Watchguard Firebox X2500 Rack Mount Firewall

I’m new to building my homelab and wanted to play with a hardware firewall. Any advice? Are Watchguard Fireboxes any good?

I’ve been looking into Mikrotik myself. No licensing required and have a strong user base.

Watchguards are my favorite enterprise firewall, but they are somewhat of a niche.

If you’re going to run an old, unsupported firewall, don’t expose any services to the internet, including management or the VPN client download portal.

I’ve worked with WatchGuard firewalls primarily for the last 9-10 years, both in a contractor position where the majority of our clients were using WatchGuard and as an admin for an org of about 2000 users. They are good devices with a much more user-friendly interface than some other options. Depending on what your internet connection is, that model might bottleneck you. Looks like it has a max throughput of 275 Mbps.

While it is a pain that you can’t install firmware updates without a license key (or a trial license at least), they are nice in that the physical hardware has VPN licenses, so within a few minutes you can have a VPN set up into your network.

Overall I’ve been happy with WG. I wish it was affordable to have paid services on the unit I run at home but they are still useful devices when expired.

As a sysadmin who used to manage a dozen and then worked for an MSP that sold a ton of them, they work well.

However, in the grand scheme of the industry, they are a very niche player. If you’re looking to tinker, they’re good for that. If you’re looking for experience for a career, I’d lean more towards Cisco or Fortinet. They’re far more common.

Nice! I’ll check it out

@humblehome - I’ve been checking out Mikrotik kit, not clear on firewalls though… what do you have?

Mikrotik does not have firewalls; you can buy Mikrotik router devices that have access lists (ACLs).

That’s a fairly broad generalization… You’ll see all in play at many mid-large sized companies, although they do tend to settle with mid/small-sized businesses. Cisco licenses are (many times) cost-prohibitive in mid-size, Fortinet has their own set of issues including greater SDWAN limitations and a fair history of firmware issues. Having used all 3 vendors and more, I’d say any would be a good start for learning. YMMV.

That’s good advice thank you! I’ve just picked up a Cisco ASA 5540 so will see if I can get that running. On a previous post someone gave me a few pointers for the ASA, but if you’ve got any advice that would be great!

You can use any of the Routerboard models as a firewall.

Yes, Mikrotik doesn’t make a dedicated hardware firewall, but the RouterOS on their routers has plenty of firewall capabilities. Many companies deploy these due to their lack of licensing to unlock features (unlike Fortinet, Cisco, etc.).

I’m not a Cisco guy anymore. I’d get the Fortinet logo tattooed on my arm if I were in the market.

So, sorry for my ignorance, but my Cisco ASA (or if I buy a Fortinet or Watchguard) all need a subscription to run? Like a normal Antivirus subscription for virus definitions?

Pay attention to EOL/EOS… The x2500 was EOL’ed in 2009… You won’t be able to get licenses or updates. You can install something to replace the OS, but the built-in services are useless.

You don’t have to have a subscription for the firewall and routing pieces to work. The subscription is just for AV, application control, etc and support.

Perfect thanks - good that I can still learn the firewall and routing part.

This is true… what’s the point without real-time protection? :wink: (I kid)

No but you do need some sort of Feature Key for it to work. It can be an expired key but it needs to be the one registered for the unit. Otherwise only one device will be allowed out to the internet.