Buy Cisco or Watchguard?

Posted on 2006-05-09
Last Modified: 2013-11-16
Hi Experts,

I would like to know if anyone can refer me to a site or provide me with information comparing Cisco and Watchguard firewalls.  We’ve recently received approval to purchase the Cisco ASA 5510 appliance, to replace our existing Watchguard Firebox 1000.  There are some people who are skeptical, because the Firebox contains more features than the ASA such as web filtering, spam blocking, etc.

However, the problem I have with the Firebox is remote connectivity via VPN.  The ASA features SSL, which will save me time by not installing VPN software onto people’s portable machines.  Also, I like the fact the ASA is coming with an IPS module, which will help in protecting our network.  Plus, we’re in the process of selecting a vendor for our new telephone system, which will probably be VoIP.  And I think the ASA is more adept at handling this addition to the network, rather than the Firebox (until I have some convincing material).

The problem I have is convincing skeptics that the ASA is a better product than the Firebox (assuming that’s true).  People like the fact the Firebox contains the features, as mentioned above.  If they ask me what the ASA has for this, my response would be they need a monitoring agent, like that of Websense or Surf Control.  The majority of my network (switches and routers) is Cisco.  I need to have a convincing argument to show this is a wise investment, and not that of a personal want.

Can someone help me in this?  Thanks for your help.
Question by:Joe_27
    LVL 9

    Accepted Solution

    The ASA also contains the same features and even more (anti-spyware, anti-virus, anti-spam, etc.) via a module called CSC-SSM. This link should give you an idea on how powerful ASA can be.
    LVL 20

    Assisted Solution

    Disclaimer: I haven't had the pleasure of deploying an ASA yet, but this platform is based in large part off the outstanding PIX firewall line, which I have quite extensively deployed & still do.  lrmoore & others have used ASA & I believe the consensus is that it's a great platform.  I've dealt with several Watchguards for clients (from SOHO line up to the 1000), & all but 1 have ditched them primarily for Cisco PIXes plus a couple of SonicWalls.

    >the problem I have with the Firebox is remote connectivity via VPN...
      This has been one of the top complaints from clients - either the VPN never worked correctly, or would work only sporadically.  Whereas all the Cisco VPNs have been rock solid, & have impressed the clients.  
      The 2nd top client complaint was the fact that their Fireboxes had to be rebooted at random times to restore WAN connectivity, etc.  About the only time I have to reboot a PIX, Cisco router or switch is when I've updated the OS.
       An important area to consider is the "soft costs" for a network device due to downtime, either overall or even just for remote access.

    >some people who are skeptical, because the Firebox contains more features than the ASA...
       I seriously doubt the Firebox has more features - see the ASA software documentation for a tremendous amount of capabilities.  The critical points to keep in mind are: either platform will support features the other doesn't, & which one best suits your needs currently & for the future.

    >If they ask me what the ASA has for this, my response would be...
      Spam-filtering really isn't the job of a security appliance, however the ASA "Anti-X Edition" does support anti-spam, anti-spyware, anti-virus.  ASA has outstanding security features, including multiple security contexts, intelligent application-level inspection, IPSec VPN, 3DES & AES encryption, AAA, IPS, etc.

    >majority of my network (switches and routers) is Cisco.
       As is the case for many many businesses.  Cisco doesn't spend billions each year on R&D for nothing - their gear has a proven track record for reliability.  

    Another significant area of difference is support.  Watchguard support is usually abysmal, as many clients will relate.  Cisco offers various SmartNet support plans incl 24/7 phone support, they're a large stable company that'll be around for a long time, & if you do have a critical business emergency, they can get you on the phone with a very experienced engineer immediately; plus free no-hassle software upgrades with current SmartNet support.

      ASA Command Line Config Guide, v7.1:
      Release notes for v7.1:

      ASA product pg, with links to "Anti-X" & other "Enterprise Editions":

    Just my $0.02.
    LVL 25

    Assisted Solution

    Well, between stressed and calvinetter they pretty well covered it.

    However, you did mention that you want to use SSL VPN.  SSL VPN is still pretty new and each vendor still does their own thing.  As a result of getting more advanced features to work, they have to have the client download a small piece of software.

    Also, SSL VPN is very expensive.  As such, if you're getting the ASA5510 w/ the IPS module you only get 2 SSL VPN connections (not very good if using for general purpose VPN).  As such, if you want to use SSL VPN, you need to buy the VPN edition.  Although I don't see why you wouldn't be able to just buy an upgrade license to add to the firewall (but I just can't find the literature saying you can do that if you have the IPS so I hope someone else can correct me if I'm wrong).

    A little off topic, but if you're looking for quality spam filtering, I'd look at Barracuda Networks spam firewall.  Just my opinion, but if you are getting a device to do a job, you should get one that was meant for that job.  The ASA was not meant for spam filtering.

    LVL 4

    Assisted Solution

    Buy a WatchGuard; the learning curve is much less than a Cisco.

    The SSL unit that WatchGuard do is also very good and is an OEM'ed Citrix appliance, so you can be sure it works well.

    Most people here will say get a Cisco, but unless you are familiar with Cisco already it's going to be hard to learn. Also hackers tend to think Cisco kit protects big networks so you are likely to receive more attention on the web as they think there is something good behind it.

    I have used WatchGuard for years now and have never really had many problems at all. The new X range is very good and is good value also. I wouldn't bother looking at buying any of the add-ons such as spam, web content, etc., as there are better products for that. Just let the firewall be a firewall and keep other bits off box.


    LVL 79

    Assisted Solution

    I'm a big fan of Cisco products, especially the PIX and now the ASA, so my vote is definitely Cisco.
    >The majority of my network (switches and routers) is Cisco.

    Having said that, the real points are:

    * A firewall is nothing more than an appliance that can enforce policies. Spend the time to define both inbound and outbound usage policies and other enforcement requirements
    * No firewall or other security device will provide the required services unless you know how to implement them.
    * You must maintain whatever security device you decide on. Your comfort level with the variations of configuration quirks and GUI quirks should influence your decision.
    * If you can't understand the configuration from a command line perspective, you'll have a difficult time with the ASA
    * It's easier to hire Cisco people than it is WatchGuard people
    * Cisco is the 800 pound gorilla in the market. They spend more in R&D than all the other companies' combined total revenue.
    * If you've ever experienced Cisco TAC support, you'd be hard pressed to find any other product support that can match it
    * There is value in a single vendor solution, as well as there are risks
    * With the new ASA modules, you can get WebSense right on the box in a module
    * The IDS module is OK, but you have to monitor it for it to be effective. Budget in a workstation or something to display the realtime IDS events
    * Cisco does not charge anything for their VPN clients, and it is the best I've seen, easiest to deploy and use


    Author Comment

    The particular unit we are looking at contains the IPS device, as well as licenses for the SSL VPNs.  After looking at the product images, how would one add the module that does the anti-spam/virus scanning, if the available slot is occupied with the IPS module?
