Watchguard Firebox M300 review
WatchGuard is on a mission to bring enterprise-level security to SMBs
High prices for UTM security appliances mean many SMBs aren't getting the protection they need which leaves them potentially vulnerable to cyber-criminals who are increasingly targeting smaller companies. Watchguard's latest Firebox appliances aim to put this right by delivering a wealth of security measures at a price SMBs can afford.
Clothed in Watchguard's customary fire-engine red chassis, the Firebox M300 has eight Gigabit Ethernet ports and claimed raw firewall speeds of 4Gbits/sec. Enabling its HTTP proxy plus IPS and gateway AV services drops this to 800Mbits/sec - still very respectable for an appliance at this price point.
A Standard Support subscription (formerly called Live Security) includes the appliance, hardware warranty, updates plus tech support and costs 2,117 for 3 years. This also includes Watchguard's System Manager and Dimension management software.
A Standard Support subscription only includes firewall and VPN capabilities. A 3-year Security Suite subscription pushes the price to 3,610 and augments the SPI firewall with web filtering, anti-spam, gateway anti-virus, IPS, application controls and WatchGuard's 'reputation enabled defence'. The M300 also supports Watchguard's optional data leak prevention (DLP) and advanced persistent threat (APT) blocker services.
The appliance's well-designed web interface makes management a simple process
Deployment was quick as we followed the web console's wizard which helped set up the first two network ports with Internet and LAN access. It enabled DHCP services on the LAN side and applied a base set of security policies.
It defaults to the mixed routing mode which is our preferred mode of operation. This allowed us to configure each port on the M300 as separate interfaces each with their own IP address and DHCP services if required.
When configuring the remaining ports, we could designate them as external, trusted, optional or custom and give each one an alias. It's worth taking a moment to get this right as it'll make creating firewall policies a lot easier.
The new wizards made light work of creating proxy actions for the WebBlocker filtering service
Watchguard's proxies are employed by all the security services but this is one feature we've always griped about as new users will find them complex to set up. You have proxies for HTTP, HTTPS, FTP, SIP, H.323, POP3 and SMTP.
It's now a lot quicker as a setup wizard handles cloning the predefined proxy actions and applying them to your security policy. For the WebBlocker filtering service, we gave the new HTTP Client action a meaningful name, browsed the 130 categories on offer and decided whether to block or allow them.
Anti-spam measures were equally quick to apply as the wizard helped us create a new action for the SpamBlocker service set to tag spam, suspect and bulk messages. It applies transparent scanning so there's no need to define internal mail servers plus we could add exceptions for specific mail senders and activate the virus outbreak detection feature.
Gateway AV can be enabled on selected proxies and set to decompress and scan archives. The APT service is available for the HTTP, FTP and SMTP proxies where it scans incoming files and checks their MD5 hash with the LastLine cloud service to see if they're known malware.
Watchguard's Dimension provides slick Firebox monitoring and reporting tools
Our preferred method for managing a single appliance is via its well-designed web interface but Watchguard's System Manager program comes in handy if you have loads to administer. After connecting to an appliance, we could manage its security policies or network settings and call up the Firebox System Manager utility to view all network activity.
Available as a free Hyper-V or VMware virtual machine, Watchguard's Dimension collects and analyses security information from multiple appliances. We tested the VMware version and simply pointed our M300's Log Server address at the Dimension VM which automatically discovered it.
The home page lists all monitored appliances along with details of their operational status and current firmware version. Selecting our appliance took us directly to the Executive Dashboard which provided a wealth of data about user activity.
The Security Dashboard shows essential information about clients, web sites and protocols being blocked. The Threat Map provides a global map showing regions where threats are coming from and clicking on the city's associated IP address loads a Google Map of the area which could be potentially useful information for law enforcement.
Our Ixia tests showed the M300 delivered 600Mbits/sec with UTM services enabled on the HTTP proxy
For real world performance testing we hooked the M300 up to the lab's Ixia Xcellon Ultra-NP network load modules and configured the IxLoad control software to generate 512KB HTTP web pages. We created three client/server streams and set a load objective of 1Gbits/sec for each stream.
With the HTTP packet filter enabled, we recorded a top speed of 2.6Gbits/sec which dropped to 1.7Gbits/sec with IPS enabled in the firewall policy. During this test, IxLoad confirmed there were no TCP retries or resets.
With WatchGuard's HTTP proxy on the case, we saw an average throughput of 1.1Gbits/sec and with IPS enabled, this fell to 800Mbits/sec. With gateway AV and IPS enabled in the policy, throughput averaged 600Mbits/sec 25% less than WatchGuard's claims.
Proxy performance didn't quite meet our expectations but compared with Dell SonicWALL's more costly NSA-2600, the Firebox M300 is still twice as fast. Combine this with its superb range of features and you have an ideal gateway security appliance for cost-conscious SMBs.
The Firebox M300 delivers a superb range of security features at a price SMBs will approve of. Overall performance is good and the price includes some quality management and monitoring tools.
Chassis: 1U rack
CPU: 1.8GHz quad-core Freescale
Memory: 4GB DDR3
Network: 8 x Gigabit Ethernet
Other ports: 2 x USB2, RJ-45 serial port
Management: Web browser, Watchguard System Manager
Warranty: Advanced hardware replacement with support subscription
Options: 3-year subscriptions: APT, £1,207; DLP, £583 (all ex VAT)