This product comes in a 1U, fire-engine red, rack-mountable unit. The front panel has indicator lights, an LCD screen for status messages and six Ethernet ports (only three are available for use, but the vendor told us the other three can be activated with a license key).

A 1.26 GHz Pentium III processor and a SafeNet 1141 crypto accelerator chip supply its processing power. The documentation is extensive, with three printed guides for hardware, VPN management and system administration.

The device is supplied with an array of color-coded connection cables and has two modes: drop-in and routed. The installation requires the WatchGuard administration software to be installed on a management PC running Windows NT 4.0 or higher, with at least 40 MB of disk space for the management software and the log files.

There is an option to download the latest WebBlocker database during installation, but this can be deferred until the setup is complete. The device will enable outgoing traffic to access the internet, but will deny incoming traffic.

In the default configuration, the device logged our port scans. Many displays are available, including traffic monitoring and bandwidth metering, as well as a log viewer. A report generator is also provided.

Our port scanning revealed a number of ports, but the system refused connection attempts on them. We would have preferred the system to operate in stealth mode and ignore the connection attempts without revealing its presence.

The system blocks some ports by default, and these did not respond to port scanning.

It is tedious to block inbound ports except the ones needed, but there is no stealth feature, so this may be necessary. The Firebox has options enabled by default, even though the documentation implies that they have to be specifically set.

WatchGuard provides a 90-day subscription to its LiveSecurity Service offering software upgrades, email alerts for new threats, online resources, and access to technicians.