Authors: Devon James, Tim Otto and Michael Shirley

Publish Date: July 16, 2018


The proliferation of enterprise applications, the mainstream adoption of bring your own device (BYOD) and the hybrid cloud environment all increase the attack surface in the enterprise environment. The next generation firewall (NGFW) is the first line of defense against today’s threats and is a critical component of any defense-in-depth strategy. The NGFW market is one of the largest and most mature in the cybersecurity industry.

NGFW technologies have evolved from packet filtering and circuit-level gateways to application layer (proxy-based) and dynamic packet filtering firewalls that use port and protocol combinations to create and enforce access control policy between trusted and untrusted networks.

Traditional firewalls relied on common application ports to determine which applications were running and which attacks to watch for, but the NGFW can identify and either allow, block, or limit applications regardless of the ports and protocols used. The NGFW must also be capable of performing deep packet inspection on all packets, on all ports, and over all protocols in order to determine which applications are running over which ports and thus secure the applications effectively. Also, the expanded use of SSL/TLS in much of the traffic traversing the modern network makes it necessary for the NGFW to inspect encrypted content.


NSS Labs performed an independent test of the Cisco Firepower 4120 Security Appliance v6.2.2. The product was subjected to thorough testing at the NSS facility in Austin, Texas, based on the NSS Labs Next Generation Firewall Test Methodology v8.0. This test was conducted free of charge and NSS did not receive any compensation in return for Cisco’s participation.



  • Security effectiveness: The ability of the product to enforce a specified security policy effectively
  • Performance: Measures the performance of the firewall using various traffic conditions that provide metrics for real-world performance
  • Stability and Reliability: The ability of the device to maintain security effectiveness while under normal load and while passing malicious traffic
  • Total cost of ownership (TCO): Costs associated with product purchase, maintenance, installation and upkeep


As with all NSS Labs group tests, there was no fee for participation. In addition, the test methodology applied is in the public domain to provide transparency and to help enterprises understand the results.