Neal Weinberg
Contributing writer, Foundry

Watchguard Firebox V200

May 06, 2003

* WatchGuard moves beyond the SOHO market and tries to play with the big boys

Watchguard Technologies, known for its SOHO firewall/VPN appliances, is moving up to play with the big boys.

Watchguard has come out with its high-end, enterprise-class Firebox V200, aimed squarely at the likes of Cisco’s PIX 535 and NetScreen’s NetScreen-5200 series. The Reviewmeister held this product’s feet to the fire and here’s what we found.

On the plus side, this $60,000 device is a lot less expensive than competing products from Cisco, NetScreen, or Nokia.

In our performance tests, the V200 set up 42,000 concurrent IPSec tunnels, a useful capability when dealing with huge numbers of dial-up users in an enterprise setting. And when configured as a firewall, the V200’s performance is essentially the same with two access rules or 1,000 rules in place.

But on the minus side, we found that security always comes with a performance cost. Latency and throughput testing simply wasn’t possible with tens of thousands of IPSec tunnels in place. Even with a much-reduced number of tunnels, the V200’s latency and throughput are much degraded compared with its performance when configured as a firewall.

The V200 offers firewall, VPN, and network address translation (NAT) via two Gigabit Ethernet interfaces. The V200 also offers BGP routing and two out-of-band interfaces for high-availability applications.

The V200 offered impressive VPN tunnel capacity, but the version we evaluated shone a bit less brightly when it came to moving packets through those tunnels.

In our latency measurements, latency was higher with IPSec enabled than without it – around four to six times higher. The most pronounced increase was for 1,518-byte frames, the maximum length allowed in Ethernet. We observed average latency of 818 microseconds across a pair of V200s.

Added delay for maximum-length frames is not surprising, considering that IPSec’s encapsulating security payload (ESP) method fragments and then reassembles these frames. Given the added processing involved, an extra 100 microseconds of latency – 818 microseconds, vs. 725 microseconds for unfragmented 1,440-byte frames – is not a huge increase.

Latency with IPSec disabled, but with firewall rules enabled, was far lower. More impressive still was the fact that latency was essentially the same with two firewall rules configured, or 1,000 rules. That’s because the V200 loads all firewall rules onto its ASICs.

Throughput, like latency, is lower on the V200 when IPSec is enabled than when it’s acting purely as a firewall. In this test, there was a significant throughput difference depending on whether the V200 had to fragment frames.

With maximum-size 1,518-byte frames, which do get fragmented, throughput was equivalent to around 23% of line rate. With 1,440-byte frames, which IPSec doesn’t fragment, throughput more than doubled to the equivalent of 54% of line rate, or nearly 533M bit/sec.
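The two effects described above, ESP fragmenting 1,518-byte frames but not 1,440-byte ones, and the 54%-of-line-rate figure working out to roughly 533M bit/sec, can both be reproduced from Ethernet and ESP framing overhead alone. The following is an added worked example, not code from the review or from WatchGuard; the cipher and integrity algorithm (3DES-CBC with HMAC-SHA1-96 in tunnel mode) are assumptions, since the article does not state them.

```python
# Added example (not from the article): why IPsec ESP fragments 1,518-byte
# Ethernet frames but not 1,440-byte ones, and how "percent of line rate"
# at a given frame size maps to the Mbit/s figure quoted in the review.
# Cipher/auth parameters are assumptions; the article does not state them.

ETH_HEADER = 14            # dst MAC + src MAC + EtherType
ETH_FCS = 4                # frame check sequence
ETH_WIRE_OVERHEAD = 8 + 12  # preamble/SFD + inter-frame gap, per frame on the wire
IP_MTU = 1500              # bytes of IP packet that fit in one Ethernet frame
OUTER_IP = 20              # tunnel-mode outer IPv4 header
ESP_HEADER = 8             # SPI + sequence number
ESP_TRAILER = 2            # pad length + next header
LINE_RATE_BPS = 1_000_000_000  # Gigabit Ethernet


def esp_tunnel_size(frame_bytes, iv_len=8, block_len=8, icv_len=12):
    """Outer IP packet size after ESP tunnel-mode encapsulation of one frame.

    Defaults assume 3DES-CBC (8-byte IV and block) with HMAC-SHA1-96
    (12-byte ICV), a common 2003-era configuration (assumption).
    """
    inner_ip = frame_bytes - ETH_HEADER - ETH_FCS
    body = inner_ip + ESP_TRAILER
    pad = (-body) % block_len  # pad so (payload + trailer) fills whole cipher blocks
    return OUTER_IP + ESP_HEADER + iv_len + body + pad + icv_len


def needs_fragmentation(frame_bytes, **kw):
    """True when the encapsulated packet no longer fits in one Ethernet frame."""
    return esp_tunnel_size(frame_bytes, **kw) > IP_MTU


def line_rate_to_mbps(frame_bytes, fraction):
    """Convert a fraction of line rate at one frame size into Mbit/s of frame data.

    Line rate counts the 20 bytes of preamble and inter-frame gap sent per
    frame, which is why 54% at 1,440-byte frames is ~533 Mbit/s, not 540.
    """
    wire_bits_per_frame = (frame_bytes + ETH_WIRE_OVERHEAD) * 8
    frames_per_sec = LINE_RATE_BPS * fraction / wire_bits_per_frame
    return frames_per_sec * frame_bytes * 8 / 1_000_000


if __name__ == "__main__":
    for size in (1440, 1518):
        print(size, esp_tunnel_size(size), needs_fragmentation(size))
    print(round(line_rate_to_mbps(1440, 0.54), 1))
```

Changing `iv_len` and `block_len` to 16 models AES-CBC; the 1,440-byte case still fits in a single frame, so the fragmentation boundary the review observed does not depend on the cipher choice.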

The V200’s throughput compares favorably with the 440M bit/sec claimed by Cisco for its flagship PIX 535 in a similar configuration, but it’s less than the line-rate numbers cited by NetScreen for its flagship NetScreen-5200 line. For the full report, go to