Next-Generation Firewalls (NGFW) combine the functions of a traditional firewall (packet filtering, stateful inspection, Network Address Translation (NAT), etc.) with other network security functions. They are called “next generation” to differentiate them from older firewalls that do not have these capabilities. When an NGFW is hosted in the cloud and offered as a service, it is called Firewall-as-a-Service (FWaaS), or next-generation cloud firewall (please see figure 1.0 below).
Key NGFW technologies include:
- Intrusion Prevention System (IPS): Scans network traffic, identifies malware, and blocks it
- Deep Packet Inspection (DPI): Improves packet filtering by analyzing the body of each packet in addition to the header
- Application awareness and control: Identifies and blocks traffic based on which applications the traffic is going to
- Threat intelligence feeds: Incorporates streams of updated threat intelligence to identify the latest threats
NGFWs emerged as a response to enterprises that wanted to combine traditional port and protocol filtering with IDS/IPS functionality and the ability to detect application-layer traffic; over time, they gained more features such as deep packet inspection and malware detection. The goal of an NGFW is to cover more layers of the OSI model and improve traffic filtering that depends on packet contents. NGFWs perform even deeper inspection than stateful firewalls and give administrators greater awareness of and control over individual applications. These additional capabilities enable them to address a greater variety of organizational security needs.
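The difference between header-only filtering and the DPI and application-awareness features listed above, shown as an added example (not from the original article or any vendor's product): a simplified classifier that names the application from payload bytes and compares its verdict with a port rule. `Packet`, `identify_app`, the policies, and the sample traffic are hypothetical and constructed; a real NGFW engine reassembles streams and uses far larger signature sets.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    dport: int        # destination TCP port (header field)
    payload: bytes    # first bytes of the TCP stream (packet body)

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

def identify_app(pkt: Packet) -> str:
    """Name the application from payload bytes alone, ignoring the port."""
    p = pkt.payload
    if p.startswith(b"SSH-"):                  # SSH identification string
        return "ssh"
    # TLS record: type 0x16 (handshake), version major 0x03, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"
    if p.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def port_filter(pkt: Packet, allowed_ports: set) -> str:
    """Traditional header-only rule: decide on the destination port."""
    return "allow" if pkt.dport in allowed_ports else "deny"

def app_filter(pkt: Packet, allowed_apps: set) -> str:
    """Application-aware rule: decide on what the payload actually is."""
    return "allow" if identify_app(pkt) in allowed_apps else "deny"

# Constructed sample traffic (not captured from a real network).
SAMPLES = {
    "web request on 80": Packet(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "tls hello on 443": Packet(443, bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])),
    "ssh on 443": Packet(443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "http on 8080": Packet(8080, b"POST /api HTTP/1.1\r\n\r\n"),
}

def compare(samples=SAMPLES):
    """Return {name: (app, port verdict, app verdict)} for each sample."""
    return {
        name: (identify_app(p), port_filter(p, {80, 443}), app_filter(p, {"http", "tls"}))
        for name, p in samples.items()
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20} app={result[0]:8} port-filter={result[1]:6} app-filter={result[2]}")
```

The two rules disagree exactly where the port does not match the protocol: SSH carried on port 443 passes the port rule but not the application rule, and HTTP on a non-standard port does the opposite.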
Some NGFW providers also combine it with software-defined wide area network (SD-WAN) capabilities delivered from the cloud. One such provider is Forcepoint. Forcepoint NGFW combines SD-WAN with industry-leading security to connect and protect modern organizations and their data. In this article, we’re going to review the Forcepoint NGFW solution and possible alternatives. Hopefully, this will guide you in the process of choosing the right solution for your business.
Overview of Forcepoint NGFW Solution
Forcepoint NGFW is an award-winning “intelligence-aware” firewall solution that blocks malicious attacks and prevents the theft of data and intellectual property while transforming infrastructure and increasing the efficiency of your operations. Forcepoint NGFW combines SD-WAN, secure access service edge (SASE) security, intrusion prevention, and centralized management across all types of deployments to keep your network and data safe.
Key Features:
- SD-WAN connectivity and policy-driven centralized management at the enterprise scale.
- Built-in IPS with anti-evasion defenses and anti-malware sandboxing.
- High-availability clustering of devices and networks.
- High-performance decryption with granular privacy controls.
- Whitelisting/blacklisting by the client application and version.
- Supports integration with Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) such as Forcepoint Web Security Cloud.
- Unified software for physical, AWS, Azure, and VMware deployments.
The Forcepoint NGFW solution includes NGFW Engines, Security Management Center (SMC) server components, SMC user interface, and other components as shown in the table below. The SMC can configure, monitor, and update up to 2000 Forcepoint NGFW appliances, all from a single pane of glass. It supports deployments across physical, virtual, and cloud environments. Forcepoint NGFW pricing varies according to the capacity and the capabilities desired. A customized demo is available on request.
Component | Description |
---|---|
Management Client | The Management Client is the user interface for the SMC. You use it for all configuration and monitoring tasks. |
Web Portal | The Web Portal is the browser-based user interface for the services provided by the Web Portal Server. |
Management Server | The Management Server is the central component for system administration. One Management Server can manage many different types of engines. |
Log Servers | Log Servers store traffic logs that can be managed and compiled into reports. They also correlate events, monitor the status of engines, show real-time statistics, and forward logs to third-party devices. |
Web Portal Server | The Web Portal Server is a separately licensed optional component that provides restricted access to log data, reports, and policy snapshots. |
NGFW Engines | NGFW Engines inspect traffic. You can use them in the Firewall/VPN, IPS, or Layer 2 Firewall role. |

Table 1.0: The Forcepoint NGFW solution components
Forcepoint NGFW Models
The Forcepoint NGFW comes in various models. Each model includes centralized management, built-in VPN, IPS, anti-evasion, encrypted inspection, SD-WAN, application proxies, and regular update service, among others. The following describes the various Forcepoint NGFW models:
- Forcepoint 3400 Series NGFW: The Forcepoint 3400 Series NGFW is a compact 2U rack-mounted appliance that delivers high-speed networking with up to 67 interfaces, firewall throughput of 200-300 Gbps, and IPS and NGFW throughput of 15-35 Gbps. This makes it ideal for campus networks and data centers. It combines multi-link SD-WAN and site-to-site multi-Link connectivity, high-availability clustering, advanced intrusion prevention, and anti-malware blocking. It also supports integration with Forcepoint Web Security Cloud, CASB, and data loss prevention (DLP). The 3400 series is centrally managed via Forcepoint’s renowned Security Management Center (SMC).
- Forcepoint 2200 Series NGFW: The Forcepoint 2200 Series NGFW is a compact 1U rack-mounted appliance that delivers high-speed networking with up to 25 interfaces, 120 Gbps firewall throughput, and 13.5 Gbps IPS and NGFW throughput. It can connect directly to the cloud and integrates full SD-WAN connectivity and strong security that’s managed at an enterprise scale from Forcepoint Security Management Center (SMC). This makes it ideal for mid-size and large offices requiring enhanced performance and scalability. It also supports integration with Forcepoint Web Security Cloud, CASB, and DLP.
- Forcepoint 2100 Series NGFW: The Forcepoint 2100 Series NGFW is a compact 1U rack-mounted appliance that delivers high-speed networking with up to 28 interfaces, 60-80 Gbps firewall throughput, and 5-7.5 Gbps IPS and NGFW throughput. This makes it ideal for use as a network edge for enterprises and small data centers. It integrates full SD-WAN and site-to-site multi-Link connectivity that’s managed at an enterprise scale by Forcepoint Security Management Center (SMC). It also supports integration with Forcepoint Web Security Cloud, CASB, and DLP.
- Forcepoint 1100 Series NGFW: The Forcepoint 1100 Series NGFW is a compact 1U rack-mounted appliance that delivers high-speed networking with up to 16 interfaces, 50-60 Gbps firewall throughput, and 1.5-3 Gbps IPS and NGFW throughput. This makes it ideal for use as a network edge for branch offices, mid-size organizations, and small data centers. It integrates full SD-WAN and site-to-site multi-Link connectivity that’s managed at an enterprise scale from Forcepoint’s Security Management Center (SMC). It also supports integration with Forcepoint Web Security Cloud, CASB, and DLP.
- Forcepoint 300 Series NGFW: The Forcepoint 300 Series NGFW delivers high-speed networking with up to 8 interfaces, 4-7 Gbps firewall throughput, and 350-1000 Mbps IPS and NGFW throughput. This makes it ideal for remote sites and branch offices (desktop design). Remote sites and branch offices requiring enhanced performance can easily connect directly to the cloud with Forcepoint NGFW 300 Series. It integrates full SD-WAN and site-to-site multi-Link connectivity in a compact, desktop appliance that’s managed at an enterprise scale from Forcepoint’s Security Management Center (SMC). It also supports integration with Forcepoint Web Security Cloud, CASB, and DLP.
- Forcepoint 120 Series NGFW: The Forcepoint 120 Series NGFW delivers high-speed networking with up to 8 interfaces, 4 Gbps firewall throughput, and 450 Mbps IPS and NGFW throughput. This makes it ideal for stores and branch offices. The Forcepoint NGFW 120 Series enables remote offices, branches, and stores to securely connect directly to the cloud. This compact, desktop appliance offers wired and optional Wi-Fi and LTE as a single solution with secure SD-WAN and site-to-site multi-Link connectivity, advanced intrusion prevention, and anti-malware capabilities. It also supports integration with Forcepoint Web Security Cloud, CASB, and DLP. The 120 Series is centrally managed via Forcepoint’s Security Management Center (SMC).
- Forcepoint 60 Series NGFW: The Forcepoint 60 Series NGFW delivers high-speed networking with up to 4 interfaces, 2 Gbps firewall throughput, and 350 Mbps IPS and NGFW throughput. This makes it ideal for remote offices, branches, and stores, and they can connect directly to the cloud more easily and affordably than ever before. The Forcepoint NGFW 60 Series integrates full secure SD-WAN connectivity, advanced high-availability clustering, and strong security in a compact, desktop appliance, all managed at enterprise scale from the Forcepoint Security Management Center (SMC).
Forcepoint NGFW Alternatives
If you find that Forcepoint NGFW is not best suited for your environment and you’re considering an alternative, there are plenty to choose from. To help you decide among the many options, we’ve put together a list of the ten best Forcepoint NGFW alternatives.
- Palo Alto Networks NGFW: Palo Alto Networks NGFW gives security teams complete visibility and control over all networks using powerful traffic identification, malware prevention, and threat intelligence technologies. The product can be deployed as a physical appliance, virtualized firewalls, or cloud-delivered NGFW service. Palo Alto Networks was named a leader in the 2021 Gartner Magic Quadrant for Network Firewalls.
- FortiGate Network Firewall: The FortiGate network firewall is among the leading next-generation firewalls (NGFW) in the market. It has been recognized as a leader in the 2021 Gartner Magic Quadrant for Network Firewalls. FortiGate NGFW supports deployments across physical, virtual, and cloud environments.
- Check Point NGFW: Check Point has one of the best NGFW solutions for small, midsize, large-scale, and data center organizations. It is recognized as a leader in the Gartner 2021 Network Firewall Magic Quadrant for its enterprise-quality security features and ease of management. Check Point is best suited for midrange organizations seeking strong security and robust management features.
- Juniper NGFW: Juniper Networks is known to deliver high-performance NGFW that provides granular control and visibility from client to cloud. Juniper has been recognized as a challenger in the 2021 Gartner Magic Quadrant for Network Firewalls. Juniper gives you the flexibility to deploy its network firewall as physical (SRX series), virtual appliance (vSRX), and containerized firewalls (cSRX).
- Huawei Unified Security Gateway (USG): Huawei's network firewall solution, which it brands as Unified Security Gateway (USG), provides integrated NGFW security for midsize, large enterprises, chain organizations, cloud service providers, and large data centers. One of the remarkable features of the Huawei USG NGFW solution is the innovative AI capabilities it brings to threat defense.
- Sophos SG Firewall: Sophos gives you the flexibility to deploy its network firewall as hardware (SG series), software (virtual appliance), or cloud-based appliance. The Sophos SG series firewall appliance comes in Desktop, 1U, and 2U models.
- Cisco Umbrella: Cisco Umbrella is a cloud-delivered service that combines multiple security functions such as SWG, CASB, NGFW, DNS-layer security, interactive threat intelligence, and SD‑WAN into a single cloud security service. Cisco was recognized as a challenger in the 2022 Gartner Magic Quadrant for SSE. A live demo is available on schedule.
- WatchGuard Firebox: WatchGuard's network firewall solution, which it brands as Firebox, delivers an all-in-one network security platform and protection for primarily small, midsize, and distributed enterprises. WatchGuard Firebox comes in tabletop, rackmount, and software virtual appliances to give you the needed deployment flexibility.
- SonicWall Network Security Appliance (NSA): The SonicWall NSA is a class of NGFW designed specifically for businesses of 250 users and up. With cloud-based and on-box capabilities, secure SD-WAN, real-time visualization, and WLAN management, SonicWall provides the security, control, and visibility you need to maintain an effective cybersecurity posture.
- Hillstone NGFW: Hillstone Networks has emerged as a global competitor in the network firewall space. Its NGFW products, such as Edge Protection solutions, help enterprises and service providers mitigate cyber-attacks. Hillstone NGFWs can be purchased directly from the manufacturer or via channel partners or authorized resellers. Online product demonstrations are also available on request.
Conclusion
Organizations whose networks extend to the cloud, and that have a growing hybrid workforce and data to protect, require the full capabilities of an NGFW and more. If your organization falls into this category and you are considering deploying an NGFW to meet challenging security needs, the best approach is to go for a Security Service Edge (SSE) solution that unifies secure web gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), FWaaS (cloud-delivered NGFW), and more in one solution.
Most SSE vendors also provide SD-WAN services; the combination is called a SASE solution. This approach eliminates the management and integration costs associated with the multi-vendor approach. Forcepoint ONE, Cisco Umbrella, and other SSE and NGFW solutions from Palo Alto Networks, FortiGate, and Check Point possess many of the desired features modern organizations look for to protect their fluid network and hybrid workforce.