Latest News

DNS vs URL Filtering - What’s the Difference and Why it Matters.

Cyberattacks often begin with a single click. That’s why content filtering is more critical than ever in today’s digital landscape. But not all filtering technologies are the same and understanding the difference between DNS and URL filtering can help your organization build a smarter, layered security strategy for web access.

What is DNS Filtering?

DNS filtering works at the Domain Name System (DNS) level. This is the same system that translates a website (like linkedin.com) into the IP address your device uses to connect.

When DNS filtering is enabled, requests for malicious, risk, or non-compliant domains are blocked before a full connection is established.

Benefits of DNS Filtering:

• Fast and lightweight – stops threats before a page even loads
• Great for remote/hybrid work – protection travels with users
• Broad protection – blocks entire domains known for hosting malware, phishing, or botnets

What is URL Filtering?

URL filtering goes deeper. It analyzes the full web address (URL), including the specific page, folder, or file path, after DNS resolution.

This allows organizations to enforce more granular web access policies and send the entire URL for more in-depth evaluation.

Benefits of URL Filtering:

• Granular control – Send specific pages for further risk-based evaluation (e.g., example.com/ sports/basketball)
• Advanced Threat Protection – Stops users from accessing compromised subpages or dangerous downloads on otherwise “safe” domains

Why You Need Both

DNS filtering is your first line of defense by keeping users from even reaching known bad destinations. URL filtering is your second layer which analyzes deeper content on the fly to catch what DNS filtering didn’t.

Together they give you:

• Comprehensive threat coverage to prevent data loss and breaches
• Flexible policy-based controls based on user groups • A layered security approach that’s secures web access wherever your users are

The NSa 2800 and NSa 3800 are the next models due to be available in stock. These will replace the NSa 2700 and NSa 3700 respectively.

What is SonicWall NSa 2800 / NSa 3800?

The SonicWall NSa 2800 and NSa 3800 are high-performance next-generation firewalls (NGFWs) designed for medium to large enterprises, delivering best-in-class security efficacy, scalable performance, and simplified management at a low TCO. Built to handle high-speed encrypted traffic and advanced threat protection, these firewalls provide intrusion prevention, anti-malware, content filtering, and application control without compromising performance. With enterprise-grade security, secure SD-WAN, and cloud-based management, the NSa 2800 and NSa 3800 ensure seamless protection across distributed environments, reducing operational complexity and security costs. Get industry-leading security and efficiency while optimizing your cybersecurity investment.

Key Features:

• Cloud / Centralized Management (NSM) included
• Multiple licensing models
• Better TCO
• Best-in-class Threat Protection Throughput
• Zero-touch Provisioning and Simplified Management
• Zero-Trust Edge Support

Hardware, Deployment, Licensing & Support

How many ports are on the NSa2800 and NSa3800?

SonicWall NSa2800 has 16 x 1G Copper / Ethernet Interfaces and 3 x 10G SFP+ Interfaces, a total of 19 ports, along with a dedicated Management port and a Console port.

SonicWall NSa3800 has 24 x 1G Copper/Ethernet Interfaces and10 x 10 SFP+ Interfaces, a total of 34 ports, and a dedicated Management port and Console port.

Does NSa 2800/3800 have support for Redundant Power Supply?

Yes, both NSa2800 and NSa3800 support an optional Redundant power supply.

Do NSa2800 and NSa3800 support Cellular dongles?

Yes, SonicWall NSa2800 and NSa3800 support USB Cellular dongles – USB Type-A

Does the SonicWall Express App support SonicWall NSa2800 and NSa3800?

Yes, the SonicExpress mobile application supports the new SonicWall NSa2800 and NSa3800.

What are the new licensing options available with NSa2800 and NSa3800?

NSa2800 and NSa3800 can be purchased with three licensing tiers/bundles: EPSS- Essential Protection Service Suite, Advanced Protection Service Suite-APSS, and Managed Protection Service Suite-MPSS.

Both NSa2800 and NSa3800 can be purchased as hardware-only SKUs. Unlike the SonicWall TZ80, no subscription is necessary for them to function. However, we highly recommend licensing security services.

SonicWall NSa2800 and NSa3800 now include Centralized Management with every Support SKU, giving you seamless centralized configuration, change management, and zero-touch deployment—all at no extra cost! Simplify security, reduce IT overhead, and gain enterprise-level visibility with ease.

The following table provides detailed features for each of the service subscription licenses.

Table:1

+ Optional SKUs are available as add-ons or A-la-Carte for specific features/functions.

Settings Migration

Is a migration tool available for NSa2800 and NSa3800?

No, it is not required. The SonicWall NSa2800 and NSa3800 support migrating in-product / on-box settings from:

Export the settings/ EXP file from NSa2600/NSa2700 to NSa2800

Export the settings/ EXP file from NSa3600/NSa3650/NSa3700 to NSa 3800

With the introduction of NSM 3.0, we have a migration application on NSM that supports converting EXP/settings files from NSa2600/NSa2650 onto NSa2800.

Which models are supported for on-box migration experience on NSa2800 and NSa3800?

NSa2800 supports in-product / on-box migration experience from NSa2600 and NSa2700 firewall models running the latest software versions like 6.5.4.13-105n/above and 7.0.1-5145/above

What configurations are not supported during the migration?

Interfaces like U1, VLAN, WLAN, and Tunnel are not supported during the migration. We recommend performing export/import for simple settings migration cases for bulk settings migration assistance, such as address objects, address groups, service objects, service groups, access rules, NAT Policies, and Route Policies. An error is displayed for all unsupported migrations.

Note: The above-listed limitations will not apply when migrating settings from a NSa2700 to NSa2800 and a NSa3700 to NSa3800.

Cloud Management, Reporting and Analytics

Which version of NSM can manage NSa2800 and NSa3800?

NSM version 3.0 and above can manage the NSa2800 and NSa3800 firewalls.

Do I need to pay for Cloud / Centralized management separately?

The support SKU or the EPSS, the APSS or MPSS license bundle includes cloud management at no additional cost. The APSS and MPSS bundles also include advanced reporting and analytics. Please refer to Table 1 for more details.

What cloud management services are included in each of the bundles?

NSa2800 and NSa3800 Support SKU include Support and Cloud Management with 7-day alerting. 7-day alerting refers to firewall UP/DOWN event reporting.

EPSS includes selective security services with 7 days of Basic Reporting.

APSS includes all the security services with Advanced cloud reporting and analytics for 7 days of data.

MPSS includes all security services, firewall-managed services, and 30 days of Advanced cloud reporting and analytics.

Are the flex packages available for cloud reporting?

We offer flex packages to add 30/90/365 days of Advanced Analytics and Reporting.

What is new in NSM 3.0?

NSM 3.0 brings in exciting new features. Please refer to the NSM 3.0 FAQ for more details:https://www.sonicwall.com/support/knowledge-base/250425105502713

Orderability & Activation

Is subscription mandatory for NSa2800 and NSa3800 to operate?

No, SonicWall NSa2800 and NSa3800 will operate as designed, even without any active service on the firewall, though this is not recommended.

What licenses besides EPSS, APSS, and MPSS hardware bundles are available?

Renewal SKUs for EPSS, APSS, MPSS, and flex SKUs for NSM Advanced reporting and analytics are available.

Customer Loyalty & Technology Migration Programs

Are NSa2800 and NSa3800 part of the Customer Loyalty Program?

Yes, buyers can use Secure Upgrade Plus to upgrade from their legacy firewalls to NSa2800/NSa3800 and qualify for special offers.

Are NSa2800 and NSa3800 of the SonicProtect Subscription Program?

Businesses can leverage SonicProtect Subscription on the 2600/3600 firewalls and upgrade to NSa2800/NSa3800 to enable cost protection and lock prices on multi-year APSS services.

Is 3&Free available for NSa2800 and NSa3800?

Yes, buyers can leverage the 3&Free promotional program with Cloud Secure Edge (CSE).

Raised Gen 6/6.5 renewal pricing: Announced 10th February, effective 1st May. 20% price increase on Gen 6/6.5 renewal SKUs. Please note that this is just a notification and will not be effective until May.

Gen 6 firewalls were launched in 2013 and Gen 6.5 firewalls launched in 2017 and are both approaching the end of support. Price adjustments are necessary for these appliances due to inflationary, logistical, and operational costs associated with maintaining legacy products.

Beat the increase and buy renewals before 1st May, or upgrade to a new Gen 7.

Subscriptions

Upgrades

How our more advanced DNS filtering capabilities add a layer of security to help Gen 7 customers avoid malicious websites, filter inappropriate content and improve performance.

With the internet now an integral part of our lives, ensuring a safe and secure online experience has never been more crucial. But as cyber threats continuously evolve and hackers grow more sophisticated, traditional security measures may no longer suffice. This is where DNS filtering, powered by SonicWall, both emerges as the first line of defense and interlocks with your firewall protection.

As part of the recent SonicOS 7.1 feature release, which focused on increasing threat protection, SonicWall introduced more advanced DNS filtering capabilities than were seen in previous generations. In the past, DNS security was limited to DNS Tunnel Detection and DNS Sinkholes. With the release of SonicOS 7.1, DNS filtering inspects DNS traffic in real time and provides the ability to block threats before they can reach your network.

The Significance of DNS Filtering

Layers of defense are necessary to safeguard critical business assets and information. DNS filtering acts as a robust shield against cyber threats by leveraging SonicWall’s advanced algorithms and real-time updates, which ensure that the latest threats are promptly identified and blocked. The deep packet inspection capabilities in SonicWall NGFWs discovers hidden threats in the headers and contents of data packets, while DNS filtering prevents users from reaching dangerous or unproductive sites and applications.

By accurately separating the harmless from the malicious, our solution fortifies your network, allowing your business to flourish without disruptions caused by cyber threats. Here are the three key ways DNS filtering accomplishes this:

Safeguarding Against Malicious Websites

The number of websites online today is mind-boggling — and some pose serious risks to unsuspecting users. These websites harbor malware, phishing scams and other threats. DNS filtering acts as a critical shield, intercepting users' DNS requests and cross-referencing them against a database of known malicious domains. By doing so, it effectively blocks users from accessing these suspicious websites, thus securing them from potential harm.

With DNS filtering, you can:

• Prevent inadvertent encounters with malicious websites
• Mitigate identity theft, financial loss, and the compromise of sensitive information
• Proactively block access to known malicious domains, reducing the risk of malware infections and other cyberattacks

Filtering Inappropriate Content

Apart from protecting against malicious websites, DNS filtering also serves as an effective means of filtering out inappropriate content. This aspect is particularly essential for those charged with safeguarding children and maintaining a safe online environment. DNS filtering empowers schools, parents and other guardians to establish filters that restrict access to adult content, violence and other unsuitable material. This feature provides peace of mind and cultivates a more nurturing online experience for kids and teens.

With DNS filtering, you can:

• Gain an additional layer of protection by blocking access to websites hosting explicit content, violence, or objectionable material
• Personalize filters to align with a specific set of needs or values, ensuring children are shielded from inappropriate content while ensuring access to age-appropriate materials relevant to coursework

Enhancing Network Performance

Another advantage of DNS filtering is its positive impact on network performance. By blocking access to unnecessary or undesirable websites, it reduces bandwidth consumption and optimizes internet speeds. This proves particularly beneficial in corporate environments, where unknowingly accessing sites can jeopardize network performance and security.

DNS filtering guarantees that only necessary and trusted websites are accessible, promoting a more efficient utilization of network resources.

With DNS filtering, you can:

• Prevent access to websites that consume excessive bandwidth or pose security risks
• Maximize internet speeds for critical tasks and applications

In conclusion, DNS filtering, supported by robust SonicWall capabilities, plays a vital role in maintaining a secure and productive online environment. By safeguarding against malicious websites, filtering inappropriate content and improving network performance, DNS filtering offers immense benefits to both individuals and organizations. In an era where cyber threats continue to grow in sophistication, DNS filtering offers a proactive way to combat potential risks.

Take Action Now: Deploy DNS Filtering Service

Don’t let cyber threats hinder your business potential. Secure your online journey today with our DNS Filtering Service, backed by the top-notch protection and unparalleled ease of use SonicWall is known for.

SonicWall’s 3 & Free promotion is here to stay and now includes Cloud Secure Edge (CSE) licenses along with free Gen 7 next-generation firewalls. When you purchase any 3-year Advanced Protection Services Suite (APSS) or Essential Protection Services Suite (EPSS), you get more than just cutting-edge firewalls for free —you also gain access to comprehensive protection from evolving modern threats, both inside and outside your network with CSE.

As today’s businesses rely more heavily on cloud environments and mobile devices, traditional security models based on perimeter defenses are no longer sufficient. CSE offers a transformative approach, replacing outdated VPN and network security methods. This cloud-delivered solution offers seamless, secure access to resources from any device, anywhere, without sacrificing performance or user experience. With CSE, SonicWall empowers your organization to embrace mobility and cloud adoption.

Now with each and every firewall from SonicWall, CSE seamlessly enables your users to securely access any resource from any device regardless of their physical location. Whether your users are working remotely, on the go, or within your organization’s premises, CSE ensures reliable and secure access, all while protecting against web-based and device threats.

Take advantage of SonicWall’s industry-leading Secure Service Edge (SSE) solution and secure your users no matter where they are. With the 3 & Free promotion now including CSE, it’s easier than ever to protect your network and workforce in today’s digital landscape.

Cloud Secure Edge User License Count

Datasheet: https://www.sonicwall.com/resources/datasheet/3-free-program

We, at SonicWall-Sales.com wishes everyone a very happy Christmas and prosperous New Year.

This year we will be running a reduced service between Christmas and the New Year. For hardware orders, the main warehouse is operating as follows:

Thank you to all our customers for a great 2024 together. We're going to be here for you again in 2025!

SONICWALL TZ80 IN STOCK >>>

SonicWall TZ80 Overview

SonicWall TZ80 is the perfect-fit subscription-based NGFW for small offices & home offices (SOHO). The firewall delivers high-security efficacy at a low TCO, the flexibility to meet changing security needs, rapid time-to-value, and a strong security posture. With best-in-class threat protection throughput, TZ80 creates a strong return on investment. Businesses can also transition from enabling basic secure connectivity to advanced protection, matching their dynamic security requirements. The firewall supports Zero Trust Access by Cloud Secure Edge integration, enabling authenticated access of private resources behind the firewall. TZ80 also drives quick onboarding and ease-of-use via zero-touch provisioning and simplified management.

TZ80 delivers:

• Superior encrypted threat prevention and performance
• Low TCO through ease of deployment and single pane of glass management
• Real-time network control and visibility while maintaining

How does SonicWall TZ80 security work?

TZ80 addresses the growing trends in hybrid and remote workplaces, multi-cloud deployments, perimeter-less network security, IoT or connected devices, and compact form-factor appliances. TZ80 delivers a solution that meets the need for automated, real-time breach detection and prevention with a best in-class threat protection performance and high reliability platform.

Benefits

• Better TCO on firewall inspection throughput
• Best-in-class threat protection throughput
• Licensing models for secure connectivity, advanced threat protection and managed protection services
• Zero-touch provisioning
• Remote and automatic configuration
• Bulk provisioning
• Harmonize on-box and cloud management UI/UX
• Rich monitoring and reporting features
• Support zero-trust with integrated Cloud Secure Connector

Why TZ80?

• Low total cost of ownership, small form-factor – ideal for rural broadband, SOHO, IoT, events and hospitality, store-in-store deployments
• No performance impact with advanced threat protection and VPN services
• 2.5x to 4x performance improvements over legacy SOHO offerings
• Scalable SaaS management with model configuration template
• Automated synchronization between on-box and Cloud management
• Comprehensive reporting and analytics
• Zero-touch deployment
• Consistent performance and high reliability
• ZTNA & SSE support

Use Cases

• Small office, home office (SOHO) - The hybrid and remote workplace environment needs to secure connectivity, and seamless zero trust access. TZ80 combines SD-WAN and Zero Trust Network Access (ZTNA) capabilities to enable threat prevention, secure connectivity, and secure private application access.
• IoT Gateway - The hybrid and remote workplace environment needs to secure connectivity, and easy zero trust access. IoT devices are not usually designed with security in mind but are usually used in communications on untrusted cellular and wireless networks. TZ80 can secure the IoT deployments with its threat protection, performance and SD-WAN and scalable management capabilities.
• MicroSMB - MicroSMBs face budget constraints to protect against malware and other cyberthreats. They also run the risk of being part of a supply chain attack. TZ80, with a low TCO, allows for micro and macro network segmentation, and use DPI to detect and block malicious traffic.
• Rural broadband - Businesses in rural broadband environments are not immune to cyberthreats. The remote landscape plus skill gap and high costs of maintaining secure infrastructure renders them even more vulnerable. TZ80 with its best in class threat protection and performance, and centralized management.
• Events & Hospitality - Conferences require east-west and north-south secure connectivity for their exhibitions and booths. They also need rapid security deployment. TZ80 allows simplified deployment for a micro-perimeter security and zero trust access to private networks and applications.
• Service Providers - Service Providers for retail, healthcare, financial services, hospitality (including restaurants) and public safety. Transportation and trade shows, managing remote users and with a remote workforce require an easy-to-manage and easy-to-deploy security solution. TZ80 supports NSM 2.6 and above to deliver zero touch provisioning and bulk management for ease-of-management.
• Other use-cases: Pop-up stores, short-term offices or meeting centres, interactive kiosks (store within a store), storage spaces and remote or mobile workforce.

Licensing Model

TZ80 is a subscription-based model with 1, 3, and 5-year terms.

SONICWALL TZ80 IN STOCK >>>

From 1st November 2024 SonicWall have increased the Secure Upgrade bundles - both 2 and 3 years by 2% to 5%.

Full list of increases:

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year.

The Support Portal enables you to:

• View knowledge base articles and technical documentation
• View and participate in the Community Forum discussions
• View video tutorials
• Access MySonicWall
• Learn about SonicWall professional services
• Review SonicWall Support services and warranty information
• Register at SonicWall University for training and certification

SonicWall’s Product Security Incident Response Team (PSIRT) team has identified and confirmed a critical vulnerability in certain older versions of its firewall firmware, and we want to ensure that you are aware and prepared to mitigate any potential risks. We have released a new firmware update that includes important security fixes.

‌KB Article: https://www.sonicwall.com/support/knowledge-base/p...

‌As part of SonicWall’s commitment to be fully transparent this is a communication notifying impacted customers that there is evidence of active exploitation of the vulnerability. SonicWall strongly advises SonicWall SOHO (Gen 5), Gen 6 and Gen 7 devices running SonicOS 7.0.1-5035 and previous versions to ensure that all access controls are correctly configured according to SonicWall's best practices. To minimize potential impact please restrict firewall management access to trusted sources or disable firewall WAN management access from Internet sources, then apply the patch as soon as possible. If you have any further questions on restricting/disabling WAN management access or require additional information, please contact your Authorized SonicWall Partner or SonicWall Technical Support.

More information on how to

do this can be found here: https://www.sonicwall.com/support/knowledge-base/h....

Evolution of the Firewall

Cybercrime has undergone a radical transformation in the past two decades, and fortunately, firewalls have evolved in tandem. Modern next-generation firewalls come equipped with a diverse range of advanced security controls, deliver significantly enhanced performance, and offer a wide array of form factors. How do the latest generation of firewalls stack up against their predecessors? Let’s examine:

Access Control Lists (ACLs) or Stateless Firewall

Network ACLs have existed for a long time. They are used to filter network traffic. With ACLs, traffic can be allowed or denied in both inbound and outbound directions. Network ACLs are typically configured in routers, switches or servers using layer 2 to layer 4 rules based on IP addresses, MAC addresses and ports.

ACLs inspect individual packets but do not inspect flows or maintain state of the flow.

Stateful Firewall

Stateful firewall is different from ACLs or stateless firewall, mainly because they can inspect network connections all the way from layer 2 to layer 7. Stateful firewalls maintain the context of a given connection. This means packets are matched to connections they belong to, offering additional security to prevent hacking techniques like spoofing. Some stateful firewalls can also perform deep packet inspection and can be installed on dedicated hardware.

Zone-Based Firewall (ZBF)

A zone-based firewall is like stateful firewall, except it is configured using more advanced networking concepts. Instead of assigning rules based on connection and interfaces, an administrator would create zones and assign multiple interfaces to those zones. Some of the common zones used are LAN (private or trusted), WAN (public or untrusted) and DMZ (demilitarized zone). Multiple zones can have rules to fully inspect, allow or deny connections.

Unified Threat Management (UTM)

UTM firewalls were originally designed to consolidate multiple stand-alone security controls into a single appliance. Security controls (such as firewall, intrusion prevention, URL filtering and antivirus) are combined into a single operating system and management console. This solution is ideal for small and medium-sized businesses (SMBs) that do not have a big security budget or do not have high performance and scalability requirements.

Next-Generation Firewall (NGFW)

The concept of an NGFW was first defined by Gartner, publisher of the Magic Quadrant for Network Firewalls. NGFWs have the option to add all the security controls that are available in UTMs, as well as advanced controls such as VPN, user control, application control and sandboxing. Apart from advanced security controls, NGFWs are designed to support the high performance and scalability needs of large enterprises. The rest of this document will focus on NGFWs and different factors that enterprises should consider in their buying decision.

Essential NGFW Capabilities

Zone-Based Firewall (ZBF)

ZBFs offer stateful inspection with advanced network security features for large enterprise network infrastructure. A ZBF or stateful firewall is the foundation for any NGFW and a basic requirement to support other features. Choose ZBFs over stateful firewalls for enterprises with large networks, as it is easier to configure and define policies with ZBFs.

Virtual Private Network (VPN)

Distributed enterprises typically have remote branch offices that need secure access to the corporate network. The expansion in work-from-home (WFH) policies has also resulted in an unprecedented rate of employees working remotely. VPNs provide robust, secure access to corporate networks and resources, so it is essential to consider a VPN as part of your NGFW.

It is important to make sure the NGFW provides a comprehensive VPN solution with site-to-site and remote-access encryption. It should include advanced features such as route-based VPN and easy VPN with dynamic routing. A VPN is also important in case you are considering an SD-WAN solution.

VPN configuration should be simple. It needs to be managed from within the NGFW user interface with configuration wizards that provide step-by-step guidance in setting up the VPN tunnels. Enterprises should consider a VPN concentrator at the edge to manage both IPsec and SSL VPN connections.

Intrusion Prevention System

Intrusion Detection and (or) Prevention System (IDS/IPS) was originally developed as a stand-alone solution, which later became part of the NGFW stack. IPS within the NGFW provides an additional layer of needed security by stopping attacks that exploit vulnerabilities. The intrusion detection is done using signatures for known exploits, and is based on anomaly detection.

An IPS within the NGFW can be deployed in detection mode (alert only) or in prevention mode (alert and block). There is no performance penalty for detection mode compared to prevention mode. Initially configure the IPS in detection mode before moving to prevention mode to understand exploits, explore false positives and perform incident responses. An important aspect to look for in an IPS is the threat intelligence feed that keeps the signature database up to date in the NGFW.

Application Control

NGFWs came into fruition with the addition of application control, IPS and URL filtering, forming a single enterprise-class platform. Application Control allows enterprises to define firewall policies based on applications (e.g., Facebook, YouTube, Salesforce) and micro-applications (e.g., chat and IMs). Application Control gives granular control over network traffic based on user identity and email addresses while providing application-layer access control to regulate web browsing, file transfer, email exchange and email attachments. Look at the type of applications that are included in an NGFW database to make sure all the applications that are in use within the enterprise are supported.

Web Control (URL Filtering)

Web Control compares requested websites against a massive database containing millions of rated URLs, IP addresses and domains. It enables administrators to create and apply policies that allow or deny access to websites based on individual or group identity, or by time of day, using pre-defined categories. It also dynamically caches website ratings locally onto the NGFW for instantaneous response times. An NGFW should be able to do URL filtering based on business point of view (block based on category – business) as well as based on security (block based on reputation – security).

Consider NGFWs with threat intelligence feeds that are supported by a world-class research team for IPS, Application Control and Web Control to make sure your NGFW stops the latest threats.

Selecting Advanced NGFW Features

Network and Cloud Sandboxing

For effective zero-day threat protection, enterprises need NGFWs that include malware-analysis technologies and can detect evasive advanced threats. Sandboxing technology scans traffic and extracts suspicious code for analysis, but unlike other NGFW security controls, it also analyzes a broad range of file types and sizes in real time. This enables enterprises to stop zero-day and evasive threats that can slip through other security controls within an NGFW.

Enterprises need to consider solutions that offer both onpremises and cloud-delivered sandboxing based on their performance and privacy needs. This technology should be augmented with global threat intelligence infrastructure that rapidly deploys remediation signatures for newly identified threats to all NGFWs in the enterprise, thus preventing further infiltration.

Enterprises should consider sandboxing technology that examines every byte until the last byte before delivering a final verdict to allow or block. This avoids any false positives or negatives and ensures that highly elusive zero-day threats are blocked.

Multi-instance firewall

Multi-instance is a modern next-generation approach to legacy multi-tenancy that supports multiple firewalls with separate configuration on a single appliance. With this approach, each firewall instance is isolated with dedicated compute resources to avoid resource starvation.

This allows enterprises to use containerized architecture. Enterprises can run multiple independent firewall instances, software versions and configurations on the same hardware without managing different physical appliances.

Dedicated Threat Intelligence

As mentioned earlier, most of the security controls in an NGFW should be augmented by threat intelligence to keep them up-to-date on the latest threats and signatures, among other things. Threat intelligence feeds should be supported by a research team that gathers, analyzes and vets information round the clock and across the globe. Look for vendors with a dedicated team of cybersecurity professionals, advanced machine learning algorithms and security sensors that are spread around the globe to deliver up-to-date threat feeds that automatically block threats in nanoseconds. While looking into threat intelligence in NGFWs, it is important to consider DNS security that protects enterprises against malicious domains.

Networking Requirements

An enterprise-grade platform and operating system are at the core of any physical or virtual NGFW. There are many networking features within the operating system that make a big difference in evaluating and choosing your next NGFW. The following are a few that should be considered in enterprise deployments.

SD-WAN Security

SD-WAN technology allows organizations and enterprises with branch locations to build highly available and higherperformance WANs. By using low-cost internet access (broadband, 4G/5G/LTE, fiber), organizations can costeffectively replace expensive WAN connection technologies such as MPLS with SD-WAN. SD-WAN Security enables distributed enterprises to build high-performing networks across remote sites to protect against cyberattacks.

High Availability/Clustering

NGFWs should support Active/Passive with state synchronization in High Availability mode and Active/Active in clustering mode. It should also support the ability to offload the deep packet inspection load to passive appliance and to boost throughput.

Encrypted Traffic Inspection

This decrypts and inspects TLS/SSL encrypted traffic on the fly, without proxying. It also applies control policies to protect against threats hidden inside encrypted traffic. Enterprises should make sure that the NGFW supports the latest version of encryption protocols, such as TLS 1.3.

Management

Enterprise-wide management of NGFWs is one of the most important considerations. This involves the configuration of NGFWs and usability for day-to-day operations from a single-pane-of-glass console. This console needs to be able to manage most, if not all, security controls across multiple NGFWs deployed on-premises and in the cloud from a central location. Some of the important features that need to be considered are:

Unified Policy: This should provision layer 3 to layer 7 controls in a single rule base on every NGFW, providing admins with a centralized location for configuring policies.

Monitoring: Look for real-time monitoring, reporting and analytics to help troubleshoot, investigate risks and guide smart security policy decisions and actions.

Cloud and on-prem: Configuration and management of NGFWs should be available via the cloud or through an onpremises management system.

Scalability: It should scale to any size organization, managing networks with up to thousands of firewall devices deployed across many locations.

Console: Enterprises should look for an NGFW that uses a single pane of glass to manage all security functions, such as IPS, URL filtering and others, from a single location.

Technology Integration

It is important to consider the type of technology integrations that the NGFW supports. This allows enterprises to protect their existing investments. Some of the technology integrations to consider are:

SIEM: Integration with security incident and event management enables rigorous investigation of cybersecurity threats and examination of anomalous data.

IaaS: It should integrate with all major IaaS providers to support multi-cloud deployments across AWS, Azure or GCP.

Automation: It should enable business process automation through synchronized catalogs, inventories, agreements and tickets.

Zero Trust Network Access (ZTNA): This augments the VPN to provide access to only sanctioned assets and networks while VPN provides layer 3 access.

NGFW Deployments

The three main deployments of NGFWs are based on the environment: physical, virtual and cloud.

Physical: Enterprises should consider physical appliances for on-premises deployments that require high performance and connectivity. Physical appliances can offer more than 100 Gbps throughput and 100 GbE connectivity. Appliances come in various form factors and performance levels for different deployment needs from data centers to remote offices.

Virtual: NGFWs can also be deployed in virtual environments. They can be managed using the same system that is used to manage physical appliances. There are a variety of virtual environments to consider when choosing a virtual appliance. It is important to make sure that your environment is supported.

Cloud: Many companies are moving their data centers and applications to the cloud. NGFWs have evolved to support a variety of private and public clouds, including AWS, Azure, GCP and VMWare. Even if your organization has not yet embraced the cloud, it is important to select a vendor that supports all the major public clouds.

Price-Performance Ratio and Support

Price-Performance Ratio

Apart from security features, price and performance should also be considered. Every vendor has different models that vary widely in performance, and each one has different price points and pricing models. For example, physical appliances may have a one-time big purchase price with a few minor yearly subscriptions, while most cloud firewalls are priced based on a yearly subscription.

Before getting into price/performance analysis, it is important to know the projected three-year or five-year total cost of ownership (TCO). Most vendors do not have an all-inclusive price; they will charge separately for appliance, licenses for different security controls and support. It is important to consider the cost of High Availability pairs and clustering in calculating TCO.

After determining the TCO, you can perform a price/ performance analysis across different vendors. Let us say the three-year TCO came to $250,000 and the NGFW throughput is 100 Gbps. In that instance, the price/performance ratio would be $250,000/100, or $2,500 per Gbps.

Support

Buying an NGFW is a significant and technically complex investment. You should not just look for basic support - you should choose a vendor that has excellent support ratings. Vendors provide many different support options, including simple phone support, on-site support and professional services. Enterprises can use professional services to help deploy, configure, tune and maintain their NGFWs to simplify operations. Support options also include availability by the number of days in a week and hours in a day, such as the examples shown below:

• Monday to Friday – 8 a.m. to 5 p.m. local time
• 24 hours and seven days a week (24/7)
• 24/7 with on-site support from a security professional
• 24/7 with continuous professional services support

NGFW Feature Comparison of Top Five Vendors

Conclusion and Next Steps

Getting the most out of your investment in a NGFW requires careful consideration of several factors to ensure stability, simplicity, and superior threat protection. Key consideration include:

• • Security Controls: IPS, Application Control, URL Filtering and others.
• • Advanced Security: Sandboxing, Zero Trust Network Access and others.
• • Network Size: This determines the number of NGFWs needed.
• • Virtual or Cloud: Enterprises with virtual and cloud environments need virtual and cloud NGFWs.
• • Performance: Choose an NGFW with enough capacity so it will not be a bottleneck in the network.
• • Support options: There are many options: online, on-site and professional service. Choose the option that’s right for your team based on your team’s expertise and workload.

When it comes to solving business challenges, enterprises are generally eager to adopt new technologies such as cloud computing, workforce mobility and automation. But now, many enterprises are finding their digital transformation journey laden with new challenges, including a surge in the number of connected devices, millions of encrypted connections, increased bandwidth needs, continually evolving evasive attacks and increased operational costs.

SonicWall’s Gen 7 is our most secure and stable lineup yet. We’ve greatly increased performance, streamlined operations and upgraded features, all while offering industry-leading TCO. These NGFW have multiple 100/40/10 GbE interfaces that can process millions of connections. Their high-speed connectivity and large port density — coupled with superior IPS and TLS1.3 inspection support — make these firewalls an ideal threat protection platform for enterprise Internet edge and data center deployments. And the newly introduced multi-instance capability (modern multi-tenancy) allows MSSPs and enterprises to provide guaranteed performance, reliability and availability while adhering to service level agreements.

Learn More

• Next-Generation Firewall for Data Center
• Next-Generation Firewall for Internet Edge
• Next-Generation Firewall for Public Clouds