Seriously, why does everyone hate WatchGuard firewalls/routers? I have used them several times, and although quirky, they do seem to work quite well. So, honest question, what gives with all the hate? What's wrong with them?
I have never sold/installed one, only picked up new clients who already have them. Problems I have encountered include: had to create a Windows VM just to manage it. Was unable to download the software to manage it from WatchGuard; had to find a torrent to get the management software. Some of the lower-end units have had user-limit licences (some PCs would randomly lose internet access). No OpenVPN capability for site-to-site connectivity.
I have a stack of WatchGuards in my office doing nothing, as we remove them every chance we get.
Worked for a reseller that sold them and was WatchGuard certified (which is a joke).
- Bugs. This one time they kept telling me that I was wrong, only to come back a week later and say that there was a bug in generating the CSR.
- Counter-intuitive CLI; in fact they tell you to use WSM (discussed below). They themselves never use the CLI.
- TAC is useless. I’ve run into a few issues where it took them ages to come up with an answer, and by then I had already figured out a workaround.
- WSM, aka WatchGuard System Manager, the GUI used to configure the firewall. It needs a Windows machine and is slow when the box is generating a lot of traffic. Troubleshooting under high load is a nightmare!
There are some good points though:
- It's red, and that adds colour to the server room.
- Dimension (it's free)!!
- Management server. If you have lots of WatchGuard firewalls, their management server gives you a single pane to look at and configure all of them. This is one of the things where they are better than the competition.
- You get a lot more in one box than just a firewall. But you have to pay for the extra (subscription) services.
I would say WatchGuard is good for small and medium-sized enterprises only. It has some issues, but for smaller places it should be OK… but definitely not for a DC or bigger enterprises.
edit: formatting
Top of my head, to kick things off.
- Support is useless - they are fine for the basics, but any intermediate to senior calls are a waste of time.
- Bugs - so many bugs and quirks.
- Terrible logging.
- CLI is useless.
- Features like SSO are utterly broken.
- The way it handles one-to-one NAT causes issues.
- It can’t do things like passthrough very well, so things like VoIP and wireless remote APs had to physically go around the firewall for it to work.
Basically, almost every issue a client with a WG had turned out, more often than not, to be caused by the WG. Its main selling point is that it is cheap, and you get what you pay for. The red boxes look nice though.
We’ve been using one at our main office since 2010. We don’t do a whole lot with it (a couple of IPsec tunnels and about 30 access rules or so), and for cases like that, it works well enough.
We had to have it replaced after about 2 years when one of the ports simply up and died and caused the whole system to reassign different device IDs to the ports. I had to spend more time than I should have explaining this to the tech on the phone, even going so far as to send pictures of the screen showing the error I was getting.
The latest issue we have with it is backing up the device. It’s a known issue that if too much memory is being used, it won’t allow you to make a system backup, and their workaround is to reboot the system or to wait until less memory is being used.
I use it. I like everything about it with the exception of the SSL VPN client not starting before logon. My remote people have to use L2TP so they don’t run out of cached logons.
Hello, I am part of a company that has subsidiary enterprises. Recently, one of our smaller affiliates wanted to implement a security solution for its network. We were recommended the brand WatchGuard, which was unfamiliar to me. Despite that, I requested a product quote from a WatchGuard business partner for a basic network setup:
- 15 workstations
- 1 NAS
- 1 printer
- Internet with a speed of 400 Mbps
The WatchGuard business partner suggested that a Firebox T25 would be suitable for such a simple network, and that’s when my nightmare began.
It took almost two months to receive the Firebox T25. Then, it took an additional month to try to configure it due to various errors. For such a basic network, it disrupted our internet, blocking everything. The WatchGuard business partner claimed it was defective and promised to replace it. It has been two weeks since the return material authorization (RMA) process began, and we are still dealing with the nightmare of the terrible service from the WatchGuard business partner.
We contacted WatchGuard about the issues we are facing with both the partner and the product, but they have not yet responded. Does anyone have any opinions or suggestions?
What do you replace them with?
Yup, they are fantastic in that small to mid-sized market if you can get over the fact that WSM is a steaming turd to use most of the time. Never had a lot of complaints when supporting a 10-person office with a WatchGuard; wouldn’t recommend them for > 50 users or so, or for people with high expectations of performance and reliability (i.e., not going in my datacenter).
Bugs - find me a software company that is bug-free. Even Cisco published 10+ DoS-exploitable bugs just last week for the ASA.
CLI - why torture yourself when there is a fully functional HTML5 WebUI and a dedicated offline policy manager?
TAC - my experience is that they are quite good and often troubleshoot non-firewall issues without complaint. As with any TAC, the more information you can provide and the quicker you reply to updates, the faster things get resolved.
WSM - it’s an offline tool, so no idea how the firewall load can affect it? It can take a couple of seconds to apply a policy, but have you ever saved a policy to a Palo Alto… 20 minutes!
Yes - Watchguard is targeted at small and medium business. No reason to hate for that.
Edit: My marketing guy said I have to let you guys know I’m from WatchGuard. Happy to answer any Qs you guys have.
I have 2 I was planning to sell, an XTM-22W and an XTM-530; PM if interested.
4 or 5 x750e’s and some smaller models (x20e I think). Would have to walk to the warehouse to check.
- As far as I am aware you can't manage the x750e’s via the web UI.
- Livesecurity was out of date thanks to the previous IT support.
- The branch VPN’s are IPSec from memory.
I had a WatchGuard around 7 years ago. I ended up disabling the unified threat management features one by one, as none of them worked properly and ultimately created issues.
Ended up replacing it with a FortiGate, which actually delivers on the features that WatchGuard promises. FortiGate is faster due to custom ASICs and cheaper because you don’t have to pay for the services separately.
Linux + Shorewall + OpenVPN + DNSMasq + Squid3. Various other utilities as required by clients.
Your response seems as if it was typed in haste. You conclude by saying there is nothing wrong with targeting small to medium organisations… that, sir, is exactly what I concluded…
I mentioned WG is good for that.
Next up is your pointing fingers at other vendors. Sir, the question here is why I hate WatchGuard, not who is better, or comparing xyz with abc. If this were "why I hate Cisco" I would’ve had a similar reply, posting things I hate about them and things I liked.
WSM is offline, eh…? Sure.
The device it connects to works in real time, so troubleshooting via traffic manager is a nightmare.
And did you just say the CLI sucks, on /r/networking!!! Blasphemy!! lol. While I agree that the GUI is good for the modern feature-rich devices, I think a powerful CLI helps a lot, especially when troubleshooting.
Finally: I know why you responded the way you did… I would’ve done the same if I were you. Surely you know more about WatchGuard than I do, so I apologise if I seem misguided. Conversely, you can view me as an unhappy customer and try to take this feedback on board. Maybe I’m the odd man out, in which case you can reject this and move on.
Cheers!
Thanks for your feedback. Fair enough! You’re free to hate on whoever you like. We generally point fingers less than others but it was a good example in this case.
Re WSM – There are a few components to WSM – Policy Manager is an offline policy editor, so there is no need to connect to the device in order to use it. Firebox System Manager is a suite of troubleshooting tools. Some say that it’s brilliant and a major advantage. It can often come down to experience and familiarity with the process. Same goes for the CLI.
Good and bad feedback is an important part of the process, and we always try to take it on board and make changes where possible to improve things. Our local feedback might be different to your experiences, but we’ve moved to an HTML5 web interface, added a variety of processes to improve support case resolution times, and boosted training programs to increase familiarity. Hoping to do more in the future.
Yeah, the 22W was my home router. Just bought a Ubiquiti EdgeRouter to replace the aging WatchGuard. It served its time and was just fine for a home system. I wouldn’t go so far as to say I hate them, but they can be quirky for sure.