WatchGuard Firebox T55-W review

A wealth of security measures at a knock-down price

IT Pro Verdict

SMEs that want tough gateway security, a good range of wireless services and a low price will find WatchGuard’s T55-W ticks all their boxes


  • +

    Excellent value; Huge range of security services; Easy to deploy; Integral dual-radio wireless AP


  • -

    Could do with a little more internal memory

Stepping in to the middle of WatchGuard's desktop security appliance family, the Firebox T55-W is equally at home protecting SMEs, remote workers or branch offices. Clothed in the classic bright red Firebox chassis, this desktop box delivers an impressive range of security measures and amalgamates them with integral 11ac dual-band wireless.

It may be small but it's no lightweight for performance, with WatchGuard recommending it for up to 30 users and claiming a 1Gbits/sec raw firewall throughput and 523Mbits/sec with all UTM services enabled. It has five Gigabit ports for WAN, LAN and DMZ duties with PoE+ presented on the fourth LAN port.

The appliance doesn't give the wireless game away as its aerials are tucked away inside the chassis. Another useful wireless feature present on all Firebox appliances is their integral gateway controller which can centrally manage and provision WatchGuard's own APs.

WatchGuard Firebox T55-W: Security features

Prices starting at 960 for the hardware, plus a one-year 24/7 support contract and all software updates. Where you go from here is up to you; suffice to say that WatchGuard offers plenty of choice.

A one-year Basic Security Suite subscription pushes the price to 1,293 and activates anti-virus, anti-spam, web filtering, HTTPS inspection, IPS, application controls and WatchGuard's reputation enabled defence. The price we've shown is for a three-year Total Security Suite subscription which adds WatchGuard's data leak prevention (DLP) and advanced persistent threat (APT) blocker service.

Along with a Gold 24/7 support contract, Total Security includes WatchGuard's RED (reputation enabled defence) service. Web access requests send the URL to WatchGuard's RED cloud servers where they assign a score and instruct the appliance to either allow or block it.

VPN services are extensive as the T55-W supports site-to-site IPsec tunnels plus mobile IPsec, PPTP and L2TP clients along with SSL VPNs. Note that the new Access Portal feature which provisions secure, client-free VPN connections, is not supported on the Firebox 'T' models.

WatchGuard Firebox T55-W: Installation and management

The T55-W is easy to deploy: the web console runs a wizard to secure the appliance and get Internet access running on an external port along with DHCP services on the first trusted LAN interface. Large distributed businesses will like WatchGuard's RapidDeploy cloud service as they can send new appliances to remote offices and have them receive a configuration file as soon as they are powered up.

The wizard defaults to the flexible mixed-mode routing which allows wired and wireless ports to be defined as separate interfaces. Configuring the remaining ports is a cinch as we defined them as external, trusted, optional or custom and added DHCP services on selected trusted ports.

WatchGuard's browser interface is well-designed and standard across all Firebox appliances. It opens with a tidy dashboard showing a breakdown of traffic for the top clients, web destinations, policies and applications with options to drill down for more detail on each entry.

Management choices are extensive, and you can load the WatchGuard System Manager (WSM) suite on a separate Windows host to provide central management, logging and reporting services. We run WatchGuard's Dimension as a VMware VM in the lab and after linking it to the T55-W, used it for viewing appliance utilisation plus an executive dashboard, global threat map and policy activity graphs.

WatchGuard Firebox T55-W: Rules and proxies

The T55-W uses proxies for all security services and there are plenty to choose as you have ones for HTTP, HTTPS, FTP, SIP, H.323, POP3 and SMTP. Firewall rules are created for each proxy which define the interfaces they apply to and their actions - and WatchGuard provides wizards for all of them.

Highly granular web content filtering policies are possible where you choose from 130 Websense URL categories, enable blocking actions on the HTTP and HTTPS proxies, add exceptions and enable alerting. Anti-spam measures are just as easy to configure; you can select incoming SMTP, IMAP or POP3 traffic and block or tag spam messages.

Gateway AV scanning can be enabled on selected proxies, which you'll need running if you want to enable the APT service. This scans inbound files, creates MD5 hashes and checks them with the LastLine cloud service to see if they're known malware.

We noticed that Dimension was reporting a total appliance memory usage of between 65-90% and WatchGuard advised us this is due to the demands of the new BitDefender AV engine. It can get close to the edge although we didn't encounter any performance issues during testing.

WatchGuard Firebox T55-W: Wireless features

The T55-W can present up to three separate APs that act as DHCP relays or provide their own DHCP services. Along with all key encryption schemes, their SSIDs can be broadcast or hidden and you can apply client isolation so users on the same wireless network can't see each other.

Global wireless settings include 2.4GHz and 5GHz radio modes, a choice of channel widths and protection against the WPA/WPA2 KRACK vulnerability for unpatched wireless clients. Rogue AP detection can be enabled - but be careful when you schedule it as it will temporarily disable the appliance's APs while it's running.

If you want more APs, you can add any of WatchGuards's four available models and pair them with the appliance's wireless gateway controller. Once paired, you can assign SSIDs to their dual radios, enforce wireless security and apply custom firewall policies to the ports they are connected to.

WatchGuard Firebox T55-W: Verdict

The T55-W is a versatile security appliance that's well-suited to deployments in SMEs and enterprise branch or remote offices. For the price, it's offering a remarkable range of easily configured security features, all management components are inclusive and the icing on the on the cake is its integral wireless network services.


SMEs that want tough gateway security, a good range of wireless services and a low price will find WatchGuard’s T55-W ticks all their boxes

Chassis: Desktop

Memory: 2GB RAM

Network: 5 x Gigabit (Port 4 with PoE)

Wireless: 2.4/5GHz 802.11ac

Other ports: 2 x USB 2, RJ-45 serial

Power: External PSU

Management: Web browser, WatchGuard Dimension/Command

Warranty: 3-year Gold 24/7 support

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.