WatchGuard Firebox M670 review: Dazzling value

A class security act at a very competitive price

Reviews
By Dave Mitchell
published

IT Pro Verdict

A very affordable choice for mid-sized businesses, the Firebox M670 is surprisingly easy to deploy and teams up top performance with an amazing range of security measures

Pros

  • +

    Top performance and value; Extensive security measures; Free management software; Choice of expansion modules; New SD-WAN service

Cons

  • -

    Nothing to complain about at this price

Stepping in at the top of WatchGuard's family of mid-range security appliances, the Firebox M670 delivers an impressively high performance at a low price. Targeting medium-sized businesses and distributed enterprises, the M670 boasts a raw firewall throughput of 34Gb/sec, dropping to 5.4Gb/sec with all security engines fired up.

This 1U rack appliance comes with eight Gigabit ports and the single expansion bay to the right accepts a range of sensibly-priced modules. WatchGuard offers ones with eight copper or fibre Gigabit plus a quad-port 10GbE fibre module which costs 1,163 exc VAT.

High availability is also on the cards; you can team up two M670 appliances as an active/passive pair. WatchGuard sweetens the deal as it's currently offering a 50% price reduction on the second appliance.

WatchGuard Firebox M670 review: Security features and options

WatchGuard Firebox T55-W review WatchGuard Firebox T15 review WatchGuard Firebox M270 review: Top-notch security, rock-bottom price

The M670 is packed to the gills with security features and WatchGuard offers a range of flexible licensing schemes. The Basic Security Suite subscription is available for one or three year periods and enables antivirus, antispam, web filtering, HTTPS inspection, IPS, application controls and WatchGuard's RED (reputation enabled defence) cloud URL filtering service.

We've priced up our review appliance with a full 3-year Total Security Suite (TSS) subscription, which adds WatchGuard's advanced persistent threat (APT) blocker plus data leak prevention (DLP) services and teams them up with a Gold 24/7 support contract. All subscriptions include the gateway antivirus service which the TSS augments with WatchGuard's IntelligentAV that employs the Cylance AI-based engine for signature-less malware scanning.

You get WatchGuard's DNSWatch service which monitors client DNS requests and blocks access to known malicious domains. The latest Fireware 12.3 software also adds secure software defined WAN (SD-WAN) services as a standard feature across all Firebox appliances.

WatchGuard Firebox M670 review: Installation and management

It may be big on features, but we found the M670 as easy to deploy as WatchGuard's small business appliances. On first contact, the web console runs a quick start wizard to secure admin access and get Internet access enabled on the default WAN port along with DHCP services on the first trusted LAN interface.

The wizard defaults to mixed-mode routing which allows all network ports to be defined as separate interfaces. Configuring the remaining ports is simple: we defined them as external, trusted, optional or custom and added DHCP services on selected trusted ports.

WatchGuard's smart browser interface opens with an informative dashboard. It provides a breakdown of traffic for the top clients, web destinations, policies and applications with options to drill down for more detail.

Triple-play management is available as along with the appliance's web console, you can install WatchGuard's free System Manager (WSM) suite on a separate Windows host to provide central management, logging and reporting services. We run WatchGuard's Dimension (also free) as a Hyper-V VM in the lab and securely linked it with the M670 by importing a configuration file into the appliance. Once accepted, we used the Dimension web console to view appliance utilisation, an executive dashboard, policy activity graphs and a global threat map.

WatchGuard Firebox M670 review: Rules and proxies

The Fireware software employs proxies to enforce security and these are provided for HTTP, HTTPS, FTP, SIP, IMAP, POP3 and SMTP. We found proxy configuration pleasantly simple as wizards help create firewall rules and policy actions for each one.

Configuring the WebBlocker service is a swift three step process. You can choose from over 180 URL categories, decide which ones to block or log, enable filtering for HTTP and HTTPS traffic and leave the wizard to sort out the firewall rules.

Anti-spam measures can be applied to SMTP traffic inbound to an internal mail server and it can transparently scan POP and IMAP mail. For the POP3 proxy, we set the service to tag dubious messages as 'bulk', suspect' or 'spam' and enabled the virus outbreak detection option which strips out infected attachments.

Gateway AV scanning can be enabled on selected proxies and you'll need this running if you want to use the APT service. This scans inbound files, creates MD5 hashes and checks them with the LastLine cloud service to see if they're known malware.

WatchGuard Firebox M670 review: SD-WANs and more

For the SD-WAN service, you designate multiple ports as external interfaces, link them together with rules and use packet loss, latency or jitter thresholds to determine routing decisions and failover. Along with options to dynamically route sensitive traffic such as VoIP through high-bandwidth WAN links, you have the added bonus that unlike many SD-WAN point solutions, you won't have the additional expense of securing them.

DNSWatch is activated with one click and once it had registered with the WatchGuard cloud service, we could set enforcement on all network interfaces or just selected ones. We triggered this during testing and received email alerts advising us that access to some dodgy domains had been blocked along with a link to view more detail in WatchGuard's cloud portal.

Application awareness controls access to hundreds of apps and has eleven entries for Facebook alone. DLP is another easy one to configure and uses predefined and custom rules on the HTTP, FTP and SMTP proxies to check for keywords such as social security or credit card numbers.

WatchGuard Firebox M670 review: Verdict

The Firebox M670 is an impressive appliance as it delivers a superb range of security measures at a price that easily beats much of the big-name competition for value. The new SD-WAN feature adds even more versatility and value gets even better as WatchGuard includes all appliance and security policy management software for free and not as chargeable options.

Verdict

A very affordable choice for mid-sized businesses, the Firebox M670 is surprisingly easy to deploy and teams up top performance with an amazing range of security measures

Chassis: 1U rack

Memory: 8GB RAM

Network: 8 x Gigabit

Expansion: 1 x module bay

Other ports: 2 x USB 2, RJ-45 serial

Power: 1 x internal PSU

Management: Web browser, WatchGuard WSM/Dimension/Command

Warranty: 3-year advanced hardware replacement

Optional modules: 8 x 1GbE copper, £830; 8 x 1GbE fibre, £996; 4 x 10GbE fibre, £1,163 (all exc VAT)

Dave Mitchell
Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.