Watchguard Firebox X10e-W Review

Published on Friday 26th October, 2007 (AEST)

This week I've been playing around with a new Watchguard Firebox Edge X10e-W, an all-in-one firewall/WAP, with gateway antivirus, URL category filtering, VPN capabilities and a bunch of other features. I first used a Firebox a couple of years ago, when I set one up for a client, and was impressed by the features included and the interface provided. Since Watchguard products aren't terribly common where I'm from, I relished the opportunity to play around with this new model.

The firewall itself includes an impressive list of features, with deep application inspection, protocol anomaly detection, malformed packet protection, and an auto-block feature for misbehaving IPs. The mix of white-list and black-list mechanisms certainly appears to work well; the roll call of viruses blocked by default (without signatures) between 2003 and 2006 is formidable.

The WebBlocker (URL category filter) is simple to implement, with the ability to block sites by selecting content categories (SurfControl), or specifying individual sites to block. Sites can also be white-listed. The Gateway AV/IPS and the SpamBlocker services have few settings to configure, other than enabling them and specifying your desired level of protection.

As a wireless access point, the X10e-W can accommodate users with different needs and security requirements by effectively acting as three WAPs at once. For instance, you might have employees connect to the Trusted network, temporary contract workers to the Optional network—with less access to company resources—while visitors connect to the Wireless Guest network, ensuring they have access only to the Internet. Each wireless interface can support different encryption protocols (WEP/WPA/WPA2) and passphrases, and the Wireless Guest network can also be configured with a different WebBlocker profile.

Noticeably absent from the X10e-W's wireless feature list is support for 802.1X. For a business-grade appliance with a security focus, this seems a little remiss. Indeed, similar products such as Cisco's 851W do provide 802.1X support. Come to think of it, even some consumer products can handle 802.1X.

The Firebox Edge series have extensive logging capabilities. While they do include a basic log viewer, to make the most of your logs you'll need to configure your Firebox to send log entries to a Watchguard log server (if you have a Firebox Core or Peak) or to a Syslog server.

All in all, this all-in-one device is a nice piece of work, but there are a couple of limitations to keep in mind. An X10e-W only supports up to 20 users. Since the only difference between an X10e-W, X20e-W and an X55e-W is the configuration of the software, it is a simple process to upgrade to a better model as your needs grow. (An X55e-W has no user limits.) Another gotcha is the required registration: the box only allows one user connection until it's given a valid activation code. This isn't a hassle at all, but may deter some privacy-conscious buyers.

UPDATE (27/10/07): I should also mention that the web filter, spam filter and AV/IPS services are added subscriptions, not included as standard.

Have something to add? Simply send me an email. Comments deemed relevant and helpful to other readers will be added to this page.

© 2007-2010 Andy Dowling.