Next Generation Firewall

Cloud-based Next Generation Firewall eliminates the appliance lifecycle management

The Next Generation Firewall (NGFW) appliance has been the cornerstone of network security for the past two decades. It applies deep packet inspection (DPI) and multiple security engines to inspect both inbound and outbound traffic and enforce a company’s security policy. The main characteristic of an NGFW is application awareness: the ability to detect applications and enforce policies on application usage based on packet content rather than packet headers (source and destination IP addresses, ports and protocols).

A cloud-based NGFW (also known as Firewall as a Service) delivers a powerful, application-aware, enterprise-grade, elastic and scalable solution without the challenges of legacy appliance-based solutions.

Appliance-based Next Generation Firewall Challenges

Cloud-based Next Generation Firewall

Application awareness adaptation

Slow application awareness adaptation

Next Generation Firewalls detect common network applications based on data flows using DPI. Application IDs that are discovered can then be used in firewall policies for more granular control. Customers must indicate to the firewall vendor when application traffic is not detected or classified and wait for an appropriate signature or patch.

Adaptable application awareness

Cato uses its cloud traffic visibility to quickly extend its detection of new applications without involving the customer. New application identification capabilities are immediately available to all customers.


Fragmented location-bound visibility

Appliances are location-bound and can only inspect the traffic that flows through them. This is why appliance sprawl and backhauling are needed to get inspection and enforcement to where the traffic is.

Full visibility

As all WAN and Internet traffic goes through the Cato Cloud, there are no blind spots and no need to deploy multiple appliances to cover all traffic.


Capacity constrained security

Next Generation Firewalls apply various security engines to the traffic including IPS, anti-malware, URL filtering and more. Running these engines in parallel depends on appliance capacity. Smaller devices, such as UTMs, are limited in their security enforcement due to capacity constraints.

Unrestricted cloud scalability

Cato can inspect any encrypted and unencrypted traffic with all supported security services and no impact on performance. Customers avoid sizing exercises or forced upgrades. Cato ensures there’s capacity so customers receive the full range of security services.


SSL inspection degradation

Next Generation Firewalls need to inspect encrypted (SSL) and unencrypted traffic at line speed. Encrypted traffic places a significant load on the appliance and often creates scalability and performance issues. As the share of SSL traffic increases, forced appliance upgrades often become a necessity.

Full traffic inspection

Cloud-based inspection scales to support all traffic without the need for unplanned or forced upgrades.


Resource intensive appliance management

Distributed Next Generation Firewalls require an appliance at each location, each with its own set of rules. Deviations from a policy template tend to happen over time and increase the likelihood of rule conflicts and security exposure. Furthermore, each appliance's lifecycle has to be managed separately. Appliances must be bought, deployed, configured, patched, updated and ultimately replaced, either due to End of Life (EOL) or business growth.

Self-maintaining cloud service

Without the need to size, upgrade, patch or refresh appliances, customers are relieved of the ongoing grunt work of keeping network security current against emerging threats and evolving business needs.

With the Cato Cloud, enterprises can evolve their network and security infrastructure into a scalable, secure network with full visibility into all traffic, streamlined policy management and complete elimination of the care and feeding associated with on-premise infrastructure.

The Cato Solution:

Cloud-based Next Generation Firewall

Cato provides a new kind of Next Generation Firewall, one that is available everywhere the business does business without the need for discrete appliances. The Cato Cloud aggregates all enterprise traffic across data centers, branches, mobile users, and cloud infrastructure into a cloud network with a built-in Next Generation Firewall. Cato enforces application-aware corporate security policy for WAN- and Internet-bound traffic.


Customer Case-study

Universal Mental Health Services Provides Secure Access to Internet Sites and Cloud Services

“We have eliminated branch security appliances and can now provide optimized connectivity to our datacenter resources, and secure access to Internet sites and cloud services.”
