WatchGuard Security Appliance Keeps Close Watch on Network Activity

By Frank Ohlhorst

The M500 offers an intuitive browser-based dashboard that makes it easy to ascertain what is occurring throughout the network. A quick glance demonstrates top application activity, top destinations, top client activity and policies being executed. What’s more, administrators can quickly drill down into other informative areas to troubleshoot traffic or better understand traffic patterns.

The M500 is a member of the WatchGuard family of products that are managed via a centralized system. Each M500 has integrated controls that allow it to become part of a larger, centralized management structure, offering support for administrators looking to unify the control of several devices at various locations, such as branch offices and remote sites.

Out of the box, the M500 offers the ability to quickly take on some security roles. The device provides the capability to define or modify default packet handling rules, so that once deployed it can immediately offer protection against the most common forms of attack, such as port probes, ICMP attacks and so forth.

The M500’s OS offers some very powerful observational capabilities. For example, the FireWatch Application view screen gives a graphical representation of what is occurring on the network and uses sized boxes to illustrate activity.

The observational prowess of the M500 is further evidenced by the device’s ability to drill down into traffic details from the FireWatch Destination tab, which shows what sites are being visited and by whom.

The Network Interfaces dialog makes it simple to set up what mode the device should operate in and how each of the ports on the device is defined. This allows the unit to be deployed on one of several modes, making it easy to implement in a number of network infrastructures.

One of the most powerful aspects of the M500 is the ability to define detailed policies for how applications are dealt with. The device comes with thousands of predefined applications and allows administrators to add more. Administrators can then define policies for how a user can interact with a particular application, helping to secure the traffic around that application and to block unauthorized applications with ease.

Policy definition proved quite straightforward by using an intuitive interface that separates policy elements via tabs. From one screen, administrators can drill down into policy-based controls for applications, traffic, proxies and even scheduling when a policy is active. Other critical elements, such as intrusion prevention and logging, can be enabled with just a simple click.

One of the M500’s key features is the ability to deal with SSL traffic from HTTPS-based connections. The device can decode encrypted HTTPS traffic and detect any threats hidden within. An HTTPS-proxy defined policy makes that possible and offers varying levels of scanning, as well as certificate verification. Administrators can easily define what actions should be taken with encrypted traffic to fine-tune both performance and throughput based upon need.

All defined policies are gathered into a list, making it simple to enable, disable, modify or even clone policies. The list supports drill-down, preventing the need to open any other management sessions to delve deeper into individual policy controls.

The content filtering system employed by the M500 uses common definitions to ease policy definition. Administrators have the power to pick and choose content categories as well as define what happens when a particular category is accessed.

The M500 uses a subscription model to enable security features. The subscription services screen offers quick insight on what services are enabled and the usage of each subscription, making it a little easier to demonstrate the value offered by the services provided by the device.

The M500 includes real-time capabilities that offer an interactive view of what is occurring on the device. The traffic management screen shows active traffic, loads and connections (source and destination). Administrators can drill down, filter or sort traffic reporting via a variety of methods, making forensics chores a little easier to deal with.