What Is A Next-generation Firewall (NGFW)? Definition From ...

• Home
• Network security

• Share this item with your network:

By

• Casey Clark, TechTarget
• Sharon Shea, Executive Editor

Published: Jun 02, 2025

A next-generation firewall (NGFW) is a network security device that combines traditional firewall capabilities with advanced features to detect and block sophisticated cyberattacks.

NGFWs are hardware-, software- or cloud-based. They offer traditional firewall features, such as detecting and blocking sophisticated attacks by enforcing security policies at the application, port and protocol levels, as well as the following advanced functions:

• Application awareness.
• Integrated intrusion prevention system (IPS).
• Identity awareness -- enabling user and group control.
• Bridged and routed modes.
• Ability to use external intelligence sources.
• Advanced threat remediation.

Most NGFWs integrate at least three basic functions: enterprise firewall capabilities, IPS functions and application control.

Like the introduction of stateful inspection in traditional firewalls, NGFWs bring additional context to the firewall's decision-making process. This context enables NGFWs to understand the details of web application traffic passing through them and to take action to block traffic that might exploit vulnerabilities.

Next-generation firewall features

NGFWs combine many of the capabilities of traditional firewalls -- including packet filtering, network address translation (NAT) and port address translation (PAT), URL blocking, and virtual private networks (VPNs) -- with quality of service (QoS) functionality and other features not found in traditional firewalls. These include intrusion prevention, SSL and SSH inspection, deep-packet inspection, reputation-based malware detection and application awareness.

These application-specific capabilities help thwart the growing number of application attacks taking place at Layers 4-7 of the OSI network stack.

Benefits of next-generation firewalls

The different features of NGFWs combine to create unique benefits for users. NGFWs can often block malware before it enters a network, something traditional firewalls could not do.

NGFWs are also better equipped to address advanced persistent threats (APTs) because they can integrate with threat intelligence feeds. NGFWs offer a low-cost option for companies trying to improve basic device security using application awareness, inspection services, protection systems and awareness tools.

Challenges of next-generation firewalls

NGFWs are not without difficulties. They can be complicated to set up and maintain, which could require additional skills and expertise from security teams. They might also create an overload of alerts, including false positives, which puts increased pressure on security admins.

NGFWs need to integrate with other security tools, which can increase complexity and create interoperability issues. NGFWs also require integration and constant updates, for example, with threat intelligence feeds, to combat new and evolving threats. The advanced features of NGFWs can also introduce latency and scalability problems.

Additionally, while NGFWs offer more protection than traditional firewalls, they often have higher acquisition, implementation and operational costs.

Next-generation firewall vs. traditional firewall

While both next-generation and traditional firewalls aim to protect an organization's network and data assets, they have several similarities and differences.

The main similarities include static packet filtering to block packets at the point of interface to network traffic. They also both provide stateful packet inspection, network and port address translations, and both can set up VPN connections.

One of the most important differences between the firewalls is that NGFWs offer deep-packet inspection that goes beyond simple port and protocol inspection by inspecting the data carried in network packets. Other key differences are that NGFWs add application-level inspection, intrusion prevention and the ability to act on data provided by threat intelligence services.

NGFWs extend the traditional firewall functionality of NAT, PAT and VPN support to operate both in routed mode -- in which the firewall behaves as a router -- and in transparent mode -- in which the firewall behaves like a bump in the wire when it scans packets -- while also integrating new threat management technologies.

Editor's note: Informa TechTarget editors revised this definition in 2025 to improve the reader experience.

Continue Reading About What is a next-generation firewall (NGFW)?

• The different types of firewalls explained

• How to test firewall rules with Nmap

• The differences between inbound and outbound firewall rules

• Where to place a firewall in an enterprise

• How next-generation firewalls are evolving in a world of AI-enabled cyberattacks

Related Terms

What is an IP address (Internet Protocol address)? An Internet Protocol (IP) address is a unique numerical identifier for every device or network that connects to the internet. See complete definition What is crisis communication? Crisis communication is a strategic approach to corresponding with people and organizations during a disruptive event. See complete definition What is hardware security? Hardware security is vulnerability protection that comes in the form of a physical device rather than software installed on a ... See complete definition

Dig Deeper on Network security

• What is a firewall and why do I need one?

  By: Kinza Yasar

• What is a web application firewall (WAF)? WAF explained

  By: Alexander Gillis

• What is a proxy firewall?

  By: Rahul Awati

• What is unified threat management (UTM)?

  By: Paul Kirvan

Sponsored News

• Three trends driving IT leaders toward Enterprise Data Cloud –Pure Storage
• Exploring Trends Shaping the Future of Specialty Pharmacy –Optum Specialty Fusion
• See More

Vendor Resources

• The 5 Different Types of Firewalls Explained –TechTarget
• 9 essential elements of network security –TechTarget ComputerWeekly.com

Latest TechTarget resources

• Networking
• CIO
• Enterprise Desktop
• Cloud Computing
• Computer Weekly

Search Networking

• What are the different types of network cables?

  The main types of network cables are coax, fiber optics, and shielded and unshielded twisted pair. As enterprises deploy new ...

• Macrocell vs. small cell vs. femtocell: A 5G introduction

  Macrocells, small cells and femtocells each play distinct roles in 5G, balancing coverage, speed, cost and indoor connectivity ...

• What are the features and benefits of 5G technology?

  Increased cellular speed, bandwidth and capacity at lower latencies have made wireless VR and AR practical for business use, ...

Search CIO

• Strategic IT outlook: Tech conferences and events calendar

  Tech conferences are a vital way for CIOs and IT leaders to keep abreast of trends and make real-life connections in a ...

• The 2026 talent reckoning: Beyond degrees and certifications

  Skills, not degrees, will define IT hiring in 2026. CIOs are shifting from degree-based hiring to skills-based strategies, using ...

• From CIO to CEO: Unlocking the entire C-suite

  CIOs can evolve from technology leaders to enterprise strategists, taking on higher C-suite roles by building profit and loss ...

Search Enterprise Desktop

• How to use Windows Check Disk to maintain disk health

  Using built-in Windows tools such as Check Disk and SMART helps organizations reduce risks associated with disk errors, extend ...

• How IT admins can check BIOS or UEFI versions in Windows 11

  Firmware, such as BIOS or UEFI, plays a crucial role in how securely a Windows device starts and operates. Organizations need to ...

• Microsoft opens Copilot agent building to office rank and file

  The battle for desktop agent mindshare heats up. Microsoft is the latest to arm everyday office workers with tools to make their ...

Search Cloud Computing

• Nutanix sovereign cloud hits Broadcom with multi-cloud hook

  Nutanix expands its differentiation from Broadcom with a distributed sovereign cloud approach that supports both self-managed and...

• Plan for repatriation on day one with a hybrid cloud strategy

  In the next 2 years, 87% of orgs plan to repatriate workloads off public cloud. Discover how an exit strategy, paired with hybrid...

• AWS CloudOps hones multi-cloud support for AI, resilience

  Network, observability and Kubernetes management news at re:Invent aligned around themes of multi-cloud scale and resilience amid...

ComputerWeekly.com

• IOWN 2.0 – the next applications for the next-gen network architecture

  Continuing our look at the work of the IOWN project, we find out what use cases the next evolved generation of the infrastructure...

• IOWN advances next-generation network evolution and innovation

  Ending a year in which it celebrated its fifth birthday, the Innovative Optical and Wireless Network project releases details of ...

• Top 10 Post Office scandal stories of 2025

  Here are Computer Weekly’s top 10 Post Office scandal stories of 2025

Close