Next-generation firewalls (NGFWs) ably protect enterprise networks from intrusions and attacks with integrated network security platforms that include in-line deep packet inspection firewalls, intrusion prevention systems (IPSes), application inspection and control, SSL/SSH inspection, website filtering and quality of service/bandwidth management. Once an organization has decided to go this route, choosing the best next-generation firewall for its IT environment can be a challenging process.

Essentially, we have focused on the core areas of any firewall.

  • Application Control. This is what a firewall is for: it is supposed to control network traffic (though with some products you would never guess).
  • Management. This is how you configure the firewall to do the above, and it should be easy.
  • Security Features. This is what a firewall can do beyond basic traffic control: IPS, application inspection, SSL/SSH inspection, web filtering and the like.

UTM (unified threat management) appliances are sometimes marketed as NGFWs, since the two categories overlap heavily in features.

So who are the players? The nine NGFW vendors covered in this article are Check Point, Dell SonicWall, Palo Alto, Cisco, Fortinet, HP TippingPoint, McAfee, Barracuda and Juniper.


  • Check Point pioneered stateful inspection firewalls.
  • Dell SonicWall has patented Reassembly-Free Deep Packet Inspection (RFDPI), which inspects traffic as a stream without first buffering and reassembling packets. It also offers centralized management that lets users deploy, manage and monitor many thousands of firewalls through a single pane of glass.
  • Cisco ASA with FirePOWER Services combines ASA firewall features with FirePOWER threat detection and protection services in a single integrated appliance; Cisco positions this as broader than other vendors' offerings.
  • Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that has its own, as most others OEM this activity. Fortinet also claims that its FortiGate NGFWs deliver up to five times the performance of comparably priced competitor products.
  • HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. Its security-effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
  • McAfee NGFW provides "intelligence-aware" security controls, advanced evasion prevention and a unified software core design.
  • Barracuda claims the lowest total cost of ownership (TCO) in the industry, attributing it to advanced troubleshooting capabilities and smart lifecycle management features built into a highly scalable central management server. Barracuda also claims to be the only vendor that provides NGFW application control and user identity functions for SMBs.
  • Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability (in its SRX 5000 line). The SRX Series is also the first NGFW to deliver automation of firewall functions via JUNOScript and an open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored to their network.

So, on the NSS security-effectiveness results, the leaders are Fortinet and Check Point.

Fortinet's FortiGate 3200D, which tied with Check Point's 13800 NGFW Appliance by scoring 99.6% for first place in NSS's overall security-effectiveness assessment, was the top performer in a special "real-world protocol mix" test designed to mimic the traffic of a real-life data center. Palo Alto's PA-7050 performed only moderately well there.

NSS reports that WatchGuard's XTM 1525 had by far the worst connection rates, with considerably lower throughput and, at times, high latency. Moreover, NSS scored the XTM 1525 at 87.7% in its security-effectiveness tests, leaving it in last place following Cyberoam's software update.


If you want a detailed report on each firewall, get in touch by email.



Check Point: UserCheck denial of service

Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enabled and the (1) Application Control, (2) URL Filtering, (3) DLP, (4) Threat Emulation, (5) Anti-Bot, or (6) Anti-Virus blade is used, allows remote attackers to cause a denial of service (fwk0 process crash, core dump, and restart) via a redirect to the UserCheck page.

Since the trigger is a redirect to the UserCheck page, exposure is limited to gateways running one of the listed blades with UserCheck enabled; on those, a remote attacker can crash the fwk0 process, which core dumps and restarts, and repeated triggering amounts to a sustained denial of service. Administrators of the listed releases should confirm with Check Point whether a fix is available for their version.

Firewall Slowdown in Cyberoam

Clock Signal Degrades Over Time


A problem has been identified with a specific component used in some FortiGate devices, whereby the clock signal may degrade over time.

Subject: Clock Signal Degrades Over Time
Released: 2017-02-15
Modified: 2017-02-15
Product: FortiGate 90E, FortiGate 91E, and FortiHypervisor 90E

The degraded clock signal can lead to system boot failure or operating errors. Devices which use these components have an increased likelihood of needing replacement after about 3 years.


Possibly Affected Products:

In certain instances this component may affect the earliest deliveries of the following products, namely units with the specific part number below AND without the rework (EX4893-xx) yet applied:

FortiGate 90E:           P19061-03
FortiGate 91E:           P19071-03
FortiHypervisor 90E:     P19078-03 *

(* Corrected part number. It was given as P19079-03 in the 2017-02-08 release.)

A unit with one of the above part numbers that carries the rework label EX4893-xx is NOT affected.

To verify the part number and work label:

(1)    The part number can be identified by issuing the "get sys status" command:

FGT90E4Q16000020 # get sys status
Version: FortiGate-90E v5.4.1,build5461,160627 (GA)
--- abbreviated---
System Part-Number: P19061-03

(2)    A rework label with the rework number (EX4893-xx), if applied, can be found on the bottom of the unit alongside the large Fortinet product sticker that shows the model, serial number and other information about the unit.
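For a fleet of devices it is easier to run the part-number check over saved "get sys status" captures than to eyeball each one. The script below is an added example, not Fortinet tooling: it parses the capture format shown above (the Version and System Part-Number lines), compares the part number against the three listed in the bulletin, and records the rework-label status, which must be supplied by hand because the EX4893-xx sticker is physical and not visible from the CLI. The sample capture is constructed from the abbreviated output above; the Serial-Number line in it is assumed for illustration.

```python
"""Flag FortiGate units possibly affected by the clock-signal bulletin.

Added example, not Fortinet's own tooling. Input is the saved output of the
FortiOS CLI command "get sys status" (one capture per device, collected by
whatever means you already use, e.g. SSH). The rework (EX4893-xx) label is a
physical sticker, so its presence is passed in per device after inspection.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Part numbers listed in the bulletin (2017-02-15 corrected values).
AFFECTED_PART_NUMBERS = {
    "P19061-03": "FortiGate 90E",
    "P19071-03": "FortiGate 91E",
    "P19078-03": "FortiHypervisor 90E",
}

# Value printed in error in the 2017-02-08 release, mapped to its correction,
# so a stale copy of the bulletin does not lead anyone astray.
SUPERSEDED_PART_NUMBERS = {"P19079-03": "P19078-03"}

_VERSION_RE = re.compile(r"^Version:\s*(?P<model>\S+)\s+(?P<version>v\S+)", re.M)
_PART_RE = re.compile(r"^System Part-Number:\s*(?P<part>\S+)", re.M)
_SERIAL_RE = re.compile(r"^Serial-Number:\s*(?P<serial>\S+)", re.M)


@dataclass
class Verdict:
    serial: Optional[str]
    model: Optional[str]
    part_number: Optional[str]
    status: str  # "affected", "not_affected" or "unknown"
    reason: str


def parse_sys_status(output: str) -> dict:
    """Extract model, version, serial and part number from a capture."""
    fields = {}
    m = _VERSION_RE.search(output)
    if m:
        fields["model"] = m.group("model")
        fields["version"] = m.group("version")
    m = _PART_RE.search(output)
    if m:
        fields["part_number"] = m.group("part")
    m = _SERIAL_RE.search(output)
    if m:
        fields["serial"] = m.group("serial")
    return fields


def assess(output: str, rework_label_present: Optional[bool] = None) -> Verdict:
    """Decide whether one unit is inside the bulletin's scope.

    rework_label_present: True or False after physically checking the bottom
    of the unit for an EX4893-xx label; None if it has not been checked yet.
    """
    f = parse_sys_status(output)
    serial, model, part = f.get("serial"), f.get("model"), f.get("part_number")
    if part is None:
        return Verdict(serial, model, None, "unknown",
                       "no 'System Part-Number' line in capture")
    if part in SUPERSEDED_PART_NUMBERS:
        return Verdict(serial, model, part, "not_affected",
                       f"{part} appeared only in the 2017-02-08 release; the "
                       f"corrected bulletin lists {SUPERSEDED_PART_NUMBERS[part]}")
    if part not in AFFECTED_PART_NUMBERS:
        return Verdict(serial, model, part, "not_affected",
                       "part number not listed in bulletin")
    if rework_label_present is True:
        return Verdict(serial, model, part, "not_affected",
                       "listed part number but EX4893-xx rework label applied")
    if rework_label_present is False:
        return Verdict(serial, model, part, "affected",
                       f"{AFFECTED_PART_NUMBERS[part]} part number without rework label")
    return Verdict(serial, model, part, "unknown",
                   "listed part number; check unit for EX4893-xx rework label")


# Constructed sample capture modelled on the abbreviated output in the
# bulletin. The Serial-Number line is an assumption for illustration.
SAMPLE_CAPTURE = """\
FGT90E4Q16000020 # get sys status
Version: FortiGate-90E v5.4.1,build5461,160627 (GA)
Serial-Number: FGT90E4Q16000020
System Part-Number: P19061-03
"""

if __name__ == "__main__":
    for label in (None, False, True):
        v = assess(SAMPLE_CAPTURE, rework_label_present=label)
        print(f"{v.serial} {v.model} {v.part_number}: {v.status} ({v.reason})")
```

A unit with a listed part number stays "unknown" until someone has looked at the sticker; only an explicit False turns it into "affected", so the script never declares a device affected on CLI data alone.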



Immediate replacement is not necessary. However, Fortinet stands by its commitments in all active support agreements: wherever there is a covered issue related to the continued operation of these units based on the above, we will work with our supported customers to plan appropriate remedial measures and an appropriate path forward.