LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a Next-Generation Firewall (NGFW), and what three key functionalities does it combine?

An NGFW is a modern firewall that combines three previously-separate functions into one box: stateful firewalling + IDS/IPS + application control via Deep Packet Inspection. The "next-gen" label is over 15 years old — today it's just a baseline term for any decent enterprise firewall.

The three core NGFW functions:

Function What it does
Stateful firewall Connection-tracking, port/protocol-based rules (Gen 2)
IDS/IPS (Intrusion Detection / Prevention) Pattern-match against known attack signatures (Snort, Suricata-style)
Application Control via Deep Packet Inspection Identify the application (Slack, BitTorrent, Skype) regardless of port

Additional NGFW features:

  • NAT (Network Address Translation)
  • URL blocking / web categorization
  • SSL/SSH Inspection (TLS interception for visibility)
  • Reputation-based malware defense (block known-bad IPs/domains)
  • Application Awareness (Palo Alto's App-ID, Fortinet's AppCtrl)

Why "deep packet inspection" matters:

Stateful FW sees:  TCP/443 to 192.0.2.5      → "allowed HTTPS"
NGFW (DPI) sees:  TCP/443 to 192.0.2.5      → "allowed HTTPS"
                  TLS SNI: torrent.bad.com   → "BLOCK — torrent traffic"
                  HTTP UA: BitTorrent/7.10   → confirms identification

DPI inspects inside the packet payload (above L4) — even on encrypted traffic, the SNI in the TLS handshake or behavioral fingerprints can identify the application.

The "Web App firewall" rules":

NGFWs can detect and block:

"die Zugriffe blockieren, wenn ein bekanntes Exploit zum Angriff ansetzt"

That is — known exploit signatures (Log4Shell, Heartbleed, specific SQL-injection payloads) are blocked at the FW before they reach the application.

The naming history note:

A common critique: "Ich verwende den Begriff Next-Gen FW nur ungern weil er uralt ist!" — a fair critique. NGFW has been the marketing term since ~2008. Modern equivalents you'll see: "Web Application & API Protection (WAAP)", "Cloud Native Firewall", "SASE" (Secure Access Service Edge). All overlap with NGFW.

Tip: When evaluating an NGFW vendor, check the threat intelligence feed quality (how often signatures update) and TLS inspection performance — these are the real differentiators between cheap and enterprise-grade products.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026