How to choose a NGFW?

With the evolution of technology and the digital space, business today operates predominantly online. This means that most organizations are highly dependent on network security to protect and guard their data and that of clients, partners, and suppliers. In 2020, more than 300 million people were affected by data breaches. Despite the fact that this number represents a 66% drop from 2019 when more than 880 million were impacted, it’s still a big number.

The good news is that although hackers are becoming more experienced and innovative in the ways they attempt cyberattacks, the available protection is also being enhanced. While businesses used to rely on standard firewalls in the past, today they can take advantage of a more sophisticated and guaranteed solution – next-generation firewalls.

In this article, we’ll briefly explain what a next-generation firewall is and share some of the features that you should look for when choosing the right NGFW for your business.

What is an NGFW?

Firewall vendorsIn short, a next-generation firewall is a third-generation firewall technology that is applied to hardware or software. It’s an advanced version of a standard firewall that offers a number of improvements and additional features, providing additional support and security for your network. It’s able to prevent potential complex attacks by applying security policies and parameters at different levels, including port, application, and protocol.

However, not every next-generation firewall is the same. Although they serve the same purpose, different providers will offer different products. This is why it’s important to know what you’re looking for to make the right decisions and enjoy peace of mind that your business is protected.

Let’s see what some of the features that you should be on the lookout for are.

How to develop requirements?

Working in a small remote team can require predominantly VPN connectivity and a nicely isolated internal environment. Exposing sites to the public internet is making the efforts exponentially growing. Having a publicly accessible vector to attack the business, any hacker will try at least some automated tools checking your precious website for vulnerabilities.

You may not need malware protection if the office is running on linux, but for many other setups the OS could be a vulnerable point needing extra protection.

How to properly size your hardware?

Perfect sizing is almost impossible as the needs vary in time. For brand new deployments choosing the right size is critical. The throughput should be calculated keeping in mind the volume of the desired traffic, but also the number of the enabled capabilities and the processing power they need, also the plans of the organization in terms of expansion for the future.

If less than 50% utilization is low, then over 80% utilization can be fine, but only during the peak hours. 90% utilization is not a good baseline because it cannot handle any fluctuations in the traffic demand.

How to choose between firewall brands?

We all know that it is difficult and here is why. Your business can buy the best firewall (if such exists) but the network security team is trained to use another vendor. Should you change the team? Mostly not, but having this in mind when buying the firewall, can save the whole deployment project and the following support and utilization. Listen to your people. Many firewall vendors are interchangeable, but your people are really precious. And still if they ask you to buy a half a million dollars firewall for a branch office, it could be better to consult with another vendor or ask for proof of concept.

How are the firewalls sold, priced and licensed?

Firewalls are not a tool you simply plug and play. Believe it or not, having a nice long licensing plan for usage and support from the vendor could be the best thing you have paid for. Take the firewall as a service. The business pays a subscription plan and then it can ask for more than just a product, but some basic consultation, advanced troubleshooting, new beta features and more.

What about the scalability, performance, and upgradeability?

To scale twice is easy, to scale tenfold time is achievable, but to scale a thousandfold times, you may need a different solution, designed to be highly scalable. Cloud solutions are also available, right? Firewalls in the DC are not so easy to scale, but easy to maintain. Talking about scalability, the cloud is the king. Performance needs customization of the hardware and here is the high value of the on-premise firewall. It can include specific processors for network traffic forwarding, encryption modules, additional drives for malware analysis and storage for forensic, also physical firewalls can be connected to a TAP switches and provide high resiliency and availability and way more additional features for deep packet inspection and analysis.

In-house staff, outsource, or managed solutions?

If your organization is focused on products different from IT and you need to fit into regulations and basic industry standards, then why should you keep costly high-skilled IT personnel? Maybe it is better if you include the management costs into the same subscription model and deal with a company which can not only consult you, but also, operate the security for you. It is not a matter in which someone can guarantee 100% protection, but can you?

NGFW features you should look for

A next-generation firewall has all the features of a standard firewall and more. But what are the basic features a standard firewall should have in the first place?

It must:

  • Keep records of all active sessions going through the firewall
  • Offer network layer access controls
  • Have network address translation
  • Be capable of logging information on all active sessions
  • Usual practice is to have a second firewall from another vendor in-path to provide maximum availability

Now that we’ve covered the basics when it comes to standard firewalls, we can move on to explore all that a next-generation firewall should provide as an enhanced version of the traditional solution.

Deep Packet Inspection and Intrusion detection IPS/IDS

Deep Packet Inspection is also commonly referred to as DPI and is among the most fundamental benefits of next-generation firewalls. It guarantees that every packet is inspected in detail in order to detect malformed packets, mistakes, potential attacks, and any other threats or anomalies.

IDS and IPS stand for intrusion detection or prevention systems. They’re responsible for observing and analyzing the content and information found in the packets flowing through the firewall. Their responsibility is to detect potential threats.

We can say that IDS/IPS devices work on the basis of signatures in order to discover existing attacks. However, they are also on the lookout for broad types of attacks, which are not dependent on signatures. It’s possible that IDS/IPS devices may be more beneficial in the beginning and their stability could deteriorate over time. You can prevent this from happening by regularly updating their signatures.


A sandbox is an enhanced version of malware scanning. To describe it in simple terms, sandboxing is the process of isolating one program from the rest in an independent environment, where errors or security issues can’t influence the other parts of the computer. The NGFW can detect malicious files or threats and send them to the sandbox where they’re detonated (executed and monitored).

After a certain amount of inspection to identify where the file comes from, it is safely deleted, preventing any damage.

SSL Monitoring

Another feature that NGFWs provide and you should look for when choosing the right partner to work for is the ability to monitor SSL or encrypted traffic, including HTTP tunnelled traffic. Next-generation firewalls include full inbound and outbound SSL decryption capabilities to completely secure encrypted traffic. With this advantage, organizations can stop threats and malware in encrypted network streams.


Another feature that NGFWs offer as an improvement from standard firewalls is geolocation or the ability to connect IP addresses to physical locations. Geolocation can help you define a whole country rather than separate IP addresses that will be exposed to change. For example, this feature could be used to limit or prohibit entirely access from certain countries where the organization doesn’t have a legitimate business.

Additionally, it can be used to establish certain NAT rules that direct traffic from a certain country to one web server and that of another country to a different server.

Load Balancing

Load balancing is not a feature that all next-generation firewalls possess but it’s certainly one that you want to take advantage of. A load balancer helps you divide the load on multiple web servers on your DMZ. It’s useful to unite the reverse proxy and WAF functions with the load balancer. After all, they’re complementary in terms of HTTPS traffic. However, if the traffic is in large quantities, it’s easier to divide the firewall and all other functions. This makes it easier to manage and control.

Additional features that NGFWs can offer

By now, you’re probably thinking that your business can certainly benefit from an NGFW for protection and security. And we haven’t explained all of the diverse features that this enhanced type of firewall can offer. Some additional benefits and features include:

  • Anti-spyware
  • Anti-virus
  • DNS Security
  • Behaviour analysis
  • Central management

When you begin your search for an NGFW, make sure to request as much information as possible on its abilities and special features. Determine whether the protection will be enough to support your business and partner with a reliable and legitimate partner with experience on the market.

Embrace the future of cybersecurity by taking advantage of all that a next-generation firewall has to offer.