WatchGuard Firebox T20-W review: Enterprise-grade protection for remote staff

The T20-W is the entry point of WatchGuard’s Firebox table-top security appliances, and is aimed primarily at small and home office deployments. It could also be a sound choice for larger businesses wanting to protect remote sites, as it offers cloud management and zero-touch deployment.

The latter is handled via WatchGuard’s RapidDeploy service: once you’ve register a new appliance with your support account, you can assign it a configuration file created from a local Firebox appliance. When the appliance is plugged in at the remote site, it grabs the file from your account and instantly starts providing protection.

For management, you can either use the local web console or enable full cloud management, which disables the local interface and provides remote access to all configuration settings. Whichever you choose, WatchGuard keeps the workload low with proactive protection: the ThreatSync service can collect and collate event data from multiple Firebox units, while DNSWatch blocks access to known malicious domains. The T20-W doesn’t support the IntelligentAV scanner found on other Firebox models like the M590, however – it’s too demanding for this appliance’s dual-core CPU.

Even so, the T20-W offers a good range of security measures. The price above includes a three-year Total Security subscription, which enables gateway antivirus, anti-spam, web content filtering, application controls, intrusion prevention services, an advanced persistent threat blocker and WatchGuard’s RED (reputation enabled defence) service – plus the aforementioned ThreatSync and DNSWatch features. All subscriptions include cloud management, and the Total Security licence includes log retention for up to 30 days.

Though compact, the T20-W offers a respectable range of connection options. Five Gigabit Ethernet ports handle WAN, LAN and DMZ duties, although there’s no PoE+ as found on the more powerful Firebox T40-W. Believe it or not, there’s built-in wireless too, although Wi-Fi 6 isn’t supported – you’re limited to Wave 1 802.11ac – and the 2.4GHz and 5GHz radios can’t be active simultaneously. Still, that will be fine for home workers, and if you need the extra performance of Wi-Fi 6 then the T20-W’s integrated wireless gateway can provision and manage WatchGuard access points such as the AP225W.

Performance, too, should be ample for the target market: WatchGuard claims top firewall and UTM throughput rates of 1.7Gbits/sec and 154Mbits/sec respectively.

For testing, we registered the T20-W with our cloud account and initially chose local management. Even with this option active, the unit remains visible in the cloud portal, allowing you to monitor a wealth of detail about traffic, detected threats and responses.

The web console, meanwhile, provides wizards for configuring the various traffic proxies, which cover a whole range of protocols including HTTP, HTTPS, FTP, SIP, POP3 and SMTP. Enabling gateway AV and APT blocking are one-click manoeuvres, while the WebBlocker service presents 130 URL categories that can be blocked or allowed. Strict controls can also be applied to over 1,100 predefined apps, including all popular social networking services.

Moving to full cloud management is as easy as clicking a button in the device configuration page. We tried this and were happy to see the T20-W immediately reconfigured itself and provided full access to the full set of security services.

If wireless services are a priority then the Firebox T20-W might not be the ideal choice, but it’s bursting with security features, and WatchGuard’s swift deployment and cloud management make it ideal for extending enterprise protection to home workers.

WatchGuard Firebox T20-W specifications