Solved

Leaving WatchGuard Firewalls - Fortinet or Check Point?

Posted on 2013-12-14
Last Modified: 2014-01-21
We have been a WatchGuard shop for years and years. Recently we have had so many big problems with them we are looking to start migrating away from WatchGuard to another UTM vendor. We have from the small XTM 2 & 3 series for the Small Business and the upper-end 5 series for some top of data-center rack stuff. Altogether about 20 boxes. With WatchGuard we have really enjoyed the XTM manager and user interface. Because of the familiarity of the product interface and number of boxes we already had we stayed for about a year too long at WatchGuard.

We have considered the following:

Palo Alto Networks - We love them. Read great reviews about them. Just too expensive.

Fortinet - Leaning towards Fortinet. Good reviews, good products, everything seems in-house. I don't like how many switch ports the Fortigate products come with for some reason.

Check Point - Close second to Fortinet. Looking for a reason to put them first.

SonicWALL - Have read better reviews for Fortinet and Check Point.

Ultimately I am looking for somebody that is familiar with WatchGuard, Check Point and Fortinet and can provide qualified feedback. So for the small office all the way to protecting web servers.
0
Question by:-TNT-
12 Comments
 
LVL 24

Assisted Solution

by:diverseit
diverseit earned 100 total points
Hi -TNT-,

I know you're not looking for feedback on SonicWALL. I'll weigh in... take it or leave it.

I'd strongly recommend SonicWALL. I'm not sure which reviews you're looking at... but from experience, I can't say enough good things about them.

There is no comparison IMO between these competitors and SonicWALL when you compare the NGFWs' specs and cost... there's no better bang for your buck. Now Gen 3 & arguably Gen 4 SonicWALLs I wouldn't be singing the same tune.

http://www.firewalls.com/sonicwall_vs_fortigate/

http://www.firewalls.com/sonicwall_vs_watchguard

Cheers!
0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 200 total points
So I am chiming in here primarily out of curiosity and to watch the thread. I have worked with Watchguard, Sonic, Cisco ASA and PIX, Checkpoint years ago and even MS even though I try to avoid. From a volume and experience standpoint, I would put them in that order. I have sites that are extremely complex and similarly sized and are very happy with Watchguard. I don't want to paint a rosy picture because there have certainly been issues. But I have had equal or more issues with other vendors also. But when the going gets rough, WG usually comes through. I am very curious about your decision to leave. I know it may not seem relevant, but I believe it is since you want a replacement that will reduce that pain point. I am also curious if you have had a quality vendor working on your behalf when you have an issue? There were some issues with 11.7.4 and 11.8 but they were resolved very quickly and effectively.

Anyway, I am not looking to change your mind (maybe just a little) but more interested in your reasons and where you end up. I do agree with the previous poster that companies like Watchguard and Sonic have the best bang for the buck by far. But if you are stuck on moving away from Watchguard, I think that you are on the right track with going towards a higher grade solution like Fortinet or CheckPoint or Palo Alto or Juniper. When you get to that level, it's not as much about the product as it is the company's support and their comfort working in large or data center type environments. It's the innate understanding that larger businesses have the funds but don't have the flexibility and maintenance windows that smaller companies have. They need the reliability and the support to go along. Make sense?

I will disclose that I am primarily a Watchguard partner so that is my preference.  But as I mentioned, I will be interested in your feedback and how this thread plays out.    

~Jon
0
 
LVL 6

Expert Comment

by:Jon Snyderman
Sorry, one more thing. Be careful of the sites that the previous poster mentioned. Although laid out nicely, it is a reseller of Sonicwall and much of the information comparing the products is outdated and some is simply incorrect.

I would continue down the research path that you are on by reading reviews and opinions (from unbiased sites that don't sell anything), put hard current numbers against each other and ask for input from others as you have done here.

~Jon
0
 

Assisted Solution

by:-TNT-
-TNT- earned 0 total points
Jon,

Thank you for your reply. You make a lot of valid points. There is a lot about WatchGuard that I love and I really want to make them work, like really bad. Last year alone I personally spent over a week, yes a week working with WatchGuard resolving issues they broke (11.6 -> 11.7).

WatchGuard really cost us a lot of time when deploying 11.7. When 11.8 was released we only updated a few boxes which all but blew up. The throughput numbers have never ever been close or realistic.

I'm the guy on the WatchGuard forum that begs for Betas to be public or note the firmware as "Pre-Release" until stable. When firmware is generally released I expect it to be stable and secure. 11.8 was a joke. It shouldn't be like that for a security company.

Message To WatchGuard LINK
This is a lot of well put points. Especially the employee exit interviews.

If I were new to this scene I think I would fall in love with WatchGuard, just like I did years ago. Now knowing what I know and seeing the company declining (Gartner agrees) I just can't keep investing in something that I don't see making it the long haul.

I think you were saying that Fortinet or CheckPoint or Palo Alto or Juniper are on another level and I honestly see that is what we need. From a support standpoint with WatchGuard any savings upfront just bites you in the end, like I said, we spent weeks supporting bugs that year.

Everything being outsourced is just icing on the cake. Their user forum being down for a month doesn't really instill confidence with anybody. The super sloppy integration of Sales Force just says to me... "if we could get somebody else to build these..that would be easier..and we should do that."

Firewalls.com: Their reviews are from 2010 and biased. Thanks for the heads up though.
0
 
LVL 6

Expert Comment

by:Jon Snyderman
Great detailed, informed and well grounded answer. One note is that you are apparently dealing with the bottom of the barrel on support. I assume that you have not purchased gold support or have a competent reseller. I never roll a new release of Watchguard in large environments until testing it in my office and maybe rolling it to some of my more flexible customers. Gold support customers and resellers get only US based engineers with 2-4 hour response time. They are generally treated much more seriously. Thank you very much for your comments.

From my experience, I don't think that you will be any happier with companies like Sonicwall (even though they are Dell owned). I really think that companies like Palo Alto, Juniper or Cisco are going to be your best shot with that true understanding and commitment to enterprise needs.

Good luck.  
~Jon

http://jsbusinesssolutions.com
0

 

Author Comment

by:-TNT-
Because of the frequency of problems and nature of them and the hell I raised we were allowed Gold Support or direct to tier 2.

And thank goodness for that.. No more. What is your operating system, what color is your computer.. Now give me remote access and I am going to do a full TCP dump of your traffic... Don't worry it is secure here... in SalesForce... sigh..

Did you leave out Fortinet on purpose?

I really think that companies like Palo Alto, Juniper or Cisco are going to be your best shot with that true understanding and commitment to enterprise needs.
0
 
LVL 6

Expert Comment

by:Jon Snyderman
Not necessarily except that, of my larger customers, the ones I mentioned are the ones I've seen most.

Best of luck. I would be interested to know where you end up in the end.

Jon
0
 
LVL 24

Expert Comment

by:diverseit
Any update on this?
0
 

Accepted Solution

by:
-TNT- earned 0 total points
After a lot of time, thought and testing we have so far chosen to go the Fortinet route. Fortinet has very aggressive pricing and honestly very similar to WatchGuard. Interface wise, WatchGuard has Fortinet beat, hands down, not even a question.

Fortinet has shown a 150ms decrease in our front end web server testing running full IPS compared to WatchGuard... let me say that again... 150ms decrease in latency! Furthermore IPS is supposed to be much more thorough.

Last week WatchGuard (because they outsource everything) had a problem with their Web Blocker which caused sites like yahoo to be categorized as "SEX" and tumblr as "Proxy Avoidance". This was really the last straw.

Like I have said before, I really want WatchGuard to work. Their boxes look cool, their interface or GUI is the best, we all know how to use them and we have a lot of money invested already. However, we can't buy things that just look cool... they need to perform too and WatchGuard hasn't.

Fortinet boxes are cost effective, very fast and so far we have seen no problems.
0
 

Author Closing Comment

by:-TNT-
None of the comments were quite cohesive enough to provide the detail needed.
0
 
LVL 24

Expert Comment

by:diverseit
Yes, the reports are from 2010 (openly stated), but they are truthful and SonicWALL has only gotten better... I can't say the same for the other two. The bias comment is laughable, everything is biased, and they aren't making this stuff up or skewing results... get to know the products and you'll see the hardline facts.
0
