
Authors: Thomas Skybakmoen

Publish Date: July 17, 2018

The proliferation of enterprise applications, the mainstream adoption of bring your own device (BYOD) and the hybrid cloud environment all increase the attack surface in the enterprise environment. The next generation firewall (NGFW) is the first line of defense against today’s threats and is a critical component of any defense-in-depth strategy. The NGFW market is one of the largest and most mature in the cybersecurity industry.

NGFW technologies have evolved from packet filtering and circuit-level gateways to application layer (proxy-based) and dynamic packet filtering firewalls that use port and protocol combinations to create and enforce access control policy between trusted and untrusted networks.

Traditional firewalls relied on common application ports to determine which applications were running and which attacks to watch for, but the NGFW can identify and either allow, block, or limit applications regardless of the ports and protocols used. The NGFW must also be capable of performing deep packet inspection on all packets, on all ports, and over all protocols in order to determine which applications are running over which ports and thus secure the applications effectively. Also, the expanded use of SSL/TLS in much of the traffic traversing the modern network makes it necessary for the NGFW to inspect encrypted content.

REPORT FOCUS:

This report uses data from NSS’ individual NGFW Test Reports to create Security Effectiveness ratings for each product. Products are scored on multiple factors that affect the overall security effectiveness of the system, including:

  • Firewall policy enforcement
  • Intrusion prevention
  • Resistance to evasions

 

PRODUCTS EVALUATED:

The following products were evaluated:

  • Barracuda Networks CloudGen Firewall F800.CCE v7.2.0
  • Check Point 15600 Next Generation Threat Prevention (NGTP) Appliance vR80.20
  • Cisco Firepower 4120 Security Appliance v6.2.2
  • Forcepoint NGFW 2105 Appliance v6.3.3 build 19153 (Update Package: 1056)
  • Fortinet FortiGate 500E v5.6.3GA build 7858
  • Palo Alto Networks PA-5220 PAN-OS 8.1.1
  • SonicWall
  • Sophos XG Firewall 750 SFOS v17 MR7
  • Versa Networks FlexVNF 16.1R1-S6
  • WatchGuard M670 v12.0.1.B562953

To learn how vendors performed, download a copy of each Test Report. NSS clients can also download the NGFW Comparative Reports on TCO, Performance, and Security Value Map.

As with all NSS Labs group tests, there was no fee for participation. In addition, the