The Firebox range is always easy to pick out of a group, with its trademark red casing. The unit ships with a full complement of hardware, some enabled through software licenses.
The XCore 2500 we received is a medium-sized version, with six 10/100 ports and a throughput rated to 300Mbps, which is a bit low for the price, although the unit does have a good collection of security features.
Connecting to the unit can be done over a network connection, via a serial port or a combination of the two. A QuickSetup Wizard runs, prompting for a choice of transparent or routed mode, and interface set-up and configuring internal web and mail servers.
Management is conducted via the WatchGuard System Manager software, a Windows-only utility which is good enough, but we would like to see it complemented by an OS-agnostic web or java GUI. There are actually two separate tools, the System Manager and a Policy Manager, which is used to create rules.
The basic firewall policies start off in a familiar NAT configuration – allow everything out and block any non-established connection in.
New rules are easy to set up, but because the system only allows one read/write admin connection at a time, linking from the System Manager to the Policy Manager resulted in failed connections until we got used to disconnecting and reconnecting in read-only mode before updating policies.
Actually working with policies was a bit laborious, requiring password confirmation for every change. And some required a reboot without an obvious reason why: we dislike restarting edge devices for anything less than very substantial updates.
Hostwatch, a third utility (why aren’t these all grouped with access limited by roles?) shows what sessions are currently active in a real-time graphical display. This can also play back historic data, to replay attacks or monitor activity: a nice touch.
Multiple Fireboxes can be clustered for high availability, although an extra license is required for this. VPN features include IPsec and WatchGuard’s proprietary Dynamic VPN which can tie branch office networks together with requirements to use internal proxies, for example.
Some features are interesting extensions to what other vendors provide, and for everyday use Firebox products perform solidly. But the management software is looking outdated and some functions feel awkward to manage. Updated, this would be a much stronger offering.