Good things come in (very) small packages, or so they say. The WatchGuard T30-W, with WatchGuard Dimension included, certainly supports that claim. When we received a small box in the lab, we thought that we were getting a delivery of connectors we ordered as we were updating the lab systems. We opened the box and inside was a small red plastic device that said "WatchGuard" on the front. Surprise!
The T30-W is a UTM for small- to medium-sized organizations. Used with Dimension, it provides most of the functionality needed for today's threatscape. By communicating with the WatchGuard cloud, the T30-W can take advantage of such next-generation capabilities as sandboxing and threat intelligence. Even so, the standard offering without Dimension (although, since it is included, why would anyone not use it?) still does all of the things that a competent UTM should do. It handles anti-malware, firewalling, IDS/IPS, anti-spam, reputation-based defense and other typical gateway functions. The DLP module adds $90 per year, and the APT Blocker, which includes advanced malware detection and sandbox analysis, adds $200 per year.
When we powered up the product, we had a choice of RapidDeploy QuickStart Setup or Classic Activation Setup. The difference is that the Classic Activation Setup has a wizard that walks you through full configuration of the product. We connected the WAN port to our outbound network and our computer to the LAN port. The box has a DHCP server built in, and it assigns an IP address to the computer. Once you have that, you can start the configuration process.
The next step is to make sure that you have the latest version of the software. That is done directly from the appliance as soon as you connect to the WatchGuard site. Once that is done, you can start walking through the features available for your deployment. The system uses a PostgreSQL database, and you can use its internal one or set up an external instance. It also has Wi-Fi capability and offers Power over Ethernet (PoE), and it is available in a virtual machine version for VMware and Hyper-V.
Once we were up and running, we started browsing through the various screens and drilldowns. The UI is very creative and is clearly designed to support smaller organizations that may not have access to high-priced security experts. Everything is intuitive, from the Threat Map clear through to the drilldowns and the executive dashboard. One of the more interesting screens is the policy map. It shows the impact of policies on the actual operation of the enterprise, letting you identify misconfigured policies and drill down to find the misconfiguration.
Drilldowns go all the way to log data, and there are plenty of opportunities to pivot along the way, making it possible to see exactly what you need to. More generally, a real-time, interactive report tool called FireWatch shows the top talkers on the enterprise, unexpected or unusual traffic patterns, the most popular destination URLs, application use and bandwidth consumption by application. Naturally, all of this comes with the expected drilldowns for more detail and pivoting. We liked FireWatch's screen. It is reminiscent of a freeware tool called SpaceSniffer that maps disk usage. The purpose is about the same, although SpaceSniffer shows how the disk drive is being used by applications, the operating system and data, while FireWatch shows how the enterprise is being used.
Support for the tool is basic, no-cost phone support, and the website is quite complete. Documentation is a bit thin, but it did get us going, and the product is fairly intuitive.