SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS Attacks Stop Malicious Bot Abuse Accelerate Internet Applications Ensure Application Availability Optimize Web Experiences Stream Videos On-Demand
Secure Employee Applications and Devices
Deliver Zero Trust Access to Applications Implement Secure Access Service Edge (SASE) Protect Users Accessing the Internet Protect Corporate Networks Manage Secure Contractor Access Replace Virtual Private Networks (VPNs) Secure Your Remote Workforce Stop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Mitigate L3 DDoS Attacks Connect network infrastructure with Cloudflare Transform Corporate Networks
Code on the Network Edge
Build a Serverless Application Deploy a Static Website Configure a CDN Define Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS Platforms Enable SSL for SaaS Applications Reduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerce Gaming Media and Entertainment Public Sector Public Interest Groups SaaS
FOR INFRASTRUCTURE
Application & Network Security
DDoS Protection WAF Bot Management Magic Transit Rate Limiting SSL / TLS Cloudflare Spectrum Network Interconnect
Performance & Reliability
CDN DNS Argo Smart Routing Load Balancing Stream Delivery China Network
FOR TEAMS
Cloudflare for Teams Access Gateway Browser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare Workers Cloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Workers Sites Cloudflare Stream
FOR EVERYONE / PUBLIC
1.1.1.1 1.1.1.1 with WARP (App) 1.1.1.1 for Families Cloudflare Radar Election Campaigns Project Galileo Athenian Project
INSIGHTS
Analytics Cloudflare Logs Web Analytics
FOR INFRASTRUCTURE
Advanced Security
Bot Management Firewall rules Magic Transit Spectrum (TCP/UDP) SSL WAF
Performance & Reliability
CDN DNS Image Resizing Load Balancing Stream (Video) Argo Tunnel
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick Start Workers Site Sample Workers Projects Workers Tutorials Command-line (Wrangler) Runtime
FOR TEAMS
Access Access Audit logs Gateway Gateway Activity Logs
EXPLORE CLOUDFLARE API
Cloudflare API API Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource Hub Whitepapers Webinars Solutions & Product Guides Case Studies Analysts
EXPLORE
What's New? Network Map Cloudflare in China GDPR
GET STARTED
Register Your Website Welcome Center Get Help
LEARN
Learning Center Security DDoS Bot Management SSL Identity and Access Management Performance CDN DNS Cloud Serverless Network Layer
CONNECT
Blog Community
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner Network Partner Portal
TECHNOLOGY PARTNERS
Overview Analytics Partners Bandwidth Alliance Interconnect Partnerships Peering Portal

What Is a Next-Generation Firewall (NGFW)? | NGFW vs. FWaaS

A next-generation firewall (NGFW) is a firewall with powerful modern features. Next-generation firewalls can be hosted in the cloud, though not all of them are.

Share facebook icon linkedin icon twitter icon email icon
What Is the Cloud?
What Is Multicloud?
What Is Hybrid Cloud?
What Is a Cloud Firewall?
Glossary

Next-Gen Firewall

Learning Objectives

After reading this article you will be able to:

  • Define 'next-generation firewall'
  • Contrast classic firewalls with next-generation firewalls
  • Learn about how cloud firewalls overlap with next-gen firewalls

Related Content

What Is a Cloud Firewall?

What is Cloud Migration?

What Is the Cloud?

What Is Hybrid Cloud?

What is a Public Cloud?

What is a next-generation firewall (NGFW)?

A next-generation firewall (NGFW) is more powerful than a traditional firewall. NGFWs have the capabilities of traditional firewalls, but they also have a host of added features to address a greater variety of organizational needs and block more potential threats. They're called "next generation" to differentiate them from older firewalls that don't have these capabilities.

The difference between a next-generation firewall and older firewalls is somewhat like the difference between a smartphone and an old-fashioned cell phone. Both have some features in common – texting, voice calls, a list of contacts, etc. But a smartphone adds so many advanced features that it's practically a different type of product, and as a result there's a different term for it.

What does a firewall do?

A firewall is a security product that monitors and controls network traffic based on a set of security rules. Firewalls can be software applications installed on a server or a computer, or they may be physical hardware appliances that connect to an internal network. Firewalls usually sit between a trusted network and an untrusted network; often the trusted network is a business's internal network, and the untrusted network is the Internet.

Typical capabilities of a traditional firewall include packet filtering, stateful inspection, proxying, IP blocking, domain name blocking, and port blocking.

  • Packet filtering refers to the ability to filter out potentially dangerous network traffic. All data that travels over a network (such as the Internet) is broken up into smaller chunks called packets. A firewall can look at each individual packet and, if it matches certain predetermined rules, block it from entering or exiting an internal network.
  • Stateful inspection takes packet filtering one level deeper. With stateful inspection, firewalls can examine data packets in the context of other packets that have passed through the firewall. A data packet may look harmless on its own, but if it's heading towards an unusual destination within the network, it could be malicious. (For instance, a SQL query isn't malicious on its own, but if it's sent through a web form, it might be part of a SQL injection attack.)
  • Proxying, in networking, refers to one machine sending or receiving network traffic on behalf of another machine. A firewall can act as a proxy by making requests and receiving network responses on behalf of the user devices within its internal network, filtering out malicious data before it has a chance to reach those devices.
  • IP and domain name blocking means that the firewall can block users from accessing certain websites or applications altogether.
  • Port blocking allows firewalls to filter out certain kinds of network traffic. In networking, a port is a place where a connection between one machine and another terminates. Ports are virtual, or software-based – they don't correspond to physical components of the machine. Certain ports are reserved for certain kinds of network connections: HTTPS connections, for instance, take place on port 443.

What features differentiate a next-gen firewall from a traditional firewall?

NGFWs have all of the above features. But in addition, they include technologies that weren't available in earlier firewall products:

Intrusion prevention system (IPS): An intrusion prevention system actively detects and blocks cyber attacks. This is like having a security guard who actively patrols a building, instead of one who just sits next to the front entrance.

Deep packet inspection (DPI): Older firewalls typically inspect only the headers* of the data packets passing through. NGFWs inspect both data packet headers and the packet payload, in order to better detect malware and other kinds of malicious traffic. This is somewhat like a security checkpoint where the security officers actually inspect the contents of a person's luggage, instead of just having that person tell the officers what items are in their luggage.

*A packet header contains information about the packet as a whole, such as how long it is and where it originates from.

Application control: In addition to analyzing network traffic, NGFWs can identify which applications the traffic comes from. Based upon that, NGFWs can control what resources different applications can access, or block certain applications altogether.

Directory integration: User directories allow an organization's internal teams to track the privileges and permissions each user has. Some NGFWs can filter network traffic or applications based on these internal user directories. If a user does not have permission to access a certain application, then that application is blocked for that user by the firewall, even if the application isn't identified as malicious.

Encrypted traffic inspection: Some NGFWs can actually decrypt and analyze traffic that is encrypted with SSL/TLS. A firewall is able to do this by acting as a proxy for the TLS process. All traffic to and from the website is decrypted by the firewall, analyzed, and encrypted again. From a user's point of view, this proxying is virtually seamless, and they can interact with secure HTTPS websites like normal.

Are NGFWs deployed in the cloud or on-premises?

NGFWs can run either in the cloud or on-premises. The only thing that distinguishes an older firewall from a next-gen firewall is whether or not it has next-generation capabilities like those listed above.

What is Firewall-as-a-Service (FWaaS)?

Firewall-as-a-Service (FWaaS) is a firewall that is hosted in the cloud by a third party vendor. "Cloud firewall" is another term for this type of service.

FWaaS is not a physical appliance, nor is it hosted on an organization's premises. Like other "as-a-Service" categories, such as Software-as-a-Service or Platform-as-a-Service, FWaaS runs in the cloud and is accessed over the Internet.

Before the advent of cloud computing, a firewall sat in between a trusted network and an untrusted one, and there was a clear boundary between the trusted and untrusted networks. But in cloud computing, this boundary, called a "network perimeter," does not necessarily exist, because trusted cloud assets are accessed over an untrusted network (the Internet). Cloud-hosted firewalls keep these assets secure despite this lack of a network perimeter.

What is the difference between FWaaS (cloud firewalls) and NGFWs?

Next-Generation Firewall vs Cloud Firewall

Most modern firewalls, including FWaaS/cloud firewalls, are next-generation. However, "FWaaS" and "next-generation" describe two different characteristics of a firewall. FWaaS describes where a firewall is. "Next-generation" describes what a firewall can do.

Any firewall that has next-generation capabilities is an NGFW, no matter where it's hosted. A cloud firewall, or FWaaS, is hosted in the cloud – whether or not it has next-generation capabilities. Additionally, cloud-hosted firewalls are configured, maintained, and updated by a vendor, making them easier for customers maintain and usually more up-to-date and safer.

What kind of firewall does Cloudflare offer?

The Cloudflare WAF (web application firewall) is a cloud-based firewall that protects cloud assets as well as web applications. The Cloudflare WAF is unique in that it continually identifies and blocks new potential threats. It does this by analyzing traffic data from the entire global Cloudflare network.

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.