The Future of the Enterprise Firewall is in The Cloud

The Future of the Enterprise Firewall Is in The Cloud (2)
The Future of the Enterprise Firewall Is in The Cloud (2)
Listen to post:

If you’re like many of the IT leaders we encounter, you’re likely facing a refresh on your firewall appliances or will face one soon enough. And while the standard practice was to exchange one firewall appliance for another, increasingly, enterprises seem to be replacing firewall appliances with firewall-as-a-service (FWaaS).

Yes, that’s probably not news coming from Cato. After all, we’ve seen more than 1,000 enterprises adopt Cato’s FWaaS to secure more than 300,000 mobile users and 15,000 branch offices. And in every one of those deployments, FWaaS displaced firewall appliances.

But it’s not just Cato who’s seeing this change. Last year, Gartner® projected that by 2025, 30% of new distributed branch office firewall deployments would switch to FWaaS, up from less than 5% in 2020.1

And just this week, for the first time, Gartner included Cato in its “Magic QuadrantTM for Network Firewalls” for the FWaaS implementation of a cloud-native SASE architecture, the Cato SASE Cloud.2

What’s Changing for FWaaS

What’s behind this change? FWaaS, and Cato’s FWaaS in particular, eliminates the cost and complexity of buying, evaluating, and upgrading firewall appliances. It also makes keeping security infrastructure up-to-date much easier. Rather than stopping everything and racing to apply new IPS signatures and software patches whenever a zero-day threat is found, Cato’s FWaaS is kept updated automatically by Cato’s engineers.

Most of all, FWaaS is a better fit for the macro trends shaping your enterprise. No matter where users work or resources reside, FWaaS can deliver secure access, easily. By contrast, physical appliances are poorly suited for securing cloud resources, and virtual appliances consume significant cloud resources while requiring the same upkeep as their physical equivalents. And with users working from home, investing in appliances makes little sense. Delivering secure remote access with an office firewall requires backhauling the user’s traffic, increasing latency, and degrading the remote user experience.

Migrating your Datacenter Firewall to the Cloud | Download eBook

Not Just FWaaS, Cloud-Native FWaaS

But to realize those benefits, it’s not enough that a provider delivers FWaaS. The FWaaS must run on a global cloud-native architecture.

FWaaS offerings running on physical or virtual appliances hosted in the cloud mean resource utilization is still locked into the granularity of appliances, increasing their costs to the providers — and ultimately to their customers. Appliances also force IT leaders to think through and pay for high-availability (HA) and failover scenarios. It’s not just about running redundant appliances in the cloud. What happens if the PoPs hosting those appliances fails? How do connecting locations and users failover to alternative PoPs? Does the FWaaS even have sufficient PoP density to support that failover?

By contrast, with a cloud-native FWaaS, the Cato SASE Cloud shares virtual infrastructure in a way that abstracts resource utilization from the underlying technology. The platform is stateless and fully distributed, assigning tunnels to optimum Cato’s Single Pass Cloud Engine (SPACE). The Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the complete set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining.

What are the five attributes of a “cloud-native” platform? Check out this blog post, “The Cloud-Native Network: What It Means and Why It Matters,” for a detailed explanation.

Key to delivering a self-healing and self-maintaining architecture without compromising performance is the geographic footprint of the FWaaS network. Without sufficient PoPs, latency grows as user traffic must first be delivered to a distant PoP and then be carried across the unpredictable Internet. By, contrast the Cato Global Private Backbone underlying Cato’s FWaaS is engineered for zero packet loss, minimal latency, and maximum throughput by including WAN optimization. The backbone interconnects Cato’s more than 65 PoPs worldwide. With so many PoPs, users always have a low-latency path to Cato, even if one PoP should fail.

How much better is the Cato global private backbone? An independent consultant recently tested iPerf performance across Cato, MPLS, and the Internet. Across Cato, iPerf improved by more than 1,300%. Check out the results for yourself here:

Cato SASE Cloud: FWaaS on Steroids and a Whole Lot More

Of course, as a SASE platform, FWaaS is only one of the many services delivered by the Cato SASE Cloud. In addition to a global private backbone that can replace any global MPLS service at a fraction of the cost, Cato’s networking capabilities includes edge SD-WAN, optimized secure remote access, and accelerated cloud datacenter integration.

FWaaS is only one of Cato’s many security services. Other security services include a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), managed IPS-as-a-Service (IPS), and comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.

And, all services are seamlessly and continuously updated by Cato’s dedicated networking and security experts to ensure maximum availability, optimal network performance, and the highest level of protection against emerging threats.

FWaaS: A Better Way to Protect the Enterprise

In our opinion, Gartner expert’s inclusion of Cato SASE Cloud in the Magic Quadrant is recognition of the unique benefits cloud-native FWaaS brings to the enterprise. FWaaS build on appliances simply cannot meet enterprise requirements, not for performance nor uptime. Cato’s cloud-native approach not only made FWaaS possible, but we proved that it can meet the needs of the vast majority of sites and users. Over time, cloud-native FWaaS will become the dominant deployment model for enterprise security.

And Cato isn’t stopping there. Every quarter we expand our backbone, adding more PoPs. All of those PoPs run our complete SASE stack; they don’t just serve as network ingress points where traffic must be sent to yet another PoP for processing. We will also be adding new security services next year not by putting a marketing wrapper around acquired or third-party solutions, but by building them ourselves, directly into the rest of the Cato Cloud. As for EPP and EDR, neither are currently in scope for SASE but both are viable targets for convergence.

Comparing cloud services and boxes is always challenging. Ultimately, enterprises face a trade-off between DIY or consuming the technology as a service. Moving to the cloud alters the cost of ownership, bringing the same agility and power that’s changed how we consume applications, servers, and storage to security.

To better understand how Cato can improve your enterprise, contact us to run a quick proof-of-concept. You won’t be disappointed.


1 Gartner, Critical Capabilities for Network Firewalls, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Adam Hils, Jeremy D’Hoinne, 10 November 2020


2 Gartner, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Jeremy D’Hoinne, Nat Smith, and Adam Hils, 1 November 2021


GARTNER and MAGIC QUADRANT are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.