Solved

Leaving WatchGuard Firewalls - Fortinet or Check Point?

Posted on 2013-12-14
Last Modified: 2014-01-21
We have been a WatchGuard shop for years and years. Recently we have had so many big problems with them we are looking to start migrating away from WatchGuard to another UTM vendor. We have from the small XTM 2 & 3 series for the Small Business and the upper-end 5 series for some top of data-center rack stuff. Altogether about 20 boxes. With WatchGuard we have really enjoyed the XTM manager and user interface. Because of the familiarity of the product interface and number of boxes we already had we stayed for about a year too long at WatchGuard.

We have considered the following:

Palo Alto Networks - We love them. Read great reviews about them. Just too expensive.

Fortinet - Leaning towards Fortinet. Good reviews, good products, everything seems in-house. I don't like how many switch ports the Fortigate products come with for some reason.

Check Point - Close second to Fortinet. Looking for a reason to put them first.

SonicWALL - Have read better reviews for Fortinet and Check Point.

Ultimately I am looking for somebody that is familiar with WatchGuard, Check Point and Fortinet and can provide qualified feedback. So for the small office all the way to protecting web servers.
Question by:-TNT-
12 Comments
 
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 100 total points
ID: 39719593
Hi -TNT-,

I know you're not looking for feedback on SonicWALL. I'll weigh in... take it or leave it.

I'd strongly recommend SonicWALL. I'm not sure which reviews you're looking at... but from experience, I can't say enough good things about them.

There is no comparison IMO between these competitors and SonicWALL when you compare the NGFWs specs and cost... there's no better bang for your buck. Now Gen 3 & arguably Gen 4 SonicWALLs I wouldn't be singing the same tune.

http://www.firewalls.com/sonicwall_vs_fortigate/

http://www.firewalls.com/sonicwall_vs_watchguard

Cheers!
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 200 total points
ID: 39719944
So I am chiming in here primarily out of curiosity and to watch the thread. I have worked with Watchguard, Sonic, Cisco ASA and PIX, Checkpoint years ago and even MS even though I try to avoid. From a volume and experience standpoint, I would put them in that order. I have sites that are extremely complex and similarly sized and are very happy with Watchguard. I don't want to paint a rosy picture because there have certainly been issues. But I have had equal or more issues with other vendors also. But when the going gets rough, WG usually comes through. I am very curious about your decision to leave. I know it may not seem relevant, but I believe it is since you want a replacement that will reduce that pain point. I am also curious if you have had a quality vendor working on your behalf when you have an issue? There were some issues with 11.7.4 and 11.8 but they were resolved very quickly and effectively.

Anyway, I am not looking to change your mind (maybe just a little) but more interested in your reasons and where you end up. I do agree with the previous poster that companies like Watchguard and Sonic have the best bang for the buck by far. But if you are stuck on moving away from Watchguard, I think that you are on the right track with going towards a higher grade solution like Fortinet or CheckPoint or Palo Alto or Juniper. When you get to that level, it's not as much about the product as it is the company's support and their comfort working in large or data center type environments. It's the innate understanding that larger businesses have the funds but don't have the flexibility and maintenance windows that smaller companies have. They need the reliability and the support to go along. Make sense?

I will disclose that I am primarily a Watchguard partner so that is my preference.  But as I mentioned, I will be interested in your feedback and how this thread plays out.    

~Jon
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39719960
Sorry, one more thing.   Be careful of the sites that the previous poster mentioned.   Although laid out nice, it is a reseller of Sonicwall and much of the information comparing the products is outdated and some is simply incorrect.  

I would continue down the research path that you are on by reading reviews and opinions (from unbiased sites that don't sell anything), put hard current numbers against each other and ask for input from others as you have done here.

~Jon
 

Assisted Solution

by:-TNT-
-TNT- earned 0 total points
ID: 39720117
Jon,

Thank you for your reply. You make a lot of valid points. There is a lot about WatchGuard that I love and I really want to make them work, like really bad. Last year alone I personally spent over a week, yes a week working with WatchGuard resolving issues they broke (11.6 -> 11.7).

WatchGuard really cost us a lot of time when deploying 11.7. When 11.8 was released we only updated a few boxes which all but blew up. The throughput numbers have never ever been close or realistic.

I'm the guy on the WatchGuard forum that begs for Betas to be public or note the firmware as "Pre-Release" until stable. When firmware is generally released I expect it to be stable and secure. 11.8 was a joke. It shouldn't be like that for a security company.

Message To WatchGuard LINK
This is a lot of well put points. Especially the employee exit interviews.

If I were new to this scene I think I would fall in love with WatchGuard, just like I did years ago. Now knowing what I know and seeing the company declining (Gartner agrees) I just can't keep investing in something that I don't see making it the long haul.

I think you were saying that Fortinet or CheckPoint or Palo Alto or Juniper are on another level and I honestly see that is what we need. From a support standpoint with WatchGuard any savings upfront just bites you in the end, like I said, we spent weeks supporting bugs that year.

Everything being outsourced is just icing on the cake. Their user forum being down for a month doesn't really instill confidence with anybody. The super sloppy integration of Sales Force just says to me... "if we could get somebody else to build these..that would be easier..and we should do that."

Firewalls.com: Their reviews are from 2010 and biased. Thanks for the heads up though.
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39720156
Great detailed, informed and well grounded answer.   One note is that you are apparently dealing with the bottom of the barrel on support.   I assume that you have not purchased gold support or have a competent reseller.   I never roll a new release of Watchguard in large environments until testing it in my office and maybe rolling it to some of my more flexible customers.  Gold support customers and resellers get only US based engineers with 2-4 hour response time.   They are generally treated much more seriously.  Thank you very much for your comments.    

From my experience, I don't think that you will be any happier with companies like Sonicwall (even though they are Dell owned). I really think that companies like Palo Alto, Juniper or Cisco are going to be your best shot with that true understanding and commitment to enterprise needs.

Good luck.  
~Jon

http://jsbusinesssolutions.com
 

Author Comment

by:-TNT-
ID: 39720294
Because of the frequency of problems and nature of them and the hell I raised we were allowed Gold Support or direct to tier 2.

And thank goodness for that.. No more. What is your operating system, what color is your computer.. Now give me remote access and I am going to do a full TCP dump of your traffic... Don't worry it is secure here... in SalesForce... sigh..

Did you leave out Fortinet on purpose?

I really think that companies like Palo Alto, Juniper or Cisco are going to be your best shot with that true understanding and commitment to enterprise needs.
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39720360
Not necessarily except that, of my larger customers, the ones I mentioned are the ones I've seen most.

Best of luck. I would be interested to know where you end up in the end.

Jon
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39778839
Any update on this?
 

Accepted Solution

by:-TNT-
-TNT- earned 0 total points
ID: 39779765
After a lot of time, thought and testing we have so far chosen to go the Fortinet route. Fortinet has very aggressive pricing and honestly very similar to WatchGuard. Interface wise, WatchGuard has Fortinet beat, hands down, not even a question.

Fortinet has shown a 150ms decrease in our front end web server testing running full IPS compared to WatchGuard.... let me say that again.. 150ms decrease in latency! Furthermore IPS is supposed to be much more thorough.

Last week WatchGuard (because they outsource everything) had a problem with their Web Blocker which caused sites like yahoo to be categorized as "SEX" and tumblr as "Proxy Avoidance". This was really the last straw.

Like I have said before, I really want WatchGuard to work. Their boxes look cool, their interface or GUI is the best, we all know how to use them and we have a lot of money invested already. However, we can't buy things that just look cool.. they need to perform too and WatchGuard hasn't.

Fortinet boxes are cost effective, very fast and so far we have seen no problems.
 

Author Closing Comment

by:-TNT-
ID: 39791923
None of the comments were quite cohesive enough to provide the detail needed.
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39793798
Yes, the reports are from 2010 (openly stated), but they are truthful and SonicWALL has only gotten better... I can't say the same for the other two. The bias comment is laughable, everything is bias, and they aren't making this stuff up or skewing results... get to know the products and you'll see the hardline facts.