IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

WatchGuard Firebox T35-Rugged review: Industrial-strength security

This affordable appliance delivers a wealth of security services to places where competitors fear to tread

£2,395 exc VAT (Appliance with 1yr Total Security)
  • IP64-rated
  • Specific protection for industrial systems
  • Great value
  • No wireless radio

As industrial control systems evolve and become internet-connected, they’re inevitably becoming a target for cybercriminals looking to wreak havoc on a grand scale. Protection is clearly a must, but traditional security appliances aren’t designed to cope with the extreme environments in which industrial systems are often deployed.

Enter WatchGuard’s Firebox T35-Rugged, which can withstand the harshest of conditions. Clothed in an aluminium casing that acts as a heatsink, it’s designed to work at temperature extremes between -40°C and +60°C, while its IP64 rating means it’s fully protected against dust and water splashes from all directions.

This go-anywhere philosophy makes the T35-Rugged extremely versatile. It’s being considered for deployment inside fire engines to provide secure wireless services to responders, as well as on trains to deliver in-transit Wi-Fi to commuters.

On that point, it’s worth noting that the T35-Rugged doesn’t include its own wireless radio. Aside from its WAN socket, physical connectivity extends only to four built-in Gigabit Ethernet ports (which come set into solid screw-fit connectors to maintain its IP rating). However, the built-in wireless controller can centrally manage all WatchGuard-branded access points, including the IP67-rated AP327X Wave2 AP, and provide them with all the same security services as wired traffic. 

Getting set up is easy. The web console greets you with a wizard-based routine that creates a base set of firewall policies for securing internet access; if you need the appliance to be installed in a remote location, you can alternatively use WatchGuard’s RapidDeploy cloud service to push a custom configuration file to the T35-Rugged as soon as it powers up.

You can then enjoy a huge range of security services: the price above includes a one-year subscription to WatchGuard’s Total Security Suite, which includes web-content and application controls, anti-spam, Gateway AV, network discovery, IPS, data loss prevention and an advanced persistent threat blocker, as well as WatchGuard’s RED (reputation-enabled defence) service for even tougher web protection. A Gold Support subscription rounds the package off with a free remote setup and configuration session with a WatchGuard engineer. 

In use, the T35-Rugged works by employing proxies to control your various traffic types, and each one loads a wizard the first time you access it. Web-content filtering took us a few minutes to configure, as you’re prompted to choose which of 130 URL categories to allow or block, and set blocking actions for the HTTP and HTTPS proxies, after which the wizard creates the appropriate firewall policy rules.

Interestingly, the Firebox T35-Rugged offers two levels of antivirus protection. The main Gateway AV feature uses the Bitdefender scanning engine, and can be enabled on a selection of proxies; the IntelligentAV feature uses the Cylance engine to give files such as Office documents and PDFs an additional AI-based scan.

Firewall policies control all the proxies, and within selected ones you can set allow, drop or block actions based on five threat levels. Those working in an industrial setting will appreciate the fact that the intrusion prevention service includes over 70 threat signatures aimed specifically at protecting supervisory control and data acquisition networks.

There are also options for keeping track of your security status. You can use WatchGuard’s free Dimension VMware or Hyper-V VM to access the executive dashboard and view security service activity, or log into WatchGuard’s Cloud service to access the T35-Rugged from anywhere.

The Firebox T35-Rugged isn’t just well-featured: within its class it’s excellent value, as Fortinet’s IP67-rated FGR-35D costs over twice as much, while Cisco’s ageing ISA-3000 lacks an IP rating altogether. If you want a true industrial-grade security appliance looking after your network services, this is the place to go. 

WatchGuard Firebox T35-Rugged specification


Desktop appliance, fanless chassis


1.4GHz NXP QorIQ T1024 dual-core 64-bit CPU



Storage included



5 x Gigabit Ethernet (WAN, 4 x LAN), RJ-45 serial port  

Other ports

2 x USB 2


Web browser, Dimension and cloud management

Dimensions (WDH)

240 x 198 x 43mm 



Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Most Popular

The human brain is far more complex than AI researchers imagine
artificial intelligence (AI)

The human brain is far more complex than AI researchers imagine

17 Sep 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022