WatchGuard vs Fortigate

We are getting quotes to replace an old Cisco ASA firewall.

Our preferred vendor has proposed a Fortigate 500E or Watchguard M570. They are kinda pushing the Watchguard as a better fit for us, but I have seen some negative comments out here about that brand - wondering about specifics?

Good remote user VPN, reporting/logging, web filtering, and app blocking are things important to us. Thanks.

FortiGate all the way.

I’m 100% biased and would only put in a FortiGate and avoid Watchguard. Fortinet is a market leader. For me it’s Palo or Fortinet. And before I get grilled, no I don’t have any tangible data to say why Fortinet is better than Watchguard. All I can say is I’ve found what works well for networks and designs I’m involved with and have no need to explore Watchguard anymore.

Maybe someone with more Watchguard experience than I can comment on what they’re really good at and we can compare and contrast a bit for you.

As a career firewall engineer, I can say I’ve NEVER liked Watchguard. Granted, I’m not the biggest fan of FortiGate you’ll ever meet, but it’s head and shoulders better than WatchGuard ever hoped to be.

I’ll defend Watchguard, since this isn’t the first thread I’ve seen in r/networking where everyone trashes it.

I have a Watchguard Firebox cert, and have sold and configured over a hundred of them.

Client VPN is great, and works for PC, Mac, and non-iOS devices as well. You install the client application, type in credentials (which can be managed by the Firebox itself, AD, RADIUS or other options) and the public IP address, and you’re connected. Much better, in my opinion, than Cisco, Meraki, or Sonicwall’s for ease of use. And I’ve never had it randomly drop; it either connects or there’s a deeper issue.

Reporting/logging: the Firebox holds a small amount of logs by itself, and can either redirect logs to an SNMP server, or you can set up Watchguard Dimension as a VM that can store any amount and generate awesome data and graphs out of it.

Web filtering and app blocking: Watchguard’s subscription services like these are farmed out from 3rd parties, so for example, their Gateway Antivirus used to actually be Sophos AV. Now it’s with someone else. I’m not sure who is the actual vendor of the services you’re mentioning currently, but both of those are easy to set up. And if a user goes to a blocked site, they get a very obvious “This site has been blocked by Watchguard, please see your administrator” page.

Support has always been helpful for me; you usually get someone pretty quickly, and they will escalate to tier 2 if they cannot solve the issue on the first call.

Updates are still run manually, so depending on your experience with automatic updates like Meraki runs, you may have different opinions on whether that’s a good thing.

Watchguard’s primary troubleshooting tool, Traffic Monitor, is super useful for figuring out why something is or isn’t working correctly. It’s a simple search box that scans logs in the last X seconds/minutes via IP, protocol, or any other search term, and it will clearly show in red/green whether something was allowed or blocked, what rule blocked it, the source/destination, and more info. Very handy.

Firewall rules are edited from the Policy Manager, which is a big table of rules that can be rearranged and edited easily.

So personally, while my company has moved to mostly Meraki (single pane of glass management, auto-updates, and Cisco support are all great), we still have several legacy customers on Watchguard, and I still find working on them to be easy, and they work very well.

I wouldn’t trust anyone who just says “I like X” without an explanation, which is why I gave the details above. I’ve worked with Fortigate a few times, and their support was good, but personally didn’t like their policy management GUI. That’s possibly just a training/experience difference though, which I’d guess is the issue a lot of people here have with X product; just not enough training/experience.

Demo both solutions and see which clicks for you!
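The Traffic Monitor workflow the reply above describes (search the last X seconds by IP, protocol or any other term, and see whether each flow was allowed or blocked and by which rule) is easy to reproduce over exported logs when you do not have the appliance GUI in front of you. The script below is an added example written for this page; it is not WatchGuard's or Fortinet's code, and the log line layout in `SAMPLE_LOG` is a constructed, generic format assumed for illustration rather than either vendor's real syslog format. Adapt `LINE_RE` to whatever your firewall actually emits.

```python
"""Search firewall log lines the way an appliance "traffic monitor" does:
restrict to a time window, match a search term, and report the verdict and rule.
Added example for this page; the log format below is constructed, not a vendor's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample lines (assumed layout, not a real WatchGuard/Fortinet format):
# <ISO timestamp> <Allow|Deny> <src> <dst> <proto> <sport> <dport> policy=<rule>
SAMPLE_LOG = """\
2024-03-01T10:00:01 Allow 10.0.1.25 93.184.216.34 tcp 52100 443 policy=Outbound-HTTPS
2024-03-01T10:00:03 Deny 10.0.1.25 10.0.2.10 tcp 52101 445 policy=Block-SMB-Internal
2024-03-01T10:00:07 Allow 10.0.1.40 10.0.2.10 tcp 52200 445 policy=FileServer-Access
2024-03-01T10:00:20 Deny 10.0.1.25 8.8.8.8 udp 52300 53 policy=Block-External-DNS
2024-03-01T10:01:15 Allow 10.0.1.25 10.0.2.53 udp 52301 53 policy=Internal-DNS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) policy=(?P<policy>\S+)$"
)


@dataclass
class LogEntry:
    ts: datetime
    action: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    policy: str


def parse_log(text):
    """Parse lines matching the assumed layout; silently skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(LogEntry(
            ts=datetime.fromisoformat(m["ts"]), action=m["action"],
            src=m["src"], dst=m["dst"], proto=m["proto"],
            sport=int(m["sport"]), dport=int(m["dport"]), policy=m["policy"],
        ))
    return entries


def search_recent(entries, term, now_iso, seconds):
    """Entries from the `seconds` before `now_iso` where `term` equals a field.

    Whole-field equality (not substring) so that "10.0.1.2" does not also
    match "10.0.1.25"; the comparison is case-insensitive so "udp"/"allow" work.
    """
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(seconds=seconds)
    term = term.lower()
    hits = []
    for e in entries:
        if e.ts < cutoff or e.ts > now:
            continue
        fields = (e.src, e.dst, e.proto, str(e.sport), str(e.dport), e.policy, e.action)
        if any(term == f.lower() for f in fields):
            hits.append(e)
    return hits


def verdict_lines(hits):
    """Render hits as ALLOWED/BLOCKED verdicts with the rule and the 5-tuple."""
    out = []
    for e in hits:
        verdict = "ALLOWED" if e.action == "Allow" else "BLOCKED"
        out.append(f"{e.ts.isoformat()} {verdict:7} by {e.policy}: "
                   f"{e.src}:{e.sport} -> {e.dst}:{e.dport}/{e.proto}")
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # "What happened to 10.0.1.25 in the last 30 seconds?" relative to a fixed time
    for line in verdict_lines(search_recent(entries, "10.0.1.25", "2024-03-01T10:00:30", 30)):
        print(line)
```

The search is deliberately an exact match on each field rather than a substring match; a substring search for a short IP or port will drag in unrelated flows and hide the one rule you are trying to identify, which is exactly the kind of noise that makes "why was this blocked?" hard to answer from raw logs.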

FortiGate all the way.

I don’t have much experience with Watchguard either way, good or bad. But that’s because we are a FortiNet shop and love them.

We have two Watchguard M470s in a HA setup and I’ve got no complaints. They weren’t my first choice, due to the rumblings you see in this thread on their products, but they seem to work just fine.

  • The interface was easy enough to use.
  • The documentation was more than adequate to guide me through the stuff I was unsure of.
  • Unlike some of the other firewalls we’ve used, their VPN is super simple for end users and reliable (provided you use their client).
  • If you set up a Dimension server I find the reporting to be quite good.
  • The intrusion detection and app blocking seems to work well.

I’m sure there are better products out there from more established vendors, but I don’t think the new Watchguard devices are as bad as their reputation online.

We use 2 Fortigate 1000Ds in HA in our environment, and they are very easy to use. We had some issues with one tenant’s VPN for a while, where client VPNs would drop randomly, sometimes after a few minutes, sometimes after a few hours. After working with Fortinet Support for several months and escalating it to tier 3 engineering, I found that disabling Dead Peer Detection on the client software seemed to resolve the issue. This workaround would cause problems if there are a large number of users on the VPN tunnel, but we only had a handful, so we haven’t had issues. Fortinet support is pretty knowledgeable and very responsive. The interface is very user friendly, and the command line isn’t difficult either. There are a ton of resources for Fortigate online, mostly in the form of Cookbooks that give great instructions and details. That said, they are very expensive. For licensing and support for our two firewalls, we’re looking at $26k for a year.

I don’t know anything about WatchGuard though.

We’re using FortiGate for the VPN at the moment. It works really well for the most part, but it seems you need the support contract in order to download firmware, which is pretty absurd to me. Almost as absurd was that when time came to renew the contract I tried looking up what the contract would give us, but the only features I found were features we don’t use anyway, so we opted not to renew.

Now there are vulnerabilities on the current firmware version and I’m not allowed to download newer versions.

I figured this should at least be mentioned since it wasn’t that obvious when we bought the VPN boxes.

I make my living implementing these types of solutions. I’ve deployed literally hundreds of Watchguards over the past decade, and some Fortigates as well.

Watchguard is great if you’re looking for a cheaper, simple to manage UTM. It is not exceptionally reliable, but for the most part it does what it’s supposed to.

Fortigate is a more mature platform, it’s got a better ecosystem and it’s objectively a superior product.

We use Watchguard for SMB clients and Fortigate for SME/Enterprise.

With regards to your specifics, Watchguard VPN is just a wrapper on OpenVPN. It has no advanced functionality (check for up-to-date Antivirus, only allow domain joined systems to connect, pre-windows login connection, command line arguments, etc) but it’s pretty stable for what it is.

Watchguard uses Dimension for logging. It’s SUPER inefficient at parsing log data for queries and reports, but if you’re only going to have a few firewalls logging to it you’ll probably be fine. Fortigate uses FortiManager/FortiAnalyzer; can’t complain about them.

Web filtering and App blocking are pretty much a wash between the two products. Implemented a little differently, but you can get effectively the same behaviours.

Fortigate for career advancement and less headache.

How is Watchguard still in business? They have been hot garbage for 10+ years now…

Long time ago, 2011.

Left a company that had Watchguard for one that had an ASA, and the ASA was way better.

This year, at a different company, we are replacing our ASAs with Fortigates. They seem comparable, but without any real training the conversion has been very frustrating.

To sum it up, Watchguard was crap, Fortigate good, but some form of training will be needed to become proficient with it.

I use both. Fortigate at work and Watchguard at home. I prefer Fortigate. The UI feels more refined. Web filtering is great on both. VPN is decent on Fortigate.

How many users going through the VPN? Using the network?

I’ve never actually seen a Watchguard being used in my town. None of my friends run it.

Our Forti ran solid until we switched it out for ASA (as long as you keep up on updates). Easy to understand firewall.

I had a 30-day demo of Watchguard as my vendor was pushing it heavily and I hated it so much. Not a fan of XML configs, inconsistent GUI, can’t modify many things after entering them, etc. I returned it and bought an HA pair of Fortinet 500Es and haven’t looked back. It was more expensive since there was no trade-in promotion and I have to license the HA pair identically, but it is probably the best purchase we’ve made this past year. Also, through a large firewall reseller I found on Google (I don’t want to advertise but you can guess), I got the price of the combined package SUBSTANTIALLY cheaper than list and more competitive with Watchguard’s offer, so don’t go off list pricing alone when making decisions. Either way, even if it were hypothetically double, it would still be worth it IMO.

I would look at what your use case is. If you are going to use just the basic/core features, either is probably fine. If you are going to get deeper into it or use some of the more advanced features, I lean toward Fortigate. The enterprise support and integrations seem to be a little bit better.

I am a bit biased toward Fortigate as that is what we run at our primary and colo sites. However two of our smaller sites have WatchGuard devices that we inherited. So far they have been fully capable of doing what we need them to do, which, to be honest, is fairly basic stuff so far.

I can tell you the remote user VPNs on my Watchguard M200 are borderline useless. Nothing I do seems to have any effect whatsoever.

I have seen too many problems with Watchguard that their support was never able to fix. Fortinet has been pretty good and support is decent.