My Sonicwall SOHO TZW seems to be losing its mind (persistent firmware corruptions) and I have been generally unhappy with its performance. I am considering replacing it with a ZyXEL Zywall 5 or Watchguard Firebox X5 (wireless capability is not a concern). I am looking for any recommendations for either choice. I primarily want to make sure that I can VPN remotely with my laptop from various client sites to my network and have fairly granular control over inbound and outbound traffic via the firewall rules. It looks like the Firebox provides VPN client software...I cannot confirm for the Zywall. I am also not really interested in any annual subscription service which they both seem to offer, with the Zywall being less dependent on maintaining the service. My lean is toward the Zywall...
Some people feel the need to run the latest version of everything & those people feel the need to make sure they have the latest firmware version on their router at all times. I don't know if you are one of those types of people or not.
Be aware that if you are one of those types, you will have to pay WatchGuard annual fees for the privilege to have access to the latest firmware code. Zyxel offers free firmware upgrades.
Support for the ZyWall may be a non-issue as well. Zyxel puts out one of the most comprehensive router manuals in the business. WatchGuard's router manuals leave much to be desired, IMHO.
Another issue is availability of features. Both brands' subscription services aside, with the ZyWall what you see is what you get. The full firmware feature-set is available to you right out of the box. A lot of WatchGuard's features are extra cost. If you do go the WatchGuard route make sure the unit you are buying has the feature-set you are wanting. Minimizing hidden gotchas is key.
This usenet group is usually so gung-ho on WatchGuard & I see less enthusiastic crowds elsewhere on the internet (such as the Ars Technica forums where more than one person has stated they'd never touch a WatchGuard device again.) so I thought I'd just weigh in with a couple points for the other side.
I don't own a Zyxel or WatchGuard device. I do not sell either brand either unlike some people who have replied to your thread. Both companies have their advantages and disadvantages & there's no such thing as the perfect router only the router that is perfect for your uses. Look at both closely and see what you are getting for your money with each one.
I'll put in my 2 cents for Fortigates, they do the full gamut of stuff and are very reliable, very reasonably priced, and when the new 3.0 OS comes out (I have Release Candidate builds on hand) they will raise the bar again.
If you read Google you will find fewer complaints from people with WatchGuard products than Zywall. My experience with WatchGuard is that they are very reliable, last forever (I have some that are 6+ years old that are still in operation), that don't need constant updating, and can be purchased with different levels of functionality as needed. I've never used anything as small as an X5 (I start with the X700 now), but I've read about setup issues with the Zywall and when I contacted their support to ask questions before a purchase of a unit, it was 4 days before I got a response - I ended up not purchasing one because they could not provide answers back then.
I have a Watchguard X5 Wireless Firebox and love it. I have had no problems at all with it. The nice thing about it is that it has an optional network that you can put all the wireless computers on and they have no access to the trusted network that the wired computers are on. The wireless network is very secure and also has MAC address filtering.
So, without a warranty or support, you're saying that Zywall will provide free updates?
Yea, go read it - I have read it several times. It's the most convoluted manual I've read (and I've read many). The WG manual is clear, direct, easy for a novice to understand, and is many hundred pages long. Please tell us what the WG manual leaves to be desired?
With WG, you get what you pay for, and can expand the unit without need to purchase additional hardware. The unit you purchase has a clear amount of features included, with a clear list of options you can purchase when needed.
As an example, I have an X700 unit, it has 6 jacks, in the base unit, 3 are enabled and provide WAN/LAN/DMZ port functions. If I want to enable the other ports all I need to do is purchase a license key and enter that in the management app and send it to the firewall - they are enabled.
The "Feature Set You Want" is something that all vendors' products provide - you have to purchase what you want, no matter what vendor.
Why did they say that? I've seen many comments about Zywall that indicate one should stay away from them:
1) PPTP not working
2) IPSec tunnels not working
3) Issues with NAT
4) Issues with firmware breaking things that worked before an update
Please list specific items when you make those types of statements.
The problem is you call them Routers, and the WG units are NOT routers, they are firewalls. Sure, Firewalls can have routing functions, but they are not routers. Your post indicates that you don't have a lot of firewall experience, not a problem, but you should learn to post details instead of speculation.
I don't own a Zyxel firewall. Why? I could not get answers from their support team in 4 days when I was considering a purchase, I could not find the answer in their manual, I could not get an answer out of the sales team, and after purchasing a different vendor's unit (not a WG) I got a call from them - 3 weeks later, and was told that they could not confirm if the setup I wanted to use would work with their product.
I'm sure, and see, that Zywall units are cheaper than WG units, as I've priced them, but, sometimes you DO get what you pay for.
Actually, the 50 and the 100 are both pretty much obsolete models. The 50A is the current entry level, for a 2-interface box -- the 50 isn't produced any more and can't run 2.8 or 3.0 code. The 60 has 4 interfaces and is a very, very popular model. The 100A replaces the 100 with more interfaces (5 vs 3) and more horsepower for little upcharge.
I use 50A on heavily loaded ADSL-type feeds with all protections enabled... say up to 3Mbps, and the 60 on slightly bigger ones or places that want more interfaces. The 60 also supports HA and VLANs while the 50A does not.
FG60 with 1 year of all subscriptions less than $1000 US.
Yes, I am. Zyxel places all Zywall firmware updates on their public FTP servers for one and all to download regardless of the state of the warranty or if you are even a customer. I don't own a Zyxel product and yet I could go download every firmware revision for every product they make including their flagship Z70 UTM.
It is convoluted at times, yes, but it goes into a lot of detail. In contrast to the Watchguard Edge series manual I read in which in some spots you get the feeling they are just saying, "Ooo...it's magic. It'll work. Trust us." It doesn't matter to me...I'm one of those people who only reads a manual if things don't work. However, some people need a lot more hand-holding or just have a real desire to dig in and learn how everything works. I don't know which category the OP falls into so I mention it for completeness. Some people never give product manuals a second thought. For others, it's a bible.
Yes, I understand that...I understand that business model very well & I support it. But in your example, some people would look at those 3 ports they don't have access to out of the box & get upset that they are being charged for hardware they cannot use. It's more of a mental thing & like I told the original poster...always make sure you are getting the features you are wanting for the price you are paying. Going back to your example again, a person might see a picture of that box on a web site, see the 6 ports and think they are going to get full use of all those ports in the cheapest configuration. I was trying to explain that while Watchguard has a "pay to configure the features you want" business model Zyxel has a "one size fits all" business model. All ports and all features are enabled (other than subscription services). Period.
Dig enough and you find problems about every product. Nothing is truly bug-free & I was just pointing out that no product from any company is perfect. I'm sure as soon as a company comes out with one it'll be marketed as The Immaculate Contraption. ;)
Yep...guilty as charged. It's a bad, bad, bad habit of mine...I just get to typing sometimes and "router" comes out instead of "firewall". I'm getting better, but old habits die hard. Hopefully, it didn't cause any confusion in this thread as both the Watchguard and ZyWall devices are firewall appliances.
I didn't get too specific & load down my post with too many details as I was getting wordy enough. I didn't want to overwhelm the OP & figured he/she would ask for more details if needed. As it is, though, I haven't seen a post out of him since his original question so we may all be talking to ourselves in here.
I don't own a Zyxel firewall, either. Some people have nothing but praise for them, though.
I agree...some people see things differently, though. Just a personal observation I've noticed is that it seems like the people who yell the loudest about how some companies charge annual fees for support contracts & firmware updates are the same ones who yell the loudest when their Brand XYZ router/firewall that doesn't charge annual fees doesn't have timely firmware updates and bug fixes. Without those support contract fees there's not much financial incentive for a company to continue firmware development.
What I am dead-set against is those companies that have penalty reinstatement fees. I don't know if Watchguard is such a company or not, but one example of this kind of practice is Juniper. If you let your support contract lapse if you re-purchase a contract you have to pay all the way back to the lapse date. I just think that's wrong.
I've re-purchased support for lapsed units, also purchased additional licenses for units with no support/warranty, so I don't think that WG has that issue. I have more than 40 wg units in the field right now and have not found a better unit for the type of protection we expect for our clients. I like them so much I put a Firebox III/1000 in my home.
I'm very happy to hear that. That policy of Juniper's is nothing short of highway robbery. If I buy a device & do not need any support or maintenance on it for the first two years of its life before I need a contract why should I have to be expected to pay for support I didn't need or use? The Juniper and Netscreen names have their supporters but I cannot in good conscience recommend them to anybody.
If I owned a Netscreen unit I would keep expecting Tony Soprano to knock on my door with two of his enforcers & tell me that Netscreen units like mine have "accidents" every day & thankfully they are there to sell me some "protection."
And that's great...I always love to hear stories about people who have bought what they thought they needed & it turned out to be exactly so.
However, I felt the need to play Devil's advocate here. What's right for you or me may not be right for the original poster. When doing one's research just taking one's eye off the ball for even a minute could be a very costly mistake. A lot of vendors charge hefty restocking fees on these firewall units (all brands) or have a strict no-return policy even for some models so one might end up being stuck with something extremely undesirable for their situation.
Yep, one should always look at what they need and then review the specs on what the products provide. The nice thing about the X700 and above is that if you buy too little it's only a firmware/key to upgrade to the next level(s).
With the lower end units I can't really say as none of them have fit into the networks we design.
If a poster asks for a product, based on the information they provide, I can generally get them what they need based on the information they provide - most times we have to ask for more information as most people looking for help never seem to provide enough info :)
UPDATE: After much investigation and going back and forth I decided to go with the ZyXEL Zywall 5. Key considerations:
1) No limit on internal LAN (Standard) - I have 10 IP machines now, but as more devices become network capable (eg, VoIP), that number will grow. Zywall 5 has no limit on internal IPs, Firebox X5 has 12. Can be expanded but you pay (upgradeable to 17).
2) VPN Licenses - Zywall 5 comes with 10, Firebox X5 comes with 1. Can be expanded but you pay (upgradeable to 11).
2) CLI access - This one appeals to the geek in me. Just like having the ability to get into the nuts and bolts beyond what the web interface provides. Zywall 5 has it, Firebox X5 does not.
3) Documentation - Though the Firebox X5 docs are good, I liked the extra level of detail in the Zywall 5 docs. I always consider more information better.
4) Bandwidth Management - The Zywall 5 offers this capability to ensure certain traffic does not consume all your bandwidth and to guarantee specified traffic has priority. To the best of my knowledge Firebox X5 does not offer this.
5) Firmware Upgrades - Though I adhere to the adage, "If it ain't broke...don't fix it", not having to pay for firmware upgrades is nice to have available. ZyXEL gives you lifetime access to firmware upgrades, Watchguard requires you have a current support subscription.
6) Reinstatement fee - This was the kicker. Firebox comes with 90 days of support after which you must pay an annual fee (Watchguard $140/year - CDW vs ZyXEL $60/Year - Provantage). I'm okay with that. The problem is that if you let the support lapse (14 days) you have to pay a reinstatement fee and then pay the annual subscription fee. Reinstatement fee varies from $345 (Provantage) to $109.24 (CDW). This one just rubs me wrong.
Both devices are very capable and the decision was not easy but I felt the Zywall 5 gives me more value for the money. I provide this info for other people to consider when looking for an Internet Security Appliance. You can't go wrong either way....
Thanks for coming back and letting us know what you decided to buy. If you could come back after you get it up and running to your full satisfaction (or full dissatisfaction!) that'd be great, too.
A lot of people post asking for advice and then you never hear from them again.
Do seriously consider visiting the forums at
as there is a Zyxel-specific area there and it is populated with very knowledgeable people who'll be able to help you with any difficulties you may have & if you have no difficulties I'm sure they'd love to hear about any success stories as well.
Agreed! There is such a shortage of information available on routers & firewall appliances in general. We're expected to make leaps of faith on boxes that will cost us $100, $500, or more without any real benchmarks, in-depth reviews, and comparisons to go by. Owner experiences are the only thing we have to go by when we are looking to purchase one.
There were lots of good reviews when Tim Higgins ran his web site, but he has since sold out & reviews on Tom's Hardware (who bought him out) have suffered drastically. Now we are left with lots of great reviews that are unfortunately several years old and are about products that are either obsolete or near-obsolete.
I think the lower-end units such as the X5 and X15 can be upgraded up to an X50, but my memory may be failing me on that so anybody contemplating purchasing a lower-end Watchguard should make sure before buying.
That is a very good feature for people who need to buy something for now, but know they are going to need something more powerful a year or so down the line, but do not want to lay out all the cash up front.