WatchGuard Firebox M5600 review
WatchGuard’s Firebox M5600 delivers enterprise-grade network security and beats the rest on price
Enterprise network security usually costs a king's ransom but WatchGuard's Firebox M5600 bucks the trend by delivering a wealth of features at a more palatable price. It may only be a 1U rack appliance but it's plenty powerful, with WatchGuard claiming a 60Gbits/sec firewall throughput and 11Gbits/sec with all UTM services enabled.
Targeting distributed environments of up to 7,500 users, the M5600 offers a versatile range of port options. The appliance has four expansion slots at the front and comes with the eight copper Gigabit and quad 10GbE SFP+ port modules as standard.
The two spare slots accept any module so you can add eight more 10GbE ports if you wish. However, the clincher is WatchGuard's dual-port 40GbE fibre module, as few competing vendors offer this as an option.
The M5600 is powered by elderly 10-core 2.8GHz E5-2680 v2 Xeon CPU teamed up with 16GB of DDR3 memory, while internal storage is handled by a 2GB CFast card and 250GB LFF SATA hard disk. Dual 400W PSUs come as standard, as do four hot-plug fan modules - but this combination produces annoyingly loud noise levels.
The price may initially seem steep but it looks a lot more appealing when stacked up against the competition. The price we've shown includes the M5600 appliance and a full three-year subscription to the Total Security Suite, which activates everything WatchGuard has to offer.
Along with the firewall, VPNs and 24x7 Gold LiveSecurity support, it enables IPS, web content filtering, anti-spam, gateway anti-virus, application controls and HTTPS inspection, plus WatchGuard's reputation enabled defence, advanced persistent threat (APT) blocker service and data leak prevention (DLP) module.
There's more; WatchGuard's RED (reputation enabled defence) service is included for increased web protection. Web access requests send the URL in question to WatchGuard's RED cloud servers where they score it and instruct the appliance to either allow or block it.
To put the outlay into perspective, SonicWALL's top-of-the-line SuperMassive 9800 2U appliance (its E10xxx range recently went on EOL notice) starts at over 46K just for the hardware. Add in a three-year subscription to its Comprehensive Gateway Security Suite and the price jumps to nearly 100K.
The M5600 is very easy to deploy, as the web interface fires up a wizard to secure administrative access and get Internet access running on an external port along with DHCP services on your first trusted interface. Three operational modes are available and we opted for the mixed routing mode as it's the most versatile.
This mode allows all ports to be defined as separate interfaces where we could set them as external, trusted, optional or custom and add DHCP services on selected trusted ports. Port aliases streamline further configuration and we used these to assign multiple firewall policies to source and destination ports.
WatchGuard uses proxies to handle all traffic and includes ones for HTTP, HTTPS, FTP, SIP, IMAP, POP3 and SMTP. The relationship between proxies and actions takes a little while to get the hang of, but on first access, the web console provides a wizard for each one.
Enforcing web content filtering using the WebBlocker service was a three-step process. We chose from over 120 URL categories, applied HTTP and HTTPS filtering and on completion, the wizard created a new firewall rule.
Mail security is handled by the spamBlocker service, and to use it we set up the POP3 proxy to tag messages classed as spam, suspect and bulk. It's very effective: in live tests of other WatchGuard appliances, we've seen spam detection rates of 97-98 percent with no false positives.
Within selected policies, we could enable IPS and apply allow, drop or block actions based on five threat levels. Gateway AV is a cinch to set up - you enable it on selected policies and choose actions for virus detections, scan errors, oversized files and encrypted files.
You'll need to enable gateway AV if you want to apply APT protection. As files come in to the network, it scans them, creates an MD5 hash and checks the LastLine cloud service to see if they're known malware.
WatchGuard's application awareness controls access to hundreds of apps and has eleven entries for Facebook alone. DLP is another easy one to configure and uses predefined and custom rules on the HTTP, FTP and SMTP proxies to check for keywords such as credit card or social security numbers.
Security and management
The mobile security service queries Android and iOS devices and blocks access if they don't meet the minimum OS level. To use it on iOS devices, we loaded the free WatchGuard FireClient app and could then set blocking policies for any devices not running the latest OS version.
You can use the M5600 to centrally manage wireless networks that employ WatchGuard's own APs. Once paired with the appliance, they take all their settings from it and you can apply selected security policies to wireless traffic.
The appliance's web console provides plenty of detail about all activity and we also used WatchGuard's Dimension software on our Hyper-V host for centralized monitoring. It provides an impressive amount of information such as global threat maps and security service graphs and with Dimension Command activated, you can only log in to an appliance's web console from Dimension's interface.
Considering the price of the hardware, we would have liked a newer Xeon CPU and more memory (plus quieter fans) but performance is impressive and there's no denying the M5600's security credentials. WatchGuard offers a wealth of easily managed enterprise-grade security services at a price the competition will have trouble matching.
WatchGuard’s flagship M5600 UTM appliance is a great choice for enterprises that want tough and easily deployed network security at a more sensible price
Chassis: 1U rack CPU: 2.8GHz Intel Xeon E5-2680 v2 Memory: 16GB DDR3 Storage: 2GB CFast 3SE SATA card, 250GB LFF SATA HDD Network: 8 x Gigabit, 4 x 10GbE SFP+ Expansion: 4 x module slots (2 free) Other ports: Gigabit management, 2 x USB 2, RJ-45 serial Power: 2 x 400W hot-plus PSUs Management: Web browser, WatchGuard Dimension/Command Warranty: 3-year advanced hardware replacement
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now