IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

WatchGuard Firebox T35-Rugged review: Industrial-strength security

This affordable appliance delivers a wealth of security services to places where competitors fear to tread

Editor's Choice
£2,395 exc VAT (Appliance with 1yr Total Security)
  • IP64-rated
  • Specific protection for industrial systems
  • Great value
  • No wireless radio

As industrial control systems evolve and become internet-connected, they’re inevitably becoming a target for cybercriminals looking to wreak havoc on a grand scale. Protection is clearly a must, but traditional security appliances aren’t designed to cope with the extreme environments in which industrial systems are often deployed.

Enter WatchGuard’s Firebox T35-Rugged, which can withstand the harshest of conditions. Clothed in an aluminium casing that acts as a heatsink, it’s designed to work at temperature extremes between -40°C and +60°C, while its IP64 rating means it’s fully protected against dust and water splashes from all directions.

This go-anywhere philosophy makes the T35-Rugged extremely versatile. It’s being considered for deployment inside fire engines to provide secure wireless services to responders, as well as on trains to deliver in-transit Wi-Fi to commuters.

On that point, it’s worth noting that the T35-Rugged doesn’t include its own wireless radio. Aside from its WAN socket, physical connectivity extends only to four built-in Gigabit Ethernet ports (which come set into solid screw-fit connectors to maintain its IP rating). However, the built-in wireless controller can centrally manage all WatchGuard-branded access points, including the IP67-rated AP327X Wave2 AP, and provide them with all the same security services as wired traffic. 

Getting set up is easy. The web console greets you with a wizard-based routine that creates a base set of firewall policies for securing internet access; if you need the appliance to be installed in a remote location, you can alternatively use WatchGuard’s RapidDeploy cloud service to push a custom configuration file to the T35-Rugged as soon as it powers up.

You can then enjoy a huge range of security services: the price above includes a one-year subscription to WatchGuard’s Total Security Suite, which includes web-content and application controls, anti-spam, Gateway AV, network discovery, IPS, data loss prevention and an advanced persistent threat blocker, as well as WatchGuard’s RED (reputation-enabled defence) service for even tougher web protection. A Gold Support subscription rounds the package off with a free remote setup and configuration session with a WatchGuard engineer. 

In use, the T35-Rugged works by employing proxies to control your various traffic types, and each one loads a wizard the first time you access it. Web-content filtering took us a few minutes to configure, as you’re prompted to choose which of 130 URL categories to allow or block, and set blocking actions for the HTTP and HTTPS proxies, after which the wizard creates the appropriate firewall policy rules.

Interestingly, the Firebox T35-Rugged offers two levels of antivirus protection. The main Gateway AV feature uses the Bitdefender scanning engine, and can be enabled on a selection of proxies; the IntelligentAV feature uses the Cylance engine to give files such as Office documents and PDFs an additional AI-based scan.

Firewall policies control all the proxies, and within selected ones you can set allow, drop or block actions based on five threat levels. Those working in an industrial setting will appreciate the fact that the intrusion prevention service includes over 70 threat signatures aimed specifically at protecting supervisory control and data acquisition networks.

There are also options for keeping track of your security status. You can use WatchGuard’s free Dimension VMware or Hyper-V VM to access the executive dashboard and view security service activity, or log into WatchGuard’s Cloud service to access the T35-Rugged from anywhere.

The Firebox T35-Rugged isn’t just well-featured: within its class it’s excellent value, as Fortinet’s IP67-rated FGR-35D costs over twice as much, while Cisco’s ageing ISA-3000 lacks an IP rating altogether. If you want a true industrial-grade security appliance looking after your network services, this is the place to go. 

WatchGuard Firebox T35-Rugged specification


Desktop appliance, fanless chassis


1.4GHz NXP QorIQ T1024 dual-core 64-bit CPU



Storage included



5 x Gigabit Ethernet (WAN, 4 x LAN), RJ-45 serial port  

Other ports

2 x USB 2


Web browser, Dimension and cloud management

Dimensions (WDH)

240 x 198 x 43mm 



Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download


Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse

Why India wants to become a chipmaking powerhouse

28 Jun 2022