WatchGuard Firebox X6500e review
WatchGuard has always had a strong presence in the burgeoning UTM appliance market, and its latest Firebox X Peak e-Series aims to deliver a complete security solution that can be easily upgraded. The Firebox X6500e targets medium-sized businesses looking for a one-stop security shop. It delivers standard SPI and application inspection firewalls, plus extensive support for site-to-site and mobile client IPsec VPNs, but augments these with optional gateway anti-virus and IPS, anti-spam and web content filtering services as well.
The X6500e supports two deployment options, where a drop-in mode expects all IP addresses on the LAN, WAN and optional networks to be in the same subnet. We opted for the routed mode, which supports DHCP on the external port and requires the networks on each interface to be different. Initial installation requires the latest software image for the appliance and the management software to be downloaded first. Using the keypad, the appliance is booted into a Safe mode ready to receive the downloaded image. Once the browser-based configuration is complete, all further management is via the System Manager utility.
The WatchGuard System Manager utility looks after all Firebox appliances, while each one is individually accessed using the Firebox System Manager. The latter opens with a display using a star-shaped graphic to show traffic passing between the external interface and all the others, plus colour-coded bars for general traffic and the load on the appliance. Defaulting to passing outbound traffic only let us deploy the appliance with minimal interruption to network services. Setting up inbound access and creating other security settings involves the Policy Manager, where you set up different services and proxies, decide how inbound and outbound traffic is handled, and save each one in different configuration files.
WebBlocker is a separate service run from a LAN system for which the Firebox proxies all HTTP traffic. During setup, you tell the Firebox the IP address of the local WebBlocker server and it sends all web page requests over for approval. It does seem complicated, but we found it easy to use; it’s just a shame the Windows Task Scheduler has to be used to automate category database downloads. WebBlocker is configured for all outbound traffic from the Policy Manager, where you can choose from 40 categories. Different HTTP proxy policies determine what web access is allowed during certain hours and a warning web page will be sent to users trying to access banned sites.
SpamBlocker works in the same manner, as it uses SMTP proxy policies to function, but also requires the address of an email server behind the firewall. You can use multiple SMTP policies to schedule different spam responses. But actions on suspect messages are limited to denying them, tagging the subject line or allowing them through. The gateway anti-virus and IPS services are easier to configure, and can be enabled or disabled on selected proxy policies.
There’s no denying the Firebox 6500e is offering a fully featured UTM solution. However, we did find the management method is overly complex and, for the price, the anti-spam features are basic.