What Are the Key Capabilities of an NGFW?

An NGFW has all the capabilities of a traditional firewall, including basic packet filtering, stateful inspection to associate packets to legitimate sessions, and application awareness that allows it to detect and block risky applications. In addition, according to the official Gartner definition, an NGFW provides advanced capabilities including deep packet filtering, intrusion prevention, and threat intelligence. We’ll describe each of these capabilities in more detail below.

  • Packet filtering

    Data transmitted over a network or the Internet is broken down into individual data packets. Because these data packets contain content that is about to enter the network, the firewall checks them and prevents packets that appear to be malicious from entering.

    Packet filtering works by determining the source and destination IP addresses (Layer 3 of the OSI model) and the ports and protocols (Layer 4) associated with each packet. Based on this evaluation, and a set of rules defined by the firewall administrator, the firewall allows or blocks data packets.

    The most common example of packet filtering is when a firewall blocks traffic from any IPs that do not belong to a carefully defined allowlist. Another example is a firewall that blocks traffic from vulnerable protocols, such as Remote Desktop Protocol, or protocols not expected to be used in a business setting, such as BitTorrent.

  • Deep packet inspection (DPI)

    An NGFW improves packet filtering by performing deep packet inspection (DPI). While traditional firewalls could only inspect packets using information available at network Layer 3 and Layer 4, DPI checks both the header and the body of each packet.

    Specifically, DPI checks the packet body for malware signatures and other potential threats. It compares the contents of each packet with the contents of known malicious payloads, and blocks any malicious content it detects. This enables advanced features like malware detection and intrusion prevention.

  • Application Awareness and Control

    An NGFW blocks or allows data packets depending on the application to which they are sent. This is done by analyzing the traffic at network Layer 7 – the application layer. Traditional firewalls do not have this capability because they only analyze Layer 3 and Layer 4 traffic.

    Application awareness allows administrators to block potentially dangerous applications, or vulnerable functions within a trusted application. If malicious application traffic cannot cross the firewall, there is no threat to the network.

  • Intrusion Prevention

    Intrusion prevention analyzes incoming traffic, identifies known and potential threats, and blocks them. An NGFW provides intrusion prevention as part of its DPI capabilities. While analyzing the content of packets, the NGFW can detect threats using:

    Signature detection – scans the information in incoming packets and compares it to known threats.

    Anomaly detection – scans traffic to detect anomalous changes in behavior compared to a known baseline.

    Stateful protocol analysis – analyzes activity over a specific network protocol and compares it to normal protocol usage.

  • Threat intelligence

    Threat intelligence gives the NGFW information about potential attacks. Attack methods and malware inventories continuously update, and fresh threat intelligence is essential to block new attacks. NGFWs can consume threat intelligence from external sources and respond to new attacks advertised by those sources.

    Threat intelligence provides an NGFW with IP reputation information, allowing it to identify IP addresses that were used for malicious activity. The NGFW can then dynamically block these IP addresses.
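The capabilities above can be seen side by side in a short sketch. This is an added example, not Cato's code or any vendor's implementation: it evaluates one packet against Layer 3/4 rules (allowlist, RDP denied), a Layer 7 payload signature, and an IP reputation feed with expiry. The policy, addresses (documentation ranges), feed entry and function names are all constructed, and payload matching is done on a single packet rather than a reassembled stream.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:  # constructed, simplified view of one inbound packet
    src: str
    proto: str
    dst_port: int
    payload: bytes

# Hypothetical policy; all addresses are documentation ranges.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
DENIED_SERVICES = {("tcp", 3389)}  # Remote Desktop Protocol
# Layer 7: the BitTorrent peer handshake begins with 0x13 "BitTorrent protocol".
APP_SIGNATURES = {"bittorrent": b"\x13BitTorrent protocol"}
BLOCKED_APPS = {"bittorrent"}
# Threat-intelligence feed: network -> expiry timestamp (constructed).
REPUTATION = {ipaddress.ip_network("203.0.113.66/32"): 2000}

def l3_l4_filter(pkt):
    """Traditional packet filter: sees addresses, protocol and port only."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in ALLOWLIST):
        return "block: source not in allowlist"
    if (pkt.proto, pkt.dst_port) in DENIED_SERVICES:
        return "block: service denied"
    return "allow"

def identify_app(payload):
    """Match the start of the payload against known application signatures."""
    for app, sig in APP_SIGNATURES.items():
        if payload.startswith(sig):
            return app
    return None

def ngfw_verdict(pkt, now):
    """Reputation first, then Layer 3/4 rules, then payload inspection."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net and now < exp for net, exp in REPUTATION.items()):
        return "block: bad IP reputation"
    verdict = l3_l4_filter(pkt)
    if verdict != "allow":
        return verdict
    app = identify_app(pkt.payload)
    if app in BLOCKED_APPS:
        return f"block: application {app}"
    return "allow"

# Constructed sample: BitTorrent handshake sent to port 443 from an allowed IP.
TORRENT = Packet("203.0.113.10", "tcp", 443, b"\x13BitTorrent protocol" + bytes(8))
```

The sample packet passes `l3_l4_filter` because its addresses and port are permitted, while `ngfw_verdict` blocks it on the payload; the reputation entry stops matching once `now` passes its expiry, which is why stale feeds need refreshing.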

The Cato Solution: Cloud-native Next Generation Firewall

Cato delivers Next Generation Firewall as a service (FWaaS), one that is available everywhere the business does business, without the need for discrete appliances. Cato Cloud, the world’s first SASE platform, converges all networking and security functions into a single service, built on a global private cloud of 65+ PoPs.

Cato Cloud aggregates all enterprise traffic across datacenters, branches, mobile users, and cloud infrastructure into a cloud network with built-in NGFW. Cato enforces application-aware corporate security policy for WAN- and Internet-bound traffic.

"Cato firewall is much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach."
Todd Park,
VP of Information Technology, W&W-AFCO Steel


Complicated and Time-Consuming Appliance Management

Appliance-based security inherently entails distributed deployments and disparate security policies. As a result, IT is forced to allocate valuable time and effort to manage the network life cycle, including manually sizing, deploying, configuring, patching and upgrading firewall appliances across multiple sites.

Cato Solution

Centrally Managed with Unified Application-Aware Security Policy

Cato connects the entire organization to a single, logical global NGFW with a unified application-aware security policy. Maintenance of the service is handled by Cato, so IT can manage security without wasting time on manually handling multiple firewall appliances, their software, and configuration.

Traditional Solutions vs. Cato Solution



Application awareness

low Application Awareness

NGFW detects common network applications based on data flows using DPI. Application IDs that are discovered are used in firewall policies for more granular control. Yet, customers must indicate to the firewall vendor when application traffic isn’t detected or classified and then have to wait for an appropriate signature or patch.

Adaptable Application Awareness

Cato uses its cloud traffic visibility to quickly extend its detection of new applications without involving the customer. New application identification capabilities are immediately available to all customers.


Fragmented Location-bound Visibility

Appliances are location-bound and can only inspect the traffic that flows through them. This is why appliance sprawl and backhauling are needed to get inspection and enforcement to where the traffic is.

Full Visibility

Cato has full visibility into the entire network as all WAN and Internet traffic goes through the Cato Cloud. There are no blind spots or need to deploy multiple appliances to cover all traffic.


Resource Intensive Appliance Management

Distributed NGFWs require an appliance at each location, with its own set of rules. Over time policies tend to change, increasing the likelihood of rule conflict and security exposure. Furthermore, each appliance lifecycle has to be managed separately. Appliances must be bought, deployed, configured, patched, updated and ultimately replaced either due to an End of Life (EOL) or business growth.

Self-maintaining Cloud Service

With Cato, NGFW is centrally managed with a unified application-aware security policy. This eliminates the need to size, upgrade, patch or refresh appliances, so customers are relieved of the ongoing grunt work of keeping network security up-to-date against emerging threats and evolving business needs.

Cato Networks recognized 12x by Gartner

  • Gartner Market Guide for Managed SD-WAN Services
  • Gartner Market Guide for Virtual Private Networks
  • Gartner Market Guide for Zero Trust Network Access
  • Hype Cycle for Business Continuity Management and IT Resilience, 2021
  • Gartner Hype Cycle for Enterprise Networking, 2021
  • Gartner Hype Cycle for Cloud Security, 2021
  • Gartner Hype Cycle for Midsize Enterprises, 2021
  • Gartner Hype Cycle for Threat-Facing Technologies, 2019
  • Gartner Hype Cycle for Edge Computing, 2021
  • Gartner Hype Cycle for Network Security, 2021
  • Gartner Hype Cycle for Workplace Infrastructure and Operations, 2021
  • Gartner Hype Cycle for Cloud Computing, 2021

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose