Blog post

For 2016, Should We Retire the “Next Generation Firewall”?

By Adam Hils | December 29, 2015 | 2 Comments

SecurityNetwork securitySecurity of Applications and DataTechnology and Emerging Trends

Okay, network security industry – I have a question for you: What does NGFW mean today?

First, a history lesson:

  • When Gartner initially coined the “next-generation firewall in 2003/2004, it had a limited view of which features comprised a NGFW. In “Predicts 2005: Security Focuses on Protection” (archived for Gartner subscribers), we made the following strategic planning assumption: “The majority of leading firewall vendors will offer next-generation firewalls (that is, IPS features) in 2006 (0.8 probability).”
  • By 2009, Gartner had refined its definition of NGFW to include the following aspects:
      • Standard first-generation firewall capabilities
      • Integrated rather than merely colocated network intrusion prevention
      • Application awareness and full stack visibility
      • Extrafirewall intelligence

So, entering 2016, can you name an enterprise firewall which does not have (at least on their data sheets) stateful firewall + intrusion prevention + application and user control + the ability to consume other context/intelligence? And if almost every enterprise firewall vendor can check all these boxes, we must ask ourselves – when does “next-generation” cease to be meaningful to anyone (aside from emotionally-invested vendor firewall marketing teams)?

What new features are required to bolster the relevance of “NGFW”?

  • Cloud-based network sandbox? Maybe, but almost all firewall platforms have them. It is an extra security feature for the platform, however, so probably becomes part of the definition as a necessary table stake for perimeter firewall deployments.
  • Extensions into the public cloud? Perhaps, but many vendors offer virtual versions for AWS, and some already do for Microsoft Azure. And there is nothing extra in security functionality – form factor just changes.
  • East/west microsegmentation in SDN? Again, just a different form factor, not differentiated security.
  • Having endpoint agents from the same vendor? Just no.

In the end, I guess, the term of art really doesn’t matter.

Whether we as an industry retire the term or not, it’s important for firewall customers to understand that many vendors can call themselves “next-generation” legitimately. Customers must do the hard work of determining which features of the NGFW are most important to them, and which vendors deliver those capabilities most effectively.

We firewall analysts have started working on the 2016 update of the “Magic Quadrant for Enterprise Network Firewalls“, where we will attempt to help Gartner clients look beyond (and behind) vendor “next-generation” marketing.



The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • John says:

    Hi Adam

    I think the term NGFW has served its purpose in making companies add more security at the edge, which was much needed. There are now so many different features and functions that we cannot possibly come up with a name for each. So its time to call it what it is – “Enterprise Firewall” but then guide customers as to the different deployment modes and Associated policy/security functions – Edge Firewall (NGFW), Data Center Firewall (DCFW), Internal Segmentation Firewall (ISFW), Carrier Class Firewall (CCF), Virtual Firewall (VFW). The only area that is confusing – Distributed Enterprise who will use the functionality of a SMB UTM Appliances but require Enterprise Scale Management.

    John Maddison
    SVP Products

  • Andrew Plato says:

    NGFW has always been a misleading word. It was just a new way to say UTM when UTM was no longer cool. Firewalls have been evolving and consuming features for 15+ years. So what does a firewall with endpoint control become? A Next Next Generation Firewall II, Electric Boogaloo?

    A BMW and a Kia are both cars, just because a BMW as more features or a better engine does not mean it becomes something other than a car. Its a car. Maybe a better car. But BMW does not get to unilaterally decide “oh, we’re not a caaaaar, we’re a next-generation automotive conveyance machine.” Likewise, firewall vendors do not get to just change the words they use and become a whole new market. They have to actually invent something new.

    The problem here, which we at Anitian have called out for years, is that creating a new word is not the same as creating a new technology. Anybody can invent words. But new technologies are much more hard won.

    I think its time to collapse this market back to what it always was – firewalls.