WatchGuard Firebox T35-Rugged review: Industrial-strength security

As industrial control systems evolve and become internet-connected, they’re inevitably becoming a target for cybercriminals looking to wreak havoc on a grand scale. Protection is clearly a must, but traditional security appliances aren’t designed to cope with the extreme environments in which industrial systems are often deployed.

Enter WatchGuard’s Firebox T35-Rugged, which can withstand the harshest of conditions. Clothed in an aluminium casing that acts as a heatsink, it’s designed to work at temperature extremes between -40°C and +60°C, while its IP64 rating means it’s fully protected against dust and water splashes from all directions.

This go-anywhere philosophy makes the T35-Rugged extremely versatile. It’s being considered for deployment inside fire engines to provide secure wireless services to responders, as well as on trains to deliver in-transit Wi-Fi to commuters.

On that point, it’s worth noting that the T35-Rugged doesn’t include its own wireless radio. Aside from its WAN socket, physical connectivity extends only to four built-in Gigabit Ethernet ports (which come set into solid screw-fit connectors to maintain its IP rating). However, the built-in wireless controller can centrally manage all WatchGuard-branded access points, including the IP67-rated AP327X Wave2 AP, and provide them with all the same security services as wired traffic.

Getting set up is easy. The web console greets you with a wizard-based routine that creates a base set of firewall policies for securing internet access; if you need the appliance to be installed in a remote location, you can alternatively use WatchGuard’s RapidDeploy cloud service to push a custom configuration file to the T35-Rugged as soon as it powers up.

You can then enjoy a huge range of security services: the price above includes a one-year subscription to WatchGuard’s Total Security Suite, which includes web-content and application controls, anti-spam, Gateway AV, network discovery, IPS, data loss prevention and an advanced persistent threat blocker, as well as WatchGuard’s RED (reputation-enabled defence) service for even tougher web protection. A Gold Support subscription rounds the package off with a free remote setup and configuration session with a WatchGuard engineer.

In use, the T35-Rugged works by employing proxies to control your various traffic types, and each one loads a wizard the first time you access it. Web-content filtering took us a few minutes to configure, as you’re prompted to choose which of 130 URL categories to allow or block, and set blocking actions for the HTTP and HTTPS proxies, after which the wizard creates the appropriate firewall policy rules.

Interestingly, the Firebox T35-Rugged offers two levels of antivirus protection. The main Gateway AV feature uses the Bitdefender scanning engine, and can be enabled on a selection of proxies; the IntelligentAV feature uses the Cylance engine to give files such as Office documents and PDFs an additional AI-based scan.

Firewall policies control all the proxies, and within selected ones you can set allow, drop or block actions based on five threat levels. Those working in an industrial setting will appreciate the fact that the intrusion prevention service includes over 70 threat signatures aimed specifically at protecting supervisory control and data acquisition networks.

There are also options for keeping track of your security status. You can use WatchGuard’s free Dimension VMware or Hyper-V VM to access the executive dashboard and view security service activity, or log into WatchGuard’s Cloud service to access the T35-Rugged from anywhere.

The Firebox T35-Rugged isn’t just well-featured: within its class it’s excellent value, as Fortinet’s IP67-rated FGR-35D costs over twice as much, while Cisco’s ageing ISA-3000 lacks an IP rating altogether. If you want a true industrial-grade security appliance looking after your network services, this is the place to go.

WatchGuard Firebox T35-Rugged specification