Next-generation firewalls (NGFWs) play a critical role in cybersecurity architectures the world over. As defending data and applications becomes more complicated, the security products built to withstand evolving threats also grow more powerful. The proliferation of IoT devices and a work-from-home surge that began in 2020 have made protecting the perimeter harder than ever. NGFWs are built for the challenge. Without further ado, here are eSecurity Planet’s picks for the top next-generation firewalls (NGFWs):
Top NGFW solutions
Alongside an industry-leading suite of security products, CrowdStrike’s straightforward firewall management solution has been highly regarded by users since it launched in late 2019. No custom firewall implementation is required, and the solution is priced on a subscription basis per endpoint.
Palo Alto Networks came out on top of both the Gartner Magic Quadrant and Forrester Wave and scored well in our evaluation too. If you’re looking for top security and performance, Palo Alto’s NGFWs should be on your evaluation list. We’ve been impressed by the level of security provided by Palo Alto – see our top EDR products report – and NGFWs are no exception.
Fortinet is another perennial firewall favorite. Its NGFWs scored above average in NSS Labs tests, while its TCO per protected Mbps was near the top – in short, good security and performance for a good price. Fortinet has also posted strong test results in data center gateways, intrusion prevention, breach prevention and SD-WAN, so you’d be hard-pressed to find a cybersecurity vendor more willing to let its products undergo rigorous testing.
Forcepoint offers some of the best security for the money, scoring high in both security effectiveness and TCO in NSS Labs tests. Behavioral analytics, SD-WAN, SASE, cloud support, management and FWaaS are strengths. Cloud and distributed offices are two particularly good use cases. Users report integration challenges and would like to see more robust reporting, but Forcepoint’s combination of security and value should bring Forcepoint greater consideration.
Cisco’s biggest strength may be the breadth of its offerings. Its zero trust, microsegmentation and SD-WAN capabilities have made it the early leader in the emerging zero trust market. In addition to its Firepower and Meraki firewalls, Cisco also offers impressive integration with its endpoint, cloud, networking and application security products.
WatchGuard shares a distinction with Palo Alto Networks: of the 11 firewalls tested in NSS Labs’ 2019 NGFW tests, theirs were the only two with no observed evasions. WatchGuard came in fourth in TCO per protected Mbps, putting it right behind Forcepoint for the best combination of security and value. WatchGuard was an honorable mention in our last NGFW report in August 2018; this time it moves up to a top vendor, and the acquisition of Panda Security will make it even better.
Juniper and Huawei share the Most Popular award – their users rave about them. Juniper has been coming on strong in the security market with advanced features like machine learning-based detection. Cloud and zero trust features could use more development, but Juniper networking customers in particular should give the company’s SRX firewalls a serious look, and the company has strong capabilities for just about all enterprise use cases.
Huawei scored highest in TCO in the 2019 NSS tests, making the company’s firewalls a compelling value for Huawei customers in particular, and data centers in general. CASB-like features make it good for SaaS use cases, and machine learning-based detection, SD-WAN and early 5G adoption are other strengths. FWaaS and better cloud-based management are needs. Users love everything about the company’s Unified Security Gateways (USG): value, implementation, capabilities and even support.
These are other strong firewall offerings that have found favor with buyers for particular use cases or markets:
Sophos: Sophos offers strong security and its users are happy, but deployment has mainly been tied to its XDR platform and excellent EDR product. A good choice for SMBs and some edge uses. Gartner lists Sophos as a Visionary in its Magic Quadrant, which should give you some idea of its capabilities and potential for growth.
SonicWall: A wide range of products, good security and positive user feedback. A good choice for SMBs in particular.
Barracuda Networks: Particularly good for AWS and Azure use cases.
Hillstone Networks and Sangfor: Positive user reviews but largely limited to China and Asia, with some presence in other regions.
Versa Networks: Strong security, but the vendor has been focused more on SD-WAN and SASE markets.
Here are a number of product comparisons that remain popular with readers. We are in the process of updating them.
- Sophos XG vs. SonicWall
- Fortinet FortiGate vs. Forcepoint
- Sophos XG vs. Fortinet
- Fortinet vs. Palo Alto
- Check Point vs. Palo Alto
- SonicWall vs. Palo Alto
- SonicWall vs. Fortinet
- Cisco vs. Juniper
NSS Labs closed down a few months ago, so in the public interest we’re reproducing a graphic of its NGFW tests below. Note: former NSS Labs CEO Vikram Phatak is starting a new testing service at CyberRatings.org.
What is an NGFW?
Next-generation firewalls (NGFWs) are the third generation and current standard of firewall technology. After the adoption of unified threat management (UTM) and web application firewalls (WAF) in the 2000s, the arrival of NGFWs was a big leap forward. These advanced firewalls cover the gamut of traditional firewall services but go further, offering intrusion prevention systems (IPS), deep packet inspection (DPI), advanced threat protection, and Layer 7 application control technologies.
Also Read: Everything You Need to Know about NGFW
Common features of NGFWs
Organizations expect the most up-to-date tools and resources for managing their security infrastructure, including NGFW capabilities. When considering NGFW vendors and products, look for the following standard and advanced features.
Application and Identity Awareness
A critical difference between traditional firewalls and NGFWs is the latter’s ability to offer protection at the application and user identity levels. Whereas traditional firewalls relied on standard application ports, NGFWs can identify, allow, block, and limit applications regardless of port or protocol. NGFWs’ ability to recognize identity adds to their control by enabling administrators to apply firewall rules more granularly to specific groups and users.
Centralized Management, Visibility, and Auditing
To actively manage a network’s defenses, administrators need an accessible and configurable dashboard to view and manage security systems like NGFWs. Most NGFWs contain log analysis, policy management, and a management dashboard that offer a way to track security health, analyze traffic patterns, and export firewall rules for use elsewhere.
Traditional firewalls used stateful inspection, also known as dynamic packet filtering, to inspect traffic up to Layer 4. NGFWs are built to track Layers 2-7. This advancement allows NGFWs to perform the same stateful inspection duties as a traditional firewall—distinguishing between safe and unsafe packets—while extending them upward. The extension of dynamic packet filtering to the application layer is invaluable as critical resources move towards the network edge.
Deep Packet Inspection
Deep packet inspection (DPI) goes a step beyond stateful inspection. Where stateful inspection monitors all traffic but examines only the packet headers, DPI inspects both the header and the data payload of transmitted packets. Executed at the application layer, DPI can locate, categorize, block, or reroute packets carrying problematic code or data payloads that stateful inspection would not detect.
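The difference between port-based filtering and the application- and identity-aware matching described in the two sections above, as an added illustration that is not code from this page or from any vendor. The payload signatures, the USER_GROUPS mapping and the rule set are constructed assumptions; a real App-ID engine is far more elaborate than the few byte checks here.

```python
"""Port-based vs application- and identity-aware policy, as a toy.
Application identification is a minimal signature match on the first
payload bytes; real App-ID engines are far more elaborate.
USER_GROUPS is a constructed stand-in for a directory lookup."""
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Flow:
    src_user: str
    dst_port: int
    payload: bytes  # first bytes of the client's first data segment

USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}  # constructed

def identify_app(flow: Flow) -> str:
    """Classify the application from payload content, ignoring the port."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":  # TLS handshake record, v3.x
        return "tls"
    method = p.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE") and b" HTTP/1." in p:
        return "http"
    return "unknown"

def legacy_decision(flow: Flow) -> str:
    """Traditional firewall: decide on destination port alone."""
    return "allow" if flow.dst_port in (80, 443) else "deny"

# NGFW policy: (application, required user group or None, action); first match wins.
NGFW_RULES = [
    ("ssh", "engineering", "allow"),
    ("ssh", None, "deny"),
    ("http", None, "allow"),
    ("tls", None, "allow"),
]

def ngfw_decision(flow: Flow) -> Tuple[str, str]:
    """NGFW: decide on the identified application plus the user's group."""
    app = identify_app(flow)
    groups = USER_GROUPS.get(flow.src_user, set())
    for rule_app, group, action in NGFW_RULES:
        if rule_app == app and (group is None or group in groups):
            return app, action
    return app, "deny"  # default deny, including unidentified applications
```

Running the same flow through both functions shows the point: SSH carried on port 443 passes a port-only rule but is classified and denied (or allowed only for the engineering group) by the application rules, while plain HTTP on a non-standard port is allowed by application rather than blocked by port.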
Also Read: What is Application Security?
Integrated Intrusion Prevention (IPS)
Intrusion prevention systems (IPS) once sat adjacent to the firewall, playing defender against new threats from outside the protected network. While traditional firewalls managed traffic flows based on network information, IPS devices took on inspecting, alerting, and even actively removing malware and intruders from the network. As cybersecurity products have evolved, IPS technology has become a valuable integration into NGFW product offerings. While the distinction is growing narrower, the question for buyers becomes whether the IPS technology included with their NGFW is good enough to forgo a standalone IPS product.
Depending on your NGFW selection, you may have access to a network sandbox or have the option of adding one on a subscription basis. Network sandboxing is one method of advanced malware protection: it gives IT professionals the chance to send a potentially malicious program to a secure, isolated, cloud-based environment where it can be detonated and analyzed before it is allowed onto the network.
HTTPS, SSL/TLS, and Encrypted Traffic
HTTPS is the current standard for web communication over the internet, using the SSL/TLS protocols to encrypt those communications. As the leading inspector of network traffic, NGFWs are now being used to decrypt SSL and TLS communications. To secure encrypted traffic, NGFWs support inbound and outbound SSL/TLS decryption. This monitoring ensures that the infrastructure can identify and prevent threats hidden in encrypted network flows.
Threat Intelligence and Dynamic Lists
Most NGFW vendors offer some form of threat intelligence. New threats arise every day, and expecting firewall administrators to be aware and online around the clock is a recipe for disaster. Through third-party threat intelligence feeds, NGFWs can use a global network’s updates on the latest threats and attack sources to block threats and implement policy changes in real time. Indicators of compromise (IoCs) are shared globally, informing your NGFW of malicious traffic to eliminate or block automatically without the 3 a.m. call, or to surface events that do require attention. Threats identified in-house can also be countered with the use of dynamic lists. With threat intelligence feeds and dynamic lists in your toolbox, NGFWs make threat hunting more automated and less prone to human error.
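How a feed-driven dynamic list behaves in practice, as an added illustration that is not code from this page or from any vendor. The feed line format, the TTL semantics and every address (all from documentation ranges) are constructed for the example; real feeds use STIX/TAXII or vendor-specific formats and much larger lists.

```python
"""Toy dynamic address list: ingest a third-party IoC feed, add in-house
indicators, expire stale entries, and match connections. Constructed example."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed feed format: "<ip-or-cidr>,<first-seen-epoch>,<ttl-seconds>,<source>"
SAMPLE_FEED = """\
203.0.113.10,1700000000,3600,feed-a
198.51.100.0/24,1700000000,86400,feed-a
# comments and malformed lines are skipped, not fatal
not-an-ip,1700000000,60,feed-a
"""

class DynamicList:
    def __init__(self) -> None:
        self._entries: Dict[object, Tuple[int, str]] = {}  # network -> (expires_at, source)

    def ingest_feed(self, text: str, now: int) -> int:
        """Parse feed lines; return the number of live entries accepted."""
        accepted = 0
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                addr, first_seen, ttl, source = line.split(",")
                net = ipaddress.ip_network(addr, strict=False)
                expires = int(first_seen) + int(ttl)
            except ValueError:
                continue  # malformed entry: skip it rather than fail the whole feed
            if expires > now:  # already-expired indicators are never loaded
                self._entries[net] = (expires, source)
                accepted += 1
        return accepted

    def add_local(self, addr: str, now: int, ttl: int = 86400) -> None:
        """In-house indicator, e.g. from an internal investigation."""
        self._entries[ipaddress.ip_network(addr, strict=False)] = (now + ttl, "local")

    def expire(self, now: int) -> int:
        """Drop entries whose TTL has elapsed; return how many were dropped."""
        stale = [net for net, (exp, _) in self._entries.items() if exp <= now]
        for net in stale:
            del self._entries[net]
        return len(stale)

    def match(self, ip: str, now: int) -> Optional[str]:
        """Return the source that listed ip, or None if unlisted or expired."""
        addr = ipaddress.ip_address(ip)
        for net, (exp, source) in self._entries.items():
            if exp > now and addr in net:
                return source
        return None
```

The TTL handling is the part worth copying: an indicator that is never expired keeps blocking long after the source has moved on, which is how stale feeds turn into helpdesk tickets.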
Organizations, small and large, continue to ramp up third-party services that enhance business processes, including numerous popular and mission-critical SaaS applications and APIs. As IT managers look at new products to incorporate into their organization’s infrastructure, a product’s ability to integrate with third-party applications is a must. Easy integration means less stress for personnel navigating between software. Examples of standard integrations include SIEM software, 2FA, Active Directory, and reporting tools. Application programming interfaces (APIs) play a crucial role in policy orchestration and provisioning where multiple software applications are in use.
Methods for deployment
With organizations at varying stages of cloud development, it’s essential to consider which NGFW deployment method is the best fit for your organization:
| Deployment method | Description |
|---|---|
| Public cloud | Using AWS, Microsoft Azure, or Google Cloud Platform |
| Private cloud | Using HPE, VMware, Cisco, or NetApp |
| On-premises (edge) | NGFWs positioned at the edge of the network |
| On-premises (internal) | NGFWs positioned at internal segment boundaries |
While NGFWs are critical cybersecurity instruments, they alone are not a fix-all. Organizations most often consider deploying an NGFW (or additional NGFWs) when replacing a firewall, an IDPS, or both, or simply to add more control and visibility. With firewall vendors happy to keep your business, most providers offer technical guidance on replacing legacy devices and optimizing the deployment process.
Similar to implementing ZTNA, NGFWs must be positioned strategically based on the organization’s security posture and most valuable assets. With visibility into how network traffic interacts with critical resources, NGFWs aren’t just for the network perimeter anymore. Placing NGFWs at internal segment boundaries is gaining steam and is a popular method for implementing microsegmentation.
Depending on the NGFW vendor, the organization’s environment(s), and its security needs, installing an NGFW can be completed within a few clicks. Once activated for a segment of the organization’s network, the work of managing security specific to that segment’s traffic begins. Being able to manage one or many NGFWs with different configurations from a single dashboard has greatly eased the task of enforcing cross-network traffic policies.
Also Read: How To Implement Microsegmentation
In 2020, the next-generation firewall market was valued at $2.8 billion. By 2026, the industry is expected to double in size, with an expected value of $5.52 billion. The explosion of internet-connected devices, both consumer and enterprise, means vendors, organizations, and individuals require more robust security. NGFW features, from advanced traffic monitoring to granular policy control, provide needed visibility into network traffic.
For SMBs and enterprise organizations developing an infrastructure built mainly in the cloud, NGFWs continue to adapt to this demand by offering Firewall as a Service (FWaaS) and cloud support. FWaaS offers many of the same NGFW features in a scalable, intuitive environment.
Comprehensive Solutions: NGFW Plus
Standard NGFW features like application and user control, intrusion prevention, deep packet inspection, sandboxing, and threat intelligence are increasingly being augmented or integrated with newer edge-focused technologies like zero trust, SD-WAN security, microsegmentation, SASE, XDR, and 5G support. Just as NGFWs have accumulated features that were once standalone products, the power of NGFWs could be integrated into the next-generation cybersecurity frameworks.
NGFWs: Precedent for firewall technology
Somewhere in the world, a nostalgic IT professional is thinking, “Firewalls just aren’t what they used to be,” and they’re correct. Firewalls today, in the form of NGFWs, are robust, adaptive, and meticulous, and a growing number reside and operate entirely in the cloud. By integrating application and identity awareness, DPI, IPS, sandboxing, encrypted traffic inspection, and threat intelligence, NGFWs go beyond being the first line of defense. The NGFW’s plate of responsibilities is fuller and more critical than ever.
eSecurityPlanet’s Top NGFW Methodology
Our top NGFW products methodology is based on independent tests, user reviews, pricing data, vendor information, analyst reports, use cases, and market trends.
Also Read: Securing the Network Edge