We were pleased to see that this unit’s web GUI was one of the few being tested that defaults to a secure HTTPS connection. There is also a fully featured console available through serial connection, although it has a blank default password. That can be set, but a lot of users might forget, leaving their systems vulnerable.
The documentation was good, but hard to find. Instead of PDF manuals, we received a CD with documentation for a whole range of products, tied together through an HTML page. Almost inevitably we found errors in this, and had to trawl through the CD looking for the correct file.
The interface is elegant and does a good job of grouping items together, although we would have liked a little more linking between related tasks. Flashing red icons highlight items needing attention.
A set-up wizard started off, setting up a new admin password and configuring external interfaces and firewall rules for internal servers providing common services (SMTP, web, FTP, POP3), and a choice of security levels. We would have liked more information at this stage, rather than having to go digging in the documentation for what exactly "High" or "Medium" security might entail, but the basics are all clearly explained.
The unit does the standard tasks of traffic filtering and IPsec VPN, and has ICSA certification for both of these as well as its built-in anti-virus.
It also does content filtering, traffic shaping for bandwidth limiting and IPS, complete with creating custom signatures.
Some of the content filtering is offloaded on to a custom ASIC to speed up performance, although we did not stress the box enough to see a difference.
The filters include a lot of options to detect "grayware," including adware, Browser Helper Objects (BHOs) and more. These are disabled by default, and there is no whitelist facility to allow objects on a granular basis for, say, known good domains. But it is a useful addition that other units being tested did not provide.
High availability is an option, and the unit features redundant power supplies. We would like to see hot swappable RAID storage to complete the HA picture.
This is a fully-featured UTM offering that doesn’t skimp on the firewall and filtering features to do other, more glamorous tasks. It is pitched at the right price, with the right features to be attractive to many organizations.