WatchGuard Firebox T85-PoE review: Big security in small spaces

A table-top appliance offering tough security measures for SMBs and remote offices at a great price

The WatchGuard Firebox T85 hardware on the ITPro background
(Image: © Future)

IT Pro Verdict


  • +

    Excellent value

  • +

    Easy deployment

  • +

    Extensive security features


  • -

    Modest hardware upgrade over the T80

WatchGuard's Firebox table-top security appliances are a great choice for SMBs and remote offices as they have traditionally offered a strong set of protection services at sensible prices. Aimed at sites with up to 50 users, the latest T85-PoE continues this tradition and gets a boost in performance over its predecessor – the three-year-old T80.

There aren't any radical changes afoot as the T85-PoE has the same 4GB of DDR4 memory and internal 128GB M.2 SSD but sports a faster 1.8GHz quad-core NXP LS1046A CPU – the T80 has the slower 1.2GHz version. You also get eight Gigabit ports with PoE+ services presented on the last two and an expansion bay at the rear which supports optional 10GbE SFP+ or LTE interface modules.

That boost in processing power has a positive impact on performance as the T85-PoE boasts a high raw firewall throughput of 4.96Gbits/sec and a respectable 943Mbits/sec with WatchGuard's anti-virus (AV), intrusion prevention service (IPS) and application control services enabled. These represent performance increases of 6% and 49% respectively over the T80.

WatchGuard Firebox T85-PoE review: Subscription suites

Unlike some security appliance vendors that like to confuse you with a vast array of optional features, WatchGuard keeps things nice and simple. All Firebox appliances with a support contract come as standard with firewall, VPN, software-defined WAN (SD-WAN) plus clientless VPN access portal services enabled and WatchGuard offers two security subscriptions.

The Basic Security Suite (BSS) subscription activates gateway antivirus (GAV), antispam, web filtering, HTTPS inspection, IPS, application controls, WatchGuard's RED (reputation enabled defence) cloud-based URL filtering and network discovery. We've shown the price for a 3-year Total Security Suite (TSS) subscription which enables everything WatchGuard has to offer.

This includes its advanced persistent threat (APT) blocker with cloud sandboxing, ThreatSync XDR which provides collection, correlation plus automated responses for threat events from all Fireboxes, DNSWatch for monitoring client DNS requests and blocking access to known malicious domains and WatchGuard's Gold support which provides advanced hardware replacement and a one hour targeted response time for high priority issues.

The T85-PoE has enough grunt to run the IntelligentAV anti-malware service which uses the Cylance AI-based engine to scan files such as Office documents, Windows portable executables and PDFs after they've passed through the GAV scanner. Access to the WatchGuard cloud portal for remote monitoring and management is included with both subscriptions but TSS increases its log retention period to 30 days.

You're spoilt for choice with management options as the T85-PoE can be monitored and configured in standalone mode via its local web console. Next up is WatchGuard's free System Manager (WSM) suite which you run on a separate on-premises Windows host to provide central management, logging and reporting services. 

WatchGuard Firebox T85-PoE review: Management choices

WatchGuard's Dimension software is also free and can be virtualized on a Hyper-V or VMware host. This provides a separate web console for viewing appliance utilization, an executive dashboard, policy activity graphs, a global threat map and the optional Dimension Command feature for Firebox management.

The WatchGuard Firebox digital dashboard

(Image credit: Future)

Most businesses, and particularly those protecting geographically distributed remote offices, will prefer WatchGuard's Cloud service. Even here, you have two choices as you can retain local management and set the appliance to send its logs to the cloud for monitoring and reporting or disable local management and move it all into the cloud.

We opted for full cloud management and after registering the appliance with our customer account and allocating it from the inventory, we applied our TSS feature key and ran through a brief wizard in our cloud portal to enable it. This took around 5 minutes after which the appliance had its local web console disabled and appeared in our portal ready for remote configuration.

WatchGuard Firebox T85-PoE review: Cloud management

Cloud configuration is simple as the portal provides full access to all the same settings you'll find in the appliance's local console. Just choose your Firebox from the left pane and you can enable the ThreatSync service, configure gateway AV scanning and APT blocking, activate IntelligentAV with one click and create anti-spam policies for SMTP, IMAP or POP3 traffic and tag spam messages in their subject line for ongoing local rule processing.


The network blocking section covers botnet detection, IPS plus custom blocked URLs and ports and WatchGuard has added a new category for detecting Tor (The onion router) exit points. A default content filtering policy blocks access to common unwanted web site categories and you can create custom policies by choosing from 130 URL categories and deciding whether to block or allow them.

The portal's content filtering section also provides access to Watchguard's application control service which offers over 1,250 predefined app signatures. You can block all social networking activity with one click or choose from 40 subcategories to fine tune workplace access to the likes of Facebook and Twitter.

The WatchGuard online user interface

(Image credit: Future)

The portal provides a wealth of monitoring information with views including live activity, all traffic, the top clients, application usage, blocked websites, executive and security dashboards, a global threat map and policy activity graphs. It's easy to see threats with the portal providing a summary view and incident list of those detected on all Fireboxes in our account and as we had the WatchGuard host sensor installed on some of our Windows endpoints, we could pull up the TDR dashboards and see threat indicators and remedial actions taken by our ThreatSync policies.

WatchGuard Firebox T85-PoE review: Verdict

Probably one of the most powerful table-top security appliances on the market, the Firebox T85-PoE delivers enterprise-class security features at an SMB price. Very easy to deploy, it offers an impressive range of management facilities including the slick WatchGuard Cloud portal while the ThreatSync with XDR services provide joined up protection against the latest cyberattacks.

WatchGuard Firebox T85-PoE specifications

Swipe to scroll horizontally
CPU Quad-core 1.8GHz NXP LS1046A
Memory 4GB ECC DDR4
Storage128GB M.2 SATA SSD
Network8 x Gigabit (WAN, 7 x LAN with PoE+ on Ports 6 and 7)
Expansion1 x module bay
Other ports2 x USB 3, RJ-45 serial
PowerExternal 120W PSU
ManagementWeb browser, WatchGuard WSM/Dimension/Command/Cloud
WarrantyIncluded in subscription
Optional modules1 x 10GbE SFP+, £148; LTE interface, £583 (all exc VAT)
Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.