
    Which Next Generation Firewall to choose – Report

    Date: 10.10.2017


    Which Next Generation Firewall to choose? No simple answer…

    Often, during my meetings with clients, network engineers and security specialists, the following question gets asked: “Which firewall product best suits my environment, and which one is the best solution currently available on the market?” And usually my answer starts with “Well, it depends…”. When someone answers directly, without asking additional questions to narrow down the requirements, the answer may be motivated by, for example, a willingness to sell a particular product rather than to give correct advice. To show how much effort it takes to choose the right platform for a particular environment, we took it upon ourselves to publish our Guidepaper “Overview of Next Generation Firewall Security Products”. It covers the first stage, in which one should consider a high-level overview of the model types for a given scale, the licensing models, and key parameters such as interface types and counts, stateful processing performance, IPS performance, the ability to deploy the NGFW in a public or private cloud environment, etc., across the different products available on the market. The next stage is then to carry out a comparison of those products.


    First – what is a Next Generation Firewall and why might you need it?

    Next Generation Firewalls are designed to provide context and better visibility for traffic flowing through the network, in comparison to legacy stateful firewalls, where OSI Layer 3 and Layer 4 information was the only basis for classification. Using separate processing engines responsible for the “next generation” functions, NG Firewalls are able to mitigate security risks more precisely, and from more angles, than legacy security devices. By performing operations such as application-layer inspection, user identity recognition, intrusion prevention, antivirus and malware detection, and category-based web filtering in conjunction with cloud-based security feeds, Next Generation Firewall products provide a modern line of defense.


    Making an effort to provide the right answer

    After this quick overview of what a Next Generation Firewall is, it is time for a short outlook on the vendors that offer NGFW products on the market. In our report you can find products from the following vendors:

    • Cisco ASA Firewall with FirePOWER
    • Meraki MX Firewalls
    • Barracuda
    • SonicWall
    • Fortinet FortiGate
    • Juniper SRX Series
    • Check Point
    • Palo Alto
    • WatchGuard

    Next Generation Firewall comparison

    Why these? Simply because they have a long history, specialize in making firewalls, and are known and tested by most enterprises around the world. We have compared 9 NGFW products and carried out research in the areas of functionality, scalability, performance and licensing. The important thing at this stage of the comparison is that all of the above parameters are declared by the vendors, not yet measured in our testing center. Based on data sheets, whitepapers and marketing materials we have compiled a collation of appliances positioned for medium-scale enterprise networks.


    Inspection performance or number of users?

    The first point that might seem confusing is why some of the appliances scaled for the mid-size enterprise have better stateful inspection performance, whereas others support a significantly higher number of users. So the questions you should ask here are: do you need more stateful firewall performance, or more VPN users, more SSL VPN tunnels, more IPsec site-to-site tunnels, etc., and which parameters suit your environment best? An example would be a firewall sitting on the DC and LAN demarcation line vs. a firewall on the Internet edge concentrating many remote-access VPN users. If you need the first, choose higher stateful performance; if the second, choose the one that supports more tunnels.


    Licensing. The a la carte or the all-in-one model?

    The next thing to consider is not strictly technology-related but is very important for managers and CxOs: licensing. In our paper you can read about the license types, the licensing models, and what is included without any extra fees. This also comes down to deciding what you really need vs. what you get with no license at all. Many vendors license NGFW functions such as application control, IPS, web or URL filtering, anti-malware and antivirus as subscriptions. Some of them offer an a la carte model, where you choose from a list, and some of them offer bundles.


    Let’s push them to the limit.

    After making the initial decision, many clients would like to have an objective comparison on the table, that is, whether the vendor actually delivers what it claims. This point really opens up a discussion about the real performance of networking products. In the Next Generation Firewall market in particular there is a temptation to overstate facts. NGFWs have many features and factors that can be interpreted and measured differently under different conditions. One example is regular (stateful) firewalling performance: measured with large 1500-byte packets it can be several times higher than the figure measured with small 60-byte packets. The truth is that every vendor has its own test method and publishes its own result in the data sheet. When we add application control performance across many different inspection algorithms, or IPS and malware analysis performance, the results can differ again. That is why an objective answer should be preceded by a series of comparable tests under identical testing conditions. Objective environmental testing is not the subject of our first report but will be part of our subsequent research work.
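    The packet-size effect described above can be made concrete by normalising datasheet throughput claims to a single frame size before comparing them. The script below is an added illustration, not code from the Grandmetric report; it assumes (a labelled simplification) that stateful inspection is bound by packets per second, so a figure quoted at one frame size can be rescaled to another by holding the pps budget constant. The vendor labels and Gbps figures are constructed sample values, not real product numbers.

```python
"""Normalise datasheet throughput claims to a common frame size.

Added illustration, not from the Grandmetric report. Assumption (labelled):
a firewall's stateful path is bound by packets per second, so a throughput
quoted at one frame size can be rescaled to another by keeping pps constant.
Real appliances also hit interface and bus limits, so treat the rescaled
number as an upper bound for comparison, not as a measurement.
"""
from dataclasses import dataclass

BITS_PER_BYTE = 8
MIN_ETH_FRAME = 64  # minimum Ethernet frame; the article's 60-byte case works the same way


@dataclass(frozen=True)
class ThroughputClaim:
    vendor: str        # constructed label, not a real product
    gbps: float        # throughput stated on the datasheet
    frame_bytes: int   # frame size the figure was measured with


def packets_per_second(claim: ThroughputClaim) -> float:
    """Packets per second implied by the claim at its stated frame size."""
    return claim.gbps * 1e9 / (claim.frame_bytes * BITS_PER_BYTE)


def rescale_gbps(claim: ThroughputClaim, target_frame_bytes: int) -> float:
    """Throughput the same pps budget yields at another frame size."""
    return packets_per_second(claim) * target_frame_bytes * BITS_PER_BYTE / 1e9


def normalise(claims, target_frame_bytes: int = MIN_ETH_FRAME) -> dict:
    """Map vendor -> Gbps at the common frame size, highest first."""
    scaled = {c.vendor: rescale_gbps(c, target_frame_bytes) for c in claims}
    return dict(sorted(scaled.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample: two claims that look identical on paper (10 Gbps each)
# but were measured with very different frame sizes.
SAMPLE_CLAIMS = [
    ThroughputClaim("vendor-A", gbps=10.0, frame_bytes=1500),
    ThroughputClaim("vendor-B", gbps=10.0, frame_bytes=64),
]

if __name__ == "__main__":
    for vendor, gbps in normalise(SAMPLE_CLAIMS).items():
        print(f"{vendor}: {gbps:.2f} Gbps at {MIN_ETH_FRAME}-byte frames")
```

At 64-byte frames the "10 Gbps" claim measured with 1500-byte packets shrinks to roughly 0.43 Gbps, which is the "several times higher" gap the paragraph warns about.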


    Threat recognition and stability

    Another angle of comparison should be the effectiveness of threat detection and the stability of the appliance under a high volume of infected traffic that has to be analysed, mitigated, logged and reported. Today it is very common to compete on the speed of zero-day recognition and mitigation. What matters here is how fast the vendor sends a zero-day threat to the sandbox, on premise or in the cloud, and mitigates it in turn. There are also vendors introducing a bunch of new functions that the competition does not offer yet. One needs to be careful here, because having a wide range of functions does not necessarily mean they are better. Often, when introducing the MacGyver jack-knife, many bugs are introduced as well, making the solution less stable than the competition. This often happens with new software, apps and so on, and it is natural. Threat recognition and stability testing is also not the subject of our first report but will be part of our subsequent research work.


    Takeaways from the first report.

    From our overview we can see that most NGFW products have very similar functionality; some are declared faster and some more scalable. But the right solution needs to be chosen based on your specific requirements and objective test results. Going deeper into the traffic-processing specifics, feature behaviour and real measured performance will be the subject of subsequent reports. Stay connected with our upcoming Grandmetric Guidepapers.


    Marcin Bialy

    Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.


    10 July 2018 at 11:10

    In my opinion Sangfor NGAF is the best firewall on the market.

