Top 8 Next-Generation Firewall (NGFW) Features in 2024

The network security statistics show that the number of incidents in North America increased from 23% of all cases in 2021 to 25% in 2022. The U.S. accounted for 80% of the North American region’s cybercrime.

Recent security incidents in the U.S. raise the question: Are existing firewall types adequate to prevent unwanted access to key assets?

While firewalls may be less capable than next-generation firewalls, they are still in use — and necessary. However, more comprehensive, effective, and, most importantly, integrated products (e.g. firewall audit software) are necessary to stay up with the most common cyber attack vectors on today’s computer networks.

A next-generation firewall (NGFW) can go beyond simple port and protocol inspection by inspecting the data carried in network packets while also integrating threat management technologies such as application-level inspection and intrusion prevention.

What is a next-generation firewall (NGFW)?

A next-generation firewall (NGFW) is an integrated system stage that connects a standard firewall with other network security filtering capabilities. NGFWs detect and prevent complex assaults by implementing security policies at the application, port, and protocol levels.¹

Figure 1: Next-generation firewall (NGFW) workflow

According to Gartner, the NGFWs must have the following attributes:

1. Traditional firewall functions

NGFW will replace old firewalls and must support typical firewall functions such as packet filtering, network address translation (NAT), and URL filtering.

2. Application detection and monitoring capabilities

NGFWs should provide application awareness, application-specific security policies, and bandwidth control.

Traditional stateful inspection firewalls only work at Layers 2–4 and do not inspect packet contents. The NGFW may inspect the information at Layers 2 through 7, enabling network visibility and control (e.g. network audit controls) over network resources.

Figure 2: Open systems interconnection (OSI) Layers

Source: NotesforMSc²

3. Integration of intrusion prevention systems (IPS) and other firewall functions

The NGFW must support and connect the intrusion prevention system (IPS) function with firewall capabilities. Gartner highlights greater integration is needed across the IPS and firewall rather than simple linking in NGFWs.³

For example, a firewall needs to be able to self-update and transmit network security policies when the integrated IPS detects malicious traffic.

Figure 3: Next-generation firewall (NGFW) with integrated intrusion prevention system (IPS) and application controls

4. Using knowledge outside of the firewall

NGFW can use knowledge provided by other IT systems about users, locations, vulnerabilities, and network resources.

For example, to control problems caused by segment-based network security controls (e.g. microsegmentation, DMZ network security) scenarios, the NGFW can be linked with a user microsegmentation tool that enforces granular access based on network security policies.⁴

Read more: Network segmentation, Top 10 network security policy management solutions (NSPM), UTM vs NGFW.

Features of next-generation firewalls (NGFWs)

A. Common features of traditional and next-generation firewalls (NGFWs)

1. Packet filtering

All data transmitted across a network like the Internet is divided into smaller units known as packets. Since these packets carry any data that crosses a network, firewalls scan them and either block or allow them to pass to prevent risky information (such as malware attacks) from passing through (all firewalls can filter packets).

Packet filtering examines the Internet Protocol (IP) addresses of the source, ports, and protocols connected with each packet — by analyzing where each packet originated, where it travels, and how it will travel there. Firewalls use this assessment to allow or deny packets, blocking out those that are not allowed.

Packet filtering approaches parse a packet’s header and then apply rules to determine whether to allow or reject the packet, as seen in the figure.

Figure 4: Packet filtering across Layer 3 Internet protocol (IP) network

Source: ResearchGate⁵

2. Network address translation (NAT) 

Network address translation (NAT) is the process of converting one or more local private Internet Protocol (IP) addresses into public IP addresses that allow multiple local devices and hosts to connect to the Internet. NAT secures private networks via a router or firewall. 

3. URL filtering

Uniform resource locator (URL) filtering is a system that allows companies to limit the websites and material that their employees can access. Users are prohibited from viewing specified websites and from utilizing corporate resources, such as computers or network bandwidth.

The URL filtering mechanism compares the URL a user attempts to access to a database or list of sites that have been restricted or allowed for use. This often restricts employees from viewing websites that could disrupt the organization’s operations, such as sites that could be high-risk, damaging, or related to cyber-attacks.

Read more: Role-based access control (RBAC), mandatory access control (MAC).

B. Distinct features of next-generation firewalls (NGFWs)

4. Deep packet inspection (DPI)

Deep packet inspection (DPI) is a comprehensive tool for analyzing and monitoring network traffic. It is a type of packet filtering that detects, identifies, categorizes, and routes or stops packets delivering certain data or coding loads that traditional packet filtering cannot identify.

NGFWs integrated with deep packet inspection (DPI) capabilities can check data at transmission control protocol (TCP), internet protocol (IP), and application layers (from top to bottom). This gives application awareness to next-generation firewalls, such as context regarding which application information is being routed.

Figure 5: Deep packet inspection

Source: Apcon⁶

5. Intrusion detection and prevention system (IDPS) 

NGFWs can detect potential cyber attack vectors (e.g. third-party cyber risks) based on particular action patterns or abnormalities and subsequently block suspicious traffic on the network. These capabilities are known as intrusion detection services (IDS), intrusion prevention systems (IPS), or intrusion detection and prevention (IDP) tools.

6. Application awareness

An application-aware firewall recognizes not only ports but also which programs listen to which ports. They are host-based (placed on a user’s desktop) that block malware from listening on a port that a genuine program would typically use.

For example, someone can access port 10 on a traditional firewall if they have an integrated security system (ISS) functioning and desire to enable web traffic.

• Traditional firewall: If malware stops the IIS and starts listening on port 10 instead, the traditional network firewall will transmit traffic to it because it only knows that it has a rule that says it should accept traffic on port 10.

• Application-aware NGFW: An application-aware NGFW has a rule that allows traffic to IIS particularly. If malware stops the targeted program, the NGFW will begin blocking traffic to the ports IIS listens on, and the malware will be prevented by default.

7. Cyber threat intelligence (CTI)

Cyber threat intelligence (CTI) is evidence-based information regarding digital attacks compiled and analyzed by cyber security specialists.

This information can include:

• Techniques of attack.
• How to recognize if an attack is occurring.
• How different forms of security incidents may affect the company.
• Practical suggestions on how to react against attacks.

NGFWs may receive and respond to threat intelligence feeds from outside sources. For example, NGFWs with threat intelligence features can leverage an IPS signature detection or digital footprint by analyzing the most recent malware signatures to detect and block risky IP addresses that are used to launch attacks.

8. Extra firewall intelligence

Extra firewall intelligence brings in information from outside the firewall to enhance blocking assessments or create an optimal blocking rule logic. Examples include employing directory integration to link blocking to user identity and maintaining blacklists and whitelists.

Read more: Firewall assessment.

Differences between traditional firewalls and NGFWs

Traditional firewalls use port/protocol inspection and blocking to secure company networks at the information transport layers (Layers 2 and 4 of the OSI model). This static technique worked well in the past when the computer system was less dynamic and software could be recognized by port. However, with the growing complexity of cloud-based networks and more complex cyber attack vectors, traditional firewalls are no longer sufficient.

Next-generation firewalls (NGFW) are more intelligent. They may filter packets depending on application (Layer 7 of the OSI model), making more precise distinctions that are significantly more effective than classic firewalls’ conventional techniques. NGFWs also rely on outside information to identify threats. This dynamic, adaptive methodology enables them to detect and defend against complex threats (e.g. insider threat management).

To differentiate between traditional and next-generation firewalls, Gartner defines an NGFW as a deep-packet inspection firewall that goes beyond port/protocol inspection and blocking by integrating application-level inspection, intrusion prevention, and bringing knowledge from outside the firewall.⁷

Table 1: Comparison of next-generation firewalls vs. traditional firewalls

* Stateful inspection involves examining packets in context to ensure that they are part of a legal network connection.

Similarities between traditional firewalls and NGFWs

Traditional firewalls and NGFWs serve similar purposes of securing an organization’s system and information resources. 

Some of the similarities include:

• Static packet filtering squares packets at system network interfaces based on rules, ports, or domains.  
• Dynamic packet filtering verifies the reliability of each firewall connection.
• Network address translation (NAT) applies reconfiguration of the IP addresses in packet headers.
• Virtual private networks (VPNs) to maintain private network security while accessing the internet or other open networks.
• Port address translation enables mapping numerous devices on a LAN to a single IP address. 

The future of NGFWs

New threat circumstances and changing company and information technology (IT) operations will prompt network security administrators to explore NGFW capabilities during their next firewall update cycle.

• NGFW and IPS markets are merging, particularly in enterprise boundary-specific deployment scenarios where the NGFW is encroaching on the market for standalone IPS technologies.

• Most large-scale organizations (~%40) are expected to acquire next-generation firewalls.⁸

Thus, large companies are expected to replace existing traditional firewalls with NGFWs as growing bandwidth requirements and a rising number of successful cyber attacks necessitate firewall upgrades.

For guidance on choosing the right tool or service, check out our data-driven sources: network security policy management (NSPM) tools and incident response tools.

Further reading

• Top 10 Microsegmentation Tools
• Intrusion Prevention: How does it work? & 3 Methods
• Role-based access control (RBAC)  
• Network Segmentation: 6 Benefits & 8 Best Practices
• 80+ Network Security Statistics
• Network Security Policy Management Solutions (NSPM)
• Cybersecurity Risk Management

AIMultiple can assist your organization in finding the right vendor. 

External links

• 1. ”Next Generation Firewall- A Review“. International Journal of Computer Science and Information Technologies. 2016. Retrieved March 26, 2024.
• 2. ”Open Systems Interconnection (OSI) Model“. NotesforMSc. Retrieved March 29, 2024.
• 3. ”Next Generation Firewall- A Review“. Gartner. October 12, 2009. Retrieved March 26, 2024.
• 4. ”Next Generation Firewall- A Review“. Gartner. October 12, 2009. Retrieved March 26, 2024.
• 5. ”Implementation of Web Security using  Packet-Scrutinizing Router“. ResearchGate. February 1, 2021. Retrieved March 26, 2024.
• 6. ”Deep Packet Inspection (DPI)“. Apcon. Retrieved March 29, 2024.
• 7. ”Next-generation Firewalls (NGFWs)“. Gartner. 2017. Retrieved March 26, 2024.
• 8. ”2022 Cyberthreat DefenseReport“. Cyber Edge Group. November 2022. Retrieved March 26, 2024.