What Is A Next-Generation Firewall (NGFW)? - Cisco

• Skip to content
• Skip to search
• Skip to footer

• Cisco.com Worldwide
• Products and Services
• Solutions
• Support
• Learn
• Explore Cisco
• How to Buy
• Partners Home
• Partner Program
• Support
• Tools
• Find a Cisco Partner
• Meet our Partners
• Become a Cisco Partner

• Products & Services
• Security
• Firewalls

What Is a Next-Generation Firewall?

A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

• NGFW overview (1:21)
• Secure firewall

Contact Cisco

• Get a call from Sales

• Call Sales:

• 1-800-553-6387
• US/CAN | 5am-5pm PT
• Product / Technical Support
• Training & Certification

The Total Economic Impact of Cisco Secure Firewall

Explore the benefits of Secure Firewall in a Forrester study based on interviews with key decision-makers.

• Get the study

What is a next-generation firewall?

A traditional firewall provides stateful inspection of network traffic. It allows or blocks traffic based on state, port, and protocol, and filters traffic based on administrator-defined rules.

A next-generation firewall (NGFW) does this, and so much more. In addition to access control, NGFWs can block modern threats such as advanced malware and application-layer attacks. According to Gartner's definition, a next-generation firewall must include:

• Standard firewall capabilities like stateful inspection
• Integrated intrusion prevention
• Application awareness and control to see and block risky apps
• Threat intelligence sources
• Upgrade paths to include future information feeds
• Techniques to address evolving security threats

What should I look for in a next-generation firewall?

The best next-generation firewalls deliver five core benefits to organizations, from SMBs to enterprises. Make sure your NGFW delivers:

Breach prevention and advanced security

The number-1 job of a firewall should be to prevent breaches and keep your organization safe. But since preventive measures will never be 100% effective, your firewall should also have advanced capabilities to quickly detect advanced malware if it evades your front-line defenses. Invest in a firewall with the following capabilities:

• Prevention to stop attacks before they get inside
• A best-of-breed next-generation IPS built in to spot stealthy threats and stop them fast
• URL filtering to enforce policies on hundreds of millions of URLs
• Built-in sandboxing and Advanced Malware Protection that continuously analyzes file behavior to quickly detect and eliminate threats
• A world-class threat intelligence organization that provides the firewall with the latest intelligence to stop emerging threats

Comprehensive network visibility

You can't protect against what you can't see. You need to monitor what is happening on your network at all times so you can spot bad behavior and stop it fast. Your firewall should provide a holistic view of activity and full contextual awareness to see:

• Threat activity across users, hosts, networks, and devices
• Where and when a threat originated, where else it has been across your extended network, and what it is doing now
• Active applications and websites
• Communications between virtual machines, file transfers, and more

Flexible management and deployment options

Whether you are a small to medium-sized business or a large enterprise, your firewall should meet your unique requirements:

• Management for every use case: Choose from an on-box manager or centralized management across all appliances
• Deploy on-premises or in the cloud using a virtual firewall
• Customize with features that meet your needs: Simply turn on subscriptions to get advanced capabilities
• Choose from a wide range of throughput speeds

Fastest time to detection

The current industry standard time to detect a threat is between 100 to 200 days; that is far too long. A next-generation firewall should be able to:

• Detect threats in seconds
• Detect the presence of a successful breach within hours or minutes
• Prioritize alerts so you can take swift and precise action to eliminate threats
• Make your life easier by deploying consistent policy that's easy to maintain, with automatic enforcement across all the different facets of your organization

Automation and product integrations

Your next-generation firewall should not be a siloed tool. It should communicate and work together with the rest of your security architecture. Choose a firewall that:

• Seamlessly integrates with other tools from the same vendor
• Automatically shares threat information, event data, policy, and contextual information with email, web, endpoint, and network security tools
• Automates security tasks like impact assessment, policy management and tuning, and user identification

Next-generation firewall resources

E-book: Drive Security Resilience with Secure Firewall

Set up a personalized firewall demo

Strengthen your security with Cisco Secure Firewall

Connect with us

• Cisco Secure Firewall
• Threat intelligence blog

Related network security topics

• What Is Malware?
• What Is Ransomware?
• What Is a Cyberattack?
• What Is Data Loss Prevention?
• What Is Endpoint Security?
• What Is a DDoS Attack?
• What Is ZTNA?
• What Is DNS Security?

Follow Us

• Trials
• Demos
• Webinars