10 Must-Have Features of a Next-Gen Firewall (NGFW)

I’ve been in this space long enough to know firewalls are just… firewalls. Just a little wall between your network and the big, bad internet. When Slammer came along back in the early 2000s, I remember well how traditional security models were failing us. Zoom ahead to today — where everything’s connected, threats evolve by the minute, and zero trust is a buzzword (and a must).

So let’s talk NGFWs — what’s important, what’s not, and what you actually need.

Quick Take

• Intrusion Prevention — A firewall should identify and stop threats in real-time.
• VPN & Remote Access — Secure access to the corporate network is a non-negotiable for hybrid work.
• Deep Packet Inspection (DPI) — Prevents attackers from lurking in legitimate traffic.
• Zero Trust Ready — Since perimeter security is dead.
• AI-Powered Security? — Take that claim with a grain of salt.
• Fortinet NGFWs — If you really want to get security, this is one to look at.

Okay, in other words, let us get into the nitty-gritty.

1. Intrusion Prevention (IPS)

Old school firewalls filtered ports and IPs. That was sufficient in those days, but today’s invaders aren’t cracking their way in — they’re slipping in through weaknesses, links in email, and compromised software updates.

An IPS-enabled Next-Gen Firewall may help to:

• Identify and block known attack patterns.
• Discover zero-day exploits (even without a patch yet).
• Use threat intelligence feeds to adjust in real-time.

But here’s the thing — intrusion prevention really isn’t something you can take or leave. If your firewall isn’t actively inspecting for exploits, it’s more or less just a lock on a door that attackers can pick.

(And trust me, having recently upgraded enough banking systems, passive security won’t cut it anymore.)

2. VPN & Remote Access

Remember the days when work took place only inside of an office? Neither do I. Remote work has grown explosively in the last decade, and if your firewall lacks strong VPN and remote access controls, you’re already exposed.

An NGFW should support:

• Secure Remote Connections — SSL VPN and IPsec VPN.
• Multi-factor authentication (MFA) to authenticate users before granting access.
• Zero-trust access policy — being on the VPN does not mean you should see everything we have.

Fun fact — one of the largest breaches I’ve ever examined at a financial institution? It was caused by a compromised VPN account with no MFA. An intruder gained access and wandered at will. Don’t make that mistake.

3. Deep Packet Inspection (DPI)

Today, a firewall that just inspects packets and says something like “Yep, looks like regular old HTTP traffic, allow it” is useless. DPI is crucial because attackers embed malware into legitimate traffic.

Your NGFW can now do the following with Deep Packet Inspection:

• Inspect the entire payload content and not just headers.
• Detect malware, C2 traffic, and data exfiltration.
• Identify risky apps (yes, including encrypted ones like WhatsApp Web).

It’s like checking the ingredients before cooking — not just believing the fancy label.

I recently encountered this when assisting a mid-sized bank in its transition to zero-trust, and they were literally speechless after DPI discovered rogue unauthorized file-sharing taking place within their network. In reality, a well-meaning employee had spun up some convenient cloud storage for backup (translation: easy data leak).

Moral of the story? DPI isn’t optional.

4. PJ Networks’ Fortinet NGFWs

Okay, I’ve dealt with a whole bunch of firewalls over the years — from the original Cisco PIX (if you remember those, you’re as old as me) to new cloud-based solutions. Right now, Fortinet NGFWs shine, especially for companies needing AI-driven threat detection (yup, not a big AI fan, but Fortinet makes a strong case — unlike a lot of AI hype vendors).

Here’s why I trust them:

• Native IPS & Threat Intelligence — Prevents zero-days before they are executed by attackers.
• AI-driven malware detection — Because signature-based protection simply isn’t enough.
• Hardware-accelerated performance — After all, a slow firewall is a security problem, too.
• Better DPI & SSL inspection (Yep, it examines protected traffic too).

And most importantly? It works.

So when I updated those three banks to a zero-trust architecture, Fortinet was what I turned to. The difference was their ability to tightly segment traffic without unnecessarily slowing legitimate activity.

5. Conclusion

Here’s the bottom line:

• No longer just blocking inbound connections.
• You just have to outsmart attackers — they are smarter, and you need to outthink them.
• Fortinet combines IPS, DPI, and zero-trust in their NGFWs.
• If your firewall doesn’t identify exploits, block encrypted malware, or provide secure remote access… it’s a liability, not a defense.

Security is not just one thing; it’s layers, it’s regular, and never assumes your network is safe. (Because, believe me, it is not.)

Now, if you’ll please excuse me, I’m still buzzing from DefCon and have a bunch of hardware hacking experiments to finish! (Also, probably time for a fourth cup of coffee.)