WatchGuard UTM for small and medium businesses with even greater efficiency

Developer: WatchGuard
Product name: WatchGuard Firebox
Tested version: firmware 12.0
SRP price: contact the distributor


In Polish realities, where access to super-fast Internet connections is limited, WatchGuard solutions, which have a technological advantage over the competition, may turn out to be a dark horse in the race for the customer.

Editor's opinion


One of the basic properties of security products that affects the proper functioning of a network is performance degradation. In theory, the more modules protect an organization against online threats, the greater the chance of detecting and neutralizing a danger. In practice, however, the need for protection is often accompanied by a significant drop in the original bandwidth of the Internet connection. As a consequence, some administrators have no choice but to take radical steps: they disable certain security features to improve performance. Choosing the right hardware solution is not easy. Large corporations with significant security budgets can afford to maintain a test environment. Practice, however, has its own rules, and tests usually take place under production conditions. This temporarily complicates the security management process, because for the duration of the implementation, users and resources become a testing ground.

New offer from WatchGuard

Since August 2017, WatchGuard Technologies has expanded its offer with new Firebox models: M370, M470, M570 and M670. The devices replace the models offered so far: M300, M400 and M500. The manufacturer also released the new software version "12", which, compared with the previous release, brings Bitdefender antivirus technology operating at the gateway level as well as support for scanning e-mails sent via IMAP. In addition, the manufacturer declares that the new devices offer about 50% higher performance at almost the same price. This is very good news for end customers and channel partners. The crushing results against the competition in the test conducted in July 2017 reinforce the conviction that the announced performance increase is not just a marketing trick played on the customer.

Network throughput achieved (max. 1 Gb/s for each of the 6 ports) when the firewall module scans UDP packets.

The Miercom laboratory, which together with NSS Labs is the world leader in independent testing of security products, prepared a comparative test of UTM devices from four leading vendors: WatchGuard Firebox M370, SonicWALL NSA 2600, Fortinet FortiGate 100-E and Sophos XG 210. Using professional equipment that simulates real Internet traffic (including BreakingPoint Firestorm and Spirent Avalanche), the testers measured each device's impact on network bandwidth for maximum-size (MTU) and mixed-size (IMIX) datagrams of the connectionless UDP protocol and for HTTP and HTTPS packets, and showed a performance gulf between the WatchGuard M370 and the SonicWALL, Sophos and Fortinet devices.

Performance of the individual devices while scanning the HTTP protocol.

With all protection functions enabled (UTM), a performance simulation using 3 pairs of 1GbE interfaces on the client side and 3 pairs on the server side (the client sent 100 GET requests to the server to download a 1MB file from another LAN subnet) caused only a slight decrease in the performance of the company's Internet connection protected by the WatchGuard device. The drop from the manufacturer-declared 3Gb/s to 2.6Gb/s for fibre-optic networks is still more than twice as good as the second-rated product in the same category, the Sophos XG210.

In the Miercom test with all protection functions enabled, WatchGuard had no equal.

With all protection functions enabled and when measuring performance while decrypting, scanning and re-encrypting data sent over an encrypted channel (HTTPS), the WatchGuard M370 was unmatched.

For the M370 model, WatchGuard declares full "UTM" performance of 2.6Gb/s with all six 1GbE ports loaded. Miercom researchers recorded just over 800Mb/s in the "mixed" (IMIX) tests, which is the most common scenario in everyday work. The recorded drop from 2.6Gb/s to 800Mb/s is more than four times less than the value declared by the manufacturer, yet it is still over 4 times better than the second-placed device in this category, the Sophos XG210, at about 240Mb/s.

The tests do not end with Miercom. Periodic research is also carried out by none other than NSS Labs. It is worth paying attention to the test categories that prove a device's efficiency. Under the version 7.0 methodology, the products were evaluated under real conditions in terms of: effectiveness of protection, stability and reliability, quality of management, performance and total cost of ownership (TCO). NSS Labs recommends only the best devices on the market, and the recommendation does not depend on the market share or popularity of the brand.

June 2017: recommendation from NSS Labs for the WatchGuard M4600.

The WatchGuard Firebox M4600 received a recommendation from NSS Labs thanks to very good results in all test categories. WatchGuard has thus proven that it is able to meet the strict requirements set by end customers while maintaining an optimal overall quality of the device in relation to its price.

Advanced protection at the interface with the Internet

Small and medium-sized enterprises constantly fall victim to malware. With today's techniques for circumventing security, the vector by which malware is delivered to employees' computers matters little. A properly configured WatchGuard device will be an extremely difficult barrier to overcome, both in targeted attacks and in less sophisticated ones that, thanks to social engineering, are still effective.

WatchGuard promises comprehensive protection of the organization by correlating several modules, which include:

  • an intrusion prevention system (IPS) based on Trend Micro technology;
  • control of launched applications (App Control), also from Trend Micro;
  • scanning of web content (WebBlocker), with technology provided by Websense;
  • safer browsing of Internet resources: based on automatic or custom rules, IP addresses of servers and URLs can be blocked if their reputation score is low or does not reach the level set by the administrator (Reputation Enabled Defense);
  • e-mail scanning (spamBlocker);
  • Bitdefender anti-virus protection at the gateway level (Gateway AntiVirus; until August 2017 WatchGuard devices used AVG technology);
  • informing the administrator about hosts currently connected to the corporate network (Network Discovery);
  • blocking advanced and unconventional remote attacks (APT Blocker) thanks to a solution from Lastline;
  • preventing theft of files and intellectual property from the company network (Data Loss Prevention);
  • an advanced log analyzer, reporting and visualization system in one, serving as an internal security audit (Dimension Command);
  • cloud-based protection against 0-day and ransomware threats (Threat Detection & Response).

The TDR window with basic information about potential threats.

According to the manufacturer, one of the key components of collecting threat intelligence is the aforementioned Threat Detection & Response module (TDR for short). TDR is available in the "Total Security" license package, which includes all current protection modules as well as those that will be added in future software upgrades. This is an important message for end customers, because their devices will always have the latest, tested security options. Not every vendor approaches its flagship offer this way, which is why WatchGuard earns an additional point in the customer-support category.

Feature set of the three protection plans.

TDR can "run alongside" an installed security product: it does not provide antivirus protection in the traditional sense, so it does not interfere with third-party technologies. It has several other advantages that are hard to find in antivirus software. The manufacturer gives the customer a choice, offering protection in the form of an agent that requires minimal processor power and bandwidth, not only at the Internet gateway but also on end devices. Ultimately, the purchase of a device of this class is decided by its performance with all available security enabled.

Threat indicators collected from company computers.

On its website the manufacturer devotes a lot of attention to the Threat Detection & Response module. Its correlation with the other functions of WatchGuard devices essentially comes down to cloud protection and to protecting the corporate network at the Internet gateway. It does not burden the workstation the way endpoint security software does: the agent sends basic static information to WatchGuard's analytical systems, which assign a risk score. In response, action is taken to move the malware to quarantine, terminate the process and remove its remnants from the system registry. In addition, TDR, by correlating threat information from the cloud and from all hosts in the organization, has instant insight into malware indicators and network attack signatures. But that's not all: TDR integrates with the APT Blocker module, so it is able to stop 0-day threats, including attacks using "fileless" malware, attacks exploiting known and unknown vulnerabilities, and the suspicious network activity seen in attacks that use cryptographic functions when communicating with the servers that coordinate the exchange of information between the victim and the cybercriminal.

TDR configuration.

The Threat Detection & Response module has one more important capability, namely the aforementioned protection against ransomware: TDR, working in correlation with the other modules, has access to information about malicious Internet addresses spreading encryption viruses, and can use proprietary behavioural algorithms to detect a threat that is already on the hard disk. The manufacturer adds that it runs a farm of honeypots, which play a very important role in collecting information about 0-day threats and in blocking communication with C&C servers.

Protection against cryptographic attacks

A distinguishing feature of WatchGuard's products is its set of modules for detecting advanced threats based on data collected from endpoints. As cybercriminals increasingly use diverse and sophisticated attack vectors, and endpoints will always be a target, protection that detects potential threat indicators and attacks in real time is an absolute "must have".

There is no shortage of ready-made exploits and tools that automate attacks. Contrary to appearances, one such repository for cybercriminals is the public GitHub service, which generously rewards patient searchers. Thousands of items can be found in public repositories, including exploits for Windows, Mac OS, iOS and Android along with their source files ready for compilation, scripts that automate attacks, malware generators, and even advanced tools used by spy and intelligence agencies and private companies. As they say, there is something for everyone. The worst part is that, in the right hands, these tools make up quite a decent arsenal in the cyberwar against public and private entities.

At the turn of 2016 and 2017, several times more ransomware variants appeared than in the years 2013-2016.

Is your company ready for this? Research carried out by PwC Polska suggests that it probably is not: in 96% of medium and large enterprises operating in our country, more than 50 cyber attacks occurred in the last 12 months, and for 64% the number of such events exceeded 500. Assuming that even every tenth attack used malware from the ransomware family, and taking into account the number of variants of this type of virus (over 500), comprehensive protection of enterprises at the Internet gateway and on end stations is simply essential.

What does WatchGuard do?

The manufacturer prepared the answer to this question much earlier. The anti-encryption module (Host Ransomware Prevention), together with the APT Blocker functionality that among other things blocks network communication with malicious hosts, can jointly prevent a virus from running on the workstation. The sensor creates a kind of local honeypot (trap) in the form of hidden folders and files; if they are removed or encrypted by the virus, they are restored at the next boot. Of course, this has no effect on the continuity of protection.

This ransomware protection is embedded in the TDR agent: it works at the host level and is something like a sensor that can identify and quarantine files or processes characteristic of ransomware. The sensor can operate in two modes:

  • Set to "detect", it searches for processes and files that are characteristic of ransomware. Reports of such events are sent to the admin console.
  • Set to "prevent", it additionally terminates processes and places malicious files in quarantine before encryption or the deletion of backup restore points begins (for example, it recognizes when the shell is run with the following parameters: "C:\Windows\SysWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet).

This works regardless of Internet connectivity: the threat can be stopped even if the virus causes network problems, and even before the suspicious file is sent to the cloud for behavioural analysis in the manufacturer's isolated environment. What's more, even if the MD5 hash of a file has been added to the whitelist (and this can happen), the host sensor will still stop the process in which the threat is detected.
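To make the sensor behaviour described above concrete, here is an added illustration (not WatchGuard's code) of a host-side rule that matches the shadow-copy deletion command quoted in the text, applies the "detect" and "prevent" modes, and shows why an allowlisted MD5 hash does not suppress a behavioural match. The events, parent names and hashes are constructed; the first command line is the one quoted in the article.

```python
"""Host-side detection of vssadmin shadow-copy deletion in two sensor modes.
Added illustration, not WatchGuard code; all events and hashes are constructed."""
import ntpath
import re

# Quoted or bare tokens of a Windows command line: "a b" c -> ['a b', 'c']
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]

def deletes_shadow_copies(cmdline):
    """True when vssadmin is asked to delete shadow copies, whether invoked
    directly or wrapped in cmd.exe /C, from any system directory."""
    toks = [t.lower() for t in tokenize(cmdline)]
    for i, tok in enumerate(toks):
        if ntpath.basename(tok) in ("vssadmin", "vssadmin.exe"):
            args = toks[i + 1:]
            return len(args) >= 2 and args[0] == "delete" and args[1] == "shadows"
    return False

# Image hashes the administrator allowlisted; constructed placeholder value.
ALLOWLIST_MD5 = {"00000000000000000000000000000000"}

def evaluate(event, mode="detect"):
    """Return the sensor's actions for one process-creation event. A behavioural
    match is acted on even when the image hash is allowlisted, as the text states."""
    if not deletes_shadow_copies(event["cmdline"]):
        return {"pid": event["pid"], "verdict": "clean", "actions": ()}
    actions = ["report"]                      # "detect" mode only reports
    if mode == "prevent":                     # "prevent" mode also stops the process
        actions += ["terminate_process", "quarantine_image"]
    if event.get("md5") in ALLOWLIST_MD5:
        actions.append("note_allowlisted_hash_overridden")
    return {"pid": event["pid"], "verdict": "ransomware_behaviour", "actions": tuple(actions)}

# Constructed process-creation events; the first command line is the article's example.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "invoice.exe", "md5": "00000000000000000000000000000000",
     "cmdline": '"C:\\Windows\\SysWOW64\\cmd.exe" /C "C:\\Windows\\Sysnative\\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"pid": 4311, "parent": "explorer.exe", "md5": "11111111111111111111111111111111",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 4500, "parent": "powershell.exe", "md5": "22222222222222222222222222222222",
     "cmdline": "VSSADMIN delete shadows /for=C: /oldest"},
    {"pid": 4600, "parent": "svchost.exe", "md5": "33333333333333333333333333333333",
     "cmdline": "C:\\Windows\\System32\\notepad.exe report.txt"},
]

def run_sensor(events, mode):
    return [evaluate(e, mode) for e in events]

if __name__ == "__main__":
    for result in run_sensor(SAMPLE_EVENTS, "prevent"):
        print(result)
```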

Practical? Very much so. You do not need to look far for a use for this protection feature. This is how the public infrastructure of Ukraine, Great Britain, Spain, the Netherlands, Sweden and several other countries was infected, including many Polish companies. Unfortunately, the infrastructure of companies that were not protected by similar technologies did not withstand the attack: everything started with the compromise of the update server of the M.E.Doc accounting software. Instead of new installation files, the application downloaded and launched a Trojan. The effect of the NotPetya ransomware is now widely known:

A trusted application downloaded a Trojan, which in turn downloaded and launched the NotPetya ransomware.

The Host Ransomware Prevention module is one of the components of WatchGuard protection. All of these technologies are independent of signatures, so an automatic reaction based on the cloud evaluation of the threat is taken instantly using the manufacturer's proprietary solutions. For this purpose, WatchGuard Firebox T and M devices use event data from hosts in the corporate network and from the WatchGuard cloud (ThreatSync); everything is correlated across the entire security stack completely automatically and without burdening workstations or network bandwidth.

Reporting and administrative actions from interactive maps

A distinguishing feature of the firmware that drives WatchGuard devices is the Dimension Command module. It is a very advanced log analyzer and reporting system in one. It plays an important role during internal security audits and in organizing the user rights policy in real time. From graphical information (logs and interactive maps), it allows creating rules that allow or restrict access to certain parts of company resources and the Internet. The technical data, presented in a clear and visual form, give administrators a perfect overview of the infrastructure and system elements in use: the Internet link, network protocols, applications, most visited pages, blocked malicious URLs, blocked landing pages that initiate drive-by attacks, and much, much more. And all of this is broken down per employee.

Map of the source locations of threats and attacks on company workstations.
Detailed information about attacks stopped by the IPS module (part of APT Blocker).

Access to this and other parts of the WatchGuard software can be granted to non-technical people at any time without giving them permission to edit security policies. Decision-makers will be glad to see the irregularities in the organization and, in cooperation with the IT administrators, will take appropriate steps to minimize the scale of the problem.

The generated data visualization helps quickly identify which user, application or protocol threatens the security of the organization or degrades the available bandwidth.

TOP applications used, sorted by category.
TOP applications used, by their actual names.
TOP protocols and ports, with link usage broken out.

From these interactive maps it is possible to create rules that block specific websites, applications or protocols.

Most visited pages by category, including the policy and the device interface.

Offer for small and medium businesses

In the Gartner Magic Quadrant, WatchGuard Technologies, based in Seattle (USA), is one of the visionaries in the field of security and network products and services. The manufacturer has over 75,000 customers in North America, Europe, Asia and Latin America. WatchGuard products are an ideal solution for geographically distributed enterprises that expect configurable and simple software management for MAN and WAN networks from their provider.

Performance is of great importance for this class of products. Miercom and NSS Labs, by answering the need for comparative performance tests of UTM and NGFW devices, help end customers and resellers choose a specific supplier. In Polish realities, where access to super-fast Internet connections is limited, WatchGuard solutions, which have a technological advantage over the competition, may turn out to be a dark horse in the race for the customer.

Detailed information about WatchGuard devices can be obtained by contacting a representative of Net Complex, a Polish reseller with a wide range of UTM / NGFW solutions in its portfolio. The Bielsko-Biała company, as the only one in Poland, streamlines the process of getting to know the brand by running an online store with WatchGuard solutions, holding numerous technical webinars, supporting the testing process and, right after purchase, providing assistance during implementation and further technical support.

Workshops and webinars

On behalf of Net Complex, we invite people interested in hardware security products, in particular IT managers of all levels, network administrators and architects, IT specialists, and managers and specialists from outside the IT area, to the specialized training sessions that have been organized for several months. The next meeting, a detailed presentation of the products and of the configuration and administration of WatchGuard devices, will take place on November 29 - December 1 at the Net Complex headquarters in Bielsko-Biała. The training is very popular, as are the workshops and webinars about the Gartner leader. If you want to learn more about the secrets of the red box, follow the site, where WatchGuard events are never missed.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.