Next generation firewall (NGFW) explained: What is a NGFW?

September 30, 2020  |  Mary Blackowiak

What is a next generation firewall?

Traditional firewalls have been around for decades. NGFWs, uninhibited by the same technology limits, take advantage of significant advancements in storage space, memory, and processing speeds. The feature set for NGFWs builds upon traditional firewall features by adding critical security functions like intrusion prevention, VPN, and anti-virus, and even encrypted web traffic inspection, to help prevent packets containing malicious content from entering the network. Many NGFWs are also capable of integrating with modern networking topologies like software-defined wide area networks (SD-WAN).

Look around at the different firewall solutions today, and you’ll discover that most vendors label their solution as NGFWs. However, without a consensus from the security industry about what a next-gen firewall is and what it is not, organizations must look at all the features and decide if the solution fits their business needs.

What are the benefits of a next generation firewall?

Compared to traditional firewalls, there are myriad benefits to be aware of. At a high level, NGFWs provide comprehensive application visibility and control, can distinguish between dangerous and safe applications, and can help prevent malware from penetrating a network.

Here are five of the most important aspects of how an NGFW helps organizations:

  1. Protects the network against viruses and trojans
    NGFW’s application awareness inspects the header information and the payload against pre-defined application signatures to verify that the application is exactly what it claims to be and is one that has been approved for use. This can be a critical feature for any organization that allows network users to download applications from the internet.
  2. Blocks known productivity wasters
    With application control, the enterprise gains granular control over which applications can run, which features of an application can be used, and which applications should be given priority for bandwidth (such as VOIP). Applications such as Facebook, Twitter or YouTube, for example, can be blocked for users that don’t require them as part of their job function but allowed for departments that do need access (such as marketing). Another option is to enable posts to social media but disable the ability to chat.
  3. Identifies bandwidth hogs and mitigates risk
    NGFW’s identity awareness utilizes existing enterprise authentication systems such as Active Directory or LDAP. This feature allows for traffic monitoring by user or device as well as the ability to control the type of traffic a user may send or receive. As a result, organizations can identify users who gobble up bandwidth and help mitigate risk by allowing only legitimate business traffic to enter or leave the network.
  4. Simplifies administration, helping save money
    Integrated intrusion prevention systems (IPS) can detect attacks on the network by comparing traffic to a table of known threats or through anomaly-based or behavior-based detection methods. Before NGFWs, intrusion prevention systems had to be purchased separately alongside a traditional firewall, so this integration in one device is an ideal solution.
  5. Saves time and resources
    NGFWs allow organizations to tap into external security sources — including directory-based policies, allow lists, and block lists. No need to reinvent the wheel when there’s a whole world of information readily available.
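Item 4 above names the two IPS detection methods: comparing traffic to a table of known threats, and anomaly- or behavior-based detection. The following is an added example written for this article, not AT&T's or any vendor's code; it runs both methods over a handful of constructed flow records. The signature patterns, the port-sweep threshold and the sample flows are all assumptions made for the example, and a real IPS would learn its behavioral baseline from observed traffic rather than use a fixed number.

```python
"""Toy intrusion-prevention logic combining a signature table with a
behaviour-based detector, run over constructed flow records.
Added example for this article; not AT&T or any vendor's code."""
from __future__ import annotations
import re
from collections import defaultdict

# Signature table: threat name -> pattern matched against the payload.
# These patterns are illustrative, chosen for this example only.
SIGNATURES = {
    "sql-injection-probe": re.compile(rb"(?i)'\s*or\s+1\s*=\s*1"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

def match_signatures(payload: bytes) -> list[str]:
    """Return the names of all signatures that fire on this payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

class AnomalyDetector:
    """Behaviour-based check: a source that touches more distinct destination
    ports than the threshold looks like a port sweep rather than normal use.
    The fixed threshold stands in for a learned baseline."""

    def __init__(self, max_ports_per_src: int = 5):
        self.max_ports = max_ports_per_src
        self.ports_seen: dict[str, set[int]] = defaultdict(set)

    def observe(self, src: str, dport: int) -> bool:
        """Record the flow; return True once the source exceeds the threshold."""
        self.ports_seen[src].add(dport)
        return len(self.ports_seen[src]) > self.max_ports

def inspect(flows: list[dict]) -> list[tuple[str, str]]:
    """Run each flow through signature matching first, then the anomaly
    detector. Returns one (verdict, reason) pair per flow, in order."""
    detector = AnomalyDetector()
    verdicts = []
    for flow in flows:
        hits = match_signatures(flow["payload"])
        if hits:
            verdicts.append(("drop", "signature:" + ",".join(hits)))
            continue
        if detector.observe(flow["src"], flow["dport"]):
            verdicts.append(("drop", "anomaly:port-sweep"))
            continue
        verdicts.append(("allow", "clean"))
    return verdicts

# Constructed sample flows (not captured traffic). The last seven come from one
# host walking through service ports with empty payloads.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"src": "10.0.0.5", "dport": 80, "payload": b"GET /login?u=admin' OR 1=1-- HTTP/1.1\r\n"},
    {"src": "10.0.0.9", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
] + [{"src": "10.0.0.7", "dport": p, "payload": b""} for p in (21, 22, 23, 25, 80, 443, 445)]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, inspect(SAMPLE_FLOWS)):
        print(f"{flow['src']:>10} -> :{flow['dport']:<4} {verdict:5} {reason}")
```

The two methods complement each other: the signature table catches the two payloads that match a known pattern immediately, while the sweeping host trips nothing in the table and is only caught once its behavior (a sixth distinct port) departs from the baseline. Signature checks run first because they are cheap and deterministic; the anomaly detector is the fallback for traffic no signature describes.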


Why invest in a next-generation firewall?

The primary function of any firewall is to help protect against unwanted or malicious traffic entering or exiting a network. However, as threats evolve and become more difficult to detect, enterprise network security must remain equally sophisticated.

Traditional firewalls can only filter traffic flowing in and out of the network based on port number, IP address or domain, using an “all or none” methodology. When most attacks targeted networking services and components, the security provided by a traditional firewall was good enough. Today, however, the majority of exploits are directed at a specific application weakness.

Over time, a complication has surfaced because many applications use the same port number, most commonly HTTP port 80. Since most organizations need to distinguish which applications to allow into their network, blocking or allowing based on port number alone is not sufficient. A next-generation firewall addresses the many weaknesses of traditional firewalls and provides more granular control over network security.
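The port-80 problem just described, together with the application awareness, application control and identity awareness items in the list earlier in the article, can be shown side by side in code. The following is an added example written for this article, not AT&T's or any vendor's code. A port-only rule and an application- plus identity-aware policy are run over the same constructed flows; the application signatures, the user-to-group directory (standing in for Active Directory or LDAP), the policy rules and the sample flows are all assumptions made for the example.

```python
"""Port-based filtering versus application- and identity-aware policy.
Added example for this article; not AT&T or any vendor's code."""
from __future__ import annotations
import re
from collections import Counter

# Application signatures matched against header + payload bytes. Constructed for
# this example; a real NGFW ships a large vendor-maintained signature set.
# Order matters: specific signatures precede the generic HTTP one.
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("social-chat", re.compile(rb"^POST /chat/\S* HTTP/1\.1\r\nHost: social\.example\r\n")),
    ("social-post", re.compile(rb"^POST /post\S* HTTP/1\.1\r\nHost: social\.example\r\n")),
    ("voip-sip", re.compile(rb"^INVITE sip:")),
    ("http", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]

def identify_app(payload: bytes) -> str:
    """Return the first matching application name, or 'unknown'."""
    for name, pattern in APP_SIGNATURES:
        if pattern.search(payload):
            return name
    return "unknown"

# Stand-in for an Active Directory / LDAP lookup (constructed): user -> group.
DIRECTORY = {"alice": "marketing", "bob": "engineering", "carol": "finance"}

# Application-control rules as (group, app, action); "*" matches any group,
# first match wins, and anything unmatched is blocked.
APP_POLICY = [
    ("*", "ssh", "block"),                   # SSH on port 80 is not web traffic
    ("*", "bittorrent", "block"),
    ("marketing", "social-post", "allow"),   # posting allowed for marketing ...
    ("marketing", "social-chat", "block"),   # ... but the chat feature is not
    ("*", "social-post", "block"),
    ("*", "social-chat", "block"),
    ("*", "voip-sip", "allow:priority"),     # allowed and prioritised for bandwidth
    ("*", "http", "allow"),
]

def traditional_verdict(flow: dict) -> str:
    """Port-based rule only: TCP/80 is open, every other port is closed."""
    return "allow" if flow["dport"] == 80 else "block"

def ngfw_verdict(flow: dict) -> tuple[str, str, str]:
    """Classify the application from the payload, resolve the user's group, and
    apply the first matching rule. Returns (action, app, group)."""
    app = identify_app(flow["payload"])
    group = DIRECTORY.get(flow["user"], "unknown")
    for rule_group, rule_app, action in APP_POLICY:
        if rule_group in ("*", group) and rule_app == app:
            return action, app, group
    return "block", app, group

def compare(flows: list[dict]) -> list[tuple[str, int, str, str, str]]:
    """Per flow: (user, dport, traditional action, NGFW action, identified app)."""
    out = []
    for flow in flows:
        action, app, _ = ngfw_verdict(flow)
        out.append((flow["user"], flow["dport"], traditional_verdict(flow), action, app))
    return out

def bandwidth_by_user(flows: list[dict]) -> Counter:
    """Identity-aware accounting: bytes per user, so bandwidth hogs are visible."""
    return Counter({u: sum(f["bytes"] for f in flows if f["user"] == u)
                    for u in {f["user"] for f in flows}})

# Constructed sample flows; the first six all use port 80.
SOCIAL = b"HTTP/1.1\r\nHost: social.example\r\n"
SAMPLE_FLOWS = [
    {"user": "alice", "dport": 80, "bytes": 1200,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"},
    {"user": "bob", "dport": 80, "bytes": 400, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"user": "carol", "dport": 80, "bytes": 50_000_000,
     "payload": b"\x13BitTorrent protocol" + bytes(8)},
    {"user": "alice", "dport": 80, "bytes": 3000, "payload": b"POST /post " + SOCIAL},
    {"user": "alice", "dport": 80, "bytes": 800, "payload": b"POST /chat/send " + SOCIAL},
    {"user": "bob", "dport": 80, "bytes": 3000, "payload": b"POST /post " + SOCIAL},
    {"user": "carol", "dport": 5060, "bytes": 2000,
     "payload": b"INVITE sip:bob@example.com SIP/2.0\r\n"},
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print("user=%-6s port=%-5d traditional=%-5s ngfw=%-14s app=%s" % row)
    print("bytes by user:", bandwidth_by_user(SAMPLE_FLOWS).most_common())
```

The port-only rule allows all six port-80 flows, including the SSH and BitTorrent handshakes riding on that port, and blocks the VoIP call because it uses a different port. The application- and identity-aware policy reaches the opposite decisions where it matters: it blocks the non-web traffic on port 80, lets marketing post to social media but not use the chat feature, denies the same post for engineering, prioritises the VoIP call, and the per-user byte count makes it obvious which user is consuming most of the bandwidth.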


So, we’ve covered the difference between traditional stateful firewalls and NGFWs, but the network security discussion can become even more confusing with the addition of unified threat management (UTM). First, it’s important to note that the two terms are often used interchangeably. However, they are not one and the same. Many security industry analysts differentiate UTM as a solution that includes NGFW components and then stacks additional security capabilities on top — much like NGFWs build upon traditional firewalls.

NGFWs are firewalls that include IPS and offer some form of application intelligence. UTMs, on the other hand, include those features plus technologies such as wireless security, URL filtering, email security, VPNs and web application firewalls. Because UTM systems integrate so many security tools in one solution, they offer simplified deployment and management, reduced implementation costs, and allow for faster incident response times.

NGFW vs. virtual or cloud-based firewalls

Most firewalls on the market today are classified as NGFWs. So, when we’re comparing appliance, virtual and cloud-based firewalls (often offered as firewall-as-a-service or FWaaS), we’re not comparing features. Next-gen represents what a firewall does, whereas appliance, virtual or cloud-based firewalls represent a form factor or where the firewall resides.

If a firewall has any of the technical capabilities we’ve discussed here, it’s probably next-generation, regardless of where it is hosted. Cloud firewalls are, as the name suggests, hosted in the cloud, while virtual firewalls can be hosted within a company’s data center on an appliance or elsewhere. Typically, cloud-based firewalls are managed, configured, and updated by a third-party vendor to ease the management burden for the company deploying them.
