The Next Generation Intrusion Prevention System (NGIPS) must provide organizations with the ability to identify both the applications and usage behavior on their internal networks. Like its predecessor, the network Intrusion Prevention System (IPS), the NGIPS must allow legitimate traffic to pass while also blocking attacks and resisting evasion techniques. And it must catch sophisticated attacks while producing as few false positives as possible and without introducing network latency.

The NGIPS is typically placed behind a next generation firewall and implemented as an inline device that inspects and blocks traffic identified as malicious or unwanted. It must be as stable, reliable, fast, and flexible as the infrastructure it protects. It should also be possible to incorporate an NGIPS into an existing security architecture without requiring a network redesign.


We tested five of the industry’s leading NGIPS products to compare capabilities for security effectiveness (exploit block rate, evasion techniques, and stability and reliability), total cost of ownership (TCO), and performance. In particular, this 2019 NGIPS test focuses on the following capabilities:

  • Exploit block rate: This test determines IPS exploit protection capabilities across a broad range of attacks–while ensuring the device doesn’t block legitimate traffic (false positives).
  • Resistance to evasions: The techniques we used in this test have been widely known for years and should be considered minimum requirements for the IPS product category. Exploit protection results must factor in evasions since the more evasions that are missed, the worse the situation. The test determines the ability of NGIPS products to properly detect and block exploits that apply evasion techniques.
  • Real-world performance: Vendors’ datasheets provide product maximums under ideal conditions that rarely exist in the real world. Our extensive performance tests capture edge cases and points of failure of the tested products. Also, our real-world testing enables us to predict the performance limits of products so that buyers don’t have to learn the hard way.


This is the fifth year for testing NGIPS products. In this year’s test, we were able to evade three NGIPS products. Only one demonstrated robust protection against script-obfuscated attack variants designed to test the security devices’ resilience. 

Of the five products tested, four were rated as Recommended based on comparative scores for overall security effectiveness, TCO per protected Mbps, and performance. 


  • Forcepoint NGFW 2105 v6.3.10 Dynamic Update Package 1164
  • Fortinet FortiGate-100F v6.0.2 build6215 (GA)
  • Palo Alto Networks PA-5250 9.0.3-h2
  • Versa Networks V2000 16.1 R2 S8
  • Vendor A (contact NSS Labs for more information)