next-generation firewall (NGFW)

A next-generation firewall (NGFW) is a part of the third generation of firewall technology that is implemented in either hardware or software and is capable of detecting and blocking sophisticated attacks by enforcing security policies at the application, port and protocol levels.

NGFWs typically feature advanced functions including:

  • application awareness
  • integrated intrusion prevention systems (IPS)
  • identity awareness -- user and group control
  • bridged and routed modes; and
  • the ability to use external intelligence sources.

Of these offerings, most next-generation firewalls integrate at least three basic functions: enterprise firewall capabilities, an intrusion prevention system (IPS) and application control.

Like the introduction of stateful inspection in traditional firewalls, NGFWs bring additional context to the firewall's decision-making process by providing it with the ability to understand the details of the web application traffic passing through it and to take action to block traffic that might exploit vulnerabilities.

Next-generation firewall features

NGFWs combine many of the capabilities of traditional firewalls -- including packet filtering, network address translation (NAT) and port address translation (PAT), URL blocking, and virtual private networks (VPNs) -- with quality of service (QoS) functionality and other features that are not found in traditional firewalls. These include intrusion prevention, SSL and SSH inspection, deep-packet inspection, and reputation-based malware detection, as well as application awareness.

These application-specific capabilities are meant to thwart the growing number of application attacks taking place at Layers 4-7 of the OSI network stack.

Benefits of next-generation firewalls

The different features of next-generation firewalls combine to create unique benefits for users. NGFWs are often able to block malware before it enters a network, something that wasn't previously possible. NGFWs are also better equipped to address advanced persistent threats (APTs) because they can be integrated with threat intelligence services. NGFWs can also offer a low-cost option for companies trying to improve basic device security through the use of application awareness, inspection services, protection systems and awareness tools.

Next-generation firewall vendors include:

  • Cisco
  • Fortinet
  • Sophos