to sell anything, but whenever I email him, he responds within minutes. He treats everyone like they are his only client. Love him!
When I set up my first WatchGuard, it took a while for me to get used to all the features and set them up properly. It wasn't difficult, though. I didn't use an implementation team. I have not used one for any upgrades since. They do have support and I call each time to review my plan and listen to any suggestions or tips from WatchGuard. If you are clueless, you can call and they will help. :)
I like having a device with a license/maintenance agreement that covers everything. (You can choose your license level which can grant access to more features.) If you have a small budget, there is only so low that you can go. One year with a certain amount of features. That might not be appealing to those trying to shave off any extra dollars. I like not having to think about license versus maintenance fees or software coverage versus hardware. It makes things much simpler. There is also a date showing in the Web UI when you log in so it is easy to see when it is time to renew. If you keep an active agreement, they give a discount on upgrades. I also like that.
I have used Cisco and Juniper security devices/firewalls. They did the jobs of firewalls well. Cisco did not have a GUI. That's fine if all you are doing is firewall policies, but it is nice to have the option. Neither of them performs all the functions of a WatchGuard; not even close. I would not purchase those again after using a WatchGuard.
WatchGuard security is sizable from a simple home network to an international corporation. I have one at my house. There are different model sizes that can fit any scenario. Many features come with the devices and there are extra features that you can purchase if needed. They have support and documentation for those who are not familiar with the devices. If you are small or have a small budget, the ability to use one WatchGuard device in place of many other security devices is cost-saving, and they work well. If you sign up, they give free monthly webinars on different features and have Q&A's at the end of each session. WatchGuard has protected my environment, and my users, and kept me hack-free for years.