This is one area where next-generation firewall vendors are still finding their way. We think that Fortinet is on the right track here, but since this is an open area of discussion, we did not include it in our scorecard.
The last area we looked at was the action options. In our testing, we simply asked the firewalls to block traffic. But in the case of web-based applications, the network manager might want to intercept the request and display a page to the end user indicating that security policy prohibited the transaction.
The Check Point Security Gateway, which integrated URL filtering with application identification, was the only product that included this feature. The Security Gateway actually goes further than that, allowing the next-generation application identification rule to have an action that displays the "page blocked" message while allowing the user to click on through after acknowledging a warning.
We found other options as well. For example, SonicWall and Fortinet let an application rule apply some QoS settings, such as limiting traffic (in the case of bandwidth wasters, for example) or guaranteeing traffic (in the case of VoIP or video conferencing). Both also allow an action of "log packets" to save a transaction for later analysis.
When it comes to actually identifying and blocking applications, what we would prefer is a hypothetical product mixing two of the devices we tested: the SonicWall SonicOS engine configured by the Check Point Security Gateway management system. In the absence of such a mythical beast, SonicWall did the best job of identifying and controlling applications, but we found room for improvement in everything we tested.
Of course, application awareness is the icing on the cake for next-generation firewalls, which also have to handle all of the other basic tasks associated with a state-of-the-art firewall. In this next section, we delve into those other functions, which we've divided into network visibility, SSL decryption, IPS, UTM and basic firewall blocking and tackling.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.
Read more about wide area network in Network World's Wide Area Network section.