WatchGuard Firebox T35-Rugged review: Industrial-strength security

This affordable appliance delivers a wealth of security services to places where competitors fear to tread

IT Pro Verdict


  • +


  • +

    Specific protection for industrial systems

  • +

    Great value


  • -

    No wireless radio

As industrial control systems evolve and become internet-connected, they’re inevitably becoming a target for cybercriminals looking to wreak havoc on a grand scale. Protection is clearly a must, but traditional security appliances aren’t designed to cope with the extreme environments in which industrial systems are often deployed.

Enter WatchGuard’s Firebox T35-Rugged, which can withstand the harshest of conditions. Clothed in an aluminium casing that acts as a heatsink, it’s designed to work at temperature extremes between -40°C and +60°C, while its IP64 rating means it’s fully protected against dust and water splashes from all directions.

This go-anywhere philosophy makes the T35-Rugged extremely versatile. It’s being considered for deployment inside fire engines to provide secure wireless services to responders, as well as on trains to deliver in-transit Wi-Fi to commuters.

On that point, it’s worth noting that the T35-Rugged doesn’t include its own wireless radio. Aside from its WAN socket, physical connectivity extends only to four built-in Gigabit Ethernet ports (which come set into solid screw-fit connectors to maintain its IP rating). However, the built-in wireless controller can centrally manage all WatchGuard-branded access points, including the IP67-rated AP327X Wave2 AP, and provide them with all the same security services as wired traffic.

Getting set up is easy. The web console greets you with a wizard-based routine that creates a base set of firewall policies for securing internet access; if you need the appliance to be installed in a remote location, you can alternatively use WatchGuard’s RapidDeploy cloud service to push a custom configuration file to the T35-Rugged as soon as it powers up.

You can then enjoy a huge range of security services: the price above includes a one-year subscription to WatchGuard’s Total Security Suite, which includes web-content and application controls, anti-spam, Gateway AV, network discovery, IPS, data loss prevention and an advanced persistent threat blocker, as well as WatchGuard’s RED (reputation-enabled defence) service for even tougher web protection. A Gold Support subscription rounds the package off with a free remote setup and configuration session with a WatchGuard engineer.

In use, the T35-Rugged works by employing proxies to control your various traffic types, and each one loads a wizard the first time you access it. Web-content filtering took us a few minutes to configure, as you’re prompted to choose which of 130 URL categories to allow or block, and set blocking actions for the HTTP and HTTPS proxies, after which the wizard creates the appropriate firewall policy rules.

Interestingly, the Firebox T35-Rugged offers two levels of antivirus protection. The main Gateway AV feature uses the Bitdefender scanning engine, and can be enabled on a selection of proxies; the IntelligentAV feature uses the Cylance engine to give files such as Office documents and PDFs an additional AI-based scan.

Firewall policies control all the proxies, and within selected ones you can set allow, drop or block actions based on five threat levels. Those working in an industrial setting will appreciate the fact that the intrusion prevention service includes over 70 threat signatures aimed specifically at protecting supervisory control and data acquisition networks.

There are also options for keeping track of your security status. You can use WatchGuard’s free Dimension VMware or Hyper-V VM to access the executive dashboard and view security service activity, or log into WatchGuard’s Cloud service to access the T35-Rugged from anywhere.

The Firebox T35-Rugged isn’t just well-featured: within its class it’s excellent value, as Fortinet’s IP67-rated FGR-35D costs over twice as much, while Cisco’s ageing ISA-3000 lacks an IP rating altogether. If you want a true industrial-grade security appliance looking after your network services, this is the place to go.

WatchGuard Firebox T35-Rugged specification

Swipe to scroll horizontally
ChassisDesktop appliance, fanless chassis
CPU1.4GHz NXP QorIQ T1024 dual-core 64-bit CPU
Memory4GB RAM
Storage included16GB mSATA
Network5 x Gigabit Ethernet (WAN, 4 x LAN), RJ-45 serial port
Other ports2 x USB 2
ManagementWeb browser, Dimension and cloud management
Dimensions (WDH)240 x 198 x 43mm
Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.