Senior Riverbed (WAN,APM,NPM) Consultant at NetConsulting
User
2021-05-17T08:15:51Z
May 17, 2021
Over 50% of security vulnerabilities are non-Web based traffic, such as DNS, DDOS etc and this is where some Web Proxys fall short as they only inspect the Web traffic that is forwarded to them, NGFW's provide superior protection at the edge to inspect all traffic for on-prem users locally.
This is where a SASE solution can help for remote working by providing best of both worlds capabilities such as SWG, NGFW, ZTNA, CASB etc delivered from a Cloud architecture in a unified (single-pass) manor, protecting 'All Traffic from Any user/device anywhere not just Web.
Use a Web Proxy that will protect your users when they are working at home as well. The FW will provide protection when the user is behind it. The web proxy will protect the user at any place, anytime.
Networking Specialist at a healthcare company with 1,001-5,000 employees
Real User
2021-05-17T07:47:51Z
May 17, 2021
Web Proxy like Cisco Umbrella works very well, you have protection at home and at office, with a lot of employees working some days at home and others at the office is a great solution.
Senior Manager at a financial services firm with 10,001+ employees
Real User
2021-05-14T00:54:05Z
May 14, 2021
NGFW does streaming based scanning it means it will pass the packet as it received due to which there is high probability of malware getting passed via Firewall. Where as Proxy wait for complete
IT Support and Network Admin at Escuela Carlos Pereyra
User
Top 10
2021-05-13T13:03:05Z
May 13, 2021
Hi Edwin
organization size ? usual final users behavior? how strong its the security you want ? budget ?
if what you need its not that big i allways recomend kind a free solution as a " Pihole server " (in a virtual container its the best way) but,,, also you can find a SOPHOS UTM as the best solution either or maybe a Unifi USG Router or unifi dream machine, of course if your budget allows it
I think the NGFW should do all the work for you if configured properly eg deep packet inspection and not just certificate inspection mode on the policies.
With deep packet inspection the Firewall will deconstruct and reconstruct the packet this will give you full visibility into network traffic and network protection.
The NGFW like fortigate will also give you protection when connected to the public network through sslvpn with tunnel mode enabled such that all your traffic goes through the HQ when browsing resulting in the same policies that you use when onsite to be the same when you are offsite.
@PrideChieza NGFW coupled with internal resources, e.g. domain controllers, gives a great breakdown per area and scopes well. A FortiGate integrated with user groups can act as a firewall and per group web filter, and yes, if deep packet inspection is really needed can be tweaked to allow very specific traffic. +1 for it doing the had work for you.
SE at a comms service provider with 11-50 employees
Real User
2021-05-13T06:08:29Z
May 13, 2021
This depends on many factors like size of organization, how organization is geo-spread, type of NGFW and Proxy you are looking at or you have. And where proxy is deployed, onprem or cloud? With cloud you have additional options and companies like Zscaler and Netskope started to eat this part of market.
What is a web application firewall (WAF)? A web application firewall, or WAF, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the internet.
Over 50% of security vulnerabilities are non-Web based traffic, such as DNS, DDOS etc and this is where some Web Proxys fall short as they only inspect the Web traffic that is forwarded to them, NGFW's provide superior protection at the edge to inspect all traffic for on-prem users locally.
This is where a SASE solution can help for remote working by providing best of both worlds capabilities such as SWG, NGFW, ZTNA, CASB etc delivered from a Cloud architecture in a unified (single-pass) manor, protecting 'All Traffic from Any user/device anywhere not just Web.
Use a Web Proxy that will protect your users when they are working at home as well. The FW will provide protection when the user is behind it. The web proxy will protect the user at any place, anytime.
Hi @Oleg Pekar and @Manish Nalawade. Can you share your thoughts?
You are analyzing a central solution (perimeter), correct?
So, NGFW with URL filtering is simple & easy to go live without any issues.
But, what is going on with the endpoints, local URL filtering?
Web Proxy like Cisco Umbrella works very well, you have protection at home and at office, with a lot of employees working some days at home and others at the office is a great solution.
NGFW does streaming based scanning it means it will pass the packet as it received due to which there is high probability of malware getting passed via Firewall. Where as Proxy wait for complete
Hi Edwin
organization size ?usual final users behavior?
how strong its the security you want ?
budget ?
if what you need its not that big i allways recomend kind a free solution as a " Pihole server " (in a virtual container its the best way) but,,, also you can find a SOPHOS UTM as the best solution either or maybe a Unifi USG Router or unifi dream machine, of course if your budget allows it
good luk.
I think the NGFW should do all the work for you if configured properly eg deep packet inspection and not just certificate inspection mode on the policies.
With deep packet inspection the Firewall will deconstruct and reconstruct the packet this will give you full visibility into network traffic and network protection.
The NGFW like fortigate will also give you protection when connected to the public network through sslvpn with tunnel mode enabled such that all your traffic goes through the HQ when browsing resulting in the same policies that you use when onsite to be the same when you are offsite.
@PrideChieza NGFW coupled with internal resources, e.g. domain controllers, gives a great breakdown per area and scopes well. A FortiGate integrated with user groups can act as a firewall and per group web filter, and yes, if deep packet inspection is really needed can be tweaked to allow very specific traffic. +1 for it doing the had work for you.
This depends on many factors like size of organization, how organization is geo-spread, type of NGFW and Proxy you are looking at or you have. And where proxy is deployed, onprem or cloud? With cloud you have additional options and companies like Zscaler and Netskope started to eat this part of market.