WatchGuard Firebox: Fiery performer at a nice price
WatchGuard's Firebox Peak X5500e is a strong, manageable firewall and the fastest in our test, but complexity and weak attack protection hold it backFollow @infoworld
In the WatchGuard Firebox, we encountered a system significantly different from the other three boxes in this test. The differences were as fundamental as the number of processor cores and the whitelist/blacklist balance, and they extended all the way out to the complexity of the user interface. If you're looking for an easy-to-configure box that works with minimal admin interaction, then the Firebox is not the system for you. If, on the other hand, you need a high-performance, highly secure firewall, and you are willing to invest in a learning curve and a rather complex configuration process, then our experience indicates that Firebox should be on your short list of systems to consider.
WatchGuard splits management and administration functions across two different applications. In this case, the complexity serves a good purpose: System administrators can edit the XML rules files offline, then push the new configuration to the box when the new rule set is complete (and debugged). We were able to watch this feature in action as the WatchGuard engineers modified and pushed configuration files almost constantly during our testing. (This wasn't a bad thing. WatchGuard was the first company to come in for testing and served as guinea pig as we did final debugging on the test scripts.)
[ When is a UTM not a UTM? Read the overall results of the InfoWorld Test Center's great UTM challenge. Read the other reviews: Astaro Security Gateway 425 | SonicWall NSA E7500 | ZyXel ZyWall USG1000. Compare the UTMs feature by feature. ]
The good news is that swapping entire configuration profiles is no more difficult than making subtle rule changes. The bad news is that making changes to a single rule isn't a lot simpler than pushing an entirely new configuration profile. Still, in either case, the Firebox's unique process means troubleshooting and performance tweaking are much easier and more convenient than they might have been; we could work on a new configuration while the previous version was still under testing.
Security as process
It's important to note that, unlike the other products in this test, WatchGuard's is very much a client-server architecture. While there are many times when the architecture makes very little difference, WatchGuard's approach can be an advantage when it comes to things like verifying regulatory compliance. For example, the WatchGuard engineer working with us had a folder on his machine noting every configuration we had tinkered with. In one instance, we went back a couple of weeks to try out a previous configuration with a new version of the Ixia test tool. While the other products could hold multiple configurations, and yes, you could save them off to your workstation, WatchGuard makes it easy enough that the XML code could easily be dropped into a bug tracker or version tracker for quality control and compliance verification.