Watchguard Firebox M300 review

WatchGuard is on a mission to bring enterprise-level security to SMBs

IT Pro Value
Price
£3,610
  • Top value; Easy deployment; Tough security measures; Wireless gateway controller
  • HTTP proxy performance less than expected

High prices for UTM security appliances mean many SMBs aren't getting the protection they need which leaves them potentially vulnerable to cyber-criminals who are increasingly targeting smaller companies. Watchguard's latest Firebox appliances aim to put this right by delivering a wealth of security measures at a price SMBs can afford.

Clothed in Watchguard's customary fire-engine red chassis, the Firebox M300 has eight Gigabit Ethernet ports and claimed raw firewall speeds of 4Gbits/sec. Enabling its HTTP proxy plus IPS and gateway AV services drops this to 800Mbits/sec - still very respectable for an appliance at this price point.

A Standard Support subscription (formerly called Live Security) includes the appliance, hardware warranty, updates plus tech support and costs 2,117 for 3 years. This also includes Watchguard's System Manager and Dimension management software.

A Standard Support subscription only includes firewall and VPN capabilities. A 3-year Security Suite subscription pushes the price to 3,610 and augments the SPI firewall with web filtering, anti-spam, gateway anti-virus, IPS, application controls and WatchGuard's 'reputation enabled defence'. The M300 also supports Watchguard's optional data leak prevention (DLP) and advanced persistent threat (APT) blocker services.

The appliance's well-designed web interface makes management a simple process

Simple deployment

Deployment was quick as we followed the web console's wizard which helped set up the first two network ports with Internet and LAN access. It enabled DHCP services on the LAN side and applied a base set of security policies.

It defaults to the mixed routing mode which is our preferred mode of operation. This allowed us to configure each port on the M300 as separate interfaces each with their own IP address and DHCP services if required.

When configuring the remaining ports, we could designate them as external, trusted, optional or custom and give each one an alias. It's worth taking a moment to get this right as it'll make creating firewall policies a lot easier.

The new wizards made light work of creating proxy actions for the WebBlocker filtering service

New features

Watchguard's proxies are employed by all the security services but this is one feature we've always griped about as new users will find them complex to set up. You have proxies for HTTP, HTTPS, FTP, SIP, H.323, POP3 and SMTP.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

It's now a lot quicker as a setup wizard handles cloning the predefined proxy actions and applying them to your security policy. For the WebBlocker filtering service, we gave the new HTTP Client action a meaningful name, browsed the 130 categories on offer and decided whether to block or allow them.

Anti-spam measures were equally quick to apply as the wizard helped us create a new action for the SpamBlocker service set to tag spam, suspect and bulk messages. It applies transparent scanning so there's no need to define internal mail servers plus we could add exceptions for specific mail senders and activate the virus outbreak detection feature. 

Gateway AV can be enabled on selected proxies and set to decompress and scan archives. The APT service is available for the HTTP, FTP and SMTP proxies where it scans incoming files and checks their MD5 hash with the LastLine cloud service to see if they're known malware.

Watchguard's Dimension provides slick Firebox monitoring and reporting tools

Management choices

Our preferred method for managing a single appliance is via its well-designed web interface but Watchguard's System Manager program comes in handy if you have loads to administer. After connecting to an appliance, we could manage its security policies or network settings and call up the Firebox System Manager utility to view all network activity.

Available as a free Hyper-V or VMware virtual machine, Watchguard's Dimension collects and analyses security information from multiple appliances. We tested the VMware version and simply pointed our M300's Log Server address at the Dimension VM which automatically discovered it.

Advertisement - Article continues below

The home page lists all monitored appliances along with details of their operational status and current firmware version. Selecting our appliance took us directly to the Executive Dashboard which provided a wealth of data about user activity.

The Security Dashboard shows essential information about clients, web sites and protocols being blocked. The Threat Map provides a global map showing regions where threats are coming from and clicking on the city's associated IP address loads a Google Map of the area which could be potentially useful information for law enforcement.

Our Ixia tests showed the M300 delivered 600Mbits/sec with UTM services enabled on the HTTP proxy

Proxy performance 

For real world performance testing we hooked the M300 up to the lab's Ixia Xcellon Ultra-NP network load modules and configured the IxLoad control software to generate 512KB HTTP web pages. We created three client/server streams and set a load objective of 1Gbits/sec for each stream. 

Advertisement
Advertisement - Article continues below

With the HTTP packet filter enabled, we recorded a top speed of 2.6Gbits/sec which dropped to 1.7Gbits/sec with IPS enabled in the firewall policy. During this test, IxLoad confirmed there were no TCP retries or resets.

With WatchGuard's HTTP proxy on the case, we saw an average throughput of 1.1Gbits/sec and with IPS enabled, this fell to 800Mbits/sec. With gateway AV and IPS enabled in the policy, throughput averaged 600Mbits/sec 25% less than WatchGuard's claims.

Conclusions 

Proxy performance didn't quite meet our expectations but compared with Dell SonicWALL's more costly NSA-2600, the Firebox M300 is still twice as fast. Combine this with its superb range of features and you have an ideal gateway security appliance for cost-conscious SMBs.

Verdict

The Firebox M300 delivers a superb range of security features at a price SMBs will approve of. Overall performance is good and the price includes some quality management and monitoring tools.

Chassis: 1U rack

CPU: 1.8GHz quad-core Freescale

Memory: 4GB DDR3

Network: 8 x Gigabit Ethernet

Other ports: 2 x USB2, RJ-45 serial port

Management: Web browser, Watchguard System Manager

Warranty: Advanced hardware replacement with support subscription

Options: 3-year subscriptions: APT, £1,207; DLP, £583 (all ex VAT)

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Most Popular

Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/data-insights/big-data/354311/google-reveals-uks-most-searched-for-terms-in-2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019