Next Generation Firewall (NGFW)

NGFW has been the cornerstone of network security for the past two decades. It applies deep packet inspection (DPI) and multiple security engines to inspect both inbound and outbound traffic and enforce a company’s security policy.

The main characteristic of an NGFW is application awareness: the ability to detect and enforce policies on application usage based on packet content rather than packet headers (source and destination IP addresses, ports, and protocols).

Legacy networks with SD-WAN appliances don’t address security needs and, to achieve the functionality of NGFW, enterprises need to install discrete appliances at the network edge, adding complexity to network management and maintenance. A cloud-native NGFW delivers a powerful, application-aware, enterprise-grade, elastic and scalable solution without the challenges of legacy appliance-based solutions.

The Cato Solution: Cloud-native Next Generation Firewall

Cato delivers Next Generation Firewall as a service (FWaaS), one that is available everywhere the business does business, without the need for discrete appliances. Cato Cloud, the world’s first SASE platform, converges all networking and security functions into a single service, built on a global private cloud of 65+ PoPs.

Cato Cloud aggregates all enterprise traffic across datacenters, branches, mobile users, and cloud infrastructure into a cloud network with built-in NGFW. Cato enforces application-aware corporate security policy for WAN- and Internet-bound traffic.

“Cato firewall is much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach.”

Todd Park,
VP of Information Technology, W&W-AFCO Steel

Challenge

Complicated and Time-Consuming Appliance Management

Appliance-based security inherently entails distributed deployments and disparate security policies. As a result, IT is forced to allocate valuable time and effort to manage the network life cycle, including manually sizing, deploying, configuring, patching and upgrading firewall appliances across multiple sites.

Cato Solution

Centrally Managed with Unified Application-Aware Security Policy

Cato connects the entire organization to a single, logical global NGFW with a unified application-aware security policy. Maintenance of the service is handled by Cato, so IT can manage security without wasting time on manually handling multiple firewall appliances, their software, and configuration.

Traditional Solutions vs. Cato Solution

Legacy

Cato

Application awareness

Legacy

Low Application Awareness

NGFW detects common network applications based on data flows using DPI. Application IDs that are discovered are used in firewall policies for more granular control. Yet, customers must indicate to the firewall vendor when application traffic isn’t detected or classified and then have to wait for an appropriate signature or patch.

Cato

Adaptable Application Awareness

Cato uses its cloud traffic visibility to quickly extend its detection of new applications without involving the customer. New application identification capabilities are immediately available to all customers.

Visibility

Legacy

Fragmented Location-bound Visibility

Appliances are location-bound and can only inspect the traffic that flows through them. This is why appliance sprawl and backhauling are needed to get inspection and enforcement to where the traffic is.

Cato

Full Visibility

Cato has full visibility into the entire network, as all WAN and Internet traffic goes through the Cato Cloud. There are no blind spots and no need to deploy multiple appliances to cover all traffic.

Capacity

Legacy

Resource Intensive Appliance Management

Distributed NGFWs require an appliance at each location, with its own set of rules. Over time policies tend to change, increasing the likelihood of rule conflict and security exposure. Furthermore, each appliance lifecycle has to be managed separately. Appliances must be bought, deployed, configured, patched, updated and ultimately replaced either due to an End of Life (EOL) or business growth.

Cato

Self-maintaining Cloud Service

With Cato, NGFW is centrally managed with a unified application-aware security policy. This eliminates the need to size, upgrade, patch or refresh appliances, and customers are relieved of the ongoing grunt work of keeping network security up-to-date against emerging threats and evolving business needs.
