WatchGuard XTM850, XTM860 & XTM870 Firewalls End of Life and Upgrade Path
Watchguard Firewalls have a good long support life, and the company is clear about communicating End of Sale (EOS) and End of Life (EOL) policies on their devices in good time. The older XTM 810, 820 and XTM830 units are already announced as End of Sale, though they are fully supported until 5th February 2020. At the higher end there are the XTM850, XTM860 and XTM870 units which cater for networks and organisations with over a thousand users on a network (typically while rarely breaking a sweat given the firewall's high processing and throughput capabilities).
The XTM850 and its brothers or sisters in the range were launched in 2013. Now that it is April 2017 as we write, we expect Watchguard to announce formal End of Sale for these quite soon. Support is normally available for three to five years after the End of Sale is announced so there is no need for any panic if you are currently running your network on an XTM850 or above; support will still be on tap for a good amount of time. Statistically, given that these are the higher end boxes and connect at Gigabit or 10 Gig to the Internet, you'll be likely to already have (sensibly) an HA (High Availability) active-passive cut over cluster in place for fast failover in case of a firewall hardware failure.
Newer models have also since been introduced to the WatchGuard range and the natural migration path from your current XTM860 will most likely be to either an M4600 or an M5600 firewall. These continue to up the game in terms of processing power and network throughput, but there are other reasons to upgrade aside from this.
So, lets answer the burning questions:
Q. Should I buy a new XTM850, 860 or 870?
A. We're going to be typical politicians here and say 'It depends'. These are powerful firewalls and if, for example, you have a policy to standardise on them across your international networks then it might make sense to stick with the known model for now to maintain a very homogeneous environment. On the whole though, it is likely that your needs will be better served by one of the new M4600 or M5600 units. The operating system is common across the WatchGuard range, and all in the series can be managed either by the WatchGuard System Manager software, via Dimension, or with the web administration interface. The new units will have longer service life ahead of them and can support more services than the older units to make sure your security is as good as it can be.
Q. I currently own an XTM850 / 860 / 870 and support and subscription renewal is coming up - what should I do?
A. There are two choices here which are equally valid.
- One is to renew your current firewalls under support and subs so that you get continued warranty cover, technical support, OS upgrades and patterns for the real-time AV engine, IPS / IDS system, Reputation Enabled Defence (RED) and Anti Spam patterns. If your CPU Usage is low on the device (you can see this very easily on the right hand side of the firewall web interface) then you've probably got plenty of room for growth; the throughput the device can handle even on an XTM850 is 3Gbps with UTM inspection on which gets you a long way. One thing you need to check though is your bandwidth use over time. We are finding in many organisations that the rise of video and rich media on the Internet means that bandwidth use is going up on a steep curve.
For example one page of text which would typically take two minutes to read takes 2 KBytes of data, 2 Minutes of audio takes abut 960 KBytes (64kbps MP3) and 2 mins of video takes approx 840 Mbytes of data (HD 1080p video with H264 Compression). So the two minutes of video takes approx 430,000 times as much data as the equivalent time of text! If you graph out (this may well be the back of an envelope) your bandwidth available and used over time and follow the line through then you get a good idea of what bandwidth you will be using in three years time. If you have a Gigabit line now upon which you had 200 Mbps open last year, 500 Mbps this year (and seeing 400-450 Mbps of consumption), then it is likely that you'll be up to the full gigabit in 12-18 months time, but then be needing to upgrade your line to a 10Gbps circuit so that your network can keep up with bandwidth demands.
If you're confident that you will be not needing a line upgrade within three years, then renewing the current firewall subs and support will be the easiest and most cost effective option. NB - if you are seeing (as we all are) your bandwidth going up, then do check what your network traffic is up to - we often help clients with analysing network bandwidth use and then setting policies to counter some of this if it is not traffic that relates to your business or academic organisational needs.
One computer running bit torrent or limewire etc. that downloads and shares media from the Internet (often illegally) can easily account for 100Mbps plus of 24/7 bandwidth use - a colleague or faculty member might get a free box set to watch, but your organisation pays the bandwidth cost and shares legal liability for these. Features like the Watchguard Application control can stop this happening. Egress control (practiced in the best controlled networks) also makes sure that traffic is only going out where it should. Sometimes a few logical rules can return 80% extra bandwidth to a network for legitimate use, making Internet browsing quicker for everyone and saving you (or deferring) the cost of an Internet connection upgrade.
- Upgrade to a new Watchguard M4600 or M5600 firewall. If you will need to break through the 1Gbps barrier within three years, if you would benefit from the new features (like the Watchguard Total Security Suite - see graphic below ), and especially if you are not running HA, then upgrading to a new M series firewall will be the logical path. These firewalls can take 10Gbps (and higher) speed fibre internet links and, being new units, will be at the start of the bathtub curve i.e. the nature of modern electronics is such that devices typically fail in the first few days or weeks, or else will have a good reliable life until they start to come to the end of their working lives and failure rates shoot up.
We find that failure rates in Watchguard firewalls are very low in the first three years of life, but the chances of a hardware failure in year 5, for example, is quite a bit higher as parts, like the power supplies, can fail. Remember that a firewall is turned on 24/7/365.25 days a year, so after 5 years you've had 43,830 solid hours of performance from the box and internal parts like capacitors will have incurred 131,490,000 charge / discharge cycles. Silicon also wears out over time though usually this will outlast design life of a unit - especially if your firewall is connected to a UPS in an air conditioned comms room. A new firewall will be at the start of the life cycle so chances of hardware failure over time will be far lower once the initial work bench burn-in period is over.
Summary of Upgrade Benefits when upgrading from an XTM800 Series Firewall to a new Watchguard M Series Firewall:
- The new firewalls have greater throughput ability and you can upgrade to 10Gbps fibre internet lines which we see being more and more common in offices. Will you be likely to go over the 1Gbps bandwidth boundary in the next three years? If so then stepping up to a new firewall is a good idea to be future-ready now.
- You are at the beginning of the hardware life cycle so chances of hardware failure are reduced vs the alternative of running a 5 year old unit down the line.
- You can benefit from the new features available in the Watchguard Total Security Suite bundle (see graphic here below):
Here at Onega we work with clients to understand your needs and what is the best solution for needs going forward. There are many factors that can dictate which firewall and security solution is right for you which is why our consultants first understand your needs and situation before recommending specific solutions. We have been WatchGuard partners since 2002 and held just about every award they have for partner status including Silver, Gold, Expert Partner and attained Platinum qualified status.
If you are considering some of these questions (or how to re-architect your network to make sure you don't have bottlenecks when you do need to step up beyond gigabit networking? ) then we can help - please do get in touch with us as we are engineering-lead as a company and enjoy working with clients to help ensure your networks are secure and fit for purpose for 'sleep easy IT'.
Watchguard XTM 810 XTM 820 XTM 830 & 830-F Devices would generally upgrade to the M4600 firewall, but don't forget that there is also the very capable M440 which can also support 10Gbps interfaces - it all comes down to your environment and number of users etc. A comparison chart between the M440, M4600 and M5600 Firewalls is to be found on this link. Another blog post we're tempted to write sometime is 'are you just about to waste thousands of pounds over-specifying your network equipment?' One thing we don't like to see is waste but that is indeed another story. If you're not familiar with the Project Management cartoons then do have a quick look and laugh at the example of this famous genre you see on our web page https://www.onega.net/what-makes-us-different/ .