Patch Me If You Can: Firewall Vendors Ranked by How Much They Care About Your Security
We compared how SonicWall, Fortinet, DrayTek, Zyxel, WatchGuard, Sophos, UniFi, TP-Link, Netgear, pfSense, MikroTik, and Cisco Meraki handle vulnerabilities in their firewalls. Spoiler: some make it dead easy, others practically dare attackers to have a go.
Your Firewall Is Only As Good As Its Last Patch
To make this more than just an opinion, we based our analysis on a typical small business setup: one firewall/router, one 24-port managed PoE switch, and two access points—nothing wild, just what most UK SMBs actually deploy.
We pulled publicly available pricing for each vendor's hardware and, where applicable, their first-year licensing costs. Then we calculated five-year total cost of ownership assuming no hardware refresh in that period, so the only recurring cost is licensing. It gave us a clear view of who’s punishing your budget and who’s playing fair.
From that foundation, we looked at vulnerability handling: how fast vendors react, how easily they patch, and how well their systems are built for centralised control.
To keep things fair, we scored each vendor out of 50 across five criteria:
Initial Cost: How much the kit costs to buy outright
Ease of Config/Management: How user-friendly and accessible the system is to set up and manage
Licensing Costs: Ongoing fees, renewals, and subscriptions
Approach to Security Updates: Whether they patch quickly and communicate clearly
Ease of Applying Updates: How smooth or painful it is actually to install those patches
The result? A clear picture of which firewall vendors care about your security—and which ones are still winging it.
When a firewall company fails to patch a security hole, it is not just a technical hiccup: it is like leaving your office door wide open overnight. For a small business, the firewall is the digital doorman, stopping cybercriminals and ransomware gangs from walking in. So we dug into how some of the biggest names in the firewall business actually handle these situations.
Who gets patches out fast? Who buries the details in jargon? And who makes fixing the problem harder than it needs to be?
Let’s break it down—plainly, practically, and without pulling any punches.
"Firewall Vendors Ranked: Who Wins on Value, Security, and Usability?"
This chart shows the total scores (out of 50) for the 12 vendors reviewed below, across the five criteria above: initial cost, ease of configuration and management, licensing costs, approach to security updates, and ease of applying updates.
SonicWall: Expensive, Clunky, and Still Getting Breached
Score: 14/50
Recent example: CVE-2025-23006 – A pre-authentication flaw in the SMA 1000 series management consoles, reported as exploited in the wild
SonicWall should know better. It’s been in the game long enough to understand that critical vulnerabilities—like the kind that let attackers take over devices without logging in—need urgent, clear, and easy-to-apply patches. Instead, customers got radio silence unless they knew exactly where to look.
The update process is a mess. There's no central management worth using, no clear notifications, and the whole thing feels like it was built in 2008 and hasn’t had a design meeting since.
And you're paying premium licensing fees for the privilege. Subscriptions, renewals, maintenance plans—it adds up fast. All while you cross your fingers hoping your box isn’t already compromised.
Verdict: Outdated UI, slow fixes, and high costs. It’s time to stop giving SonicWall the benefit of the doubt.
Fortinet: The Patch Is Just the Beginning
Score: 25/50
Recent example: CVE-2025-24472 – An authentication bypass in FortiOS and FortiProxy that let a remote attacker gain super-admin privileges
Fortinet firewalls are everywhere. Unfortunately, they are also regulars in CISA's Known Exploited Vulnerabilities (KEV) catalogue, the US government's list of flaws confirmed to be under active exploitation.
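The KEV catalogue is not just a league table for vendors; it is a machine-readable feed you can check your own kit against. The script below is an added example written for this article, not code from CISA, Fortinet or any other vendor named here. The field names follow the real KEV JSON layout, but the entries, product strings, dates and the four-device inventory are constructed so it runs offline; in practice you would fetch the live feed from cisa.gov and export the inventory from whatever controller or spreadsheet you keep.

```python
"""Check a device inventory against the CISA Known Exploited Vulnerabilities (KEV) feed.

Added example for this article, not code from CISA or from any vendor named here.
The field names (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) follow the real KEV JSON layout; the sample entries
and the inventory below are constructed so the script runs offline, and their
product strings and dates are illustrative rather than copied from the live feed.
"""
import json
import re
from datetime import date

# Constructed sample in the KEV JSON layout (assumption: illustrative strings and dates).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-23006", "vendorProject": "SonicWall", "product": "SMA1000 Appliances",
     "dateAdded": "2025-01-24", "dueDate": "2025-02-14", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-24472", "vendorProject": "Fortinet", "product": "FortiOS and FortiProxy",
     "dateAdded": "2025-03-18", "dueDate": "2025-04-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-8515", "vendorProject": "DrayTek", "product": "Vigor Routers",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-11667", "vendorProject": "Zyxel", "product": "Multiple Firewalls",
     "dateAdded": "2024-12-03", "dueDate": "2024-12-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-23176", "vendorProject": "WatchGuard", "product": "Firebox and XTM Appliances",
     "dateAdded": "2022-04-11", "dueDate": "2022-05-02", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory for the article's "typical SMB": one firewall per site, plus HQ Wi-Fi gateway.
INVENTORY = [
    {"site": "HQ", "vendor": "Fortinet", "platform": "FortiGate 60F, FortiOS 7.0.12"},
    {"site": "HQ", "vendor": "Ubiquiti", "platform": "UniFi Dream Machine Pro"},
    {"site": "Branch-1", "vendor": "DrayTek", "platform": "Vigor 2862"},
    {"site": "Branch-2", "vendor": "Zyxel", "platform": "USG FLEX 100"},
]

# Generic words in KEV product strings that carry no matching signal.
STOP_WORDS = {"and", "multiple", "product", "products", "appliance", "appliances",
              "router", "routers", "firewall", "firewalls", "device", "devices"}


def norm(text):
    """Lower-case and strip everything but letters/digits ("SMA 1000" -> "sma1000")."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def product_tokens(product):
    """Tokens from a KEV product string with the generic words removed."""
    return [t for t in re.findall(r"[a-z0-9]+", product.lower()) if t not in STOP_WORDS]


def load_kev(raw_json):
    return json.loads(raw_json)["vulnerabilities"]


def match_inventory(inventory, kev, today):
    """Return one hit per (device, KEV entry) pair, highest priority first.

    Priority: entries CISA marks as used in ransomware campaigns, then the most
    overdue against CISA's own due date, then CVE id for a stable order.
    A product string with no specific token ("Multiple Firewalls") matches every
    device from that vendor and is flagged vendor_wide so it gets a manual check
    against the vendor advisory before anyone panics.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for dev in inventory:
        platform = norm(dev["platform"])
        for entry in kev:
            if norm(entry["vendorProject"]) != norm(dev["vendor"]):
                continue
            tokens = product_tokens(entry["product"])
            vendor_wide = not tokens
            if not vendor_wide and not any(t in platform for t in tokens):
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "site": dev["site"],
                "platform": dev["platform"],
                "cve": entry["cveID"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "days_overdue": max(0, (today - due).days),
                "vendor_wide": vendor_wide,
            })
    hits.sort(key=lambda h: (not h["ransomware"], -h["days_overdue"], h["cve"]))
    return hits


def main():
    for h in match_inventory(INVENTORY, load_kev(SAMPLE_KEV_JSON), date.today()):
        flags = ("RANSOMWARE " if h["ransomware"] else "") + ("VENDOR-WIDE " if h["vendor_wide"] else "")
        print(f"{h['site']:<9} {h['platform']:<32} {h['cve']:<16} overdue {h['days_overdue']:>4}d  {flags}")


if __name__ == "__main__":
    main()
```

Two design points matter more than the matching itself. First, the feed tells you a flaw is exploited, not whether your firmware build is affected, so a hit is a prompt to read the vendor advisory, not a verdict. Second, the sort puts ransomware-linked and long-overdue entries first because an SMB with one person doing IT needs a short list, not a complete one.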
Many Fortinet devices remained compromised even after patching because attackers had already found ways to persist on the device. Fixing the issue meant not just updating the firmware but also reviewing logs, checking the configuration for changes you did not make, and sometimes rebuilding the device from scratch.
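"Digging through logs" is vague advice, so here is what it looks like in practice. The script below is an added example for this article, not Fortinet's tooling or the article's own code. The log lines are constructed in a simple key=value style (assumption: every vendor has its own format, so the parser is the part you would adapt), and it answers the three questions worth asking after a patch: did anyone log in from outside the management network, were admin accounts created, and did an account you do not recognise change the configuration.

```python
"""Post-patch triage of a firewall's admin/audit log.

Added example, not code from Fortinet or from the article. The log format is a
constructed key=value style (assumption: real vendors use their own formats, so
parse_line is the part you would adapt). The sample covers one firewall patched
on 2025-03-20 at 09:20 UTC, with an attacker-style sequence the next night.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log (198.51.100.0/24 is a documentation range, standing in for "the internet").
SAMPLE_LOG = """\
2025-03-20T09:14:02Z fw01 user=admin src=10.0.0.5 action=login result=success
2025-03-20T09:20:41Z fw01 user=admin src=10.0.0.5 action=firmware_update result=success
2025-03-20T11:02:17Z fw01 user=admin src=10.0.0.5 action=login result=success
2025-03-21T03:41:09Z fw01 user=admin src=198.51.100.17 action=login result=success
2025-03-21T03:42:30Z fw01 user=admin src=198.51.100.17 action=create_user result=success target=support_tmp role=admin
2025-03-21T03:43:05Z fw01 user=support_tmp src=198.51.100.17 action=config_change result=success object=vpn_user
2025-03-22T08:00:00Z fw01 user=admin src=10.0.0.7 action=login result=failure
"""

MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # assumption: the management VLAN
KNOWN_ADMINS = {"admin"}                              # assumption: the accounts that should exist

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_line(line):
    """One log line -> dict of key=value fields plus a timezone-aware 'ts'; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(re.findall(r"(\w+)=(\S+)", m["kv"]))
    ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["host"] = m["host"]
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def patch_time(events):
    """Timestamp of the first successful firmware update, or None if the log has none."""
    for ev in events:
        if ev.get("action") == "firmware_update" and ev.get("result") == "success":
            return ev["ts"]
    return None


def in_mgmt_net(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def triage(text):
    """Findings after the patch, in log order. Pre-patch history is a separate review."""
    events = parse_log(text)
    since = patch_time(events)
    findings = []
    for ev in events:
        if since and ev["ts"] < since:
            continue
        if ev.get("result") != "success":
            continue                      # failed attempts are noise for this pass
        base = {"ts": ev["ts"], "who": ev.get("user"), "src": ev.get("src")}
        if ev.get("action") == "login" and not in_mgmt_net(ev.get("src", "")):
            findings.append({**base, "kind": "login_outside_mgmt"})
        elif ev.get("action") == "create_user" and ev.get("role") == "admin":
            findings.append({**base, "kind": "new_admin_account", "target": ev.get("target")})
        elif ev.get("action") == "config_change" and ev.get("user") not in KNOWN_ADMINS:
            findings.append({**base, "kind": "config_change_by_unknown_account"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M}Z  {f['kind']:<34} user={f['who']} src={f['src']}")
```

The caveat that makes this worth a second look: an attacker who was on the box before the patch may have a foothold that never shows up as an admin-log event, and a compromised device can edit its own logs. Ship logs to a separate collector, and when you cannot explain what you find, the article's "start from scratch" advice is the right one.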
On the management front, Fortinet offers FortiManager and FortiCloud, full-featured platforms for centralised control. FortiManager is aimed at large deployments and needs its own hardware appliance or VM, while FortiCloud is available via subscription and allows policy, patch, and config management from a central console. It is powerful but not particularly friendly to smaller teams or budget-conscious deployments.
Verdict: Fortinet gets patches out—but cleanup is your problem. And while its management tools are strong, they’re priced and built more for the enterprise crowd than for the average SMB.
DrayTek: Old Bugs Never Die
Score: 29/50
Recent example: CVE-2020-8515 – A pre-authentication command injection in Vigor routers, disclosed in 2020 and still being exploited in 2025
DrayTek gear is popular in smaller businesses because it’s cheap and familiar. However, many DrayTek routers and firewalls still run old firmware with known flaws. Updating isn’t easy: there are no automatic updates, and often, there are no clear instructions either.
DrayTek does offer VigorACS, a centralised management platform that lets you monitor, update, and configure DrayTek devices remotely. However, it’s not free, requires hosting or a paid subscription, and its interface still feels a bit dated compared to UniFi or Omada. It’s a step in the right direction but doesn’t remove the friction for smaller IT teams.
Verdict: If patching is hard, people won’t do it. DrayTek’s ACS platform helps, but it is not the slick, SMB-friendly controller experience others deliver.
Zyxel: A History of Missed Warnings
Score: 30/50
Recent example: CVE-2024-11667 – A path traversal in Zyxel’s firewall firmware, used by ransomware gangs for initial access
Zyxel’s roots go back to the early broadband era, when it was one of the pioneers in DSL modem technology. Although it has since expanded into firewalls and enterprise gear, its approach to security often feels like it's stuck in that earlier time.
Zyxel has been repeatedly targeted by ransomware groups and botnets—not just because of technical flaws but also because of poor default configurations and a pattern of late, unclear vulnerability disclosures. For example, default credentials like admin/1234 remain common, and many of their firewall CVEs stem from basic oversights like improper authentication or command injection.
They offer a central management tool called Nebula Control Centre, which brings controller-style SDN features to their firewalls, switches, and wireless access points. It’s improving steadily and includes alerting and firmware updates, but it’s still not as seamless or widely adopted as UniFi or Omada. Crucially, many customers aren’t even using Nebula—especially at the lower end—because it's not always bundled or well promoted.
Verdict: Zyxel has the potential, but the execution still lags. If you want security out of the box, with clear updates and a user-friendly interface, you'll need to look elsewhere—or be prepared to work around the gaps.
UniFi (Ubiquiti): Smart, Centralised, and Cost-Efficient
Score: 43/50
Focus: UniFi Security Gateway, Dream Machine, UXG-Pro
UniFi takes a different approach. Instead of spreading patching and settings across dozens of clunky interfaces, it brings everything into a single, modern platform. Their controller-based system—also known as SDN (Software Defined Networking)—means updates can be pushed centrally. No jumping from screen to screen, no command line in sight.
You won’t get spammed with security bulletins, but updates land reliably, and the large user community fills the gaps. More importantly, you pay once. No annual licensing. No forced subscriptions. No "management license" is needed to access your own firewall logs.
For growing businesses looking for a clean, manageable ecosystem, UniFi is one of the strongest options available—especially if you're managing your Wi-Fi and switching with them too.
Verdict: Controller-based (SDN) management is affordable, intuitive, and ideal for SMBs. Once you’ve used it, you won’t want to go back.
WatchGuard: Quietly Reliable—But Not Without Baggage
Score: 37/50
Notable history: CVE-2022-23176 – A privilege-escalation flaw in Firebox management access, exploited in the Cyclops Blink botnet campaign targeting WatchGuard Fireboxes
While WatchGuard has cleaned up its act recently, it is important to remember the incident that put it on the front page of threat intel reports in 2022. The Cyclops Blink malware, attributed to the Russian state-backed Sandworm group, targeted unpatched WatchGuard Fireboxes and turned them into part of a global botnet. It wasn’t just a case of delayed patching: it highlighted fundamental gaps in update deployment, segmentation, and alerting.
In fairness, WatchGuard responded with clear mitigation guidance and has invested heavily in WatchGuard Cloud and better monitoring. Most of its recent bugs have been low-risk, patches arrive quickly with clear guidance, admins are usually notified through built-in alerts, and the platform plays nicely with the monitoring tools many IT teams already use.
WatchGuard Cloud now offers controller-based management similar to UniFi and Sophos Central. The good news? It is generally much cheaper than Sophos: subscription costs can be as low as $200 (£160-ish) per year for standard tiers, making it solid value for what you get.
Verdict: A strong, quiet performer today, more affordable than Sophos, with a solid recovery since Cyclops Blink. It doesn’t shout, but it doesn’t screw up either. Just keep your patching tight.
Sophos: Straight Talk and Fast Action—But It’ll Cost You
Score: 32/50
Recent example: CVE-2024-12727 – A pre-authentication SQL injection in Sophos Firewall’s email protection feature, patched quickly
Sophos consistently gets high marks for transparency. They explain clearly what went wrong, how to fix it, and what to watch for next time. Their central management tools make patching simple across multiple sites.
They’re also not afraid to go after attackers—tracking advanced threat groups and sharing findings with the public. That’s rare.
But all that polish comes with a price. Licensing for Sophos firewalls regularly tips over £1,000 per year, especially once you factor in the enhanced services like web filtering, advanced threat protection, and support. It's powerful—but not cheap.
Verdict: Fast, clear, and confident—but if you're on a budget, be prepared for a hefty annual bill.
TP-Link: Consumer Roots Still Showing
Score: 39/50
TP-Link’s routers and firewalls have come a long way, especially with the Omada controller-based ecosystem. But their business-grade security story is still playing catch-up.
Firmware updates exist, but CVE-level disclosures are rare, and alerting is minimal. Omada’s controller makes life easier once set up, but it’s still more "network-first" than "security-first."
That said, the cost model is appealing. TP-Link offers two versions of Omada Cloud management:
Omada Cloud Essentials – completely free and includes basic centralised management, zero-touch provisioning, and unlimited sites.
Omada Cloud Standard – paid tier with professional features like automatic channel adjustment, Wi-Fi heatmaps, and multi-user roles. Licences start at around €20 per year per device (or about £18), and go as low as €12 per year if you buy a five-year licence.
This makes it one of the most budget-friendly controller-based ecosystems available, particularly attractive for small sites or multi-location setups without complex needs.
Verdict: A decent budget option for basic connectivity, with a surprisingly robust controller option. Still not full-featured for deep security use cases, but priced for scale.
Netgear: The Set-It-and-Forget-It Trap (Now With SDN—Sort Of)
Score: 29/50
Netgear equipment dominates the SOHO (Small Office/Home Office) space, but for years its firewall and security features have taken a backseat. Firmware updates are infrequent, often manual, and security communication is minimal.
To their credit, Netgear now offers a cloud-managed platform called Insight, which brings some SDN-style controller-based management into the mix. It lets admins monitor and configure supported devices centrally, either via a browser or mobile app.
Insight is offered in two tiers:
Insight Premium – around $10 (about £8) per device per year
Insight Pro – about $22 (roughly £18) per device per year, with MSP-friendly features like multi-tenancy and remote deployment tools
But even with Insight, Netgear’s SDN capabilities remain basic. It’s great for visibility and control, but it doesn’t offer the depth or polish of UniFi, WatchGuard Cloud, or Omada. Many Netgear models also don’t support Insight at all—so double-check compatibility.
Verdict: Decent SDN progress with Insight, but still very limited compared to the rest of the field. Good for visibility, not built for deep security.
pfSense: Open Source Flexibility with a Steep Learning Curve
Score: 39/50
pfSense, maintained by Netgate, is a firewall platform based on FreeBSD; the Community Edition is free and open source, and Netgate also sells a commercial pfSense Plus. It’s popular with tech-savvy users and power MSPs who want complete control over every aspect of firewall policy, routing, VPN, and intrusion prevention.
You can run it on your own hardware or buy Netgate's ready-to-go appliances. There's no licensing fee for the core software, which keeps long-term costs down. But setup, tuning, and updates require technical confidence—and there's no glossy dashboard or central controller unless you opt for Netgate’s cloud-managed add-on service, which costs extra.
Verdict: Incredible power for those who know what they're doing. But not ideal for the average SMB unless you’ve got a networking nerd on payroll.
MikroTik: Feature-Rich, Confusing as Hell
Score: 32/50
MikroTik routers are cheap, packed with features, and widely used by ISPs and networking hobbyists. Their RouterOS firmware gives you granular control, from routing tables to bandwidth shaping and firewalls.
But the interface? It's called Winbox, and it looks and feels like it’s straight out of Windows XP. Centralised management tools exist (like The Dude) but are limited and fiddly to deploy.
Pricing is unbeatable—hardware often costs a third of what mainstream vendors charge. But you’re also on your own regarding documentation, patching, and security best practices.
Verdict: MikroTik might work if you want dirt-cheap hardware and total flexibility—and don’t mind hunting through obscure menus. For most SMBs? Not worth the headache.
Cisco Meraki: Enterprise Polish at a Premium
Score: 33/50
Cisco Meraki is the original poster child for fully cloud-managed networking. Its dashboard is clean, its alerts are detailed, and patching is automatic. The entire stack—from firewalls to switches to access points—is controlled via the Meraki cloud, with nothing installed locally.
It’s polished, reliable, and almost effortless to manage. You can control hundreds of sites with a few clicks. You’ll get timely vulnerability advisories and security patches without lifting a finger.
But that ease comes at a price. Licensing costs are high—often £300–£500 per device per year, depending on the tier and product line. Lose the licence? Your device becomes a paperweight. That’s not hyperbole—it stops working.
Verdict: Meraki is enterprise-grade simplicity, but it's priced like it. It's fantastic for MSPs and large organisations, but it's overkill for most UK SMBs unless budget is no object.
Controller-Based Management Isn’t Just Easier—It’s Smarter
Firewalls don’t exist in isolation anymore. They’re part of your network’s central nervous system. Trying to manage them in silos—like SonicWall still does—just doesn’t cut it in 2025.
Controller-based systems—built on SDN principles—like UniFi, Sophos Central, or WatchGuard Cloud let you:
Roll out updates centrally
Push config changes across multiple devices
Get clear alerts when something needs your attention
Save time and money on maintenance and training
But here’s where UniFi pulls ahead: no recurring licence fees, a modern and consistent interface across Wi-Fi, switching, and security, and a one-time hardware investment that doesn’t punish you annually. In a five-year TCO model, UniFi ends up being one of the most cost-effective choices while still delivering a polished, powerful SDN experience.
If you're a UK SMB looking to simplify security without handing over a chunk of your budget every year, UniFi gives you the power of enterprise networking without the enterprise nonsense.
So the next time you're choosing a firewall, ask yourself: do you want to pay for management, or just get on with managing?
Because the cybercriminals already know which doors are easiest to walk through.
Glossary: Speak Firewall Without the Jargon
| Term | Meaning |
|---|---|
| CVE (Common Vulnerabilities and Exposures) | A public identifier system for known security bugs. CVEs make it easy to track and fix vulnerabilities. |
| Patch / Firmware Update | A software fix released by the vendor to resolve bugs or security flaws in the device. |
| Controller-Based Management (SDN) | Also called Software Defined Networking, this allows central control of firewalls, Wi-Fi, and switches via one platform. |
| Authentication Bypass | A vulnerability that allows attackers to log in without valid credentials. Often leads to full system compromise. |
| Remote Code Execution (RCE) | One of the most severe vulnerability types. Lets attackers run their own code on your firewall or router. |
| XSS (Cross-Site Scripting) | A flaw that lets attackers inject scripts into admin panels or dashboards. Less dangerous than RCE, but still serious. |
| Licensing Fees | Ongoing costs for updates, management features, or support. Some vendors charge annually per device, others don’t. |
| SMB (Small to Medium-Sized Business) | Generally, a business with fewer than 250 staff. Most UK SMBs have fewer than 50 people and limited IT resources. |