Fortinet Fortigate and Watchguard Firebox Buyer'S Guide and Reviews March 2020

Fortinet FortiGate
and
WatchGuard Firebox
Buyer's Guide and Reviews
March 2020
Fortinet FortiGate and WatchGuard Firebox
Get a custom version of this report...personalized for you!

Thanks for downloading this IT Central Station report.
Note that this is a generic report based on reviews and opinions from the entire IT
Central Station community. We offer a customized report personalized for you based on:
• Your industry
• Company size
• Which solutions you're already considering
It includes recommendations for you based on what other people like you are researching and
using.
It takes 2-3 minutes to get the report using our shortlist builder wizard. We recommend it!
Get your personalized report here.
2
Contents
Advice From Real Users 4-9
Top Review by Topic of Fortinet FortiGate and WatchGuard Firebox 10-12
Overview 13
Reviews From Real Users 14-22
Vendor Directory 23
Top Firewalls Vendors 24-25
Top 5 Solutions by Ranking Factor 26
About This Report and IT Central Station 27
© 2020 IT Central Station

To read more reviews please visit https://www.itcentralstation.com/products/comparisons/fortinet-fortigate_vs_watchguard-firebox?tid=pdf_comp_20215-31908
3
Advice From Real Users
Fortinet FortiGate
PROS
"SSL-VPN is very useful for us and has been very reliable." [Full Review]
Mark
DeLong
"FortiGate Secure SD-WAN includes best-of-breed next-generation firewall (NGFW) security, SD-WAN, advanced routing, and WAN
optimization capabilities, delivering a security-driven networking WAN edge transformation in a unified offering." [Full Review]
Mohsinoddi
Mohammed
"Advanced routing (RIP, OSPF, BGP, PBR)." "It gives you a seamless and simple integration into a large network." [Full Review]
Chingiz
Abdukarimo
v
"The most valuable feature is the VDOM, which allows the customer to have multiple firewalls in a single campus." [Full Review]
Narendra
Singh
"The security features are about the best that I've seen anywhere." [Full Review]
Kofi Osei-
Appaw
"It blocks the vulnerabilities that can negatively impact us." [Full Review]
Ibrahim El
Sayed
"Anti-Spam web content filterinG." [Full Review]
MaheshPate
l

4
Fortinet FortiGate
CONS
"The user interface could be improved to make it less confusing and easier to set up." [Full Review]
Mark
DeLong
"There is a lot of improvement needed with SSL-VPN." [Full Review]
Mohsinoddi
Mohammed
"I think there could be more QoS features" [Full Review]
Chingiz
Abdukarimo
v
"Improvement is needed in the Web Filter quotas to restrict users with allocated quotas." [Full Review]
Narendra
Singh
"Technical support for this solution can be improved." [Full Review]
Kofi Osei-
Appaw
"I would like to have logs, monitoring, and reporting for a month without extra fees." [Full Review]
Ibrahim El
Sayed
"The Web-filter in this solution is not very good." [Full Review]
Zhargal
Solovyev

5
Fortinet FortiGate
PRICING AND LICENSING ADVICE
"Fortinet Secure SD-WAN delivered the lowest total cost of ownership (TCO) per Mbps among all other vendors." [Full Review]
Mohsinoddi
Mohammed
"Setup cost may be not so low, as you expect, because it depends on different factors, but TCO for 5 years may pleasantly surprise
you." [Full Review]
Chingiz
Abdukarimo
v
"The pricing for this solution is good." [Full Review]
Kofi Osei-
Appaw
"Before choosing a piece of equipment you have to take into account the cost-benefit offered by each one." "Sometimes it is not
worth paying a very cheap price to have a minimum level of security." [Full Review]
Fernando
Neto
"Each feature costs money, so it is important to study your needs." [Full Review]
Directcust45
64
"I would say that all things considered, the pricing is pretty good." [Full Review]
VeerSharma
"Fortinet is reasonable in pricing and licensing." "Overall, FortiGate is affordable." "The licensing fee can be a little high, depending
on the budget for your project." [Full Review]
DaleYeh

6
WatchGuard Firebox
PROS
"The solution has increased productivity with our outside salespeople being able to connect into their computers and use those
remotely." [Full Review]
Tyson
Swank
"It's hard to pick one feature over another." "But if I had to pick one, the UTM would be the most valuable because of the
notification." "I get notified via email if there is any type of threat detection or alert, telling me something is wrong." [Full Review]
reviewer123
0873
"The most valuable feature is the ease of use of the interface." [Full Review]
reviewer122
9901
"It's very easy to use, especially compared to similar products." "A lot more users use the WatchGuard appliance now than use the
SonicWall appliance because of the ease of usability." [Full Review]
AllenHillstro
m
"The most valuable features of this solution are live logging, rule setup and maintenance, and VPN creation." [Full Review]
Christian
Watt
"Intrusion Prevention is my primary focus so that's what I find most useful." "The why is straightforward: It's to prevent intrusion." [Full
Review]
HalChernoff
"[A] valuable feature would be the branch office." "We have five offices throughout the United States, and it coordinates the
connections of those offices." [Full Review]
JasonGiles

7
WatchGuard Firebox
CONS
"The few issues that we have had, such as not knowing where to go, they have been answered quickly." [Full Review]
Tyson
Swank
"Websense is an application that monitors and filters internet traffic." "Websense was derived from WatchGuard." "But when you go
to WatchGuard to actually implement that particular feature, you have to use some type of additional feature and you have to pay
for it, unfortunately." "I think it should be free or free in the WatchGuard box itself, as an option." "It would be nice if they didn't
reviewer123 charge us for that." [Full Review]
0873
"The reporting is a little on the weak side." "I would like to see a better reporting set and easier drill-down options." [Full Review]
reviewer122
9901
"There is a slight learning curve." [Full Review]
AllenHillstro
m
"We would like to see granular notification settings and more advanced filtering in traffic monitoring." [Full Review]
Christian
Watt
"I'd like to have better access to workstation monitoring, connection monitoring, and the amount of time an address is being used,
to better gauge proper network utilization." "If I knew that something was connected to a particular external location for an
extended period that seems abnormal, I'd be able to act upon it." [Full Review]
HalChernoff
"In terms of the reporting and management features — and this isn't necessarily a WatchGuard issue, this seems to be more of an
industry-wide issue — you get reports, but a lot of times you don't know what you're looking at." "You're so overwhelmed with the
data." "You're getting a lot of stuff that doesn't matter, so it takes time to parse through it, to actually get what you want to know."
JasonGiles [Full Review]

8
WatchGuard Firebox
PRICING AND LICENSING ADVICE
"We don't have any other costs other than the licensing stuff." [Full Review]
Tyson
Swank
"The cost was somewhere in the vicinity of $2,000 to $3,000 for each one..." [Full Review]
reviewer123
0873
"It costs me about $800 a year." [Full Review]
HalChernoff
"I buy a three-year renewal on the main device, which is usually around $3,000 to $4,000." "They usually upgrade the device when
I do it." "You get a big discount when you do three years." [Full Review]
JasonGiles
"Their price point worked, which is the reason why we stayed with WatchGuard." [Full Review]
John Giacco
"We pay about $3,500 every three years." [Full Review]
John Rhines
"I think we might be subscribed to one or two of the premium features." [Full Review]
Jon Leib

9
Top Reviews by Topic

Fortinet FortiGate WatchGuard Firebox
VALUABLE
FEATURES Chingiz Abdukarimov ITManagedf70
Good VPN, both IPSEC and SSL (web-mode, One of my favorite features is the Geolocation
tunnel-mode). An engineer/network administrator service, where you can actually block specific
has tools to debug VPN issues that can occur activity or IP addresses registered to certain
during tunnel setup with other vendors' countries. For example, I don't want any web
equipment. SD-WAN feature at no cost. This is traffic from Russia or North Korea. I may even lock
really great feature for remote locations (branch down certain policies down to "I only want U.S. IP
offices) and HQ, application steering between addresses." I find that very useful. That was not a
many ISP links becomes a simple task. Steering feature that was initially there for us. It was
can be done dynamically by measuring link quality something WatchGuard released after we bought
(latency, jitter, packet loss, available bandwidth). our first device with them and it is one I am very
Single Sign On support with deep LD... [Full happy with. I ... [Full Review]
Review]
JasonGiles
Andrew S. Baker (ASB)
The basic firewall features, or just the routing, are

* The CLI is robust and powerful, enabling rapid, the most valuable because that's how we
consistent changes via SSH. The device configure our network. The second valuable
identification is very flexible, facilitating the feature would be the branch office. We have five
creation of rules to regulate all sorts of devices offices throughout the United States, and it
that might spring up on a network, especially via coordinates the connections of those offices. And
WiFi. * The IPsec tunnels are very easily created, the filtering features are okay. It layers security in
and quite interoperable with devices from other the sense that it does isolate different networks. I
vendors. * WAN load-balancing has improved, but have in-house web hosting and that's more of a
needs some refinement. You can set up a different DMZ-type thing sitting out in the open, so that it
DDNS config for each WAN link. It is great to be has to be iso... [Full Review]
able largely u... [Full Review]
Joseph Jansen
Cesar Nieves
What I like most is the analytical side. It's pretty

It's a complete solution. You can purchase simple to understand when you want to do any
switches and you don't need to do anything with diagnostics on your network. If you want to go in
them. You just put in the firewall and the switches and see what packages are having trouble getting
get all the policies and rules that you already have through, what's being held, stalled, etc., it's very
in the firewall. That's a very nice feature because easy to use in that way. In terms of the usability
with, for example, Cisco, you need to set the overall, it's pretty simple but, at the same time, it's
switch, you need to set the firewall, and you need pretty full-featured in terms of what it can do. We
to test it. With Fortinet, you just connect the only use part of it, only because that's where we're
FortiSwitch to the Fortinet and that's it. It's very at right now. But for a small network,... [Full
easy. In the last version of the FortiOS - the Review]
operati... [Full Review]

10

IMPROVEMENTS
TO MY Chingiz Abdukarimov ITManagedf70
ORGANIZATION
Better manageability: opening and closing With WatchGuard, I've got a lot of WebBlocker
ports/services, adding addresses is done very rules set up which help quite a bit, blocking a lot
quick (can be done in single page of the web GUI). of suspicious and parked domains. Between
Outstanding reporting tools when coupled with WebBlocker, the Botnet Detection, the website
FortiAnalyzer (Fortinet's log collector and reputation filters going, and IPS - which is one that
reporting tool) help meet compliance (there are is essential, but nobody really talks about a whole
PCIDSS, HIPAA and many more report types). lot; between all those things working together,
Better security posture: safe web access, less and even the antivirus, I feel our network is pretty
spam and viruses in incoming email messages, clean. And if there is some suspicious activity, I
very granular AppControl, blocking vulnerability think I have a better chance of being alerted to it.
exploitation attempts and traffic anoma... [Full I'v... [Full Review]
Review]
JasonGiles
Andrew S. Baker (ASB)
The biggest way that it has advanced us is that

The first implementation I performed of a when we started adding additional locations, it
FortiGate 200D was to replace a Juniper SSG-140 became surprisingly easy to do that, to create
in a main corporate office. This implementation branch-office VPNs. When I was first tasked with
provided improved network administration and that, I was overwhelmed with it. I thought, "This is
network performance. We also received more going to be really difficult." But it was really simple.
timely security updates, and it became easier to I've never actually done this, but they have the
connect all of the other offices together (via an ability to program a box and ship it out there. It'll
IPsec VPN mesh). As additional FortiOS releases identify it by its number and just do the setup
have come out, we have obtained more flexibility automatically. I've never been brave enough to ...
in device identification and WAN load-balancing, [Full Review]
among other things. [Full Review]
Joseph Jansen
Neal Tipton
It has made firewall configuration really simple. It

We use a southern institution that's audited for IT doesn't take years of training or certificates to go
security and the reporting that automatically in and manage it. That's a big deal. We set up our
comes off the unit makes it much easier to meet firewall, operating as a VPN. It's bringing several
compliance standards and makes it easier as far networks together and it made that process easy.
as the amount of time that has to be spent to In terms of my job, it's taken so little of my
compile that information. If you get your reporting attention. I have worked with Cisco firewalls and
set up correctly when you initially set it up, you they were complex. WatchGuard is easily
just select the one you want and hit print. The understood and managed. It's easy to watch traffic
auditing trail on it is the best features. [Full Review] go through the network, to look for ports that are
clo... [Full Review]

11

ROOM FOR
IMPROVEMENT Chingiz Abdukarimov ITManagedf70
I think there could be more QoS features in GUI. Reporting is something you've got to set up
FortiGate has Traffic Shaping feature that is separately. It's one of those things that you've got
enough in most cases when shaping egressing to put some time into. One of the options is to set
packets, but sometimes I just need 802.1p up a local report server, which is what I did. It's not
prioritizing (Class of Service) of incoming packets great. It's okay. I've heard their Dimension control
and manual ingress queue assignment. This is reporting virtual machine is supposed to be a lot
what would be nice to have, but I realize that such better, but I haven't had the time our resources to
a job is more efficiently done by L4 switch set that up. Some of the stuff is a little complicated
standing before firewall. Fortinet has a FortiSwitch to get up and running. Once you do, it becomes
that can do it, and it also can be controlled by very user-friendly and easy to work wi... [Full
FortiGate via FortiLink ... [Full Review] Review]
Andrew S. Baker (ASB) JasonGiles
WAN load-balancing could be a lot better at We have several branch offices. Those things run,
detecting when a link is poor or inconsistent, and you forget about them. My biggest gripe was
not just flat out dead. There are lots of options for when I went to update some of my devices, to try
routing traffic over a specific path when you have to make some speed improvements, not only did I
WAN load-balancing enabled, but they are not as get hit with, "You need to renew your
clear and consistent as they could be, and most LiveSecurity," but there was this reinstatement fee
can only be set at the CLI. Some configuration that they threw in on top of it. That really angered
elements cannot be easily altered once created. me, to the point that I canceled the entire order. I
For instance, there is no way to rename an actually almost replaced some of those devices
interface (say, for a VPN tunnel), unless you create and I'm looking to replace them because of that
an entirely n... [Full Review] type of thing. It'... [Full Review]
Neal Tipton Joseph Jansen
They should make the rule sets more One of the things that is always valuable is
understandable for the end user. When you're workshops. It's really hard to get away and do
trying to explain to somebody how a computer webinars, but what I would like is a selection of
network is secured, sometimes it's difficult for an webinars. I see WatchGuard comes forward with a
end user or customer to understand. If there was a webinar where they're going to introduce this or
way to make the terminology more accessible to that. I'd like to see a lot more of those and a lot
the end user, the set up could be easier. They shorter. On lynda.com I can just point to a video to
should translate the technical jargon to an easily show me something I need to know how to do; for
relatable and understandable conversation for the example, how to merge contacts in Outlook. But it
end user, the customer. Particularly in an is a ten-minute video. I would like to see more of
environment where the IT structur... [Full Review] that ki... [Full Review]

12
Overview
SOLUTION Fortinet FortiGate WatchGuard Firebox
OVERVIEW The FortiGate family of NG firewalls provides WatchGuard's approach to network security
proven protection with unmatched performance focuses on bringing best-in-class, enterprise-
across the network, from internal segments, to grade security to any organization, regardless of
data centers, to cloud environments. FortiGates size or technical expertise. Ideal for SMBs and
are available in a large range of sizes and form distributed enterprise organizations, our award-
factors and are key components of the Fortinet winning Unified Threat Management (UTM)
Security Fabric, which enables immediate, appliances are designed from the ground up to
intelligent defense against known and new threats focus on ease of deployment, use, and ongoing
throughout the entire network. management, in addition to providing the
strongest security possible.
SAMPLE Pittsburgh Steelers, LUSH Cosmetics, NASDAQ, Ellips, Diecutstickers.com, Clarke Energy, NCR,
CUSTOMERS
Verizon, Arizona State University, Levi Strauss & Wrest Park, Homeslice Pizza, Fortessa Tableware
Co. Solutions, The Phoenix Residence
Whitepaper and case studies here
TOP Cisco ASA NGFW vs. Fortinet FortiGate Fortinet FortiGate vs. WatchGuard Firebox
COMPARISONS Compared 19% of the time Compared 24% of the time
Sophos UTM vs. Fortinet FortiGate pfSense vs. WatchGuard Firebox

Compared 14% of the time Compared 14% of the time
Palo Alto Networks WildFire vs. Fortinet FortiGate Sophos XG vs. WatchGuard Firebox
Compared 11% of the time Compared 10% of the time
TOP INDUSTRIES, Healthcare Company ... 8% Museum Or Institution ... 6%

BASED ON Real Estate/Law Firm ... 8% Health, Wellness And Fitness Company ... 6%
REVIEWERS*
Financial Services Firm ... 9% Construction Company ... 17%
Comms Service Provider ... 13% Manufacturing Company ... 22%
TOP INDUSTRIES, Cloud Provider ... 5% Media Company ... 9%
BASED ON Media Company ... 8% Comms Service Provider ... 12%
COMPANIES
READING REVIEWS* Comms Service Provider ... 18% Transportation Company ... 13%
Software R&D Company ... 23% Software R&D Company ... 16%
COMPANY SIZE, 1001+ Employees ... 25% 1001+ Employees ... 4%
BASED ON 201-1000 Employees ... 26% 201-1000 Employees ... 26%
REVIEWERS*
1-200 Employees ... 49% 1-200 Employees ... 70%
COMPANY SIZE, 1-200 Employees ... 55%
BASED ON 201-1000 Employees ... 27%
COMPANIES
READING REVIEWS* 1001+ Employees ... 17%
* Data is based on the aggregate profiles of IT Central Station Users researching this solution.

13
Fortinet FortiGate review by a real user
Don't underestimate FortiAnalyzer. It can give you a better

understanding of what is going on in your network.
Senior Network & Security Engineer at a

integrator with 11-50 employees
Chingiz
Abdukarimov
WHAT IS OUR PRIMARY USE CASE?
We used FG-90D as UTM device to protect some users and servers, and also to enable inter-vlan routing with advanced security
policies inside our lab zone. We also use FG-500D in transparent mode in front of Cisco ASA for advanced and high performance
protection by applying IPS, AV, AntiSpam, App.Control and DoS-protection profiles.
HOW HAS IT HELPED MY ORGANIZATION?
Better manageability: opening and closing ports/services, adding addresses is done very quick (can be done in single page of the
web GUI). Outstanding reporting tools when coupled with FortiAnalyzer (Fortinet's log collector and reporting tool) help meet
compliance (there are PCIDSS, HIPAA and many more report types). Better security posture: safe web access, less spam and
viruses in incoming email messages, very granular AppControl, blocking vulnerability exploitation attempts and traffic anomalies
by IPS, preventing DoS attacks by DoS policies.
WHAT IS MOST VALUABLE?
Good VPN, both IPSEC and SSL (web-mode, tunnel-mode). An engineer/network administrator has tools to debug VPN issues that
can occur during tunnel setup with other vendors' equipment.
SD-WAN feature at no cost. This is really great feature for remote locations (branch offices) and HQ, application steering between
many ISP links becomes a simple task. Steering can be done dynamically by measuring link quality (latency, jitter, packet loss,
available bandwidth).
Single Sign On support with deep LDAP integration (several variants for environments with different scales), RADIUS
authentication. Can work as transparent and explicit web-proxy, the last option supports Kerberos authentication which requires
no agents installed on any windows server.
Human readable firewall policies with editable security policies and addresses in single page. This is very useful and time saving
feature.
Firmware upgrade process is very simple, even for cluster configurations it is fully automated by default.
Straightforward SNAT and DNAT; you may work in two ways: with Central NAT rules configuration and by applying translation
directly inside firewall policies.
14
Bulk CLI commands are uploaded via gui in script file (portions of config file). VDOMs are very useful when you need to grant
admin role to clients separately. VDOMs in FortiGate can be represented in FortiAnalyzer's ADOMs (administrative domain), which
can have different log storage policies, event handling and alerting configurations. You can create one VDOM working in
NAT/Route mode, and another VDOM working in Transparent mode.
If you don't want to create and use second VDOM you can still transparently inspect traffic at layer 2 level while having only one
VDOM in NAT/Route mode. This is achived by configuring Virtual Wire Pair ports that work like a separate bridge.
Ability to capture packets going through any interface of device (and VM too). You can set number of packets, filter out packets by
IP and port number for particular troubleshooting purposes, then download a .pcap file from web gui and analyze it in your favorite
programm. Advanced routing (RIP, OSPF, BGP, PBR). It gives you a seamless and simple integration into a large network. IPS, AV,
Web Filter, AppControl profiles are working very well. SSL Inspection and CASI (Cloud Access Security Inspection) profiles. Rich
logging options allow you troubleshoot most problems.Straightforward HA with different redundancy schemas.IPv6 support.
WHAT NEEDS IMPROVEMENT?
I think there could be more QoS features in GUI. FortiGate has Traffic Shaping feature that is enough in most cases when shaping
egressing packets, but sometimes I just need 802.1p prioritizing (Class of Service) of incoming packets and manual ingress queue
assignment. This is what would be nice to have, but I realize that such a job is more efficiently done by L4 switch standing before
firewall. Fortinet has a FortiSwitch that can do it, and it also can be controlled by FortiGate via FortiLink protocol.
[Firmware version FortiOS 6.2 update]: There are a lot of improved and newly added things, so it is very hard to imagine any
additional features.
FOR HOW LONG HAVE I USED THE SOLUTION?
Four years.
WHAT DO I THINK ABOUT THE STABILITY OF THE SOLUTION?
Small models (up to FG-90) are build on SoC (System on a Chip), so they need to be mounted in places with enough airflow and
right temperature, otherwise they could hang, slow down traffic processing, but more often you just can't log in to the device's
web-interface (reboot won't help you until it cools down). Actually, that's not an issue. It is a technical requirement for operating
environment to be 5-40 degrees (but at 35 degrees with poor airflow there may be issues mentioned above).
WHAT DO I THINK ABOUT THE SCALABILITY OF THE SOLUTION?
For large scale deployment I would suggest to look at FortiManager, a central management point for large amount of FortiGates. I
have tested the solution and found it quite useful. I could download configuration from any device and install edited list of policies
to several devices simultaneously through a couple of clicks. Also I liked functionality of clearing out Address objects list from
unused entries. It can be configured to be a central repository of firmware and updates, and a local rating server (url and antispam
rating services) which can improve rating lookup latency value.
15
Continued from previous page
HOW ARE CUSTOMER SERVICE AND TECHNICAL SUPPORT?
Technical support is good (in average).
WHICH SOLUTION DID I USE PREVIOUSLY AND WHY DID I SWITCH?
We used an old IPS from Cisco. We switched because of End-of-Support on that device.
HOW WAS THE INITIAL SETUP?
Initial setup in plain networks is very straightforward. For large environment you should prepare beforehand, because FortiGate is
a highly-tunable and feature rich product, so you must have a plan with many considered details.
WHAT ABOUT THE IMPLEMENTATION TEAM?
We did not engage a vendor team. Documentation is good enough to implement with an in-house team.
WHAT'S MY EXPERIENCE WITH PRICING, SETUP COST, AND LICENSING?
Setup cost may be not so low, as you expect, because it depends on different factors, but TCO for 5 years may pleasantly surprise
you.
WHICH OTHER SOLUTIONS DID I EVALUATE?
Palo Alto, Cisco ASA, CheckPoint
16
WHAT OTHER ADVICE DO I HAVE?
Many interesting things are hidden in CLI, they can help you in different situations. Web-interface (GUI) is primarily intended for
day-to-day routine. Don't underestimate FortiAnalyzer. It can give you a better understanding of what is going on in your network.
When FortiGate sends logs to FortiAnalyzer, FortiAnalyzer inserts received log data into database. Predefined and customizable
data queries, charts and reports can significantly help you by visualizing problem points, so you can thoroughly investigate
security events and traffic behavior anomalies. FortiGate is a constantly evolving product, so pay attention to FortiOS version it
runs.
WHICH DEPLOYMENT MODEL ARE YOU USING FOR THIS SOLUTION?
On-premises

17
WatchGuard Firebox review by a real user
Setup, and setting up the routing — normally very complicated

processes — are intuitive
IT Manager at WTS Media (Wholesale Tape &

Supply)
JasonGiles
WHAT IS OUR PRIMARY USE CASE?
It's our main firewall. We have over 120 hosts that flow through it.
HOW HAS IT HELPED MY ORGANIZATION?
The biggest way that it has advanced us is that when we started adding additional locations, it became surprisingly easy to do
that, to create branch-office VPNs. When I was first tasked with that, I was overwhelmed with it. I thought, "This is going to be
really difficult." But it was really simple. I've never actually done this, but they have the ability to program a box and ship it out
there. It'll identify it by its number and just do the setup automatically. I've never been brave enough to just let it go automatically,
but when I do get it in my office and set it up for the branch office, it's just a matter of just plugging in the right numbers. It works
and it's very stable. That enables us to do some incredible things. WatchGuard has been mostly cost-effective compared to other
firewall systems that are out there, given the power that it has and the ease. I complain about the usability, but things such as how
to set them up and how to set up the routing up are, at least, intuitive. So that's been invaluable. It's one of the reasons why I
haven't moved away from them or been tempted to move away from them. These setups are very complicated and WatchGuard
makes it very easy. It does simplify my job in the sense that it's easy to set up a VPN. Setting up a branch-office VPN is rather
simple, but when I have remote users, such as myself or remote salespeople who are operating out of their homes, I can use
whatever solutions are out there; the software that makes it easy for them to connect. That avoids my having to go out and buy
really expensive solutions like TeamViewer or LogMeIn. They are always clunky, always hard to navigate around in. With
WatchGuard, remote users can pop in straight through the VPN and then RDP into their remote desktops. And everything works
very smoothly and rather quickly. Anytime you VPN it's not super-fast, but it has been rather efficient and is a huge advantage. It
makes my job a lot easier because I don't have to try to troubleshoot somebody else's TeamViewer account. WatchGuard has
saved me time versus having to manually help people with their remote connections. It saves me about ten to 15 hours a month of
work, not having to do all that.
18
WHAT IS MOST VALUABLE?
The basic firewall features, or just the routing, are the most valuable because that's how we configure our network. The second
valuable feature would be the branch office. We have five offices throughout the United States, and it coordinates the connections
of those offices. And the filtering features are okay. It layers security in the sense that it does isolate different networks. I have in-
house web hosting and that's more of a DMZ-type thing sitting out in the open, so that it has to be isolated from our network. It has
Gateway antivirus, which is important. It has Gateway spam protection, but I've never actually seen it do anything. That could be
because our regular spam filters grab it before it gets a chance to. It's not a direct user-security thing. Another level of security is
that I do keep our guest WiFi network separate from our main WiFi network. Even though WatchGuard doesn't manage our WiFi, it
does play the traffic-cop between those two networks and keeps them separate. It's more IP-based routing security than anything
else.
WHAT NEEDS IMPROVEMENT?
We have several branch offices. Those things run, you forget about them. My biggest gripe was when I went to update some of my
devices, to try to make some speed improvements, not only did I get hit with, "You need to renew your LiveSecurity," but there
was this reinstatement fee that they threw in on top of it. That really angered me, to the point that I canceled the entire order. I
actually almost replaced some of those devices and I'm looking to replace them because of that type of thing. It's fair to pay for
services like filtering, etc., but I don't feel it's fair to pay for updates to a product because they're patching and fixing and updating
their product because of bugs. If I want to pay for the next version of something that gives me additional features, that's fair. But to
have to pay a reinstatement fee and that sort of thing, I find it to be a very poor and unethical practice. We'd never do that to our
customers. The reason I haven't thrown a huge fit is because everybody does it. SonicWall will do it; Cisco. All those guys do that
kind of thing. I really don't like that, particularly because you're talking about a device that you paid $300 for, and the
reinstatement fees are another $200-plus. I can just buy a brand-new device for that, get a faster unit, and get another year of
stuff. Maybe that's what they're trying to encourage me to do. But there are firewall devices out there that I can buy that will do a
lot of the stuff that I need to do in the remote offices, without having to purchase a yearly or three-year plan. I keep our main
system up to date, but for the small edge units, it's just an unneeded expense. That's my biggest negative and biggest gripe about
WatchGuard. In terms of the reporting and management features — and this isn't necessarily a WatchGuard issue, this seems to be
more of an industry-wide issue — you get reports, but a lot of times you don't know what you're looking at. You're so overwhelmed
with the data. You're getting a lot of stuff that doesn't matter, so it takes time to parse through it, to actually get what you want to
know. If it gives me a threat assessment such as, "You received an attack from North Korea," I don't know what that means. I know
that an IP address from North Korea hit our server, and they tried a certain attack. Is that something I should take seriously or not?
I don't know. But that seems to be true with a lot of the solutions out there. They tend to report everything, and there's not a lot of
control over getting rid of the noise. I've had it report threat attacks from devices within my network, from my own PC, in fact. So
it's misinterpreting some things, obviously. Reporting is not something I rely very heavily on because of that. I look at it but I don't
know what I'm looking at. Instead, I have a monitor that displays various things about my network, and I will have the main screen
up just to see things like which host in the network is the busiest. I tend to use the main dashboard to get real-time information.
19
FOR HOW LONG HAVE I USED THE SOLUTION?
I've been using this solution for over 15 years.
WHAT DO I THINK ABOUT THE STABILITY OF THE SOLUTION?
The solution is very stable. I don't think I've ever had one crash in 15 years. I did have one fail, but that was just a hardware failure.
That was one of the very first, early units. That was years and years ago. I've never had one fail since then.
WHAT DO I THINK ABOUT THE SCALABILITY OF THE SOLUTION?
It's not very scalable. You get what you get. You buy for your application but if you grow, if you were to double your network
bandwidth or the like, you would have to upgrade the product. That's because the hardware can't handle that. You could say it is
scalable if want to add additional networks and that sort of thing. It makes that fairly simple. But you do need to buy the appliance
that's applicable to your network. It's used at all of our locations and it traffic-cops our entire network. But we're not adding any
new networks. As we buy companies, which we've been doing, I usually pull their firewalls out and put these in, because that's
what I'm familiar with, if I can't interface their existing firewalls with it.
HOW ARE CUSTOMER SERVICE AND TECHNICAL SUPPORT?
Their tech support, the few times I've used them, have been excellent. Their staff has been very knowledgeable. I've had several
instances where, when fixing a problem, they've made suggestions about other things not related to that problem, as they
inspected the setup. They have a very good system for logging in securely and seeing configurations without being able to check
it. That's been very helpful. I've always given an "A+" to their tech support.
WHICH SOLUTION DID I USE PREVIOUSLY AND WHY DID I SWITCH?
It was so long ago, but I used some PC-based proxies at the time. So there was something before this solution, but my first, actual,
dedicated appliance was WatchGuard. It might be that we purchased this back in the late '90s, because our previous solutions
were back during the dial-up age. It wasn't until we started getting always-on internet in the late '90s or early 2000s that we
looked at a firewall. Someone suggested WatchGuard.
20
HOW WAS THE INITIAL SETUP?
The initial setup is straightforward. Network setup is complex because setting up networks is complex. I will give them props for
making a very complex task a little easier. I don't know a way you could make it any easier than they do. I have done network
setups in other firewalls that I thought were way more complicated and more convoluted. We've set up a branch office with some
SonicWall devices and my setup screen was a whole lot easier than theirs. The deployment itself takes an hour, if that. I've done
upgrades, but I haven't done a straight, flat-out deployment in a long time. But usually, when I deploy a branch office or upgrade
the main unit, it's usually up and running within ten to 15 minutes in most cases. If I get something wrong, then it might go to an
hour or so, but usually they're very straightforward. If it's a branch-office deployment, it's just a matter of plugging it in. It takes five
to ten minutes. The configuration might take another ten to 15 minutes. The one thing that's difficult when you're setting one up is
that you have to isolate a computer that you can connect directly to. They have things that make that easier, but I've never tried it.
Our implementation strategy, back then, was to bring branch offices online. The process of deploying the product to distributed
locations usually means that I bring the device in-house and preconfigure and test it before I send it out to a remote location. I'm
usually onsite at remote locations to install it. So my process is to order the product, configure it locally, get it correct, and then
install it onsite. In terms of using it, there are maybe ten users and they use a VPN client. They directly interface with it. It's
primarily me who manages it. I'm the only user who actually sets the configurations up in it.
WHAT ABOUT THE IMPLEMENTATION TEAM?
I purchased it from a retailer at CDW and did the deployment myself.
WHAT WAS OUR ROI?
Being able to control network traffic and being able to monitor employee activity on the network are things you can't quantify, but
there's definitely a cost that you could attach to each. If we have users that we find are spending too much time on social
networks, we can address those issues, replace the employee if they don't comply, or help them with their productivity, etc. A
firewall is a necessary evil. You've got to have one. It's one of the less expensive but powerful models. I've always been very
impressed with that. There's a definite return on investment in terms of that the branch-office option. I didn't have to pay anything
extra for that. It was just built-in. Those can get upwards of thousands of dollars with other solutions. One solution I saw was $15 a
month per user. It would be astronomical if we tried to go that route. I don't have a number, but the return on investment is good.
WHAT'S MY EXPERIENCE WITH PRICING, SETUP COST, AND LICENSING?
I buy a three-year renewal on the main device, which is usually around $3,000 to $4,000. They usually upgrade the device when I
do it. You get a big discount when you do three years. If I were to renew my other devices — we haven't renewed them — it
would probably be around a couple of thousand dollars for the little edge devices. In addition to the standard licensing fees, we
pay for the filtering software. There's a web blocker, Gateway antivirus, intrusion prevention. Those sorts of things are extra. They
call it LiveSecurity. I do the LiveSecurity update and that includes a lot of those features. It's a type of a-la-carte scenario. You pick
what you want, and that then includes maintenance and support.
21
WHICH OTHER SOLUTIONS DID I EVALUATE?
I can't remember what we looked at, at that time. I have looked at more recent solutions like Untangled, SonicWall, and the like,
just to see what else is out there.
WHAT OTHER ADVICE DO I HAVE?
Make sure you buy the device that fits your environment. Don't try to do too much with too little. You can buy one of the edge
devices, and you could technically run a large network on it, but it's not going to work as smoothly. Your firewall is your primary
point of security from outside intrusion so you want to do it right. Be very meticulous about your configuration. Straight-up,
walking-to-the-console usability of the solution is not very user-friendly. It's not very intuitive. However, compared to other
firewalls, it's very user-friendly. So it's more user-friendly than most, but it's just not something anybody could walk up to and use. If
I had to walk someone through it remotely, it wouldn't be very easy for them to do. Each upgrade of the device, and I've had about
five of them — five main devices — has allowed an increase in bandwidth and performance. They tend to work fairly consistently,
but as speeds have gotten faster, you've got to upgrade the device to keep up with it. They seem to be doing an adequate job at
that. I have used the solution's Cloud Visibility feature. I wasn't really blown away. I thought, "Okay, that's neat." I haven't really dug
into it deeply. I don't really think about it in the context of detecting and reacting to threats or other issues in our network. I like to
be aware of threats, but threats in networking terms are always not practical. For a company like ours, we know there are going to
be internet probes out there, and they're going to hit our network. The WatchGuard identifies them and locks them down. There's
nothing I can do about it. It's more along the lines of, "For your information, there was an attempted attacked last night." What I'd
rather have is internal threat assessment. I want to know: "This machine started doing something last night it wasn't supposed to
do. It was sending out emails at two in the morning. It shouldn't be doing that." Since it's sitting here watching the network, I'm
more concerned with internal threats, and people doing things they shouldn't be doing, than I'm worried about the external
threats. I probably should be equally concerned about them but I've never found a really good solution on that. I have some
customized things that I've done that try to send me alerts if certain behavior patterns are detected. I'm scanning through the logs,
and if certain keywords pop up, then I'm alerted. That's been somewhat helpful, but most of the time I get more false positives
than I get actual. We have web filtering, so I'm looking to see if anyone is going to pornographic or hacker or peer-to-peer sites. I
get alerts from that and it logs those. But most of the time, I'll get hundreds of alerts on sites for a user, and I'll go over and find
that the user was looking for fonts and one of the ads happened to be on a server that caused a trigger. It was a complete false
positive but I don't know how to filter all that out. So the alert becomes useless. That may be an industry problem. I would rate
WatchGuard at eight out ten. There is a need for improvements in the reporting. There needs to be more granular, built-in filtering
in the reporting, so that you can drill it down to exactly the information you want. The second thing would be the cost-plan of
renewals. They can have a security plan and they can have a renewal plan. But if you lapse and they charge a penalty on top of
that, to me that's really unacceptable. I should be able to let a product lapse if I want to. It may not be a priority. It might be
something I have in someone's home and then there's just a new feature I need to add. As I'm going down the road I should just
be able to buy that when I want. To put in reinstatement fees is a big negative to me. Granted, they all do it, but they all shouldn't
do it.

22
Vendor Directory
A10 Networks A10 Networks Thunder CFW Juniper Juniper NetScreen [EOL]
AhnLab AhnLab TrusGuard McAfee McAfee StoneGate
Barracuda Networks Barracuda CloudGen Firewall McAfee McAfee Firewall Enterprise MFE
Check Point Check Point Power-1 [EOL] Microsoft Azure Firewall
Check Point Check Point UTM-1 [EOL] NetFortris NetFortris Hosted Firewall
Check Point Check Point VPN-1 [EOL] NetFortris NetFortris Threat Analyzer
Check Point Check Point Virtual Systems OPNsense OPNsense
Check Point Check Point NGFW Palo Alto Networks Palo Alto Networks VM-Series
Cisco Cisco ASA NGFW Palo Alto Networks Palo Alto Networks NG Firewalls
Cisco Meraki MX Firewalls Palo Alto Networks Palo Alto Networks K2-Series
Cisco Cisco Firepower NGFW pfSense pfSense
Cisco Cisco ASAv Sangfor Sangfor NGAF
Cisco Cisco IOS Security ShieldX Networks ShieldX
Comodo Comodo Dome Firewall SonicWall SonicWall TZ
Forcepoint Forcepoint Next Generation Firewall SonicWall SonicWall NSA
Fortinet Fortinet FortiGate Sophos Sophos Cyberoam UTM
Fortinet FortiGate-VM Sophos Sophos UTM
Fortinet Fortinet FortiOS Sophos Sophos XG
GFI Kerio Control Stormshield Stormshield Network Security
Hewlett Packard 3Com H3C Firewall Trustwave Trustwave Firewalls

Enterprise
Untangle Untangle NG Firewall
Hillstone Networks Hillstone E-Series
WatchGuard WatchGuard XTM [EOL]
Hillstone Networks Hillstone T-Series
WatchGuard WatchGuard Firebox
Hillstone Networks Hillstone X-Series Data Center Firewalls
WiJungle WiJungle
Hillstone Networks Hillstone CloudEdge
Zscaler Zscaler Cloud Firewall
Huawei Huawei NGFW
Juniper Juniper SRX
23
Top Firewalls Vendors

Over professionals have used IT Central Station research. Here are the top vendors based on product reviews, ratings, and comparisons.
All reviews and ratings are from real users, validated by our triple authentication process.
Chart Key
Views Comparisons Reviews Words/Review Average Rating
Number of views Number of times compared Total number of reviews on Average words per review Average rating based on
to another product IT Central Station on IT Central Station reviews
Bar length
The total ranking of a product, represented by the bar length, is based on a weighted aggregate score. The score is calculated as follows:
For each of Reviews, Views, and Comparisons, the product with the highest count in each area gets a maximum 18 points.
Every other product gets assigned points based on its total in proportion to the #1 product in that area.
For example, if a product has 80% of the number of reviews compared to the product with the most reviews then the product's points for reviews
would be 18 * 80% = 14.4.
Both Average Rating and Words/Review are awarded on a fixed linear scale.
For Average Rating, the maximum score is 28 points awarded linearly between 6-10 (e.g. 6 or below=0 points; 7.5=10.5 points; 9.0=21 points;
10=28 points).
For Words/Review, the maximum score is 18 points awarded linearly between 0-900 words (e.g. 600 words = 12 points; 750 words = 15 points;
900 or more words = 18 points).
If a product has fewer than ten reviews, the point contribution for Average Rating and Words/Review is reduced:
1/3 reduction in points for products with 5-9 reviews, two-thirds reduction for products with fewer than five reviews.
Reviews that are more than 24 months old, as well as those written by resellers, are completely excluded from the ranking algorithm.
All products with 50+ points are designated as a Leader in their category.
1 Fortinet FortiGate
170,205 views 118,527 comparisons 53 reviews 364 words/review 8.6 average rating
2 Cisco ASA NGFW
3 pfSense

24
4 Sophos UTM
5 WatchGuard Firebox
7,424 views 5,193 comparisons 24 reviews 1,101 words/review 9.0 average rating
6 Cisco Firepower NGFW
27,965 views 22,990 comparisons 20 reviews 1,104 words/review 7.9 average rating
7 Sophos XG
8 Meraki MX Firewalls
9 Palo Alto Networks NG Firewalls
10 Check Point Virtual Systems

25
Top 5 Solutions by Ranking Factor

Views
VIEWS
1 Fortinet FortiGate 170,205
2 pfSense 94,968
3 Sophos UTM 71,891
4 Cisco ASA NGFW 70,430
5 Meraki MX Firewalls 47,617
Reviews
REVIEWS
1 Cisco ASA NGFW 58
2 Fortinet FortiGate 53
3 WatchGuard Firebox 24
4 Sophos UTM 22
5 Juniper SRX 20
Words / Review
WORDS /
REVIEW
1 ShieldX 2,154
2 Cisco Firepower NGFW 1,104
3 WatchGuard Firebox 1,101
4 Sangfor NGAF 962
5 McAfee Firewall Enterprise MFE 931

26
About this report

This report is comprised of a list of enterprise level vendors. We have also included several real user reviews posted on ITCentralStation.com.
The reviewers of these products have been validated as real users based on their LinkedIn profiles to ensure that they provide reliable opinions
and not those of product vendors.
About IT Central Station

The Internet has completely changed the way we make buying decisions. We now use ratings and review sites to see what other real users think
before we buy electronics, book a hotel, visit a doctor or choose a restaurant. But in the world of enterprise technology, most of the information
online and in your inbox comes from vendors but what you really want is objective information from other users.
We created IT Central Station to provide technology professionals like you with a community platform to share information about enterprise
software, applications, hardware and services.
We commit to offering user-contributed information that is valuable, objective and relevant. We protect your privacy by providing an environment
where you can post anonymously and freely express your views. As a result, the community becomes a valuable resource, ensuring you get
access to the right information and connect to the right people, whenever you need it.
IT Central Station helps tech professionals by providing:
• A list of enterprise level vendors

• A sample of real user reviews from tech professionals
• Speciﬁc information to help you choose the best vendor for your needs
Use IT Central Station to:
• Read and post reviews of vendors and products

• Request or share information about functionality, quality, and pricing
• Contact real users with relevant product experience
• Get immediate answers to questions
• Validate vendor claims
• Exchange tips for getting the best deals with vendors
IT Central Station
244 5th Avenue, Suite R-230 • New York, NY 10001
www.ITCentralStation.com
reports@ITCentralStation.com
+1 646.328.1944

27

Fortinet Fortigate and Watchguard Firebox Buyer'S Guide and Reviews March 2020

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fortinet Fortigate and Watchguard Firebox Buyer'S Guide and Reviews March 2020

Uploaded by

Copyright:

Available Formats

Fortinet FortiGate

Get a custom version of this report...personalized for you!

Get your personalized report here.

Advice From Real Users 4-9

Top Review by Topic of Fortinet FortiGate and WatchGuard Firebox 10-12

Reviews From Real Users 14-22

Top Firewalls Vendors 24-25

Top 5 Solutions by Ranking Factor 26

About This Report and IT Central Station 27

© 2020 IT Central Station

Advice From Real Users

"Anti-Spam web content filterinG." [Full Review]

© 2020 IT Central Station

Advice From Real Users

"There is a lot of improvement needed with SSL-VPN." [Full Review]

"I think there could be more QoS features" [Full Review]

"Technical support for this solution can be improved." [Full Review]

"The Web-filter in this solution is not very good." [Full Review]

© 2020 IT Central Station

Advice From Real Users

PRICING AND LICENSING ADVICE

"The pricing for this solution is good." [Full Review]

© 2020 IT Central Station

Advice From Real Users

© 2020 IT Central Station

Advice From Real Users

"There is a slight learning curve." [Full Review]

© 2020 IT Central Station

Advice From Real Users

PRICING AND LICENSING ADVICE

"It costs me about $800 a year." [Full Review]

"We pay about $3,500 every three years." [Full Review]

© 2020 IT Central Station

Top Reviews by Topic

The basic firewall features, or just the routing, are

What I like most is the analytical side. It's pretty

© 2020 IT Central Station

Top Reviews by Topic

The biggest way that it has advanced us is that

It has made firewall configuration really simple. It

© 2020 IT Central Station

Top Reviews by Topic

Andrew S. Baker (ASB) JasonGiles

Neal Tipton Joseph Jansen

© 2020 IT Central Station

Whitepaper and case studies here

Sophos UTM vs. Fortinet FortiGate pfSense vs. WatchGuard Firebox

TOP INDUSTRIES, Healthcare Company ... 8% Museum Or Institution ... 6%

© 2020 IT Central Station

Fortinet FortiGate review by a real user

Don't underestimate FortiAnalyzer. It can give you a better

Senior Network & Security Engineer at a

WHAT IS OUR PRIMARY USE CASE?

HOW HAS IT HELPED MY ORGANIZATION?

WHAT IS MOST VALUABLE?

WHAT NEEDS IMPROVEMENT?

FOR HOW LONG HAVE I USED THE SOLUTION?

WHAT DO I THINK ABOUT THE STABILITY OF THE SOLUTION?

WHAT DO I THINK ABOUT THE SCALABILITY OF THE SOLUTION?

Continued from previous page

HOW ARE CUSTOMER SERVICE AND TECHNICAL SUPPORT?

Technical support is good (in average).

WHICH SOLUTION DID I USE PREVIOUSLY AND WHY DID I SWITCH?