Watchguard Firebox X15w Review
- Review Price: £351.00
We’ve been using a Watchguard Firebox SOHO 6 for some time now – it’s been sitting quietly protecting a small office network with an ADSL connection. However, it does have some limitations – a lack of support for 802.11g wireless for starters – so the new range of Firebox X Edge appliances piqued our curiosity as a potential upgrade.
As a basic plug-and-play appliance, the SOHO 6 has worked very well for us, requiring virtually no intervention during its stay in the office. The new Firebox X Edge appliances aim to offer the same ease of use, but Watchguard has focused more on their VPN capabilities, allowing them to integrate with its new Core and Peak appliances. However, the focus in this review will be on the small business angle, where we will be looking at the Firebox X15w as a standalone solution.
Out of the box, the X15w provides a good range of features: an eight-port Fast Ethernet switch, two WAN ports and an 802.11b/g wireless access point. The basic appliance provides an SPI firewall, DMZ capabilities and improved wireless security. Watchguard also offers a range of upgrades, including its WebBlocker service and WAN failover option. After registering with Watchguard’s support site, the appliance is licensed for up to thirty users.
You actually have seven Ethernet ports for general network use, as the eighth provides an optional network connection. This is essentially a DMZ (demilitarized zone) where you can place servers or other systems that can be accessed from the Internet but are not part of the internal or trusted network. The second WAN port can only be enabled once the WAN failover upgrade, which costs an additional £112, has been applied. With a second ISP account you can link another ADSL or cable modem, which will be used if the primary link goes down. Alternatively, you can plug a PSTN modem into the serial port to act as a secondary dial-up link.
It’s been a long wait for 802.11g wireless support in the Firebox SME products, and along with it you get improved security as well. As expected, SSID masking, MAC address blocking and 64/128-bit WEP are on the menu, and the X15w now adds WPA encryption. The wireless portion of the network can be disabled at any time, and another useful feature is the appliance’s bridging capability: you can restrict access for wireless users to either the optional or trusted network.
The firewall commendably defaults to blocking all unsolicited incoming traffic on the external interface, but you can modify this with custom rules. We’ve found a large number of SME firewall vendors leave you high and dry at this point, but Watchguard bucks the trend by providing plenty of help in its copious documentation. You can also use extra rules to restrict traffic between the trusted and optional networks.
Setting up mobile client IPsec VPNs is never an easy task – one reason why SSL VPN appliances are growing in popularity. Even so, Watchguard does make a valiant effort at providing all the necessary information. Setting up a user’s VPN account on the X15w creates a unique configuration file, which must be copied to the client system along with the MUVPN software, which is downloaded from Watchguard’s support site. The least secure part of this process is supplying the user with a shared key which, obviously, shouldn’t be emailed to them. All the user then needs to do is activate the security policy and select the Connect option to create a VPN tunnel with the appliance. Usefully, you can force wireless users to connect over a VPN tunnel as well.
The WebBlocker option has been a standard feature on the Fireboxes for some time and is a hosted service managed by SurfControl. It costs £64 for the first year, with a yearly renewal fee of only £48, and with this in action you can select which of fourteen content categories you want blocked. Users who attempt to access a banned site are redirected to the appliance, which delivers a warning message, and only with a valid password can they override the block. You can also enforce authentication for any client requesting Internet access. SurfControl runs one of the better content filtering services, and it showed during testing, with it spotting all our attempts to access dodgy websites.
The price also includes a one-year subscription for five seats to McAfee’s VirusScan ASaP service. This is a cut-down version of McAfee’s main anti-virus software which provides real-time and on-demand scanning, but it’s totally independent of the appliance, which plays no part in the management of this component.
The Firebox X15w is a great idea for small businesses that need an all-in-one security solution, and as existing Firebox users we would seriously consider upgrading. However, for first-time users there is a lot of competition, some of which costs a lot less. Take Billion’s myGuard 7500GL for example – it may be more basic, but it does provide a similar level of features, including web content filtering and managed anti-virus services, yet costs around a third of the X15w’s price.