The task of selecting a next-generation network firewall (NGFW) may seem simple at first glance, but it is not. In this article, we will explore the nuances and pitfalls based on our own years of experience in the network equipment market.
First, let’s list the criteria for selecting devices.
The questionnaire below is a set of questions whose answers let the solution be matched as closely as possible to the actual requirements.
- Required throughput, Mbit/s.
- Hardware or virtual implementation?
- Is a fault-tolerant (clustered) solution required?
- The type and number of interfaces for connecting to the existing network equipment.
- Availability, warranty period and technical support.
- Composition and duration of subscriptions for the firewall's extended functionality.
- Availability of accompanying systems, such as an event logging server and a centralized management system.
- The required number of remote-access VPN connections and of site-to-site connections.
- Placement of the firewall: on the perimeter, inside the local network, or protecting dedicated segments?
- Requirements for implementation and for training of administrators.
Now let's examine each point in detail with a thorough description of the features.
Throughput
At this stage, it is necessary to select a solution from the manufacturer's model range and compare its specifications with those required to solve the set tasks.
If you rely on the manufacturer's throughput figures from datasheets, always be aware that these are obtained with synthetic traffic under ideal laboratory conditions, frequently with large packets and with some security features disabled. In production the figure will be significantly lower. Datasheets usually list several numbers; compare the one measured with the features you intend to enable (for example the "threat prevention" or "IPS" throughput), not the bare firewall throughput. Reach out to us, as we have extensive experience in selecting devices from various manufacturers for specific tasks.
Keep in mind that not all of the Internet channel bandwidth provided by the carrier is consumed through the firewall: routers, dedicated servers and other equipment may be connected in parallel. To choose the right firewall model, you need to know the actual throughput required between local network resources and the Internet. This can be measured with flow-export protocols such as NetFlow, IPFIX or sFlow on the existing router or switch; size against the peak rather than the average, and allow for expected growth.
Also, when planning throughput, take into account that resource-intensive tasks such as SSL/TLS inspection or VPN termination (IPsec, SSL VPN) heavily load the central processor (CPU) and reduce throughput. Some firewalls carry special-purpose processors (ASICs) that offload this work from the CPU; in that case the datasheet figure with offload enabled is the relevant one, and the figure for traffic the ASIC cannot handle is the conservative one.
For the most accurate selection based on throughput, the option of evaluating the device in a pilot project on the organization's real traffic is suitable.
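The sizing described in this section, as an added example that is not part of the original article: it aggregates flow records into one-minute buckets, derives the peak and 95th-percentile rates, applies a growth margin, and compares the result with candidate models. The flow records and the candidate datasheet figures are constructed for the example (not real captures or real products), and the 50% derating between laboratory and production throughput is an assumption to be replaced with a figure measured in a pilot.

```python
import math
from collections import defaultdict

# Constructed NetFlow-style records for traffic that will actually traverse the
# firewall: (first_seen_s, last_seen_s, octets). Real input would be NetFlow
# v5/v9, IPFIX or sFlow exports from the router or switch on the Internet path.
SAMPLE_FLOWS = [
    (0,   60,   600_000_000),    # 60 s transfer at 80 Mbit/s
    (0,   300,  900_000_000),    # 5 min transfer at 24 Mbit/s
    (120, 180,  2_250_000_000),  # 60 s burst at 300 Mbit/s
    (180, 240,  75_000_000),     # 60 s at 10 Mbit/s
    (240, 1200, 1_800_000_000),  # 16 min at 15 Mbit/s
]

BUCKET_SECONDS = 60


def bucket_bits(flows, bucket=BUCKET_SECONDS):
    """Spread each flow's octets evenly over the buckets it spans; return {bucket_start: bits}."""
    load = defaultdict(float)
    for first, last, octets in flows:
        last = max(last, first + 1)           # zero-length records still land in a bucket
        bps = octets * 8 / (last - first)
        t = first
        while t < last:
            start = t - (t % bucket)
            end = min(last, start + bucket)
            load[start] += bps * (end - t)
            t = end
    return dict(load)


def rates_mbps(flows, bucket=BUCKET_SECONDS):
    """Average Mbit/s in each bucket."""
    return {b: bits / bucket / 1e6 for b, bits in bucket_bits(flows, bucket).items()}


def sizing(flows, growth=1.3, percentile=95, bucket=BUCKET_SECONDS):
    """Peak and percentile bucket rates, plus the figure to size against (peak with growth headroom)."""
    rates = sorted(rates_mbps(flows, bucket).values())
    rank = math.ceil(percentile * len(rates) / 100) - 1   # nearest-rank percentile
    return {
        "peak_mbps": rates[-1],
        f"p{percentile}_mbps": rates[rank],
        "required_mbps": rates[-1] * growth,   # growth factor is an assumed planning margin
    }


# Hypothetical datasheet figures (Mbit/s) measured with IPS, AV and application
# control enabled; the bare "firewall throughput" number is the wrong one to compare.
CANDIDATES = {"model-s": 500, "model-m": 1000, "model-l": 2500}


def select_model(required_mbps, candidates=CANDIDATES, derate=0.5):
    """Smallest model whose derated datasheet figure covers the requirement, or None.

    derate is an assumed factor for the gap between synthetic lab traffic and
    production traffic; replace it with a value measured in a pilot.
    """
    for name, datasheet in sorted(candidates.items(), key=lambda kv: kv[1]):
        if datasheet * derate >= required_mbps:
            return name
    return None


if __name__ == "__main__":
    s = sizing(SAMPLE_FLOWS)
    print(s, "->", select_model(s["required_mbps"]))
```

On the constructed records the one-minute peak (324 Mbit/s) is three times the 95th percentile (104 Mbit/s); sizing on the average would pick a model that drops traffic during exactly the bursts that matter. Any flow record for traffic that bypasses the firewall (parallel routers, servers on a separate uplink) must be excluded from the input before running this.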
Implementation Options
Selecting a hardware appliance means answering questions such as:
- Rack mount or desktop placement?
- How many rack units (U) does it occupy?
- Is power redundancy (dual power supplies) required?

When the firewall runs as a virtual machine, keep in mind that the virtualization host is itself exposed to the untrusted segments the firewall connects to, and the hypervisor and its management interfaces need their own hardening and isolation.
The performance of a virtual firewall depends largely on the server hosting the virtual machine and can be assessed accurately only in a pilot (test) implementation.
Virtual firewalls are typically deployed on rented virtual capacity (hosting or cloud providers).
Virtual solutions are usually licensed by the number of processor cores the virtual machine is allowed to use.
Clustering
There are different operating modes for devices in a fail-safe (high-availability) pair: Active-Active and Active-Passive. Let's look at these in more detail.

Active-Active
- Advantages: increased throughput by balancing traffic between the devices.
- Disadvantages: diagnostics and fault localization are more complex (asymmetric traffic paths, session synchronization). Size the pair so that one node can carry the whole load on its own; otherwise the failure of one device is also a loss of capacity.
Active-Passive
- Advantages: simplicity of implementation and troubleshooting.
- Disadvantages: the backup device sits idle in standby while the primary is operating, so its capacity is never used.
Important addition: manufacturers differ in how they license additional functionality for fail-safe systems. Some sell the set of subscriptions once for all devices of the HA pair; others require a subscription per device, which changes the price significantly.
Don't forget the requirement for dedicated interfaces to build the cluster (heartbeat and session-synchronization links); they reduce the number of ports available for production traffic.
Interfaces and Ports
To increase the throughput of the connections between the firewall and the existing network equipment, 10 Gbit/s interfaces are not always necessary. Several 1 Gbit/s interfaces can be aggregated with protocols of the EtherChannel family such as LACP (IEEE 802.3ad). One caveat: the switch distributes traffic across the member links per flow, using a hash of addresses and ports, so a single flow never exceeds the speed of one member link. A site-to-site IPsec tunnel is one flow to that hash, so on a bundle of 1 Gbit/s links it is limited to 1 Gbit/s no matter how many links are aggregated.
If SFP+ connections are still required, direct-attach copper (DAC) cables are recommended for short runs within a rack; they are cheaper than a pair of optical transceivers.
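The per-flow limit of an LACP bundle, shown as an added example that is not part of the original article. The flows are constructed, and the transmit hash is a simplified stand-in for a switch's layer3+4 policy (assumed here to be the sum of the tuple fields modulo the member count; real switches use a vendor CRC or XOR, but the property demonstrated, that all packets of one flow land on the same member, is the same).

```python
import ipaddress

MEMBERS = ["eth1", "eth2"]   # two 1 Gbit/s links in one LACP bundle
LINK_MBPS = 1000

# Constructed flows: (name, src, dst, ip_proto, sport, dport, offered_mbps).
# ESP (protocol 50) carries no L4 ports, so a site-to-site IPsec tunnel is a
# single flow to the hash regardless of how much traffic it carries.
SAMPLE_FLOWS = [
    ("ipsec-to-branch", "203.0.113.10", "198.51.100.20", 50, 0,     0,   1500),
    ("https-client-a",  "10.0.0.5",     "203.0.113.7",   6,  51234, 443, 300),
    ("https-client-b",  "10.0.0.6",     "203.0.113.7",   6,  51236, 443, 300),
]


def member_for(src, dst, proto, sport, dport, members=MEMBERS):
    """Pick the member link for a flow (stand-in for a layer3+4 transmit hash).

    Deterministic in the 5-tuple, so every packet of a flow uses one link and
    arrives in order; that same determinism is what caps a flow at link speed.
    """
    key = (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
           + proto + sport + dport)
    return members[key % len(members)]


def distribute(flows, members=MEMBERS, link_mbps=LINK_MBPS):
    """Return ({member: {offered, delivered}}, {flow_name: member}).

    delivered is capped at the member link speed; anything above it is dropped
    or queued on that link even if the other members are idle.
    """
    offered = {m: 0 for m in members}
    placement = {}
    for name, src, dst, proto, sport, dport, mbps in flows:
        m = member_for(src, dst, proto, sport, dport, members)
        offered[m] += mbps
        placement[name] = m
    per_member = {m: {"offered_mbps": offered[m],
                      "delivered_mbps": min(offered[m], link_mbps)} for m in members}
    return per_member, placement


def bundle_totals(per_member):
    """Aggregate offered vs delivered Mbit/s across the whole bundle."""
    return (sum(v["offered_mbps"] for v in per_member.values()),
            sum(v["delivered_mbps"] for v in per_member.values()))


if __name__ == "__main__":
    per_member, placement = distribute(SAMPLE_FLOWS)
    print(placement)
    print(per_member, bundle_totals(per_member))
```

With these flows the 1.5 Gbit/s tunnel and one HTTPS session hash to eth1, which delivers only 1000 of the 1800 Mbit/s offered, while eth2 carries 300 Mbit/s: a nominal 2 Gbit/s bundle delivers 1300 Mbit/s. If one flow (a tunnel, a backup stream, a SAN replication) must exceed 1 Gbit/s, a faster single link is needed, not a wider bundle.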

Warranty and Support
There are three options:
- Support from the manufacturer
- Support from the distributor
- Support from the partner that carried out the commissioning
Each option differs in cost, response time and engineer qualification. Generally, the longer the support term purchased up front, the lower the annualized cost.
When choosing the level of support, also consider the following:
- Response time and coverage: business hours or 24x7?
- Is an engineer's presence at the customer's site required?
- Is replacement of failed hardware included, and how quickly is it delivered?
Subscriptions for Extended Functionality
Typically, the following functions are licensed by subscription and renewed every year:
- Antivirus (AV)
- Intrusion Prevention System (IPS)
- Email protection / Anti-Spam (AS)
- URL Filtering (Web Filter)
- Application Control (App Control)
Note that devices from some manufacturers keep operating after a subscription lapses, but lose access to the update servers: the IPS, AV and URL databases freeze at the last downloaded version, and protection against new threats degrades within days. This behaviour can be relied on to bridge a delay in purchasing a renewal, but only as a temporary measure.
Event Logging Systems and Centralized Management Systems
Both are available in hardware and in virtual implementations.
A dedicated event logging system is purchased when long-term log retention or fast searches by specific criteria are required; the appliance's local log storage is limited and is overwritten as it fills.
Centralized management from a single system is common when there are more than about 10 devices.

Remote Access VPN
Most manufacturers license remote access by the number of simultaneous connections. Some, however, allow the platform's maximum number of users to connect without an additional license, but with only basic client functionality.
That basic functionality always needs careful analysis, as not every model can solve the task at hand. For example, the client software may lack the option to save the password, or may lack features your users depend on.
Some entry-level models also limit the number of site-to-site VPN tunnels.

Placement of Network Firewall Devices
Possible options:

Training, Implementation
- With large equipment purchases, training can be included as a bonus. Check with the vendor.
- All LWCOM specialists are certified and have been trained on equipment from all major suppliers. Trust the professionals.
- Before the final choice of solution, an important factor is the availability of extensive documentation and of a public community of engineers working with the product.
In conclusion
In this article, we have examined the main issues that arise when selecting network firewall devices. In practice there will be many more of them. LWCOM solves such issues every day and has extensive experience in implementing such tasks.
We will help select the network firewall (NGFW) necessary for solving the tasks of your organization. We will deliver the equipment on time, integrate it into the existing IT infrastructure of the company, and train the staff in the nuances of administration and management.