May 07, 2012, 11:45 AM — URL filtering has become a "checkbox" feature on most Unified Threat Management firewalls, and no wonder: it doesn't require a lot of imagination to do it right, and it's hard to really differentiate yourself or do a bad job of it.
Three of the vendors tested -- SonicWall, Fortinet, and Barracuda -- had nearly identical interfaces to define URL filtering policy. There were some minor differences — for example, Fortinet had a cute feature that would limit the amount of time you could spend on a category ("you can look at Sports pages, but only for 5 minutes"), but generally there was little difference.
The Barracuda NG Firewall had one major flaw, to be fixed in Version 5.4: it required us to set up separate and independent policies for the HTTP and HTTPS proxies, doubling the time needed to maintain the policy and increasing the chance of human error.
Check Point takes a very different approach by integrating URL filtering with application identification and control into a single policy. Check Point's combination of the two tools is a better way of building a next generation firewall. URL filtering and application controls are closely related and overlap in many ways.
For example, blocking access to external webmail servers can use both application identification, to find private webmail servers, and URL filtering, to find public webmail servers. Combining the two techniques is better than using just one.
Our anti-malware testing really highlighted differences between the products and their approaches to scanning for viruses across broad categories of traffic. The two stars of the show here were Fortinet, for having the best anti-virus engine, and SonicWall, for having the best coverage across different types of traffic.
Both Check Point Security Gateway and Barracuda NG Firewall did poorly at the task of finding viruses across many different applications, although Check Point Security Gateway did include a new anti-bot detection system.