Thread: Watchguard Firebox from Cisco Pix

amungus (Premium, joined 2004-11-26, America):
So we're getting a Watchguard Firebox (8500) and getting rid of our ol' Pix 515E.
Anyone else use these Fireboxes - opinions?
Have never used Watchguard's products before, but the demo of their software did look interesting.
My biggest concern is setting it up to match all the configurations from the Pix. We have ~70 domain names, a bunch of VPN users, etc. It seems like this is going to take a lot of tedious work to match things up... but I'd like to hear from anyone else who's moved from a Cisco product to one of theirs.

B (Premium, MVM, joined 2000-10-28):
It is the worst router / security appliance I've ever worked with. It's been completely unreliable in my experience.
Our main problem is that IPSec VPN clients, using their provided software, routinely get disabled and can't reconnect until the entire Firebox is rebooted. (I think there's a reason that the "Reboot" button is the most prominent feature of their default web admin interface, and that it doesn't ask for confirmation.) Tech support has been useless.
Recently we noticed that their SMTP proxy (turned on by default even if you don't subscribe to their add-on AV services) doesn't allow messages generated from AOL web mail unless you disable the default line length limit in the proxy.
So be very careful using them for dynamic VPN -- I think most people ignore the per-user-licensed IPSec and just use the free PPTP support (which is of course less desirable). Site-to-site IPSec might (?) be more reliable.
We're presently migrating the site that's stuck with that lemon of a product (the Watchguard Firebox) to a Cisco solution.
-- B -- In a realm outside causality and function

amungus (Premium, joined 2004-11-26, America):
oooh fun...
Have zero need for SMTP proxy.
Can't connect unless it's rebooted??? Prominent feature? Not good. Cisco VPN, though it is a tad bit slow, has been rock solid reliability-wise. A reboot "button" should be as far out of the way as possible, at least with confirmation! Having zero confirmation there is just a little bit frightening.
We are actually looking to do point to point with another site though. This would be in addition to the users who use VPN from home/road.
Well it sounds like this thing will be an adventure then. Better keep that Cisco's config in a safe place. Thing is, I don't have much choice on this one. It will be here this week, and I have to get it going asap.
Any good news?

B (Premium, MVM, joined 2000-10-28):
Uhhh, it's expensive? It boots fairly quickly?
More seriously, the only good news I can think of is that the web interface is relatively straightforward once you get used to it, even though VPN certificate handling is a bit of a mess. (You're probably better off running your own CA on a normal server.)
By the way, I think I'm in the minority on this -- there are lots of satisfied Watchguard users out there, apparently. (Might be a dedicated forum here?) Best of luck.

The WeaseL (Premium, joined 2001-12-03, Sartell, MN):
(reply to amungus) I would highly recommend looking at a Cisco ASA 5505 or 5510 to replace your PIX, not a WatchGuard.
I share similar feelings as B towards them, and migrating to the ASA will be much easier than to the WatchGuard. -- How lucky am I to have known someone who is so hard to say good-bye to.

exocet_cm (Signal 26's Rock, Premium, joined 2003-03-23, New Orleans, LA):
(reply to amungus) I never had a problem with the Watchguard 700, 2500, or when I had one at my house (a SOHO something or another). I liked Watchguard Fireboxes but then I found Untangle Firewall and it changed everything for me (and free too). -- "I have measured out my life with coffee spoons..." - T.S. Eliot Check Out the Tech Bench »johndball.blaize.net/index.php/tech-bench/ Ma blog: »www.johndball.com

donoreo (Premium, joined 2002-05-30, North York, ON):
(reply to amungus) I have used a Firebox III 1000 and an x1250. Both were great. I know that does not help you with your conversion from a PIX. If it helps any, WG does not even have a utility to convert config files from the 1000 to x1250! What a pain that was. I used it as a chance to clean things up a bit and limit outbound traffic to only what was needed. -- The irony of common sense, it is not that common. I cannot deny anything I did not say.

amungus (Premium, joined 2004-11-26, America):
Unfortunately, the option for considering a Cisco device just isn't there for me. The decision was made a little too quickly for my liking. I said, sure it sounds nice, and that was that. No further considerations were taken and the matter was closed before I had a chance to even compare this thing with what Cisco had to offer.
I'd think that, being Cisco, their IOS would be able to handle some configuration transfers rather easily. At the very worst, it'd be a matter of transferring only the relevant parts etc. instead of entering in things
one... line... at.. a. time..
Which is what it sounds like I'll have to do with this firebox. That, or with their gui, we'll see. I have no problem with a gui if its functions are actually usable and not slower and/or worse than doing it the "old fashioned way."
donoreo, No conversion between their own devices?!? ...least there's an opinion here that some of their products aren't total junk 
exocet_cm, Untangle. Wow! Heard of it, but just checked their site. That truly does look very nice. They have what appears to be a pretty solid product. I will definitely keep them in mind for the future!

ftthz (If love can kill hate can also save, joined 2005-10-17):
(reply to amungus) Yeah, Untangle is a nice product.
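The "transfer only the relevant parts" idea in this post, and donoreo's note above about using the move to limit outbound traffic, are the kind of thing a small script handles better than retyping one line at a time. The following is an added example written for this thread, not code from any poster and not a WatchGuard or Cisco tool: it parses a constructed PIX-style config fragment (name, static, access-list and access-group lines; the addresses are documentation ranges) into records, counts what has to be re-entered, and flags permit rules with "any" on both sides so the outbound policy can be tightened during the migration. The regexes cover only the line forms in the sample, which is an assumption about the config being converted.

```python
"""Inventory a Cisco PIX-style configuration before migrating it to another firewall.

Added example, not code from the thread or from WatchGuard/Cisco. It parses a
constructed config fragment into name / static / access-list records so the
relevant parts can be carried over as a unit, and flags overly broad permit
rules (any -> any) that a migration is a good moment to tighten.
"""
import re
from collections import defaultdict

# Constructed sample PIX config (documentation address ranges, not a real site).
SAMPLE_PIX_CONFIG = """\
name 10.0.0.5 mailserver
name 10.0.0.10 webserver
static (inside,outside) 203.0.113.5 mailserver netmask 255.255.255.255
static (inside,outside) 203.0.113.10 webserver netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.5 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list inside_out permit ip any any
access-list inside_out permit tcp any any eq 3389
access-group outside_in in interface outside
access-group inside_out in interface inside
"""

# Only the line forms used above are recognised; other PIX syntax is ignored (assumption).
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def _endpoint(tokens):
    """Consume one address spec (any | host X | addr mask) and an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, rest = "any", tokens[1:]
    elif tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
    else:
        addr, rest = f"{tokens[0]}/{tokens[1]}", tokens[2:]
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port, rest = rest[1], rest[2:]
    return addr, port, rest


def parse_pix(text):
    """Return names, static NAT entries, ACL rules per list, and ACL-to-interface bindings."""
    names, statics, acls, groups = {}, [], defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # symbolic name -> IP
        elif m := STATIC_RE.match(line):
            inside_if, outside_if, global_ip, local = m.groups()
            statics.append({"global": global_ip,
                            "local": names.get(local, local),  # resolve name if defined
                            "interfaces": (inside_if, outside_if)})
        elif m := ACL_RE.match(line):
            acl, action, proto, rest = m.groups()
            src, sport, rest = _endpoint(rest.split())
            dst, dport, _ = _endpoint(rest)
            acls[acl].append({"action": action, "proto": proto, "src": src,
                              "sport": sport, "dst": dst, "dport": dport})
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = (m.group(2), m.group(3))   # acl -> (direction, interface)
    return {"names": names, "statics": statics, "acls": dict(acls), "groups": groups}


def find_permissive(config):
    """Permit rules with 'any' on both sides: candidates to narrow during the migration."""
    flagged = []
    for acl, rules in config["acls"].items():
        bound_if = config["groups"].get(acl, (None, None))[1]
        for r in rules:
            if r["action"] == "permit" and r["src"] == "any" and r["dst"] == "any":
                flagged.append((acl, bound_if, r["proto"], r["dport"]))
    return flagged


def summarize(config):
    """Counts for migration planning: what has to be re-entered on the new box."""
    return {"names": len(config["names"]),
            "statics": len(config["statics"]),
            "rules": sum(len(v) for v in config["acls"].values()),
            "permissive": len(find_permissive(config))}


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_PIX_CONFIG)
    print(summarize(cfg))
    for acl, iface, proto, port in find_permissive(cfg):
        print(f"review: {acl} on {iface}: permit {proto} any any" + (f" eq {port}" if port else ""))
```

Run it against a real `show running-config` dump instead of the sample and the summary tells you how many objects the new box needs before you start; the flagged list is the outbound "permit ip any any" style rules worth replacing with explicit services, which is exactly the clean-up donoreo describes.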

B (Premium, MVM, joined 2000-10-28):
(reply to exocet_cm) It seems the satisfied users may be using the older boxes and/or the higher end models. My disastrous experience is with a Firebox X Edge X20e.
On Untangle, I previously noted at »Re: [Need Info] In need of work related net access restriction p that its commercial pricing is about as high as that of the "big boys" -- $150 per month for a small office?? -- so I stopped looking at it.
For those who rely only on the free version of Untangle, does it do everything you need, comparable to a full bore SonicWall, ASA, or (ugh) Firebox? Can it be deployed AND managed at multiple sites? What kind of roaming VPN use does it support? How are updates for the various bolt-on features (AV, AS, content filtering, etc.) handled?
(Mods, please feel free to split this off if it generates any interesting replies...)

ftthz (If love can kill hate can also save, joined 2005-10-17):
From the last time I tried it, it didn't have QoS, so for websites or P2P you either block it entirely or not at all. I think that if you set a timer you can unblock certain websites like YouTube or Facebook during lunch hours if people still wanted to access those sites from work. For a free product it was a nice / cheap solution.

freebird317 (Premium, joined 2004-02-23, Portland, OR):
(reply to exocet_cm) said by exocet_cm:
"I never had a problem with the Watchguard 700, 2500, or when I had one at my house (a SOHO something or another). I liked Watchguard Fireboxes but then I found Untangle Firewall and it changed everything for me (and free too)"
»www.untangle.com/ looks very cool, thanks

GlazedHam (joined 2004-04-28, Milford, CT):
(reply to amungus) We moved from a Cisco PIX 515 to a SonicWALL Pro 2040 and it works real nice.
I also used Watchguard in the past and they are not even close to as good as the SonicWALL.

B (Premium, MVM, joined 2000-10-28):
(reply to amungus) Just in case you think I'm exaggerating, here's a screen shot of the main administrator login. Which button does Watchguard think is the most used feature of their shiny red "security" appliance?
It's a sad, bad product. And expensive. Stay away. I'd take a Linksys or even Netgear over this thing any day of the week.

gudel (System Lord, joined 2004-06-03, Santa Barbara, CA):
(reply to amungus) I use the Fireware management software, not the web interface. Overall I'm very pleased with the performance of the X1000.
No problem here.

bilbus (@comcast.net):
firebox Edge is not the same thing as a core ...
Edge is a low end product made for VERY small offices.
Core is their small to mid office product.
I have an x750; the only problem I have had is with site to site IPsec tunnels.
I do wish they would have a web based administration interface .. the WSM is nice .. just annoying if you don't have it installed.

Jahntassa (What, I can have feathers, joined 2006-04-14, Conyers, GA):
(reply to amungus) I have an X700 (replaced with a SW 1260 PRO), an X Edge, and quite a few SOHO6s that have been retired.
The X700 was a pain because anytime I changed something, I had to reboot, or random bits would just stop working. Most usually the Mobile VPN users would get hosed and wouldn't acquire an IP on the virtual adapter.
The Fireware Pro software was vaguely nice, along with the logreader, but I don't know how the new ones operate. We moved on to Sonicwall and I'm happily using their central management system.

B (Premium, MVM, joined 2000-10-28):
(reply to amungus) Right, so is 3 users "VERY" small enough for the feeble X Edge series? Because it can't handle it.
Sorry to hear that the bigger models can't even do site to site VPN as well as a $50 SMC or Linksys -- I know that the Mobile User VPN doesn't work for #*($% on the smaller Watchguard models, but haven't had the misfortune to try site to site.
So, somewhat to my surprise, it seems the consensus is that Watchguard really does suck all around. Thanks for the input folks.
To amungus, again, best of luck. All I can suggest is that you keep it very simple and stay away from anything to do with IPSec -- these boxes just aren't very good. Perhaps you'll get lucky.

mikemsd (joined 2003-04-08, Oakland, TN):
(reply to amungus) We use a Firebox Peak X5500e. No problems with it. Have never been prompted for a reboot. The IPSec tunnels are a little awkward to configure, but it seems once they get running they usually stay running. If you are using the web interface regularly, I can see how you would get frustrated though. I have an Edge series at my house with the web interface and it's a pain to configure. WSM is really the way to go.
I don't know why everyone likes Sonicwall. We used to have a Pro 3060 and it seemed like it was always having issues. I thought the web interface was clunky. I'd much rather configure things in a GUI Client and just upload them all at once rather than having to work my way through a bunch of choppy rules one at a time.

B (Premium, MVM, joined 2000-10-28):
Oh I've never been "prompted" for a reboot either. It's just that it keeps locking remote users out until I reboot. (And no, it's not a licensing issue. Been through everything with tech support and they say there's nothing they can do.) Have you had luck with, specifically, the "MUVPN" software for mobile users?