Firewall as a service (FWaaS) promises to extend the capabilities of next-generation firewall (NGFW) and unified threat management (UTM) solutions across a modern IT environment. A centrally-managed FWaaS solution lets an organization deploy consistent, scalable protection to geographically dispersed users, cloud applications, and local network resources.
Vendors in the FWaaS market tend to provide their solution as a feature within other products, such as security service edge (SSE) from Cato Networks, zero-trust network access (ZTNA) from Perimeter 81 or Zscaler, or secure access service edge (SASE) solutions offered by Cisco or Palo Alto.
Only a few vendors, such as Cloudflare, offer a stand-alone FWaaS service, and several of them don’t even use their own technology; instead, they deploy the Palo Alto solution as a service.
1. Cato Networks SSE 360
Headquartered in Tel Aviv-Yafo, Israel, Cato Networks focuses on cloud-first network architecture and claims to be the world’s first SASE platform.
- Incorporates FWaaS features into its security service edge product that converges secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and ZTNA into a single software-as-a-service (SaaS) solution
- Simplifies and streamlines deployment
- High-performance NGFW packet inspection
- Reduces attack surface
- Consistent policy enforcement
- Reduces maintenance and update workload on IT teams
- Global private internet backbone with built-in acceleration to deliver faster speeds than generic internet connections
- A seamless integration with full SASE solutions
“Cato is a stellar SASE provider with an extremely intelligent and decisive support team that is prompt, responsive, helpful, and [patient]. We have had a great experience with deploying our SaaS edge network, and they have been there right along with us all [the] way.” -A senior cloud infrastructure architect for an IT services company, review at Gartner Peer Insights
- Named one of 25 2021 Channel Influencer Award winners by Channel Partners and Channel Futures
- Awarded Best Supplier of 2021 in the Innovation category by the Italian manufacturer Gnutti Carlo Group
- Recognized more than 12 times by Gartner in guides, such as:
  - Gartner “Market Guide” for managed SD-WAN services
  - Gartner “Market Guide” for zero-trust network access
  - Gartner “Hype Cycle” for cloud security
  - Gartner “Hype Cycle” for edge computing
2. Cisco Umbrella
Networking giant Cisco, based out of San Jose, California, offers its feature-rich Umbrella platform to help secure users and resources connected through the internet.
- FWaaS features come with the Secure Internet Gateway (SIG) Essentials and Advantage packages as part of the Cisco Umbrella SASE and security-as-a-service offering
- Intelligent traffic routing in the cloud
- Direct internet access between resources and users
- Cloud-delivered security with IPsec tunnel-secured connections
- Packet inspection
- Anycast routing technology that allows all data centers to identify themselves with the same IP address to ensure the shortest possible journey between users and resources
- More than 30 data centers worldwide
“[Cisco Umbrella] allows you to review threats as well as update a shared database of negative and destructive web links in real time. Cisco Umbrella makes it simple to visualize and customize your risk defense. Individuals may also submit their own request to the administrator to review a blocked website. I recommend Cisco Umbrella if you want a simple online defense against risks at the application level that is easy to implement while also providing adaptable manageability and effective defense.” -Data engineer for SoftBank Group, review at TrustRadius
- CRN’s 2020 Tech Innovator Awards for best cloud security solution as well as best SD-WAN
- Between June and September 2022, ranked No. 1 in performance for evaluations performed by AV-TEST, a German-based independent research institute for IT security
3. Cloudflare Magic Firewall
San Francisco-based Cloudflare specializes in delivering information. Its original products improved website and application performance, but Cloudflare quickly expanded into security products to protect against distributed denial-of-service (DDoS) attacks or to enable secure connections from and to remote resources.
Cloudflare’s Magic Firewall solution provides a stand-alone FWaaS solution as well as FWaaS features for the broader Cloudflare One SASE platform.
- Filtering rules based on protocol, port, IP address, packet length, and bit field match
- Protocol validation rules to inspect traffic validity
- Deploy with unlimited scale
- Integrate managed threat intelligence IP lists
- Provide DDoS protection
- Deploy rule changes in under 500 ms
- Capture packets on-demand for troubleshooting
- Block users based on the country where their traffic originates
- Full integration with a full suite of Cloudflare tools, including SASE, website security, and website performance solutions
- A global network of data centers in 275 cities in more than 100 countries
- Fast connections of under 50 ms for 95% of connections and a capacity of 155 Tbps for transit connections, peering, and private network connections
“In the past, filtering had to be done through complex access-lists across multiple network equipments. Now, it can be all managed through the Cloudflare Dashboard — fill in the form, and press validate. With less risks, more people can now manage security.” -Managing director and founder of premium managed hosting service provider, Nexylan, in a case study
- Security Software Innovator award in the Microsoft Security Excellence Awards
4. Palo Alto Networks FWaaS Virtual Appliance
Santa Clara, California-based Palo Alto Networks, a well-established firewall appliance provider, offers FWaaS as part of its Prisma SASE product and its Prisma Cloud security platform. Customers already familiar with Palo Alto firewalls can easily transition to the cloud-based platforms to configure and deploy firewalls to local networks from Palo Alto’s global network.
- NGFW technology is included in Palo Alto’s cloud-based products
- Advanced URL filtering
- Packet inspection
- OSI Layer 7 Firewall
- Controls for the application layer
- Centralized visibility over security incidents across the network
- App-ID analysis of applications to identify apps and provide granular control over the features of the application, such as allowing instant messaging through but denying file transfers
- Machine learning (ML)-powered threat prevention against zero-day threats
- Can be deployed as Prisma Access for Clean Pipe for service providers and telcos with multi-tenant environments. This deployment can be seen as stand-alone FWaaS offerings from:
“[Prisma SASE solution is] useful in complex environments. … The interface is the same as that of firewalls, so if you are comfortable you don’t have to learn a new thing, but you can already apply your knowledge. Useful for centralizing logs, configurations, and certainly [firewall] management in general.” -A network administrator for a mid-market enterprise, review at G2
- Palo Alto named a leader in Gartner “Magic Quadrant” reports multiple times
- Frost & Sullivan’s 2022 Company of the Year Award based on the release of Prisma SASE
- Palo Alto’s Prisma Cloud earned the 2022 SC Award for Best Cloud Workload Protection Solution
5. Perimeter 81 Cloud Network Management Platform
Perimeter 81, based in Tel Aviv, Israel, offers customers the easy-to-deploy Cloud Network Management Platform to provide secure connections between remote users, networks, and applications.
The solution offers four levels of service with FWaaS policies offered in three of the levels: Premium (10 policies), Premium Plus (100 Policies), and Enterprise (unlimited policies).
- Encrypts all communication with always-on VPN capabilities
- Allows for adding additional IPsec and Secure Sockets Layer (SSL) encryption for extra defense
- Automatically deploys zero-trust policy-based segmentation, activity audits, activity reports, 1,000 Mbps per gateway performance, and unlimited network tunnels
- Simplified and quick deployment of enterprise-level network and data security
- Ease of use for desktop, laptop, or mobile operating system (OS) users
- Fully integrated with a tool that meets zero-trust and SASE requirements
- No installation fee, minimum subscription period, or upfront costs
“We use it [Perimeter 81] for worldwide VPN networks and to help authenticate our employees logging into several different applications. The service allows you to segment to dial in via various regions around the world. They help with a delay in speeds, etc.” -Solutions consultant, review at TrustRadius
- In 2021, Perimeter 81 received the SINET16 Innovator award as one of the 16 most “innovative and compelling” companies addressing cybersecurity threats and vulnerabilities for the year
- Perimeter 81 also resides among the five leaders in the Forrester “New Wave” report on zero-trust network access for Q3 2021
6. Zscaler Zero Trust Exchange
Based in San Jose, California, Zscaler offers a cloud-first approach to securing corporate environments. Zscaler’s Cloud Firewall is incorporated as a feature in the Transformation and ELA Zscaler Internet Access Editions as well as its Zero Trust Exchange platform.
- Protect users and resources with a cloud-based, scalable solution
- Eliminates the attack surface
- Prevents lateral movement threats
- Improves monitoring
- Incorporate SWG, CASB, DLP, and full SSL inspection capabilities
- Reduces costs and complexity
- Always-on cloud intrusion prevention system (IPS)
- Special monitoring to catch stealthy techniques on non-standard ports
- Cloud-delivered protection with global edge presence
“[Zscaler is] a terrific method to be entirely compliant. The Zscaler Internet Access Platform is a dedicated SSE solution that focuses on risk mitigation, reliability, and scalability to allow us to deliver our users secure access to our applications while keeping them secure. Zscaler Cloud Security Platform provides us with safe internet gateways with complete functionality and incorporated internet security. Because attackers can’t attack what they can’t see, the Zscaler technology hides source identities by distorting their IP addresses and prevents the business network from being exposed to the internet.” -Program director of DACH integration and TR for a services company, review at Gartner Peer Insights