Author: Sean Michael Kerner
Review Date: 8/22/2005


Price: $569

  • IPsec VPN
  • Easy to use Management UI
  • Commercial grade firewall and security


  • Not all features enabled without additional purchase.

Most wireless (and wired) routers marketed for small businesses today offer some degree of firewall protection, and some even allow for a basic level of VPN tunneling. Few, however, offer more than a handful of options to secure and properly configure your network security. With Firebox Edge X5, WatchGuard promises you an all-in-one wireless firewall and VPN appliance that does it all. It’s a promise that it strives hard to meet.

What It Is: Seeing Red
The Firebox is all about security. The first visual cue about the device’s purpose is its distinctive red color (which is common on WatchGuard’s security appliances). The color obviously doesn’t make the product any more secure, but it certainly does make a strong first impression and differentiates it (visually) from the typical grey/black/silver/white schemes you find with most networking gear. In my test environment it got noticed by a few people simply because of its color. If only looks alone could stop bad traffic.

Fire-engine red color aside, the WatchGuard Firebox Edge X5w is a serious firewall and VPN security appliance. The X5w is the entry-level device in the Firebox X Edge line, which is specifically geared for edge of network applications for SMB’s of varying sizes. The X5w is a 9-port appliance (the 10th port requires an additional license to activate) that allocates six 10/100 ports the “trusted” network, 1 for the “optional” (essentially a DMZ) network and one enabled WAN port. An SPI firewall is also part of the mix, helping to keep the bad traffic out of your network.

On the wireless side it has 802.11b and 802.11g, WEP (40- and 128-bit ASCII, 64- and 128-bit hexadecimal) WPA, SSID masking and MAC address filtering all pumped out via its two 5dBi antennas.

VPN figures strongly into the appeal of the X5w thanks to its easy-to-use and easy-to-set-up IPsec capabilities that features both Data Encryption Standard and 3DES. The X5w is enabled for two branch office VPN tunnels and optionally up to 11 mobile user VPN tunnels.

Configuration: You Make the Call
Setting up the X5w can be as easy or as complex as you want to make it. That is, the device has a layered browser-based management interface. which at first looked easy enough. However, as I dug deeper, I quickly realized the complexity and power that the X5w offers. The start System Status page offers (as you’d expect) an overview of all Firebox features (user licenses, managed and manual VPN, Mobile Use VPN, Trusted, Optional and External network configuration and status as well as firewall status).

You can dig deeper on any of those or use the side tab menu (Network, Firebox Users, Administration, Firewall, Logging, WebBlocker, VPN, Wizards and Authenticate User) for even more control and options. While all this may sound a bit overwhelming, the well-designed user interface never lets it look too daunting.

On the theme of easy and comprehensive, WatchGuard has also thrown in a Quickstart Guide that really is quick. There’s also one of the most comprehensive and insightful user guides that I’ve come across from a networking appliance manufacturer. The documentation is a textbook on what networking is about and how to use the Firebox edge to make your network secure for your own particular environments needs and requirements.

The capability to segregate your network into different areas of trust (and thus permissions and access) is not a new concept, but it is one that hasn’t always been all that easy to execute. Most of the SMB-focused devices will allow you to set up a DMZ of sorts, but it usually end there. The division of optional (mixed trust), trusted and external with bridges between them is a subtle yet powerful concept that is well-executed and implemented on the Firebox. For example, you can set rules that will restrict traffic between the option and trusted networks as well as limit wireless users to either of those trust zones. In terms of both user license and features, WatchGuard makes the X5w an upgradeable device. However, it is bit annoying that optional items such as WebBlocker and WAN failover are included on the user interface, but you need to pay extra to get them to work. I guess you can’t blame a company for upselling — everyone’s got to make an extra bill or two when they can. The only other nitpick I have about this excellent device is related to service and update discovery. WatchGuard includes 90 days of its LiveSecurity service with the X5w, but in my experience of 60 days or so of use, the only “contact” I had was via e-mail. Certainly I could easily have gone to the WatchGuard support site, but I personally would have preferred an RSS or some other feed directly into the management user interface.

Also, the UI doesn’t tell you if you’re running the latest firmware. Sure, it’ll tell you what version you’re running, but when you click update you’re left with a blank dialogue box that you need to fill with an update file that you’re supposed to go and get yourself from WatchGuard. Again, this is easily done, but it would have been a whole lot easier if the software update actually directly validated the version in use and automatically downloaded and/or prompted the user for the relevant update.

Keep the Fires Outside Your Network
All told, WatchGuard’s Firebox X5w Edge Wireless is one of the most powerful and robust SMB firewall, VPN appliances that I’ve tested. In more than two months of regular use and testing in a pair of different environments, it performed exceedingly well. Out of the box it worked better than any other solution I’ve yet tried. Though with its configuration options and add-ons that I have yet to fully use in an actively trafficked environment, it’s likely that I have not fully recognized all the benefits that it offers. That’s a good thing in my opinion. Each time I encounter a new networking or security conundrum, I can go back to WatchGuard and see if the Firebox has a setting (or solution) that will address my issue.

If you own or run a small business and are looking to step up from a retail-store-bought broadband router/firewall to a commercial-grade solution, the Firebox X5w Edge Wireless is a great choice.

Sean Michael Kerner is a regular contributor to PracticallyNetworked.