Understanding the current state of enterprise firewall technology requires first debunking two broadly held misconceptions:

The reality is that the firewall is rapidly evolving, not only in what it can do, but also in its business value to the enterprise. It is becoming the cornerstone of hybrid cloud network security, offering integration enablement, consistent controls and comprehensive monitoring and alerting across multiple cloud and on-premises environments. Simultaneously, the firewall’s feature set is expanding beyond the realm of traditional network security to include a fascinating variety of features not necessarily limited to security. Looking forward, key technological developments, including encryption, artificial intelligence/machine learning (AI/ML) and the internet of things (IoT), will arguably make the enterprise firewall more important than it has ever been.

While many of the common features long associated with enterprise firewalls have become commoditized and should carry decreasing weight in purchasing decisions, major enterprise firewall vendors now seek to differentiate with a surprisingly wide variety of emerging capabilities, many of which highlight the strategic direction of their product portfolios. This report discusses the specifics of the “new” next-generation firewall for the enterprise, how it is evolving, where it is going next, and what decision makers must know when approaching the product-selection process.

 [ Related IDG article: What are next generation firewalls? How the cloud and complexity affect them ]

As the commercial enterprise firewall approaches its 30th birthday, it is hard to overstate how dramatically the product has evolved. Following its humble beginnings as a packet-filtering mechanism that blocked unwanted inbound network traffic based on addresses and ports, the firewall quickly evolved to add capabilities such as stateful inspection (tracking the state of open connections so that only replies to permitted sessions are allowed back in), network address translation, VPN termination and many others.

A major shift in the market occurred with the debut of application-aware firewalls, which added the ability to identify and control TCP/IP traffic by the application generating it (web browsers, email clients and other internet-enabled applications that enterprises needed to govern) rather than by port number alone. The addition of security-driven capabilities beginning in the late 2000s, such as intrusion prevention, port/protocol-independent inspection and increased throughput and reliability, soon led vendors to redefine these multifunction, application-aware firewalls as “next-generation firewalls.”

The segment shifted again with the popularization of server virtualization a decade ago. The need to identify and control “east-west” traffic passing between virtual servers, often residing on the same physical host and therefore never crossing a physical firewall, led to the creation of virtual firewalls: software-based firewall instances that are inserted as needed to inspect traffic, segment virtual local area networks (VLANs), and bridge physical and virtual networks, among other functions. Demand skyrocketed as virtual servers found their way into hosted and emerging cloud computing environments, and enterprises demanded firewall solution sets offering integrated physical-virtual firewalling with a single policy model.

Today, despite vendor claims to the contrary, many traditional firewall features have become commoditized; in other words, there is little meaningful differentiation among top-tier competitors in regard to these longstanding features. This is the result of a maturing market segment – many vendors’ core firewall technology has been in use for well over a decade – and robust competition among at least five top-tier enterprise-caliber competitors.

[ Related IDG article: What you should know about Next Generation Firewalls ]

For organizations beginning their enterprise firewall purchasing cycles, the practical effect of this commoditization is that they should avoid overvaluing now-commoditized features during the product-evaluation process. Below are some specific examples:

Next, organizations should understand the features and functions that are both relatively new and of increasing importance. See the following examples.

Every organization’s requirements are unique, and exceptions to general product-selection guidelines are common. That said, organizations must actively adjust the weighting of their firewall-selection criteria to reflect the firewall market’s changing dynamics.

As noted, the commoditization of many enterprise firewall features has created a fiercely competitive vendor landscape. At the same time, each of the five top-tier enterprise firewall vendors has a distinct set of strengths and weaknesses that should be considered when preparing for a product-selection process.

Check Point: The Israel-based vendor has long been known for excellent firewall scalability and reliability. Its firewall management features are remarkably fine-grained, its support for public cloud platforms is unsurpassed, and its expertise in enterprise network perimeter security is well established. However, the vendor has been slow to evolve with the market: its hardware performance hasn’t kept pace with rivals, it has done little to invest in emerging technologies such as cloud network traffic analysis, and its move to subscription-based pricing across its portfolio has obscured the cost of individual components.

Perhaps what’s most telling about its fortunes is that Check Point once boasted more than 180,000 security appliance customers, but due largely to the above-mentioned issues, it has lost nearly half of those customers in the past several years.

Cisco: The networking equipment giant has created a multibillion-dollar security business, and few rivals can match the breadth, integration options and efficacy of Cisco’s network security solution set. Its Firepower next-generation firewall combines IP from its venerable ASA firewall and the Sourcefire IPS in a single code base. Growing integration with its Stealthwatch advanced threat detection and Encrypted Traffic Analytics solutions gives Cisco a sizable advantage in detecting advanced threats and in flagging malicious activity inside encrypted flows without decrypting them. However, customer feedback on Cisco’s unified Firepower Threat Defense firewall management has been mixed, and its eventual transition from on-premises NAC to cloud-based NAC is expected to be complex and disruptive to customers.

Forcepoint: A relatively new brand representing elements of the former Websense and Raytheon, Forcepoint has rebranded the Stonesoft firewall it acquired from McAfee. The renamed Forcepoint NGFW offers optional IPS functionality, lauded high-availability clustering and the industry’s most established built-in SD-WAN capabilities. Its vision involves using the firewall as the centerpiece of an adaptive network security paradigm that constantly reassesses network risk and enables automation-driven threat response.

The vendor’s greatest challenges are a lack of brand awareness, a fair amount of integration and technical debt following numerous acquisitions, and complementary solutions (malware sandboxing OEMed from Lastline, endpoint visibility and threat intelligence) that fall short of best-of-breed.

Fortinet: Synonymous with speed and performance, Fortinet’s flagship FortiGate next-generation firewall appliances employ custom-built security processors to accelerate traffic decryption and flow inspection. Most of its appliances offer across-the-board throughput numbers that easily beat those of other top-tier vendors, often at highly competitive price points.

While Fortinet has been working to bolster its network security ecosystem and now also offers built-in hardware-accelerated SD-WAN support, it is perceived to lack some of the bells and whistles of competing solutions, and its integrated management vision falls short of the “single pane of glass” that buyers increasingly demand.
