One of the things I enjoy is analyzing the language of the security industry. Language not only communicates ideas, but also intentions, aspirations, and fears.

One of those phrases I find fascinating is “Next Generation Firewall” (NGFW). This blog first addressed the term in our Cult of Palo Alto Networks post. Industry analysts, like Gartner, and firewall manufacturers, like Palo Alto, have been aggressively promoting the idea that NGFW is reshaping the firewall market and breaking away from traditional firewalls or Unified Threat Management (UTM). Moreover, the NGFW manufacturers are positioning their products as “the next big step” in the evolution of firewalls.

So why is NGFW so revolutionary? What is the difference between UTM and NGFW?

None. There is no difference between UTM and NGFW. These are the same technologies with the same capabilities being marketed and promoted as different. Moreover, there is nothing intrinsically unique or revolutionary about NGFWs. These are simply firewalls that have expanded their feature set to include other security functions. Or in other words, NGFW is UTM.

What is interesting is how Gartner and the vendors have lined up to create this whole fabricated class of products. Frankly, this is an age-old tactic: moving the goalposts.


Politicians have been doing this since Roman times, and the process is rather simple:

  1. You have a product (or candidate) that does not really measure up to the competition. It lacks features or has negative aspects (like poor performance, or questionable tax returns).
  2. Rather than address this weakness directly, you invent a new conversation to distract from the weakness.
  3. You focus the discussion exclusively on the “new” conversation and dismiss the other issue as old, outdated, or serving an inconsequential community.
  4. Feed this all into an echo chamber of media (or industry analysts) and repeat the “new conversation” ad nauseam.


Behold, the old discussion gets buried in the new one; everybody wants to talk about the new issue and considers the old one useless. The echo chamber of the media, or in this case industry analysts like Gartner, is critical to making this work. You need a vocal institution to echo your new conversation and overshadow the old one.

When upstart UTM companies arose in the mid-2000s, the traditional firewall makers, like CheckPoint, Cisco, and Juniper, were not prepared for this change. Their reliance on older code and enterprise clients stifled their innovation. Their early UTM-style appliances were clumsy and underpowered. Newer companies like Fortinet and SonicWall were introducing more innovative designs and taking customers.

Moreover, some of the traditional firewall companies, as well as some newcomers like Sourcefire and Palo Alto Networks, lacked the intellectual property to compete across the spectrum of capabilities. They did not own their own antivirus, antispam, or URL filtering engines.

As such, rather than compete, they simply redefined themselves. The first step was to marginalize UTM to the small business market. Gartner, never missing an opportunity to sell another report, quickly created an Enterprise Firewall category, which of course was reserved for all these next generation devices. UTM was relegated to discussions about small business and managed services. The next step was to cast NGFW as unique, different, and special. Therefore, NGFW was cast as the next step after stateful packet inspection. Some vendors even went so far as to claim that their NGFW stateful packet inspection was completely unique and new. It was not, of course.

What impresses me is how well the industry accepted this sleight of hand. The manufacturers changed the conversation about firewalls without really changing the technology. Gartner reinforced the concept to convince the consumers. And consumers ate it up. NGFW marketing has been extremely effective.

To prove my point, consider the feature set of the following devices. Palo Alto Networks, CheckPoint, Sourcefire and McAfee all claim to have a NGFW; put “next generation firewall” into Google and those four products pop up first. Now type in “unified threat management” and you get SonicWall, WatchGuard, Fortinet, and Sophos (Astaro), as well as some other small-time players. Let’s compare these products. I threw Juniper and Cisco into the mix because they are big names who tend to play both sides of this fence right now.

Of course, the NGFW vendors will claim uniqueness and cite how their products do different things or can detect applications on all ports. The fact is, these arguments break down quickly when you consider that it’s mostly marketing-speak. Palo Alto, for example, likes to claim their AppID is unique. It is not; other products have done application identification for a long time. Sourcefire plays up their IPS engine as being unique to NGFW; it is not. Plenty of products have IPS engines with decent detection features. Decryption, authentication, content inspection – none of these are unique to UTM or NGFW platforms.

The sameness of UTM and NGFW is not intended to suggest all these products are identical in quality. Each manufacturer has their strengths and weaknesses. The quality and performance of these products varies widely. However, from a purely feature perspective, they are all the same. Their differences in approach to application inspection, antivirus, or IPS may explain their performance or accuracy benefits, but it does not change the fact that the core feature set is all the same.

Now consider Gartner’s obtuse definition for NGFW from their Magic Quadrant for Enterprise Firewalls, December 14, 2011.

As the firewall market evolves from stateful firewalls to NGFWs, other security functions (such as network IPSs) and full-stack inspection, including applications, will also be provided within an NGFW. The NGFW market will eventually subsume the majority of the stand-alone network IPS appliance market at the enterprise edge. This will not be immediate, however, because many enterprise firewall vendors have IPSs within their firewall products that are competitive with standalone IPS appliances, and are resisting truly integrating the functions and instead colocate them within the appliance. Although firewall/VPN and IPS are converging (and sometimes URL filtering), other security products are not. All-in-one or unified threat management (UTM) products are suitable for SMBs but not for the enterprise: Gartner forecasts that this separation will continue until at least 2015. Branch office firewalls are becoming specialized products, diverging from the SMB products.

I have a variety of problems with this definition. First, the industry is not evolving from stateful firewalls to something different. Stateful firewall inspection is part of every single UTM and NGFW on the market. It is not going away or being replaced. Furthermore, there is nothing new or innovative about stateful packet inspection. Every firewall on the planet of any notable interest does stateful inspection and has for decades.

Moreover, where exactly is the difference between UTM and NGFW? Gartner cites no reason for these being classified as different other than UTM being “not suitable” for the enterprise. Why is UTM not suitable? Considering that all the UTM appliances and all the NGFW products share identical feature sets and that UTM vendors have enterprise-class products, I fail to see the difference.

The attribution of “all-in-one” to UTM is strange, since UTM products and all of the NGFW products share the exact same feature set. So how is a UTM “all-in-one” but an NGFW, with an identical feature set, different?

Gartner could make the claim that UTM products are targeted at the SMB market whereas NGFW is targeted at the enterprise. That statement has some merit, but what is the purpose? Does that mean the SMB products from Palo Alto Networks are really UTMs? Or is an enterprise-class SonicWall really a NGFW? This distinction merely muddies the waters, when there is really no reason to do so. UTM is NGFW. Why not put them all into the same class and evaluate SMB products and enterprise-class products separately, like any other technology?

The divide between UTM and NGFW is essentially a creation of the marketing people to make certain vendors seem more competitive than they really are. It is intended to shift the goalposts for the enterprise consumer to a different set of criteria and to marginalize established companies, like Fortinet and Astaro, into the basement of “small-business.”

Wise enterprise and small-business consumers need to see this for what it really is, a meaningless differentiator created to sell weaker products at a premium price. If you are in the market for a new security appliance, you would be wise to ignore this differentiator and view UTM and NGFW technologies as completely identical and select from them the products that suit your business needs best.

As for Gartner, I do not fault them for being what they are. They are in the business of selling advice and shaping the market. However, this is a case where their advice is misleading. This makes me wonder what their motivations are. Is it just to sell reports? Or is there some other agenda at work? I am uncertain about that, but it is clear that Gartner wants UTM and NGFW fighting for market and mindshare.