Next-generation firewall (NGFW) vs. firewall-as-a-service (FWaaS)

A next-generation firewall (NGFW) is a firewall with advanced features, while firewall-as-a-service (FWaaS) is a cloud-delivered firewall for protecting networks and cloud infrastructure.

Learning Objectives

After reading this article you will be able to:

  • Define next-generation firewall (NGFW) and firewall-as-a-service (FWaaS)
  • Contrast NGFWs with FWaaS
  • Learn how cloud firewalls overlap with next-gen firewalls

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

Next-generation firewall (NGFW) vs. firewall-as-a-service (FWaaS)

These terms describe two different aspects of a firewall — what it can do (NGFW) versus where and how it is deployed (FWaaS). A next-generation firewall (NGFW) has a specific set of security capabilities. Firewall-as-a-service (FWaaS) describes a firewall that is hosted in the cloud and offered as a service (such a firewall can also be called a "cloud firewall").

FWaaS can have next-gen capabilities, and an NGFW can be hosted in the cloud.

NGFW vs. FWaaS Venn diagram

The type of firewall an organization needs depends on their infrastructure. If all of their networking infrastructure and applications are on-premise, a hardware-based NGFW may be sufficient. But most modern organizations run some workloads in the cloud, making FWaaS a necessity (ideally, a FWaaS solution with next-gen capabilities).

What does a firewall do?

A firewall is a security product that monitors and controls network traffic based on a set of security rules. Firewalls can be software applications installed on a server or a computer, or they may be physical hardware appliances that connect to an internal network. Firewalls usually sit between a trusted network and an untrusted network; often the trusted network is a business's internal network, and the untrusted network is the Internet.

The standard capabilities of a firewall include:

  • Packet filtering: Analyzes individual data packets and blocks them when necessary
  • Stateful inspection: Evaluates packets in the context of active network connections
  • Virtual private network (VPN) awareness: Identifies encrypted VPN traffic and allows it to pass through

What is a next-generation firewall (NGFW)?

NGFWs have the features of traditional firewalls, but they also have added features to address a greater variety of organizational needs and block more potential threats. They are called "next generation" to differentiate them from older firewalls that do not have these capabilities.

NGFW technologies include:

  • Intrusion prevention system (IPS): Scans network traffic, identifies malware, and blocks it
  • Deep packet inspection (DPI): Improves on packet filtering by analyzing the body of each packet in addition to the header
  • Application awareness and control: Identifies and blocks traffic based on which applications the traffic is going to
  • Threat intelligence feeds: Incorporates streams of updated threat intelligence to identify the latest threats

What is firewall-as-a-service (FWaaS)?

FWaaS is a firewall that is hosted in the cloud by a third party vendor. "Cloud firewall" is another term for this type of service.

FWaaS is not a physical appliance, nor is it hosted on an organization's premises. Like other "as-a-service" categories, such as infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), FWaaS runs in the cloud and is accessed over the Internet.

Before the advent of cloud computing, a firewall sat in between a trusted network and an untrusted one, and there was a clear boundary (called a "network perimeter") between the trusted and untrusted networks. But in cloud computing, this boundary does not exist, because trusted cloud assets are accessed over an untrusted network (the Internet). Cloud-hosted firewalls protect these assets despite this lack of a network perimeter. Additionally, cloud-hosted firewalls are configured, maintained, and updated by the firewall vendor, not the customer.

What is Cloudflare Magic Firewall?

Cloudflare Magic Firewall is a cloud firewall with next-gen capabilities that is hosted on the global Cloudflare network. It protects data centers, remote users, branch offices, and cloud infrastructure, and it is tightly integrated with the Cloudflare One platform. Learn more about Magic Firewall.