There are four reasons I can imagine someone wanting a watchguard:
1) Reflective port forwarding
If a LAN user accesses http://wan-ip:xxx, and port xxx is forwarded to a different LAN workstation, the watchguard uses NAT to re-source the traffic locally on the firewall, then sends it to the intended LAN workstation, allowing the connection to succeed. While this generates terrific amounts of traffic through the firewall it is easy on the admin.
In SME networks, I do this by making sure that "xxx" is the right port number both locally and remotely, then by making sure that my DNS returns the WAN IP for remote users and the LAN IP for local users.
(The Watchguard also supports multiple WAN IPs, so you could have http://wan-ip-1 going to LAN-Server-1 and http://wan-ip-2 going to LAN-Server-2 -- this would require creative use of ProxyPass and VirtualDomains on a SME network)
2) "Transparent" mode
Watchguard firewalls support a "transparent" mode that I have never seen anywhere else.
In transparent mode, the LAN workstations can have public IP addresses on the same subnet as your ISP's gateway/router while still being protected by the firewall.
Basically, you take an existing, working network - then drop the watchguard down between the gateway and everything else in "transparent" mode - and you're done. No routing configuration necessary, no port forwarding rules required, no NAT -- just log in to the watchguard and tell it which services should be permitted for which internal host.
I do this on SME networks by using intelligence and planning...
3) Connection Monitoring
I really enjoyed the watchguard's connection monitoring capabilities. While it is possible to monitor internet traffic from your LAN using a SME (using iptraf, or examining the log files manually), the Watchguard has some easy-to-use options that provide very useful real-time connection information.
4) Laziness, Ignorance or Greed
A lazy vendor who really knows his stuff and always uses Watchguard might want to continue using watchguard to minimize the training/retraining required for his support staff.
An ignorant vendor who just barely knows how to use a Watchguard might be afraid to use anything else for fear of making a stupid mistake that compromises his client's data.
A greedy vendor who gets great commissions, incentives, etc. for selling Watchguards might want to sell a Watchguard to every client in order to maximize the amount or size of the prizes s/he wins.
These are the *only* reasons I can imagine someone specifically wanting a Watchguard. I got so frustrated with them that I vowed never to use one again -- mostly over little things like the firewall breaking when you apply updates or create new rules. Granted, this was in the 1990s, but how many times should I have to completely re-program my firewalls after installing software updates? And how frustrating is it to have to do this for units located at remote offices (apply update, lose connectivity, travel to office, reprogram)?
I don't remember the specifics, but I also have a clear sense that seemingly simple operations aimed at solving challenge "x" would break the solution implemented last quarter for challenge "b".
Maybe Watchguard has solved the issues that frustrated me so, but I'll never know.
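
The reflective port forwarding from item 1 and the split-DNS alternative, traced as a simplified packet model. This is an added example, not part of the original post: the addresses, the port number and the function names are constructed, and the model assumes one flat LAN subnet with the firewall as default gateway.

```python
import ipaddress

# Constructed addresses for illustration only.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_IP, FW_LAN_IP, SERVER = "203.0.113.10", "192.168.1.1", "192.168.1.20"
PORT = 8080  # the post's "xxx"; same number on the WAN and LAN side


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def connect(client, dst, reflect):
    """Trace one request/reply. Returns (succeeds, crosses_firewall)."""
    if dst == SERVER:
        # Direct connection to the LAN address; only works from the LAN.
        return (on_lan(client), False)
    if dst != WAN_IP:
        return (False, False)
    # Port forward: the firewall rewrites the destination wan-ip -> server.
    # Reflective forwarding also re-sources LAN-originated traffic.
    seen_src = FW_LAN_IP if (reflect and on_lan(client)) else client
    if on_lan(seen_src) and seen_src != FW_LAN_IP:
        # The server answers straight across the LAN, bypassing the
        # firewall, so the reply arrives from SERVER instead of WAN_IP
        # and matches no connection on the client.
        reply_from = SERVER
    else:
        # The reply returns to the firewall, which undoes the translation.
        reply_from = WAN_IP
    return (reply_from == dst, True)


def split_dns(client):
    """The post's SME approach: LAN IP for local users, WAN IP for remote."""
    return SERVER if on_lan(client) else WAN_IP


if __name__ == "__main__":
    lan_pc, remote = "192.168.1.50", "198.51.100.7"
    for label, args in [
        ("LAN client, forward without re-sourcing", (lan_pc, WAN_IP, False)),
        ("LAN client, reflective forward", (lan_pc, WAN_IP, True)),
        ("LAN client, split DNS", (lan_pc, split_dns(lan_pc), False)),
        ("remote client, split DNS", (remote, split_dns(remote), False)),
    ]:
        ok, via_fw = connect(*args)
        print(f"{label}: port {PORT} succeeds={ok} crosses_firewall={via_fw}")
```

With split DNS the local connection succeeds without crossing the firewall at all, which is the traffic cost the post attributes to the reflective approach.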
