WatchGuard Firebox T35-Rugged review: Industrial-strength security

This affordable appliance delivers a wealth of security services to places where competitors fear to tread

Editor's Choice
£2,395 exc VAT (Appliance with 1yr Total Security)
  • IP64-rated
  • Specific protection for industrial systems
  • Great value
  • No wireless radio

As industrial control systems evolve and become internet-connected, they’re inevitably becoming a target for cybercriminals looking to wreak havoc on a grand scale. Protection is clearly a must, but traditional security appliances aren’t designed to cope with the extreme environments in which industrial systems are often deployed.

Enter WatchGuard’s Firebox T35-Rugged, which can withstand the harshest of conditions. Clothed in an aluminium casing that acts as a heatsink, it’s designed to work at temperature extremes between -40°C and +60°C, while its IP64 rating means it’s fully protected against dust and water splashes from all directions.

This go-anywhere philosophy makes the T35-Rugged extremely versatile. It’s being considered for deployment inside fire engines to provide secure wireless services to responders, as well as on trains to deliver in-transit Wi-Fi to commuters.

On that point, it’s worth noting that the T35-Rugged doesn’t include its own wireless radio. Aside from its WAN socket, physical connectivity extends only to four built-in Gigabit Ethernet ports (which come set into solid screw-fit connectors to maintain its IP rating). However, the built-in wireless controller can centrally manage all WatchGuard-branded access points, including the IP67-rated AP327X Wave2 AP, and provide them with all the same security services as wired traffic. 

Getting set up is easy. The web console greets you with a wizard-based routine that creates a base set of firewall policies for securing internet access; if you need the appliance to be installed in a remote location, you can alternatively use WatchGuard’s RapidDeploy cloud service to push a custom configuration file to the T35-Rugged as soon as it powers up.

You can then enjoy a huge range of security services: the price above includes a one-year subscription to WatchGuard’s Total Security Suite, which includes web-content and application controls, anti-spam, Gateway AV, network discovery, IPS, data loss prevention and an advanced persistent threat blocker, as well as WatchGuard’s RED (reputation-enabled defence) service for even tougher web protection. A Gold Support subscription rounds the package off with a free remote setup and configuration session with a WatchGuard engineer. 

In use, the T35-Rugged works by employing proxies to control your various traffic types, and each one loads a wizard the first time you access it. Web-content filtering took us a few minutes to configure, as you’re prompted to choose which of 130 URL categories to allow or block, and set blocking actions for the HTTP and HTTPS proxies, after which the wizard creates the appropriate firewall policy rules.

Interestingly, the Firebox T35-Rugged offers two levels of antivirus protection. The main Gateway AV feature uses the Bitdefender scanning engine, and can be enabled on a selection of proxies; the IntelligentAV feature uses the Cylance engine to give files such as Office documents and PDFs an additional AI-based scan.

Firewall policies control all the proxies, and within selected ones you can set allow, drop or block actions based on five threat levels. Those working in an industrial setting will appreciate the fact that the intrusion prevention service includes over 70 threat signatures aimed specifically at protecting supervisory control and data acquisition networks.

There are also options for keeping track of your security status. You can use WatchGuard’s free Dimension VMware or Hyper-V VM to access the executive dashboard and view security service activity, or log into WatchGuard’s Cloud service to access the T35-Rugged from anywhere.

The Firebox T35-Rugged isn’t just well-featured: within its class it’s excellent value, as Fortinet’s IP67-rated FGR-35D costs over twice as much, while Cisco’s ageing ISA-3000 lacks an IP rating altogether. If you want a true industrial-grade security appliance looking after your network services, this is the place to go. 

WatchGuard Firebox T35-Rugged specification


Desktop appliance, fanless chassis


1.4GHz NXP QorIQ T1024 dual-core 64-bit CPU



Storage included



5 x Gigabit Ethernet (WAN, 4 x LAN), RJ-45 serial port  

Other ports

2 x USB 2


Web browser, Dimension and cloud management

Dimensions (WDH)

240 x 198 x 43mm 



Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Most Popular

The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity

The enemy of security is complexity

9 Oct 2020
IBM and SAP expand partnership to support software on hybrid cloud

IBM and SAP expand partnership to support software on hybrid cloud

21 Oct 2020