[Dr. WoW Season 2] [No 2] NGFW Functions

Latest reply: Apr 23, 2018 06:37:21

Major NGFW Functions

It has been six years since Gartner officially defined NGFWs. The concept of NGFWs is now deeply rooted in people's minds. Gartner defined only NGFW mandatory capabilities, which can be summed up in four aspects: traditional firewall functions, IPS, external intelligence, application awareness and visibility. Different security vendors have different NGFW understandings and develop NGFW products based on their existing products. As a result, the NGFWs from different vendors provide different functions.

With the development of mobility, social networking, cloud, and big data, ICT networks keep changing. To adapt to these changes, NGFWs must continually provide more capabilities and so many security vendors are now trying to redefine NGFWs.

In addition to Gartner-defined traditional firewall functions (status detection, NAT, and VPN), application awareness and control, and IPS, Huawei NGFW products also provide the following functions:

• Comprehensive threat prevention

Huawei NGFWs not only integrate firewall functions and IPS, but also provide antivirus, anti-spam, URL filtering, and data loss prevention (DLP) functions. In anti-APT scenarios, these functions work together to break the kill chain; we will explain this in more detail in Part 3.

• Multi-dimensional control

Traditional stateful inspection firewalls implement policy control mainly based on the 5-tuple (source and destination IP addresses, source and destination ports, and protocol). In addition to application-specific control, Huawei NGFWs can also interwork with third-party authentication servers, so that policies can be defined based on location and terminal type. In this way, Huawei NGFWs provide comprehensive control policies.


Supported Function
• Users and user groups
• Security zone
• Addresses and address groups
• Services and service groups
• Applications and application groups
• Access mode
• Honor 6 Plus (terminal type example)
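As an added example (not code from the post or from Huawei), here is a toy policy matcher in Python that shows what the dimensions in the table above add over a plain 5-tuple rule: two flows with an identical 5-tuple get the same verdict from a legacy rule but different verdicts once group and application are matched. The addresses, zones, users, applications and the terminal type value in it are all constructed.

```python
# Added example, not from the post or Huawei's code: a toy policy matcher showing
# what the table's dimensions add over a pure 5-tuple rule. All values are constructed.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Flow:
    src_ip: str; dst_ip: str; dst_port: int; proto: str   # classic tuple fields
    src_zone: str = ""; dst_zone: str = ""                # security zones
    user: str = ""; group: str = ""                       # user and user group
    app: str = ""; access: str = ""; terminal: str = ""   # application, access mode, terminal type

@dataclass
class Rule:
    name: str
    action: str                                # "permit" or "deny"
    nets: dict = field(default_factory=dict)   # "src_ip"/"dst_ip" -> address group (CIDR list)
    match: dict = field(default_factory=dict)  # any other Flow field -> set of allowed values
    def matches(self, f: Flow) -> bool:
        for dim, cidrs in self.nets.items():
            ip = ipaddress.ip_address(getattr(f, dim))
            if not any(ip in ipaddress.ip_network(c) for c in cidrs):
                return False
        return all(getattr(f, dim) in vals for dim, vals in self.match.items())

def lookup(policy, f):
    """First matching rule wins; traffic matching no rule is denied."""
    for r in policy:
        if r.matches(f):
            return r.name, r.action
    return "default", "deny"

# A 5-tuple-only policy: anything from the LAN to TCP/443 is permitted.
LEGACY = [Rule("lan-443", "permit", nets={"src_ip": ["10.1.0.0/16"]},
               match={"dst_port": {443}, "proto": {"tcp"}})]
# The same intent expressed over the dimensions in the table.
MULTI = [
    Rule("staff-web", "permit", nets={"src_ip": ["10.1.0.0/16"]},
         match={"dst_port": {443}, "proto": {"tcp"}, "src_zone": {"trust"},
                "dst_zone": {"untrust"}, "group": {"staff"}, "app": {"web-browsing"}}),
    Rule("guest-portal", "permit", nets={"src_ip": ["10.1.50.0/24"]},
         match={"group": {"guest"}, "access": {"wifi"},
                "terminal": {"Honor 6 Plus"}, "app": {"captive-portal"}}),
]
# STAFF and OTHER share one 5-tuple and differ only in identity and application.
STAFF = Flow("10.1.2.3", "203.0.113.10", 443, "tcp", "trust", "untrust",
             "alice", "staff", "web-browsing", "wired", "PC")
OTHER = Flow("10.1.2.3", "203.0.113.10", 443, "tcp", "trust", "untrust",
             "bob", "contractor", "file-sharing", "wired", "PC")
GUEST = Flow("10.1.50.7", "192.0.2.1", 80, "tcp", "guest", "dmz",
             "visitor", "guest", "captive-portal", "wifi", "Honor 6 Plus")
```

Calling `lookup(LEGACY, OTHER)` and `lookup(MULTI, OTHER)` side by side shows the difference: the legacy rule permits both flows, the multi-dimensional policy permits only the staff web-browsing flow.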



• Simplified management

Capability enhancement often means an increase in management complexity. However, Huawei's innovative Smart Policy technology makes NGFWs intelligent enough for simple management. Security administrators can use the default templates for fast policy deployment. Huawei NGFWs give security policy tuning suggestions based on network traffic analysis results and also identify redundant and invalid security policies to help simplify policy management.

• Improved user experience

Huawei NGFWs provide bandwidth management functions to restrict low-value traffic, guarantee bandwidth for mission-critical services, and forward delay-sensitive traffic preferentially. You can enable the quota management function to restrict the daily and monthly traffic volume or the daily online duration of users. Huawei NGFWs also provide an intelligent routing function that selects the optimal ISP egress not only through the ISP address library, smart DNS, or transparent DNS, but also according to link quality, bandwidth, weights, and priorities, to implement load balancing. Route selection can also be based on IPSec tunnel quality.


People familiar with UTM know that, in IDC's definition, a UTM is a traditional stateful inspection firewall that integrates functions such as antivirus, IPS, and anti-spam. Since both NGFWs and UTMs provide security functions such as IPS and antivirus, what are the differences between them?

As mentioned above, application awareness and visibility are the core requirements on an NGFW, and a UTM usually does not have the application awareness capability. There is also a difference in product positioning and performance. According to Gartner, NGFWs are security products developed for large- and medium-sized enterprises, whereas UTMs are primarily applicable to SMBs and to branch offices of large enterprises with fewer than 1000 employees; these enterprises prioritize function diversity and usability over performance.

The performance of many UTM products degrades severely after IPS and antivirus are enabled; for some UTM products it drops to as low as 20% of the original. In these cases, the functions are useless in practice. IDC's definition of UTM implies that many functions are integrated in one box, but not that all of these functions are enabled. For an NGFW, performance degradation is less than 50% after IPS and antivirus are enabled.

How does an NGFW achieve this? The engine and the detection mode are the key points.

First, let's talk about the engine. A UTM integrates the functions of multiple boxes into one box. The number of boxes decreases, but logically all functions are still performed in series: each security function is implemented by a separate engine, each packet goes through multiple rounds of detection, and each round adds to the network delay.

Huawei NGFW products use the newly developed high-performance intelligent awareness engine (IAE) for unified detection and processing. The IAE first identifies the protocols and applications of the traffic. Then the protocol decoding module parses the protocols and applications, and the decoded fields and contents are inspected separately. The detection items depend on the content type, and the different types of detection run in parallel to shorten the detection time.



Of course, improving NGFW performance also relies on the hardware platform. Huawei's IAE has a built-in hardware offload function: CPU-intensive operations can be handed off to the Huawei-proprietary hardware platform, reducing the CPU workload and improving efficiency.


Now, let's talk about the detection mode. On many UTM products, detection is still file-based. For example, in antivirus checks, the UTM needs to receive and cache the whole file and then scan it. This mode is clearly not suitable for gateway products like firewalls, because caching files consumes memory and adds delay. In addition, large files are difficult to cache and are usually permitted without inspection. The missing security detection for large files is therefore an irreparable security vulnerability.

Huawei NGFW products use a flow-based file processing mechanism: they receive file fragments and perform security detection on them as they arrive. As mentioned previously, the IAE security detections run concurrently. File transmission delay is reduced, overall performance is improved, and the user experience improves with it.
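An added example in Python (not the post's or Huawei's IAE code) contrasting the two detection modes described above: a file-based scanner that must buffer the whole file and passes through anything that outgrows its cache, beside a flow-based scanner that inspects fragments as they arrive, keeps memory bounded, and still catches a signature split across two fragments. The signature string, cache limit, fragment size and file contents are constructed stand-ins.

```python
# Added example, not from the post or Huawei's IAE: file-based vs flow-based scanning.
# The signature, cache limit, fragment size and file contents are constructed stand-ins.
CACHE_LIMIT = 64            # bytes a file-based scanner is willing to buffer
SIGNATURE = b"EICAR-TEST"   # constructed stand-in for a malware signature

def file_based_scan(fragments, limit=CACHE_LIMIT, sig=SIGNATURE):
    """Reassemble the whole file before scanning. A file that outgrows the
    cache is passed through unscanned: the large-file gap the post describes."""
    buf = bytearray()
    for frag in fragments:
        buf += frag
        if len(buf) > limit:
            return "permit-unscanned"
    return "block" if sig in buf else "permit"

def flow_based_scan(fragments, sig=SIGNATURE):
    """Scan fragments as they arrive. Only the last len(sig)-1 bytes are
    carried over, so a signature split across two fragments still matches,
    memory stays bounded for any file size, and a verdict can be reached
    before the transfer completes. Returns (verdict, fragments examined)."""
    carry, seen = b"", 0
    for frag in fragments:
        seen += 1
        window = carry + frag
        if sig in window:
            return "block", seen
        carry = window[-(len(sig) - 1):] if len(sig) > 1 else b""
    return "permit", seen

def split(data, size):
    """Cut a byte string into transfer-sized fragments (constructed input)."""
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed files. In BIG_INFECTED the signature occupies bytes 155..164 and so
# straddles the boundary between 16-byte fragments 9 and 10 (0-based).
SMALL_INFECTED = b"hdr" + SIGNATURE
BIG_CLEAN = b"A" * 300
BIG_INFECTED = b"A" * 155 + SIGNATURE + b"B" * 150

if __name__ == "__main__":
    for name, data in [("small", SMALL_INFECTED), ("big-clean", BIG_CLEAN),
                       ("big-infected", BIG_INFECTED)]:
        frags = split(data, 16)
        print(name, file_based_scan(frags), flow_based_scan(frags))
```

The file-based scanner blocks the small infected file but waves through both large files unscanned, while the flow-based scanner blocks the large infected file on the 11th of its 20 fragments without ever holding more than one fragment plus a 9-byte carry-over.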



For many UTM products, when network traffic exceeds the processing capability, file detection is bypassed, that is, content security detection is simply not performed. Customers and enterprise administrators then have to choose between performance and security. Some enterprises purchase UTM products but leave many functions disabled to prevent performance deterioration.

Firewall performance deterioration affects the user experience of delay-sensitive services and collaborative applications, which in turn affects enterprise service quality and productivity. Nowadays, security and performance are equally important for many large enterprises. The mission of NGFWs is to make up for what traditional firewalls lack in application awareness while providing adequate performance.




This post was last edited by dr.wow at 2018-04-26 12:31.

Created Apr 17, 2018 03:41:16


MVE Created Apr 17, 2018 12:35:52

useful document, thanks

Created Apr 17, 2018 20:04:34


Created Apr 19, 2018 08:09:07

Fine ...:)

Created Apr 23, 2018 06:37:21

Thanks for providing Helpful Documentation. :)