What is a next-generation firewall (NGFW)?

A next-generation firewall is within the third generation of firewall technology, designed to address advanced security threats at the application level through intelligent, context-aware security features. An NGFW combines traditional firewall capabilities like packet filtering and stateful inspection with others to make better decisions about what traffic to allow. 

A next-generation firewall has the ability to filter packets based on applications and to inspect the data contained in packets (rather than just their IP headers). In other words, it operates at up to layer 7 (the application layer) in the OSI model, whereas previous firewall technology operated only up to level 4 (the transport layer). Attacks that take place at layers 4–7 of the OSI model are increasing, making this an important capability.

Next-generation firewall specifications vary by provider, but they generally include some combination of the following features:

• Application awareness, or the ability to filter traffic and apply complex rules based on application (rather than just based on port). This is a key feature of next-generation firewalls: They can block traffic from certain applications, as well as maintain greater control over individual applications.
• Deep-packet inspection, which inspects the data contained in packets. Deep-packet inspection is an improvement over traditional firewall technology, which only inspected a packet’s IP header to determine its source and destination.
• Intrusion Prevention System (IPS), which monitors the network for malicious activity and blocks it where it occurs. This monitoring can be signature-based (matching activity to signatures of well-known threats), policy-based (blocking activity that violates security policies), or anomaly-based (monitoring for abnormal behavior).
• High performance, which allows the firewall to monitor large amounts of network traffic without slowdown. Next-generation firewalls include a number of security features that require processing time, so high performance are important to avoid disrupting business operations.
• External threat intelligence, or communication with a threat intelligence network to ensure that threat information is up to date and help identify bad actors.

In addition to these foundational features, next-generation firewalls may include additional features such as antivirus and malware protection. They may also be implemented as a Firewall as a Service (FWaaS), a cloud-based service that provides scalability and easier maintenance. With FWaaS, the firewall software is maintained by the service provider, and resources scale automatically to meet processing demand. This frees enterprise IT teams from dealing with the burden of handling patches, upgrades, and sizing.

Next-generation firewalls provide much better and more robust security than a traditional firewall. Traditional firewalls are limited in their capabilities: They may be able to block traffic through a particular port, but they can’t apply application-specific rules, protect against malware, or detect and block anomalous behavior. As a result, attackers can evade detection by entering through a nonstandard port, something that a next-generation firewall would prevent. Thanks to their context-aware nature and their ability to receive updates from external threat intelligence networks, next-generation firewalls are able to protect against a broad and ever-changing array of advanced threats, and may even use intelligent automation to keep security policies up to date without requiring intervention from busy IT staff. 

In addition, next-generation firewalls offer streamlined security infrastructure that’s easier and cheaper to maintain, update, and control. They combine several security features into one solution and report incidents through a single reporting system. The alternative of maintaining many different security products places an additional burden on IT staff and increases the potential for security breaches.