Firewalls lie at the heart of any IT security strategy. Survey any organization for the type of security tools they deploy and they will vary on many points, but all will include a network firewall. But firewalls aren't so simple or basic anymore. They have evolved significantly over the past decade to include an array of advanced features, and these more advanced offerings are called next-generation firewalls (NGFWs).
Firewalls are so critical to IT security that the $10 billion market is the largest IT security product market and is still growing around 8% per year. Gartner analyst Adam Hils notes that NGFWs are now the norm.
"Next-generation capabilities have been achieved by all products in the enterprise network firewall market, and vendors differentiate on feature strengths," said Hils.
Some vendors continue to differentiate an old-school firewall from an NGFW. You can see that in some of the vendor specs where they report firewall throughput and NGFW throughput as separate metrics.
- Product features comparison chart
- Sophos XG Firewall
- Barracuda F-Series
- Juniper Networks SRX
- Fortinet FortiGate
- Forcepoint NGFW
- SonicWall SuperMassive
- Palo Alto Networks PA Series
- Cisco Firepower NGFW
- Huawei USG
- Check Point Advanced Threat Protection
NGFW features include support for single-enterprise firewalls, branch offices, multi-tiered demilitarized zones (DMZs), and virtual versions that can be deployed within the cloud. In addition, NGFWs come with comprehensive management and reporting, policy enforcement for applications and user control, intrusion prevention, deep packet inspection, sandboxing, and threat intelligence feeds.
All NGFW products contained in this guide include those features, but some seek to differentiate themselves with additional functionality. We also provide a chart at the bottom of this article comparing features from the different vendors. For an overview of network firewall features, read Network Firewalls: How to Protect Your Network from Unauthorized Access.
Top NGFW vendors
This guide focuses on the top NGFW vendors and their various offerings. All scored well in Gartner's most recent Magic Quadrant (MQ) for firewalls.
Below is a brief summary of the top next-generation firewall vendors, in no particular order, along with a chart giving basic details of each product. The summaries link to a detailed analysis of each product, including target markets and use cases, features, metrics, intelligence, use of agents, security certifications, product delivery (e.g., cloud, software or hardware), and pricing.
Sophos XG Firewall blocks unknown threats, automatically responds to security incidents by isolating compromised systems, and exposes hidden user, application and threat risks on the network. It also includes synchronized security, a web application firewall, email protection, ransomware protection, phishing prevention, and a secure web gateway. Its target market is small and mid-sized companies.
The Barracuda NextGen Firewall F-Series is a family of hardware, virtual and cloud-based appliances designed to protect a hybrid network at the headquarters, cloud location and every WAN endpoint. It integrates Layer 7 application control, intrusion prevention, web filtering, malware and advanced threat protection, anti-spam and network access control, with SD-WAN capabilities. Its target market is mid-sized and large enterprises.
The Juniper Networks SRX Series Services Gateways combine information from the Juniper Sky Advanced Threat Prevention cloud-based service and third-party GeoIP feeds to block malicious activities. The gateways can also perform deep packet inspection (DPI) and apply role-based access policies. The firewalls support organizations ranging from small enterprises up to service providers.
FortiGate next-generation firewalls use security processors, threat intelligence updates and automated mitigation. The firewalls integrate with other Fortinet security products for the network, endpoint, application, data center, cloud and access layer, as well as third-party solutions. The target market is mid to large enterprises.
Forcepoint NGFW enables security teams to deploy, monitor, and update thousands of firewalls, VPNs and IPSs rapidly, whether in-house or via a managed service provider. It includes high-availability clustering and SD-WAN networking. The firewall works in tandem with the Forcepoint Human Point System, spanning user and data protection as well as cloud and access gateway security. The target market is distributed enterprises.
For the largest networks, SonicWall SuperMassive has sandboxing, SSL inspection, intrusion prevention, anti-malware, application identification, content filtering, real-time threat handling, centralized management, analytics and reporting. It supports small companies up to large enterprises.
The Palo Alto Networks PA Series runs on PAN-OS. The firewalls classify all traffic, including encrypted traffic, based on application, application function, user and content. Models range from the low-end PA-200 to the high-end PA-7000. They are used across all industries.
The Cisco Firepower NGFW includes URL filtering, cloud-based sandboxing and malware protection, as well as integration with endpoint security, network traffic analysis, web gateway, email security and network access control. It supports small companies up to large enterprises and service providers.
Huawei Unified Security Gateway (USG) includes fine-grained application access control, policy automation, and threat prevention technologies (cloud, sandbox and defense against unknown threats). It is aimed at enterprises and service providers.
See our in-depth look at Huawei USG.
Check Point's Advanced Threat Prevention is packaged with zero-day protection and next-generation firewall technologies. It includes application control, URL filtering, IPS, antivirus, anti-bot, email security, policy management, monitoring and event management. It can support small offices up to large enterprises.