WatchGuard Firebox M5600 review

WatchGuard’s Firebox M5600 delivers enterprise-grade network security and beats the rest on price

IT Pro RecommendedWatchGuard Firebox m5600 front and rear
Price
£70,707
  • Top security measures; High firewall throughput; Good value; Easy deployment; Optional 40GbE ports
  • Noisy cooling system; Older Xeon CPU

Enterprise network security usually costs a king's ransom but WatchGuard's Firebox M5600 bucks the trend by delivering a wealth of features at a more palatable price. It may only be a 1U rack appliance but it's plenty powerful, with WatchGuard claiming a 60Gbits/sec firewall throughput and 11Gbits/sec with all UTM services enabled.

Targeting distributed environments of up to 7,500 users, the M5600 offers a versatile range of port options. The appliance has four expansion slots at the front and comes with the eight copper Gigabit and quad 10GbE SFP+ port modules as standard.

The two spare slots accept any module so you can add eight more 10GbE ports if you wish. However, the clincher is WatchGuard's dual-port 40GbE fibre module, as few competing vendors offer this as an option.

The M5600 is powered by elderly 10-core 2.8GHz E5-2680 v2 Xeon CPU teamed up with 16GB of DDR3 memory, while internal storage is handled by a 2GB CFast card and 250GB LFF SATA hard disk. Dual 400W PSUs come as standard, as do four hot-plug fan modules - but this combination produces annoyingly loud noise levels.

WatchGuard Firebox m5600 web console

Price 

The price may initially seem steep but it looks a lot more appealing when stacked up against the competition. The price we've shown includes the M5600 appliance and a full three-year subscription to the Total Security Suite, which activates everything WatchGuard has to offer.

Advertisement
Advertisement - Article continues below

Along with the firewall, VPNs and 24x7 Gold LiveSecurity support, it enables IPS, web content filtering, anti-spam, gateway anti-virus, application controls and HTTPS inspection, plus WatchGuard's reputation enabled defence, advanced persistent threat (APT) blocker service and data leak prevention (DLP) module.

There's more; WatchGuard's RED (reputation enabled defence) service is included for increased web protection. Web access requests send the URL in question to WatchGuard's RED cloud servers where they score it and instruct the appliance to either allow or block it.

To put the outlay into perspective, SonicWALL's top-of-the-line SuperMassive 9800 2U appliance (its E10xxx range recently went on EOL notice) starts at over 46K just for the hardware. Add in a three-year subscription to its Comprehensive Gateway Security Suite and the price jumps to nearly 100K.

WatchGuard Firebox m5600 web console subscription activity

Deployment

The M5600 is very easy to deploy, as the web interface fires up a wizard to secure administrative access and get Internet access running on an external port along with DHCP services on your first trusted interface. Three operational modes are available and we opted for the mixed routing mode as it's the most versatile.

This mode allows all ports to be defined as separate interfaces where we could set them as external, trusted, optional or custom and add DHCP services on selected trusted ports. Port aliases streamline further configuration and we used these to assign multiple firewall policies to source and destination ports.

WatchGuard uses proxies to handle all traffic and includes ones for HTTP, HTTPS, FTP, SIP, IMAP, POP3 and SMTP. The relationship between proxies and actions takes a little while to get the hang of, but on first access, the web console provides a wizard for each one.

Enforcing web content filtering using the WebBlocker service was a three-step process. We chose from over 120 URL categories, applied HTTP and HTTPS filtering and on completion, the wizard created a new firewall rule.

WatchGuard Firebox m5600 web console firewall policies

Proxies

Mail security is handled by the spamBlocker service, and to use it we set up the POP3 proxy to tag messages classed as spam, suspect and bulk. It's very effective: in live tests of other WatchGuard appliances, we've seen spam detection rates of 97-98 percent with no false positives.

Within selected policies, we could enable IPS and apply allow, drop or block actions based on five threat levels. Gateway AV is a cinch to set up - you enable it on selected policies and choose actions for virus detections, scan errors, oversized files and encrypted files.

You'll need to enable gateway AV if you want to apply APT protection. As files come in to the network, it scans them, creates an MD5 hash and checks the LastLine cloud service to see if they're known malware.

Advertisement
Advertisement - Article continues below

WatchGuard's application awareness controls access to hundreds of apps and has eleven entries for Facebook alone. DLP is another easy one to configure and uses predefined and custom rules on the HTTP, FTP and SMTP proxies to check for keywords such as credit card or social security numbers.

Dimension provides centralized management for all your WatchGuard security appliances

Security and management

The mobile security service queries Android and iOS devices and blocks access if they don't meet the minimum OS level. To use it on iOS devices, we loaded the free WatchGuard FireClient app and could then set blocking policies for any devices not running the latest OS version.

You can use the M5600 to centrally manage wireless networks that employ WatchGuard's own APs. Once paired with the appliance, they take all their settings from it and you can apply selected security policies to wireless traffic.

The appliance's web console provides plenty of detail about all activity and we also used WatchGuard's Dimension software on our Hyper-V host for centralized monitoring. It provides an impressive amount of information such as global threat maps and security service graphs and with Dimension Command activated, you can only log in to an appliance's web console from Dimension's interface.

Verdict

Considering the price of the hardware, we would have liked a newer Xeon CPU and more memory (plus quieter fans) but performance is impressive and there's no denying the M5600's security credentials. WatchGuard offers a wealth of easily managed enterprise-grade security services at a price the competition will have trouble matching.

Verdict

WatchGuard’s flagship M5600 UTM appliance is a great choice for enterprises that want tough and easily deployed network security at a more sensible price

As reviewed

Chassis: 1U rack CPU: 2.8GHz Intel Xeon E5-2680 v2 Memory: 16GB DDR3 Storage: 2GB CFast 3SE SATA card, 250GB LFF SATA HDD Network: 8 x Gigabit, 4 x 10GbE SFP+ Expansion: 4 x module slots (2 free) Other ports: Gigabit management, 2 x USB 2, RJ-45 serial Power: 2 x 400W hot-plus PSUs Management: Web browser, WatchGuard Dimension/Command Warranty: 3-year advanced hardware replacement

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/server-storage/34260/hpe-proliant-dl20-gen10-review-compact-and-bijou
Server & storage

HPE ProLiant DL20 Gen10 review: Compact and bijou

31 Aug 2019
Visit/server-storage/34108/broadberry-cyberserve-xeon-sp2-r1208-review-a-beast-of-a-server
Server & storage

Broadberry CyberServe Xeon SP2-R1208 review

30 Jul 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019