So, I recently had an issue with my untangle server. For a number of reasons, it seemed like the time was right to at least try out an alternative, and so I've been running on a Watchguard for the last three weeks. I'm getting ready to return it and build a new untangle server, but I thought the lurkers here might appreciate hearing about my experience with Watchguard.
- The watchguard was nowhere near as easy to set up, and it will be harder to maintain complicated rules. Untangle still has room for improvement here in my opinion, but they are still ahead of watchguard. This wasn't a show stopper, but it is worth mentioning.
- Reporting. The watchguard has effectively zero out of the box reporting ability. For many users, this may not be an issue, especially if you already have a syslogd aggregator. Watchguard has some very nice tools for use with syslog. I don't have an aggregator.
On the plus side, I can appreciate the watchguard approach. I've had so many untangle issues that could be traced back to disk performance resulting from reports: the server is too slow while generating daily reports, or the disk/database bogs down during high-traffic periods trying to log too much data. The watchguard can just send log messages out a network interface, and if the reporting server on the other end can't keep up... well, at least my internet traffic doesn't bog down because of it.
However, the fact remains that I would need to add an additional server to get reports, and so for me this was a show-stopper.
- Watchguard made it way easier to put a trace on one IP, computer name, or user name. I'm going to miss that.
- Watchguard would be cheaper for us to purchase and maintain the subscription. It's hard to understate how important that is here. When I first encountered untangle in January 2010, it seemed too quirky to me, but looking around at the time no one could hope to touch untangle on pricing. Since then, we've grown just enough to cross the threshold for the next subscription tier. We didn't change size that much: we were just below, now we're just above, and the price about doubled. We've also needed to jump from standard to premium, which ~ doubled the price again. At the same time, other options have become cheaper. Untangle may soon need to reconsider some pricing to remain competitive.
- It seems like we're at the low end of the watchguard market, but the high end of the untangle market. This appealed to me, because it means they will have a product that supports our needs as our internet use grows. Part of this comes back to my reports item: I think not logging reports on the same device is a big key to helping them scale. I think untangle is actually well-positioned here. If I had a syslogd service available on a separate machine, I can already use untangle to send events that way, stop most logging locally, and use my syslog server reports instead of the untangle reports. Untangle just needs to push this option more for some of their bigger customers. Someday, it may be possible to send untangle events to a watchguard reporting server.
- I could not find with Watchguard a way to do QoS on bittorrent, or QoS based on web violation, or anything other than QoS based on an entire policy category (and policies are hard to isolate). I've said before that outright blocking torrents is not an option for me, even if untangle could handle it (it can't, at least not very well). But I do need to be able to limit the impact, and I couldn't, in the time available to me, get that working. This was watchguard show-stopper #2.
- My final issue was performance. Traffic right now is nothing compared to what it will be when students return in 3 weeks. At that point, traffic will increase 50-fold. My watchguard has performed flawlessly for the last few weeks, but I have been unable to find a way to adequately show it will work under the higher load. I think it will work. I'd even say I'm very confident it will work. But I have to know it will work, and there's no way for me to be sure of that right now. Watchguard sales was unable to give the kind of guidance and assurance that I needed. That was show-stopper #3.