WatchGuard Firebox T55-W review

A wealth of security measures at a knock-down price

Editor's Choice
  • Excellent value; Huge range of security services; Easy to deploy; Integral dual-radio wireless AP
  • Could do with a little more internal memory

Stepping in to the middle of WatchGuard's desktop security appliance family, the Firebox T55-W is equally at home protecting SMEs, remote workers or branch offices. Clothed in the classic bright red Firebox chassis, this desktop box delivers an impressive range of security measures and amalgamates them with integral 11ac dual-band wireless.

It may be small but it's no lightweight for performance, with WatchGuard recommending it for up to 30 users and claiming a 1Gbits/sec raw firewall throughput and 523Mbits/sec with all UTM services enabled. It has five Gigabit ports for WAN, LAN and DMZ duties with PoE+ presented on the fourth LAN port.

The appliance doesn't give the wireless game away as its aerials are tucked away inside the chassis. Another useful wireless feature present on all Firebox appliances is their integral gateway controller which can centrally manage and provision WatchGuard's own APs.

WatchGuard Firebox T55-W: Security features

Prices starting at 960 for the hardware, plus a one-year 24/7 support contract and all software updates. Where you go from here is up to you; suffice to say that WatchGuard offers plenty of choice.

A one-year Basic Security Suite subscription pushes the price to 1,293 and activates anti-virus, anti-spam, web filtering, HTTPS inspection, IPS, application controls and WatchGuard's reputation enabled defence. The price we've shown is for a three-year Total Security Suite subscription which adds WatchGuard's data leak prevention (DLP) and advanced persistent threat (APT) blocker service.

Along with a Gold 24/7 support contract, Total Security includes WatchGuard's RED (reputation enabled defence) service. Web access requests send the URL to WatchGuard's RED cloud servers where they assign a score and instruct the appliance to either allow or block it.

VPN services are extensive as the T55-W supports site-to-site IPsec tunnels plus mobile IPsec, PPTP and L2TP clients along with SSL VPNs. Note that the new Access Portal feature which provisions secure, client-free VPN connections, is not supported on the Firebox 'T' models.

WatchGuard Firebox T55-W: Installation and management

The T55-W is easy to deploy: the web console runs a wizard to secure the appliance and get Internet access running on an external port along with DHCP services on the first trusted LAN interface. Large distributed businesses will like WatchGuard's RapidDeploy cloud service as they can send new appliances to remote offices and have them receive a configuration file as soon as they are powered up.

The wizard defaults to the flexible mixed-mode routing which allows wired and wireless ports to be defined as separate interfaces. Configuring the remaining ports is a cinch as we defined them as external, trusted, optional or custom and added DHCP services on selected trusted ports.

WatchGuard's browser interface is well-designed and standard across all Firebox appliances. It opens with a tidy dashboard showing a breakdown of traffic for the top clients, web destinations, policies and applications with options to drill down for more detail on each entry.

Management choices are extensive, and you can load the WatchGuard System Manager (WSM) suite on a separate Windows host to provide central management, logging and reporting services. We run WatchGuard's Dimension as a VMware VM in the lab and after linking it to the T55-W, used it for viewing appliance utilisation plus an executive dashboard, global threat map and policy activity graphs.

WatchGuard Firebox T55-W: Rules and proxies

The T55-W uses proxies for all security services and there are plenty to choose as you have ones for HTTP, HTTPS, FTP, SIP, H.323, POP3 and SMTP. Firewall rules are created for each proxy which define the interfaces they apply to and their actions - and WatchGuard provides wizards for all of them.

Highly granular web content filtering policies are possible where you choose from 130 Websense URL categories, enable blocking actions on the HTTP and HTTPS proxies, add exceptions and enable alerting. Anti-spam measures are just as easy to configure; you can select incoming SMTP, IMAP or POP3 traffic and block or tag spam messages.

Gateway AV scanning can be enabled on selected proxies, which you'll need running if you want to enable the APT service. This scans inbound files, creates MD5 hashes and checks them with the LastLine cloud service to see if they're known malware.

We noticed that Dimension was reporting a total appliance memory usage of between 65-90% and WatchGuard advised us this is due to the demands of the new BitDefender AV engine. It can get close to the edge although we didn't encounter any performance issues during testing.

WatchGuard Firebox T55-W: Wireless features

The T55-W can present up to three separate APs that act as DHCP relays or provide their own DHCP services. Along with all key encryption schemes, their SSIDs can be broadcast or hidden and you can apply client isolation so users on the same wireless network can't see each other.

Global wireless settings include 2.4GHz and 5GHz radio modes, a choice of channel widths and protection against the WPA/WPA2 KRACK vulnerability for unpatched wireless clients. Rogue AP detection can be enabled - but be careful when you schedule it as it will temporarily disable the appliance's APs while it's running.

If you want more APs, you can add any of WatchGuards's four available models and pair them with the appliance's wireless gateway controller. Once paired, you can assign SSIDs to their dual radios, enforce wireless security and apply custom firewall policies to the ports they are connected to.

WatchGuard Firebox T55-W: Verdict

The T55-W is a versatile security appliance that's well-suited to deployments in SMEs and enterprise branch or remote offices. For the price, it's offering a remarkable range of easily configured security features, all management components are inclusive and the icing on the on the cake is its integral wireless network services.


SMEs that want tough gateway security, a good range of wireless services and a low price will find WatchGuard’s T55-W ticks all their boxes

Chassis: Desktop Memory: 2GB RAM Network: 5 x Gigabit (Port 4 with PoE) Wireless: 2.4/5GHz 802.11ac Other ports: 2 x USB 2, RJ-45 serial Power: External PSU Management: Web browser, WatchGuard Dimension/Command Warranty: 3-year Gold 24/7 support

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now


Sophos XG 135w Rev. 3 review: The full package
unified threat management (UTM)

Sophos XG 135w Rev. 3 review: The full package

25 Feb 2020
WatchGuard Firebox T70 review: Compact but capable
unified threat management (UTM)

WatchGuard Firebox T70 review: Compact but capable

24 Feb 2020
Zyxel NSG200 review: A fine spread of features
unified threat management (UTM)

Zyxel NSG200 review: A fine spread of features

21 Feb 2020

Most Popular

The enemy of security is complexity

The enemy of security is complexity

9 Oct 2020
The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

5 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020