WatchGuard Firebox M5600 review

WatchGuard’s Firebox M5600 delivers enterprise-grade network security and beats the rest on price

WatchGuard Firebox m5600 front and rear

IT Pro Verdict

WatchGuard’s flagship M5600 UTM appliance is a great choice for enterprises that want tough and easily deployed network security at a more sensible price


  • +

    Top security measures; High firewall throughput; Good value; Easy deployment; Optional 40GbE ports


  • -

    Noisy cooling system; Older Xeon CPU

Enterprise network security usually costs a king's ransom but WatchGuard's Firebox M5600 bucks the trend by delivering a wealth of features at a more palatable price. It may only be a 1U rack appliance but it's plenty powerful, with WatchGuard claiming a 60Gbits/sec firewall throughput and 11Gbits/sec with all UTM services enabled.

Targeting distributed environments of up to 7,500 users, the M5600 offers a versatile range of port options. The appliance has four expansion slots at the front and comes with the eight copper Gigabit and quad 10GbE SFP+ port modules as standard.

The two spare slots accept any module so you can add eight more 10GbE ports if you wish. However, the clincher is WatchGuard's dual-port 40GbE fibre module, as few competing vendors offer this as an option.

The M5600 is powered by elderly 10-core 2.8GHz E5-2680 v2 Xeon CPU teamed up with 16GB of DDR3 memory, while internal storage is handled by a 2GB CFast card and 250GB LFF SATA hard disk. Dual 400W PSUs come as standard, as do four hot-plug fan modules - but this combination produces annoyingly loud noise levels.

WatchGuard Firebox m5600 web console


The price may initially seem steep but it looks a lot more appealing when stacked up against the competition. The price we've shown includes the M5600 appliance and a full three-year subscription to the Total Security Suite, which activates everything WatchGuard has to offer.

Along with the firewall, VPNs and 24x7 Gold LiveSecurity support, it enables IPS, web content filtering, anti-spam, gateway anti-virus, application controls and HTTPS inspection, plus WatchGuard's reputation enabled defence, advanced persistent threat (APT) blocker service and data leak prevention (DLP) module.

There's more; WatchGuard's RED (reputation enabled defence) service is included for increased web protection. Web access requests send the URL in question to WatchGuard's RED cloud servers where they score it and instruct the appliance to either allow or block it.

To put the outlay into perspective, SonicWALL's top-of-the-line SuperMassive 9800 2U appliance (its E10xxx range recently went on EOL notice) starts at over 46K just for the hardware. Add in a three-year subscription to its Comprehensive Gateway Security Suite and the price jumps to nearly 100K.

WatchGuard Firebox m5600 web console subscription activity


The M5600 is very easy to deploy, as the web interface fires up a wizard to secure administrative access and get Internet access running on an external port along with DHCP services on your first trusted interface. Three operational modes are available and we opted for the mixed routing mode as it's the most versatile.

This mode allows all ports to be defined as separate interfaces where we could set them as external, trusted, optional or custom and add DHCP services on selected trusted ports. Port aliases streamline further configuration and we used these to assign multiple firewall policies to source and destination ports.

WatchGuard uses proxies to handle all traffic and includes ones for HTTP, HTTPS, FTP, SIP, IMAP, POP3 and SMTP. The relationship between proxies and actions takes a little while to get the hang of, but on first access, the web console provides a wizard for each one.

Enforcing web content filtering using the WebBlocker service was a three-step process. We chose from over 120 URL categories, applied HTTP and HTTPS filtering and on completion, the wizard created a new firewall rule.

WatchGuard Firebox m5600 web console firewall policies


Mail security is handled by the spamBlocker service, and to use it we set up the POP3 proxy to tag messages classed as spam, suspect and bulk. It's very effective: in live tests of other WatchGuard appliances, we've seen spam detection rates of 97-98 percent with no false positives.

Within selected policies, we could enable IPS and apply allow, drop or block actions based on five threat levels. Gateway AV is a cinch to set up - you enable it on selected policies and choose actions for virus detections, scan errors, oversized files and encrypted files.

You'll need to enable gateway AV if you want to apply APT protection. As files come in to the network, it scans them, creates an MD5 hash and checks the LastLine cloud service to see if they're known malware.

WatchGuard's application awareness controls access to hundreds of apps and has eleven entries for Facebook alone. DLP is another easy one to configure and uses predefined and custom rules on the HTTP, FTP and SMTP proxies to check for keywords such as credit card or social security numbers.

Dimension provides centralized management for all your WatchGuard security appliances

Security and management

The mobile security service queries Android and iOS devices and blocks access if they don't meet the minimum OS level. To use it on iOS devices, we loaded the free WatchGuard FireClient app and could then set blocking policies for any devices not running the latest OS version.

You can use the M5600 to centrally manage wireless networks that employ WatchGuard's own APs. Once paired with the appliance, they take all their settings from it and you can apply selected security policies to wireless traffic.

The appliance's web console provides plenty of detail about all activity and we also used WatchGuard's Dimension software on our Hyper-V host for centralized monitoring. It provides an impressive amount of information such as global threat maps and security service graphs and with Dimension Command activated, you can only log in to an appliance's web console from Dimension's interface.


Considering the price of the hardware, we would have liked a newer Xeon CPU and more memory (plus quieter fans) but performance is impressive and there's no denying the M5600's security credentials. WatchGuard offers a wealth of easily managed enterprise-grade security services at a price the competition will have trouble matching.


WatchGuard’s flagship M5600 UTM appliance is a great choice for enterprises that want tough and easily deployed network security at a more sensible price

As reviewed

Chassis: 1U rack

CPU: 2.8GHz Intel Xeon E5-2680 v2

Memory: 16GB DDR3

Storage: 2GB CFast 3SE SATA card, 250GB LFF SATA HDD

Network: 8 x Gigabit, 4 x 10GbE SFP+

Expansion: 4 x module slots (2 free)

Other ports: Gigabit management, 2 x USB 2, RJ-45 serial

Power: 2 x 400W hot-plus PSUs

Management: Web browser, WatchGuard Dimension/Command

Warranty: 3-year advanced hardware replacement

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.