WatchGuard Firebox M440 review

The Firebox M440 shows big performance needn’t cost a king’s ransom

Editor's Choice
  • Superb value; Top performance; Extensive security measures, High port density, Integral wireless gateway controller
  • Proxy setup takes practice

With its fire-engine red chassis you can't miss a WatchGuard security appliance but the Firebox M440 is an eye-catcher for a number of other good reasons. It's designed to help big businesses enforce custom security policies across multiple network segments but without complicating the process.

This 1U rack appliance is stuffed with ports as it offers 25 copper Gigabit and two 10-GbE SFP+ ports. For a sub-10K appliance, it's a powerful beast as well with WatchGuard claiming a top 6.7Gbits/sec firewall throughput and 1.6Gbits/sec for UTM.

It's excellent value, too. A three-year LiveSecurity subscription activates the firewall, VPNs, HTTPS inspection plus full customer support and has an RRP of 4,942 ex VAT.

An NGFW subscription adds IPS and application controls and takes the total price to 6,798 while WatchGuard's Security Suite pushes the total to 8,449 and activates web content filtering, anti-spam, gateway anti-virus and WatchGuard's reputation enabled defence. You can also add WatchGuard's optional advanced persistent threat (APT) blocker and data leak prevention (DLP) services.

The appliances' ports are easily configured and can have custom security policies applied to them

WatchGuard's port-fest

We found the M440 very easy to deploy. The tidy web interface runs a wizard to secure the appliance and get basic Internet access running on an external port along with DHCP services on your first trusted interface.

The M440 supports three operational modes and we recommend the mixed routing mode - it's the most flexible as it allows all ports to be defined as separate interfaces. Configuring the remaining ports is a cinch as we defined them as external, trusted, optional or custom and added DHCP services on selected trusted ports. 

It's worth giving each port an alias as it makes it easier to assign firewall policies. Along with choosing which traffic to control, you assign policies to source and destination ports which could, for example, be all trusted and external ports or just specific ones.

The HTTP proxy is used to apply web filtering actions and WatchGuard provides 130 URL categories

Proxy practice

The M440 uses proxies for all security services where we created firewall rules for each one defining the interfaces they applied to and their actions. There are plenty to choose as you have proxies for HTTP, HTTPS, FTP, SIP, H.323, POP3 and SMTP.

We recommend practicing proxy configuration as it can initially be a bit of a fiddle to get them working. First, you view the predefined actions for each proxy and clone them for use in your own policies. 

To apply web filtering, we cloned the HTTP Client action and tweaked functions such as web caching, deny messages, alerting and so on. Next, we selected the WebBlocker subscription service and created a filtering action for it by choosing from 130 Websense categories to block or allow.

Now we could link our WebBlocker action with the policy, activate it with a firewall rule and choose which source and destination ports it should apply to. It sounds complicated but it gets easier with time and we could create a wide range of web filtering policies and apply them to different network segments.

The built-in FireWatch app provides a handy graphical chart showing the top activities on your network

More proxy action

For anti-spam, we cloned a POP3 client action from the spamBlocker service and configured it to tag messages classed as spam', suspect' and bulk'. Gateway anti-virus can be enabled on selected policies while APT scans incoming files and checks their MD5 hash with the LastLine cloud service to see if they're known malware. 

The optional DLP service includes predefined sensors for HIPPA and PCI but we could easily create our own. DLP can be enabled on the HTTP, FTP and SMTP proxies where it checks for specific keywords and drops the connection while for email, it can strip keywords out or quarantine the entire message.

The M440 can function as a central wireless controller for WatchGuard's own APs and its central group of eight Gigabit ports are PoE enabled. Pairing a WatchGuard AP200 with the M440's wireless gateway controller allowed us to assign SSIDs to its 2.4GHz and 5GHz radios, enforce wireless security and apply separate proxy policies to the port it was connected it.

The lab's Ixia Xcellon-Ultra NP blades recorded a steady 1.6Gbits/sec HTTP throughput with UTM enabled

Ixia performance tests

To test real world performance, we used the lab's Ixia Xcellon Ultra-NP network load modules and configured the IxLoad control software to generate 512KB HTTP web pages. With the load modules connected to the M440's 10GbE ports and a basic HTTP firewall policy applied to them, we saw an average HTTP throughput of 3.5Gbits/sec.

With gateway AV scanning activated in the policy, throughput dropped to 2.4Gbits/sec slightly more than WatchGuard claims. With AV turned off and IPS enabled we recorded an average of 2Gbits/sec a little less than the quoted figure of 2.2Gbits/sec.

To test UTM performance we enabled both AV and IPS and saw throughput settle at a steady 1.6Gbits/sec thus confirming WatchGuard's own speeds. This is the maximum achievable as appliance CPU usage was maxed out at 100 per cent for all tests.


Along with a superb range of security features, the M440 looks top value as it costs significantly less than SonicWALL's E-Series NSA 6500. Its high port count makes it easy to enforce custom security policies on different network segments and its integral wireless gateway allows these to be applied just as easily to wireless clients.


The Firebox M440 is a versatile security appliance that beats the competition soundly on value. Security features are excellent and our lab tests confirm it delivers on WatchGuard’s performance promises.

Chassis: 1U rack

Network: 25 x Gigabit, 2 x 10GbE SFP+ (PoE on ports 9-16)

Other ports: 2 x USB2, RJ-45 serial port

Power: Hot-plug 500W PSU, (optional redundant PSU)

Management: Web browser

Warranty: 1yr advanced hardware replacement 

Options: 3-year subscriptions: APT, £2,979; DLP, £1,438 (all ex VAT)

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021