GLOSSARY · Network
Next-Generation Firewall NGFW
Network firewall that does more than port-and-IP filtering — it inspects application traffic, decrypts and re-inspects TLS, identifies the user making each request, and blocks based on threat intelligence.
Detailed definition
Next-Generation Firewall is the modern evolution of the network firewall. Traditional firewalls filtered at the network layer — port 80 in, port 25 out, this IP allowed, that IP blocked. That model worked when most traffic was identifiable by port and most threats were external. The NGFW adds application awareness, identity awareness, decryption, and threat intelligence on top of that base.
What “next-generation” adds beyond traditional firewalls
- Application identification — recognizes traffic as YouTube, Salesforce, BitTorrent, Tor regardless of port or IP
- User identification — ties each connection to the authenticated user, not just the source IP
- Deep packet inspection — looks inside the encrypted payload (after DPI-SSL decryption) for malware signatures, exfiltration patterns
- DPI-SSL — terminates and re-encrypts TLS in transit so inspection can see encrypted traffic that would otherwise be opaque
- Intrusion prevention (IPS) — signature- and behavior-based detection of known attack patterns
- Cloud-based threat intelligence — real-time updates from a global feed of known-malicious indicators
- Sandboxing — suspicious files captured in transit get detonated in an isolated environment
NGFW in a small-business deployment
SonicWall is what we deploy by default. A typical SMB site gets a SonicWall NSa or TZ-series appliance at the perimeter, configured with:
- DPI-SSL for inspection of encrypted traffic (with cert distribution so users don’t see warnings)
- Capture ATP cloud sandboxing for unknown executables and documents
- Geo-IP blocking for countries with no legitimate business need
- Site-to-site VPN to other branches and SaaS-bridge appliances
- Integration with MFA for any administrative access
See the SonicWall service page for the deployment pattern.
Where NGFW is being supplemented (not replaced) by SASE / ZTNA
For a single-site business, the NGFW model still works fine. For multi-site or heavily-cloud businesses, the box-on-premises model is increasingly being supplemented (or replaced) by SASE — cloud-delivered firewall + ZTNA that doesn’t require traffic to backhaul through a physical appliance. The right answer depends on your topology.
HOW WE HELP
Related Bytes Unlimited services
Need help applying NGFW to your business?
We've done this kind of work across New York. First conversation is free.