We went all in on Watchguard this year because the sales team talks a big game but I'm starting to regret it.
Here are my most painful points:
1. Support doesn't understand the product. I always have to try to escalate until I find someone who kind of understands it. Most of the time support wants to connect to one of my firewalls instead of TDR, when the issue has nothing to do with the firewall. Honestly this product is so different from the others, there should be a separate support team for it IMO.
2. Lack of documentation on things like best practices.
3. Loads of indicators on things that should be trusted. We see indicators on files signed by Microsoft. There is no way to exclude indicators based on publisher. Whitelisting doesn't solve the issue, as most of the indicators are for updates or patches, which is a routine thing that happens every day and creates unique files.
4. No way to whitelist domains / report false positives. I understand that it's RED on my firewall that is blocking it and I can whitelist in the HTTP proxies but when something like my AV vendor domains are getting level 7 incidents because of RED, wouldn't the better solution be to submit the domain as a false positive and whitelist it?
5. Files don't upload to APT Blocker 90% of the time due to file size. When they do upload, if the file is found to be by a trusted vendor, the indicator still stays at the original level rather than being remedied.
6. No way to create rules to automatically remedy or take complex actions; there's not enough control over policy actions.
7. It doesn't interact with / take advantage of IntelligentAV. There are big holes in the IntelligentAV product (no proper way to scan the MAPI protocol without routing all mail through a single firewall) which could be remedied by directly interacting with TDR.
8. No true baselining. As far as I can tell it doesn't set a network baseline for things like traffic and activity on the host. I thought this was supposed to be an intelligent product that could detect and alert on abnormal behavior on the host. How can it do that if it doesn't set a network activity baseline?
9. Reporting is sparse and uses scary lingo in executive reports. I have yet to bring any of the reports to our board of directors because the language in the reports makes it seem like our network has been infected when in fact it was just a RED false positive, or there are outstanding indicators for things like Microsoft patches.
TDR has a lot of potential but right now it seems half baked. It's frustrating how much was promised and how little was actually delivered.