With more employees accessing network resources remotely, the increase in companies deploying hybrid cloud architectures, and the overall escalation of security threats, firewall technology is critical to the integrity, security and the very lifeblood of any enterprise.

Traditional firewalls are security devices that inspect traffic at the point of network ingress/egress and also provide Virtual Private Network (VPN) and encryption capabilities. Firewalls watch traffic by state, port and protocol, and control the flow of the traffic passing through. In a traditional firewall, advanced security features are typically provided by external appliances and services that live outside the firewall platform.

What are next-generation firewalls?

Next-generation firewalls (NGFW) offer the same capabilities as a traditional firewall with added features such as Deep Packet Inspection (DPI), Integrated Intrusion Protection (IIP), web filtering, antivirus, antispam, anti-malware, and SSL and SSH traffic inspection, all with an eye towards the detection and isolation of threats in real time.

These added features are integrated into the NGFW platform and are typically managed from a single console. Since all of these features are provided by the same vendor, next-gen firewalls are easier to maintain and are more convenient when vendor support is needed.

While basic firewall functionality is foundational to all products in the NGFW market, the firewall is no longer just an appliance that sits in your data center. The adoption of cloud has required that a firewall provide features beyond the physical device, such as virtualized appliances, firewall as a service (FWaaS) and containerized versions.

Next-generation firewall vendors have SASE on their roadmaps

Secure Access Service Edge (SASE) is an emerging service model that incorporates WAN optimization and other security services such as Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) through a cloud-based implementation that provides uninterrupted access for users anywhere and at any time.

Forward-looking NGFW vendors have begun to incorporate these feature sets in their product lines. While widespread SASE implementation is considered some way off, NGFW vendors have it on their product roadmaps.

The top four vendors in this multibillion-dollar market are (in no particular order): Palo Alto Networks, Fortinet, Cisco, and Check Point Software Technologies. They represent roughly 64% of implementations according to IDC. Juniper Networks, SonicWall and Sophos fill out a good portion of the remaining market.

Here is an analysis of the top NGFW vendors, including their strong points and weaknesses, based on reports from industry analyst groups such as Gartner and IDC.

1. Palo Alto Networks: Pro: Broad product line, consolidated management. Con: Pricey

Palo Alto Networks provides a wide selection of NGFW features packaged as hardware-based (PA-Series), virtual (VM-Series), FWaaS (Prisma Access) and containerized (CN-Series) options.

All of their products are managed through the same Panorama software, and they offer additional subscription-based features to manage Internet of Things (IoT) security, enterprise Data Loss Prevention (DLP), Software as a Service (SaaS) security, advanced URL filtering, threat prevention and DNS security. The company's WildFire Malware Analysis Engine can sandbox detected threats.

Palo Alto Networks provides a consolidated, single-vendor solution for multiple security needs through a "single pane of glass".

These products do come at a cost, making them one of the highest-priced offerings in the marketplace. In addition, their SD-WAN product requires a separate license, while other vendors include this in their basic offerings. Also of note, Palo Alto Networks doesn't offer a cloud-based firewall manager in Panorama, and instead requires a plug-in to be installed on the clients.

2. Fortinet: Pro: Strong homegrown product line, integrated management. Con: Global PoPs lacking

Fortinet's NGFW product line, FortiGate, is available in hardware, as a virtual appliance and as a FWaaS (FortiSASE) option. They offer centralized management platforms in their FortiManager and FortiGate Cloud products. Their products offer capabilities such as a Secure Email Gateway (SEG), Web Application and API Protection (WAAP), Network Access Control (NAC), Identity and Access Management (IAM), a Security Operations Center (SOC) as a service, SASE and Zero Trust Network Access (ZTNA) products.

Fortinet offers integration between your network operations center (NOC) and SOC operations in their Fabric Management Center. Like the Palo Alto WildFire system, Fortinet offers Endpoint Detection and Response (EDR), which detects threats that exist in your environment and sandboxes them for analysis, while keeping them from spreading.

Fortinet is also pushing the FortiGate product line to be used in place of branch office routers. This would enable the management of Fortinet switches and wireless access points in remote office networks through the same FortiManager management interface.

Fortinet lacks a dedicated container firewall and requires basic management features through a distributed plug-in. They also tend to lag behind other vendors in rolling out cloud Points of Presence (PoPs) and in the geographic diversity of their PoPs.

3. Cisco: Pro: Extensive product offerings. Con: Maybe too extensive

Cisco offers intrusion prevention, advanced malware protection, cloud-based sandboxing, URL filtering, endpoint protection, web gateway protection, SEG security, network traffic analysis, network access control and a cloud access security broker (CASB), which helps protect the use of third-party cloud-hosted services, through their Cisco Secure Firewall, Cisco Secure Workload, and the Meraki MX series products.

They offer centralized management through the Umbrella Secure Internet Gateway for FWaaS, the Cisco Firewall Management Center for on-premises appliances and Cisco Defense Orchestrator for cloud-based solutions, in addition to a multi-cloud management and control product.

Their SecureX platform provides extended detection and response (XDR) at no additional cost to detect, hunt and remediate threats. Additionally, Cisco supports the Snort open-source intrusion detection system/intrusion prevention system (IDS/IPS), which provides an enhanced signature set.

Cisco provides multiple firewall product lines for different use cases instead of taking a single-platform approach. Also, their Umbrella product does not offer an integrated SASE and requires multiple different subscriptions to additional products such as Cloudlock (Cisco's stand-alone CASB) and an SD-WAN through their Meraki products.

4. Check Point Software Technologies: Pro: Focused security solutions. Con: No integrated SD-WAN

Check Point focuses on preventing and blocking attacks. They offer hardware appliances (Quantum), as well as virtual appliances and cloud security products under the CloudGuard brand. They also have a FWaaS product (Harmony) as part of their Secure Access Service Edge (SASE) solution.

Check Point offers on-premises (Quantum Security Management) and cloud-hosted (Infinity Portal) centralized management and monitoring portals, as well as their Infinity SOC product, which comprises their security orchestration, automation, and response (SOAR) offering, and CloudGuard, their cloud security counterpart.

Check Point doesn't offer an SD-WAN solution, but instead works with partners to provide solutions to this rapidly growing market. Their container product also lacks application control.

5. Juniper: Pro: Advanced threat detection. Con: Slow to adopt FWaaS and SASE

Juniper offers its SRX Series Services Gateways as hardware appliances, virtual appliances (vSRX) and containers (cSRX). vSRX can be hosted on the customer's own hypervisor, AWS, Azure, Google Cloud, IBM Cloud and Oracle Cloud. Juniper also offers Security Information and Event Management (SIEM), Distributed Denial of Service (DDoS) mitigation and threat intelligence, advanced threat detection capabilities, and IoT security.

It also has partnerships for industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments that pull information from the company's threat prevention service and a third-party source to adapt their firewalls to new threats as they emerge.

Juniper has been late to the party when it comes to FWaaS or SASE. Their business focus is more on networks and their security products reflect it, leading Gartner to consider them a challenger in the NGFW space. Earlier this month, however, Juniper launched a new cloud-delivered security package, Juniper Secure Edge, as part of its SASE architecture. Secure Edge adds firewall-as-a-service capabilities and extends Juniper's Security Director Cloud management platform.

6. SonicWall: Pro: Quality products. Con: Lacks FWaaS, containers

SonicWall has three hardware appliance lines (TZ, NSa and NSsp series) along with a virtual appliance firewall (NSv series). The NSv products can be hosted on the customer's own hypervisor or can be found in the Amazon and Azure marketplaces. SonicWall also provides integrated EDR, SEG, ZTNA and CASB capabilities and an SD-WAN workflow to simplify branch onboarding in their SonicWall Cloud Edge product.

The SonicWall Cloud App Security product handles CASB functionality for SaaS applications, focusing on Microsoft 365 and Google Workspace, Box and Dropbox. They provide centralized management for their SonicWall Switch, SonicWall Access Point and SonicWall Next-Gen Endpoints through their Network Security Manager.

SonicWall lacks a containerized firewall, FWaaS and identity-based product offerings in their lineup.

7. Sophos: Pro: Managed threat response. Con: No FWaaS or container

Sophos offers their Sophos Firewall hardware (XGS Series and SD-RED), a cloud security posture management (CSPM) product (Cloud Optix), endpoint and server protection (Intercept X) and products for EDR and ZTNA. Through their Managed Threat Response product, Sophos provides the capabilities of a SOC as a managed service, all through a centralized management portal (Sophos Central).

Sophos doesn't offer FWaaS or a containerized firewall. The CSPM product doesn't take full advantage of Infrastructure as a Service (IaaS) tags, making implementation of firewall policy rules more difficult.

Next-generation firewall purchases require thorough product evaluations

Network security is critical in today's world of bad-actor attacks and ransomware, so it is vital for network executives to do a thorough evaluation of any NGFW product before bringing it into their infrastructure. The work you do upfront will pay off in a good night's sleep going forward.