
Buy Cisco or Watchguard?

Hi Experts,

I would like to know if anyone can refer me to a site or provide me with information comparing Cisco and Watchguard firewalls.  We’ve recently received approval to purchase the Cisco ASA 5510 appliance, to replace our existing Watchguard Firebox 1000.  There are some people who are skeptical, because the Firebox contains more features than the ASA such as web filtering, spam blocking, etc.

However, the problem I have with the Firebox is remote connectivity via VPN.  The ASA features SSL, which will save me time by not installing VPN software onto people’s portable machines.  Also, I like the fact the ASA is coming with an IPS module, which will help in protecting our network.  Plus, we’re in the process of selecting a vendor for our new telephone system, which will probably be VoIP.  And I think the ASA is more adept to handle this addition to the network, rather than the Firebox (until I have some convincing material).

The problem I have is convincing skeptics that the ASA is a better product than the Firebox (assuming that’s true).  People like the fact the Firebox contains the features, as mentioned above.  If they ask me what the ASA has for this, my response would be they need a monitoring agent, like that of Websense or Surf Control.  The majority of my network (switches and routers) is Cisco.  I need to have a convincing argument to show this is a wise investment, and not that of a personal want.

Can someone help me in this?  Thanks for your help.
5 Solutions
The ASA also contains the same features and even more (anti-spyware, anti-virus, anti-spam, etc.) via a module called CSC-SSM. This link should give you an idea on how powerful ASA can be.


Disclaimer: I haven't had the pleasure of deploying an ASA yet, but this platform is based in large part off the outstanding PIX firewall line, which I have quite extensively deployed & still do.  lrmoore & others have used ASA & I believe the consensus is that it's a great platform.  I've dealt with several Watchguards for clients (from SOHO line up to the 1000), & all but 1 have ditched them primarily for Cisco PIXes plus a couple of SonicWalls.

>the problem I have with the Firebox is remote connectivity via VPN...
  This has been one of the top complaints from clients - either the VPN never worked correctly, or would work only sporadically.  Whereas all the Cisco VPNs have been rock solid, & have impressed the clients.  
  The 2nd top client complaint was the fact that their Fireboxes had to be rebooted at random times to restore WAN connectivity, etc.  About the only time I have to reboot a PIX, Cisco router or switch is when I've updated the OS.
   An important area to consider is the "soft costs" for a network device due to downtime, either overall or even just for remote access.

>some people who are skeptical, because the Firebox contains more features than the ASA...
   I seriously doubt the Firebox has more features - see the ASA software documentation for the tremendous amount of capabilities.  The critical points to keep in mind are: either platform will support features the other doesn't, & which one best suits your needs currently & for the future.

>If they ask me what the ASA has for this, my response would be...
  Spam-filtering really isn't the job of a security appliance, however the ASA "Anti-X Edition" does support anti-spam, anti-spyware, anti-virus.  ASA has outstanding security features, including multiple security contexts, intelligent application-level inspection, IPSec VPN, 3DES & AES encryption, AAA, IPS, etc.

>majority of my network (switches and routers) is Cisco.
   As is the case for many many businesses.  Cisco doesn't spend billions each year on R&D for nothing - their gear has a proven track record for reliability.  

Another significant area of difference is support.  Watchguard support is usually abysmal, as many clients will relate.  Cisco offers various SmartNet support plans incl 24/7 phone support, they're a large stable company that'll be around for a long time, & if you do have a critical business emergency, they can get you on the phone with a very experienced engineer immediately; plus free no-hassle software upgrades with current SmartNet support.

  ASA Command Line Config Guide, v7.1:
  Release notes for v7.1:

  ASA product pg, with links to "Anti-X" & other "Enterprise Editions":

Just my $0.02.
well, between stressed and calvinetter they pretty well covered it.

However, you did mention that you want to use SSL VPN.  SSL VPN is still pretty new and each vendor still does their own thing.  As a result of getting more advanced features to work, they have to have the client download a small piece of software.

Also, SSL VPN is very expensive.  As such, if you're getting the ASA5510 w/ the IPS module you only get 2 SSL VPN connections (not very good if using for general purpose VPN).  As such, if you want to use SSL VPN, you need to buy the VPN edition.  Although I don't see why you wouldn't be able to just buy an upgrade license to add to the firewall (but I just can't find the literature saying you can do that if you have the IPS so I hope someone else can correct me if I'm wrong).

A little off topic, but if you're looking for quality spam filtering, I'd look at Barracuda Networks' spam firewall.  Just my opinion, but if you are getting a device to do a job, you should get one that was meant for that job.  The ASA was not meant for spam filtering.

Buy a WatchGuard; the learning curve is much less than a Cisco.

The SSL unit that WatchGuard do is also very good and is an OEM'ed Citrix appliance, so you can be sure it works well.

Most people here will say get a Cisco, but unless you are familiar with Cisco already it's going to be hard to learn. Also hackers tend to think Cisco kit protects big networks so you are likely to receive more attention on the web as they think there is something good behind it.

I have used WatchGuard for years now and have never really had many problems at all. The new X range is very good and is good value also. I wouldn't bother looking at buying any of the add-ons such as spam, web content, etc., as there are better products for that. Just let the firewall be a firewall and keep other bits off box.


I'm a big fan of Cisco products, especially the PIX and now the ASA, so my vote is definitely Cisco.
>The majority of my network (switches and routers) is Cisco.

Having said that, the real points are:

* A firewall is nothing more than an appliance that can enforce policies. Spend the time to define both inbound and outbound usage policies and other enforcement requirements
* No firewall or other security device will provide the required services unless you know how to implement them.
* You must maintain whatever security device you decide on. Your comfort level with the variations of configuration quirks and GUI quirks should influence your decision.
* If you can't understand the configuration from a command line perspective, you'll have a difficult time with the ASA
* It's easier to hire Cisco people than it is WatchGuard people
* Cisco is the 800 pound gorilla in the market. They spend more in R&D than all the other companies' combined total revenue.
* If you've ever experienced Cisco TAC support, you'd be hard pressed to find any other product support that can match it
* There is value in a single vendor solution, as well as there are risks
* With the new ASA modules, you can get WebSense right on the box in a module
* The IDS module is OK, but you have to monitor it for it to be effective. Budget in a workstation or something to display the realtime IDS events
* Cisco does not charge anything for their VPN clients, and it is the best I've seen, easiest to deploy and use

Joe_27 (Author) Commented:
The particular unit we are looking at contains the IPS device, as well as licenses for the SSL VPNs.  After looking at the product images, how would one add the module that does the anti-spam/virus scanning, if the available slot is occupied with the IPS module?
