5 Critical Mistakes to Avoid: Incorrectly Sizing Your Future NGFW

Stephanie Johnson


Category: Firewall

This post is part of a blog series where we dive into the five critical mistakes to avoid when evaluating a next-generation firewall. Avoid these, and you’ll be well on your way to picking the right next-generation firewall.

How will you know if the NGFW you’re considering is the right one for your organization? The safest bet is to test it. But when evaluating and selecting a new NGFW, there are some common mistakes security professionals often make. One of these critical mistakes is highlighted in detail below, along with insight and recommendations to help you avoid the blunder.


Mistake #1: Incorrectly Sizing Your Future NGFW

Avoid relying solely on datasheets and other “performance on paper” summaries as they are inaccurate points of comparison for firewalls. There are fundamental differences in features and offerings from one firewall vendor to the next. For example, one vendor might measure consolidated threat prevention features (e.g., intrusion prevention systems, antivirus, command and control, URL filtering) in terms of performance impact, while another might highlight performance impact based solely on best-of-breed IPS capabilities in a stand-alone box. To ensure accurate “apples to apples” firewall comparisons, organizations should size capabilities to their real-world environments’ requirements (e.g., IPS, application control, advanced malware detection), in addition to the traffic mix. When doing so, it’s critical to account for performance impact resulting from enabling other features in the future.

In addition, advanced capabilities, such as SSL decryption, will vary in performance impact depending on processing logistics. Some vendors decrypt using the hardware form factor, while others decrypt using software – each with varying degrees of performance effect. Further, threat response performance should only be compared with all required signatures activated. Carefully read the documentation for out-of-the-box collections of signatures to determine actual coverage. Performance often continues to degrade with the introduction of additional signatures.

  • Avoid trade-offs between security and performance. You should never have to decide between enabling a feature or signature and crippling your performance.
  • Accurately map to your requirements for throughput and traffic composition. It is difficult to argue against testing the actual traffic to be secured. Simulators can’t represent custom applications, real-world usage scenarios or shadow IT.

To correctly size your next NGFW while also ensuring maximum performance, security and ROI, run a proof of concept in your organization. A POC allows you to accurately test next-generation firewalls, their affiliated services and subscriptions – either on their own or against one another – in your actual, operational IT environment, whether it is physical, virtual or a hybrid.

For more critical mistakes to avoid when evaluating a next-generation firewall, download the white paper: 5 Critical Mistakes When Evaluating a Next-Generation Firewall.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42