Feedback on how to evaluate firewalls?

Hi there, I am putting together a list of evaluation criteria for firewalls. After doing my research I’ve come across this list of capabilities and would like your feedback. Are there items on this list that are outdated or that are missing? Any feedback is appreciated.

Core capabilities

  • IDS/IPS functionality

  • Network Antivirus & Anti-Spyware

  • Anti-Bot

  • APT protection - Sandboxing

  • Behavioural Analysis

  • DDOS protection

  • Context aware

  • DLP functionality

Deployment options

  • High availability

  • Support Routed and Transparent mode

  • Support for Virtualized environment

Integration with

  • Threat Intelligence

  • Network Policy Management tools

  • Network Monitoring Tools

  • Security Incident and Event Management (SIEM) Tools

  • Identity Access Management

  • Central Authentication

  • Supports Certificates based authentication

  • Ticketing System

  • Industry Best Practices

  • Development or scripting tools

  • Automation tools

Additional Functionality


  • Application control

  • IPv4/IPv6 support

  • NAT functionality

  • 2-FA authentication

  • DHCP functionality

  • SSL traffic decryption support

  • Bandwidth Management

  • Centralized management and Administration console

  • Site to Site IPSec VPN support

  • Reverse proxy functionality

  • DNS proxy functionality

  • Stateful engine support for all protocols in TCP/IP stack

  • URL filtering

  • Hardened OS & purpose built chassis hardware

  • Support for static and dynamic routing protocols

  • Application Intelligence for TCP/IP protocols (telnet, Ftp, etc)

*** Others?**

DNS Query inspection?:thinking:

1 Like

The fact of being able to deploy control policies, web filtering, as well as filtering the use of certain applications.
The management offered in relation to VPN networks, with remote access and VPN tunnels, including SecuRemote
The improved performance they offer based on the latest generation chips to streamline processes
A higher density of high connectivity ports (1 Gbps) that are now compatible with many other 10 Gbps SFP, in addition to fiber ports.
WebUI management console, with the possibility of monitoring in real time and based on the use of a single panel, each of the network traffic policies deployed.
Periodicity and update of the signature file automatically and efficiently, with possibility of USB or microSD for new firmware


Netflow Generation
Virtual environment deployment

1 Like