A next-generation firewall (NGFW) is a firewall with advanced features, while firewall-as-a-service (FWaaS) is a cloud-delivered firewall for protecting networks and cloud infrastructure.
After reading this article you will be able to:
Copy article link
These terms describe two different aspects of a firewall — what it can do (NGFW) versus where and how it is deployed (FWaaS). A next-generation firewall (NGFW) has a specific set of security capabilities. Firewall-as-a-service (FWaaS) describes a firewall that is hosted in the cloud and offered as a service (such a firewall can also be called a "cloud firewall").
FWaaS can have next-gen capabilities, and an NGFW can be hosted in the cloud.
The type of firewall an organization needs depends on their infrastructure. If all of their networking infrastructure and applications are on-premise, a hardware-based NGFW may be sufficient. But most modern organizations run some workloads in the cloud, making FWaaS a necessity (ideally, a FWaaS solution with next-gen capabilities).
A firewall is a security product that monitors and controls network traffic based on a set of security rules. Firewalls can be software applications installed on a server or a computer, or they may be physical hardware appliances that connect to an internal network. Firewalls usually sit between a trusted network and an untrusted network; often the trusted network is a business's internal network, and the untrusted network is the Internet.
The standard capabilities of a firewall include:
NGFWs have the features of traditional firewalls, but they also have added features to address a greater variety of organizational needs and block more potential threats. They are called "next generation" to differentiate them from older firewalls that do not have these capabilities.
NGFW technologies include:
FWaaS is a firewall that is hosted in the cloud by a third party vendor. "Cloud firewall" is another term for this type of service.
FWaaS is not a physical appliance, nor is it hosted on an organization's premises. Like other "as-a-service" categories, such as infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), FWaaS runs in the cloud and is accessed over the Internet.
Before the advent of cloud computing, a firewall sat in between a trusted network and an untrusted one, and there was a clear boundary (called a "network perimeter") between the trusted and untrusted networks. But in cloud computing, this boundary does not exist, because trusted cloud assets are accessed over an untrusted network (the Internet). Cloud-hosted firewalls protect these assets despite this lack of a network perimeter. Additionally, cloud-hosted firewalls are configured, maintained, and updated by the firewall vendor, not the customer.
Cloudflare Magic Firewall is a cloud firewall with next-gen capabilities that is hosted on the global Cloudflare network. It protects data centers, remote users, branch offices, and cloud infrastructure, and it is tightly integrated with the Cloudflare One platform. Learn more about Magic Firewall.
Learning Center Navigation