Watchguard Opinions 1

bostontechguy (Technical User), Nov 9, 2003

Hello -

Could any of you pass on your experiences with multi-site Watchguard installations? I am considering deploying a 12 site system.

Thanks,

Dave
 
We only have two sites, both with Watchguard X1000's and they have performed most excellent! The throughput is nice, even with 300 users on one side of the VPN tunnel. The hardest thing we had to do was reprogram our Cisco routers. Other than that, the rest was pretty straight forward.

Good luck,
Larry
 
I also forgot to mention that we also renumbered the subnet at the second site in the UK so that we weren't using the same internal IP address ranges. Since they only had 20 users, it wasn't that big of a deal to renumber their subnet. You can still set up a VPN even if the internal subnet ranges are the same, but it's much more difficult because you then have to set up NAT'ing for it, which is not too easy.

Good luck,
Larry
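Larry's point about overlapping internal ranges applies to any multi-site mesh: every pair of sites that will share tunnels needs disjoint address space, or you are into double NAT. The following is an added example, not from the thread and not a WatchGuard tool, that checks a planned address plan for overlaps before any tunnel is built and proposes a free replacement block; the site names and CIDRs are constructed.

```python
"""Check a planned multi-site address plan for overlapping subnets before
building site-to-site tunnels, and suggest a non-colliding replacement.

Added example; SITES is a constructed plan, not anyone's real network."""
import ipaddress
from itertools import combinations

# Constructed plan: site name -> internal subnets (CIDR) that the tunnels carry.
SITES = {
    "boston-hq": ["10.1.0.0/16", "192.168.1.0/24"],
    "london":    ["192.168.1.0/24"],   # same range as boston-hq: needs renumbering
    "chicago":   ["10.2.0.0/16"],
    "denver":    ["10.2.128.0/17"],    # sits inside chicago's block
}


def find_overlaps(sites):
    """Return (site_a, net_a, site_b, net_b) for every pair of subnets at
    different sites that overlap. Hosts in two overlapping subnets cannot
    reach each other across a tunnel without NAT on at least one side."""
    nets = [(site, ipaddress.ip_network(cidr))
            for site, cidrs in sites.items() for cidr in cidrs]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(nets, 2)
            if a != b and na.overlaps(nb)]


def suggest_replacement(sites, pool="10.0.0.0/8", prefixlen=24):
    """First /prefixlen block carved out of `pool` that overlaps nothing in
    the current plan, as a candidate for renumbering the clashing site.
    Returns None if the pool is exhausted."""
    used = [ipaddress.ip_network(c) for cidrs in sites.values() for c in cidrs]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, na, b, nb in find_overlaps(SITES):
        print(f"overlap: {a} {na} <-> {b} {nb}")
    print("free block for renumbering:", suggest_replacement(SITES))
```

Run it against the plan before ordering hardware: an empty overlap list means plain routed tunnels will do; anything else is a site to renumber now, while it is still 20 users rather than 300.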
 
I find the lack of SNMP support irritating. Watchguard claim this is for security reasons but I don't see why they can't support SNMPv3, at least in RO mode.

I don't find the reports very intuitive.

The Manual IPSec seems reliable, we use it a lot, but the MUVPN and DVCP seem a bit flaky at times.
 
We have found that technical support, user support, general support is not very thorough, and tends to assume that the user is not only highly technical but well versed in Watchguard products.

I've had a very hard time getting answers to simple questions, and their install guides do not offer solutions to common problems.

I couldn't tell you how the products are because I still can't get them to work properly.
 
We don't even bother with WG tech support anymore. We went to them with an issue and they responded that their equipment just wasn't able to do it. After some tinkering around and some Googling, we found the solution and that indeed their equipment was capable of solving our problem with some minor configuration changes.

When it happened again, we just stopped asking them and just relied upon Google to answer our questions about the Watchguards.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
I agree about their support, talking to their (Indian) techs was no help. Constantly needing to reboot the entire Firebox just to change VPN settings is irritating and not having a decent routing engine is unfortunate (forget about load balancing, dynamic routes or anything that an actual firewall should be able to handle). WG's make a good Playskool "My First Firewall", but if you're thinking of setting up a network with any kind of complexity/redundancy, forget about it and buy a PIX.
 
We have had a Firebox 1000 for about 1.5 years. In that time I've learned one important thing:
Don't buy Watchguard.

The software is pretty but even after software upgrades we still have a flaky firewall. Gotta like a product that makes updating configs like playing Russian roulette. Every fifth or so policy update gets corrupted somehow and we have to reset the box to factory default because it gets so unstable.
 
Couldn't agree more with AntiEarnie....

Don't buy Watchguard.

I'm responsible for a VPN with one Firebox III 1000 at our head office and 20 SOHO6 units in the field.

-no SNMP on SOHO6 = major pain in the butt for auditing branches. (To be fair, I met in person with one of their lead software engineers, and he said SNMP functionality IS planned. Not sure if it's in the X units, because I'm definitely not buying them.)

-I need to reboot my Firebox III 1000 after particular configuration changes. That's ridiculous and totally unacceptable... and if it's truly based on Linux it makes even less sense to me.

-The SOHO6 units have been _extremely_ flaky... we've had a hardware failure rate of about 10% and nothing but problems with the Web interface and DHCP features, especially in later revisions of the software image. WG says it's not a known issue and have no suggestions for us.

-When the MUVPN client works, it works great. When it doesn't, you might as well distribute tin cans and string. So far I'm at about a 2/3 successful install rate for MUVPN clients.

-we've had particular rulesets interfere with other items in the ruleset for no apparent reason... for example, turning on HTTP filtering interrupted incoming FTP activity but the reporting tools showed something completely different being blocked (that issue was never even close to resolved by WG Support).

The graphical configuration and monitoring utilities are nice enough, I suppose, but overall... D-, would not deploy again. We're going Cisco for a new head office and that's the way it's heading for the field too. Costly, yes, but they'll pay for themselves by not giving my users and me headaches every second day.
 
I also agree with the above. Had nothing but problems with software configurations and software upgrades on a Firebox II. Then we upgraded to a Firebox 1000 (why, I don't know, but I ended up selling it to my old boss who loves WatchGuard and took their dumb tests to prove his loyalty, lame) and still had the same issues. Upgrades never worked right (you were better off reloading the box than restoring the flash), but even that sometimes caused issues. The SPAM thing was extra and sucked. Most of the time I would come in to work and employees would complain that the Internet was down. After some checking, the firewall was locked up. Had to reboot it. Just SO many issues like that that I sold it and switched to a Cisco PIX. Haven't had any issues with that and went with X-Wall for SPAM filtering. Everything cost less than the original firewall and spam filter by Watchguard.

Just my 2 cents
 
We have had 4 watchguards for 3 years. I have had 1 hardware failure in that time, but I had the new box the next day. We had a time period when we had lock-ups, our support person modified the rules (it looked like we were getting attacked and logging could not keep up) to not log everything and to drop connections during the attack. We have not had problems since.

I have found the boxes to be a good value for us. We do have a person supporting them that seems to be real good with them. I don't think I would want to do it all by ourselves. I have not found Watchguard's support to be very responsive, but our local support guy (3rd party) has been great.

I know of several other organizations around here using them and being very satisfied.

Dan
 
We have a return rate of 33% for SOHO6 boxes, but the FB700's and the FB1000's have been solid, and have worked without flaw.

Our biggest issue is that we have MUVPN clients that need to get into both CISCO sites and the Watchguard sites, and the two can not happen at the same time (as far as I know.)

If someone knows better, please let me know.

Thanks,
Doug
 
I agree 100% with Dollie's comment, Watchguard's support is NOT good at all, and after your 90 days of free support runs out you are expected to pay £200+ on each SOHO/Firebox for support renewal, but the issue is whether you get anywhere with the so-called support you receive.

I have resorted to their PDF manuals but found them very basic. I would appreciate it if anyone could recommend a good book on Watchguard...

 
My experience is that our Watchguard 100 works great as a basic firewall.

If you want to set up a VPN though forget it. The client software is a nightmare and the documentation is horrible.

Fortunately there are message boards and Google to help out.
 
Don't mean to hijack your thread, but has anyone been able to establish a site-to-site VPN tunnel between a Watchguard Firebox 1000 and a Cisco VPN Concentrator?
 
AlpineMan,

You will probably get a better response if you start a new thread with your question.
 
Yes, we had an older FBII that started to choke down on the throughput after several years, and since its end of life was reached in April 2005, we replaced it with an X700. Now having a config problem in reusing the cfg file from the older unit, which allowed all traffic to pass through the WebBlocker software. Not desirable, so we put the older unit back in service. I am now on day 2 of waiting for tech support to establish contact back with me, despite the 2 to 4 hour statement. I have left my work number, my cell number, etc. but no success yet. I can't vouch for the gold level of support but the regular live service is definitely not worth the money.
 
MAN, do I ever stand corrected! Sort of. After a nonplussed session of working with my first tech support guy, who called an hour and a half late for our appointment that took a day to set up via email tag, and who stepped me through an activation error I had made with a license key. Fair enough, but I had already submitted a request via the website for an escalation of my ticket to the support manager. I got a call back within the hour from a guy who told me in 20 minutes how to make several key changes in the configuration that would get me working as desired, and even went so far as telling me 'extra' things to do to set up the unit for better performance: changing some proxied filters to straight filters, swapping me from drop-in to routed mode, and suggesting a few changes in the NT authentication scheme I was using. This is real tech support! I asked him if he was with the gold level support group, and he replied that no, he was in fact just a member of the US-based tech support group that anyone with the live security service can request. 'Nuff said for me. I went from planning on selling the Watchguard gear on eBay to ordering some Edge units for the rest of my network. Reminds me of the good old days of getting tech support from the Lucent 5e switch group.

thanks, Jeff

 
Wanting to deploy a WatchGuard, well...
Where should I begin to tell you something about WatchGuard.

Currently I'm managing 148 WatchGuard devices of all different kinds. It's been my work for the last 3 1/2 years (some would say I am living in hell, but at least I get paid for it).
Next to WatchGuard I also manage SonicWalls and Checkpoint FW-1.

The major problems:

- lock-up/freeze (the cause: viruses like Blaster; most of the time you can't tell what caused the lock-up)
- changes to the config (it's never consistent and always asks for a reboot where it never did before)
- locked-up MUVPN slots (IPSec VPN users) (I believe recently resolved with WSM 7.3; I am using MSS 7.2)
- I don't want to think hard about it, it's Friday and I want to go home; there are many more points.

Remedy: restart

There are for sure things to consider when you want to deploy a WG, but there are just too many of them to tell.
Here I have some points that I think should at least be implemented before considering a WG.

Here are my points (addressed to WG):

=================
++ = highly demanded
+ = demanded
- = would be nice feature
=================

++ Remove that automated 'ANY' rule when creating VPN tunnels with VPN Manager!!!
Mentioned before, this is a PAIN in the *ss :) Connecting offices with VPN tunnels doesn't mean that those offices are trusted. It's more
the other way around! For sure now with the viruses, you want to minimize any problems and security threats.
In my opinion, this automated feature is one of the big minuses in the VPN Manager setup. I believe that this is really easy to disable in
your software, or please let me specify what I want.

++ Ping AND Traceroute (with specifying your own IP address!) (?)
For now I use the FBSH util (UNIX) to do all of this, and a Windows version will not come (your marketing doesn't approve). What we need is to initiate a PING or TRACE to any given IP address (with a given source) from the GUI. The existing GUI implementation demands that you initiate a PING or TRACE from an
IP address that passes the logging; you can't work with this implementation for troubleshooting.
So it would be really great to initiate a PING/TRACE from the GUI (not that PING from selecting an IP from the logging output) and of course specify
the source address (actually the interface). You have to specify the source, due to the different networks that you have to deal with.

++ Administrative value to your policy rule, in other words, to let a service overrule the ANY rule when needed!! (?)
In some situations, one given rule is more important than any other rule. In some cases I create an 'ANY' rule to the Optional interface, but
while the 'ANY' rule overrules the 'Service' (like SMB; but the FTP (HTTP?) PROXY service overrules the 'ANY' again), I have situations where
I really wish I could have a 'Service' overrule the 'ANY' rule.
Although one of my own workarounds is to create my own service with the complete port range (1-65536), this doesn't give me a
satisfying solution either, especially when you want to pass the IP protocol instead of the TCP/UDP port numbers.

+ Removing locked authenticated MUVPN users (SOLVED WITH WSM 7.3?)
This is a known problem, at least when I was using MSS 6.2. Maybe I missed the note that this problem has been resolved in the new
releases? When you create 'Extended Authentication Groups' MUVPN users, the session on the Firebox will stay up when a user abruptly
disconnects from his VPN session. The session on the Firebox doesn't time out and the only way to free up the sessions is to reboot! Not
acceptable.


+ Create a new service using the IP protocol number (6, 17) (?)
?, exactly. You can create your own New Service when you choose the 'IP' protocol, but it won't work. Like when I create a New Service with the
'IP' 6 (tcp) & 17 (udp) protocol numbers. This way I wanted to create my own 'ANY' service (see my previous story), because instead of
creating a range of port numbers, I would like to specify the protocol number. Well, it's not only 6 & 17.

++ Specifying your own FTP proxy port numbers
I've experienced situations where I wish I could change the default port number (21) into something else. I have created different
workarounds because I couldn't change that freaky port number :) I don't know what the exact reason is and where the difficulties
lie, but I am not interested in replacing my Firebox with a PIX firewall every time only because my customers want to initiate passive
connections on a different port number.

+ Individual user bandwidth usage meter (by IP, authenticated user? please explain)
Both :), most of the time our customers have limited bandwidth. What we really need is to be able to read/tell how much bandwidth an IP
is using (how much traffic it generates). This implementation is really welcome. But I guess I have to wait until SNMP is implemented... (MSS 8.0?)

+ Service session timeout (define per service..?)
Yep, a session timeout that you can specify in a Service policy (and any newly created services). For now you can't do anything with it, and
in my opinion you should. I want the FB to close a session that becomes idle, especially Telnet/SSH sessions. But there were also other
moments where I wished I could close an idle session by timeout.

+ Blocked Sites: add a site to block by hand, or do this from HostWatch
It would be great if I could block a site instantly. Now you have to configure the 'Auto-Block Sites that....'. I wish I could do this
by hand. Of course you can deploy an IDS and integrate it with your Firebox, but this is overkill. Add an IP to block (with the default blocking period).

+ Block a host from trusted/optional >> WAN interface when it makes more than X connections/second, to prevent the Firebox from freezing (Blaster virus).
Now the other way around! First (my thoughts), it looks like marketing/Product Management created a weak point in the system of
the Firebox firewall by _software_-limiting the Firebox's capabilities. I can't imagine any other reason for the unexplainable freezes/lockups of my Firebox firewalls, the old III series and also the new X series. It seems only to happen when the box has to handle too many connections in a very short moment. I think that the engine freezes and stops working.

Well, those are my thoughts. Now what I would like to see is that the firewall could also do the same thing as it does for the External interface, blocking an IP when it makes too many connections from the Trusted/Optional interface (or from interfaces 3, 4 and 5).
The External interface is the untrusted zone, but the untrusted zone could also be behind interface 4 or 5. If it is like that, I want to have the same possibilities of blocking users.
So this means I have to be able to specify for which interface I apply the 'Auto-block sites that attempt to connect via...'; for now this defaults to only the External interface.

+ Allow more than 50 concurrent PPTP VPNs with the new X series.
I think that the Firebox X with its PIII 1.3 GHz can handle more than 50 concurrent :)
Just let us pay for this and activate it with a certificate or something.
Our customers prefer PPTP VPN with tokens over IPSec MUVPN.

+ Record or save all the 'HostWatch' connections; I mentioned this also in ticket xxxxx, after my X1000 froze. Very likely from a PC infected with a virus. That box is doing only routing with public IP addresses (no NAT, no proxy).
This would be great for instant troubleshooting. Recording (saving) the HostWatch connections, and AUTO reconnect when it loses its connection.

- DNS proxy: add your own host record (can be very handy) (in the context of..?)
When a publicly accessible server resides behind the Trusted interface with a private IP range, the Firebox can't create a NAT table entry when the
customer is browsing his own server. Only applicable when a customer doesn't have their own DNS server. Like small schools.

- Change the Java applet 4100 port number into.... and change that logo into my company logo.

- Let the RADIUS attributes pass through to the Firebox PPTP users. I want to assign the DNS and IP by our RADIUS.

There is MUCH more to improve....
But let's first start at the beginning.
All of this is only to make our lives easier... from there, the product is ok. Especially the GUI is a very nicely done job!

For an ISP, WG is just not the product; you are better off with SonicWall, especially with the power of the SGMS system... a _REAL_ great system. This product also has its own flaws, but now we are talking about WG.

DYGobel
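DYGobel's first two points (the automatic 'ANY' rule between tunnel endpoints, and wanting a specific service rule to take precedence over it) come down to first-match ordering: a broad allow placed above specific rules makes those rules dead. The following is an added example, not from the thread and not WatchGuard's policy engine, that evaluates a generic first-match rule list and reports rules an earlier rule swallows. The zone names, rule names and packets are constructed; the shadow check is generalised to any earlier superset rule, not only an ANY rule.

```python
"""First-match policy evaluation with shadowed-rule detection.

Added example (not WatchGuard's engine): shows why an automatically inserted
"ANY" allow between VPN sites makes later, tighter rules unreachable.
Zone names, rule names and packet fields are constructed."""
from dataclasses import dataclass


def _port_range(p):
    """Normalise a port spec ("any", a port, or an inclusive (lo, hi)) to a range."""
    if p == "any":
        return (0, 65535)
    if isinstance(p, int):
        return (p, p)
    return p


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: object  # "any", a port number, or an inclusive (lo, hi) tuple
    name: str

    def matches(self, src, dst, proto, port):
        lo, hi = _port_range(self.port)
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto) and lo <= port <= hi)

    def covers(self, other):
        """True if every packet `other` matches is also matched by self, so
        `other` can never fire when it is placed after self."""
        def wider(mine, theirs):
            return mine == "any" or mine == theirs
        lo, hi = _port_range(self.port)
        olo, ohi = _port_range(other.port)
        return (wider(self.src, other.src) and wider(self.dst, other.dst)
                and wider(self.proto, other.proto) and lo <= olo and ohi <= hi)


def evaluate(rules, src, dst, proto, port, default="deny"):
    """First matching rule wins; anything unmatched gets the default action."""
    for r in rules:
        if r.matches(src, dst, proto, port):
            return r.action, r.name
    return default, "implicit-default"


def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule covers the later one,
    i.e. the later rule is dead. Any earlier superset is reported, not only
    an ANY rule."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(r):
                found.append((r.name, earlier.name))
                break
    return found


# Constructed policy: the tunnel tool inserted an ANY rule at the top and the
# administrator later added specific rules below it.
AUTO_ANY = Rule("allow", "vpn-london", "trusted", "any", "any", "any.london-trusted.auto")
SPECIFIC = [
    Rule("deny",  "vpn-london", "trusted", "tcp", 445, "deny-smb-from-london"),
    Rule("allow", "vpn-london", "trusted", "tcp", 443, "allow-https-from-london"),
    Rule("allow", "vpn-london", "trusted", "udp", 53,  "allow-dns-from-london"),
]
WITH_ANY = [AUTO_ANY] + SPECIFIC   # what the tool produced
LEAST_PRIV = SPECIFIC              # ANY rule removed; everything else is implicit deny

if __name__ == "__main__":
    print("dead rules:", shadowed(WITH_ANY))
    print("SMB from london, tool policy:", evaluate(WITH_ANY, "vpn-london", "trusted", "tcp", 445))
    print("SMB from london, tightened:  ", evaluate(LEAST_PRIV, "vpn-london", "trusted", "tcp", 445))
```

With the auto rule in place every one of the specific rules is reported dead and SMB from the remote site is allowed; with it removed, SMB hits the deny and anything not listed falls to the implicit deny, which is the posture a tunnel to a site you do not fully trust should have.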
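The connection-rate point in the post above (auto-blocking a host that opens too many connections per second, on the trusted and optional interfaces and not only the external one) is the same logic that catches a worm-infected workstation before it takes the box down. The following is an added example, not from the thread and not WatchGuard's auto-block feature: a sliding-window per-source counter replayed over a constructed log, with the set of enforced interfaces as a setting. The log format, interface names, addresses and thresholds are all constructed.

```python
"""Connection-rate auto-block that can be enforced on any interface.

Added example, not WatchGuard's auto-block; the log format, interface names,
addresses and thresholds are constructed for the demonstration."""
from collections import defaultdict, deque


def constructed_log():
    """Synthetic log, one line per new connection:
    '<epoch> <in-iface> <src> -> <dst>:<port>/<proto>'."""
    lines = []
    for i in range(3):       # quiet host: three DNS lookups in a second
        lines.append(f"{1000 + i * 0.1:.2f} trusted 10.1.0.55 -> 10.1.0.1:53/udp")
    for i in range(25):      # worm-like host on the inside scanning 135/tcp, 25 in 0.5 s
        lines.append(f"{1000 + i * 0.02:.2f} trusted 10.1.0.77 -> 198.51.100.{i + 1}:135/tcp")
    for i in range(25):      # external scanner probing inside hosts, 25 in 0.5 s
        lines.append(f"{1001 + i * 0.02:.2f} external 203.0.113.9 -> 10.1.0.{i + 1}:135/tcp")
    return "\n".join(lines)


def parse(line):
    ts, iface, src, _arrow, dst = line.split()
    return float(ts), iface, src, dst


class RateBlocker:
    """Sliding-window per-source connection counter with temporary blocks."""

    def __init__(self, max_per_window=10, window=1.0, block_seconds=1200,
                 interfaces=("external",)):
        self.max_per_window = max_per_window
        self.window = window
        self.block_seconds = block_seconds
        self.interfaces = set(interfaces)   # interfaces where the limit is enforced
        self.recent = defaultdict(deque)    # (iface, src) -> timestamps in the window
        self.blocked = {}                   # src -> block expiry time

    def observe(self, ts, iface, src):
        """Return 'drop' or 'pass' for one new connection attempt from src."""
        expiry = self.blocked.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.blocked[src]           # block has aged out
        if iface not in self.interfaces:
            return "pass"                   # limit not enforced on this interface
        window = self.recent[(iface, src)]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) > self.max_per_window:
            self.blocked[src] = ts + self.block_seconds
            window.clear()
            return "drop"
        return "pass"


def run(log, **settings):
    """Replay a log in timestamp order; returns (src, verdict) per line and the
    sources still blocked at the end."""
    blocker = RateBlocker(**settings)
    events = sorted(parse(line) for line in log.splitlines())
    verdicts = [(src, blocker.observe(ts, iface, src)) for ts, iface, src, _ in events]
    return verdicts, sorted(blocker.blocked)


def drops_for(verdicts, src):
    return sum(1 for s, v in verdicts if s == src and v == "drop")


if __name__ == "__main__":
    log = constructed_log()
    _, external_only = run(log)
    _, both = run(log, interfaces=("external", "trusted"))
    print("enforced on external only, blocked:", external_only)
    print("enforced on external+trusted, blocked:", both)
```

With the default external-only enforcement the inside scanner sails through and only the outside one is blocked; enabling the limit on the trusted interface catches the infected workstation after its eleventh connection in the window while the quiet host is never touched. Tune the threshold against real traffic before turning it on: a busy file server or a DNS resolver legitimately opens far more than ten connections a second.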
 