WatchGuard Firebox M695 review: Powerful enterprise network security at a sensible price
The Firebox M695 offers a persuasive set of tough security measures for the price and delivers a big performance boost over its predecessor
+ Simple subscriptions
+ Top performance
+ Extensive security services
+ Smart cloud management
+ Flexible range of network ports
- Network discovery only available in standalone mode
With their fire-engine red chassis, there's no mistaking WatchGuard's Firebox security appliances, and the M695 on review here comes in at the top of the company's freshly launched product range. Stepping up as a replacement for the four-year-old Firebox M690, it claims a substantial speed increase and teams this up with a versatile range of high-speed network ports.
Targeting large environments with around 1,250 users, the M695 moves to Intel power as this 1U rack appliance replaces the elderly NXP LX2160A SoC (system on chip) in the M690 with a more modern Gen14 8-core 2.6GHz Intel Core i7-14701E CPU. System memory sees a doubling to 32GB of DDR4 while internal storage is handled by a 128GB M.2 SSD.
The new hardware delivers an impressive performance, boasting a high raw firewall throughput of 45Gbps and 10.2Gbps with antivirus (AV), the intrusion prevention service (IPS), and application controls all activated. Compared with the M690, these numbers represent increases of 51.5% and 122% respectively.
WatchGuard Firebox M695 review: Hardware features
A quick glance at the front of the M695 shows that WatchGuard has removed the port expansion slot from the previous series. Instead, you get a much wider range of fixed ports that should cover most connection requirements.
Across the front, you have banks of eight and four 2.5GbE multi-Gig ports, four Gigabit SFP fibre, four 10GbE SFP+ fibre, and two 10GbE RJ-45 copper ports. One feature absent is PoE support, as the M690 accepted WatchGuard's optional four-port expansion module with PoE+, although we always thought this was a bit of a kludge, as it requires an extra 54V power brick plugged into a dedicated port at the rear to enable power delivery.
Power protection sees changes as all the new M-series appliances, except the entry-level M295, have a single PSU at the rear with an expansion bay next door. This accepts WatchGuard's proprietary WG9037 250W redundant PSU module, which costs around £340.
WatchGuard Firebox M695 review: Simple subscriptions
WatchGuard's subscription schemes cut through any confusion as you only have to choose from two. All Firebox appliances with a support contract come as standard with firewall, VPN, software-defined WAN (SD-WAN), and clientless VPN access portal services enabled.
WatchGuard's Basic Security Suite (BSS) subscription enables gateway antivirus (GAV), web filtering, antispam, HTTPS inspection, IPS, application controls, network discovery, and WatchGuard's RED (reputation enabled defence) cloud-based URL filtering. A Total Security Suite (TSS) subscription activates everything WatchGuard has to offer and includes its advanced persistent threat (APT) blocker with cloud sandboxing and ThreatSync XDR, which is part of WatchGuard's Automation Core (WAC) and provides collection, correlation, plus automated responses for threat events from all Fireboxes.
There's more as DNSWatch monitors client DNS requests and blocks access to known malicious domains, while the IntelligentAV anti-malware service uses the Cylance AI-based engine to scan files such as Office documents, Windows portable executables, and PDFs after they've passed through the GAV scanner. Access to the WatchGuard cloud portal for remote monitoring and management is included in both subscriptions, with TSS increasing its log and report retention periods to one year and 30 days, respectively.
WatchGuard Firebox M695 review: Cloud management
Deployment for cloud management is impressively swift as we registered the appliance with our WatchGuard support account, allocated it to our site, and chose the cloud management and monitoring option. Once the M695 had been configured, local management access was disabled, with its local web console only providing details of device and network status, options for firmware upgrades, and access to diagnostics tools.
Another bonus of cloud management is zero-touch provisioning using WatchGuard's RapidDeploy service. Create a configuration file, upload it to your cloud account, send the appliance to the remote site, and once connected to the internet, it automatically downloads and applies the file for instant protection.
The portal dashboard tells you everything you need to know about all your Fireboxes, their status, and licence details, along with alerts and pending incidents. All other WatchGuard products can be accessed from the same portal and include its Wi-Fi access points, AuthPoint, EPDR, FireCloud, and the AI-powered ThreatSync + NDR service.
WatchGuard Firebox M695 review: Security services
Firebox configuration doesn't get any easier as all appliance hardware and security settings are presented in one web page. The mixed routing mode makes the M695 highly flexible, as you can segment your network by configuring each port as a separate interface with its own IP address and DHCP services, and designate each one as external, trusted, optional, or custom.
Providing an alias for each port also makes it easier to assign custom firewall rules to them. Note that the network discovery service is not supported by cloud-managed Fireboxes as it can only be enabled in their local web console.
The content scanning section provides access to both AV scanners, the APT blocker, and spamBlocker for applying anti-spam policies to inbound SMTP, IMAP, and POP3 traffic. The network blocking section looks after botnet detection, IPS, port and site blocks, and detection of Tor (The onion router) exit points.
Move to the content filtering section, and you can create WebBlocker policies to manage access to 169 URL categories, while the Application Control service provides 1,267 predefined app and protocol signatures for creating granular access policies. Both can be applied to a firewall policy with one click.
VPN features are plentiful, with the M695 supporting 2,000 branch offices and mobile VPNs. WatchGuard's free mobile VPN with SSL client is available for Windows and macOS systems, and the latest Fireware firmware supports strong SAML user authentication.
WatchGuard Firebox M695 review: Is it worth it?
The Firebox M695 compares favourably on value with the competition in the enterprise gateway security space. WatchGuard Online is listing the appliance with a 1-year TSS subscription for £19,282 excluding VAT, rising to £35,184 for a 3-year subscription, making it very competitively priced.
The new Intel-powered architecture delivers a significant performance boost over its predecessor, and the appliance offers a good selection of high-speed network ports as standard. It's packed with great security features, the simple licensing schemes avoid any confusion, and WatchGuard's slick cloud portal makes light work of remote deployment, management, and monitoring.
WatchGuard Firebox M695 specifications
Chassis | 1U rackmount
CPU | 8-core 2.6GHz Intel Core i7-14701E
Memory | 32GB ECC DDR4, 32MB Flash
Storage | 128GB M.2 PCIe SSD
Network | 12 x 2.5GbE multi-gig, 4 x Gigabit SFP, 4 x 10GbE SFP+, 2 x 10GbE RJ-45
Other ports | 2 x USB-A 3.2, RJ-45 serial
Power | Internal PSU, optional redundant 250W hot-plug PSU
Management | Local web browser or WatchGuard Cloud
Warranty | Included in subscription
Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.
Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.
