WatchGuard Firebox M5600 review

WatchGuard’s Firebox M5600 delivers enterprise-grade network security and beats the rest on price

IT Pro RecommendedWatchGuard Firebox m5600 front and rear
Price
£70,707
  • Top security measures; High firewall throughput; Good value; Easy deployment; Optional 40GbE ports
  • Noisy cooling system; Older Xeon CPU

Enterprise network security usually costs a king's ransom but WatchGuard's Firebox M5600 bucks the trend by delivering a wealth of features at a more palatable price. It may only be a 1U rack appliance but it's plenty powerful, with WatchGuard claiming a 60Gbits/sec firewall throughput and 11Gbits/sec with all UTM services enabled.

Targeting distributed environments of up to 7,500 users, the M5600 offers a versatile range of port options. The appliance has four expansion slots at the front and comes with the eight copper Gigabit and quad 10GbE SFP+ port modules as standard.

Advertisement - Article continues below

The two spare slots accept any module so you can add eight more 10GbE ports if you wish. However, the clincher is WatchGuard's dual-port 40GbE fibre module, as few competing vendors offer this as an option.

The M5600 is powered by elderly 10-core 2.8GHz E5-2680 v2 Xeon CPU teamed up with 16GB of DDR3 memory, while internal storage is handled by a 2GB CFast card and 250GB LFF SATA hard disk. Dual 400W PSUs come as standard, as do four hot-plug fan modules - but this combination produces annoyingly loud noise levels.

WatchGuard Firebox m5600 web console

Price 

The price may initially seem steep but it looks a lot more appealing when stacked up against the competition. The price we've shown includes the M5600 appliance and a full three-year subscription to the Total Security Suite, which activates everything WatchGuard has to offer.

Advertisement
Advertisement - Article continues below

Along with the firewall, VPNs and 24x7 Gold LiveSecurity support, it enables IPS, web content filtering, anti-spam, gateway anti-virus, application controls and HTTPS inspection, plus WatchGuard's reputation enabled defence, advanced persistent threat (APT) blocker service and data leak prevention (DLP) module.

Advertisement - Article continues below

There's more; WatchGuard's RED (reputation enabled defence) service is included for increased web protection. Web access requests send the URL in question to WatchGuard's RED cloud servers where they score it and instruct the appliance to either allow or block it.

To put the outlay into perspective, SonicWALL's top-of-the-line SuperMassive 9800 2U appliance (its E10xxx range recently went on EOL notice) starts at over 46K just for the hardware. Add in a three-year subscription to its Comprehensive Gateway Security Suite and the price jumps to nearly 100K.

WatchGuard Firebox m5600 web console subscription activity

Deployment

The M5600 is very easy to deploy, as the web interface fires up a wizard to secure administrative access and get Internet access running on an external port along with DHCP services on your first trusted interface. Three operational modes are available and we opted for the mixed routing mode as it's the most versatile.

This mode allows all ports to be defined as separate interfaces where we could set them as external, trusted, optional or custom and add DHCP services on selected trusted ports. Port aliases streamline further configuration and we used these to assign multiple firewall policies to source and destination ports.

Advertisement - Article continues below

WatchGuard uses proxies to handle all traffic and includes ones for HTTP, HTTPS, FTP, SIP, IMAP, POP3 and SMTP. The relationship between proxies and actions takes a little while to get the hang of, but on first access, the web console provides a wizard for each one.

Enforcing web content filtering using the WebBlocker service was a three-step process. We chose from over 120 URL categories, applied HTTP and HTTPS filtering and on completion, the wizard created a new firewall rule.

WatchGuard Firebox m5600 web console firewall policies

Proxies

Mail security is handled by the spamBlocker service, and to use it we set up the POP3 proxy to tag messages classed as spam, suspect and bulk. It's very effective: in live tests of other WatchGuard appliances, we've seen spam detection rates of 97-98 percent with no false positives.

Advertisement
Advertisement - Article continues below

Within selected policies, we could enable IPS and apply allow, drop or block actions based on five threat levels. Gateway AV is a cinch to set up - you enable it on selected policies and choose actions for virus detections, scan errors, oversized files and encrypted files.

Advertisement - Article continues below

You'll need to enable gateway AV if you want to apply APT protection. As files come in to the network, it scans them, creates an MD5 hash and checks the LastLine cloud service to see if they're known malware.

WatchGuard's application awareness controls access to hundreds of apps and has eleven entries for Facebook alone. DLP is another easy one to configure and uses predefined and custom rules on the HTTP, FTP and SMTP proxies to check for keywords such as credit card or social security numbers.

Dimension provides centralized management for all your WatchGuard security appliances

Security and management

The mobile security service queries Android and iOS devices and blocks access if they don't meet the minimum OS level. To use it on iOS devices, we loaded the free WatchGuard FireClient app and could then set blocking policies for any devices not running the latest OS version.

You can use the M5600 to centrally manage wireless networks that employ WatchGuard's own APs. Once paired with the appliance, they take all their settings from it and you can apply selected security policies to wireless traffic.

Advertisement - Article continues below

The appliance's web console provides plenty of detail about all activity and we also used WatchGuard's Dimension software on our Hyper-V host for centralized monitoring. It provides an impressive amount of information such as global threat maps and security service graphs and with Dimension Command activated, you can only log in to an appliance's web console from Dimension's interface.

Verdict

Considering the price of the hardware, we would have liked a newer Xeon CPU and more memory (plus quieter fans) but performance is impressive and there's no denying the M5600's security credentials. WatchGuard offers a wealth of easily managed enterprise-grade security services at a price the competition will have trouble matching.

Verdict

WatchGuard’s flagship M5600 UTM appliance is a great choice for enterprises that want tough and easily deployed network security at a more sensible price

As reviewed

Chassis: 1U rack CPU: 2.8GHz Intel Xeon E5-2680 v2 Memory: 16GB DDR3 Storage: 2GB CFast 3SE SATA card, 250GB LFF SATA HDD Network: 8 x Gigabit, 4 x 10GbE SFP+ Expansion: 4 x module slots (2 free) Other ports: Gigabit management, 2 x USB 2, RJ-45 serial Power: 2 x 400W hot-plus PSUs Management: Web browser, WatchGuard Dimension/Command Warranty: 3-year advanced hardware replacement

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Australia announces $1.35 billion investment in cyber security
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
CSA and ISSA form cyber security partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020