need to replace watchguard firebox

xtra pc (New Member, New Brunswick, Canada)
I have a client that has a WatchGuard Firebox xt1. They want to replace it because it's only capable of 100 Mbit and they have recently installed gigabit fiber in the building. I should mention that I have no previous experience with WatchGuard appliances, as I usually use Ubiquiti products for most of my installations. They are using the "branch office VPN" option in the Firebox settings. I've never seen that description before, so am I right in assuming this is proprietary jargon used by WatchGuard? Is this what WatchGuard considers a site-to-site VPN and, if so, can I replace it with a UniFi Security Gateway (or another brand like SonicWall)?
 
> I have no previous experience with WatchGuard appliances

@xtra pc, Ditto! We yank those boxes out and replace them with pfSense appliances as soon as we can. We have set up some Ubiquiti appliances in the past, but I find them way more restrictive than pfSense. Ubiquiti to Ubiquiti works fine, but I have trouble getting their Security Gateways to play well with others. So we exclusively stick with pfSense now.

Doing a quick Google search, it looks to me like "branch office VPN" is an IPsec VPN, so I'd guess you could use Ubiquiti, SonicWall, pfSense, or whatever as long as it can do IPsec. However, your mileage may vary. I may be wrong, but I'm sure you're gonna have to fight through some tunnel issues getting DNS to work on both sides.
 
I also prefer "same appliance at all sites" if you have a client with a WAN.
Our "go to" is Untangle.
While we move large volumes of Ubiquiti hardware (I focus on switches and APs and outdoor wireless), I'm not much of a fan of their gateways unless it's just a small client with the most basic of needs: no servers, no port forwarding, simple networks. I don't find the VPN of USGs reliable. EdgeRouters...yes, but not USGs.

Since it's possibly a larger business (multi-site)...we'd want a full UTM in front of those. Like...Untangle. Years ago we did lots of pfSense...very strong for VPN and QoS...but limited in UTM features compared to today's next-gen firewalls. Or if you want "ready to go out of the box" stuff that is more widely supported, SonicWall...or WatchGuard, or Sophos.
 
@YeOldeStonecat, we're a lot like you. We exclusively use Ubiquiti APs for all clients and their larger switches for our larger clients. The only issue I have with them is their stupid End of Life policy. Couldn't agree with you more on their USGs. No sir, don't like 'em.
 
> I have a client that has a WatchGuard Firebox xt1. They want to replace it because it's only capable of 100 Mbit and they have recently installed gigabit fiber in the building. I should mention that I have no previous experience with WatchGuard appliances, as I usually use Ubiquiti products for most of my installations. They are using the "branch office VPN" option in the Firebox settings. I've never seen that description before, so am I right in assuming this is proprietary jargon used by WatchGuard? Is this what WatchGuard considers a site-to-site VPN and, if so, can I replace it with a UniFi Security Gateway (or another brand like SonicWall)?
Just make sure to properly set their expectations vis-a-vis what will really happen to their speeds.
 
> I'd want matching toys at all the endpoints of the VPN network.
That makes sense. In fact, it appears that they are connecting to another watchguard firebox so I should probably look at replacing with the same.
> Just make sure to properly set their expectations vis-a-vis what will really happen to their speeds.
Good point. I'm also noticing the price seems exponentially more expensive if you want gig-speed VPN throughput with these appliances.
 
> @xtra pc, Ditto! We yank those boxes out and replace them with pfSense appliances as soon as we can. We have set up some Ubiquiti appliances in the past, but I find them way more restrictive than pfSense. Ubiquiti to Ubiquiti works fine, but I have trouble getting their Security Gateways to play well with others. So we exclusively stick with pfSense now.
>
> Doing a quick Google search, it looks to me like "branch office VPN" is an IPsec VPN, so I'd guess you could use Ubiquiti, SonicWall, pfSense, or whatever as long as it can do IPsec. However, your mileage may vary. I may be wrong, but I'm sure you're gonna have to fight through some tunnel issues getting DNS to work on both sides.
Thanks for the info. It might be best if I stick with WatchGuard to avoid any connection issues.
 
> Thanks for the info. It might be best if I stick with WatchGuard to avoid any connection issues.
I would replace both with whatever product you normally support. Stick with what you are familiar with and can easily support. Just find out EXACTLY how they use the VPN, so that you can replicate the functionality.
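The settings that "replicate the functionality" of an IPsec branch-office tunnel on a different vendor's gateway are the same handful of parameters whichever box is used, so here they are written out as a strongSwan `swanctl.conf` site-to-site tunnel. This is an added illustration, not configuration from this thread, from WatchGuard, or from any of the products named above; the addresses and subnets are placeholders in documentation ranges, the PSK is a placeholder, and the proposals are one reasonable modern choice that in practice must be set to whatever the remote Firebox is actually configured to offer.

```conf
# Added example: one side of an IKEv2 site-to-site tunnel in strongSwan
# swanctl.conf syntax. Every value below must be read off the existing
# Firebox "branch office VPN" settings and mirrored on the far side.
connections {
    branch-office {
        version      = 2                 # IKE version; must match the peer
        local_addrs  = 203.0.113.10      # this site's public IP (placeholder)
        remote_addrs = 198.51.100.20     # remote site's public IP (placeholder)

        # Phase 1 (IKE SA) proposal: cipher-integrity/PRF-DH group.
        # Must be one the remote gateway accepts.
        proposals = aes256-sha256-x25519

        local {
            auth = psk
            id   = 203.0.113.10          # local IKE identity (placeholder)
        }
        remote {
            auth = psk
            id   = 198.51.100.20         # remote IKE identity (placeholder)
        }

        children {
            lan-to-lan {
                # Traffic selectors: which LANs are carried over the tunnel.
                local_ts  = 192.168.10.0/24   # placeholder local LAN
                remote_ts = 192.168.20.0/24   # placeholder remote LAN

                # Phase 2 (ESP) proposal; AEAD cipher plus PFS group.
                esp_proposals = aes256gcm16-x25519

                start_action = start     # bring the tunnel up at daemon start
                dpd_action   = restart   # re-negotiate if the peer goes silent
            }
        }
        dpd_delay = 30s                  # dead-peer-detection interval
    }
}

secrets {
    ike-branch {
        id-1   = 203.0.113.10
        id-2   = 198.51.100.20
        secret = "REPLACE-WITH-LONG-RANDOM-PSK"   # placeholder, never reuse a weak PSK
    }
}
```

Load it with `swanctl --load-all` and check the result with `swanctl --list-sas`. Note that the file only defines which subnets are carried; the DNS trouble mentioned above is a separate job, because each site's resolver still has to be told to forward the other site's internal zone across the tunnel.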
 
> I also prefer "same appliance at all sites" if you have a client with a WAN.
> Our "go to" is Untangle.
> While we move large volumes of Ubiquiti hardware (I focus on switches and APs and outdoor wireless), I'm not much of a fan of their gateways unless it's just a small client with the most basic of needs: no servers, no port forwarding, simple networks. I don't find the VPN of USGs reliable. EdgeRouters...yes, but not USGs.
>
> Since it's possibly a larger business (multi-site)...we'd want a full UTM in front of those. Like...Untangle. Years ago we did lots of pfSense...very strong for VPN and QoS...but limited in UTM features compared to today's next-gen firewalls. Or if you want "ready to go out of the box" stuff that is more widely supported, SonicWall...or WatchGuard, or Sophos.
Got it. I also prefer using just Ubiquiti APs, but is it just me, or every time there's an upgrade for the controller software, there seem to be more and more options that require a gateway to function?
 
> Got it. I also prefer using just Ubiquiti APs, but is it just me, or every time there's an upgrade for the controller software, there seem to be more and more options that require a gateway to function?

Eh...I'd say "no"....I have not run into any loss of functionality of an AP when I did not have a UniFi gateway present.
Yes...the beauty of the UniFi controller itself is fully realized when you have all UniFi hardware in the 3x layer stack...from Gateway...to Switch, to AP. But...you can still squeeze all functionality out of the APs the old-fashioned way without a UG or US.
 
> Good point. I'm also noticing the price seems exponentially more expensive if you want gig-speed VPN throughput with these appliances.
Having a GB-rated NIC port does NOT mean that one can achieve GB-level throughput. It depends on the underlying hardware, especially the processor layer. At my previous location I added Google GB fiber as a backup circuit. It wasn't primary, as they didn't offer static IP service in that area.

A Dell D630 with a GB port would get 900mb'ish directly hooked up to it. My USG3 and a custom micro-ATX running Untangle, both with GB ports, would get around 300-400 mb max at a wired device. Using a regular DT running Untangle gave me a consistent 900mb'ish throughput.
 