Firefox https://www.comparitech.

com/net-admin/next-gen-firewalls/

Here is a list of the nine best Next-Gen Firewalls (NGFW):

1. Perimeter 81 FWaaS EDITOR’S CHOICE This cloud-based network

protection service is part of a collection of edge services and
connectivity systems that keep distributed businesses secure.

2. Fortinet FortiGate (7000 series) -A leading next-gen firewall with

intrusion prevention, AI, SSL inspection, management console, and
more.
3. Forcepoint NGFW – Next-gen firewall with automated failover,
advanced malware detection, application whitelisting/blacklisting,
and more.
4. Palo Alto Networks PA Series – Machine learning next-gen firewall
with TLS/SSL decryption, QoS policies, automated threat
prevention, and more.
5. Juniper Networks SRX Series – A range of firewalls and SD-WAN
solutions with unified threat management, advanced threat
protection, centralized security management, and more.
6. SonicWall Next-Generation Firewall TZ Series – Next-gen
firewalls with zero-touch deployment, deep memory inspection,
SSL/TLS decryption, and more.
7. Barracuda CloudGen Firewall – Next-gen firewall with advanced
threat protection, an IDS/IPS, VPN, and more.

1 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

8. Cisco FirePOWER Series – Series of network firewalls with an IPS,

malware detection, centralized policy management, URL filtering,
and more.
9. Sophos XG Series – Series of next-gen firewalls with threat
intelligence, intrusion prevention, a web application firewall, anti-
spam solution, and more.

See also: NGFW Guide: What are Next-Generation Firewalls?

The Best Next-Gen Firewalls

What should you look for in a next-generation firewall for your

network? 

We reviewed the market for next-gen firewalls and analyzed the

tools based on the following criteria:

• Cloud-based options
• Systems that can protect multiple sites
• Behavior analytics for activity baselining
• Automated responses
• Alerts for suspicious activity
• A free trial or a demo system for a cost-free assessment
opportunity

2 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

• Good value for money from a comprehensive tool that doesn’t

require paid add-ons in order to provide full protection for your
systems.

With these selection criteria in mind, we looked for reliable next-gen

firewalls that can be used to block suspicious activity as well as
identify it.

1. Perimeter 81 FWaaS EDITOR’S CHOICE

Perimeter 81 produces a range of edge services, including its Firewall-

3 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

as-a-Service (FWaaS). The FWaaS concept has many advantages over

onsite firewall appliances. You don’t need to house, power, maintain, or
protect the Perimeter 81 system – all of the hosting and management of
the firewall is taken care of by the Perimeter 81 staff.

Key Features:

• Enforces traffic encryption

• Implements Single Sign On and 2FA
• Covers multiple sites and remote workers
• Software maintenance included in the price

The FWaaS architecture is an interesting proposition for all sizes and

configurations of enterprises. Small businesses probably don’t have a
very complicated network and wouldn’t have the expertise on site to
manage a comprehensive firewall. The Perimeter 81 system gives those
small enterprises the full protection level experienced by big
businesses, without any of the hassles of having to look after a
complicated piece of equipment.

Larger businesses would also benefit from the Perimeter 81 FWaaS

because it enables the protection of networks on multiple sites to be
integrated into one service – watched from one single console. For
businesses that prioritize IT service centralization, this is a very
interesting option.

4 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Flexible, innovative businesses that practice a virtual office strategy

would be particularly interested in the Perimeter 81 FWaaS. If your
business doesn’t operate any premises and uses freelance remote
workers, then the task of linking all of those endpoints together into a
secure whole can be problematic.

5 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Pros: Cons:

+ Flexible features and offers that – Would like to see a trial as

cater to smaller networks as opposed to a demo
well as enterprises
+ Multi-site management makes
this viable for MSPs
+ Easy to use object-based
configurations

The FWaaS is an edge service and it fronts all of your business’s

communications with the world, so it is able to present a single entry
point to front a distributed workforce. Request a demo to get started.

EDITOR'S CHOICE

Perimeter 81 FWaaS is our top pick for a NextGen firewall because it

has all of the advantages of a cloud service while fully protecting your
endpoints and services no matter where in the world they are located.
The FWaaS is located away from your network and protects the link
from its base through to your facilities with encryption. This service
also manages secure connections between all of your sites, providing
one entrypoint for a distributed business.

6 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Request a Demo and Start: perimeter81.com/lp/next-gen-

firewall-as-a-service

OS: Cloud-based

2. Fortinet FortiGate

Fortinet FortiGate is a series of next-gen firewalls that includes an

intrusion prevention system that can automatically detect threats. The
Fortinet Fortigate 7000 series is the gold standard of next-gen firewalls
with threat detection powered by AI, which can inspect plain text or
encrypted traffic and identify cyber-attacks.

Key Features:

• Intrusion prevention system

• AI-threat detection
• SSL inspection
• Centralized management console

7 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

In terms of throughput, Fortinet FortiGate offers 100 GBPS of NGFW

throughput, 120 GBPS of intrusion prevention throughput, 50 GBPS of
SSL inspection throughput, and 80 GBPS of threat protection throughput.
The high throughput enhances performance and lowers latency for end-
users.

Users can manage their network settings through the management

console, which comes with features like compliance checklists you can
use to manage your environment.

Pros: Cons:

+ Uses machine learning and AI – Better suited for larger

to detect and stop threats environments
+ Can identify threats even when
embedded in encrypted traffic
via SSL inspection
+ Ideal for enterprises and MSPs

Fortinet FortiGate is one of the top solutions to research if you want a

top-of-range next-gen firewall. It is available as an appliance and virtual
machine. You can request a demo from this link here.

Related post: The best Fortinet analyzers

8 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

3. Forcepoint NGFW

Forcepoint NGFW is a solution that combines a next-gen firewall with

an SD-WAN for high availability. With Forcepoint NGFW you can deploy
broadband, wireless, and dedicated lines on-premises with automated
failover to protect against service disruptions. Through the dashboard
you can view a top-down perspective of network activity, helping you to
identify and respond to security events quickly.

Key Features:

• High availability
• Dashboard
• Automated failover
• Anti-malware

9 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

• Decryption

The firewall comes with Forcepoint Advanced Malware Detection to

detect zero-day ransomware threats. Zero-day protection is useful
because it protects against unknown strains of malware and
ransomware, reducing the chance of your network falling victim to the
latest online threats.

At the application-level, Forcepoint NGFW provides whitelisting and

blacklisting to control which applications can access the internet.
Application controls are customizable so you can select which services
will be able to access online services. The firewall also includes
accelerated decryption to inspect HTTPS and SSL/TLS traffic to ensure
that no malicious activity takes place.

Pros: Cons:

+ Supports automated failover – Not the best option for smaller

through multiple interfaces networks
+ Uses AI-powered malware
detection to prevent zero-day
attacks
+ Can inspect a large volume of
traffic quickly for threats

10 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Forcepoint NGFW is ideal for enterprises that require a high-availability

and secure firewall solution. For pricing information, you need to contact
the sales team to request a quote. You can request a demo from this link
here.

4. Palo Alto Networks PA Series

Palo Alto Networks PA Series is a machine learning-powered next-gen

firewall. With Palo Alto Networks PA Series you can use TLS/SSL
decryption and inspection to monitor traffic and ensure that no encrypted
malicious traffic gets through your defenses. There is also DoS
protection to defend against brute force attacks on your network.

Key Features:

11 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

• Machine learning
• TLS/SSL decryption
• QoS policies
• DoS protection
• Automated threat detection

The Palo Alto Network PA series comes with a range of administration

options you can use to manage your network. For example, configurable
QoS policies allow you to optimize network performance and determine
which applications and users take priority.

A threat prevention feature uses payload-based signatures to block

malware and zero-day attacks. Palo Alto Networks updates the
signatures daily to ensure the firewall can detect the latest threats. In
addition, URL filtering automatically detects and prevents web-based
threats like phishing links and phishing sites.

Pros: Cons:

+ Uses machine learning to – Many advanced options require

monitor traffic patents, provide professional setup and
insights, and detect threats management
+ Offers DoS protection and brute
force prevention
+ Offers highly customizable QoS

12 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

options – great for larger

networks and MSPs

Palo Alto Networks PA Series is one of the top firewalls for enterprises in
the market for an advanced next-gen firewall with anomaly detection
capabilities and QoS settings. For pricing information, you need to
contact the company directly to request a quote. You can request a demo
from this link here.

5. Juniper Networks SRX Series

Juniper Networks SRX Series is a range of firewalls and SD-WAN

13 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

solutions designed for private, hybrid, and public cloud environments.

The firewall addresses online threats head-on by scanning incoming
traffic with deep packet inspection to identify viruses, malware, and other
malicious attachments.

Key Features:

• Firewall and SD-WAN

• Unified threat management
• Juniper advanced threat prevention
• Centralized security management

The firewalls also come with Juniper Advanced Threat Prevention, which
can identify known and unknown threats with machine learning and
advanced malware analysis. Centralized security management gives
users the option to manage the security settings of multiple locations
from one place.

Pros: Cons:

+ A great fit for larger – Must request a quote for pricing

environments that leverage
cloud resources
+ Leverages machine learning
and AI for malware detection
and prevention

14 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

+ Offers built-in UTM

Juniper Networks SRX Series is an excellent choice for enterprises that

need to defend against day-one threats. For pricing information, you
need to contact Juniper directly to request a quote. You can sign up to
buy from this link here.

6. SonicWall Next-Generation Firewall TZ Series

SonicWall’s Next-Generation Firewall TZ Series is a series of firewalls

aimed at SMEs. The TZ Series offers zero-touch deployment so you can
deploy devices to multiple locations and use Network Security Manager
to centrally manage your network configurations.

15 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Key Features:

• Zero-touch deployment
• Deep memory inspection
• Built-in storage and redundant power
• SSL/TLS decryption

With deep memory inspection, the TZ Series detects advanced cyber

attacks such as ransomware and malware with shared threat intelligence
that can detect zero-day threats. When combined with the intrusion
prevention system and content filtering, the TZ Series provides
comprehensive protection against all types of threats.

At the same time, SSL/TLS decryption looks out for threats hidden in
encrypted traffic. For extra security, employees can access the network
with the 802.11ac wireless SSL VPN.

Pros: Cons:

+ Easy to learn and navigate – Must request a quote for pricing

interface
+ Robust content filtering, NAT
policy creation, and QoS
options
+ Builtin VPN services

16 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

SonicWall’s Next-Generation Firewall TZ Series is a reliable option for

SMEs looking for a next-gen firewall with a diverse selection of security
features. To view pricing information for the TZ series you need to
contact the sales team to request a quote. You can submit an inquiry
from this link here.

7. Barracuda CloudGen Firewall Series

Barracuda CloudGen Firewall is a next-gen firewall with traffic

17 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

management and SD-WAN. The series comes with advanced threat

protection and checks files against a regularly updated cryptographic
hash database to identify malicious activity. If the system detects
malicious activity it can respond with an automatic quarantine to control
the problem.

Key Features:

• Traffic management
• SD-WAN
• Advanced threat protection
• Intrusion detection and prevention
• VPN

An Intrusion Detection and Prevention System (IDS/IPS) provides

protection against cyber threats. The IDS/IPS can detect network threats
such as SQL injections, access control attempts, cross-site scripting,
DoS/DDoS attacks, viruses, and spyware, so it can block even the most
advanced attacks.

VPN capabilities enable remote users to connect to network resources

with SSL and IPsec. The VPN is portal-based so that users can connect
seamlessly. There is also a mobile portal for iOS, Android, and
Blackberry devices that employees can access from a smartphone or
tablet.

18 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Pros: Cons:

+ Offers automated threat – Better suited for enterprise

responses options to malware networks
attacks
Barracuda CloudGen Firewall is a
+ Includes IDS/IPS settings to
stop probing and DoS attacks solution suitable for those that
require advanced threat detection
+ Offers VPN service with mobile
support and automated response
capabilities. You can order a trial
from this link here.

8. Cisco FirePOWER Series

19 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Cisco FirePOWER is a series of network firewalls with IPS and malware

detection capabilities. The Cisco FirePOWER Series IPS can identify
indicators of compromise within the network and automatically respond.
Regular signature updates ensure the IPS is also ready to detect
emerging online threats. At the same time, advanced malware protection
detects and blocks malware from entering your network.

Key Features:

• IPS
• URL filtering
• Malware detection
• Centralized policy management

Centralized policy management allows you to manage firewalls,

application control, URL filtering, and malware protection. Here you can
monitor discovered threats and begin the remediation process. There is
also a URL filtering feature that can categorize over 280 million URLs
with 80 different categories.

Pros: Cons:

+ Can alert to indicators of – Can be complicated for

20 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

compromise both internally and sysadmin with little prior Cisco

externally experience
+ Offers robust policy
management and access
controls for staff
+ Has granularURL filtering and
content filtering options

The Cisco FirePOWER series is recommended for enterprises that need

to secure public or private cloud environments. For pricing information,
you need to contact the company directly to request a quote. You can
contact the sales team here.

9. Sophos XG Series

21 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

The Sophos XG series is a series of next-gen firewalls that use threat

intelligence and intrusion prevention to block unknown threats. The
Sophos XG Series’ threat intelligence uses deep learning to detect zero-
day threats. This enables the firewall to follow up with automatic
responses like quarantining the malicious content so it can’t spread to
other systems.

Key Features:

• Intrusion prevention
• Deep learning
• VPN client (and mobile VPN)
• Web application firewall
• Email inbox protection

A web application firewall provides protection against Layer 7 web-based

attacks. Similarly, there is an anti-spam solution that protects the user’s

22 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

inbox from threats like phishing attacks and spam.

Remote workers can easily connect to your network with a VPN client.
The VPN client is available on Windows and macOS so that users can
log into the network from wherever they are located. There are also
application-based mobile VPN clients with IPSEC and SSL VPN.

Pros: Cons:

+ Can detect and stop zero-days – Must contact sales for pricing
through machine learning
+ Flexible VPN client supporting
SSL and IPSEC
+ Offers email filtering gateway to
prevent spam and phishing
attempts

The Sophos XG Series is suitable for enterprises that require all-around

protection from private-network and web-based threats. You need to
contact the company directly to request a quote for pricing information.
You can sign up for the free trial here.

Choosing a Next-Gen Firewall

Next-gen firewalls like the Fortinet FortiGate, Forcepoint NGFW, and

23 of 24 23-03-2022, 10:59
Firefox https://www.comparitech.com/net-admin/next-gen-firewalls/

Palo Alto Networks PA Series are leading the way to combat the next
generation of threats while granting users enhanced centralized
management capabilities.

Before committing to deployment, it’s a good idea to research multiple

solutions so you can find a firewall that provides the best coverage
against the threats facing your environment.

24 of 24 23-03-2022, 10:59