Cybersecurity · NGFW

Next-Generation Firewall — intelligent network perimeter protection

NGFW is much more than port filtering. App-ID identifies applications regardless of port, SSL inspection decrypts encrypted traffic, IPS blocks exploits in real time. The first and most important line of defense against external threats.

App-ID: application inspection
SSL Inspection: encrypted traffic
IPS: exploit blocking

What we deploy

NGFW feature scope

NGFW combines a traditional firewall with advanced security features — application inspection, threat detection, and user control.

App-ID — application inspection

Application identification independent of port and protocol — Facebook on port 443 is identified as Facebook, not as HTTPS. Policies per application instead of per port. Blocking of unauthorized applications.

SSL/TLS Inspection

Decryption and inspection of encrypted HTTPS traffic. Over 90% of web traffic is encrypted — without SSL inspection most threats are invisible to the firewall. Selective inspection with exclusion of financial and medical traffic.

IPS — Intrusion Prevention System

Real-time blocking of exploits and network attacks based on signatures and behavioral analysis. Automatic signature updates from threat intelligence. Protection against CVEs even without system updates.

URL Filtering and categorization

Filtering web access by category — malware, phishing, botnets, inappropriate content. User web activity reports. Enforcement of internet usage policy.

Sandboxing

Analysis of suspicious files in an isolated environment before passing to the network. WildFire (Palo Alto), FortiSandbox, Stormshield Breach Fighter — zero-day malware detection.

High Availability and clustering

Active/Passive or Active/Active firewall pair — failure of one does not interrupt network traffic. Session and policy synchronization. Subsecond failover.

Certified partners

Technology partners

Palo Alto Networks

PA-Series — leading NGFW with App-ID, Threat Prevention, and WildFire sandboxing. Panorama for central management.

Fortinet

FortiGate — NGFW with ASIC for high performance. Security Fabric integrates NGFW with EDR, SIEM, and SD-WAN in one ecosystem.

Stormshield

SNS (Stormshield Network Security) — European NGFW certified by ANSSI. Especially recommended in sectors requiring European certifications.

A firewall without SSL inspection protects against less than 10% of threats

If your firewall doesn't decrypt HTTPS traffic — it doesn't see most of what attackers do on the network.

Over 90% of network traffic is now encrypted. Traditional firewalls and older NGFW without SSL inspection are blind to attacks hidden in HTTPS. A properly configured NGFW with SSL inspection is the minimum standard.

FAQ

Next-Generation Firewall questions

A traditional firewall filters traffic based on ports and IP addresses — port 443 is HTTPS, end of story. NGFW identifies applications regardless of port (App-ID), decrypts HTTPS traffic (SSL inspection), blocks exploits (IPS), filters URLs, and detects malware (sandboxing). The difference is between a guard checking the door number versus one checking ID and the contents of the briefcase.
In many cases yes — NGFW with URL filtering and SSL inspection takes over proxy functions (URL filtering, HTTPS inspection, web activity reporting). A dedicated proxy (e.g. Zscaler, Squid) has more caching features and fine-grained HTTP control. For most companies NGFW is sufficient.
The cost is the sum of licenses (hardware or VM + Threat Prevention, URL, WildFire subscriptions), network integration, and policy configuration. For a 50–200 user company — typically 15,000–60,000 PLN for hardware and 3-year licenses. Configuration and deployment — separately. The exact quote depends on the model and feature scope.
IPS, URL, and malware signatures — automatic updates from the vendor, several times a day. Firewall policy rules — reviewed quarterly or after every significant infrastructure change. Firewall firmware — updated 1–2 times a year or for critical CVEs. An un-updated firewall is the biggest security gap you can have.