UTM v NGFW: A Single Shade of Gray

One of the things I enjoy is analyzing the language of the security industry. Language not only communicates ideas, but also intentions, aspirations, and fears.

One of those words that I find fascinating is “Next Generation Firewall” (NGFW). This blog first addressed this word in our Cult of Palo Alto Networks blog. Industry analysts, like Gartner, and firewall manufacturers, like Palo Alto, have been aggressively promoting the idea that NGFW is reshaping the firewall market and breaking away from traditional firewalls or Unified Threat Management (UTM). Moreover, the NGFW manufacturers are positioning their products as “the next big step” in the evolution of firewalls.

So why is NGFW so revolutionary? What is the difference between UTM and NGFW?

None. There is no difference between UTM and NGFW. These are the same technologies with the same capabilities being marketed and promoted as different. Moreover, there is nothing intrinsically unique or revolutionary about NGFWs. These are simply firewalls that have expanded their feature set to include other security functions. Or in other words, NGFW is UTM.

What is interesting is how Gartner and the vendors have lined up to create this whole fabricated class of products. Frankly, this is an age-old tactic: moving the goalposts.

Politicians have been doing this since Roman times, and the process is rather simple:

  1. You have a product (or candidate) that does not really measure up to the competition. It lacks features or has negative aspects (like poor performance, or questionable tax returns).
  2. Rather than address this weakness directly, you invent a new conversation to distract from the weakness.
  3. You focus the discussion exclusively on the “new” conversation and dismiss the other issue as old, outdated, or serving an inconsequential community.
  4. Feed this all into an echo chamber of media (or industry analysts) and repeat the “new conversation” ad nauseam.

Behold, the old discussion gets buried in the new one and everybody wants to talk about the new issue and considers the old one useless. The echo chamber of the media, or in this case, industry analysts like Gartner is critical to this working. You need a vocal institution to echo your new conversation and overshadow the old one.

When upstart UTM companies arose in the mid-2000s, the traditional firewall makers, like CheckPoint, Cisco, and Juniper, were not prepared for this change. Their reliance on older code and enterprise clients stifled their innovation. Their early UTM-style appliances were clumsy and underpowered. Newer companies like Fortinet and SonicWall were introducing more innovative designs and taking customers.

Moreover, some of the traditional firewall companies, as well as some newcomers like Sourcefire and Palo Alto Networks, lacked the intellectual property to compete across the spectrum of capabilities. They did not own their own antivirus, antispam, or URL filtering engines.

As such, rather than compete, they simply redefined themselves. The first step was to marginalize UTM to the small business market. Gartner, never missing an opportunity to sell another report, quickly created an Enterprise Firewall category, which of course was reserved for all these next generation devices. UTM was relegated to discussions about small business and managed services. The next step was to cast NGFW as unique, different, and special. Therefore, NGFW was cast as the next step after stateful packet inspection. Some vendors even went so far as to claim that their NGFW stateful packet inspection was completely unique and new, which of course it was not.

What impresses me is how well the industry accepted this sleight of hand. The manufacturers changed the conversation about firewalls without really changing the technology. Gartner reinforced the concept to convince the consumers. And consumers ate it up. NGFW marketing has been extremely effective.

To prove my point, consider the feature set of the following devices: Palo Alto Networks, CheckPoint, Sourcefire and McAfee all claim to have a NGFW. Just put “next generation firewall” into Google and those four products pop up first. Now, type in “unified threat management” and you get SonicWall, WatchGuard, Fortinet, and Sophos (Astaro) as well as some other small-time players. Let’s compare these products. I threw Juniper and Cisco into the mix because they are big names who tend to play both sides of this fence right now.

Of course, the NGFW vendors will claim uniqueness and cite how their products do different things or can detect applications on all ports. The fact is, these arguments break down quickly when you consider that it’s mostly marketing-speak. Palo Alto, for example, likes to claim their AppID is unique. It is not; other products have done application identification for a long time. Sourcefire plays up their IPS engine as being unique to NGFW; it is not. Plenty of products have IPS engines with decent detection features. Decryption, authentication, content inspection: none of these are unique to UTM or NGFW platforms.

The sameness of UTM and NGFW is not intended to suggest all these products are identical in quality. Each manufacturer has their strengths and weaknesses. The quality and performance of these products varies widely. However, from a purely feature perspective, they are all the same. Their differences in approach to application inspection, antivirus, or IPS may explain their performance or accuracy benefits, but it does not change the fact that the core feature set is all the same.

Now consider Gartner’s obtuse definition for NGFW from their Magic Quadrant for Enterprise Firewalls, December 14, 2011.

As the firewall market evolves from stateful firewalls to NGFWs, other security functions (such as network IPSs) and full-stack inspection, including applications, will also be provided within an NGFW. The NGFW market will eventually subsume the majority of the stand-alone network IPS appliance market at the enterprise edge. This will not be immediate, however, because many enterprise firewall vendors have IPSs within their firewall products that are competitive with standalone IPS appliances, and are resisting truly integrating the functions and instead colocate them within the appliance. Although firewall/VPN and IPS are converging (and sometimes URL filtering), other security products are not. All-in-one or unified threat management (UTM) products are suitable for SMBs but not for the enterprise: Gartner forecasts that this separation will continue until at least 2015. Branch office firewalls are becoming specialized products, diverging from the SMB products.

I have a variety of problems with this definition. First, the industry is not evolving from stateful firewalls to something different. Stateful firewall inspection is part of every single UTM and NGFW on the market. It is not going away or being replaced. Conversely, there is nothing new or innovative about stateful packet inspection. Every firewall on the planet of any notable interest does stateful inspection and has for decades.

Moreover, where exactly is the difference between UTM and NGFW? Gartner cites no reason for these being classified as different other than UTM being “not suitable” for the enterprise. Why is UTM not suitable? Considering that all the UTM appliances and all the NGFW products share identical feature sets and that UTM vendors have enterprise-class products, I fail to see the difference.

The attribution of “all-in-one” to UTM is strange since UTM products and all of the NGFW products share the exact same feature set. So how is a UTM “all-in-one” but a NGFW, with an identical feature set, something different?

Gartner could make the claim that UTM products are targeted at the SMB market whereas NGFW is targeted at the enterprise. That statement has some merit, but what is the purpose? Does that mean the SMB products from Palo Alto Networks are really UTMs? Or is an enterprise-class SonicWall really a NGFW? This distinction merely muddies the waters, when there is really no reason to do so. UTM is NGFW. Why not put them all into the same class and evaluate SMB products and enterprise-class products separately, like any other technology?

The divide between UTM and NGFW is essentially a creation of the marketing people to make certain vendors seem more competitive than they really are. It is intended to shift the goalposts for the enterprise consumer onto a different set of criteria and marginalize established companies, like Fortinet and Astaro, into the basement of “small-business.”

Wise enterprise and small-business consumers need to see this for what it really is, a meaningless differentiator created to sell weaker products at a premium price. If you are in the market for a new security appliance, you would be wise to ignore this differentiator and view UTM and NGFW technologies as completely identical and select from them the products that suit your business needs best.

As for Gartner, I do not fault them for being what they are. They are in the business of selling advice and shaping the market. However, this is a case where their advice is misleading. This makes me wonder what their motivations are. Is it just to sell reports? Or is there some other agenda at work? I am uncertain about that, but it is clear that Gartner wants UTM and NGFW fighting for market and mindshare.

46 thoughts on “UTM v NGFW: A Single Shade of Gray”

  1. Congrats for your post.
    We’ve shared the same thought.
    Gartner created the term NGFW because IDC have created the UTM concept. Just a market fight…

  2. All true. I just had the chance to talk yesterday to the Palo Alto guys at IT-SA in Nuremberg, Germany. I went deep into technical details as well as having real stuff done like QoS per application flow etc.
    The thing is: it is the same as other UTM/NGFW/NGWHATEVER. The only difference I have seen is that they have really great graphic designers. Their interface looks really nice. However, in order to evaluate the platform, you need to drill further with what AV is there, how support is working, etc etc …

    However, hats off for marketing to Palo Alto. They got me to lose like 90 minutes trying to see the difference where the difference doesn’t exist. Except nice icons on dashboards 🙂

    Best regards,

  3. Well, not quite…

    Interesting analysis, but far from “brilliant”. I work for a Fortune 25 and have spent the past 6 months tearing apart the NGFW market. You’ve missed the comparison on a few key fronts – just to start. First is the hardware and platform architectures and the evolution that should be evident within the product lines. Compared to UTM platforms that have generally evolved from legacy firewalls via the facilities of bolt-on software components, NGFW should have an architecture that was designed from the ground up to facilitate security functionality components (i.e. the current security landscape and be adaptable going forward). When looking at the effectiveness of those vendors who truly fit the NGFW realm (most do not, less than a handful) you’ll find quickly that performance and effectiveness go hand in hand. The next piece that is missing is the actual network processing path within the platform and architecture. Generally, UTM appliances inspect and reinspect along the path whereas NGFW platforms *should* inspect once and most notably, not more than twice in the path (herein lies the latency problem of UTM and non-NGFW platforms). As stated, this impacts latency and bandwidth exponentially when you start to compare to vendors whose products are not truly NGFW. While I won’t name names here I can tell you that my analysis has been backed and vetted by industry recognized labs.

    Long story short is that this paper analysis doesn’t help the reality of the situation within the firewall segment. You’re missing a significant amount of key data that you don’t have the facilities to produce so you’ve chosen to ignore it. I would hope that people reading this would take it for what it’s worth, and at face value, all that is ends up being marketing comparisons. I’ve taken into account: performance, functionality, financials, manageability and broken those out into an array of many other sub categories. I have, literally, thousands of reports on functionality and performance. While here we have an analysis based very lightly on functionality. I’d boil it down to say – you’re off the mark in your conclusion.

    1. Well, I have read a lot of those same reports. I’ve piled through lots of those same performance stats. And I don’t see any difference in the two markets. I think NGFW was created to allow a small group of vendors to appear more competitive than they really are.

      Again, this is not to suggest every UTM or NGFW is identical in performance, capability, or value.

      As for network processing path, this is a technical detail that may affect performance or accuracy, but it does not alter the feature set and capabilities of a product.

  4. I’m not sure you’re understanding my point. I did not read through others’ reports – I used a lab, built with this intent and purpose, to place real weight on the vendors’ products. Luckily our budget allows for things like dedicated 10Gb infrastructure and tools like BreakingPoint appliances. Comparatively, NSS Labs reports do not contain as much transparency or data that we were after.

    Also – your feature set comparison is flawed. If “Motortrend” rated cars based on simplistic comparisons they wouldn’t sell any magazines. In that regard not all engines, suspensions, or build quality is comparable. So if you think that a comparison of “Does this vendor have IPS? Yes or No” is a good and thorough comparison, then by all means continue business as usual. My point, however, is that IPS cannot be compared side by side unless you subject the functionality to a repeatable and sane environment where you’re tracking metrics and efficacy. What you’ve provided by publishing this table doesn’t do that type of methodology justice and I can tell you that certain vendors do very much better than the next comparing feature sets side by side.

    You can’t see data that you don’t have, and I can tell you that your analysis is an assumption and not founded in data or methodology. To that point, it does nobody any good in gut feel recommendations based on the fact that you read a report or have configured a device.

    1. I think you are trying to change the point I made. Gartner and others have created a market called NGFW. I think that is purely a marketing creation. There is no significant technical or market focus difference to warrant that creation. I think the motivation is to make some products and vendors appear more competitive than they really are.

      The fact that Product A (which calls itself a NGFW) and Product B (which is a UTM) have different performance statistics based on special data that only you have and nobody else has seen – well that’s a pretty hollow statement. Share your data. If NGFW is so different than UTM, explain why those two market segments are different. You are claiming to have data that backs up your claim, but you aren’t sharing that data. I referenced NSS reports, Gartner reports, and many other resources to back up a claim that NGFW and UTM are the same.

      The whole point of establishing a product category is to lump together products that have similar features. And when you look at the function, feature set, and positioning of UTM products and NGFW products – they are much more alike than unalike. As such, my point is that these two categories are an attempt to change the conversation about firewalls and marginalize established players in favor of emerging products.

  5. You are coming down a little hard on the author, Windexh8er.

    His point is that there are no separate markets or product categories for UTM vs NGFW. Your point, I believe, is that there are a lot of differences between the implementation of capabilities in every product regardless of its label. No one is refuting that or that there could be better analysis/reporting if only an independent source had the resources to do the kind of testing you describe. Or, maybe you could share your research, even if not for publication, with industry analysts so they know what to focus on when they talk to end users and vendors?


  6. My point is that there is a difference in the technology across products that you’re not understanding.

    UTM is legacy bolt-on. Think a firewall that existed 8 years ago, and now we slap on IPS. The data flow path is FW–>IPS, there is no correlation and generally no communication of the flows between the two disparate processes. If you look at the architecture of the platforms this is where they begin to diverge. On those legacy, UTM, platforms we see multiple services accumulating a lot more latency. NGFW platforms will do a lot of the heavy lifting up front, identify the app and make performance better on the downstream functionality. Now the IPS knows that the data flow is application X and so the number of security related functions changes to a more reduced footprint.

    If I could share the data I’ve collected I would. I’ve spent 6+ months on this project and it would be eye opening. I’ve seen all of the reports and they don’t dive into the products or architectures as they should be doing. UTM is a market that most vendors should still be in that are claiming NGFW. There is a difference and it’s something that if you don’t understand it, or take the time to do the actual research, you can get stuck on casting blame to those who say there is a difference. I’m saying there is, I have done my research (in fact, that’s generally all I’ve been doing for the better part of the year).

    What it boils down to is that a simplification of feature comparison will get you an outcome based on a bad methodology. Lumping together features is, again, a bad approach. Let’s use an analogy:

    2 car manufacturers come to the table with AWD cars. One is an automatic system that is generally FWD and kicks in the differential when the front slips, but the rear end isn’t limited slip. The other is a full-time AWD system that has a limited slip rear end. Both satisfy the base requirement for AWD. But, those who want the more competent system know how to find it. Same thing here – direct feature comparison does not equal synonymous effectiveness. You need to dig into the technical architectures because, yes, it does make a huge difference in the effectiveness of given functions.

    I’m not sure where you get “special data” from, but I’m using industry standard application protocols. I had roughly 15 test cases with 3 iterations to each test case all of which focused on a specific feature / function or showcased an overall operational result. Do I wish I had more? Of course, but I have 99.999% more data than the next guy. So while you may call my analysis shallow, it’s far more in-depth than feature comparison.

    Finally – NSS doesn’t have anything out to date that says UTM and NGFW are the same. Not sure where you’re getting that information.

    1. I think what you are seizing upon is the notion of “single-pass” architecture. I have news for you – LOTS of products claim this. No vendor is unique here. Sonicwall, Fortinet, PAN, Sourcefire all have single-pass architectures. All of them do application ID upfront as well. All of them.

      Yes, some UTMs are bolt-ons. But they generally fare worse in comparisons. Those with a more sophisticated architecture fare better.

      To continue with your car analogy: All these products have engines and four wheels. You could argue that the engine inside a Mercedes is more sophisticated than the engine inside a Kia. But that doesn’t change the fact that they are all cars. The Mercedes does not become a “Next Generation Car” because it has a more sophisticated fuel injector.

      Well, that’s what we’re saying. Just because one vendor claims to have a better, more sophisticated engine does not mean they can just call themselves something different. They are all UTMs. Changing the name does not change the role these products play in an organization.

      Your testing of these products is immaterial. You can drive Mercedes and Kias all day, but at the end of the day, you have not earned the right to just arbitrarily rename Mercedes as the “Next Generation Car” because it was faster or had a better throttle tip-in.

      Which is exactly why I was calling out Gartner. They took Palo Alto and some other products for a drive. Liked the ride. And came back and decided to rename the entire class of cars because they felt a handful of products were better. I say that is disingenuous. UTM is NGFW. And smart IT people should compare both product types and pick the product that best aligns with their business need.

    2. LOL, we have a Palo Alto fanatic here…
      latency, correlation, concurrent process, etc… are the words of a Palo Alto seller

      Relax dude… All vendors have updated their websites from UTM to NGFW. So, in the end, the article is still right, and you are a “fanatic”.

  7. Good article that brings up good points.

    In my mind an NGFW is a single product that brings together all the functionality you have stated above well, in a single platform. Also when I think about the term NGFW I think about what a Cisco ASA is and what it’s designed to block…ports/protocols/IP’s. Then I compare that to how threats have really moved away from port/protocol/IP’s towards vulnerabilities within applications running over ports we typically allow through our firewalls. In my mind that is what an NGFW is.

  8. Excellent blog. Finally someone speaks out what a lot of people in the industry are thinking. This NGFW magic quadrant is totally BS. I don’t want to bash PaloAlto. They have their advantages when it comes to Application Control details but what Gartner is doing is just not serious.

    windexh8er: Single path engine! Application ID! New engine design from scratch! Yeah right, this sounds like PA marketing. I have seen this super nice engine losing in an IPS performance test (with BreakingPoint) against so-called UTM vendors. At the end of the day I don’t care what kind of engine is inside as long as it performs and stops malicious code or unwanted apps.

  9. I kind of agree with the writer. UTM is no doubt NGFW merely looking at the feature set. Now back to the argument. Does that imply that if Cyberoam adds 4 x 10Gbps capability, they can claim to be selling an NGFW? Yes, they are still saying the same thing. If Sourcefire sells an NGFW with only 10Mbps throughput, does that make the product a UTM? Yes, still. If this kind of attitude is not frowned upon, McAfee and Kaspersky will come out with NGAV and Dr Solomon and Avira will claim UAV… Little wonder Fortinet won Security Company of the Year from SC Magazine. I think it’s penny wise, pound foolish now; buy UTM if it works well for you and if you need to show off, NGFW is the way to go.

  10. I’ve been looking a long time at those Gartner Magic Quadrants and had my (negative) thoughts about them, but Andrew just hit the spot.

    Being familiar with Watchguard products, I can give you an example that just showcases how right Andrew is.

    WatchGuard was one of the UTM pioneers and their development added new features to their products year after year. When PA came out with application recognition and filtering, it indeed took some time before WatchGuard also implemented Application Control, as they call it. Still they positioned their product as a UTM.
    But since Gartner made this hype with NGFW, WatchGuard had to follow up and present a NGFW product to the market.

    Guess how they did that: they took the normal UTM product and just REMOVED all UTM subscriptions except IPS and Application Control!

    So with a WatchGuard NGFW you get a stripped down UTM solution.
    As a product choice this makes sense in enterprise networks – many of them have specialized solutions for antispam, web filtering, etc. and would not use the more ‘basic’ functionality of a UTM appliance for that job. So they save on the licensing cost for the services with a stripped down NGFW bundle.

    Today, WatchGuard also markets the full UTM solution as a NGFW, which is what it actually was all the time.

    I think that this is a very nice example that shows that we don’t really have a technical differentiation, but that it is all about marketing the products.

    I also never really understood how some people claim that PA is outperforming everyone else on the market. To be able to compare products you can compare the performance on the same platform (in this case impossible as everyone uses a different hardware platform) – or you can compare price vs. performance.
    Now I would like to see where PA outperformed WatchGuard, Fortinet, SonicWall, etc. with a device at the same price level. When calculating the full cost of ownership (including also reporting and other extras) vs. performance, the picture gets even worse for PA.

    Also I see this debate about ‘multiple engines’ as a pure misunderstanding of the marketing approaches of different vendors. If some marketing guy painted a schema of the functionality several years ago, he would try to make it understandable to the normal customer – but how much did that schema have in common with the actual source code of the firmware running on the firewall?
    Does anyone really believe that Checkpoint is running BLADES in their appliances?
    Even in this case it’s again all about marketing.

    How PA made it into the top right corner of the quadrant is a mystery for me. There are other players that also had very high increases of sales in the enterprise market – with better products. PA is even losing the battle in the application recognition part – just compare how many applications they are able to recognize and how many e.g. WatchGuard does. Also they are failing on the granularity of control over applications.

    To make things even worse, I see a lot of SME customers looking at those Enterprise Quadrants, not understanding that even if it was realistic, it would not necessarily apply to their environment.
    Many people rely on Gartner and their Magic Quadrants – they don’t have the resources to test all the products on the market to find out which one fits them best. Instead they look at Gartner’s Quadrant and evaluate just the vendors in the upper right quadrant. From my point of view, this is a very dangerous approach and might end up as a big failure for the customer. Also this might end up in a serious loss of credibility for Gartner.

    Additionally I’d like to mention that the picture in the Magic Quadrant is possibly a global one. But we live in regions that in many cases show a completely different picture. In my region, Cisco would stand in the upper right corner of the quadrant.
    So how much is the Gartner Magic Quadrant really worth?

    1. PAN’s greatest invention was words. They invented new words to describe UTM features that everybody else was already doing. So, rather than “application control,” which nearly every UTM product does, they call it “AppID.” Rather than “web filtering” they call it “Content-ID” and rather than “user authentication” it’s now “User-ID.”

      This demonstrates the power of words. With the right words, a gullible audience, and an effective echo chamber (like Gartner), you can achieve great things. Keep in mind, PAN has also expertly exploited the buying habits of USA companies. Unlike other parts of the world, which tend to buy based on things like performance, features, and name recognition, USA buyers overwhelmingly favor “me too” style procurement strategies. Which means if “Big Boy Company 1” has a PAN then all the other Big Boys want one too. And PAN expertly exploits that. Their pitch, their approach and their messaging is all around “all the big guys have one, you need one too if you want to be a serious big boy player.”

      PAN’s technology is pretty good, but their marketing is really, really good. And like it or not, they have managed to warp the market to their benefit.

      It is easy to look at PAN purely as a technology, and analyze them for their faults and weaknesses. But they, like all companies, live in a marketplace, which is more than just software and hardware. It’s perception, image, messaging and brand awareness. As a company, I deeply admire PAN for their expertise at attacking the UTM/NGFW market. As a technologist, I find them competent but arrogant.

      That does not mean they are bad. PAN is just following the model of other massively successful companies (see Apple) who are not really innovative, but APPEAR innovative. And we (the consumers) are really to blame for creating this. We let Gartner have a big voice, and therefore they use that voice to support dubious technologies. We let companies snow us with messaging, thus empowering them to snuff out debate and conjecture. We willingly accept misleading information as fact, forever rendering those facts in doubt. We the market made this. We must learn to live with it.

      Were I in WatchGuard’s place, I would be looking for a new way to position myself in the market. WatchGuard jumped the shark a long time ago. And the only ones they have to blame are themselves. They were one of the most innovative security products on earth…in 2002. They pissed that all away with corporate diddling and blind allegiance to legacy code. They may have a competitive product now, but they have so lost their edge in the mindshare of the industry. If I were in WatchGuard’s marketing department, I would be obsessed with PAN and learning everything I could from them.

        1. Rob Collins (Senior Engineer) from WatchGuard here. At WatchGuard, we have always had UTM and standard firewalls in the market. UTM firewalls had a fundamental problem: they went too slow when all the security features were turned on. I personally applaud Palo Alto for taking advantage of a niche by releasing a ‘cut down’ UTM solution and establishing great branding for it, but times change and (some) UTMs maintain strong speeds whilst operating with multiple layers of security, control and reporting. We’re offering Next Gen Firewall bundling of security services that recognises the fact that many larger enterprises already have dedicated point solutions.

        1. You are correct Rob, however I wanted to demonstrate how misleading the term “Next Gen Firewall” can be for someone without any insight.

          Blindly following the term and hype, created and promoted by PA and Gartner, one would believe there are more layers of security in a ‘Next Generation’ product, that this is what you have to go for if you want to survive the threats we face today, that it is the better solution.

          The WatchGuard example demonstrates that what marketing was originally selling as a UTM had more layers of security included than what you call the NGFW Bundle, that the picture was the opposite of what PA and Gartner made one believe.

          Of course a NGFW Bundle product with the limited set of security layers (if you want to call them so) performs better on the same hardware than the UTM/Security Suite Bundle with the full set of functionality, there is no doubt about that. However going with a NGFW Bundle means that you will have to purchase and maintain additional solutions that will take over the missing ‘layers of security’. That means extra expenses and more work to manage all together – things you could avoid by correctly sizing the UTM solution you purchase (most vendors publish UTM performance data, so that should not be the problem).

          You very well know that today WatchGuard marketing made a shift and does not promote anymore that they are selling UTM firewalls, but started to use the Next Gen term for all firewall solutions – not because of a change in the products themselves, but because of the marketing shift and misunderstanding that was created by Gartner, implying that UTM is not the best solution for today’s networks.

          I guess, that there is no better proof, how correct Andrew is in his point, that it is all about marketing.

  11. I just randomly came across this link on the Internet and this is such an interesting topic that I have to write something. I agree to an extent with what you said, but I also do not agree. Let’s remove the NGFW and UTM sales jargon for a moment. There are two very distinct differences between a Fortigate and a Palo Alto, and I’m using these two because I have worked a lot on both of them. The different software modules in a Fortigate do not integrate seamlessly in my opinion, and they feel as if they were created over time and made to fit with the previous modules, plastered together to create the solution you see today. For example, if you talk user identity policies on Fortigate, the way that currently works is borderline insanity: creating a firewall rule base within a firewall policy. On the Palo Alto, on the other hand, you click a drop-down menu, select your AD group or single user and apply the policy, and it is agentless. Fortigate on-box reporting is so far behind the PA. These two points for me are the difference between NGFW and UTM, where with NGFW every single feature integrates seamlessly with the others and visibility into what is happening through that device is dynamic and easy to access, while UTM feels like it was thrown together piece by piece.

    1. You are conflating PAN=NGFW and Fortigate=UTM. There is no conflation, they are exactly the same technology. Just because you find one of those products easier to use or having better features, does not make that product a completely different product.

      Consider this analogy (which I have used before). BMW invents a new turbo that makes their cars have higher performance with better fuel economy. Does the use of their new technology allow them the right to claim: “BMWs are ‘Next Generation Cars’ and therefore cannot be compared to anything else on the market.”

      No, of course not. The automotive press would, to use a pun, pan BMW and call them arrogant and disingenuous. People would laugh at them and their use of “next-generation car” would probably become synonymous with “new Coke.”

      Why then did PAN get that right? Just because a company innovates on a technology does not earn them the right to completely rename it. UTM and NGFW are identical technologies. This does not mean all UTMs or all NGFWs are identical in quality or capability, just as not all cars are identical in quality or capability.

      Your conflation of “usability” with product type is absurd. This is like saying “I find the Android easier to use, therefore it’s a SMARTPHONE which big, impressive, hotshot gurus use; whereas the iPhone is difficult to use so it’s a STUPIDPHONE which only stupid, ugly, poor people use.” Say that in an Apple store, see where it gets you.

      Lastly, I would disagree also with your commentary on the usability of Fortigate and PAN. I find them to operate identically, with different approaches to their GUI and management. Since we work with both, our guys universally consider them to have an equal set of positives and negatives. I would also add that PAN’s commit process is beyond infuriating, and summarily destroys any concept of usability they have. Whereas Fortinet’s routing is outright black magic.

    2. Those are some interesting insights, and I would agree. I think Symantec buying Veritas was a huge mistake. It sent the company in a different direction. Not to mention that their lack of hardware made them entirely dependent upon others for the success of their products. You are correct that Thompson was more of a sales guy. But he did build up Symantec to the powerhouse it was / is. I think he got lazier toward the end and left when he saw that it was going to get a lot harder. However, if you contrast Thompson against Salem, Thompson was a genius. Salem turned out to be a huge dud with absolutely zero vision.

      1. Salem was an accountant. And if there is one immutable law of business that corporate boards regularly break, it is this: never ever ever ever put a beancounter in charge. No offense to accountants, but accountants make terrible leaders. They are too risk averse and too numbers focused.

  12. Very interesting blog. In the end UTM is the same as NGFW, i.e. it’s a firewall with additional services; the argument seems to revolve around what the difference is, and my take is that PAN have focused on Application Control. Do all the other vendors have App Control? Yes they do. Are they all as good as each other? No they are not. Did many vendors have App Control before PAN? Yes they did. Is PAN the best? Definitely not.

    The author has hit the nail totally on the head. PAN are a company that took a load of Venture Capital, ploughed it into Marketing, and convinced a gullible market, including Gartner, that they had something new, even unique. Why? Because they had to deliver high growth in order to IPO and establish a ridiculously high PE rating in order to sell the business to an unsuspecting IT Giant (IBM, Cisco etc.), which will happen in 18 months. The underlying technology is OK but vastly oversold in my practical experience; performance is pretty flaky in real-world testing (see NSS Labs). PAN have sacrificed having a robust technology for Marketing when it comes to investing their VC dollars, and it shows when you scrape the surface.
    I suppose there have been many PANs over the years who have come to the market with a great story, but they soon go away once the discerning IT buyers see through the veneer. However, PAN have done something very clever that I am not sure anyone else has achieved. They conned Gartner! They managed to convince an organisation which IT Professionals seem to respect to such a degree that its opinions are almost gospel; you hear the cries ‘This must be true’. Alas, that is where we all fall foul of the business model Gartner and other Analysts seem to adopt: ‘He who pays, wins’. Simple as that. In fact, what would be a really interesting Magic Quadrant is the details of which vendors have paid them money, hosted hospitality, trips to very nice venues in nice locations… you get the picture. Then I think the reader would have a more balanced view of what really drives the Magic Quadrant.
    My organisation went through a detailed process of choosing a security vendor for a large Enterprise deployment for a whole suite of security functions including App Control. Key criteria were Scalability, Performance (latency, throughput), level of threat protection, Opex and Capex, and Manageability. We evaluated 5 vendors; we chose Fortinet, 2 others came a close 2nd and PAN finished 5th. Why? When we cut through the Datasheet crap, it didn’t perform, simple as that. So how do Gartner honestly expect my organisation to believe their Magic Quadrant holds any water in what is a real-life business?

    Gartner you need to wake up.

  13. Damir, good post. I forgot to say in my post that there was one area where PAN did score highly, and that was their GUI looked sexy, almost Apple-esque! But again, when we spent an hour digging deep it was flawed. They say beauty is only skin deep; how apt.

  14. Andrew, thanks for the insight. great work.

    I do have one question though: where does WAF fit into the discussion? Is it simply a specific use case of so-called NGFW? What is the difference between WAF and NGFW?

    Specifically, an insight into F5 WAF and PAN NGFW would be great. What are (if any) the key differentiators between the two.


    1. WAF and NGFW are two different technologies. A Web Application Firewall is specifically for protecting web applications from inbound attacks. WAFs are essentially highly customized reverse proxies that can filter out bad web site requests and content. NGFW and UTM are network-layer firewalls that also offer application-layer security features. Typically, organizations will have a UTM/NGFW and a WAF. The two technologies are complementary.

      F5 and PAN are not really in the same market. F5 WAF would compete with Imperva, ModSecurity, or Fortinet’s FortiWAF.

      PAN competes with CheckPoint FW1, Juniper SRX, Fortinet Fortigate, or Cisco ASA.

      PAN does not market a WAF. Although you could deploy a PAN (or Fortigate for that matter) with some WAF-like protections.

      1. Andrew,

        thanks for the prompt response. Sorry, I should have been clearer in my question.

        I was meaning to ask: why wouldn’t one only implement ‘application-layer security’ from the UTM/NGFW itself? What does a WAF offer extra? I was thinking more that ‘application-layer security’ from a UTM/NGFW will give you more protection (Web Apps as well as others).

        1. A WAF fully controls an entire HTTP/HTTPS session. It can set rules on exactly what kinds of content are allowed. A WAF tends to be more of a “whitelist” approach to securing a web application. A WAF can compensate for a poorly coded web app by only allowing “safe” application-layer functions.

          A NGFW/UTM does not control the entire HTTP/HTTPS session (usually). It will only block known attack types. It is more of a “blacklist” approach to web protection. A NGFW/UTM is not going to compensate for a poorly coded web app.

          For basic web apps, the protection of a NGFW/UTM is sufficient. But, for apps that require additional security, a WAF provides a more robust set of controls that can block both known and unknown attack tactics.

          NGFW/UTM do not put WAF features into their products because there is a LOT of processing power required to do WAF correctly. Moreover, there is a limited subset of companies who want WAF. So, for now, WAF has remained a stand-alone technology. It’s possible that WAF features could eventually migrate to NGFW/UTM platforms, but given the limited market for WAF, I think this is unlikely.
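The whitelist-versus-blacklist distinction drawn in the reply above, as an added example rather than code from the original post or from any vendor's product: two toy inspectors in Python, a signature (blacklist) matcher standing in for NGFW/UTM-style web protection and a per-endpoint positive-model (whitelist) policy standing in for a WAF, run over the same constructed HTTP requests. The signatures, the policy and the sample requests are all assumptions constructed for the illustration; a real IPS feed and a real WAF policy are far larger. What it makes visible is the point the reply states: the blacklist only stops what it has a signature for, the whitelist also stops abuse no signature describes (an extra `role=admin` parameter, a forgotten endpoint), and the price is that an unanticipated but legitimate input (a hyphen in a username) is blocked too.

```python
"""
Signature ("blacklist") inspection vs. positive-model ("whitelist") inspection
of the same HTTP requests.  All requests, signatures and policy here are
constructed for this example; the signature set is a toy, not an IPS feed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# --- Blacklist: block what matches a known-bad signature, allow everything else.
SIGNATURES = {
    "sqli_tautology": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
    "xss_script_tag": re.compile(r"(?i)<script\b"),
    "path_traversal": re.compile(r"\.\./"),
}

def blacklist_verdict(method, target, body=""):
    """Return (allowed, reason).  A request is blocked only on a signature hit."""
    raw = f"{method} {target}\n{body}"
    for name, pattern in SIGNATURES.items():
        if pattern.search(raw):
            return False, f"signature:{name}"
    return True, "no signature matched"

# --- Whitelist: allow only requests the per-endpoint policy describes.
# Each endpoint lists its allowed methods and, per parameter, a regex the whole
# decoded value must match.  Unknown paths and parameters are rejected outright.
# (Hypothetical policy for a hypothetical app with /login and /search only.)
POLICY = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": re.compile(r"[a-z0-9_]{3,16}"),
            "pass": re.compile(r"[\x20-\x7e]{8,64}"),
        },
    },
    "/search": {
        "methods": {"GET"},
        "params": {"q": re.compile(r"[\w ]{1,40}")},
    },
}

def whitelist_verdict(method, target, body=""):
    """Return (allowed, reason).  Anything the policy does not describe is blocked."""
    url = urlsplit(target)
    rule = POLICY.get(url.path)
    if rule is None:
        return False, f"unknown path {url.path}"
    if method not in rule["methods"]:
        return False, f"{method} not allowed on {url.path}"
    params = parse_qs(url.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    for name, values in params.items():
        pattern = rule["params"].get(name)
        if pattern is None:
            return False, f"unexpected parameter {name}"
        if not all(pattern.fullmatch(v) for v in values):
            return False, f"parameter {name} violates schema"
    return True, "conforms to policy"

# Constructed sample traffic: one benign request, one textbook attack, two
# application-logic abuses no generic signature describes, and one legitimate
# request the narrow schema rejects (the positive model's false-positive cost).
SAMPLES = [
    ("benign login",        "POST", "/login", "user=alice_01&pass=correct-horse-battery"),
    ("textbook sqli",       "POST", "/login", "user=admin' OR 1=1--&pass=xxxxxxxx"),
    ("mass assignment",     "POST", "/login", "user=alice_01&pass=correct-horse-battery&role=admin"),
    ("forgotten endpoint",  "GET",  "/admin/export?all=1", ""),
    ("hyphenated username", "POST", "/login", "user=alice-smith&pass=correct-horse-battery"),
]

def compare(samples=SAMPLES):
    """Run both inspectors; returns {label: (blacklist_allowed, whitelist_allowed)}."""
    results = {}
    for label, method, target, body in samples:
        b_ok, _ = blacklist_verdict(method, target, body)
        w_ok, _ = whitelist_verdict(method, target, body)
        results[label] = (b_ok, w_ok)
    return results

if __name__ == "__main__":
    for label, (b_ok, w_ok) in compare().items():
        b = "allow" if b_ok else "BLOCK"
        w = "allow" if w_ok else "BLOCK"
        print(f"{label:20s} blacklist={b:5s} whitelist={w}")
```

Run it directly to see the verdict table; `compare()` returns both inspectors' verdicts so they can be checked programmatically. A real signature engine normalises encodings and carries thousands of patterns, so the gap is narrower in practice than this toy makes it look, but the structural difference in what each approach can say about a request it has never seen before is the same: the blacklist has nothing to say, the whitelist rejects it.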

  15. Excuse me for being anonymous, but I work for yet another competitor that usually doesn’t get into the FUD war between Palo Alto and Checkpoint.

    I have just one question, how can the leader in the Gartner Quadrant for enterprise firewalls not have a single enterprise firewall in their portfolio?
    The PA5060 bottoms out at 20Gbps (10Gbps with threat protection) with no IPv6 support for dynamic routing. It baffles me how this is even possible to call that an enterprise firewall.

    Another strange point is the placement of vendors if you put the UTM and Enterprise firewalls quadrant on top of each other. Vendors seem to be moved around at random when strength and weaknesses are still pretty much the same in both quadrants.

    Palo Alto should clearly be a challenger in a unified quadrant.

    1. You pretty much nailed the key problem with PAN. When you logically analyze them against their competitors, their raw numbers and statistics are fair. They have never once been among the top performers in any NSS test. They have performance issues when loaded up. Their biggest unit tops out at 20GB, while Fortinet and Juniper field units of 100GB or more. PAN is extremely adept at convincing people of their immense superiority and total uniqueness among technologies. They do this through extremely effective marketing. This allows them to be a serious player when under all normal circumstances they would not be a serious player.

      This is not to suggest they are horrible or bad. They are a decent product and some of their features are quite innovative. They definitely disrupted the industry. However, I think their disruption is more of a marketing and sales achievement than a technical one.

    1. Distinct markets, yes, but not distinct products. Add anti-spam to an NGFW and you have a UTM – that is not in question. But by using different language, productization, pricing, advertising, discounting and targeting a different audience, you create a distinct market. Look at VW and Audi with the A3/Golf – basically the same car underneath, but one is marketed as ‘luxury, premium, European, blah, blah’, while one is not. They have the benefit of being the owner of both, so can control this even further. PAN saw that no one was positioning UTM to enterprise, so they found a way to do it.

      1. Great point, Rob. You are correct, NGFW is essentially a subset of UTM. Which means the distinction is really one of marketing and has nothing to do with technical capability. PAN’s greatest invention was the marketing language to cleave an already dense market and carve out a space for themselves. This is why PAN is such a brilliant company. They did something that is very difficult to do with a technology that has minimal innovation.

  16. I have sold and integrated both Fortinet and PAN for years. I agree NGFW has become a marketing combo that has now been totally assimilated by the old UTM corporations. (They want to surf on the NGFW wave of fame, and they are right!)
    But I assume there are 2 fundamental differences between classic UTM and PAN:
    1/ Technical: UTM used to treat threats by lock and block, working on OSI layers 3 and 4, whereas PAN works only on OSI layer 7. That way PAN was the 1st to access SSL-encapsulated traffic…
    2/ Policy/philosophical: this is directly a consequence of the 1st point; the approach to authentication and the way to manage inside and outside users is completely revolutionary compared to the old UTM. The triptych UserID=ContentID=AppID combination, whatever you use to connect people and wherever you are: this is a tremendous change, and in a worldwide cloud IT environment this cannot be minimized!

    1. PAN was not the first to work at layer 7. Ample firewalls did that before. Sidewinder, for example, was a full proxy inspection firewall long before there was a PAN. Also, SSL interception was not new to PAN either. BlueCoat (and Sidewinder) did that long before PAN existed.

      Also the ability to filter on UserID, Application, or content was also not new to PAN. Again, many proxies did that as well. Heck, WatchGuards could do that in 2001.

      This is not to say PAN isn’t a good technology. But to say it was first to these capabilities is just wrong.

  17. Your table shows what the equipment does (in fact it is a list of features), not how it does it. And of course that little difference becomes huge in a world where performance IS vital.
    What your table shows is like trying to compare vehicles in a table where you list wheels, engine, chassis. Of course you could write a YES for every feature for a car and a motorcycle. But they serve different purposes and have different performance, don’t they?
    You can’t say, because they have the same features, that they perform the same way and in consequence that you will get the same results from an NGFW and a UTM.
    So what is the real difference between NGFW and UTM?
    I work in a pretty big institution: a University with more than 5,000 teachers, 90,000 students and about 5,000 administrative computers connected to the network (labs, workers, classrooms, etc., not counting BYODs).
    We have already tested Palo Alto (NGFW) and FortiGate (UTM), and found a huge difference in performance and integration between the two. Try a forensic analysis with FortiGate (with the FortiAnalyzer) vs. what you can do with Palo Alto… we (with the people from Fortinet helping in the test) were not able to do with FortiGate what we (with the people from Palo Alto) easily did with Palo Alto. Try IPS with Palo Alto vs. FortiGate… huge… HUGE difference.
    What made the difference? INTEGRATION (and in the case of IPS, the hardware power). FortiGate (UTMs) provide a set of tools (what you describe in your table) in SERIES… so if you want to firewall you get delay. Firewall + IPS, more delay. Firewall + IPS + AV… even more delay… Now try Palo Alto (all in parallel)… HUGE difference (in fact we were not able to get all the IPS signatures ON with the FortiGate without really affecting the whole device performance).
    I am not saying that FortiGate is not a good product, because it really is. So… I agree… THEY ARE different products for different markets. With the size of institution we are, we were able to stress the performance of both and get deeper into reports and analysis, and we found UTMs deficient for our needs.

    1. You’re right, different products have different capabilities, and different groups of enthusiasts. Just like cars. There are people who love and adore BMW, and would not be caught dead driving a Mercedes, or a Kia. However, BMW does not get to rename their entire line of cars as “next-generation cars” because they perform well or the enthusiasts love them. A BMW is still a car. Moreover, just because BMWs appeal to wealthier people, or people in the sales profession, also does not earn them the right to invent a new word for car. The cheapest Kia and the most expensive BMW are still cars.

      I get it, you love Palo Alto and dislike Fortinet. Guess what, some people love Fortinet and hate PAN. And some people love Cisco and hate Fortinet and PAN. Just because you find a product better, or more useful, does not mean it transcends the entire market and gets to become an entirely new product line. PAN, Fortinet, SonicWall, Cisco, CheckPoint, Juniper – all exist in the same market. Changing the words does not change the fact that they are all just firewalls.

        1. How about Tesla? or autonomous cars?
          1. it’s still just a car
          2. it has 4 wheels and moves without using anyone’s muscles
          3. in some years almost every car manufacturer will have electric/hybrid/autonomous offer

    2. Carlos, the acronyms UTM and NGFW are specifically about what these security products do and not how they do it.

      An argument can be made that one NGFW which performs features x, y and z and another NGFW from another vendor which also performs features x, y and z, are still considered NGFW regardless of how they provide those features, right?

      So putting aside the how, NGFW is at best a subset of UTM and some products considered NGFW and UTM are actually like-for-like for features. So really, why the distinction? Marketing, that is all.

      Marketing of really high-performance and innovative products focuses on the real innovation and performance and not on buzzwords.

      If I want features x, y and z, I don’t care if the vendor with the unit which provides me the best value calls their product a UTM or a NGFW and I don’t care how they do it, I just want it to work well and provide good ROI.

      But the problem here is that some vendors make out like there is a significant difference between NGFW and UTM and that NGFW is newer and better and is what you really should want. When the reality is that NGFW does not provide anything that UTM did not already.

      They appear to do this as a differentiator ahead of their product and the products of their competitors. To me it seems that the idea is to create this abstract difference that is first separate from vendors and their products, as if NGFW is the next evolution of UTM and after convincing customers of this, applying the new term to their product and relegating the old term to their competitors, as if their competitors are playing catch up.

      I find this marketing smokescreen especially annoying considering that when the NGFW term was coined, products blessed with it provided less than those under the UTM term.

      The “how” matters, but is not what the terms are about.

      In regards to the performance differences you witnessed, which models were you trialing? In all of my tests of Fortigate firewalls, they always exceeded the stated specifications and the Content Processor ASIC equipped models were amazing performers for IPS and AV. But you would expect that from units equipped with Application Specific Silicon built into the UTM/NGFW/NGUTM (There! I coined it! Next Gen UTM!).

      I agree that I never really loved the FortiAnalyzer and I did actually instead export syslogs which I would then massage with a script I wrote to give me more readable realtime and searchable historical output.

      Regarding PAN’s parallel processing, this is more marketing speak for similar techniques other vendors use and which provide their own marketing speak for. Take Fortinet for example, most of their Network Processor equipped models perform packet filtering at wire speed, on every NP equipped port, even for the smallest possible packet sizes at saturation. All at once and all with the system CPU taking it easy.

      Can you imagine? An old Fortigate 310B from about 8 years ago, pegged at pushing 8Gbps constantly while its system CPU is barely twiddling its thumbs, waiting for something to offload to its Content Processor?

      So from a marketing perspective, would you want to sell this as being parallel processed, because so much of it occurs independent of the CPU once the session is set up? Or as independently serial? Who cares! What is the end performance?

      Funnily enough, I remember in the very early days of PAN, they were marketing their products as having this high performance serial stream processing for each function!

      At the end of the day, there are products leveraging multi-core CPU to provide “parallel processing” and there are vendors using that AND offloading to ultra high performance onboard ASIC processors.

      Fortinet does the latter in many of their devices.
