 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Network Security Education Center 
|
Frequently Asked Questions
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comparison of Fireware® Pro and WFS on Firebox® X Core™ | ||
|---|---|---|
| WFS | Fireware | |
| Multi-Wan Interface Failover | N/A | Standard |
| Multi-WAN Load Sharing | N/A | Standard |
| Traffic Management/QoS | N/A | Standard |
| Port Independence | N/A | Standard |
| Dynamic Routing | N/A | Standard |
| Firewall Throughput | Higher on Fireware, for all models | |
| VPN Throughput | Higher on Fireware, for all models | |
| Concurrent Sessions | Higher on Fireware, for all models | |
| Intelligent Layered Security | Standard ILS features | Enhanced ILS features
|
| WatchGuard System Manager (WSM) | Standard WSM features | Enhanced WSM features
|
Q: Is the 3-Port and High Availability Upgrade Bundle offered for WFS needed when a Firebox X Core customer upgrades to Fireware® Pro?
A: No. Fireware Pro includes the features of the 3-Port and High Availability Upgrade Bundle offered for Firebox X Core appliances running WFS. With Fireware Pro, all six 10/100 ports are enabled and the high availability feature is available.
| WFS | Fireware | |
|---|---|---|
| High Availability | Optional with 3-Port/High Availability Upgrade Bundle | Standard |
| 10/100 Ports | 3 Standard 6 with 3-Port/High Availability Upgrade Bundle |
6 Standard |
Q: What are the performance differences when running Fireware® Pro versus WFS?
A: For Firebox X Core appliances, Fireware Pro offers firewall and VPN throughput performance improvements and increased concurrent sessions.
| Firebox® X500 | WFS | Fireware® Pro |
|---|---|---|
| Firewall Throughput | 100 Mbps | 110 Mbps |
| VPN Throughput | 20 Mbps | 30 Mbps |
| Concurrent Sessions | 20,000 | 25,000 |
| Firebox® X700 | WFS | Fireware® Pro |
|---|---|---|
| Firewall Throughput | 150 Mbps | 160 Mbps |
| VPN Throughput | 40 Mbps | 60 Mbps |
| Concurrent Sessions | 50,000 | 75,000 |
| Firebox® X1000 | WFS | Fireware® Pro |
|---|---|---|
| Firewall Throughput | 225 Mbps | 240 Mbps |
| VPN Throughput | 75 Mbps | 100 Mbps |
| Concurrent Sessions | 200,000 | 200,000 |
| Firebox® X2500 | WFS | Fireware® Pro |
|---|---|---|
| Firewall Throughput | 275 Mbps | 300 Mbps |
| VPN Throughput | 75 Mbps | 130 Mbps |
| Concurrent Sessions | 500,000 | 500,000 |
Q: What are the port configuration differences between running Fireware® Pro versus WFS?
A: Firebox X Core appliances running WFS have three 10/100 ports standard, with a maximum of six 10/100 ports possible through a 3-Port and High Availability Upgrade Bundle. When running Fireware Pro, all six 10/100 ports are included as standard.
| Firebox® X Core™ Appliance Features | WFS | Fireware® Pro |
|---|---|---|
| 10/100 Interfaces - included | 3 | 6 |
| 10/100 Interfaces - optional | 3 | 0 |
Fireware® Pro Features
Q: What enhanced security features does Fireware® Pro offer?
A: Security features offered in Fireware Pro, in addition to features available in both Fireware Pro and WFS, include:
- Inbound HTTP protection. Prevents attacks against Web servers
- Configurable attachment control. Attachments can be selectively allowed, permitting attachment downloads from trusted sources
- AES encryption. 128-, 192-, and 256-bit Advanced Encryption Standard offers the latest standard in strong encryption
- Progressive DDoS
- Fireware Pro supports these security services: Gateway AntiVirus/Intrusion Prevention Service, spamBlocker, and enhanced WebBlocker URL filtering.
Q: What are the advanced networking features in Fireware® Pro?
A: Advanced networking features offered in Fireware Pro include:
- Multi-WAN Failover and Load Sharing. Allows up to four ISP connections, letting you load share traffic across multiple ISPs or provide failover backup in the event of an ISP outage.
- Traffic Management and Quality of Service (QoS). Policy-based control of bandwidth usage, including the ability to prioritize traffic, ensures business critical applications get the bandwidth they need.
- Port Independence. Each port is configurable as Internal, External, or Optional, giving you complete flexibility without the limitations of fixed port settings.
- Dynamic Routing. Maximizes the reliability and resiliency of your network by incorporating dynamic routing protocols, including BGP, OSFP, and RIP.
- High Availability. Prevents network failure by allowing redundant Firebox appliances.
Q: What management improvements does Fireware® Pro offer?
A: WatchGuard System Manager (WSM) management features are enhanced when managing appliances running Fireware Pro. WSM feature enhancements provided by Fireware Pro include:
- Performance Console graphs
- All Firebox System Manager (FSM) modules (HostWatch, Traffic Monitor, Blocked Sites list, etc.) have enhanced functionality in support of Fireware
- SNMP support
- New Historical Reports on Gateway AntiVirus/Intrusion Prevention Service
- Policy Manager refinements (layout, icons)
- Choice of manual or auto rules ordering
- "From-To" traffic metaphor replaces "incoming-outgoing"
Fireware® Pro Multi-WAN Load Sharing and Interface Failover
Q: What is multi-WAN interface failover?
A: Multi-WAN failover allows up to four WAN ports to be configured to handle WAN traffic while providing failure backup and/or traffic load sharing across the ports. If connections are not possible via one WAN port, the next designated failover WAN port will be used.
Q: What types of WAN load sharing are supported?
A: Fireware Pro 8.0 supports per session round robin load sharing. All traffic for a given TCP session will be sent via the WAN port used when the session was initiated.
Q: Can traffic be sent out different WAN ports based on traffic type?
A: No. Policy-based routing is not supported in Fireware Pro 8.0.
Q: Is multi-WAN load sharing and interface failover possible on Firebox® X Core™ appliances?
A: Yes. The multi-WAN load sharing and interface failover feature is present if the appliance is running the Fireware Pro operating system.
Q: In WAN failover mode, how does Fireware® Pro determine if the WAN link is down?
A: Fireware checks the physical link status and also pings the default gateway to determine whether a WAN link is active. If the physical link status indicates the connection is broken or there is no response from the default gateway, then Fireware Pro will declare the WAN link down and failover to another WAN connection.
Fireware® Pro Traffic Management and Prioritization
Q: What traffic management and prioritization features are provided by Fireware® Pro?
A: Fireware Pro offers per policy traffic management. Settings include:
- Maximum bandwidth
- Maximum connections per second
- Priority
Q: Can traffic management be based on IP address or application type?
A: Yes. Fireware Pro traffic management is policy-based. Traffic management is applied at the policy level, so it can be based on IP address, traffic type, or any other user-defined policy specification.
Q: What priority settings are available?
A: Traffic matching a policy can be designated as low or high priority.
Q: Are priority settings based on 802.1p, or DiffServ?
A: No. Priority settings are policy-based. Traffic matching a user-defined policy can be specified as low or high priority.
Q: Are traffic management and prioritization possible on Firebox® X Core™ appliances?
A: Yes. The traffic management and prioritization feature is present if the appliance is running the Fireware Pro operating system.
Fireware® Pro Port Independence
Q: What is port independence?
A: Port independence allows any physical port on the Firebox X appliance to be configured as External, Trusted, or Optional. The port type is not fixed in the hardware.
Q: What are the benefits of port independence?
A: Port independence provides the most flexibility in configuring the Firebox X appliance to fit into your network environment and to respond to changes in the network configuration. Additionally, no ports are ever wasted because they are of the wrong type.
Q: Are there any limits on how many ports can be configured as WAN, Trusted, or Optional?
A: The only port independence limit is that a maximum of four ports can be configured as WAN ports. There is no limit to how many ports can be configured as Trusted or Optional.
Q: Is port independence possible on Firebox X Core appliances?
A: Yes. The port independence feature is present if the appliance is running the Fireware Pro operating system.
Fireware® Pro High Availability
Q: Which Firebox® X models offer the high availability feature?
A: High availability is available on:
- Firebox X Peak devices (X5000, X6000, X8000) running Fireware Pro 8.0
- Firebox X Core devices (X500, X700, X1000, X2500) running Fireware Pro
- Firebox X Core devices (X500, X700, X1000, X2500) running WFS and upgraded with the 3-Port and High Availability Upgrade Bundle
Q: What high availability failover modes are possible?
A: Firebox X Core or Peak devices support only active/passive failover, in which one appliance is active and the other is available as a hot standby.
Q: Can a Firebox device running Fireware® Pro and a Firebox device running WFS work together as a high availability pair?
A: No. High availability pairs must be identical appliances running the same appliance operating system.
Q: Can different Firebox model lines (e.g., a Firebox X Peak and a Firebox X Core) work together as a high availability pair?
A: No. High availability pairs must be identical appliances running the same appliance operating system.
Q: Can different models of Firebox devices within a product line (e.g., X500 and X2500) work together as a high availability pair?
A: No. High availability pairs must be identical appliance models running the same appliance operating system.
Q: If I upgrade my primary Firebox® X to a higher model, am I required to upgrade my standby appliance to a higher model as well?
A: Yes. You must model upgrade the standby appliance.
Q: What information is synchronized between high availability pair devices?
A: Synchronization includes:
- Firewall and VPN configuration settings
- Active Firewall and VPN session
Q: Is the high availability pair synchronization traffic encrypted?
A: By default, the high availability synchronization traffic is not encrypted; however, this is a user-selectable option.
Q: What physical connection is used for high availability pair synchronization?
A: High availability synchronization is done over an Ethernet connection between the two devices, using a cross-over Ethernet cable. The highest numbered port is always used for high availability synchronization. On a Firebox Core device, the next highest numbered port (eth4) can act as a redundant port for the high availability synchronization connection.
Q: Do I have to purchase security licenses for both appliances in the high availability pair?
A: No. If the primary unit has active licenses for additional security services such as WebBlocker and Gateway AV/IPS, the secondary unit will be provided with complimentary licenses for each like service. The LiveSecurity® Service subscription must be active on each device to receive the complimentary licenses.
Q: Is high availability possible on Firebox® X Core™ appliances?
A: Yes. The high availability feature is present if the appliance is running the Fireware Pro operating system. It is also available as a 3-Port and High Availability Upgrade Bundle for Firebox X Core appliances running WFS.
Fireware® Pro Dynamic Routing
Q: What dynamic routing protocols are supported on Fireware® Pro?
A: Fireware Pro supports BGP4, OSPF, and RIPv1-v2.
Q: What is the maximum routing table size?
A: Routing tables can be up to 32,000 entries, including both static and dynamic entries.
Q: Does OSPF support load balancing across multi-path equal-cost links?
A: OSPF multi-path equal-cost routing is not supported at this time.
Purchasing Fireware® Pro
Q: Does Fireware® Pro run as a stand-alone product or do I need to run it on a Firebox® X appliance?
A: Fireware Pro is the appliance operating system and must be run on Firebox X Core or Peak appliances. It is not a stand-alone software package.
Q: Can Fireware® Pro be purchased separately?
A: Yes. Fireware Pro is available as a purchase upgrade for Firebox X Core appliances.
Q: Why is Fireware® Pro a purchase upgrade for Firebox® X Core™ appliances?
A: It is typical in the security appliance industry to offer a "standard" appliance operating system geared toward typical customer needs and an "advanced" version with additional functionality required primarily in demanding, complex network environments. Fireware Pro has the advanced security and networking features required in these network environments. Customers who need those features should upgrade to Fireware Pro.
Q: Is upgrading to Fireware® Pro covered by a customer's LiveSecurity® Service subscription?
A: No. Fireware Pro is an advanced operating system. It is a separate product from WFS, the standard appliance software on Firebox X Core appliances. A customer's LiveSecurity® Service subscription covers software updates to and future releases of WSF, but does not cover the Fireware Pro software product.
Q: Can a customer get the same features as Fireware® Pro by purchasing the 3-Port and High Availability Upgrade Bundle?
A: No. The 3-Port and High Availability Upgrade Bundle for Firebox X Core appliances enables three additional 10/100 ports (for a total of six) and enables the high availability feature. Both of these are standard with Fireware Pro. However, none of the additional Fireware Pro features are available without upgrading from WFS to Fireware Pro.
Q: Does a customer using high availability on Firebox® X Core™ appliances get Fireware® Pro free of charge?
A: No. Fireware Pro is an advanced operating system and is a separate product from the WFS appliance operating system.
Upgrading Firebox® X Core™ Appliances to Fireware® Pro
Q: How do I upgrade my Firebox® X appliance running WatchGuard Firebox System (WFS) to Fireware® Pro?
A: After purchasing a Fireware Pro license key you activate that license key on the LiveSecurity site. Upon activation of the license key, you will be presented with a feature key and the software necessary to use Fireware Pro on your Firebox X Core appliance.
Q: Do customers using Gateway AV for E-mail and migrating from WFS 7.x to Fireware® Pro automatically get Gateway AV/IPS?
A: Yes. The Gateway for E-mail license will upgrade to Gateway AV/IPS when you move from WFS to Fireware Pro.
Q: What happens to the SpamScreen licenses when customers migrate from WFS 7.x to Fireware® Pro?
A: Because Fireware Pro does not currently support SpamScreen, the remainder of any subscription for SpamScreen will be forfeited upon activation of Fireware Pro.
Q: Do customers keep their LiveSecurity® Service subscription when they migrate from WFS 7.x to Fireware® Pro?
A: Yes. Upgrading to Fireware Pro has no effect on the LiveSecurity subscription.
Q: How do I convert my WFS configuration files to Fireware® Pro configuration files?
A: A configuration conversion utility is in development; however, it is not available at this time.
