WatchGuard Firebox X550e Core review
At the beginning of the year, WatchGuard was bought out by two investment firms, and it’s put this cash injection to good use, adding a number of improvements to its Firebox security appliances.
On test here is the entry-point X550e. It’s designed to be upgradable to full UTM capabilities, offering IPS, antispam, antivirus and web-content filtering, but features such as content filtering operate as a separate service. WebBlocker must be run on a different system on the LAN, for which the appliance proxies all HTTP traffic.
The WatchGuard System Manager looks after multiple Fireboxes. Each one is individually accessed using the Firebox System Manager, and a separate component is also used to create and deploy your security policies. During installation, you download the latest Fireware software image (Fireware is essentially the Firebox’s OS), boot the appliance into a safe mode using the keypad on the front and run through a browser-based quick-start wizard, which uploads the image.
For testing, we implemented the appliance in router mode, which supports DHCP on the external port and requires the networks on each interface to be different. The WebBlocker, logging and spam quarantine servers are loaded on your system of choice; we had no problems using a Windows XP SP2 system. The Firebox System Manager opens with a handy star-shaped graphic showing traffic passing between the various interfaces, and tabs are provided for more in-depth graphs of traffic, bandwidth usage and service status.
The system defaults to allow outbound traffic: configuring inbound access rules and creating other security settings involves the Policy Manager, in which you set up different services and proxies, decide how inbound and outbound traffic is handled, and save each one in a different file as a backup.
You need to tell it the IP address of the WebBlocker server where it sends all web page requests for approval. WebBlocker policies can include up to 40 categories and use different HTTP proxy policies to determine what web access is allowed during specific times. It’s easy enough to use, although we were surprised to see that you still have to use the Windows Task Scheduler to automate category database downloads. But, with SurfControl behind the scenes, WebBlocker performed well: with the Gambling category blocked, it denied us access to 48 out of 50 online bingo websites.
The gateway antivirus and IPS services are easily configured, and can be enabled on selected proxy policies. The spamBlocker utility uses SMTP and POP3 proxy policies, and the former requires the address of an email server behind the firewall. You can use multiple policies to schedule different spam responses, and actions have now been expanded to include the new message-quarantining server.
SMBs requiring a single security appliance will find the distributed services and management method too complex and would be better off with vendors such as SonicWALL. But, the X550e offers plenty of strong features, its use of proxies and policies make it versatile, and it can be easily upgraded to cope with future demand.