Next-generation firewalls (NGFWs) are a core cybersecurity product, up there with endpoint protection as a foundational security tool every organization needs. As defending data and applications become more complicated, the security products built to withstand evolving threats also grow more powerful. The vast expansion of IoT devices, remote work, and advanced threats like ransomware has made protecting the perimeter both harder and more critical than ever, thus making firewall evaluation more complicated. Here then are eSecurity Planet’s picks for the top next-generation firewalls (NGFWs), with special emphasis on the firewalls’ advanced features, followed by an in-depth guide on features and the NGFW market.
- Top NGFW Solutions
- Analysis of the Top NGFWs
- Next-Gen Firewall Comparison
- What is a Next-Generation Firewall?
- What Are NGFW Features?
- Methods for Deployment
- Firewall Trends in 2021
- NGFWs: The Precedent for Firewall Technology
Top NGFW Solutions
Alongside an industry-leading suite of security products, Crowdstrike’s straightforward firewall management solution has been highly regarded by users since launching in late 2019. No custom firewall implementation is required, and the solution is priced on a subscription basis per endpoint.
Palo Alto Networks came out on top of both the Gartner Magic Quadrant and Forrester Wave and scored well in our evaluation too. If you’re looking for top security and performance, Palo Alto’s NGFWs should be on your evaluation list. We’ve been impressed by the level of security provided by Palo Alto – see our top EDR products report – and NGFWs are no exception.
Fortinet is another perennial firewall favorite. Its NGFWs scored above average in NSS Labs tests, while its TCO per protected Mbps was near the top – in short, good security and performance for a good price. Fortinet has also posted strong test results in data center gateways, intrusion prevention, breach prevention and SD-WAN, so you’d be hard-pressed to find a cybersecurity vendor more willing to let its products undergo rigorous testing.
Forcepoint offers some of the best security for the money, scoring high in both security effectiveness and TCO in NSS Labs tests. Behavioral analytics, SD-WAN, SASE, cloud support, management and FWaaS are strengths. Cloud and distributed offices are two particularly good use cases. Users report integration challenges and would like to see more robust reporting, but Forcepoint’s combination of security and value should bring Forcepoint greater consideration.
Cisco’s biggest strength may be the breadth of its offerings. Its zero trust, microsegmentation and SD-WAN capabilities have made it the early leader in the emerging zero trust market. In addition to its Firepower and Meraki firewalls, Cisco also offers impressive integration with its endpoint, cloud, networking and application security products.
WatchGuard shares a distinction with Palo Alto Networks: they were the only two vendors to have no observed evasions of the 11 firewalls tested in NSS Labs’ 2019 NGFW tests. WatchGuard came in fourth in TCO per protected Mbps, putting them right behind Forcepoint for best combination of security and value. WatchGuard was an honorable mention in our last NGFW report in August 2018; this time they’re moving up to a top vendor, and the acquisition of Panda Security will make them even better.
Juniper and Huawei share the Most Popular award – their users rave about them. Juniper has been coming on strong in the security market with advanced features like machine learning-based detection. Cloud and zero trust features could use more development, but Juniper networking customers in particular should give the company’s SRX firewalls a serious look, and the company has strong capabilities for just about all enterprise use cases.
Huawei scored highest in TCO in the 2019 NSS tests, making the company’s firewalls a compelling value for Huawei customers in particular, and data centers in general. CASB-like features make it good for SaaS use cases, and machine learning-based detection, SD-WAN and early 5G adoption are other strengths. FWaaS and better cloud-based management are needs. Users love everything about the company’s Unified Security Gateways (USG): value, implementation, capabilities and even support.
Analysis of the Top NGFWs
The Barracuda CloudGen Firewall has the hybrid era in mind with its Firewall F-Series designed to preserve legacy hardware while meeting new challenges in hybrid network environments. Administrators have the latest features to combat advanced threats with traffic management, SD-WAN, IDPS, and VPN capabilities built-in. Barracuda relies on multiple detection layers, including threat signatures and static code analysis, in an era where signature-based defenses are increasingly unreliable.
Barracuda CloudGen Firewall Features
- Hybrid infrastructure compatible with firewalls for on-premises, virtual, and cloud
- Advanced threat protection enabling full system emulation for detecting malware
- Stateful deep packet inspection to block malformed packets and attacks
- High availability with automated load balancing and uplink options
- Control over objects, repositories, updates, privileges, and configuration management
Recognition for Barracuda
Barracuda Networks receives consistent mentions as a firewall vendor to consider. Barracuda earned the Niche Player designation from the Gartner Magic Quadrant for Network Firewalls the last three years and Contender status in the Forrester Wave in 2020. In the latest CyberRatings test results, Barracuda firewalls received an A rating (the third-highest rating of ten).
On Gartner Peer Insights, the firewall vendor has an average score of 4.7/5 stars with 197 reviews. Barracuda’s highest reviews and ratings cited the quality of technical support and services, including the vendor’s ability to understand organizational needs and the quality of end-user training.
Longtime firewall vendor Check Point Software Technologies delivers a robust NGFW solution with its series of Quantum Security Gateways. The American-Israeli vendor has threat prevention solutions for organizations of all sizes that include IPS, anti-bot, application control, URL filtering, and more. Check Point’s modern solution is also a draw for its SandBlast Zero-Day Protection, offering threat emulation and extraction for the most advanced attacks.
Quantum Security Gateway Features
- Hybrid infrastructure compatible, including physical, virtual, cloud, and mobile segments
- SandBlast, the cloud-based emulation engine for stopping hackers in their tracks
- Extensive physical appliance options featuring single and multi-domain management
- Central management with rollouts and rollbacks of policy configurations
- Maestro Orchestrator, a network security solution for hyperscale implementations
Recognition for Check Point
Check Point is widely known as one of the earliest innovators of the firewall industry. Check Point earned the Leader designation from the Gartner Magic Quadrant for Network Firewalls in 2018 and 2019 and Challenger in 2020. In the 2020 Forrester Wave for Enterprise Firewalls, the vendor received Leader status.
On Gartner Peer Insights, the firewall vendor has an average score of 4.5/5 stars, with over 1,200+ reviews. Check Point’s highest reviews and ratings cited product capabilities followed by ease of the contracting and deployment process. In the latest CyberRatings test results, Check Point firewalls received the highest rating, AAA (the highest rating of ten).
Networking leader Cisco Systems has consistently innovated to keep pace with an ever-changing IT and cybersecurity ecosystem. In 2015, its acquisition of SD-WAN startup Embrane pushed the vendor further into the future with application-level traffic protection. In 2021, the Cisco Secure Firewall offers real-time workload and network security across dynamic environments. Cisco Secure Workload integration helps administrators scale in the modern computing era to protect distributed and dynamic applications across expanding networks.
Cisco Secure Firewall Features
- Unified control over firewall tools through the Secure Firewall Management Center
- Dynamic policy support with tag-based policies and attribute support
- Developer-friendly, highly elastic, cloud-native firewall options built on Kubernetes
- Log management with security incidents and behavioral analysis
- Rapid and actionable threat intelligence delivered by the Cisco Talos Intelligence Group
Recognition for Cisco
Cisco earned the Leader designation from the Gartner Magic Quadrant for Network Firewalls in 2018 and 2019 and Challenger in 2020. In the Forrester Wave for Enterprise Firewalls, Cisco received Leader status in 2020. In the latest CyberRatings test results, Cisco firewalls received a BB rating (the fifth-highest rating of ten).
On Gartner Peer Insights, the firewall vendor has an average score of 4.5/5 stars with 1,274 reviews. Cisco’s highest reviews and ratings cited the quality of technical support, timeliness of vendor’s responses, and product capabilities. The Cisco Partner Program gives the vendor’s extensive channel partners access to an incredible technology stack, including its Secure Firewall.
With a track record serving public agencies and global enterprises and a growing stack of security solutions, Forcepoint developed its own SASE platform to protect data in the cloud era. The Forcepoint Next Generation Firewall prides itself as an enterprise SD-WAN combined with its industry-tested security tools providing high availability, scalability, and security across an evolving ecosystem. With strong cluster management capabilities, large organizations have the most to gain from Forcepoint’s NGFW.
Forcepoint NGFW Features
- Centralized management for enhanced implementation of distributed network policies
- High-availability clustering of devices, VPN connections, and SD-WAN networks
- Unified software for on-premises, cloud (AWS and Azure), and VMware deployments
- Integrated tools for CASB, web security, and anti-malware sandboxing
- Allowing and blocking traffic by application, version, user, and device
Recognition for Forcepoint
Though Forcepoint might not be at the top of the firewall industry, its product strategy is solid and innovative. Forcepoint earned the Visionary designation from the Gartner Magic Quadrant for Network Firewalls the last three years and Strong Performer status in the Forrester Wave in 2020. In the latest CyberRatings test results, Forcepoint firewalls received a AAA rating (the highest rating of ten).
On Gartner Peer Insights, the firewall vendor has an average score of 4.4/5 stars with 91 reviews. Forecepoint’s highest reviews and ratings cited ease of deployment, product capabilities, and client services.
With roots at NetScreen, brothers Ken and Michael Xie continue developing some of the industry’s most robust firewall technology twenty years later. Its firewall series, FortiGate NGFWs, serves a range of clients from the home office to distributed enterprise organizations and data centers. FortiGate combines SSL inspection, IPS, and web filtering to consolidate security capabilities and give administrators visibility across network segments.
FortiGate NGFW Features
- Real-time threat intelligent defenses informed by AI-powered FortiGuard Services
- Security Processing Units (SPUs) and vSPUs accelerate network security computing
- Fortinet’s security-focused operating system, FortiOS, with federated upgrades
- Zero trust capabilities to identify suspicious users and devices and protect segments
- Scalable IPsec VPN tunneling for securing a remote and distributed workforce
Recognition for Fortinet
Fortinet sits atop the firewall industry for many enterprise organizations. Its Fortigate solution earned the vendor Leader designation from the Gartner Magic Quadrant for Network Firewalls the last three years and Strong Performer status in the Forrester Wave in 2020. In the latest CyberRatings test results, Fortinet firewalls received a AA rating (the second-highest rating of ten).
On Gartner Peer Insights, the firewall vendor has an average score of 4.6/5 stars over 1700+ reviews. Fortinet’s highest reviews and ratings cited ease of deployment, product capabilities, and improving compliance and risk management.
Telecommunications giant Huawei has a comprehensive technology stack, including its next-generation firewalls, the Huawei USG (Unified Security Gateway) Series, designed for modern data centers and large enterprise organizations. The vendor boasts its most recent edition – the USG6700E Series AI Firewall – which reduces operating expenses by more than 80% with simplified service deployment and change policies.
Huawei USG6700E Series Features
- Works with local or cloud sandbox to detect, analyze, and prevent zero-day threats
- Utilizes policy-based routing (PBR) to manage bandwidth per user and IP
- Deception system for identifying threat actor scans and investigating the incident
- Chip-level pattern matching and accelerated cryptography for enhanced performance
- Integrated tools include URL filtering, data loss prevention, VPN, AV, and IPS
Recognition for Huawei
Huawei has a suite of solutions to supplement its reputable firewall solutions. In the last three years, Huawei earned the Challenger designation from the Gartner Magic Quadrant for Network Firewalls and Strong Performer status in the Forrester Wave in 2020.
On Gartner Peer Insights, the firewall vendor has an average score of 4.9/5 stars with 136 reviews. Huawei’s highest reviews and ratings cited are high across categories, with top scores in deployment, vendor timeliness, and technical support. Huawei’s track record doesn’t come without some controversy. In recent years, multiple industrial nations including Australia, Brazil, Canada, the European Union, Russia, and the United States enforce some restrictions on use of Huawei products.
In 2004, Juniper Networks acquired firewall innovator NetScreen Technologies for $4 billion to enter the cybersecurity market. Today, its security solutions continue to evolve to meet hybrid IT needs. For NGFWs, Juniper offers its SRX Series Gateways to defend the network edge, data centers, virtual and cloud environments (vSRX), and containers (cSRX). With centralized policy control, administrators for SMBs up to enterprise data centers and service providers can use the SRX Series to scale operations.
Juniper SRX Series Gateways Features
- Identify, secure, and manage traffic by applications and users with AppSecure
- Streamline configuration management and scaling with centralized controls
- Intrusion prevention system capable of accomodating custom signatures
- Policy-based routing and SDN across wired, wireless, and WAN networks
- Microsegmentation, validated threat prevention, and VPNs for enriching security
Recognition for Juniper
Juniper Networks’ firewall solutions are gaining growing industry acclaim. Juniper earned the Niche Player designation from the Gartner Magic Quadrant for Network Firewalls in 2018 and 2019, upgrading to market Challenger in 2020. In the 2020 Forrester Wave for Enterprise Firewalls, Juniper was dubbed a Strong Performer. In the latest CyberRatings test results, Juniper firewalls received a AA rating (the second-highest rating of ten).
On Gartner Peer Insights, the firewall vendor has an average score of 4.7/5 stars with 237 reviews. Jupiter’s highest reviews and ratings cited the contract process, the vendor’s ability to understand client needs, and the availability of quality third-party resources. The SRX Series Gateways is a good choice for existing Juniper customers, but the company’s strong security focus should put it on other shortlists too.
Palo Alto Networks
Born from the mind of Nir Zuk – who helped develop the first stateful inspection firewall and IPS – Palo Alto Networks was the first company to release a “next-generation firewall” in 2007. From introducing application-aware and in-line deployable NGFW, the market leader continues to innovate with physical (PA-Series), virtual (VM-Series), and container (CN-Series) firewall solutions. PAN’s firewalls provide comprehensive visibility and control of distributed network segments with increasingly complex network architecture.
Palo Alto Networks Firewalls Features
- Options for SMBs up to enterprise-scale organizations, MSPs, and large data centers
- Integrate existing user repositories to control application access with user-based policies
- Central management (Panorama) gives administrators a single point to manage NGFWs
- Threat detection and intrusion prevention informed by machine learning
- Protection for Kubernetes with exfiltration prevention and DevOps-friendly configuration
Recognition for Palo Alto Networks
Palo Alto Networks is widely considered one of the best firewall solutions in the marketplace. The PA-Series earned the vendor Leader designation from the Gartner Magic Quadrant for Network Firewalls the last three years and Leader status in the Forrester Wave in 2020.
On Gartner Peer Insights, the firewall vendor has an average score of 4.6/5 stars over 900+ reviews. Palo Alto Networks’ highest reviews and ratings cited product capabilities, integrations, and deployment. In the latest CyberRatings test results, Palo Alto firewalls received a AAA rating (the highest rating of ten).
UK-based cybersecurity vendor Sophos offers a stack of firewall solutions under the Sophos Firewall Xstream’s architecture. With increasingly complex network segments, the XGS Series of firewalls meets organizations where they’re at to provide modern data protection for SaaS, SD-WAN, and cloud traffic. Informed by SophosLabs data scientists, XGS Firewalls use global threat data to automate detection and response, isolating suspicious behavior and blocking lateral movement.
Sophos XGS Series Firewalls Features
- Deep packet inspection, including intrusion prevention and proxy-based scanning
- Threat intelligent traffic selection covering all ports and supporting modern cypher suites
- Dynamic sandboxing and deep learning static file analysis capabilities
- Machine learning models to identify advanced and unidentified threats
- Monitoring offering visibility into content, web, and application traffic data
Recognition for Sophos
Sophos continues to impress industry analysts as its reputation grows. Sophos was named a Niche Player in the Gartner Magic Quadrant for Network Firewalls in 2018 and upgraded to Visionary the last two years. In the 2020 Forrester Wave, Sophos received Strong Performer designation.
On Gartner Peer Insights, the firewall vendor has an average score of 4.5/5 stars with 409 reviews. Sophos’s highest reviews and ratings cited the evaluation process, product capabilities, and ease of deployment.
Next-Gen Firewall Comparisons
- Sophos XG vs. SonicWall
- Fortinet FortiGate vs. Forcepoint
- Sophos XG vs. Fortinet
- Fortinet vs. Palo Alto
- Check Point vs. Palo Alto
- SonicWall vs. Palo Alto
- SonicWall vs. Fortinet
- Cisco vs. Juniper
What is a Next-Generation Firewall (NGFW)?
Next-generation firewalls (NGFWs) are the third-generation and current standard for firewall technology. After adopting unified threat management (UTM) and web application firewalls (WAF) in the 2000s, the innovation of NGFWs was a giant leap forward. These advanced firewalls cover the gamut of traditional firewall services but go farther in offering intrusion prevention systems (IPS), deep-packet inspection (DPI), advanced threat protection, and Layer-7 application control technologies.
What Are NGFW Features?
Organizations expect the most up-to-date tools and resources for managing their security infrastructure, including NGFW capabilities. When considering NGFW vendors and products, look for the following standard and advanced features.
Application and Identity Awareness
A critical difference between traditional firewalls and NGFWs is the latter’s ability to offer protection at the application and user identity levels. Whereas traditional firewalls relied on standard application ports, NGFWs can identify, allow, block, and limit applications regardless of port or protocol. NGFWs’ ability to recognize identity adds to its control by enabling administrators to apply firewall rules more granularly to specific groups and users.
Centralized Management, Visibility, and Auditing
To actively manage a network’s defenses, administrators need an accessible and configurable dashboard to view and manage security systems like NGFWs. Most NGFWs contain log analysis, policy management, and a management dashboard that offer a way to track security health, analyze traffic patterns, and export firewall rules for use elsewhere.
Also known as dynamic packet filtering, traditional firewalls used stateful inspection to inspect traffic up to Layer-4. NGFWs are built to track Layers 2-7. This advancement allows NGFWs to perform the same stateful inspection duties of a traditional firewall—distinguishing between safe and unsafe packets. The extension of dynamic packet filtering to the application layer is invaluable as critical resources move towards the network edge.
Deep Packet Inspection
Deep packet inspection (DPI) goes a step further in inspecting traffic from stateful inspection. More targeted than stateful inspection, which monitors all traffic and just the packet headers, DPI inspects the data part and header of transmitted packets. Executed at the application layer, DPI can locate, categorize, block, or reroute packets with problematic code or data payloads not detected in stateful inspection.
Also Read: What is Application Security?
Integrated Intrusion Prevention (IPS)
Intrusion prevention systems (IPS) once sat adjacent to the firewall, playing defender against new threats outside the protected network. While traditional firewalls managed traffic flows based on network information, IPS devices took on inspecting, alerting, and even actively ridding malware and intruders from the network.
As cybersecurity products have evolved, IPS technology has been a valuable integration into NGFW product offerings. While the distinction is growing narrower, the challenge for buyers becomes whether the IPS technology included with their NGFW is good enough to forego a standalone IPS product. Critically, IPS can prevent attacks like brute force, known vulnerabilities, and Denial of Service (DoS).
Depending on your NGFW selection, you may have access to a network sandbox or have the option of adding such on a subscription basis. Network sandboxing is one method of advanced malware protection because it allows IT professionals the chance to send a potentially malicious program to a secure, isolated, cloud-based environment where administrators can test the malware before using in-network.
HTTPS is the current standard for network communication over the internet, using the SSL/TLS protocol for encrypting such communications. As the leading network traffic inspector, NGFWs are now being used to decrypt SSL and TLS communications, often coming with remote access VPN capabilities.
To secure encrypted traffic, NGFWs support all inbound and outbound SSL decryption. This monitoring ensures that the infrastructure can identify and prevent threats rooted in encrypted network flows.
Threat Intelligence and Dynamic Lists
Most NGFW vendors offer some form of threat intelligence. New threats arise daily, and expecting firewall administrators to be aware and online around the clock can be a recipe for disaster. NGFWs can use a global network’s updates on the latest threats and attack sources through third-party threat intelligence feeds to block threats and implement policy changes in real-time.
Indicators of compromise (IoC) are shared globally, informing your NGFW of malicious traffic to eliminate or block automatically without the 3 a.m. call or to surface events that do require attention. Threats identified in-house can also be countered with the use of dynamic lists. NGFWs make threat hunting more automated and less prone to human error with threat intelligence feeds and dynamic lists in your toolbox.
Organizations, small and large, continue to ramp up third-party services that enhance business processes, including numerous popular and mission-critical SaaS applications and APIs. As IT managers look at new products to incorporate into their organization’s infrastructure, the product’s ability to integrate third-party applications is a must.
Easy integration means less stress for personnel navigating between software. Examples of standard integrations include SIEM software, 2FA, Active Directory, and reporting tools. Application programming interfaces (API) play a critical role in policy orchestration and provisioning where multiple software applications are in use.
Methods for Deployment
With organizations at varying stages of cloud development, it’s essential to consider which NGFW deployment method is the best fit for your organization:
Using AWS, Microsoft Azure, or Google Cloud Platform
Using HPE, VMWare, Cisco, or NetApp
NGFWs positioned at the edge of the network
NGFWs positioned at internal segment boundaries
While NGFWs are critical cybersecurity instruments, they alone are not a fix-all. Organizations most often consider deploying an NGFW (or additional NGFWs) when replacing a firewall, IDPS, both, or even to add more control and visibility. With firewall vendors hoping to keep your business, most providers offer technical guidance on replacing legacy devices and optimizing the deployment process.
Like implementing a ZTNA, NGFWs must be strategically positioned based on the organization’s security posture and most valuable assets. With visibility into how network traffic interacts with critical resources, NGFWs aren’t just for the network perimeter anymore. Placing NGFWs at internal segment boundaries is catching steam and is a popular method for implementing microsegmentation.
Depending on the NGFW vendor, organization environment, and security needs, installing an NGFW can be as simple as a few clicks. Once activated for a cluster of an organization’s network, the fun of managing security specific to that segment’s traffic begins. Managing one or multiple NGFWs with different configurations from a single dashboard has dramatically eased the task of enforcing cross-network traffic policies.
Also Read: How To Implement Microsegmentation
Firewall Trends in 2021
In 2020, the next-generation firewall market was valued at $2.8 billion, according to Mordor Intelligence. By 2026, the industry expects to double in size, with an expected value approaching $6 billion. The explosion of internet-connected devices–both consumer and enterprise–means vendors, organizations, and individuals require more robust security. NGFW features from advanced traffic monitoring to granular policy control provide needed visibility into network traffic.
For SMBs and enterprise organizations developing an infrastructure mainly built in the cloud, NGFW vendors continue to adapt to this demand by offering Firewalls as a Service (FWaaS) and cloud support. FWaaS offers many of the same NGFW features in a scalable, intuitive environment.
Comprehensive Solutions: NGFW Plus
Standard NGFW features like application and user control, intrusion prevention, deep packet inspection, sandboxing, and threat intelligence are increasingly being augmented or integrated with newer edge-focused technologies like zero trust, SD-WAN security, microsegmentation, SASE, XDR, and 5G support. Just as NGFWs have accumulated features that were once standalone products, innovative vendors could integrate the power of NGFWs into the next-generation cybersecurity frameworks.
What Do NGFW Buyers Consider?
For thousands of user reviews on Gartner Peer Insights, the most important consideration in purchasing an NGFW is the product’s functionality and performance. Second to the firewall capabilities, organizations also strongly consider the overall cost, strong service expertise, pre-existing relationships, and the product roadmap.
As to the underlying driver for purchasing an NGFW in the first place, users widely state improving compliance and risk management is the most significant objective. Not far behind is cost management, while other reasons include creating operational efficiencies, driving innovation, and improving business process outcomes.
NGFWs: The Precedent for Firewall Technology
Somewhere in the world, a nostalgic IT professional is thinking, “Firewalls just aren’t what they used to be,” and they’re correct. Firewalls today in the form of NGFWs are robust, adaptive, and full-featured, with a growing number residing entirely in the cloud. By integrating application and identity awareness, DPI, IPS, sandboxing, encryption, and threat intelligence into NGFWs, these devices go beyond the first defense line. The NGFW plate of responsibilities is fuller and more critical than ever.
eSecurityPlanet’s Top Products Methodology
Our top products methodology is based on independent tests, user reviews, pricing data, vendor information, analyst reports, use cases, and market trends.
Also Read: Securing the Network Edge