What is a Next-Generation Firewall (NGFW), and what three key functionalities does it combine?
An NGFW is a modern firewall that combines three previously-separate functions into one box: stateful firewalling + IDS/IPS + application control via Deep Packet Inspection. The "next-gen" label is over 15 years old — today it's just a baseline term for any decent enterprise firewall.
The three core NGFW functions:
| Function | What it does |
|---|---|
| Stateful firewall | Connection-tracking, port/protocol-based rules (Gen 2) |
| IDS/IPS (Intrusion Detection / Prevention) | Pattern-match against known attack signatures (Snort, Suricata-style) |
| Application Control via Deep Packet Inspection | Identify the application (Slack, BitTorrent, Skype) regardless of port |
Additional NGFW features:
- NAT (Network Address Translation)
- URL blocking / web categorization
- SSL/SSH Inspection (TLS interception for visibility)
- Reputation-based malware defense (block known-bad IPs/domains)
- Application Awareness (Palo Alto's App-ID, Fortinet's AppCtrl)
Why "deep packet inspection" matters:
Stateful FW sees: TCP/443 to 192.0.2.5 → "allowed HTTPS"
NGFW (DPI) sees: TCP/443 to 192.0.2.5 → "allowed HTTPS"
TLS SNI: torrent.bad.com → "BLOCK — torrent traffic"
HTTP UA: BitTorrent/7.10 → confirms identification
DPI inspects inside the packet payload (above L4) — even on encrypted traffic, the SNI in the TLS handshake or behavioral fingerprints can identify the application.
The "Web App firewall" rules":
NGFWs can detect and block:
"die Zugriffe blockieren, wenn ein bekanntes Exploit zum Angriff ansetzt"
That is — known exploit signatures (Log4Shell, Heartbleed, specific SQL-injection payloads) are blocked at the FW before they reach the application.
The naming history note:
A common critique: "Ich verwende den Begriff Next-Gen FW nur ungern weil er uralt ist!" — a fair critique. NGFW has been the marketing term since ~2008. Modern equivalents you'll see: "Web Application & API Protection (WAAP)", "Cloud Native Firewall", "SASE" (Secure Access Service Edge). All overlap with NGFW.
Tip: When evaluating an NGFW vendor, check the threat intelligence feed quality (how often signatures update) and TLS inspection performance — these are the real differentiators between cheap and enterprise-grade products.
Go deeper:
Next-generation firewall — Wikipedia — pins down what actually distinguishes NGFW from stateful inspection: inline DPI, application control, and integrated IPS.