2.5/5Gbps WAN (and/or LAN) ports on newer Fireboxes?

This came up in a discussion about Internet connections starting to exceed 1Gbps and the fact that to take advantage of newer Internet connections (2Gbps was mentioned), one would need a device that has at least a 2.5Gbps WAN port (or 5Gbps, as some 5Gbps ports also negotiate 2.5Gbps - but most 10Gbps ports won't).

Are there plans for future Fireboxes (desktop and rack mount) to have 2.5/5Gbps WAN and/or LAN ports as standard?

Currently I see the only device that has said port standard is the M690 [interfaces 10 and 11, which do 1/2.5/10Gbps], and it is an add-on module option for the M290/M390/M590/M690 [1/2.5/5Gbps], which would be a near impossible sell for an office (or home!) that can only accommodate a desktop firewall but has a high-speed connection available to it.



    It's one thing having a 10G WAN line and completely another thing being able to utilise all of it. ISPs are throwing huge speeds at customers these days for very little cost, and in my opinion it's skewing the provisioning of the correct firewall to customers' needs.

    Fundamentally a firewall is doing things to all the traffic that passes through it. It's not simply switching or routing, which is easy; it's scanning it, encrypting/unencrypting etc., and all firewalls work hard across all layers. WatchGuard have 11 physical firewalls in the current range, extending from small & affordable right up to enterprise-level devices with the option for 40G interfaces etc. It is entirely correct that the increased capability of each firewall is reflected in an increased cost. The last time I looked at the CPU in a top-spec box, that CPU alone was a few thousand pounds.

    The focus should be on an average WAN utilisation rather than the speeds offered by the ISP, and looking at the performance section of the firewall's specifications: https://www.watchguard.com/wgrd-products/appliances-compare?pid1=74741&pid2=54681&pid3=46806

    For example, the T25, the baby box: if your customer wanted that operating as a satellite remote site with a zero-routed branch office tunnel, the performance figures suggest that it will top out at around 300 Mbps on VPN, as the T25 is working its socks off processing that VPN. So, if the customer wants a T25 but also has a 1GB WAN line and wishes to utilise all of that 1GB line via a VPN, then the T25 isn’t the correct device for that circumstance. They either accept the limitation and under-provision themselves, or they select a device higher up the range to make sure the firewall capabilities match the traffic they will push through it and not just the WAN speed they have been offered.

    My guess is the newer generation of WatchGuards will come out in the next year or so, and my guess is they will have increased interface speeds and options both built in and modules.

    james.carson (Moderator, WatchGuard Representative)

    Hi @PhilT_VIT

    The T80/T85 can be optioned with an interface module that will accept an SFP+ transceiver, but at this point in time will only accept 1 Gb and 10Gb transceivers.

    I suspect that there will be more 2.5Gb ports on appliances (as they've been making an appearance on WatchGuard APs for a while now).

    Customers with existing hardware that want to connect to other devices at speeds greater than 1Gb can add additional ports to that connection via a Link Aggregation.

    (About Link Aggregation)

    Please keep in mind that not all firewall models are capable of pushing traffic over 1Gb/s, so adding additional ports to a link aggregation, or installing a 10Gb port may not result in the speed increase you were expecting.

    -James Carson
    WatchGuard Customer Support
