Old hardware as learning tool

I am new to WatchGuard products and commercial firewall appliances. We are currently running an XTM 670. I can do the basic setup like VPN tunnels/gateways and monitor the system, but I would like to be able to get practice with the system programming, which I absolutely CANNOT do on the production unit. An older WatchGuard 520 was sitting in storage. Does anyone know if this would be a good unit to practice on? I'm not yet certain that it even works - no one knows how long it's been sitting there, and there is some physical damage (I think they just forgot to throw it out after transferring the licenses to a new unit), but I did boot it in safe mode and load a basic configuration. Thanks for any advice.


  • Options
    edited July 2019

    Your best option for a learning device is a new T15 with basic or total security. If you want to play with advanced features like clustering then you need two T35 Fireboxes. The older XTM models are missing lots of really useful features like Geolocation.

    Adrian from Australia

  • Options

    Thanks, I was hoping this one would match up to the newer units, but I'm not surprised. Our offsite reps use T15s in their offices - I can work on a new one before we ship it out. I guess I won't be taking that one home, however :)

  • Options

    The last release for an XTM 520 is Fireware v11.12.4 Update 1.
    Thus any enhancements in V12.x are not available for this unit. Significant ones include - DNSWatch, SD-WAN.
    If you don't have a current LiveSecurity license on this unit, then you can't upgrade it to a newer XTM version - so you will be testing with whatever XTM version is on that unit.
    Also, if you do not have current licenses on this unit for any of the security options, then you can't test those either.

    Presumably your current firewall is an M670, not an XTM 670.

  • Options

    My mistake on the name - I was thinking of the XTM 850 that we just retired. I'm assuming that it has no licenses. When the 850 hit EOL, I had to transfer everything to the 670 along with the config file. I'll look into it more, but from what you're saying, this 520 is nothing but a very basic firewall without the licensing, and even if it was licensed, it is missing a lot of bells and whistles.

  • Options

    Regarding "this 520 is nothing but a very basic firewall without the licensing" comment, it's actually still far better than a basic firewall. It still can do HTTPS content filtering and can block executable file downloads in FTP/HTTP/HTTPS/SMTP traffic.

    Blocking executable file downloads in FTP/HTTP/HTTPS stops drive-by downloads or users getting suckered by a fake support phone call and then downloading the remote access app the "support" person wants them to load.

    Gregg Hill
