Leaving WatchGuard Firewalls - Fortinet or Check Point?

We have been a WatchGuard shop for years and years. Recently we have had so many big problems with them we are looking to start migrating away from WatchGuard to another UTM vendor. We have from the small XTM 2 & 3 series for the Small Business and the upper-end 5 series for some top of data-center rack stuff. Altogether about 20 boxes. With WatchGuard we have really enjoyed the XTM manager and user interface. Because of the familiarity of the product interface and number of boxes we already had, we stayed for about a year too long at WatchGuard.

We have considered the following:

Palo Alto Networks - We love them. Read great reviews about them. Just too expensive.

Fortinet - Leaning towards Fortinet. Good reviews, good products, everything seems in-house. I don't like how many switch ports the Fortigate products come with for some reason.

Check Point - Close second to Fortinet. Looking for a reason to put them first.

SonicWALL - Have read better reviews for Fortinet and Check Point.

Ultimately I am looking for somebody that is familiar with WatchGuard, Check Point and Fortinet and can provide qualified feedback. So for the small office all the way to protecting web servers.
-TNT- Author Commented:
After a lot of time, thought and testing we have so far chosen to go the Fortinet route. Fortinet has very aggressive pricing and honestly very similar to WatchGuard. Interface wise, WatchGuard has Fortinet beat, hands down, not even a question.

Fortinet has shown a 150ms decrease in our front end web server testing running full IPS compared to WatchGuard... let me say that again... 150ms decrease in latency! Furthermore IPS is supposed to be much more thorough.

Last week WatchGuard (because they outsource everything) had a problem with their Web Blocker which caused sites like yahoo to be categorized as "SEX" and tumblr as "Proxy Avoidance". This was really the last straw.

Like I have said before, I really want WatchGuard to work. Their boxes look cool, their interface or GUI is the best, we all know how to use them and we have a lot of money invested already. However, we can't buy things that just look cool... they need to perform too and WatchGuard hasn't.

Fortinet boxes are cost effective, very fast and so far we have seen no problems.
Blue Street Tech (Last Knights) Commented:
Hi -TNT-,

I know you're not looking for feedback on SonicWALL. I'll weigh in... take it or leave it.

I'd strongly recommend SonicWALL. I'm not sure which reviews you're looking at... but from experience, I can't say enough good things about them.

There is no comparison IMO between these competitors and SonicWALL when you compare the NGFWs' specs and cost... there's no better bang for your buck. Now Gen 3 & arguably Gen 4 SonicWALLs I wouldn't be singing the same tune.



Jon Snyderman Commented:
So I am chiming in here primarily out of curiosity and to watch the thread. I have worked with Watchguard, Sonic, Cisco ASA and PIX, Checkpoint years ago and even MS even though I try to avoid. From a volume and experience standpoint, I would put them in that order. I have sites that are extremely complex and similarly sized and are very happy with Watchguard. I don't want to paint a rosy picture because there have certainly been issues. But I have had equal or more issues with other vendors also. But when the going gets rough, WG usually comes through. I am very curious about your decision to leave. I know it may not seem relevant, but I believe it is since you want a replacement that will reduce that pain point. I am also curious if you have had a quality vendor working on your behalf when you have an issue? There were some issues with 11.7.4 and 11.8 but they were resolved very quickly and effectively.

Anyway, I am not looking to change your mind (maybe just a little) but more interested in your reasons and where you end up. I do agree with the previous poster that companies like Watchguard and Sonic have the best bang for the buck by far. But if you are stuck on moving away from Watchguard, I think that you are on the right track with going towards a higher grade solution like Fortinet or CheckPoint or Palo Alto or Juniper. When you get to that level, it's not as much about the product as it is the company's support and their comfort working in large or data center type environments. It's the innate understanding that larger businesses have the funds but don't have the flexibility and maintenance windows that smaller companies have. They need the reliability and the support to go along. Make sense?

I will disclose that I am primarily a Watchguard partner so that is my preference. But as I mentioned, I will be interested in your feedback and how this thread plays out.

Jon Snyderman Commented:
Sorry, one more thing. Be careful of the sites that the previous poster mentioned. Although laid out nice, it is a reseller of Sonicwall and much of the information comparing the products is outdated and some is simply incorrect.

I would continue down the research path that you are on by reading reviews and opinions (from unbiased sites that don't sell anything), put hard current numbers against each other and ask for input from others as you have done here.

-TNT- Author Commented:

Thank you for your reply. You make a lot of valid points. There is a lot about WatchGuard that I love and I really want to make them work, like really bad. Last year alone I personally spent over a week, yes a week working with WatchGuard resolving issues they broke (11.6 -> 11.7).

WatchGuard really cost us a lot of time when deploying 11.7. When 11.8 was released we only updated a few boxes which all but blew up. The throughput numbers have never ever been close or realistic.

I'm the guy on the WatchGuard forum that begs for Betas to be public or note the firmware as "Pre-Release" until stable. When firmware is generally released I expect it to be stable and secure. 11.8 was a joke. It shouldn't be like that for a security company.

Message To WatchGuard LINK
This is a lot of well put points. Especially the employee exit interviews.

If I were new to this scene I think I would fall in love with WatchGuard, just like I did years ago. Now knowing what I know and seeing the company declining (Gartner agrees) I just can't keep investing in something that I don't see making it the long haul.

I think you were saying that Fortinet or CheckPoint or Palo Alto or Juniper are on another level and I honestly see that is what we need. From a support standpoint with WatchGuard any savings upfront just bites you in the end, like I said, we spent weeks supporting bugs that year.

Everything being outsourced is just icing on the cake. Their user forum being down for a month doesn't really instill confidence with anybody. The super sloppy integration of Sales Force just says to me... "if we could get somebody else to build these..that would be easier..and we should do that."

Firewalls.com: Their reviews are from 2010 and biased. Thanks for the heads up though.

Jon Snyderman Commented:
Great detailed, informed and well grounded answer. One note is that you are apparently dealing with the bottom of the barrel on support. I assume that you have not purchased gold support or have a competent reseller. I never roll a new release of Watchguard in large environments until testing it in my office and maybe rolling it to some of my more flexible customers. Gold support customers and resellers get only US based engineers with 2-4 hour response time. They are generally treated much more seriously. Thank you very much for your comments.

From my experience, I don't think that you will be any happier with companies like Sonicwall (even though they are Dell owned). I really think that companies like Palo Alto, Juniper or Cisco are going to be your best shot with that true understanding and commitment to enterprise needs.

Good luck.  

-TNT- Author Commented:
Because of the frequency of problems and nature of them and the hell I raised we were allowed Gold Support or direct to tier 2.

And thank goodness for that.. No more. What is your operating system, what color is your computer.. Now give me remote access and I am going to do a full TCP dump of your traffic... Don't worry it is secure here... in SalesForce... sigh..

Did you leave out Fortinet on purpose?

I really think that companies like Palo Alto, Juniper or Cisco are going to be your best shot with that true understanding and commitment to enterprise needs.

Jon Snyderman Commented:
Not necessarily except that, of my larger customers, the ones I mentioned are the ones I've seen most.

Best of luck. I would be interested to know where you end up in the end.

Blue Street Tech (Last Knights) Commented:
Any update on this?

-TNT- Author Commented:
None of the comments were quite cohesive enough to provide the detail needed.

Blue Street Tech (Last Knights) Commented:
Yes, the reports are from 2010 (openly stated), but they are truthful and SonicWALL has only gotten better... I can't say the same for the other two. The bias comment is laughable, everything is biased, and they aren't making this stuff up or skewing results... get to know the products and you'll see the hardline facts.