WatchGuard Firebox T80 review: Small in stature, big on security

It’s been a busy year for WatchGuard so far. Along with acquiring Panda Security and its excellent cloud endpoint protection services, it has now launched a range of three new Firebox tabletop security appliances. We review the top-dog Firebox T80 which targets mid-sized offices and offers total gateway security and more at a very competitive price.

The T80 is a very different beast to WatchGuard’s older T70 tabletop appliance. Whereas the T70 uses a 1.6GHz Intel Celeron CPU, 2GB of DDR3 memory and a 16GB SSD, the T80 boasts a 1.2GHz quad-core NXP LS1046A CPU, 4GB of faster DDR4 memory and a 128GB SSD.

The new hardware allows the T80 to offer a high raw firewall throughput of 4.7Gbits/sec dropping to a respectable 631Mbits/sec with the AV, IPS and application control services enabled. As with the T70, it has the same octet of Gigabit ports with PoE+ on the last two but scores higher for expansion as it supports an optional 10GbE SFP+ module, which costs a modest £153.

WatchGuard Firebox T80 review: Security choices

WatchGuard offers a flexible range of one- and three-year subscriptions, with the Total Security Suite (TSS) offering the best value. Easily activated with a single feature key, it enables gateway anti-virus, anti-spam, web content filtering, application controls, an advanced persistent threat (APT) blocker, IPS and network discovery.

TSS includes WatchGuard’s RED (reputation enabled defence) service for tougher web security and the T80 has enough horsepower to run the IntelligentAV feature, which employs the Cylance AI-based scanning engine. WatchGuard’s DNSWatch service also monitors client DNS requests and blocks access to known malicious domains.

Secure software-defined WAN (SD-WAN) services are provided so you can designate multiple ports as external interfaces, link them together with rules and use packet loss, latency or jitter thresholds to determine routing decisions and failover. The T80 offers a wealth of VPN services with support for site-to-site IPsec tunnels plus mobile IPsec, PPTP and L2TP clients along with SSL VPNs.

Unlike the entry-level tabletop Fireboxes, the T80 supports the Access Portal feature which provisions secure, client-free VPN connections to cloud-hosted apps and can integrate with SSO and MFA providers. However, a feature not available on any of the tabletop models is data leak prevention (DLP) as the OEM partner WatchGuard worked with failed to update its signatures and was dropped.

Paragraph heading: Multiple management modes

The TSS Gold Support contract also provides a free remote setup and configuration session with a WatchGuard in-house engineer. Not that you’ll need the extra support though, as we found the T80 easy to deploy as a quick start wizard steps through securing admin access, adding the feature key and enabling Internet access with DHCP services on the LAN interface.

Along with the appliance’s local web console, you can manage the T80 using the free WatchGuard System Manager (WSM) suite which runs on a separate Windows host to provide central management, logging and reporting services. We also use WatchGuard’s free Dimension app as a Hyper-V VM in the lab and after linking it to the T80, could view appliance utilisation, an executive dashboard, a global threat map and policy activity graphs.

WatchGuard’s Cloud portal remotely monitors all your Fireboxes regardless of their physical location and the TSS subscription activates a 30-day log retention service. The portal dashboards provide views of all security services, detected threats and appliance performance - WatchGuard advised us that full remote configuration services are currently in alpha testing and should be available in September.

WatchGuard’s RapidDeploy zero-touch cloud service makes light work of deploying multiple appliances to home workers and remote sites. Once new appliances have been registered to your support account, you assign a predefined configuration file to them from the portal which they will download and apply when they have been powered on at the remote location and receive internet access.

WatchGuard Firebox T80 review: Configuration

The T80 supports three operational modes and defaults to the mixed routing mode which allows all ports to be defined as separate interfaces. Configuring the remaining ports (including the 10GbE port) is simple; we simply defined them as external, trusted, optional or custom and added DHCP services on selected trusted ports.

A range of proxies are used to inspect all traffic and you create firewall rules for each one, define the source and destination network interfaces they are to be applied to and assign actions. There are plenty to choose as you have proxies for HTTP, HTTPS, FTP, SIP, H.323, POP3 plus SMTP and the web console provides wizards for them all.

Applying web content filtering is a swift process using the Forcepoint–powered WebBlocker service, which offers 130 URL categories to choose from and the setup wizard already blocks 24 in its default security policy. You can tweak this policy or create new actions, apply HTTP and HTTPS filtering and when you’re done, leave the wizard to create a new firewall rule.

Gateway AV scanning can be enabled on selected proxies and you can choose to block or drop infected payloads. The IntelligentAV service scans files such as Office documents and PDFs, is enabled with one click and is automatically applied to all proxies that have gateway AV enabled.

The LastLine cloud service provides APT services and scans inbound files, creates MD5 hashes and checks them to see if they’re known malware. Anti-spam is just as easy to configure as you select incoming SMTP, IMAP and POP3 traffic and tag spam messages for further processing by rules set up in your users’ mail clients.

WatchGuard Firebox T80 review: Verdict

WatchGuard’s Firebox T80 is a remarkable little appliance that delivers an impressive range of security services at a price the competition will find tough to beat. It’s easy to deploy and the fact that all of WatchGuard’s management services are included as standard and not as expensive options just adds even more to its value proposition.

WatchGuard Firebox T80 specifications