
What is SD WAN NGFW (Next Generation Firewall)?

3 min. read

Last updated: November 12, 2021


When comparing next generation firewall (NGFW) capabilities with a legacy traditional firewall, the typical enhancements include improved unified threat management, threat protection, application and identity control, advanced security, and cloud-based firewall orchestration, delivered either as a physical appliance or as a virtual firewall instance.

Businesses constantly evaluate new technologies against their organisational security policy to combat the latest threats and sophisticated attacks across branch offices and remote users. One of the most commonly discussed security products is the next generation firewall, known as NGFW. NGFW technology consolidates anti-virus features, application awareness, deep stateful inspection, real-time web application firewall, cloud-based protection systems and awareness tools, all made visible through sophisticated and comprehensive reporting.

NGFW is available both from traditional security companies and from SD WAN vendors offering SASE.

Where users located in branch offices and remote locations need to access cloud applications, SD WAN with NGFW consolidates both the network VPN and security into one device or client.

As with almost every networking or security product, NGFW management is cloud-based, which allows devices to retrieve the most up-to-date configuration policies wherever they are located.

Why is network security an important topic?

Private MPLS WAN services are in decline because of the shift towards public cloud applications described above, and, consequently, Internet traffic is increasing significantly every 12 months. With news channels reporting state-sponsored attacks, malware and advanced multi-vector threats, it becomes obvious why advanced prevention solutions are required.

The business cost is high, with data breaches costing an average of $3.92 million for the average corporation.

What exactly is Next Generation Firewall and how does the cybersecurity technology apply to SD WAN VPN?

NGFW is the term IT teams use to collectively describe Enterprise-grade firewall services positioned to protect businesses against the threats seen today. We have categorised the main elements below to help you assess 'security effectiveness' across next-generation capability.

Threat intelligence.

Dealing with security vulnerabilities requires real-time threat assessment with cloud-based access to the very latest data. Vendors are required to protect against known threats and against potential vulnerabilities as they take shape. NGFW improves upon the legacy firewall, which cannot keep up with the world in which users operate today. Threat detection is provided by an intrusion prevention system combined with sandboxing, anti-phishing and anti-virus.

Examples of threats include: WannaCry, NotPetya and VPNFilter.

Identity control and inspection.

Microsoft Active Directory integrates well with how NGFW identifies users and controls access to network resources. Organisations that use Active Directory can group users and apply policy control with access restrictions based on identity. NGFW takes the concept of identity a step further by applying zero trust access, which identifies the user using several different attributes. The IPS (Intrusion Prevention System) examines network traffic flows to detect and flag exploits that could open up network access or cause denial of service for a particular web application.

Application control.

Traditional firewalls and routers could only identify traffic by IP address, port and protocol using stateful packet inspection, whereas NGFW identifies the application itself. The average WAN generates IP traffic to hundreds of applications, creating both threats and trends over time. When network issues occur or a threat is identified, the ability to view users and data in real time means high-risk applications can easily be identified and removed from the WAN.

Cloud support and deployment.

Automation and orchestration of security via cloud management models is critical to the success of NGFW. In addition to ease of deployment, instant updates are required to deal with real-time threats. Netify recommends understanding the reporting and analysis features associated with cloud-based threat protection, as false positives (genuine applications whose traffic looks malicious) continue to create a heavy administrative load for IT teams.

Deep packet inspection.

DPI (Deep Packet Inspection) inspects both the IP header and the actual packet contents to ensure that unwanted protocols, spam and viruses are stopped before they enter the network. DPI operates at the OSI application layer to filter packets and block unwanted ones in real time. Deep packet examination is a major benefit for organisations that need to assign multiple policies to both users and applications.

Should you investigate standalone NGFW or SD WAN with security capability?

With SD WAN vendors implementing SASE security features, IT teams are challenged to decide whether to use SD WAN VPN with built-in NGFW or to select a standalone NGFW vendor solution. Which option is best suited to your organisation is typically dictated by the complexity of your business requirements.

In many cases, organisations have already invested in security products or services. When this is the case, IT teams are (for obvious reasons) reluctant to select SD WAN vendors with built-in NGFW capability. The alternative is an SD WAN vendor that integrates with the existing NGFW solution via API access, giving control of security and WAN through one management interface.

Silver Peak is perhaps a good example of SD WAN (encrypted traffic) and NGFW integration, creating a single capability. With Silver Peak, customers can manage Zscaler with API access via the SD WAN interface.

Security requirements are often more complex when the Enterprise is globally distributed. Vendors such as Check Point, Fortinet and others offer significant experience and resources for large global Enterprise security, which the more vanilla offerings of SD WAN products may not match.

Conversely, simpler networks will benefit from selecting an SD WAN vendor that delivers SASE in one device. Deployment, orchestration and ongoing management are made much easier by a consolidated approach, resulting in less onus on the IT team and ultimately less expense.

Which vendors offer next generation security?

The following vendors lead with NGFW services.

  • Check Point
  • Fortinet NGFW
  • Palo Alto (Note their purchase of CloudGenix)
  • Juniper
  • Huawei
  • Cisco
  • Sophos
  • SonicWall
  • VMware


Robert Sturt

Robert Sturt is Managing Director of Netify, an SD-WAN, SASE security and connectivity market network where you can compare and shortlist vendors.