Next-generation firewalls (NGFWs) are at the core of an enterprise security strategy, and the best ones incorporate policy enforcement for applications and user control, intrusion prevention, deep packet inspection, sandboxing, and threat intelligence feeds – the ones included in this buying guide all offer those features.
Where they differ from one another is in pricing, performance, ease of installation and use, effectiveness at blocking threats, and advanced features such as cloud protection, application visibility, and integration with other security products. Generally, the more you pay, the more features the product offers and the greater breadth of use cases covered, so buyers must decide what the right product is for them based on the level of protection they need, their budget, and their in-house technical expertise.
NGFWs won't protect an enterprise from everything. They do not stop all cloud and insider threats, for example, and over time NGFW vendors will face increased pressure from cloud and software solutions. For now, though, the $10 billion enterprise firewall market remains strong and growing.
Here are our picks for top NGFW vendors, with links to in-depth pieces on each vendor, and we've included a chart at the end of this article comparing key features such as security effectiveness, value, technical support and ease of installation and management. Read more about our top security vendor methodology.
- Product features comparison chart
- Fortinet FortiGate
- Forcepoint NGFW
- Palo Alto Networks PA Series
- Barracuda F-Series
- Cisco Firepower NGFW
- Check Point Advanced Threat Protection
- Sophos XG Firewall
- Juniper Networks SRX
- Huawei USG
- Honorable mentions
Fortinet FortiGate firewalls offer top security at a good price point, making Fortinet one of the most popular firewall vendors and a frequent finalist on enterprise shortlists. FortiGate firewalls fared well in NSS Labs tests, where they received high marks for security effectiveness, performance and value. If you're looking for top security at a good price point, Fortinet should be on your evaluation list.
Forcepoint firewalls might set you back a little more, but you get best-in-class security and performance for your money. Top-notch R&D has produced features such as detection engines resistant to evasion techniques and a strong centralized management console.
Palo Alto Networks also isn't cheap, but offers NGFWs with strong security and performance that top all comers, and breadth of features to match. Gartner notes that Palo Alto frequently winds up with the highest overall evaluation score on shortlists.
SonicWall offers a firewall for everyone, and is ranked as a good value too, with good performance and ease of management. The company offers its SuperMassive line for the largest networks; NSA for midrange companies; and TZ series firewalls for small companies.
Not every NGFW vendor offers strong cloud support, but it's an area where Barracuda shines: With support for AWS, Azure, Google Cloud and VMware vCloud Air, the company's cloud capabilities are market-leading, and strong VPN features support distributed office use cases.
Cisco's biggest strength might be the breadth of security services it offers or integrates with its firewall, among them intrusion prevention, advanced malware protection, cloud-based sandboxing, URL filtering, endpoint protection, web gateway, email security, network traffic analysis, network access control and CASB. However, that broad protection comes with above average prices.
Check Point's breadth of offerings and features gives it broad applicability, and centralized management and role-based administration are market-leading features. The firewalls combine perimeter, endpoint and mobile security, and also offer application control, URL filtering, data loss prevention and strong cloud protections.
Sophos XG Firewalls are good candidates for mid-sized and distributed enterprises and those already using Sophos' endpoint protection solution. Dedicated remote branch devices and an easy-to-learn management interface are also strengths.
See our in-depth look at Sophos XG Firewall.
Juniper is a good candidate for enterprises desiring high throughput at low cost and advanced routing support, and for those combining security and networking purchases. Ease of management, branch office offerings and software-defined secure network (SDSN) technology are also positives.
Huawei is strongest with Asia and EMEA countries seeking value and performance, and for Huawei networking customers. Support for EMEA compliance requirements is another strength.
See our in-depth look at Huawei USG.
Lastly, two honorable mentions: WatchGuard and Versa Networks both demonstrated good security performance and value in NSS Labs tests.