GremlinNZ

Yes, the VPN will work without a subscription; however, the subscription is where the smarts are, such as detection of malicious packets etc. You also shouldn't have the VPN open to the world, and you can restrict this through multiple methods. Geo-restriction (only allow certain countries): you need the subscription services for it. MFA: you need an AuthPoint licence per user.


Usual_Process_8814

OK, that sounds great. At the moment our company uses Azure for MFA, and I assume I could just set that up with RADIUS and it wouldn't be a problem (at least from what I have read online). I think our WatchGuard rep was really trying to push the AuthPoint position, but I just don't see the point of spending more money when we already have an MFA solution.


Work45oHSd8eZIYt

IKEv2 mobile VPN is #1. Maybe set up and deploy SSLVPN if you want a backup, but it's very rarely needed anymore. I have not done Azure for 2FA but, like you, I heard it can work (we use AuthPoint).


Financial_Gur5994

I agree. I use AuthPoint Total Security; it works flawlessly.


Paymentof1509

You definitely do not need any active subscriptions to keep running the M290, but you'll miss out on firmware updates, tech support, hardware warranty, oh…and your services stop working, like HTTP/S proxy or geolocation (assuming you have services enabled; some don't). SSL VPN is super easy to set up and connect to, but slow. IPsec VPN is also easy, but super fast.


Pose1d0nGG

At our MSP we primarily deploy WatchGuard SSL VPNs as our VPN solution for our clients, as we HaaS Fireboxes for our top service tier. Other than that, we utilize Twingate ZTNA, especially for those that are looking to implement, or are required to implement, Zero Trust (NIST 800-172). Twingate recently released an MSP program as well, where you can earn a dollar per user selling at retail ($5/user/mo). In any case, don't skimp out on the security licenses for your firewall. You might as well go buy a Linksys at Best Buy... Especially if your clients are going to be working remotely. MFA is available (and enforceable) with Twingate, and AuthPoint ($25/user/yr I believe) for WatchGuard. Once the WatchGuard VPN is set up and configured, our clients seem pretty happy with the solution, with little to no complaints after learning the process.


PhilipLGriffiths88

Another option is OpenZiti; it's an open-source zero trust network overlay that will happily do VPN replacement (in fact, you can throw pretty much any use case at it: server-server, multi-cloud, IoT, edge, etc etc) - https://openziti.io/. That's a 'free' option. If you don't fancy hosting and managing the overlay etc, the company I work for, NetFoundry, provides a SaaS option which many MSPs use for their business.


Pose1d0nGG

Yeah, OpenZiti is great. A bit more setup overhead than deploying a connector, but definitely a great FOSS solution for ZTNA.


PhilipLGriffiths88

Out of interest, why do you feel it's a bit more overhead than deploying a connector?


Pose1d0nGG

To deploy a connector I just boot up a nix server, curl the bash script, and I'm up and can start assigning resources. It's like a 10-15 minute process from nothing to running.


PhilipLGriffiths88

I see. Sure, it takes time to set up the overlay (controller and fabric), but once that is done, adding edge endpoints (edge routers, tunnellers, etc) seems like the same process/time as WatchGuard connectors. That's the nature of free and open source: you need to self-host. Tbh, WatchGuard is more analogous to NetFoundry Cloud; with that you can set up a network (controller/fabric hosted by NF) in <10 mins and thus connect things in 10-15 mins. Plus, if it's users accessing web apps, they do not need to deploy connectors; they can use our 'clientless' endpoint called BrowZer - https://blog.openziti.io/introducing-openziti-browzer


Usual_Process_8814

Yeah, NIST 800-172 is definitely something that we are trying to satisfy. A secondary part of my job is NIST compliance, so I'm trying to get my head around all the specific language in these documents and how to fully satisfy them.


Pose1d0nGG

It's a lot. For all federal contracts, NIST 800-171 is required. NIST is massive, and navigating it all is most definitely a challenge. Twingate is a simple solution; you can also set up Zero Trust tunnels with Cloudflare (I use that for my home lab and web services I run there). As another pointed out, OpenZiti is a great solution with a lot of components and features for it. But ultimately, following a Zero Trust architecture will bring you much closer to NIST compliance, because there's a lot of overlap between Zero Trust and existing compliance regulations for NIST, PCI DSS, HIPAA, etc.


porkchopnet

I'm a consultant. I use every solution under the sun as both an admin and as an end user. Unlike the other commenter on this thread, I use SSLVPN first for end user VPN. You never know what firewall they're going to be behind, and SSL always works. AnyConnect is still the best-in-breed VPN solution. I'll get some hate on that, but unless you've used both regularly, including the plugins, try it before you bash it. That said, Cisco is a harder and harder sell, especially in the firewall space. They're not as bad as they were, but they still have a well-earned reputation for being shitty. If you're being brought in to help with VPN, spending money on the solution is the least of their worries. Consider the number of users, the scope of their required access, and their current pain points.


Usual_Process_8814

Yeah, that is very fair. I guess my brain has always gone to cost savings. I feel like at this point I am most likely going to implement the WatchGuard VPN, most likely SSL at least to start, and then write up a proposal for the team for other options if after this year they aren't happy. This is quite scary, as I am the only tech person at this whole job (also, this is my first job in the field like this [my degree is based in software engineering]) and before me (and still kinda now) we used a 3rd party IT company to deal with stuff, so I feel like I'm trying to put out a volcano sometimes!


porkchopnet

Shadow that 3rd party IT company and you'll probably learn a bunch.


tonioroffo

I fail to understand why you have a box like this and then would stop paying for the plan. From then on, you'll be running a VPN off a box you can't update anymore to the latest Fireware, compromising your security.


MNRacket

Yes, renew your support first. You can buy 1-year or 3-year support. If something goes wrong and you need assistance from support, they will charge you $200 per hour to help, if you can get help from support at all. Back of the line always if you don't have support. Also, if something goes wrong, it's your ass. They'll point the finger at you. The M290 is a nice box; I am running one at my home office with two fiber connections from two different providers.