Filed Under (Geekspeak, Work) by Justin on 2008-05-28

As previously mentioned, we’re switching away from a one-year-old Watchguard Core x750e to a SonicWALL NSA 3500 at my place of employment in order to deploy a nice, widespread (geographically speaking), and expensive VPN.

I received the first half of my gear from Mark Moreno two weeks ago and immediately unboxed the NSA. It’s quite a purdy device! It’s sleek, silver, and has a very bright blue LED on the front. I powered it up and upon logging in to the web management interface, I was equally impressed by how shiny and web 2.0 the web UI was. Sadly, that’s where my enthusiasm ends for SonicWALL right now. I started digging around and was just overwhelmed at the options and difference in terminology between the NSA and the Watchguard. After talking it up in the CITRT IRC channel, I was informed that the “public server wizard” was the way to go with configuring NAT policies since SonicWALL actually needs THREE rules to create one NAT rule. Not only do the NAT policies have to be defined, but then there is the firewall policy. Best I can tell, to NAT one port to one service would require the following steps without the wizard:

  1. Create “Address Objects”
  2. Create “Service” or “Service Group” if not predefined
  3. Create Firewall rule
  4. Create the three NAT policies

While four steps seems simple, it’s a lot of clicking and a lot of digging around, and so far, I’m not a fan. The wizard did a good enough job for some of my rules, but others don’t work right (will work for a few hours and then stop) and others don’t even work at all. At this point, the firewall is doing WAY too good of a job at blocking services from the outside world!

I’m sure it’s a PEBKAC or maybe even an ID ten T error, because so many people just love their SonicWALL stuff. A few minutes ago, I said this in the IRC channel, and I think it’s fairly accurate at a certain level:

<wantmoore> i’d almost go out on a limb and say “windows is to linux as watchguard is to sonicwall”
<DavidSzp> wantmoore: That’s an interesting analogy
<wantmoore> watchguard: much easier to do stuff and make it work. sonicwall: a lot more flexibility, but not nearly as straightforward
<stephensflc> I would totally agree with that statement at this point
<wantmoore> the analogy doesn’t stick where cost is concerned though 😉
<wantmoore> in that regard, watchguard is a WHOLE lot cheaper. sonicwall will nickel and dime you to death

And I’ll stand by those statements for now. I’m sure that Moreno will help me get my issues resolved and I’ll join the Happy SonicWALL Club soon enough. Until then, I really miss my Watchguard and I’ll be hanging out in the corner with my friend Ed talking about our plans to start up an anti-SonicWALL user group.

(6) Comments   


Ed on 28 May, 2008 at 3:39 pm #

Believe it or not I thought my FreeBSD firewall was more intuitive…

Bill on 28 May, 2008 at 5:27 pm #

Just curious… why did you change from WatchGuard? Were there certain features not supported that SW had?

Nangra on 30 May, 2008 at 3:21 pm #

I’ve been very happy with our Checkpoint Appliance. It also was a little different to configure compared to our Watchguard, but after playing around a little, it’s been great…especially their vpn. Also, their tech support is superb.

Swimming in SonicWALL» justin moore on 3 June, 2008 at 12:07 am #

[…] posting last week about my troubles treading in to SonicWALL water, I think my issues have all been resolved and things are really humming right along. Truth be told, […]

Mike Tupker on 13 April, 2009 at 12:53 pm #

I’m actually trying to decide between the sonicwall NSA 5000 and a watchguard x6500e. I’ve been seeing comments all over the place that are not all that favorable for either one. Now that you have had some time on the sonicwall what do you think of it compared to the watchguard? Honestly I’m having a hard time beating the watchguard’s price.

The issue you outlined in your post with the sonicwall sounds similar to the process for a Sidewinder G2. (that’s what we have now)

Justin on 18 April, 2009 at 8:43 am #

Mike – for just a single-location firewall, I think Watchguard is still pretty solid. Now that I’ve spent more than a year working closely with SonicWALL products and deploying a 25-site VPN, the SonicWALL stuff is hands-down better for the things I do. I can give you references for several non-profit organizations that are using the SonicWALL E-Class E5500 and E6500 devices and love them. I also have contact info for a Gold-level SonicWALL partner who is a great resource for awesome prices or just general questions about the SonicWALL line. Let me know if you want any of that info from me.
