What to look for in a unified threat management (UTM) device in 2024

A series of blue blocks with binary code displayed alongside yellow padlocks
(Image credit: Getty)

Small and medium businesses (SMBs) still relying on separate anti-malware, web security, and firewall products need to dump them and get a next-generation unified threat management (UTM) appliance. These are the perfect defenders as they amalgamate every service into a single, easily managed unit. 

There’s no place for separates, or point solutions, in today’s fearsome threat landscape: they’re complex to manage, prohibitively expensive, and require IT staff trained in many disciplines. Malicious online activity is increasing exponentially and using multiple security solutions that, in many cases, don’t even talk to each other is adding unnecessary risk. The latest UTM appliances are chock-full of security features.

Along with a business-class firewall, they offer virus and malware protection, threat detection, intrusion prevention systems (IPS) as well as web, email and application security. 

Running them all on one hardware platform means every feature is in lockstep, and most can be managed locally from a single administrative web console and from the cloud as well.

All-in-one security close to the edge

UTM appliances are designed to be deployed at the network perimeter so all inbound and outbound internet traffic passes through a single point. This makes it simple to apply company-wide security policies to every individual and device located behind it. 

The best products here are well suited to SMBs with limited on-site IT expertise. You connect them between your internet router and local network and run a quick-start wizard that activates essential protection by creating and applying a default security policy. 

Another advantage is it’s much easier to keep all security services updated with the latest attack signatures and intrusion prevention profiles. The best products can do this for you by automatically requesting updates at regular intervals and will also advise you of new firmware upgrades.

Top-of-the-line security features

Appliances have evolved rapidly to keep up with the latest threats and offer an incredible range of security measures. The biggest decision facing SMBs is deciding which ones they need, and the good news is most vendors offer a range of subscription services so you can pick and choose the features you want and stay within your budget.

Features to look out for

Digital shield emerging form a motherboard to denote safety and security

(Image credit: Getty Images)

1. Anti-malware
2. Sandboxing
3. Application controls
4. TLS 1.3 inspection
5. Great hardware specs

The Zyxel ZyWALL ATP500, for example, costs $1,000 and has anti-malware protections that use machine-learning algorithms. All unknown files received by its ATP gateway are stored on the device. This data is then used to evolve the device's security knowledge and bolster its threat detection. That's a high-grade security capability for an affordable price. 

Anti-malware should be high on the list of priorities when looking at UTM appliances; It is an essential component for verifying traffic and web downloads, and ultimately blocking all malicious content at the gateway. 

Sandboxing should also be considered: again, the ZyWALL ATP500 is a good example as it comes with a one-click sandbox service. Unknown files are run safely in the cloud and destroyed if they are identified as malicious.  This is the biggest benefit of sandboxing – the ability to use a cloud environment as a safe space to run potentially malicious files away from your device or network – and a feature that businesses should prioritize. 

Application controls use thousands of signatures for managing access to common applications and categories such as social networking. With the vast majority of web traffic now encrypted, transport layer security (TLS) 1.3 inspection is another must-have feature as this allows the appliance to decrypt and inspect HTTPS traffic at the network perimeter. This can place a heavy load on the appliance’s CPU so it’s important to choose a model with a good hardware specification – the performance number to look for in the datasheet is the SSL/TLS or HTTPS inspection throughput. One company goes even further, with its appliances having a separate processor dedicated to this task.

Protecting your network

No right-minded business will be without a wireless network and a security appliance can protect them as well. As long as you ensure that your existing wireless access points (APs) are deployed on the appliance’s LAN side, it will be able to inspect their traffic and apply security policies.


Threat intelligence integration: From source to secure

(Image credit: Graylog)

Discover what you can gain from using an integrated threat intelligence platform


Another alternative is to choose an appliance with an integrated wireless AP. The main advantage here is it sees the AP as just another network interface so you can apply the same security policies to wired and wireless clients.

Some top appliances include integral wireless services, but the differences could hardly be greater. Some expensive options only offer older Wi-Fi 5 services and basic WPA2 encryption, whereas you can get cheaper options that provide a Wi-Fi 6 AP and support the more secure WPA3 encryption.

Prioritizing cloud management

Businesses that want to deploy multiple UTM appliances to protect remote sites and home workers should make cloud management a top priority. Most vendors provide free cloud portal accounts and, after registering the appliances, you can monitor and configure them from anywhere over the internet.

The WatchGuard Firebox T85-PoE has an option for full cloud management, which takes just 5 minutes to set up. This provides a wealth of monitoring information such as live activity, top clients, application usage, a global threat map, and even a list of blocked websites. The device also provides a summary view, with an incident list, via its portal – for those that use multiple appliances in a network setup, the WatchGuard host sensor can pull up threat indicator information and the remedial actions taken across endpoints. These are features that will appeal to businesses that need to protect geographically distributed remote offices. 

Another good example is WatchGuard's M5800, which can also be used within a network setup. This includes controls for botnet detection and custom blocks for URLs and ports. You can also create custom policies by choosing from 130 URL categories and deciding whether to block or allow them. That includes direct access to WatchGuard's application control service which offers over 1,250 predefined app signatures making it simple to block unwanted apps and control access to social networking services such as Facebook and Twitter

Another great feature is zero-touch provisioning, as this reduces the burden on support staff and doesn’t require end users to do anything other than plug the appliance in and provide an internet connection.

After registering the appliance to your account, it can be sent to the remote site and, once connected, takes all settings and security policies from the cloud. You can also extend protection to remote workers beyond the firewall’s reach, as some vendors have integrated support into their appliances for their endpoint protection agents.  These link up with the appliance’s cloud management portal, provide status information, and issue alerts if threats have been detected.

No business is too small to be of interest to cyber criminals; everyone is fair game. It’s clear SMBs must take security seriously, and investing in a UTM device is a smart move. 

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.