Currently working on a 2-month-old ticket involving getting port forwarding working for Mist to work through a Watchguard. Even got the TAC from WG working on it. Still a big nope.
They only lose 100% of my packets 5% of the time. This is much better than 100% of the time.
Shut up and just take my money - you had me at “red”.
He was banned? Just curious… I mean he was being facetious right?
Watchguard is the best!
It’s the only gear that I can claim to have found a flaw worthy of an emergency hotfix. Wish I could remember all the details but it was something akin to “I deleted a FW rule and it’s still passing traffic. Everything would indicate rule is deleted but Ethereal doesn’t lie…” This was over a decade ago.
I know Watchguard gets a lot of hate here, and everyone always says “Go Palo Alto or Fortinet, avoid Watchguard!”, but I’ve had mostly positive experiences with them, so I figure WHY NOT, I’ll add my personal experience, and take the downvotes as they come.
tl;dr version: my experience with Watchguard has been mostly positive. We’re on 12.3.1 and they’ve been stable.
I had no prior experience with them until a couple of years ago. I’ve rebuilt all our firewalls from the ground up over the last six months, mainly because the last “network engineer” they had was a homelab tinkerer who didn’t know what he was doing.
I have a few UI complaints, mostly that default enabled options for firewall policies like Dynamic NAT are a pain to disable en masse. I think System Manager is fairly unintuitive compared to the web UI. I don’t like their web portal too much; it’s kind of flaky, and the different products they’ve shoehorned into it (AuthPoint, DNSWatch, TDR) lack cohesion. I could never get remote deployment to work.
And I’ve had a couple of technical issues with them.
- We had a T50 with an iffy CPU that was spiking because of BGP, despite passing no traffic, and they RMA’d it only after a modicum of light resistance. I don’t think they were being unreasonable (there were some things we hadn’t checked, and they were pushing for remote support access for further diagnostic testing), but since I was on a time crunch they processed it, and the RMA fixed the issue.
- 12.3 was randomly killing our SSL VPN connectivity which DID require a reboot, but that was fixed in 12.3.1. No issues since with our VPN.
- I’ve had a couple of firewalls refuse to boot after an update and a wipe (I pulled them to rebuild them rather than try and fix the last guy’s janky config). I was able to console in and boot into diagnostic mode, reset the firewall again, and the problem was fixed. No problems with stability or uptime.
BUT: after a couple of years, that’s basically all the complaints I have. The UI is clean and responsive. Once I got my head out of ASA access-list thinking, the firewall policy interface is intuitive. I like the dashboard. Dimension is pretty neat if you run it off a separate postgres DB, since the integrated one is horrifically slow. I use Dimension for reporting, to monitor our firewall health and licensing and have it open on our big screen next to Orion (another one that gets a lot of hate!). Configuring IPSEC tunnels between them and other devices has been easy. The OS update is one click when the firewalls are in HA and I’ve had no issues with it - a failed update here and there if the firewall was up for a significantly long period of time, but aborted cleanly and succeeded the second time.
What else? Firecluster as an HA solution is smooth. The only issues I’ve had bringing it up were when I had biffed on adding the right feature key for the failover unit. We had one site that kept dropping when the firewall failed over after the UPS it was attached to died, but that was because some genius attached the secondary switch to the primary UPS. That was a fun problem to figure out remotely. The IPS has blocked some nasty stuff, Application Control stopped a couple of cryptolockers in their tracks, and DMCA complaints thanks to employees torrenting over our guest wifi have been eliminated (so far). The Traffic Manager live view is detailed and has helped me diagnose some serious issues; tcpdump has helped me prove (or disprove) other issues.
The only massively irritating thing I had to deal with was using our own internal PKI for SSL inspection. Support has always been cordial and knowledgeable on questions I’ve had. They’re extremely responsive, unlike some of our other vendors. I feel like we got our licensing fees’ worth from all the questions I’ve had to ping them for.
We’re a lean IT operation that supports a few dozen sites and a couple of thousand employees and I work for a company that doesn’t want to pour its money into Ferrari-esque infrastructure - our entire operation is now on Watchguard firewalls. I am the only network engineer on staff, and if these boxes were pieces of junk, I would be spending more time trying to troubleshoot them than anything else. I don’t have to do that.
I like them much more than Fortinet, which makes me an outlier in this sub from the look of things. They work fine for what they are, but I disliked the UI for them immensely, and the CLI even more. Considering how much Cisco has apparently shit the bed with Firepower, I’m glad we aren’t on that. Juniper is still somewhat opaque to me, and I couldn’t sell the bean counters on Palo Alto. I’ve been happy with what we have.
They also have a really cool Windows app that shows the front display. You can’t buy that kind of cool.
Can’t argue with a nice Palo.
Yup! Total Mod Abuse right now!
We all know that keeping up with license renewals is a major pain in the arse. I mean, how many of us are really that organised? The WatchGuard method does away with all the drudgery of paper work and lets you get new equipment every three years. And who doesn’t like a shiny new Ferrari Red device showing up in the post?
Makes sense to me, the license renewals are ISSU. Gotta pay more for features like that
The trick is that you want to put the WatchGuard at the top of the rack, that way when you use Cat 7 cables the data flows DOWN. No gravity to block your download speeds.
When you need to upload, buy another WatchGuard and place it in the BOTTOM of the rack.
iAm aN eXeRpT in nEtwOrKiNg. tRuSt mE.
And the fire marshal loves them too!
If only I could afford the insurance to pay for red.
You know that if you paint stripes on it, data will go even faster, right? It works similarly to cars.
I did this a few years ago. Life has been great. Not that I disliked Watchguard, but I like Meraki. There are fewer features overall though, but it gives more info in an easier to disseminate format.
Have fun with the lack of IPv6 support.
Reasons why Cisco FirePower sucks
- It IS Cisco FirePower
I just swapped out OPNsense on my XTM5 for a custom OpenWRT to aggregate WANs in an SD-WAN setup.
Nice! I did a similar thing with older Citrix hardware. Repurposed that thing to run pfSense for our guest wireless network.