What is SD-WAN NGFW (Next Generation Firewall)?

Next Generation Firewall (NGFW) is an advanced security feature integrated into SD-WAN to offer threat intelligence, application control, deep packet inspection and Zero Trust access.
What is NGFW?
What is NGFW?

Businesses constantly evaluate new technologies against their organisational security policy to combat the latest threats and sophisticated attacks across branch office and remote users. One of the most commonly discussed security products is the next generation Firewall, known as NGFW. Next Generation Firewall services and technology consolidates anti-virus features, application awareness, deep stateful inspection capability, real-time web application firewall, cloud-based protection systems and awareness tools that are visible via sophisticated and comprehensive reporting.

Table of Contents

“One of the most commonly discussed security products is the next generation Firewall, known as NGFW.”

NGFW is available from both traditional security companies as SD WAN with SASE vendors..


Where requirements exist to access cloud applications from users located within the branch-office and remote locations, Software WAN with NGFW consolidates both network VPN and security in one device or client.

As with almost every networking or security product, NGFW technology is cloud-based which positions devices to retrieve the most up to date configuration policies wherever they are located.

Note: Learn about the Gartner SASE security framework here.

Why is network security an important topic?

Private MPLS WAN services are in decline due to the aforementioned change in working across public applications. And, consequently, Internet traffic is increasing significantly every 12 months. With news channels reporting state-sponsored security attacks, malware and advanced multi-vector threats, it becomes obvious why advanced prevention solutions are required.

The business cost is high with data breaches costing an average of $3.92 million for the average corporate.

What exactly is Next Generation Firewall and how does the cybersecurity technology apply to SD WAN VPN?

NGFW is used by IT teams to collectively describe Enterprise-grade Firewall services which are positioned to protect businesses against the threats seen today. We have categorized the main elements to help understand ‘security effectiveness’ across next-generation capability.

Threat intelligence.

Security vulnerability requires real time threat assessment with cloud-based access to the very latest data. Vendors are required to protect against known threats and potential vulnerabilities as they take shape. NGFW improves upon the legacy Firewall which cannot keep up with the world in which users operate today. Threat detection with an intrusion prevention system is provided by the use of sandboxing, anti-phishing and anti-virus.

Examples of threats include: WannaCry, NotPetya and VPNFilter.

Identity control and inspection.

The use of Microsoft Active Directory integrates well with how NGFW deals with identifying users and controlling network resources. Organizations that use Active Directory can group users and apply policy control with access restriction based on identity. NGFW takes the concept of identity to a new level by leveraging zero trust access which involves identifying the user using different attributes. IPS (Intrusion Protection System) examines network traffic flows to flag and detect exploits which could cause open network access and denial of service for a particular web application.

Application control.

Traditional Firewalls and routers were capable of identifying IP addresses, ports and protocols using stateful packet inspection. The average WAN generates IP traffic to hundreds of applications creating both threats but also trends over time. When network issues occur or a threat is identified, the ability to view users and data on a real-time basis means high-risk applications can easily be identified and removed from the WAN.

Cloud support and deployment.

Automation and orchestration of security via cloud management models is critical to the success of NGFW. In addition to the ease of deployment, instant updates are required to deal with the nature of real-time threats which exist. Netify recommends understanding reporting and analysis product features associated with cloud-based threat protection as false positives (genuine apps which may look like malicious traffic) continue to create heavy administration for IT teams.

Deep packet inspection.

DPI (Deep Packet Inspection) inspects both the IP header and the actual packet contents to ensure any unwanted protocols, spam and viruses are stopped prior to entering the network. DPI operates at the OSI application level to conduct packet filtering and block them in real-time. The deep packet examination feature is a major benefit for organizations with the need to assign multiple policies both to users and applications.

Should you investigate standalone NGFW or SD WAN with security capability?

With SD WAN vendors implementing SASE security solution features, IT teams are challenged to understand whether to use SD WAN VPN with NGFW or to select from standalone NGFW vendor solutions. Which option is best suited to your organization is typically dictated by the complexity of your business requirements.

In many cases, organizations may have already invested in security products or services. When this scenario occurs, IT teams are reluctant (for obvious reasons) to select SD WAN vendors with built-in NGFW capability. The alternative is an SD WAN vendor that integrates with an existing NGFW solution via API access, resulting in control of security and WAN via one management interface.

Silver Peak is perhaps a good example of SD WAN (encrypted traffic) and NGFW integration, creating a single capability. With Silver Peak, customers can manage Zscaler with API access via the SD WAN interface.

Security requirements are often more complex when the Enterprise is globally distributed. Vendors such as Checkpoint, Fortinet and others offer significant experience and resources to deal with large global Enterprise security which may not be met by the more vanilla offerings from SD WAN products.

Conversely, simpler networks will benefit from selecting an SD WAN vendor with SASE in one device. Deployment, orchestration and ongoing management is made much easier via a consolidated approach resulting in less onus on the IT team and ultimately less expense.

Which vendors offer next generation security?

Visit the Netify Marketplace to find out which SD WAN vendors offer NGFW security.

The following vendors lead with NGFW services.

  • Checkpoint
  • Fortinet NGFW
  • Palo Alto (Note their purchase of CloudGenix)
  • Juniper
  • Huawei
  • Cisco
  • Sophos
  • SonicWall
  • VMware