Firewall Wizards mailing list archives

Re: Watchguard (firewall appliance questions)


From: "Mark Coleman" <mcoleman () uniontown com>
Date: Mon, 19 Jul 1999 18:56:45 -0400

Re: Watchguard Firebox II Firewall

Hi all, long-time listener, first-time caller.

I have experience with the old Cisco Centri, Cisco PIX, and the Watchguard
Firebox II.

I personally have installed 20 to 30 of these Watchguard firewalls, have
many on maintenance contracts, and I have one on our bench for testing, and I
have extensive experience with both the Firebox 100 and the Firebox II.  My
largest customer is a somewhat large university in South Western
Pennsylvania with approximately 2000 seats.  They have three T1 lines
frontending a Firebox II using version 3.3 (Watchguard's latest release).
We are not able to use proxying services for this customer because of the
CPU load they generate on the Watchguard firewall with a network this large;
they are pushing the limits of this firewall.  I would recommend
using this firewall on networks of 1000 or fewer seats, and bandwidth not to
exceed 4 megs (two or three T1 lines).

For the most part, they tend to work well.  There are several points where
you have to manually edit the config file with Notepad to get it to do some
of the advanced things, like port forwarding a socket not in their list, for
example.  They do not have moving parts in them (other than the fan), so NT-based
firewalls probably have a much lower mean time between failures.
If/when they do have a problem, all you do is swap the entire unit and blast
a new config to it and you are back where you were.  No hard drives to swap,
no video card to smoke, no keyboard keys to stick, you get the idea.

Two drawbacks for this firewall: It does IP Masquerading, not NAT.  This
means that you cannot have more than one web server/email server/DNS
server, whatever, masqueraded inside the firewall.  Also, you cannot create
a rule which can be applied to a range of ports.  If you want to open ports
1024 through 1500, for example, there is no easy way to do it.  You can
create a service opening ALL ports to a certain host, or enter a small list
of ports manually, but you cannot exceed (I think) 100 ports in a service.

I have seen two DOA units; other than that, all other units have been running
strong.  They are reliable enough to allow us to use our on-site spare as a
demo unit for potential customers.

My experience is that they do quite a good job, but like any other firewall
you have to configure it properly.

Mark Coleman
Tripwire Network Solutions
http://tripwire.uniontown.com

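The masquerading-versus-NAT drawback described above comes down to how many public addresses the firewall has to hand out on the outside. The following is an added illustration, not code from the post or from Watchguard: a toy model of inbound translation in which a single-address masquerade can only forward a given protocol/port pair to one inside host, while one-to-one (static) NAT gives each published server its own public address. All addresses are constructed (TEST-NET-2 on the outside, RFC 1918 inside) and the class and function names are hypothetical.

```python
"""Toy model contrasting IP masquerading (one public address, port-based
inbound forwarding) with one-to-one static NAT (one public address per
inside host). Added illustration; all addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


class RuleConflict(Exception):
    """Raised when a translation rule would shadow an existing one."""


@dataclass
class Masquerade:
    """Single public address; inbound reachability is per (proto, port)."""
    public_ip: str
    forwards: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

    def publish(self, proto: str, public_port: int, inside: Endpoint) -> None:
        key = (proto, public_port)
        if key in self.forwards:
            # Only one inside host can own a public port: the second
            # web server on tcp/80 simply cannot be published.
            raise RuleConflict(
                f"{proto}/{public_port} on {self.public_ip} already forwards "
                f"to {self.forwards[key]}")
        self.forwards[key] = inside

    def translate_inbound(self, dst_ip: str, proto: str,
                          dst_port: int) -> Optional[Endpoint]:
        if dst_ip != self.public_ip:
            return None
        return self.forwards.get((proto, dst_port))


@dataclass
class StaticNat:
    """One public address per inside host; every port follows the mapping."""
    mappings: Dict[str, str] = field(default_factory=dict)  # public -> inside

    def add(self, public_ip: str, inside_ip: str) -> None:
        if public_ip in self.mappings:
            raise RuleConflict(f"{public_ip} already maps to "
                               f"{self.mappings[public_ip]}")
        self.mappings[public_ip] = inside_ip

    def translate_inbound(self, dst_ip: str, proto: str,
                          dst_port: int) -> Optional[Endpoint]:
        inside = self.mappings.get(dst_ip)
        # Static NAT keeps the port; only the address is rewritten.
        return None if inside is None else (inside, dst_port)


def demo() -> dict:
    """Publish two inside web servers under each scheme and report the
    outcome. Constructed addresses: 198.51.100.0/24 outside, 10.0.0.0/24 inside."""
    results = {}

    masq = Masquerade("198.51.100.1")
    masq.publish("tcp", 80, ("10.0.0.10", 80))
    try:
        masq.publish("tcp", 80, ("10.0.0.11", 80))
        results["masquerade_second_web_server_published"] = True
    except RuleConflict:
        results["masquerade_second_web_server_published"] = False
    results["masquerade_inbound_80"] = masq.translate_inbound(
        "198.51.100.1", "tcp", 80)

    nat = StaticNat()
    nat.add("198.51.100.10", "10.0.0.10")
    nat.add("198.51.100.11", "10.0.0.11")
    results["static_nat_inbound"] = [
        nat.translate_inbound("198.51.100.10", "tcp", 80),
        nat.translate_inbound("198.51.100.11", "tcp", 80),
    ]
    # A packet for an unmapped public address is not forwarded at all.
    results["static_nat_unmapped"] = nat.translate_inbound(
        "198.51.100.12", "tcp", 80)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is a design constraint rather than a bug: with masquerading the public port namespace is shared by every inside host, so publishing a second server on the same port means either a second public address or a non-standard port; static NAT spends an address per host and leaves ports untouched.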

----- Original Message -----
From: Frank Pawlak <FPAWL () pcsentre com>
To: <firewall-wizards () nfr net>
Sent: Monday, July 19, 1999 12:35 PM
Subject: Watchguard (firewall appliance questions)


I am relatively new to INFOSEC.  I have questions on firewall appliances
in general and Watchguard in particular.

How do they stack up against the software solutions?  Their low cost makes
them attractive to management, and my issue is to get at the differences
between them.

It appears to me that they are best suited for a small number of users.
Is that correct?

Are they what "firewalls" will look like in the future?

What are some of the technical differences?

Any other comments would be appreciated.

TIA

Frank
