My favorite firewall
October 07, 2016
My favorite firewall
Score 9 out of 10
Overall Satisfaction with WatchGuard XTM
WatchGuard XTM is the main firewall and web filter at my company. It is used for the entire site and was highly recommended by our sister company in another location. It provides everything a firewall provides, plus intrusion prevention, web content filtering, web monitoring, application control, and even antivirus protection from Internet traffic.
- WatchGuard XTM has a great GUI. It makes policy creation much easier, as well as setting up all the other features included in the WatchGuard. You can use the web interface or install an application to do the same.
- WatchGuard XTM allows you to integrate Active Directory accounts in policy creation. We can apply policies and web control to specific users or groups. For instance, our HR department can view job search sites to recruit, but everyone else is blocked from searching for jobs. Another example is that our IT department can download specific types of files that other users cannot. It makes life much easier.
- The policies are very flexible. Not only can you set policies for specific people or groups, you can set schedules. You can create a lunch hour or weekend policy that is different from normal working hours.
- You do not have to install anything on user workstations to authenticate with the WatchGuard. You can choose to install a client, but it is not required. It is a feature called Single Sign-On. With a small IT department, anything that reduces workload is welcome!
- Our XTM has run for several years and I can't remember having a hardware issue. We have to remember that we need to restart it every now and then. It just runs and runs with no problems.
- Although Watchguard XTM has a wonderful Single Sign-On (SSO) feature that integrates with Active Directory eliminating the need for client installs on workstations, I've noticed it is not always accurate. It is supposed to send the user information as soon as the user logs on, but I've see it keep a previous user's account attached to a workstation even after someone else has signed on. It has not been a major problem, but sometimes a user should have a specific policy, but a different policy is applied because it didn't register that the user changed on that workstation. I actually think it has something to do with DHCP. It ties the user with the IP address. When the IP address changes on a workstation, I've seen it move the user login with it. SSO is a wonderful feature, but it can be improved.
- WatchGuard XTM doesn't keep the best audit logs. It's difficult to tell what changes were made. We have to keep a manual log to record changes.
- Unlike other companies, I am not informed when there are updates to apply. I have to remember to check the site to see if there are newer versions of firmware, or software. There may be an email list I can join, but I haven't seen it.
- The cost and maintenance renewals WatchGuard XTM are much MUCH lower than the leading firewall brand. When we switched we had an ROI within the second year.
WatchGuard XTM comes in different models, so you can choose the model best suited for your company size. I think it works well in small as well as very large networks. I have not used this feature, but you can create a "FireCluster" to connect member devices of the same model if you need to put multiple WatchGuard XTMs in your environment. Coming from command line, it took a little adjusting to learn which screen to use to set up the different rules. Once you understand how to set up policies, it is simple to create more. New firewall administrators would appreciate the ease of creating policies, and expert administrators should find everything they need plus extra features.