How to buy enterprise firewalls

This syndicated post by Zeus Kerravala originally appeared at Network World.

Next-gen firewalls: Automation, processing power, and a roadmap to future features are key considerations for enterprises looking to buy.


Enterprise firewalls have been the quintessential security device for decades, standing guard at the perimeter, inspecting all inbound and outbound traffic for malware. So, what happens to firewalls as the perimeter fades away? They evolve.

Today’s firewalls are an essential piece of the enterprise security puzzle. They’ve become the foundational device upon which security vendors have stacked all of their advanced features. Cloud-based, next-generation firewalls (firewall-as-a-service) are a core component of any secure access service edge (SASE) deployment. VPN remote access for work-at-home employees typically terminates at a firewall. And firewalls play a key role in zero-trust network access (ZTNA), serving as the device that enforces access control policies and network segmentation rules.

Key questions to ask

Network execs looking to upgrade their firewalls should ask these sets of questions.

  • What is the level of basic functionality of the firewall in terms of performance, features, automation, and management?
  • How well do the firewall’s capabilities and form factors fit with the use cases of the business? Are there hardware, software, virtualized and firewall-as-a-service (FWaaS) options to accommodate IoT traffic, multi-cloud environments, and internal (east-west) traffic generated by virtualized or containerized apps?
  • How well does the vendor’s platform mesh with the broader security, IT and OT operations of the organization?
  • What is the vendor roadmap for SASE, zero trust, and the inexorable movement of security functionality to the cloud?

Vendor landscape remains relatively static

According to the latest numbers from the Dell’Oro Group, the firewall market grew at a healthy 14% in Q3 2021, as enterprises caught up with their refresh cycles following 2020, a year in which firewall sales lagged because attention was diverted to the pandemic.

The market share leader is Palo Alto Networks, followed by Cisco in second place and Fortinet in third, according to Mauricio Sanchez, research director at Dell’Oro Group. Without divulging exact numbers, Dell’Oro puts Palo Alto’s market share above 20%, with Cisco and Fortinet in double digits, and everyone else in the single digits.

A recent Forrester report on enterprise firewalls that evaluated vendors on 20 criteria put Cisco and Palo Alto Networks in the leader category, with Check Point, Fortinet, Juniper, Forcepoint, Sophos and Huawei listed as ‘strong performers.’

Gartner’s newest Magic Quadrant on firewalls identifies the leaders as Palo Alto, Fortinet and Check Point, with Versa and Barracuda described as visionaries.

Sanchez points out that the enterprise firewall market is very mature, and the traditional players continue to dominate without appreciable competition from the types of disruptive newcomers seen in other markets.

At the same time, vendors aren’t sitting on their hands. Firewalls themselves continue to evolve in order to meet new security challenges, and they will play a vital role in enterprise security for many years to come.


Firewalls must have the capacity to perform in-line, deep packet inspection without becoming a bottleneck that degrades application performance, so throughput is an important measure.

Vendors will claim to have the fastest firewalls or the best price/performance, but it’s critically important to conduct your own trial or pilot project that plugs the firewall into a production network to see how it handles your actual traffic. One thing you don’t want is IT pros, under pressure to maintain network performance, turning off key firewall security features to reduce the delay those features might cause.

So, be sure to put the firewall that you’re considering through its paces. Run it with your most bandwidth-intensive applications, with encryption turned on, with different packet sizes, protocols, and types of traffic. One by one, turn on additional features and measure the impact on throughput. Key metrics include: application throughput; number of connections per second; the maximum number of sessions for both IPv4 and IPv6 traffic; and SSL/TLS performance.
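The feature-by-feature pilot described above, as an added worked example that is not part of the original article: it records constructed (invented) measurements for a hypothetical appliance as inspection features are enabled one at a time, reports what each feature costs in throughput, and flags the feature whose enablement first pushes the box below the production floor your own traffic requires.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Run:
    """One pilot measurement with a cumulative set of inspection features on."""
    features: tuple          # features enabled during this run, in enable order
    throughput_mbps: float   # application throughput with the site's traffic mix
    cps: int                 # new connections per second sustained
    tls_mbps: float          # throughput for the HTTPS portion of the mix

# Constructed pilot results for a hypothetical appliance; the numbers are
# invented to illustrate the analysis, not measurements of any product.
PILOT = [
    Run((), 9800.0, 120000, 4100.0),
    Run(("ips",), 7100.0, 95000, 3900.0),
    Run(("ips", "antimalware"), 5900.0, 90000, 3500.0),
    Run(("ips", "antimalware", "tls_inspection"), 3200.0, 52000, 1400.0),
    Run(("ips", "antimalware", "tls_inspection", "url_filtering"),
        2950.0, 49000, 1350.0),
]

def newly_enabled(prev: Run, cur: Run) -> str:
    """Name the feature switched on between two consecutive runs."""
    added = [f for f in cur.features if f not in prev.features]
    return added[0] if added else "(none)"

def feature_costs(runs):
    """Percent throughput lost by each feature relative to the run before it."""
    costs = []
    for prev, cur in zip(runs, runs[1:]):
        loss = (prev.throughput_mbps - cur.throughput_mbps) / prev.throughput_mbps
        costs.append((newly_enabled(prev, cur), round(loss * 100, 1)))
    return costs

def first_feature_below_floor(runs, floor_mbps, floor_cps):
    """Return the feature whose enablement first drops throughput or CPS below
    the production floor, or None if the full stack still meets it."""
    for prev, cur in zip(runs, runs[1:]):
        if cur.throughput_mbps < floor_mbps or cur.cps < floor_cps:
            return newly_enabled(prev, cur)
    return None

if __name__ == "__main__":
    for feature, pct in feature_costs(PILOT):
        print(f"{feature:16s} costs {pct:5.1f}% of throughput")
    print("first feature below floor:",
          first_feature_below_floor(PILOT, floor_mbps=4000, floor_cps=60000))
```

Set the floor from the peak load observed on your own network during the pilot; a feature that lands below it is the one an overloaded operations team will be tempted to switch off, so it needs either a bigger box or a different placement.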

Basic features and form factors

Today’s firewalls are jampacked with additional features that can include threat intelligence, application control, IDS, IPS, anti-virus, anti-malware, sandboxing, URL filtering, SSL traffic inspection, and many others.

If you already have point products that perform some of these functions, you need to decide whether to pull the plug on, say, your incumbent IPS or anti-virus tool and consolidate those functions into the firewall.

The pros of bundling are ease-of-use, reduced complexity, and consolidated management that comes with a single-vendor approach. The cons are that you might not be getting best-of-breed performance, and you’re relying on the firewall vendor to have the resources and technology chops to continue upgrading all of these features over time.

Another key consideration is how well the firewall integrates with SD-WAN, which is becoming a popular option for sending traffic from a branch office directly to the cloud, rather than backhauling to a centralized data center. The trend is for enterprises to replace separate branch-office routers and branch-office firewalls with a single SD-WAN device that incorporates security and routing features.

Most firewall vendors have acquired SD-WAN startups in order to deliver that single-box branch-office device, but customers should press them on the level of integration between firewall functionality and WAN optimization.

Form factors—hardware, software, virtual—are also a key consideration because of the complexity and variety of use cases. You need heavy-duty firewalls that can handle the high-capacity workloads of a data center; lighter-weight firewalls that can be deployed at the edge and in branch offices; and ruggedized firewalls for harsh environments, if applicable. Virtualized firewalls (also called cloud firewalls) come into play in public- and private-cloud environments, software-defined networks (SDN), or SD-WAN.

Advanced features

There are also several advanced features that prospective buyers should ask about:

  1. AI/ML: Vendors are beginning to tout the use of AI and machine learning in their firewalls in order to sniff out zero-day attacks, to more efficiently inspect the vast amounts of traffic that IoT devices can generate, to better automate firewall functionality, and to analyze network traffic in order to deliver actionable recommendations for things like improvements to access-control policies.
  2. Endpoint security: Firewalls inspect traffic that originates from endpoint devices when that traffic reaches the network, but what about protecting endpoint devices from attack in the first place? Customers should ask whether the firewall vendor has an endpoint-security story, either with its own gear or through partnerships with leading endpoint-protection companies.
  3. Containers: If your organization has containerized apps running in the cloud or has plans to deploy containers, be sure to pin the vendor down on whether its firewalls have a virtualized or FWaaS option that covers containerized apps.


The days of set-it-and-forget-it firewall rules are long gone. Today’s security and networking professionals require firewalls that can be deployed, configured, monitored and managed by a single cloud-based dashboard no matter where they are deployed—on-prem, cloud, edge.

Management functionality should enable IT staffers to keep rules and policies up to date, to change configurations on the fly, and to have visibility that extends everywhere, including into SaaS-based applications, IoT devices, even OT environments where things like building-access via two-factor authentication or biometrics are becoming part of the overall security infrastructure.

Automation plays a key role in firewall management. Prospective purchasers should ask about the level of automation for various tasks and processes. These include the automation of routine workflows, change-management processes, and updates, which often result in configuration errors when performed manually. Enterprise environments are extremely fluid, so an effective management system must embrace automation to dynamically deploy policy changes across the entire network.

In addition, the management system needs to monitor the network to make sure policies are being enforced. For example, in a manufacturing scenario, the OT staff might physically move a machine and its IoT sensors from one location to another. The management system should be able to recognize that the IoT device is now on a different network segment and should be able to automatically make sure that the firewall policy rules follow the device.

The most critical job for a firewall is preventing attacks. And that’s where automation can play a key role, identifying threats much faster than a human could, and then responding to the threat in a proactive manner, effectively eliminating the threat with no human intervention required.

Automated systems can spot the smallest anomalies and take appropriate action, such as quarantining devices so that an attack can’t spread while an investigation takes place to determine the type of attack and the appropriate countermeasures.

The management platform also needs the capacity to enforce not only hundreds of firewall rules, but broader security policies such as network segmentation or access controls that are linked to Active Directory or some other identity and access management scheme.

Looking ahead: platforms, roadmaps, and cloud

Each of the leading firewall vendors has a broad platform that includes multiple security products managed via one dashboard, preferably cloud-based. But not all of the individual products are at the same level of maturity. And for vendors that have recently made acquisitions to fill out their portfolios, or that still have holes in their product lines, integration becomes an issue that prospective buyers should ask about.

SASE: If your company is considering moving to secure access service edge, it’s important to ask the vendor to describe its roadmap, since few, if any, vendors currently have a complete suite of SASE capabilities. As defined by Gartner, a SASE deployment consists of SD-WAN, secure Web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access.

“By 2024, more than 70% of SD-WAN customers will have implemented a SASE architecture, compared to 40% in 2021,” according to Gartner. So, the expectation is that most organizations will embark on their SASE journey in the next couple of years and the selection of a firewall vendor with a clear SASE vision is a pivotal decision.

ZTNA: Zero trust has become the “trend du jour in the security vendor community,” according to Forrester’s “Practical Guide to a Zero Trust Implementation”, which describes zero trust as “a conceptual and architectural framework for moving security from a network-oriented, perimeter-based security model to one based on continuous verification of trust.”

So, where does the venerable firewall fit into this zero-trust future? Forrester says, “The next-generation firewall was the original poster child for zero trust, and it is even better today.”

Thanks to advanced chipsets, firewall appliances can now have the processing power to decrypt and inspect traffic without slowing down the network. In addition, use cases for virtualized firewalls are becoming common, such as inspecting application traffic in the cloud.

Other components of a zero-trust strategy include micro-segmentation and identity and access management. Firewalls can enforce those policies, so organizations shopping for firewalls should require vendors to spell out their zero-trust roadmap.

FWaaS: The trend over the past few years has been for enterprise firewalls to get fatter as they incorporate new functionality. But Dell’Oro’s Sanchez says that is reaching an inflection point. He predicts that firewall functionality will slowly but steadily move to the cloud in the form of FWaaS.

FWaaS provides several advantages over appliance-based firewalls, similar to the advantages that SaaS provides over on-prem applications. FWaaS offers a pool of resources that can deliver the type of instant scalability—both scaling up and scaling down—that can’t be replicated with on-prem hardware.

FWaaS enables companies to finally ditch their MPLS networks and direct all traffic to the cloud, where security policies can be consistently enforced across all traffic types. FWaaS also provides fast, flexible deployment.

Taking a broad view, as network defense strategies grow, enterprises need to plan for how their firewalls will fit in over time. Sanchez sums it up this way: “Firewalls aren’t going away, but they’re changing and evolving to address new use cases.” Customers should be sure to ask firewall vendors, “How does the firewall mesh into the long-term journey the enterprise is on toward a more cloud-centric world?”

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice.