WatchGuard FireboxV review: Virtually perfect network security

Businesses concerned about the cost and complexity of hardware security appliances will find WatchGuard’s FireboxV a great alternative. Supporting both VMware and Hyper-V, FireboxV allows businesses to virtualize all their security services and extend protection to the network perimeter and their virtual environments.

There are no compromises on features as FireboxV delivers precisely the same tough security measures as WatchGuard’s Firebox hardware appliances. It’s flexible too, as you can choose from four different virtual models and upgrade them in the future if you need to increase performance.

The FireboxV Small model on review targets up to 50 users and is restricted to two virtual CPUs (vCPUs) and a maximum firewall throughput of 2Gbits/sec. The Medium model supports four vCPUs and doubles licensed bandwidth to 4Gbits/sec while the XLarge version supports 16 vCPUs and has no bandwidth restrictions.

WatchGuard offers a wide choice of licensing schemes with one- and three-year subscriptions. The Basic Security Suite subscription enables anti-virus, anti-spam, web filtering, HTTPS inspection, IPS, application controls and WatchGuard’s RED (reputation enabled defence) cloud URL filtering service.

The price we’ve shown is for a one-year Total Security Suite subscription which adds a Gold 24/7 support contract, WatchGuard’s data leak prevention (DLP) and advanced persistent threat (APT) blocker service. There’s more as along with the Bitdefender AV scanning engine, the subscription activates WatchGuard’s new IntelligentAV feature.

This employs the Cylance AI-based engine which doesn’t use signatures and scans Office documents, Windows portable executables and PDFs after they’ve passed through the Bitdefender engine. Also new is WatchGuard’s DNSWatch service which monitors client DNS requests and blocks access to known malicious domains.

VPN services include site-to-site IPsec tunnels plus mobile IPsec, PPTP and L2TP clients along with SSL VPNs. FireboxV also supports the Access Portal feature which provisions secure, client-free VPN connections to cloud-hosted apps and can integrate with SSO and MFA providers.

We tested the FireboxV Hyper-V version and found installation a pleasantly simple process. Using the downloaded virtual disk, we created a new VM with two vCPUs, the recommended 1GB of memory and two network adapters for external WAN and trusted LAN connections.

After powering the VM up, we pointed a browser at its LAN address and followed the quick start wizard which ran through securing admin access, licensing and enabling internet access with DHCP services on the LAN interface. At this stage, you may want to tweak the default firewall policy as FireboxV is set to accept management connections on the WAN and LAN ports.

The wizard defaults to mixed-mode routing which requires each port to be defined as a separate interface. FireboxV supports up to eight Hyper-V network adapters so you can add extra ports and extend protection to different network segments.

Value gets even better as unlike most of the competition, WatchGuard doesn’t charge extra for its management and reporting apps. The WatchGuard System Manager (WSM) suite uses a Windows host to provide central management, logging and reporting services. Our Hyper-V host runs WatchGuard’s Dimension and after linking it to the FireboxV, we viewed appliance utilisation, an executive dashboard, a global threat map and policy activity graphs.

The FireboxV uses proxies to handle all traffic and WatchGuard includes ones for HTTP, HTTPS, FTP, SIP, IMAP, POP3 and SMTP. The relationship between proxies and actions takes a little while to get used to but the web console provides wizards for all of them.

Enforcing web content filtering using the WebBlocker service is a three-step process and WatchGuard now offers over 180 URL categories to choose from. Pick the ones you want to block, apply HTTP and HTTPS filtering and when you’ve finished, the wizard creates a new firewall rule.

Gateway AV scanning is enabled on selected proxies and you can opt to block or drop infected payloads. All you do to enable IntelligentAV is activate it with one click and it will be applied to all proxies that have gateway AV enabled.

Once gateway AV is enabled, you can use the APT service which scans inbound files, creates MD5 hashes and checks them with the LastLine cloud service to see if they’re known malware. Anti-spam is just as easy to configure as you can select incoming SMTP, IMAP or POP3 traffic and block or tag spam messages.

DNSWatch is activated with one click and once it had registered with the WatchGuard cloud service, we could set enforcement on all network interfaces or selected ones. Mobile devices come under WatchGuard’s protection umbrella as the service queries Android and iOS devices and blocks access if they don’t meet the minimum OS level.

The appliance can run networks scans, display the results as a map and attempts to identify each system’s OS. It shows all open ports on each device but OS accuracy is poor as it failed to get any of our Windows server and workstation OSes correct.

Application Controls allows you to fine-tune what is allowed in the workplace as it manages access to hundreds of predefined apps. Worried about Facebook in the office? Don’t be, as the service has 12 entries for this app alone so you can block all usage or decide precisely what Facebook activities your staff are allowed to engage in.

You can even use the FireboxV to centrally manage wireless networks that employ WatchGuard’s own APs. Once paired with the appliance, they take all their settings from it and you can apply selected security policies to wireless traffic.

Businesses that want to dispense with hardware appliances and virtualize their security services will find WatchGuard’s FireboxV a great choice. It can protect both virtual environments and external networks, is remarkably easy to deploy and for the price, is offering an impressive range of security features.