Definition

A Next-Generation Firewall (NGFW) extends traditional stateful firewall capabilities with application-aware inspection (identifying applications by payload content rather than by port number), integrated intrusion prevention (IPS), URL filtering, SSL/TLS inspection (which requires endpoints to trust the firewall's interception CA), and user identity awareness (via integration with an identity provider, IdP). NGFWs from Palo Alto Networks, Fortinet, Check Point, Cisco, and others dominate enterprise perimeter security. They continue to matter for east-west traffic, data center segmentation, OT/ICS protection, and cases where forwarding traffic to a cloud SWG isn't practical. In SSE / SASE architectures the NGFW role is increasingly delivered as Firewall-as-a-Service (FWaaS), with the cloud SWG handling most outbound web traffic. Symantec does not produce an NGFW; instead, Cloud SWG covers the cloud-delivered web security role.
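As an added illustration (not part of this glossary entry and not code from any NGFW vendor or from Symantec), the following Python script contrasts a port-only stateful rule with the content-based application identification an NGFW performs: it recognises SSH by its banner, HTTP by its request line, and TLS by parsing the SNI out of a ClientHello, then applies a policy that combines user group, application and destination. The flows, the user-to-group map (a stand-in for an IdP lookup) and the rule table are all constructed for the example; the destination patterns stand in for URL-category lookups.

```python
"""Toy NGFW policy engine: identify the application from payload content
(SSH banner, HTTP request line, TLS ClientHello SNI) and apply a rule that
combines user group, application and destination, then compare the verdict
with a plain port-based rule. All flows, users and rules are constructed."""
import fnmatch
import struct
from typing import Optional, Tuple

# Constructed stand-in for an IdP lookup (user -> group); a real NGFW learns this
# from the identity provider or from authentication logs.
USER_GROUPS = {"alice": "engineering", "bob": "finance"}

# Constructed policy: (group, app, destination pattern, action); first match wins.
RULES = [
    ("engineering", "ssh", "*", "allow"),
    ("*", "tls", "*.example.com", "allow"),
    ("*", "tls", "pastebin.example", "deny"),   # stand-in for a URL-category block
    ("*", "http", "*", "allow"),
    ("*", "*", "*", "deny"),
]

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample traffic: minimal TLS ClientHello with an SNI extension."""
    host = server_name.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host             # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, random
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # compression: null only
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host of a TLS ClientHello, or None if this is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                   # 5 record + 4 handshake + 2 version + 32 random
        p += 1 + payload[p]                      # skip session_id
        p += 2 + struct.unpack_from("!H", payload, p)[0]   # skip cipher_suites
        p += 1 + payload[p]                      # skip compression_methods
        end = p + 2 + struct.unpack_from("!H", payload, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            p += 4
            if etype == 0:                       # server_name extension
                name_len = struct.unpack_from("!H", payload, p + 3)[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def identify_app(payload: bytes) -> Tuple[str, Optional[str]]:
    """Content-based application identification: (app, destination name)."""
    if payload.startswith(b"SSH-"):
        return "ssh", None
    sni = parse_sni(payload)
    if sni is not None:
        return "tls", sni
    lines = payload.split(b"\r\n")
    if lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        host = None
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
        return "http", host
    return "unknown", None

def port_firewall_verdict(dst_port: int, open_ports=(80, 443)) -> str:
    """What a port-only rule decides: it never looks at the payload."""
    return "allow" if dst_port in open_ports else "deny"

def ngfw_verdict(user: str, dst_port: int, payload: bytes) -> Tuple[str, str, Optional[str]]:
    """Application + user identity + destination policy; dst_port is deliberately ignored."""
    app, dest = identify_app(payload)
    group = USER_GROUPS.get(user, "unknown")
    for r_group, r_app, r_dest, action in RULES:
        if (r_group in ("*", group) and r_app in ("*", app)
                and fnmatch.fnmatchcase(dest or "", r_dest)):
            return action, app, dest
    return "deny", app, dest

if __name__ == "__main__":
    SSH = b"SSH-2.0-OpenSSH_9.6\r\n"
    HTTP = b"GET /status HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
    flows = [  # (user, dst_port, payload), all constructed
        ("bob", 443, SSH),                                   # SSH tunnelled over 443
        ("alice", 443, SSH),
        ("bob", 443, build_client_hello("updates.example.com")),
        ("bob", 443, build_client_hello("pastebin.example")),
        ("alice", 8080, HTTP),                               # HTTP on a non-standard port
    ]
    for user, port, payload in flows:
        action, app, dest = ngfw_verdict(user, port, payload)
        print(f"{user:6} :{port:<5} port-rule={port_firewall_verdict(port):5} "
              f"ngfw={action:5} app={app:7} dest={dest}")
```

Running the script shows the gap the definition describes: the port-only rule lets bob's SSH session through because it rides on 443 and blocks alice's HTTP request because it uses 8080, while the content-based engine reaches the opposite verdicts and can still distinguish two TLS flows on the same port by SNI. Note that the SNI is only visible because the ClientHello is sent in clear; for Encrypted ClientHello or for policy on the full URL and response body, a real NGFW has to fall back to TLS inspection.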

Related terms

  • SWG (Secure Web Gateway) - Security service that inspects web traffic for malware, enforces URL policy, and applies content controls - historically on-prem, now cloud-delivered.
  • IPS (Intrusion Prevention System) - Inline security control that detects and blocks network attacks based on signatures and behavioral analysis.
  • IDS (Intrusion Detection System) - Network monitoring system that detects attacks and generates alerts - does not block inline.
  • SASE (Secure Access Service Edge) - Convergence of WAN networking (SD-WAN) and cloud-delivered security services (SWG, CASB, ZTNA, FWaaS) into a single platform.