Firewall Wizards mailing list archives
Re: Watchguard (firewall appliance questions)
From: "Mark Coleman" <mcoleman () uniontown com>
Date: Mon, 19 Jul 1999 18:56:45 -0400
Re: Watchguard Firebox II Firewall

Hi all, long time listener, first time caller.

I have experience with the old Cisco Centri, Cisco PIX, and the Watchguard Firebox II. I personally have installed 20 to 30 of these Watchguard firewalls, have many on maintenance contracts, and I have one on our bench for testing, and have extensive experience with both the Firebox 100 and the Firebox II.

My largest customer is a somewhat large university in South Western Pennsylvania with approximately 2000 seats. They have three T1 lines frontending a Firebox II using version 3.3 (Watchguard's latest release). We are not able to use proxying services for this customer because of the CPU load they generate on the Watchguard firewall with this large of a network; they are pushing the limits of this firewall. I would recommend using this firewall on networks of 1000 or fewer seats, and bandwidth not to exceed 4 megs (two or three T1 lines).

For the most part, they tend to work well. There are several points where you have to manually edit the config file with Notepad to get it to do some of the advanced things, like port forwarding a socket not in their list, for example. They do not have moving parts in them (other than the fan), so NT-based firewalls probably have a much lower mean time between failure rate. If/when they do have a problem, all you do is swap the entire unit and blast a new config to it and you are back where you were. No hard drives to swap, no video card to smoke, no keyboard keys to stick, you get the idea.

Two drawbacks for this firewall:

It does IP Masquerading, not NAT. This means that you cannot have more than one web server/email server/DNS server, whatever, masqueraded inside the firewall.

Also, you cannot create a rule which can be applied to a range of ports. If you want to open ports 1024 through 1500, for example, there is no easy way to do it. You can create a service opening ALL ports to a certain host, or enter a small list of ports manually, but you cannot exceed (I think) 100 ports in a service.

I have seen two DOA units; other than that, all other units have been running strong. They are reliable enough to allow us to use our on-site spare as a demo unit for potential customers.

My experience is that they do quite a good job, but like any other firewall you have to configure it properly.

Mark Coleman
Tripwire Network Solutions
http://tripwire.uniontown.com

----- Original Message -----
From: Frank Pawlak <FPAWL () pcsentre com>
To: <firewall-wizards () nfr net>
Sent: Monday, July 19, 1999 12:35 PM
Subject: Watchguard (firewall appliance questions)
I am relatively new to INFOSec. I have questions on firewall appliances in general and Watchguard in particular.

How do they stack up against the software solutions? Their low cost makes them attractive to management, and my issue is to get at the differences between them.

It appears to me that they are best suited for a small number of users. Is that correct?

Are they what "firewalls" will look like in the future? What are some of the technical differences? Any other comments would be appreciated.

TIA
Frank