Enterprise firewalls have been the quintessential security device for decades, standing guard at the perimeter, inspecting inbound and outbound traffic and blocking whatever policy does not allow. So, what happens to firewalls as the perimeter fades away? They evolve.
Today's firewalls are an essential piece of the enterprise security puzzle. They have become the foundational device on which security vendors stack their advanced features. Cloud-based, next-generation firewalls (firewall-as-a-service) are a core component of any secure access service edge (SASE) deployment. VPN remote access for work-at-home employees typically terminates at a firewall. And firewalls play a key role in zero-trust network access (ZTNA), serving as the device that enforces access control policies and network segmentation rules.
Key questions to ask
Network execs looking to upgrade their firewalls should ask these sets of questions.

What is the level of basic functionality of the firewall in terms of performance, features, automation, and management?
How well do the firewall's capabilities and form factors fit the use cases of the business? Are there hardware, software, virtualized and firewall-as-a-service (FWaaS) options to accommodate IoT traffic, multi-cloud environments, and internal (east-west) traffic generated by virtualized or containerized apps?
How well does the vendor's platform mesh with the broader security, IT and OT operations of the organization?
What is the vendor roadmap for SASE, zero trust, and the inexorable movement of security functionality to the cloud?

Vendor landscape remains relatively static
According to the latest numbers from the Dell'Oro Group, the firewall market grew a healthy 14% in Q3 2021, as enterprises caught up with refresh cycles deferred in 2020, a year in which firewall sales lagged because attention was diverted to the pandemic.
The market share leader is Palo Alto Networks, followed by Cisco in second place and Fortinet in third, according to Mauricio Sanchez, research director at Dell'Oro Group. Without divulging exact numbers, Dell'Oro puts Palo Alto's market share above 20%, with Cisco and Fortinet in double digits, and everyone else in the single digits.
A recent Forrester report on enterprise firewalls that evaluated vendors on 20 criteria put Cisco and Palo Alto Networks in the leader category, with Check Point, Fortinet, Juniper, Forcepoint, Sophos and Huawei listed as "strong performers."
Gartner's newest Magic Quadrant on firewalls identifies the leaders as Palo Alto, Fortinet and Check Point, with Versa and Barracuda described as visionaries.
Sanchez points out that the enterprise firewall market is very mature, and the traditional players continue to dominate without appreciable competition from the types of disruptive newcomers seen in other markets.
At the same time, vendors aren't sitting on their hands. Firewalls themselves continue to evolve to meet new security challenges, and they will play a vital role in enterprise security for many years to come.
Performance
Firewalls must have the capacity to perform in-line, deep packet inspection without becoming a bottleneck that degrades application performance, so throughput is an important measure.
Vendors will claim to have the fastest firewalls or the best price/performance, but it is critically important to conduct your own trial or pilot project that plugs the firewall into a production network to see how it handles your actual traffic. Datasheet throughput figures are typically measured with large packets and most inspection features disabled, so they rarely predict what you will see with your own traffic mix and the full feature set turned on. One thing you do not want at your organization is IT pros under pressure to maintain network performance turning off key firewall security features to reduce the delay those features might cause.
So, be sure to put the firewall you are considering through its paces. Run it with your most bandwidth-intensive applications, with TLS inspection turned on, and with different packet sizes, protocols, and types of traffic. One by one, turn on additional features and measure the impact on throughput. Key metrics include: application throughput; number of new connections per second; the maximum number of concurrent sessions for both IPv4 and IPv6 traffic; and SSL/TLS inspection performance.
Basic features and form factors
Today's firewalls are jam-packed with additional features that can include threat intelligence, application control, IDS, IPS, anti-virus, anti-malware, sandboxing, URL filtering, SSL/TLS traffic inspection, and many others.
If you already have point products that perform some of these functions, a decision needs to be made on whether to pull the plug on, say, your incumbent IPS or anti-virus tool, and to consolidate these features into one device.
The pros of bundling are ease of use, reduced complexity, and the consolidated management that comes with a single-vendor approach.
The cons are that you might not be getting best-of-breed performance, and you are relying on the firewall vendor to have the resources and technology chops to keep upgrading all of these features over time.
Another key consideration is how well the firewall integrates with SD-WAN, which is becoming a popular option for sending traffic from a branch office directly to the cloud rather than backhauling it to a centralized data center. The trend is for enterprises to replace separate branch-office routers and branch-office firewalls with a single SD-WAN device that incorporates security and routing features.
Most firewall vendors have acquired SD-WAN startups in order to deliver that single-box branch-office device, but customers should press them on the level of integration between firewall functionality and WAN optimization.
Form factors (hardware, software, virtual) are also a key consideration because of the complexity and variety of use cases. You need heavy-duty firewalls that can handle the high-capacity workloads of a data center; lighter-weight firewalls that can be deployed at the edge and in branch offices; and ruggedized firewalls for harsh environments, if applicable. Virtual firewall appliances (often marketed as cloud firewalls) come into play in public- and private-cloud environments, software-defined networks (SDN), and SD-WAN.
Advanced features
There are also several advanced features that prospective buyers should ask about:

AI/ML: Vendors are beginning to tout the use of AI and machine learning in their firewalls to sniff out zero-day attacks, to inspect more efficiently the vast amounts of traffic that IoT devices can generate, to better automate firewall functionality, and to analyze network traffic in order to deliver actionable recommendations for things like improvements to access-control policies. Ask what the models are trained on and how false positives are handled; a verdict the system cannot explain is hard to tune and hard to trust.
Endpoint security: Firewalls inspect traffic that originates from endpoint devices when that traffic reaches the network, but what about protecting endpoint devices from attack in the first place? Customers should ask whether the firewall vendor has an endpoint-security story, either with its own products or through partnerships with leading endpoint-protection companies.
Containers: If your organization has containerized apps running in the cloud or plans to deploy containers, pin the vendor down on whether its firewalls have a virtualized or FWaaS option that covers containerized apps, including east-west traffic between containers on the same host, which never crosses a traditional network boundary.

Management
The days of set-it-and-forget-it firewall rules are long gone.
Today's security and networking professionals require firewalls that can be deployed, configured, monitored and managed from a single cloud-based dashboard no matter where they are deployed: on-prem, cloud, or edge.
Management functionality should enable IT staff to keep rules and policies up to date, to change configurations on the fly, and to have visibility that extends everywhere, including into SaaS-based applications, IoT devices, even OT environments where things like building access via two-factor authentication or biometrics are becoming part of the overall security infrastructure.
Automation plays a key role in firewall management. Prospective purchasers should ask about the level of automation for various tasks and processes. These include the automation of routine workflows, change-management processes, and updates, which often result in configuration errors when performed manually. Enterprise environments are extremely fluid, so an effective management system must embrace automation to dynamically deploy policy changes across the entire network.
In addition, the management system needs to monitor the network to make sure policies are being enforced. For example, in a manufacturing scenario, the OT staff might physically move a machine and its IoT sensors from one location to another. The management system should recognize that the IoT device is now on a different network segment and automatically make sure that the firewall policy rules follow the device. In practice that means rules keyed on the device's identity or tags rather than on a static address, and a management plane that re-renders the address-based entries, and revokes the old ones, whenever the inventory changes.
The most critical job for a firewall is preventing attacks. And that is where automation can play a key role, identifying threats much faster than a human could and then responding proactively, effectively eliminating the threat with no human intervention required.
Automated systems can spot small anomalies and take appropriate action, such as quarantining devices so that an attack cannot spread while an investigation takes place to determine the type of attack and the appropriate countermeasures. Automated quarantine also needs tuning and a rollback path: a false positive that isolates a production segment is itself an outage.
The management platform also needs the capacity to enforce not only hundreds of firewall rules, but broader security policies such as network segmentation or access controls that are linked to Active Directory or some other identity and access management system.
Looking ahead: platforms, roadmaps, and cloud
Each of the leading firewall vendors has a broad platform that includes multiple security products managed via one dashboard, preferably cloud-based. But not all of the individual products are at the same level of maturity. And for vendors that have recently made acquisitions to fill out their portfolios, or that still have holes in their product lines, integration becomes an issue that prospective buyers should ask about.
SASE: If your company is considering moving to secure access service edge, it is important to ask the vendor to describe its roadmap, since few, if any, vendors currently have a complete suite of SASE capabilities. As defined by Gartner, a SASE deployment consists of SD-WAN, secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access.
"By 2024, more than 70% of SD-WAN customers will have implemented a SASE architecture, compared to 40% in 2021," according to Gartner. So the expectation is that most organizations will embark on their SASE journey in the next couple of years, and the selection of a firewall vendor with a clear SASE vision is a pivotal decision.
ZTNA: Zero trust has become the "trend du jour in the security vendor community," according to Forrester's "Practical Guide to a Zero Trust Implementation," which describes zero trust as "a conceptual and architectural framework for moving security from a network-oriented, perimeter-based security model to one based on continuous verification of trust."
So, where does the venerable firewall fit into this zero-trust future? Forrester says, "The next-generation firewall was the original poster child for zero trust, and it is even better today."
Thanks to advanced chipsets, firewall appliances can now have the processing power to decrypt and inspect traffic without slowing down the network. Inspecting TLS still requires distributing the firewall's signing CA to managed endpoints and carving out exceptions for certificate-pinned applications and for traffic you are not permitted to decrypt, so budget for that policy work as well as the hardware. In addition, use cases for virtual firewalls are becoming common, such as inspecting application traffic in the cloud.
Other components of a zero-trust strategy include micro-segmentation and identity and access management. Firewalls can enforce those policies, so organizations shopping for firewalls should require vendors to spell out their zero-trust roadmap.
FWaaS: The trend over the past few years has been for enterprise firewalls to get fatter as they incorporate new functionality. But Dell'Oro's Sanchez says that is reaching an inflection point. He predicts that firewall functionality will slowly but steadily move to the cloud in the form of FWaaS.
FWaaS provides several advantages over appliance-based firewalls, similar to the advantages SaaS provides over on-prem applications. FWaaS offers a pool of resources that can deliver instant scalability, both up and down, that cannot be replicated with on-prem hardware.
Combined with SD-WAN, FWaaS lets companies retire MPLS backhaul and send traffic directly to the cloud, where security policies can be consistently enforced across all traffic types. FWaaS also provides fast, flexible deployment.
Taking a broad view, as network defense strategies grow, enterprises need to plan for how their firewalls will fit in over time. Sanchez sums it up this way: "Firewalls aren't going away, but they're changing and evolving to address new use cases." Customers should be sure to ask firewall vendors, "How does the firewall mesh into the long-term journey the enterprise is on toward a more cloud-centric world?"
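The "policy follows the device" scenario from the Management section, together with the identity-linked access controls mentioned just after it, as an added example. This is not code from the article or from any vendor's product: it simulates the management plane in plain Python. The device names, addresses, tags, group names and rule format are all constructed for illustration; real firewalls expose the same idea as dynamic address groups or tags plus a user-to-IP mapping.

```python
"""Tag- and identity-based segmentation policy that follows a device when it moves.

Added example; not the article's or any vendor's code. Inventory, tags, addresses,
group names and the rule format are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    """An allow rule keyed on what the source is, not where it currently sits."""
    name: str
    src_tags: frozenset    # source device must carry every tag (empty = any device)
    src_groups: frozenset  # logged-in user must be in one of these groups (empty = no user check)
    dst_net: str
    port: int


# Constructed inventory: an OT sensor, an engineer's laptop and the historian they talk to.
INVENTORY = {
    "plc-sensor-01": Device("plc-sensor-01", "10.10.1.5", frozenset({"ot", "sensor"})),
    "eng-laptop-07": Device("eng-laptop-07", "10.30.0.40", frozenset({"corp", "laptop"})),
    "historian-01": Device("historian-01", "10.20.0.10", frozenset({"ot", "server"})),
}

# Allow-list policy; any flow not matched is denied (the zero-trust default).
POLICY = [
    Rule("sensor-to-historian", frozenset({"ot", "sensor"}), frozenset(), "10.20.0.0/24", 4840),
    Rule("engineer-to-historian", frozenset({"corp", "laptop"}), frozenset({"OT-Engineers"}), "10.20.0.0/24", 443),
]


def render(inventory, policy):
    """Expand tag-based rules into the address-based entries a firewall actually matches on.

    The management plane must redo this whenever inventory changes; a rendered set is
    only as current as the inventory it was built from.
    """
    rendered = []
    for rule in policy:
        for dev in inventory.values():
            if rule.src_tags <= dev.tags:
                rendered.append((rule.name, dev.ip, rule.dst_net, rule.port, rule.src_groups))
    return rendered


def evaluate(rendered, src_ip, user_groups, dst_ip, port):
    """First-match evaluation of one flow; returns (matching rule name, allowed)."""
    dst = ip_address(dst_ip)
    for name, rule_src, dst_net, rule_port, groups in rendered:
        if src_ip != rule_src or port != rule_port or dst not in ip_network(dst_net):
            continue
        if groups and not (groups & user_groups):
            continue  # right device, wrong user: the identity check fails
        return name, True
    return "default-deny", False


def move_device(inventory, name, new_ip):
    """Return a new inventory in which `name` has been re-homed to `new_ip` (another segment)."""
    dev = inventory[name]
    return {**inventory, name: Device(dev.name, new_ip, dev.tags)}


def verify(rendered, expectations):
    """Enforcement check: `expectations` maps (src_ip, user_groups, dst_ip, port) to the
    intended allow/deny. Returns the mismatches; an empty list means policy is enforced."""
    failures = []
    for (src, groups, dst, port), want in expectations.items():
        name, got = evaluate(rendered, src, groups, dst, port)
        if got != want:
            failures.append((src, dst, port, name, want, got))
    return failures


if __name__ == "__main__":
    before = render(INVENTORY, POLICY)
    moved = move_device(INVENTORY, "plc-sensor-01", "10.10.2.5")  # OT staff re-home the sensor
    after = render(moved, POLICY)
    flow = ("10.10.2.5", frozenset(), "10.20.0.10", 4840)
    print("stale rules :", evaluate(before, *flow))  # denied: no entry for the new address
    print("re-rendered :", evaluate(after, *flow))   # allowed: the policy followed the device
    print("old address :", evaluate(after, "10.10.1.5", frozenset(), "10.20.0.10", 4840))  # revoked
    print("mismatches  :", verify(after, {flow: True}))
```

Run it directly to see the stale rendering deny the moved sensor, the re-rendered one allow it, and the sensor's former address lose its access. The design point is that the address-based entries the firewall matches on are derived state: keep the tag- and group-based policy as the source of truth, re-render on every inventory change, and treat an entry for a device's old address as something to revoke rather than keep.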