MagicQuadrantforEnterpriseNetwork

Firewalls
22April2015ID:G00263955
Analyst(s):AdamHils,GregYoung,JeremyD'Hoinne

VIEWSUMMARY
"Nextgeneration"capabilityhasbeenachievedbytheleadingproductsinthenetworkfirewallmarket,
andcompetitorsareworkingtokeepthegapfromwidening.Buyersmustconsidertheiroperational
realities,theburdenofswitching,andthetradeoffsbetween"bestofbreed"functionandcosts.

MarketDefinition/Description
TheenterprisenetworkfirewallmarketrepresentedbythisMagicQuadrantiscomposedprimarilyof
purposebuiltappliancesforsecuringenterprisecorporatenetworks.Productsmustbeabletosupport
singleenterprisefirewalldeploymentsandlargeand/orcomplexdeployments,includingbranchoffices,
multitiereddemilitarizedzones(DMZs)and,increasingly,theoptiontoincludevirtualversions,often
withinthedatacenter.Theseproductsareaccompaniedbyhighlyscalable(andgranular)management
andreportingconsoles,andthereisarangeofofferingstosupportthenetworkedge,thedatacenter,
branchofficesanddeploymentswithinvirtualizedservers.
Thecompaniesthatservethismarketareidentifiablyfocusedonenterprisesasdemonstratedbythe
proportionoftheirsalesintheenterpriseasdeliveredwiththeirsupport,salesteamsandchannelsbut
alsoasdemonstratedbythefeaturesdedicatedtosolveenterpriserequirementsandserveenterpriseuse
cases.
Asthefirewallmarketcontinuestoevolve,NGFWsaddnewfeaturestobetterenforcepolicy(application
andusercontrol)ordetectnewthreats(intrusionpreventionsystems[IPSs],sandboxingandthreat
intelligencefeeds).ThestandaloneSecureSocketsLayer(SSL)VPNmarkethaslargelybeenabsorbedby
thefirewallmarket.Eventually,theNGFWwillcontinuetosubsumemoreofthestandalonenetworkIPS
appliancemarketattheenterpriseedge.Thisishappeningnowhowever,someenterpriseswillcontinue
tochoosetohavebestofbreedIPSsembodiedinnextgenerationIPSs(NGIPSs).Morerecently,
enterpriseshavebegunlookingtofirewallvendorstoprovidecloudbasedmalwaredetectioninstancesto
aidthemintheiradvancedthreatefforts,asacosteffectivealternativetostandalonesandboxing
solutions(see"MarketGuideforNetworkSandboxing").
However,nextgenerationfirewallswillnotsubsumeallnetworksecurityfunctions.Allinoneorunified
threatmanagement(UTM)approachesaresuitableforsmallormidsizebusinesses(SMBs),butnotfor
theenterprise(see"NextGenerationFirewallsandUnifiedThreatManagementAreDistinctProductsand
Markets").
Theneedsforbranchofficefirewallsarebecomingspecialized,andtheyaredivergingfrom,ratherthan
convergingwith,UTMproducts.Aspartofincreasingtheeffectivenessandefficiencyoffirewalls,theywill
needtotrulyintegratemoregranularblockingcapabilityaspartofthebaseproduct,gobeyond
port/protocolidentificationandmovetowardanintegratedserviceviewoftraffic,ratherthanmerely
performing"sheetmetalintegration"ofpointproducts.

MagicQuadrant
Figure1.MagicQuadrantforEnterpriseNetworkFirewalls

ADDITIONALPERSPECTIVES
Geography:AsiaPacific

STRATEGICPLANNINGASSUMPTIONS
Virtualizedversionsofenterprisenetworksafeguards
willnotexceed10%ofmarketrevenuesbyyearend
2018,upfromlessthan5%today.
Lessthan40%ofenterpriseInternetconnections
todayaresecuredusingnextgenerationfirewalls
(NGFWs).Byyearend2018,thiswillrisetoatleast
85%oftheinstalledbase,with90%ofnew
enterpriseedgepurchasesbeingNGFWsasmore
enterprisesrealizethebenefitsofapplicationanduser
control.
By2018,85%ofnewdealsfornetworksandboxing
functionalitywillbepackagedwithnetworkfirewall
andcontentsecurityplatforms.
Fewerthan2%ofdeployedenterprisefirewallswill
haveWebantivirusactivelyenabledonthemthrough
2016,althoughmorethan10%ofenterpriseswillhave
paidforit.

ACRONYMKEYANDGLOSSARYTERMS
ADC

applicationdeliverycontroller

AFM

AdvancedFirewallManager

ASA

AdaptiveSecurityAppliance

ATA

advancedtargetedattack

ATD

advancedthreatdetection

AWS

AmazonWebServices

DDoS

distributeddenialofservice

DMZ

demilitarizedzone

FIPS

U.S.FederalInformationProcessing
Standards

FPM

firewallpolicymanagement

GUI

graphicaluserinterface

IP

InternetProtocol

IPS

intrusionpreventionsystem

IPv6

InternetProtocolversion6

MSSP

managedsecurityserviceprovider

NGFW

nextgenerationfirewall

NGIPS

nextgenerationIPS

P2P

peertopeer

SMB

smallormidsizebusiness

SSL

SecureSocketsLayer

UTM

unifiedthreatmanagement

VE

VirtualEdition

VPN

virtualprivatenetwork

WAF

Webapplicationfirewall

EVIDENCE

ThisMagicQuadrantwasconductedinaccordancewith
Gartner'swelldefinedmethodology.Theanalysisin
thisresearchwasbasedprimarilyoninterviewsand
interactionsduringfirewallinquirieswithGartner
clientssincethe2014"MagicQuadrantforEnterprise
NetworkFirewalls."Wealsoconsideredsurveys
completedbyvendors,vendorbriefingsconductedat
therequestofvendorsthroughouttheyear,interviews
withreferencesprovidedbyvendors,andsupporting
Gartnerquantitativeresearchonmarketshare.
Guidelinesforrespondingtothefullsurveywere
providedatthetimeofissue.Responseswere,
nevertheless,ofvariablequality.Responsesthatwere
lowerquality(forexample,respondentsignoredthe
question,theyusedpoorgrammar,theywereunable
toexplainkeyconcepts,theywereunabletoprovide
highqualityexplanationsofusecases,ortheywere
unabletogobeyondtechnicalcapabilitiesand
demonstrateanunderstandingofthebusiness
environment),orthatdidnotmeettheguidelines,
generallytendedtoscorelower.Vendorsthatdeclined
toprovideasurveyresponsewereassessedbyGartner
astowhattheirlikelyreplywouldhavebeen(usually,
thiswasinrelationtospecificrevenuebreakdowns).
Somevendorsdeclinedtoanswercertainquestions
duetomarketrestrictions,and,therefore,didnotfare
aswellundersomeofthescoringcriteria.
Weaskedforaspecificnumberofreferencesfrom
eachvendor(n=95,total),andeachreference
customerwassuppliedwithastructuredsurvey.
Referenceswerescoredonthebasisoftheirquality
andwhattheytoldus.Foreachvendor,wetookinto
accountthecommentsfromthatvendor'sreferences
aswellaswhatothervendors'customerssaidabout
thatparticularvendor.Vendorscouldbenotably
affectedbytheinabilitytohaveasufficientnumberof
referencecustomersprovidinginput.

NOTE1
TYPEA,BANDCENTERPRISES

Source:Gartner(April2015)

VendorStrengthsandCautions
AhnLab
SouthKoreabasedAhnLabisalongestablishedsecurityvendor.Knownmostlyforantivirussoftware,
AhnLab'snetworksecurityofferingsincludefirewalls,IPSsandadvancedthreatsolutions.AhnLabbegan
offeringafirewallproductundertheTrusGuardbrandin2007,andnowthereare10models.Thefirewall
isCommonCriteriacertifiedEAL4,butdoesnothaveotherthirdpartyevaluations(suchasICSALabs,
NSSLabsorFIPSPUB1402).
AhnLabisassessedasaNichePlayerforenterprises,becausemostofitswinsarewithinaspecific
geographySouthKoreaand/orareassociatedwithanexpansionoftheendpointsecuritybusiness,
notbecausethevendorcompetesonbestofbreedenterprisefirewallfeatures.
Strengths
SouthKoreaclientsshouldconsiderAhnLabfortheirfirewallshortlists,givenitssignificantlocal
marketshareandsupportpresence.
Themodelrangeisverybroadtheenginewasdesignedtominimizedistributeddenialofservice,
includingfeaturesoptimizedforhandlingsmallerpacketsizes.
AhnLab'sendpointproductcustomerscanhavethesamevendorprovidethemwiththeirnetwork
firewallsolution,reducingvendormanagementchallenges.
Cautions
TheTrusGuardfirewallisnotoftenseeninenterpriseselectionsintheGartnerclientbase.AhnLab
wasnotlistedbyanyvendorwesurveyedasasignificantenterprisecompetitivethreat.
AhnLabdoesnotoffervirtualfirewallmodels,andhasnotyetintegrateditsMalwareDefense
System(MDS)malwaredetectionappliancewithitsfirewall.
AhnLabdoesnotallowmultipleadministratorstomakerulechangessimultaneously,placingitata
disadvantageinlargeenterprises.

Enterprisesvaryintheiraggressionandrisktaking
characteristics.TypeAenterprisesseekthenewest
securitytechnologiesandconcepts,tolerate
procurementfailure,andarewillingtoinvestfor
innovationthatmightdeliverleadtimeagainsttheir
competitionthisisthe"leanforward"oraggressive
securityposture.ForTypeAenterprises,technologyis
crucialtobusinesssuccess.
TypeBenterprisesare"middleoftheroad."Theyare
neitherthefirstnorthelasttobringinanew
technologyorconcept.ForTypeBenterprises,
technologyisimportanttothebusiness.
TypeCenterprisesareriskaversetoprocurement,
perhapsinvestmentchallengedandwillingtocede
innovationtoothers.Theywait,letothersworkout
thenuancesandthenleveragethelessonslearned
thisisthe"leanback"securityposturethatismore
accustomedtomonitoringratherthanblocking.For
TypeCenterprises,technologyiscriticaltothe
businessandisclearlyasupportingfunction.

NOTE2
BUYERS'CONFUSIONCONCERNINGWAFS
Theadventofapplicationcontrolinfirewallshasledto
somenaturalconfusionbetweentheNGFWandWAF
marketsinthemindsofbuyers.Today,thesemarkets
remainverydistinct.Thecriticaldifferenceisof
direction:ApplicationcontrolinNGFWsisconcerned
primarilywithapplicationsthatareexternaltothe
enterprise(forexample,P2PandFacebook),whereas
WAFsareconcernedwithprotectingcustomWeb
applicationsonserversthatareinternaltothe
enterprise.AlthoughafewfirewallsofferoptionalWAF
modules,thesearerarelyenabled.Instead,wesee
WAFsdeployedasastandaloneproduct(suchasfrom
Imperva),anoffpremisesservice(suchasfrom
Akamai)orwithinanADC(suchasfromF5).

BarracudaNetworks
Campbell,CaliforniabasedBarracudaNetworkshasbeenfocusedprimarilyonsellingawiderangeof
securitystorage,andinfrastructureappliancesandcloudservicestomidsizebusinessesandsmall
enterprisemarketsatlowprices.TheBarracudaenterprisefirewallofferingistheNGFirewall,whereas
theBarracudaFirewallseriestargetsSMBs.TheNGFirewallhasapplicationcontrolandreputation
services,whiletheBarracudaNGFirewallVxisavirtualversion,andthereisaMicrosoftAzureinstance.
AnadvancedthreatoptionhasbeenaddedwiththeBarracudaadvancedthreatdetection(ATD)option,
repackagedfromATDvendorLastline,providingacompetitivechoiceversuscompetingfirewalls.

NOTE3
FPMTOOLS
ThirdpartyFPMvendors(suchasAlgoSec,FireMon
andTufin)continuetoexploittheabsenceoffirewall
consolestooptimize,visualize,andreducefirewall
rulesandpolicies.AlthoughtheFPMmarketisstill
somewhatsmall,it'sgrowingfast,andthecustomers

BarracudaisassessedasaNichePlayerforenterprisesbecauseBarracudadoesnoteffectivelysellits
enterprisecapableproducttoenterprisesotherthaninWesternandCentralEuropeandincertainpublic
clouddeployments.
Strengths
TheBarracudaNGFirewallisagoodoptionforcustomersthatalreadyhaveotherBarracuda
productsorarelocatedinWesternorCentralEurope.
TheBarracudamanagementconsolescoreswellinselectionsforsimpledeployments.TheNG
FirewalltiedforthehighestscoreinasurveytoreferencesforIPSfunction.
TheBarracudaNGFirewallisastrongcompetitorinsituationswherepriceishighlyweightedinthe
selection.TheNGFirewallshowedastrongcorrelationforselectionsinasurveyforhighavailability
andclustering.
GartnerhasobservedaconsiderableincreaseinNGFirewallsalessincethepreviouseditionofthe
MagicQuadrant.
Cautions
BarracudacustomersareprimarilySMBs,andthevendordoesnotyethavewellestablished
enterprisenetworksecuritychannelsorsupportoutsideofWesternandCentralEurope.
AlthoughhavingdifferentiatedproductsforenterprisesandSMBsisgoodandreflectstheirdifferent
needs,Barracuda'sproductnamingisconfusingforenterpriseclients.TheBarracudaFirewallseries
targetsSMBs,whiletheBarracudaNGFirewallseriestargetsenterprises.
NovendorwesurveyedlistedBarracudaasasignificantenterprisecompetitivethreat.Althoughwe
seeBarracudaFirewallinSMBdeals,BarracudaisnotvisibleonthefirewallshortlistsofGartner
enterprisecustomers,exceptinsomeregions,notablyGermanyandAustria.Mostinteresthas
comefromincumbentcustomersthathaveotherBarracudaproducts.

CheckPointSoftwareTechnologies
CheckPointSoftwareTechnologiesiscoheadquarteredinTelAviv,Israel,andSanCarlos,California.Its
portfolioincludesnextgenerationfirewalls,threatprevention,Websecurity,endpoint,mobilesecurity,
cloudsecurityanddistributeddenialofservice(DDoS)solutions.CheckPoint'senterprisefirewallproduct
lineincludes17appliancesandtwochassisforhardwareblades,scalingupto400Gbps.Itcanalsobe
deliveredasavirtualappliance,deployedonVMware,AmazonWebServices(AWS),OpenStackand
MicrosoftAzure,ordeliveredassoftware.CheckPointfirewallcapabilitiescanbeexpandedbypredefined
packagesofadditionalsoftwareblades.CustomerscansupplementCheckPoint'sfirewallwithan
advancedthreatoffering(CheckPointThreatCloud),andcanaddadditionalthreatintelligencefeedsfrom
thirdparties(CheckPointIntellistore)andintegrateCheckPoint'sfirewallwithitsMobileSecuritysuiteto
enforcesecuritypolicyformobileusers(usingCheckPointCapsule).
GartnerassessesCheckPointSoftwareasaLeaderforenterprisefirewallsbecauseagoodscoreduring
technicalevaluationcontinuallydrivesnewclientwinsandcontributestoretainingalargeportionofits
existingcustomerbase.CheckPointalsoshowsstrongexecutiononitsenterprisefocusedroadmapto
deliverfeaturestargetingthevariousfirewallplacementusecasesforenterprises.
Strengths
CheckPointhasoneofthelargestexistingenterpriseclientbasesandcontinuestoappear
frequentlyonfinalshortlistsforenterprisefirewallselection.Itisabletosupporttheseclients
globallywithastrongchannelpresenceandasignificantinternalteamdevotedtofirewallfeature
development.
ItscomprehensiveproductportfolioallowsCheckPointtobedeployedinavarietyofenterpriseuse
cases.ThenewchassissolutionsfurtherexpandCheckPoint'sabilitytoscaletothelargestdata
centersandtoadapttotheirfuturegrowthrequirements.
CheckPointfirewallsconsistentlygethighscoresfromclientsonsecurityandeaseofmanagement
incomplexenvironments.Itcontinuestoinvestinitsmanagementsuite,withseveralfeaturesin
theR80versionintendedtoimprovetheauditabilityandmanageabilityofthesecuritypolicy,andit
hasfinallymergedthenetworkandapplicationcomponentsinaunifiedpolicy.
GartnerbelievesthatCheckPoint'sstrategytosupportVMwareNSX,OpenStackandCisco
ApplicationCentricInfrastructure(ACI)isagoodsignalforclientsconsideringCheckPointsecurity
solutionswhentheyevaluatesoftwaredefinednetwork(SDN)projects.
Cautions
PriceisthemostcommonfactorinvokedbyGartnerclientstointroducecompetitionforCheckPoint
solutionsatrenewaltimeorasareasontofavorcompetitionduringshortlists.Gartneranalysts
noticedthathardwareplatformssubmittedinresellerproposalstendtobemoretightlysized,and
seeitasatactictocontroltotalcosts.Inafewreportedclientsituations,undersizingwasaclear
reasonforperformanceissues,andcausedunnecessarybackandforthdiscussiontogetthe
adequatemodel.
In2014,Gartnerobservedahigherthanusualnumberofclientsreportingstabilityissueswith
CheckPointsolutions,andunexpectedlongresolutiontime.Thispeakedin2Q14,thenplateauedat
alowerleverduringthesecondhalfoftheyear.Gartneranalystsobservedthatmanyofthese
incidentsinvolvedclustersofnewhardwareplatformsrunningthefirstversionsoftheunifiedGAiA
OS,withthesituationimprovingasCheckPointsimplifiedthenumberofsupportedlegacyversions.
CheckPointcustomersareoftenslowtoadoptnewsoftwareoptionslikeitsthreatemulation
softwareblade.Gartnerbelievesthatreasonsincludeinsufficientresultsofmarketingoperationsto
supportthelaunchoftheseoptions,aswellasthefactthatCheckPointclientsarenotwillingto
subscribetoadditionalsoftwareoptionsaftertheinitialsizing,infearofperformanceissues.This
increasesthetimeforthesenewoptionstobecomemature,astheybenefitfromaloweramountof

requiringhelpwithcomplexityaretheverylargest.
Additionally,verylargeenterprisesmayhavefirewall
productsfromdifferentvendorssometimesby
accidentviaacquisitionratherthanthroughchoice,
becauseasinglevendorsolutionisusuallythebest
choice.Inothercases,anenterprisemaybeinthe
midstofamultistagerolloutofanewplatform.All
FPMvendorssupportmultiplefirewallproducts,
whereasnofirewallvendorwilleffectivelymanagea
competingproduct.Inaddition,FPMvendorsare
expandingintomanagingothernetworksecurity
devices,suchasIPSs.

EVALUATIONCRITERIADEFINITIONS
AbilitytoExecute
Product/Service:Coregoodsandservicesofferedby
thevendorforthedefinedmarket.Thisincludes
currentproduct/servicecapabilities,quality,feature
sets,skillsandsoon,whetherofferednativelyor
throughOEMagreements/partnershipsasdefinedin
themarketdefinitionanddetailedinthesubcriteria.
OverallViability:Viabilityincludesanassessmentof
theoverallorganization'sfinancialhealth,thefinancial
andpracticalsuccessofthebusinessunit,andthe
likelihoodthattheindividualbusinessunitwillcontinue
investingintheproduct,willcontinueofferingthe
productandwilladvancethestateoftheartwithinthe
organization'sportfolioofproducts.
SalesExecution/Pricing:Thevendor'scapabilitiesin
allpresalesactivitiesandthestructurethatsupports
them.Thisincludesdealmanagement,pricingand
negotiation,presalessupport,andtheoverall
effectivenessofthesaleschannel.
MarketResponsiveness/Record:Abilitytorespond,
changedirection,beflexibleandachievecompetitive
successasopportunitiesdevelop,competitorsact,
customerneedsevolveandmarketdynamicschange.
Thiscriterionalsoconsidersthevendor'shistoryof
responsiveness.
MarketingExecution:Theclarity,quality,creativity
andefficacyofprogramsdesignedtodeliverthe
organization'smessagetoinfluencethemarket,
promotethebrandandbusiness,increaseawareness
oftheproducts,andestablishapositiveidentification
withtheproduct/brandandorganizationintheminds
ofbuyers.This"mindshare"canbedrivenbya
combinationofpublicity,promotionalinitiatives,
thoughtleadership,wordofmouthandsalesactivities.
CustomerExperience:Relationships,productsand
services/programsthatenableclientstobesuccessful
withtheproductsevaluated.Specifically,thisincludes
thewayscustomersreceivetechnicalsupportor
accountsupport.Thiscanalsoincludeancillarytools,
customersupportprograms(andthequalitythereof),
availabilityofusergroups,servicelevelagreements
andsoon.
Operations:Theabilityoftheorganizationtomeet
itsgoalsandcommitments.Factorsincludethequality
oftheorganizationalstructure,includingskills,
experiences,programs,systemsandothervehicles
thatenabletheorganizationtooperateeffectivelyand
efficientlyonanongoingbasis.
CompletenessofVision
MarketUnderstanding:Abilityofthevendorto
understandbuyers'wantsandneedsandtotranslate
thoseintoproductsandservices.Vendorsthatshow
thehighestdegreeofvisionlistentoandunderstand
buyers'wantsandneeds,andcanshapeorenhance
thosewiththeiraddedvision.
MarketingStrategy:Aclear,differentiatedsetof
messagesconsistentlycommunicatedthroughoutthe
organizationandexternalizedthroughthewebsite,
advertising,customerprogramsandpositioning
statements.
SalesStrategy:Thestrategyforsellingproductsthat
usestheappropriatenetworkofdirectandindirect
sales,marketing,service,andcommunication
affiliatesthatextendthescopeanddepthofmarket
reach,skills,expertise,technologies,servicesandthe
customerbase.
Offering(Product)Strategy:Thevendor'sapproach
toproductdevelopmentanddeliverythatemphasizes
differentiation,functionality,methodologyandfeature
setsastheymaptocurrentandfuturerequirements.
BusinessModel:Thesoundnessandlogicofthe
vendor'sunderlyingbusinessproposition.
Vertical/IndustryStrategy:Thevendor'sstrategy

clientfeedback.

Cisco
SanJose,CaliforniabasedCiscohasabroadnetworksecurityproductportfolioacrossfirewall/IPS,Web
securityandemailsecuritytiers.ThefirewallofferingisprimarilyviatheAdaptiveSecurityAppliance
(ASA)brandthatincludesanIPSreleasedin2014.ASAwithFirePOWERservicesistheASAwiththe
SourcefireIPSAdvancedMalwareProtection(AMP)andapplicationvisibilityandcontroladdedin.Cisco's
virtualfirewallinglines,theASAvandtheVSG,requirethepresenceoftheNexus1000vvirtualswitch.
Forawhile,Ciscowillhavetwoprimaryconsoleofferings.First,theAdaptiveSecurityDeviceManager
(ASDM)canfunctionasanonthedevicesingleinstancemanager.Inaddition,thecombinationof
FireSIGHTwhichmanagestheIPSfunctionforASAwithFirePOWERservicesandCiscoSecurity
ManagerwhichmanagestheASAfirewallisthealternativeforASAwithFirePOWERservices.
GartnerexpectsthatCiscowillunitetheCiscomanagementconsoleintheshortterm.
BeforetheintroductionofASAwithFirePOWERservices,GartnersawCiscowinningfirewallprocurements
mostlythroughsales/channelexecutionoraggressivediscountingforlargeCisconetworkscustomers.
WiththeintroductionofASAwithFirePOWERservicesinSeptember2014,Ciscobecamemoreableto
competeintheNGFWfield
CiscoisassessedasaChallengerforenterprises.GartnerdidnotseeitdisplacingLeadersbasedonvision
orfeatures,andwerarelysawCiscoreleasefirewallinnovationsthatcausedLeaderstoreact.
Strengths
TheEnterpriseLicenseAgreement(ELA)forsecuritysoftwareandhardwareaddsvalueforCisco
securitycustomersthatareundertakingmultiyeardeploymentsandwishtomaintainatimetable
andproductflexibility.
GartnerclientsconsistentlyratetheCiscosupportnetworkasexcellent,anditisthemostoften
citedreasonforloyaltytoCiscosecurityproducts.Thevendorhasstrongchannels,broadgeographic
supportandwideavailabilityofothersecurityproducts.SurveyedCiscofirewallclientsconsistently
rankedtheavailabilityandpresenceofotherproductsfromCiscowithintheirnetworksasthemost
importantfactorintheirselectionofthevendor.
Ciscooffersawidechoiceinfirewallplatforms.TheprimaryofferingisthestandalonefirewallASA,
butfirewallsarealsoavailableviatheFirewallServicesModulebladefor6500and7600series
switches,onCisco'sASAforvirtualdatacenterandcloudenvironments,andonCisco's
InternetworkOperatingSystem(IOS)basedIntegratedServicesRouter.GartnerviewsthePlatform
ExchangeGrid(pxGrid)initiativetoallowthirdpartycomponentsontotheASAasthemost
promisingdevelopmentintheCiscofirewallroadmap.
TheintegrationofreputationfeaturesacrossCiscosecurityproductsisastrength.Therichcontext
providedbytheFirePOWERservicesintegrationaddstothisadvantage.
TheinclusionofSourcefireIPSwithinASAhasimprovedthequalityoftheASAIPSandapplication
control.
Cautions
GartnerclientsselectCiscofirewallproductsmoreoftenwhensecurityofferingsareaddedtoaCisco
infrastructure,ratherthanwhenthereisashortlistwithcompetingfirewallappliances.Inthe
surveysenttovendors,Cisco'sproductwasthesecondmostfrequentlylistedastheonevendors
claimedtoreplacethemosthowever,itwasalsolistedthisyearasNo.2inthevendorlistof
perceivedcompetitivethreats.
Cisco'ssecurityconsoleofferingsconsistentlyscorelowversuscompetitorsinassessments
conductedbyGartnerclients.However,GartnerbelievesthatmovingcompletelytotheSourcefire
FireSIGHTwillbringimprovements.
CiscoscoredlowerthanmostcompetitorsinaGartnersurveyofusersforoverallclientsatisfaction.
CiscoASAhasafirewallconsoleintegrationofalocalsandboxbasedadvancedtargetedattack(ATA)
cloudinstanceorappliancethroughAdvancedMalwareProtection(AMP)however,Gartnerclients
chooseAMPnotforitsundifferentiatedsandboxingcapability,butforotherATAdetectionstrengths.
CiscocanimproveitsATAassociatedsandboxingifitintegratesits2014acquisitionofThreatGRID.

DellSonicWALL
Dell,whichisheadquarteredinRoundRock,Texas,sellsenterprisenetworkfirewallsundertheDell
SonicWALLname.ThemajorityofDellSonicWALL'sbusinesshadbeensellingUTMtomidsizeenterprises,
withtheSuperMassivelineaimedatenterprises,andatcompetitiveprice/performancepoints.OtherDell
SonicWALLsecurityproductsincludeSSLVPNs,emailsecuritygateways,cleanwirelessofferings,data
encryptionofferings,identitymanagementofferings,managedsecurityserviceprovider(MSSP)offerings
undertheSecureWorksbrand,andbackup/recoveryofferings.Thecompany'sfirewallofferingsareinfour
brandedlines:SuperMassive,EClassNetworkSecurityAppliance(NSA),NSAandTZ.Gartnerobservesa
strongcorrelationbetweenSonicWALLpurchasesandincumbentDellcustomers.
DellSonicWALLisassessedasaNichePlayerforenterprises,inpartbecauseithasn'tbroughtinnovative
securityfeaturestomarketinatimelymanner,anditssaleschannelsandmarketingprogramshaven't
effectivelyreachedenterprisebuyers.
Strengths
DellSonicWALL'sbroadmodelrangeisagoodoptionfordistributedenterpriseswithmanyremote
officedeploymentsrequiringmanysmallerdevices,suchasinretailorfranchiseoutlets,orwith
TypeCenterprises(seeNote1).GartnerhasobservedthattheDellSonicWALLchannelhas
migratedthecorefirewallbusinessintomoremidsizeorganizationsorintoorganizationsthat

todirectresources,skillsandofferingstomeetthe
specificneedsofindividualmarketsegments,including
verticalmarkets.
Innovation:Direct,related,complementaryand
synergisticlayoutsofresources,expertiseorcapital
forinvestment,consolidation,defensiveorpre
emptivepurposes.
GeographicStrategy:Thevendor'sstrategytodirect
resources,skillsandofferingstomeetthespecific
needsofgeographiesoutsidethe"home"ornative
geography,eitherdirectlyorthroughpartners,
channelsandsubsidiariesasappropriateforthat
geographyandmarket.

alreadyhadastrongDellSonicWALLrelationship.
ForcurrentDellcustomersthatwanttohavefewersecurityvendors,DellSonicWALLisagood
choicebecauseofitswiderangeofproductsandavailableSMBorientedfeatureset.
TheSuperMassivelinehasachievedmarkettractioninhighthroughputfirewalldeployments,such
ascarriersandserviceproviders,inwhichfirewallthroughput,lowlatencyandpriceperprotected
megabitspersecondareforemostinasurveytousers,customersrankedthroughputandspeedas
theforemostselectioncriterionsupportingthisassessment.
Cautions
AsreportedbyGartnerclients,DellSonicWALLisnotyetwidelyviewedasanenterprisestrategic
securityplayerrather,itisperceivedasamidsizebrandassociatedwiththegreaterDellbrand.
GartnerrarelyseesDellSonicWALLinmostTypeAandTypeBenterprisefirewallselections
however,thisisnota"Caution"forotherorganizations.
DellSecureWorkspresentsapotentialchannelconflictforsalestootherMSSPs,whichcanviewDell
SonicWALLaspartofacompetitor.Gartneranalystshaveobservedcompetitorsusingthis
argumenttogatherchannelpartnersfromDellSonicWALL.
DellSonicWALLscoredlowasasignificantenterprisecompetitivethreatbythevendorswe
surveyed,andscoredpoorlyinasurveytousersinregardtofalsepositivesforIPSinthefirewall.
TheproductlinesTZandNSAareaging.DellSonicWALLprospectsshouldasktoseeroadmapsfor
evidenceoffutureinnovationplans.

F5
F5,basedinSeattle,isaleadingdatacenterapplicationdeliveryvendor.Inadditiontothetraffic
managementmodules(GTMandLTM)thatarethecoreofF5'sApplicationDeliveryController(ADC)
offering,securitymodulesincludeApplicationSecurityManager(ASM),itsWebapplicationfirewall,and
theAdvancedFirewallManager(AFM),anetworkfirewall.ItsfirewallproductofferingreliesontheBigIP
appliances(14models,from5Gbpsupto80Gbps)andViprionchassis(fourmodels,upto640Gbps)
hardwareplatforms,runningtheF5TrafficManagementOperatingSystem(TMOS).F5alsooffersvirtual
appliances(F5VE)andcentralizedmanagement(BigIQ)foritsBigIPsolutions.GartnerviewsF5as
successfullyusingsecurityasacompetitivefeatureintheADCmarketratherthanbeingapureplayin
thefirewallmarket.
F5isassessedasaNichePlayerfortheenterprisefirewallmarket,becauseitsfirewallofferingisvisible
onlyinalimitednumberofusecases,mostlysoldasanaddonofotherfeaturestoexistingF5
customers.
Strengths
F5'ssoftwareisoptimizedfordatacenterandISPinfrastructureprotectionusecases.Itincludes
IPv6compatibility,robustroutingoptimizationandSDNfeatures.GartneralsoexpectsF5toadd
integrationwithitsfirewallanditsSilverlineDDoSprotectionoffering.
F5'scustomergivegoodscorestoitshardwareplatformforitsabilitytoscale.Thisincludes
hardwareaccelerationand40Gbpsnetworkinterfaces,butalsostrongSSLoptimizationcapabilities,
whichareoftenaweakspotofotherfirewallplatforms.
F5dedicatessignificanteffortstosecurityfeaturesandshowsitscustomersacommitmentto
considersecurityasacentraltopicofitsroadmap.Thisisapositivesignfortheseclientsthatcan
addafirewallcomponenttotheirexistingdatacenterdeploymentatafractionofthecostrequired
bytheacquisitionofadedicatedappliance.GartnerexpectsF5tocompeteindatacenteronlydeals
whenarchitecturecomplexityislowGartnerhasalreadyseenF5competewellinfirewall
placementsforhostingproviders.
Cautions
F5doesnotappearonGartnerclientcompetitiveshortlistsforenterprisefirewallselection,except
whencustomersalreadyownF5ADCandevaluateF5'supgradeoptions.F5isnotseenyetasa
competitivethreatbyotherfirewallvendorsevaluatedinthismarket.
F5ismissingthecriticalcompetitivecomponentofastandaloneInternetfacingfirewalltoprotect
usersandserverswhereanADCisnotrequired,andlacksentrylevelappliancesrequiredfor
branchesandsmallheadquarters.
F5lacksanIPSmoduleandonlyrecentlyintroducedsecureWebgateway(SWG)services.The
applicationcontrolfeatureislimitedtowhatusersgetfromSWGandWebapplicationfirewall(WAF)
modules,buthasyettobecoveredbyaunifiedsoftwarecomponent.GartnerbelievesthatF5's
effortstocoverabroadfeaturesetcouldhurtitsabilitytoprovidesufficientdepthforthecore
featuresusedinenterprisefirewallusecases.
AsF5'sfirewallmodulesarelikelytobeusedasadatacentersupplementtoaperimeterfirewall,
F5'sintegrationwithonlyonefirewallpolicymanagementsoftware(FireMon)limitssecuritybuyer
options.

Fortinet
Sunnyvale,CaliforniabasedFortinethaslongfocusedonusingpurposebuilthardwaretoproduce
enterprisefirewallandUTMapplianceswithawiderangeoffeaturesatstrongprice/performancepoints.
Itoffersabroadsecurityportfolioandhassomepresenceinnetworkinfrastructure.Thefirewallfeatures
inFortinet'senterprisefirewallproductscannowmeetmostoftheneedsoffirewallfocusedlarge
enterprisebuyers.
FortinetcontinuestomakeprogresswithintheGartnercustomerbase,especiallyinbranchofficeorretail
deployments,butincreasinglyinmorewidespreadenterpriseusecases.Inaddition,itisverycompetitive

indatacenterevaluationsinwhichhighperformance,lowlatencystatefulfirewallsaretheprimaryneed.
Fortinetisasignificantthreattocompetitorsinthismarketbecauseofitshardwareexpertise,
competitivepricingandacceleratingrevenuegrowth.Itisaviableshortlistcontenderformostenterprise
firewallusecases.
FortinetisassessedasaChallenger,mostlybecauseweseeitdisplacingcompetitorsonvalueand
performance,butstrugglingagainstLeadersinmainstreamenterpriseselectionsbasedonfeaturesand
vision.FortinetdoesnotoftenreleasefeaturesthatcauseLeaderstoreact.
Strengths
FortinethasalargehardwareR&Dteamandusesittogotomarketquicklywithhigher
performancechipsets.Fortinetcontinuallydeliversnewfunctionsintheapplicationspecific
integratedcircuitandoperatingsystem,providingextensivepressureoncompetitorsandpleasing
thechannel.
Fortinetoffersagoodprice/performanceratioandawidemodelrange,includingbladedappliances
forlargeenterprisesandcarriers,aswellasSMBandbranchofficesolutions.
InadditiontoenterpriseNGFWdeployments,Fortinetiswellsuitedtodeploymentsincarriers,data
centers,serviceprovidersanddistributedenterprises(forexample,retailandfranchises).
Fortinethasawellarticulatedstrategyregardingvirtualization,publiccloudandSDN,andhasa
promisingpartnershipwithVMwareNSX.
Cautions
Despitesomeimprovementsin2014,managementcapabilitycomparedwiththecompetition
remainsthereasonmostoftenlistedbyGartnerclientsasthereasonwhyFortinetwasshortlisted
butnotselectedbyenterprises.However,wheremultiplefirewallssharethesamepolicy,the
Fortinetconsoleismorecompetitive.
Althoughit'sreducedthenumberofappliancesinitsoverallFortigateproductline,Fortinetstill
supportsmoreversionsandmodels(withoftenoverlappingspecifications)thanmanyofits
competitors.Gartnerbelievesthatthenumberofappliancesandsoftwareversionsimpacts
customersupport.
GartnerbelievesthatFortinet'sFeatureSelect,whichprovidespresetinitialconfigurationoptionsor
bundlesoffeatures,doesn'teffectivelycommunicatethesupportofthevaryingusecasesofmany
enterprisesorcanconveytocustomersthattheNGFWisjustasubsetofthefullUTMsuiterather
thana"madeforenterprise"solution.
WhileFortinet'smarketingmixbecamemuchmoreenterprisefocusedin2014,previousUTM
orientedmarketinghascreatedalingeringbranddisadvantagewithsomeenterprisesecurity
buyers.

HillstoneNetworks
BasedinBeijingandSunnyvale,California,HillstoneNetworksisapureplayfirewallvendor.Itsfirewall
portfolioiscomposedofthreeproductlines,theTSeries(3models),theESeries(13models)andtheX
Series(twochassis),withfirewallthroughputrangingfrom1Gbpsto360Gbps.Hillstonehasadded
networkbehavioranomalydetectionintoitsfirewall,andoffersvirtualversionsinitsvirtualElastic
FirewallArchitecture(vEFA).
Althoughitisaggressivelymovingtoincreasesalesinmoreregionsbyexpandingitsworldwidepartner
ecosystem,HillstoneisassessedasaNichePlayerbecauseitisvisibletoGartneronlyinoneregion,with
amajorityofitssalesinChina.
Strengths
HillstonehasastrongpresenceinChina,andoffersdedicatedfirewallmodelsforthismarket.
SurveyedcustomersinChinagivegoodscorestodirectvendorsupport.
Hillstone'srecentreleaseofafirewallwithbehaviorbasedpolicy(namedIntelligentNextGeneration
Firewall)indicatesamotivationtobringfurtherinnovationtotheenterprisefirewallmarket.
HillstoneintegrateswithFireMonandAlgoSecpolicymanagementsoftware,whichcanfacilitate
purchasedecisionforinternationalcompanieswillingtousealocalvendorintheAsia/Pacificregion.
Cautions
HillstoneNetworks'firewallsarenotyetseeninenterpriseselectionsamongtheGartnerclientbase
outsideofAsia/Pacific.GartneralsoobservesincreasingcompetitionforHillstoneinChinafromlocal
andregionalvendors.
Surveyedcustomersindicatethatperformancedegradationwhenenablingintrusionpreventionis
higherthantheleadingvendorsevaluatedinthismarket.
Surveyedcustomersfrequentlycitemanagementinterfaceasanareathatrequiresimprovement.

HP
PaloAlto,CaliforniaheadquarteredHPhastwolinesoffirewalls.ThefirstisthenewTippingPointNext
GenerationFirewall(NGFW)linethesecondlineiscomposedofF5000andF1000,formerlyofH3C
TechnologiesinChina.Thesetwolinesareondistinctcodebases,areunderdifferentconsolesandare
supportedbydifferentgroupswithinHP.ThenewTippingPointNGFW(x86compatible)istheredesignof
theolderTippingPointIPS,whichisbasedoncustomapplicationspecificintegratedcircuits(ASICs).As
such,thereisnodirecthardwareupgradepathfromtheIPStotheNGFW.However,bothcontinuetobe
sold.TherearesixmodelsofNGFW,allbearingthe"S"prefix.HPisaddinganadvancedthreatsandbox
solutionviaalocalappliancebasedonTrendMicro'sDeepDiscoveryInspector,whichwillworkwithHP's
NGFWandIPSviatheintegrationwiththeHPTippingPointSecurityManagementSystemconsole.

HPisassessedasaNichePlayer,mostlybecauseGartnerhasnotyetseenthenewfirewallproducton
shortlists(see"VendorRating:HP"formoreinformation)orasfullyfeaturedasmostChallengersand
Leaders.HPhasthepotentialtobeadisruptiveinfluenceandamarketchallengerthroughcontinued
productadvancementandutilizationoftheHPchannel.
Strengths
TheprovenTippingPointIPSenginebringsaverygoodqualityofIPStothenewNGFWline,whichis
ofinteresttoincumbentTippingPointIPSdeploymentsthatarelookingtoreplaceafirewall,orto
thosedeploymentsinwhichIPSneedsaremorehighlyrankedthanotherfirewallfeatures.Ina
Gartnersurvey,themostmentionedreasonforbuyingtheHPfirewallwasalreadyhavingotherHP
securityproducts.
Inasurveyoffirewallusers,HPNGFWscoredhighestforusersatisfactionregardingqualityofIPS
relatingtofalsenegativesandpositives.
Thereisagoodrangeofmodelsinthenewfirewallline,meaningnewadoptersarelesslikelyto
havetowaitfornewmodelstoconsiderdeployments.
TheTippingPointNGFWandIPSaremanagedundertheHPTippingPointSMSconsole,whichwill
alreadybefamiliartoHPIPScustomers.
Cautions
Enterprisefirewallbuyersareoftenhesitanttoinvestinsomethingthatdoesn'thaveaproventrack
recordinthismarket.HPhasbeenslowtoexecuteonaroadmapandaddnewfeaturestoits
firewalltoallowittocompeteforgeneralenterprisebusinessbybeing"RFPready."However,
incumbentHPcustomersmaystillfindthistobeashortlistoption.Gartnerclientsrarelyincluded
HPfirewallsintheshortlistsweobserved.
Asisoftenthecasewithnewproducts,thesurveyedHPusersmostoftencitedthattheSMS
consoleneedsimprovementinmanagingthenewfirewallingcapabilities,andsupportwasnotrated
highly.
BasedonconversationswithGartnerclientswhoarealsoHPTippingPoint'sprospectsand
customers,GartnerviewsHPastrendingtowardreemphasizingstandaloneIPSsoverfirewalls,as
theyarechallengedingainingshareinthefirewallmarket.HPNGFWprospectsandcustomers
shouldevaluateHP'sNGFWreleasecadenceandfeaturequality,aswellasthetimelydeliveryof
roadmapcapabilitiestodeterminecontinuedinvestmentandpriority.

Huawei
Shenzhen,ChinabasedHuaweihasbeenshippingfirewallproductsformorethanadecade(formore
information,see"VendorRating:Huawei"),andoffavarietyofothernetworksecurityappliances,
includingantiDDoSandIPSs.Therangeoffirewallappliancesandmodelsisextensive,especiallyfor
higherthroughputoptions,andforcustomersthatalreadyhaveHuaweiproductsandwishtoexpand
thatbusinesstofirewalls.UnifiedSecurityGateway(USG)istheprimaryenterpriseline,andEudemonis
thelineforcarriersandserviceproviders.MoreHuaweifirewallrevenueisderivedfromcarriers,ISPsand
cloudandserviceprovidersthanfromenterprisesandSMBs.
HuaweiisassessedasaNichePlayerforenterprisesovertheevaluationperiod,mostlybecauseweseeit
mostlyinanarrowgeographicsegment,andbecausewedidnotseeitfrequentlydisplacingLeadersor
Challengersbasedonvisionorfeature.
Strengths
GartnerassessesHuaweiashavingaverygoodoverallnetworksecuritystrategyandalarge
securityresearchteam.
CustomerswhosenetworksarebasedprimarilyonHuaweiinfrastructureproductscaninclude
Huaweifirewalls.UsersreporttoGartnerthatHuaweiappliancesperformasexpectedunderload.
ThetopendoftheHuaweifirewalllinehasaveryhighthroughputandisagoodshortlistcandidate
forcarriers.MostdeploymentsGartnerobservesarehigherthroughputdeployments.
HuaweideliveredandimprovedsomeapplicationcontrolandotherNGFWfeaturesin2014,largely
targetedtoenterprisecustomers.Itsupcomingroadmapaddressesenterpriseorientedfeatures.
Cautions
HuaweihaslimitedcompetitivevisibilityoutsidetheAsia/Pacificregionhowever,thereissome
increasingcompetitivepresenceandgrowthinEMEA.
InterviewedusersreportedthattheywouldliketoseebetterfeaturesintheWebgraphicaluser
interface(GUI)console,andconsistentlyaskedforbetterreporting.
Huaweilagsthecompetitioninpartneringwithfirewallpolicymanagementvendors,preventingit
fromfullyfulfillingsomeenterprisecomplianceandsecurityneeds.
Huaweihastakenconsiderablestepstoaddressconcernsaboutrelyingontechnologydevelopedin
Chinahowever,thisconcerncontinuestobeasecuritysaleschallengeinsomemarkets,especially
NorthAmerica.

IntelSecurity(McAfee)
IntelfirewallsaresoldundertheMcAfeebrand.McAfee,whichisnowpartofIntelSecurity(basedin
SantaClara,California),sellssecuritycontrolsattheendpoint,serverandnetworklayers.Intel(McAfee)
networksecurityisbestknownforNetworkSecurityPlatform(NSP),itsnetworkIPSproductline.Intel
Securityobtaineditsnetworkfirewallin2013fromFinlandbasedStonesoft,whoseproductisnowcalled
theMcAfeeNextGenerationFirewall(NGFW).TheMcAfeeNGFWhasagoodrangeofmodels(scalingup
to120Gbps),includingavirtualizedversion,andhasperformedwellinthirdpartytesting.(IntelSecurity

hasanadvancedthreatoffering[ATD]thatbecomesmoreeffectivethemoreIntelMcAfeesafeguardsare
inplace.)
Gartnerbelievesthat,inthenearfuture,IntelSecuritywillhaveasinglehardwareplatformsupporting
theMcAfeeNGFWandNSP,whichistheIPSproduct.
IntelSecurityisassessedasaNichePlayerforenterprisesbecauseitprimarilysellsalongsideotherIntel
andMcAfeesecurityproductsratherthanbeatingLeadersinshortlists.
Strengths
ThebreadthoftheIntelSecuritythreatintelligenceandreputationfeedsisapositivequality
elementandleveragestheIntelSecurityfootprintonendpoints,secureWebgateways,email
securitygatewaysandIPSs.
TheMcAfeeNGFWfirewalllinehaslongbeenaleaderinhighavailabilitytechnology,andithasvery
reliableclusteringandactive/activeconfiguration.Itfocusedearlyonantievasiontechnology,and
protectedcustomerswellasattacksevolvedtoincludefirewallanddeepinspectionevasiveness.
ThevisibilityofePolicyOrchestrator(ePO)hostinformationwithinthefirewallreportingandconsole
toolsisofinteresttocurrentIntelSecurityePOcustomers.
InaGartnersurveyofclients,theMcAfeeNGFWscoredveryhighinoverallclientsatisfaction.
Cautions
GartnerbelievesthathavingtheMcAfeenetworksecurityunitwithinaprimarilyhostbasedsecurity
companywhichisitselfwithinalargeendpointfocusedchipmanufacturerremainsa
significantchallenge.IntelSecuritywasnotlistedbyanyvendorwesurveyedasasignificant
enterprisecompetitivethreat,andIntelisnotestablishedasbeingastrongbrandinnetwork
security.
IntelSecuritycurrentlyhastwodifferentnetworkIPSenginesacrosstheMcAfeeNGFWandNSP
(IPS)products.Rationalizingandcentrallyadministeringthesefromonemanagementconsolewill
presentchallenges.
IntelSecurityisrarelyseenonGartnerclientnetworkfirewallshortlists,andGartnerestimatesthat
themarketshareissmallatlessthan5%.

JuniperNetworks
ThefirewallofferingsofSunnyvale,CaliforniabasedJuniperNetworksareinmultiplemodellines:SRX
SSG,NS,ISGandthevirtualizedversionofSRX(vSRX).TheJuniperSRXSecurityServiceGatewayoffers
routingasabasicfirewallelement,andrunsthesameJunosoperatingsystemasotherJuniper
infrastructurecomponents.Gartnerconsidersroutinginthefirewallasbeingofinteresttoalimited
segmentofcustomers.JuniperhasAppSecureforapplicationcontrolandvisibilityintegratedIPSand
threatintelligencefeeds.Juniper'sJunosSpaceSecurityDesignisthecurrentsecuritymanagement
platform.
JuniperisassessedasaNichePlayerforenterprises,mostlybecauseweseeitselectedinconcertwith
otherJuniperofferings,ratherthandisplacingcompetitorsbasedonitsvisionorfeatures,andweseeit
beingreplacedinenterpriseenvironmentsmoreoftenthanweseeitselected.Juniperis,however,
shortlistedand/orselectedinmobileserviceproviderdeploymentsandlargeenterprisedatacenter
deployments,primarilybecauseofpriceandhighthroughputonitslargestappliances.
Strengths
CustomerswhosenetworksarealreadystandardizedonJuniper'sJunosbasedinfrastructure
productscanbenefitfromtheSpaceSecurityDesignconsolebecauseitispartoftheJunosSpace
networkmanagementplatform.Interviewedusersoftenselectedthefirewalls,withthroughput
weightedhighlyintheirselection.
Goodoptionsexistforhighthroughput,purposebuiltappliances,especiallyinthehigherendSRX
models,becauseGartnerseesJunipermostlydeployedinlargedatacenters.
Juniperhasastrongrangeofbranchofficefirewallscomplementingtheenterpriseproducts.These
branchofficefirewallsincludeWANandcellularbackuptechnologies.
JuniperSRXisagoodshortlistcandidateindeploymentsforserviceprovidersorhosterswhere
statefulfirewallthroughputisvaluedforemostandpriceisweightedhighly.
Juniperoffersathreatintelligenceplatformsupportingthirdpartyfeedsandenablingdeploymentto
enforcementpoints.Thiscapabilitywillappealtoenterprisesthatusemultiplethirdpartythreat
intelligencefeeds.
Cautions
GartnerdoesnotassessJuniperascurrentlyhavingacompellingordifferentiatedsecurityvision,or
onethatiswellknowntononJunipercustomers.In2014,JuniperreleaseditsfirstNGFWfeature
set,wellbehindmostofthefirewallvendorsevaluatedinthisresearch.
SomeGartnerclientshavecitedaneedforsupportandplatformstabilityimprovements.Usersthat
Gartnersurveyedreporthardwarefailuresoverthepast12months.
Gartnerbelievesthatmostenterpriseswantanoperatingsystemintheirsecurityproductsthat
differsfromtheoneininfrastructurecomponents.
Juniperhascontinuedlosingsecuritymarketshareinthepastyear,andhasexperienceddeclining
yearoveryearrevenueinagrowingmarket.Thecompanymustaddressfundamentalsalesand
marketingchallengesanddemonstratethatitcanwinbackcustomersandmarketsharewithits
newercapabilities.

PaloAltoNetworks
PaloAltoNetworksisaCaliforniabasedpureplaynetworksecuritycompanythathasbeenshipping
enterprisefirewallssince2007.PaloAltoNetworksisknownmostlyforitsinnovationsinapplication
controlandforimprovingintegratedIPSinfirewalls.Thefirewallproductlineincludes18models,witha
maximumthroughputof120GbpsforthePA7050,releasedin2014.WiththeacquisitionofCyvera
(rebrandedasTraps),PaloAltoNetworksnowoffersasecondendpointproduct,inadditiontotheexisting
GlobalProtect.PaloAlto'scloudbasednetworksandboxservice,WildFire,sawhighattachratesfornew
andexistingcustomersin2014.PaloAlto'sworkwithVMwareNSXhasprovidedcustomersanother
optionforplacingPaloAltoproductsinvirtualizeddatacenters.
PaloAltoNetworksisassessedasaLeader,mostlybecauseofitsNGFWfocus,andbecauseofits
consistentvisibilityinGartnershortlistsforadvancedfirewallsusecases,frequentlybeatingcompetition
onfeaturequality.
Strengths
GartnerclientsconsistentlyratethePaloAltoNetworksAppIDandIPShigherthancompetitors'
offeringsforeaseofuseandquality.
ThefirewallandIPSarecloselyintegrated,withAppIDimplementedwithinthefirewalland
throughouttheinspectionstream.This"singlepass"isassessedasadesignadvantagebyGartner
clients,asopposedtotheunnecessaryinspectionthatcanoccurincompetingproductsthatprocess
trafficinserialorder.
PaloAltoNetworkswasconsistentlyonmostNGFWcompetitiveshortlistsseenbyGartner,andin
thesurveytovendors,itwasmostmentionedasthestrongestcompetitorwithwhichthese
vendorscompete.
TheroadmapfocusonVMwareNSXdisplaysstrongleadershiptowardsolvingclients'future
problems.PaloAltoshiftedfocuscorrectlytoeastwestsegmentationratherthanwholedatacenter
firewallvirtualization.
TheWildFireadvancedthreatapplianceandcloudservicearepopularaddonswithnewand
incumbentPaloAltoNetworksfirewallcustomers,givingthemanoptionversusthirdparty
advancedthreatappliancesolutions.
Cautions
GartnerclientsreportPaloAltoNetworks'directsalesandresellersbeingoverlyoptimisticaboutthe
performanceimpactofturningonantivirus(thatis,Webantimalware),andconflatingantivirus
withIPSand/orotherfeatures,orclaiminga0%performanceimpactwhenenablingtheantivirus
(AV)function,whichisnotcrediblewithcustomers.Gartnerbelievesthatthisapproachhaseroded
customertrustinthePaloAltoNetworksbrand.
GartnerdoesnotseePaloAltoreproducingitsfirewallsuccessinitsattempttoentertheendpoint
market.GartnerconsidersPaloAlto'sentryintotheendpointmarketasahighriskmovethatcould
dilutecompanyattentionintoanonadjacentmarketandcouldalienatethenetworksecuritybuying
center.Theendpointshouldbeaddressedthroughathirdpartyecosystemorpushedstrongerasan
independenteffort.
Thecompanymustdevelopabetterthirdpartyproductsupportecosystem.
Likeothervendorswithleadingproducts,PaloAltoNetworksischallengedtowinselectionsinwhich
priceisweightedmorethansecurityfeatures,asinTypeCenterprises(seeNote1).Italsodoesnot
offerthesmallerappliancesthatcompetitorspositionindistributedenterprisedeals.
Theclientsweinterviewedwouldliketoseebetterloghandlingatscale.Also,theclientcomplaints
wereceiveregardingPaloAltoNetworksusuallyrelatetomanagementconsoleissuesatscale,or
anecdotesofchannelpartnershortcomings.

Sangfor
HeadquarteredinShenzhen,China,andfoundedin2000,SangforprovidesWANoptimization,access
managementandnetworksecuritysolutions,includingfirewall,SSLVPNandInternetaccess
management.Sangforstartedshippingitsenterprisefirewallproductline(NextGenerationApplication
Firewall)in2011.Itnowfeatures16models,forafirewallthroughputofupto80Gbps.Sangfordoesnot
offeravirtualappliance.
SangforisevaluatedasaNichePlayerforenterprisefirewallbecauseitservesanarrowedsegmentofthe
marketandoperatesmostlyinChina.
Strengths
Sangforclientsliketheeaseofinstallation,reportingonsecurityandhighperformance.Theyalso
citecompetitivepriceasareasonforselectingthesolution.
CloudbasedsandboxingandactivevulnerabilityscanningareavailableonSangfor'sfirewallatno
additionalcharge.
Cautions
GartnerdoesnotseeSangforfirewallsbeingshortlistedoutsideofChina.Internationalizationofthe
Sangforfirewallproductlineisstillanongoingprocess.PotentialcustomersoutsideofChinashould
firstverifytheavailabilityofvendorsupportandproductdocumentationfortheirusecase,and
requestreferencesfororganizationsinthesameregion.
Surveyedcustomersshowedamajorityofuppermidsize/smallenterpriseusecases,withalimited
numberoffirewallsforasinglecustomer.
Sangfor'senterprisefirewallisnewcomparedwithmostofitscompetitors,andseveralfeaturesare
stillunproven,withaquicklygrowingnumberofdeploymentsbutalimitedexistence.

Sophos
SophosisasecuritycompanyheadquarteredinOxford,U.K.,thatisprimarilyknownforitsendpoint
securitysolution.Itsenterprisefirewallportfoliomainlyconsistsoftwoproductlines,theSGseries(14
models,from1.5Gbpsto60Gbps)andtheNGproductline,resultingfromtheacquisitionofIndiabased
Cyberoam(19models,from400Mbpsto160Gbps).ThetworemoteEthernetdevice(RED)modelsallow
remoteVPNconnectionsforsmallbranches.Sophosfirewallsarealsoavailableinvirtualapplianceformat
andcanrunonAWS.SophosalsosellssecureWebgatewaysandsecureemailgatewaysinadditiontoits
endpointsecurityandmobilesecuritysolutions.
Sophos'NichePlayerpositioninthisMagicQuadrantreflectsitsfocusonuppermidmarketandsmaller
enterpriseneeds,whichisshown,too,inthelimitedvisibilityforSophosfirewallsondatacenterand
largerenterprises'shortlists.
Strengths
AgrowingnumberofSophosendpointcustomersshortlistSophosasapotentialfirewall,citingease
ofuse,potentialproductsynergiesandsimplifiedprocurementasthemainreasonsforselectingthe
vendor.
TheSophosCloudmanagementofferingcombinesmobile,endpointandnetworkmanagement,and
appealstovastlydistributedenterprisesandorganizationswithalargemobileworkforce.
TheSophosroadmapshowsagoodunderstandingoftheneedsofmidsizeandsmallerenterprises
clients,theirtargetmarket,andhowtheyplantoaddressoverlapsbetweentheirtwofirewall
productlines,increasecrosssynergiesacrosstheirsolutions,andfilltheremaininggapsintheir
securityportfolio.
SophosleadsthemarketinAWSfeaturesandmarketpenetration,andisagoodchoiceforAWS
onlyplacements.
Cautions
Sophos'visibilityonGartnerenterpriseclientshortlistsremainslow,andisalmostexclusivelyfrom
existingSophoscustomers.
Sophosstillmaintainstwofirewallproductlines,andwillbedeliveringitsunifiednextgeneration
productinmid2015.CustomersmustensuretheirSophosappliancescanreceivethefirmware
upgradeinordertotakeadvantageofthenewplatform.
Gartnerbelievesthatmidmarketandlargeenterprisehavedifferentneedsandexpectationsfor
centralizedmanagementandreportingsolutions.Sophos'currentmanagementandreporting
offeringsareorientedtowardUTMuseanddistributedorganizations,andgetlowerscoresin
competitiveevaluationswherecomplexpolicyandstringentworkflowrequirementsarehighly
weightedhowever,Sophosisagoodchoiceforuppermidmarketcustomers,smallerenterprises
andTypeCenterprises.

Stormshield
Stormshield(formerlyArkoon+Netasq),headquarteredinFrance,hasbeenapureplaynetworksecurity
vendorformorethan15years,sellingUTMsystemsandenterprisefirewallswithintegratedIPSsand
vulnerabilitymanagement.In2012,AirbusDefenceandSpaceCyberSecurity(formerlyCassidian
CyberSecurity,asubsidiaryofEADSGroup)acquiredNetasq.InApril2013,itacquiredArkoon,another
Frenchsecuritycompanywithfirewallsandendpointprotectionplatforms.Thetwogroupshaveunited
undertheStormshieldbrand,andhaveintroducedtheStormshieldNetworkSecurityline.Theseproducts
arecomposedofnineappliances,rangingfrom400Mbpsto80Gbps.
VirtualversionsarealsoavailablewiththeVseries,andattheAWSMarketplace.
StormshieldisassessedasaNichePlayerforenterprises,mostlybecauseitbestservesmidsize
businessesandgovernmentagenciesinWesternandCentralEurope.
Strengths
StormshieldisaEuropeanvendorandbenefitsfromlocalcertifications,suchasthe"EURestricted"
orspecificassessmentfromtheFrenchgovernment,whichisofinteresttoEUgovernmentsand
agencieslookingforsimplerprocurementoralocalprovider.Itsownership(Airbus)addscredibility
toFrenchgovernmentanddefensecustomers.
Stormshieldhasquicklyexecutedonaplantoproduceanewproductline,givingaclearchoiceto
prospectsandexistingclientsfromtheformercompanieswhenconsideringafirewallrefresh.
StormshieldhasawiderangeofvirtualappliancesandAWSbasedinstances,makingitagood
candidatetoprotecthybridnetworks.
CustomersciteIPSqualityasamainreasontheyselectStormshieldastheirnetworkfirewall.
Cautions
ThemajorityofStormshield'spenetration,visibilityandchannelisfocusedonEMEA,especially
France.ThevendorhasnotbeenpartofNGFWselectionsthatGartnerhasseen.
Theburdenofmaintainingsoftwaresupportfor36modelsmaystressStormshield'sR&Dresources
anditsabilitytoexecuteonitstechnologyroadmaps.
Stormshieldlackstheabilitytoapplyqualityofservice(QoS)rulesbasedonapplicationdetection.

WatchGuard
WatchGuardisaSeattlebasednetworksecuritycompanythathasprimarilyseensuccessinsellingUTM
productstomidsizeenterprises.ItsXTMseriesofproductsspansperformanceandfeatureranges

demandedbylargeenterpriseshowever,WatchGuard'sbranding,channelsupportandmanagement
capabilitiestendtobemoreorientedtowardSMBs.WatchGuardalsohasproductsthatincludeSSLVPN,
emailandWebsecurityproductlines.
TheXTMbrandedfirewallmodelsfallintotwocategories:TheXTM2SeriesandXTM5SeriesareUTM,
whiletheXTM8SeriesandtheXTM1520andabovearetargetedattheenterprise.SinceWatchGuard's
introductionofthe"NGFWBundle"optionforappliancesin2011andthe2014releaseofAPTBlocker,
WatchGuard'scloudbasedmalwaredetectionofferingbasedonLastlinetechnology,thecompanyhas
solutionsthatbettersuitprospectiveenterprisebuyersthantheUTMonlyapproach,thoughwehavenot
seenmuchenterprisetractionyet.
WatchGuardisassessedasaNichePlayerforenterprises,mostlybecauseitservesSMBsanddistributed
enterprises.However,wedonotoftenseeitdisplacingLeadersfortheedgefirewallusecasebasedon
features.Moreover,itisnotpresentondatacentershortlists.
Strengths
WatchGuard'sstrongprice/performancepointshaveenabledittowinpricesensitivecompetitions
acrossretail,branchoffice,remoteofficeandTypeCdistributedenterprisedeployments.
WatchGuardcontinuestoinvestinenterpriseusecases,withenhancedIPv6andbettertraffic
managementreleasedin2014,alongwithAPTBlocker.
UsersreporthighsatisfactionwiththeWatchGuardmanagementconsole.Enterprisemodelsare
correctlytargetedatNGFWsratherthanUTMfunctionality.
ThecloudbasedreportingsolutionWatchGuardDimension,withitsexecutivedashboardandtraffic
heatmaps,hasproventobeagoodadditiontothesetoffeaturesthatistargetingareaswhere
manyfirewallswillbedeployed,suchasinfranchisesorretailstores,orviaanMSSP.Theinteractive
heatmapview(FireWatch)isusefultoquicklyidentifynetworkissuescreatedbyaspecificuseror
application.
Cautions
GartnerrarelyseesWatchGuardinmostTypeAandTypeBenterprisefirewallselections.
EnterpriseclasschannelsandsupportwillneedtobeexpandedifWatchGuardwishestocompetein
abroadersegmentofenterprises.Forexample,WatchGuarddoesnothavetheoptionforlarge
enterprisestodeployaWatchGuardresidentengineer,arequirementforsomeenterprise
deployments.
WatchGuardscoredlowasasignificantenterprisecompetitivethreatbythevendorswesurveyed,
andithaslowvisibilityinGartner'scustomerbase.
WatchGuardlagsbehindtheLeadersinarticulatingacomprehensivedatacenterstrategy,andin
includingSDNinitsroadmap.

VendorsAddedandDropped
WereviewandadjustourinclusioncriteriaforMagicQuadrantsandMarketScopesasmarketschange.As
aresultoftheseadjustments,themixofvendorsinanyMagicQuadrantorMarketScopemaychange
overtime.Avendor'sappearanceinaMagicQuadrantorMarketScopeoneyearandnotthenextdoes
notnecessarilyindicatethatwehavechangedouropinionofthatvendor.Itmaybeareflectionofa
changeinthemarketand,therefore,changedevaluationcriteria,orofachangeoffocusbythatvendor.

Added
SangforwasaddedtotheMagicQuadrant.Arkoon+NetasqwasrenamedStormshield,whichnowappears
intheMagicQuadrant.

Dropped
Novendorsweredropped.

InclusionandExclusionCriteria
InclusionCriteria
Networkfirewallcompaniesthatmeetthemarketdefinitionanddescriptionwereconsideredforthis
researchunderthefollowingconditions:
Gartneranalystshaveassessedthatthecompanyhastheabilitytoeffectivelycompeteinthe
enterprisefirewallmarket.
Thecompanyregularlyappearsonshortlistsforselectionandpurchases.
Thecompanydemonstratesacompetitivepresenceinenterprisesandsales.
Gartneranalystsconsiderthataspectsofthecompany'sproductexecutionandvisionmerit
inclusion.
Thevendorhasachievedenterprisefirewallproductsales(notincludingmaintenance)inthepast
calendaryearofmorethan$10million,andwithinacustomersegmentthatisvisibletoGartner.

ExclusionCriteria
Networkfirewallcompaniesmayhavebeenexcludedfromthisresearchforoneormoreofthefollowing
reasons:
ThecompanyhasminimalornegligibleapparentmarketshareamongGartnerclients,oritisnot
activelyshippingproducts.

Thecompanyisnottheoriginalmanufacturerofthefirewallproduct.ThisincludeshardwareOEMs,
resellersthatrepackageproductsthatwouldqualifyfromtheiroriginalmanufacturers,aswellas
carriersandISPsthatprovidemanagedservices.WeassessthebreadthofOEMpartnersaspartof
theevaluationofthefirewall,andwedonotrateplatformprovidersseparately.
Thecompany'sproductssellasnetworkfirewalls,butdonothavethecapabilities,scalabilityand
abilitytodirectlycompetewiththelargerfirewallproduct/functionview.Productsthataresuitedfor
SMBs(suchasUTMfirewalls,orthoseforsmalloffice/homeofficeplacements)arenottargetedat
themarketthisMagicQuadrantcovers(enterprises)andareexcluded.
ThecompanyprimarilyhasanetworkIPSwithanonenterpriseclassfirewall.
Thecompanyhaspersonalfirewalls,hostbasedfirewalls,hostbasedIPSsandWAFs(seeNote2)allof
whicharedistinctlyseparatemarkets.

EvaluationCriteria
AbilitytoExecute
Productorservice:Thisincludesserviceandcustomersatisfactioninenterprisefirewall
deployments.Executionconsidersfactorsrelatedtogettingproductssold,installed,supportedandin
users'hands.StrongexecutionmeansthatacompanyhasdemonstratedtoGartneranalyststhat
productsaresuccessfullyandcontinuallydeployedinenterprises,andthatthecompanywinsalarge
percentageincompetitionwithothervendors.Companiesthatexecutestronglygeneratepervasive
awarenessandloyaltyamongGartnerclients,andalsogenerateasteadystreamofinquiriesto
Gartneranalysts.Executionisnotprimarilyaboutcompanysizeormarketshare,althoughthose
factorscanaffectacompany'sAbilitytoExecute.Salesareafactorhowever,winningin
competitiveenvironmentsthroughinnovationandqualityofproductandserviceismoreimportant
thanrevenue.Keyfeaturesareweightedheavily,suchasfoundationfirewallfunctions,console
quality,lowlatency,rangeofmodels,secondaryproductcapabilities(logging,eventmanagement,
compliance,ruleoptimizationandworkflow),andtheabilitytosupportcomplexdeploymentsand
modernDMZs.Havingalowrateofvulnerabilitiesinthefirewallisimportant.Thelogistical
capabilitiesformanagingappliancedelivery,productserviceandportdensitymatter.Supportis
ratedonthequality,breadthandvalueofofferingsthroughthespecificlensofenterpriseneeds.
Overallviability:Thisincludesoverallfinancialhealth,prospectsforcontinuingoperations,
companyhistory,anddemonstratedcommitmentinthefirewallandsecuritymarkets.Growthof
thecustomerbaseandrevenuederivedfromsalesarealsoconsidered.Allvendorswererequiredto
disclosecomparablemarketdata,suchasfirewallrevenue,competitivewinsversuskeycompetitors
(whicharecomparedwithGartnerdataonsuchcompetitionsheldbyourclients)anddevicesin
deployment.Thenumberoffirewallsshippedorthemarketshareisnotthekeymeasureof
execution.Rather,weconsidertheuseofthesefirewallstoprotectthekeybusinesssystemsof
enterpriseclients,andthosebeingconsideredoncompetitiveshortlists.
Salesexecution/pricing:Weevaluatethecompany'spricing,dealsize,installedbase,anduseby
enterprises,carriersandMSSPs.Thisincludesthestrengthofthevendor'ssalesanddistribution
operations.Presalesandpostsalessupportisevaluated.Pricingiscomparedintermsofatypical
enterpriseclassdeployment,andincludesthecostofallhardware,support,maintenanceand
installation.Lowpricingwillnotguaranteehighexecutionorclientinterest.Buyerswantgood
resultsmorethantheywantbargains,andthinkintermsofvalueoversheerlowcost.Costof
ownershipoveratypicalfirewalllifecycle(threetofiveyears)isassessed,asisthepricingmodelfor
conductingarefreshwhilestayingwiththesameproductandreplacingacompetingproduct
withoutintolerablecostsorinterruptions.Therobustnessoftheenterprisechannelandthirdparty
ecosystemisimportant.
Marketresponsiveness/record:Thisevaluatesthevendor'sabilitytorespondtochangesinthe
threatenvironment,andtopresentsolutionsthatmeetcustomerprotectionneedsratherthan
packagingupfear,uncertaintyanddoubt.Thiscriterionalsoconsiderstheprovider'shistoryof
responsivenesstochangesindemandfornewfeaturesandformfactorsinthefirewallmarket,and
howenterprisesdeploynetworksecurity.
Marketingexecution:Competitivevisibilityisakeyfactoritincludeswhichvendorsaremost
commonlyconsideredtohavetopcompetitivesolutionsduringtheRFPandselectionprocess,and
whichareconsideredtopthreatsbytheothers.Inadditiontobuyerandanalystfeedback,this
rankinglooksatwhichvendorsconsidertheotherstobedirectcompetitivethreats,suchasby
drivingthemarketoninnovativefeaturescopackagedwithinthefirewall,orbyofferinginnovative
pricingorsupportofferings.AnNGFWcapabilityisheavilyweighted,asareenterpriseclass
capabilities,suchasmultidevicemanagement,virtualization,adaptabilityofconfigurationand
supportforenterpriseenvironments.Unacceptabledevicefailurerates,vulnerabilities,poor
performance,andaproduct'sinabilitytosurvivetotheendofatypicalfirewalllifespanareassessed
accordingly.Significantweightingisgiventodeliveringnewplatformsforscalableperformancein
ordertomaintaininvestment,andtotherangeofmodelstosupportvariousdeployment
architectures.
Customerexperienceandoperations:Theseincludemanagementexperienceandtrackrecord,
aswellasthedepthofstaffexperiencespecificallyinthesecuritymarketplace.Thegreatest
factorinthesecategoriesiscustomersatisfactionthroughoutthesalesandproductlifecycles.Low
latency,throughputoftheIPScapabilityandhowthefirewallfaredunderattackconditionsarealso
important.Succeedingincomplexnetworkswithlittleintervention(forexample,oneoffpatches)is
highlyconsidered.

Table1.AbilitytoExecuteEvaluation
Criteria
EvaluationCriteria

Weighting

ProductorService

High

OverallViability

Medium

SalesExecution/Pricing

Medium

MarketResponsiveness/Record

High

MarketingExecution

Medium

CustomerExperience

High

Operations

Medium

Source:Gartner(April2015)

CompletenessofVision
Marketunderstandingandmarketingstrategy:Thisincludesprovidingatrackrecordof
deliveringoninnovationthatprecedescustomerdemand,ratherthanan"us,too"roadmap.We
alsoevaluatethevendor'soverallunderstandingofandcommitmenttothesecurityandnetwork
securitymarkets.Gartnermakesthisassessmentsubjectivelybyseveralmeans,including
interactionwithvendorsinbriefingsandfeedbackfromGartnercustomersoninformationthey
receiveconcerningroadmaps.Incumbentvendormarketperformanceisreviewedyearbyyear
againstspecificrecommendationsthathavebeenmadetoeachvendor,andagainstfuturetrends
identifiedinGartnerresearch.Vendorscannotmerelystateaggressivefuturegoalstheymustput
plansinplace,showthattheyarefollowingtheirplans,andmodifythoseplansastheyforecasthow
marketdirectionswillchange.Understandinganddeliveringonenterprisefirewallrealitiesandneeds
areimportant,andhavingaviableandprogressiveroadmapandcontinuingdeliveryofNGFW
featuresisweightedveryhighly.TheNGFWcapabilitiesareexpectedtobeintegratedtoachieve
correlationimprovementandfunctionalimprovement.
Salesstrategy:Thisincludespreproductandpostproductsupport,valueforpricing,andproviding
clearexplanationsandrecommendationsfordetectingevents,includingzerodayevents.Building
loyaltythroughcredibilitywithafulltimeenterprisefirewallstaffdemonstratestheabilitytoassess
thenextgenerationofrequirements.Vendorsneedtoaddressthenetworksecuritybuyingcenter
correctly,andtheymustdosoinatechnicallydirectmanner,ratherthansellingjustfearornext
generationhype.Channelandthirdpartysecurityproductecosystemstrategiesmatterinsofaras
theyarefocusedonenterprises.
Offering(product)strategy:Thiscriterionfocusesonavendor'sproductroadmap,current
features,NGFWintegrationandenhancement,virtualizationandperformance.Credible,
independentthirdpartycertificationsincludetheCommonCriteriaforInformationTechnology
SecurityEvaluation.Integrationwithothersecuritycomponentsisalsoweighted,aswellasproduct
integrationwithotherITsystems.Wealsoevaluatehowthevendorunderstandsandservesthe
enterprisebranchofficeanddatacenter.Innovation,suchasintroducingpracticalnewformsof
intelligencetowhichthefirewallcanapplypolicy,ishighlyrated.Anarticulated,viablestrategyfor
addressingthechallengesinSDNdeploymentsisimportant.
Businessmodel:Thisincludestheprocessandsuccessratefordevelopingnewfeaturesand
innovationitalsoincludesR&Dspending.
Vertical/industrystrategyandgeographicstrategy:Theseincludetheabilityand
commitmenttoservicegeographiesandverticalmarkets,suchascomplexenterprisemultinational
deployments,MSSPs,carriersorgovernments.
Innovation:ThisincludesR&Dandqualitydifferentiators,suchas:
Performance,whichincludeslowlatency,newfirewallmechanisms,andachievinghighIPS
throughputandlowappliancelatency.
Firewallvirtualizationandsecuringvirtualizedenvironments.
Integrationwithothersecurityproducts.
Managementinterfaceandclarityofreportingthatis,themoreaproductmirrorsthe
workflowoftheenterpriseoperationscenario,thebetterthevision.
"Givingbacktime"tofirewalladministratorsbyinnovatingtomakecomplextaskseasier,
ratherthanaddingmorealertsandcomplexity.
Productsthatarenotintuitiveindeployment,oroperationsthataredifficulttoconfigureorhave
limitedreporting,arescoredaccordingly.Solvingcustomerproblemsisakeyelementofthiscriterion.
Reducingtherulebase,offeringinterproductsupportandleadingcompetitorsonfeaturesare
foremost.
Table2.CompletenessofVision
EvaluationCriteria
EvaluationCriteria

Weighting

MarketUnderstanding

High

MarketingStrategy

Medium

SalesStrategy

Medium

Offering(Product)Strategy

High

BusinessModel

Medium

Vertical/IndustryStrategy

Medium

Innovation

High

GeographicStrategy

Low

Source:Gartner(April2015)

QuadrantDescriptions
Leaders
TheLeadersquadrantcontainsvendorsthatbuildproductsthatfulfillenterpriserequirements.These
requirementsincludeawiderangeofmodels,supportforvirtualizationandvirtualLANs,anda
managementandreportingcapabilitythatisdesignedforcomplexandhighvolumeenvironments,such
asmultitieradministrationandrule/policyminimization.AsolidNGFWcapabilityisanimportantelement
asenterprisescontinuetomoveawayfromhavingdedicatedIPSappliancesattheirperimeterand
remotelocations.Vendorsinthisquadrantleadthemarketinofferingnewsafeguardingfeatures,
providingexpertcapabilityratherthantreatingthefirewallasacommodity,andhavingagoodtrack
recordofavoidingvulnerabilitiesintheirsecurityproducts.Commoncharacteristicsincludehandlingthe
highestthroughputwithminimalperformancelossandofferingoptionsforhardwareacceleration.

Challengers
TheChallengersquadrantcontainsvendorsthathaveachievedasoundcustomerbase,buttheyarenot
consistentlyleadingwithdifferentiatednextgenerationcapabilities.ManyChallengersareslowtowork
towardastrongNGFWcapabilityortheyhaveothersecurityproductsthataresuccessfulinthe
enterpriseandarecountingontherelationship,ratherthantheproduct,towindeals.Challengers'
productsareoftenwellpriced,and,becauseoftheirstrengthinexecution,thesevendorscanoffer
economicalsecurityproductbundlesthatotherscannot.ManyChallengersholdthemselvesbackfrom
becomingLeadersbecausetheyareobligatedtoplacesecurityorfirewallproductsatalowerpriorityin
theiroverallproductsets.FirewallmarketChallengerswilloftenhavesignificantmarketshare,buttrail
smallermarketshareLeadersinthereleaseoffeatures.

Visionaries
Visionarieshavetherightdesignsandfeaturesfortheenterprise,buttheylackthesalesbase,strategy
orfinancialmeanstocompeteconsistentlywithLeadersandChallengers.MostVisionaries'productshave
goodNGFWcapabilities,butlackinperformancecapabilityandsupportnetwork.Savingsandhightouch
supportcanbeachievedfororganizationsthatarewillingtoupdateproductsmorefrequentlyandswitch
vendorsifrequired.Iffirewallingisacompetitiveelementforanenterprise,thenVisionariesaregood
shortlistcandidates.VendorsthatdonothavestrongNGFWcapabilitiesaresupplementingthemina
defensivemove,whilevendorsthathavestrongNGFWofferingsarefocusedonmanageabilityand
usability.Gartnerexpectsthenextwaveofinnovationinthismarkettofocusonbetteridentificationof
maliciousprotocolsatmultigigabitpersecondrates.

NichePlayers
MostvendorsintheNichePlayersquadrantaresmallervendorsofenterprisefirewalls,makersof
multifunctionfirewallsforSMBs,orbranchofficeonlyproductmakersthatareattemptingtobreakinto
theenterprisemarket.ManyNichePlayersaremakinglargerSMBproductswiththemistakenhopethat
thiswillsatisfyenterprises.SomeenterprisesthathavethefirewallneedsofanSMB(forexample,some
TypeC"riskaverse"enterprises)mayconsiderproductsfromNichePlayers,althoughothermodelsfrom
LeadersandChallengersmaybemoresuitable.Iflocalgeographicsupportisacriticalfactor,thenNiche
Playerscanbeshortlisted.

Context
Theenterprisefirewallmarketisoneofthelargestandmostmaturesecuritymarkets.Itispopulated
withmaturevendorsandsomemorerecententrants.Changesinthreats,aswellasincreasedenterprise
demandformobility,virtualizationanduseofthecloud,haveincreaseddemandfornewfirewallfeatures
andcapabilities.Organizations'finalproductselectiondecisionsmustbedrivenbytheirspecific
requirements,especiallyintherelativeimportanceofmanagementcapabilities,easeandspeedofthe
deployment,acquisitioncosts,ITorganizationsupportcapabilities,andintegrationwiththeestablished
securityandnetworkinfrastructure.

MarketOverview
Asthefirstlineofdefensebetweenexternalthreatsandenterprisenetworks,firewallsneedto
continuallyevolvetomaintaineffectiveness,respondingtochangesinthreatsaswellaschangesin
enterprisenetworkspeedandcomplexity.Thefirewallmarketishighlypenetratedinthelargermarkets
(NorthAmerica,WesternEuropeandmatureAsia/Pacific),whichmeansthat,toprotecttheirinstalled
base,incumbentsmustaddimprovedcapabilitiesandincreaseperformance,orfaceeitherreplacement
byinnovativemarketentrantsorcommoditizationbylowcostproviders.Firewallpolicymanagement
(FPM)productsareincreasinglybeingusedtomanagecomplexity(seeNote3).

NextGenerationFirewalls
OnekeyareaoffirewallevolutionthathasbeensupportediswhatGartner(in2009)called"NGFW
features"namely,integrateddeeppacketinspectionintrusiondetection,applicationidentificationand
granularcontrol.ThekeydifferentiatorsintheseareasareIPSeffectiveness,asdemonstratedthrough
thirdpartytestingunderrealisticthreatandnetworkloadconditions,andfinegrainedpolicyenforcement
inapproximatelythetop40businessapplications.Identitybasedpolicyenforcement,ortheabilityto
enforcepolicyonthousandsofapplications,hasbeenhighlytoutedbutusedinfrequently.

Becauseitishighlypenetrated,thefirewallmarketisdrivenbyrefreshcycles.Wehaveseensome
commonpatternsinthefirewallmarketasenterpriseswiththreetofiveyearoldfirewallsandIPSs
evaluatereplacement:
EnterprisesnotcurrentlyusinganyIPSsmigratetoNGFWswithminimaluseofadvancedfeatures.
EnterpriseswithfirewallsandstandaloneIPSsthatareemployedprimarilyindetectionmode(that
is,usingminimalsignaturesets)migratetoNGFWsusingthebuiltinIPScapabilities.
EnterpriseswithfirewallsandstandaloneIPSsthatareusedforactiveprevention,withlarge
signaturesetsandsomecustomsignatures,migratetoNGFWsforthefirewallwithapplication
controlandusercontext,butcontinueusingstandaloneIPSs.
HighsecurityenvironmentsupgradetoNGFWsforthefirewall,andupgradeIPSstoNGIPSs(see
"DefiningNextGenerationNetworkIntrusionPrevention").
Organizationsarelookingtoextendtheironpremisesfirewallvendorintoinfrastructureasaservice
(IaaS)cloudproviders.

UTMCan'tCompeteWithNGFWsinEnterprises
Historically,UTMvendorstargetedSMBclients.However,inthepastfewyears,thelargeUTMvendors
havetriedtoexpandbeyondtheirtraditionalusecase.TheynowtrytosellUTMtoenterpriseclientsthat
scorepricecompetitivenesshigherthansecurity.GartnerseessomelimitedsuccessforTypeC
enterprises,butitisrestrictedtotwousecases:distributedTypeCenterprises(mostlyintheretail
industry),andstatefulfirewallfornetworksegmentationatlowcost.However,theUTMapproachfailsto
convinceTypeAandTypeBenterprisesthatrequireNGFWcapabilitiesanddonotconsolidateWeb
antivirusontheInternetfacingfirewall(see"NextGenerationFirewallsandUnifiedThreatManagement
AreDistinctProductsandMarkets").
UTMvendorsalsofacedifficultiesinbuildingastrongsalesandsupportchannelforenterprises(similarly,
enterprisefirewallvendorswouldunderestimatetheworkofbuildinganSMBchannel).Mostenterprise
buyersarealsowaryofshortlistingaUTMvendorbecauseofitsprimaryfocusonSMBsandlimitedbrand
awareness.

VirtualizedFirewalls:HypeOutrunsDemand
Asdatacentervirtualizationhascontinued,demandforvirtualappliancesupporthasgrown.Performance
andtheabilitytomanagefirewallpolicythroughasingleintegratedmanagementconsoleforstandalone
appliancesorvirtualappliancesarekeydifferentiators.Gartnerhasnotseenthefirewallfeaturesof
virtualizationplatforms(suchasthoseofferedwithVMware)asamajorcompetitortomainstreamfirewall
vendorsbecausetheneedforseparationofdutiesdrivesclientstodoubttheinfrastructure'sabilityto
protectitself.GartnercoversvirtualonlyfirewallvendorssuchasvArmourandIllumio,buthasnotseen
significantadoption.EarlyVMwareworkwithPaloAltoNetworks,andnowCheckPointandFortinet,has
createdsomebuzzforvirtualizingdatacentersandnetworksandeastwestsegmentation,butfew
customershaveadoptedthese,thoughadoptionisgrowingquickly.Asothervirtualizationplatformssuch
asXenandHyperVgaintraction,managingheterogeneousvirtualizedfirewallsfromexistingphysical
firewallvendors,virtualizationplatformvendorsandvirtualonlyfirewallswillpresentachallenge.
Performanceremainsabarriertowiderdeployment:Almostallnetworkfirewallstodayaredeliveredon
purposebuiltappliancesbecauseofthepoorerperformanceofrunningfirewallsongeneralpurpose
servers.Almostalloperatingsystemswithinfirewallappliancesareuniquelyhardened,subjectto
stringentthirdpartysecurityevaluations.Securitymindedenterprisesarealsorightlyskepticalof
runningfirewallswithinahypervisorthatisbetweenthethreatandthefirewall.
Gartnermarketdataindicatesthat,in2014,thenumberofvirtualversionsoffirewallssoldremainedflat
atlessthan2%.Amongthe95referencecustomerssurveyedforthisMagicQuadrant,0%listed"virtual
versionavailable"asatopthreereasontheyselectedtheircurrentvendor,whereas53%selected
"throughput/speed"asatopthreereason,andapproximately30%ofrespondentsselected"price"
(34%),"managementconsole/reporting"(32%),"IPS"(32%),"applicationcontrol"(29%),and"high
availability/clustering"(27%).
Nodynamicshifttowardvirtualapplianceswilloccuruntilafundamentalchangetothecurrentnetwork
securityvirtualizationmarketismadeanddemanddrivesvendorinnovation.

TheFirewallMarketSlowsDownonAcquisitions,butRemainsDynamic
Acquisitionsinthefirewallspacesloweddownin2014from2013'sbreakneckpace,butgrowthremained
robust.
Duringtheevaluationperiod,thefirewallmarketgrew9.5%to$9.5billion.For2015,Gartnerestimates
thefirewallmarketwillgrowapproximately10%toreach$10.5billionin2015.Wealsoforecastthatthis
marketwillreachacompoundannualgrowthrateof10%through2017,andwillbeelevatedbythe
additionoffirewalladdonssuchasIPSsandadvancedthreatdefenses.Gartnerbelievesthatthefirewall
marketis"atcapacity":Althoughthegrowthrateisjustaround10%,thisisthelargestsecurityproduct
market(fastapproaching$10billion),andincrementalmarketgrowthissignificant.Firewallrefreshes
remainconstantatafiveyearaverage,soevenifgreatnewproductsemerge,incumbentfirewallsare
rarelyrefreshedbeforetheyreachmaturity.Thisrefreshdynamicresultsinthemarketbeinglinear,
ratherthanhavingmacrorefreshcyclesor"bumps"ofrefreshes,asinothermarkets.

HaveSomeAdvancedThreatDetectionWithThatFirewall
Advancedthreatdetectionusinganetworksandbox,pioneeredbyFireEye,hasbecomearapidlygrowing
market.Asadvancedthreatdefense/detectionfurtherpenetratesthemainstreammarket,firewall
vendorshaveintroducedsolutionsoverthepastthreeyears.Thesefirewallattachedsandboxesare
deliveredmostlyascloudbasedsandboxespricedassubscriptionbasedservices.Mostofthefirewall

vendorsevaluatedhereeitherdeliveranetworksandboxtoday,orhaveitontheirshorttermroadmaps.
Someofthesearebuiltbythefirewallvendors,othersaredeliveredthroughthirdpartypartnerships.
Thusfar,we'veseenfirewallconnectedsandboxesappealmostlytobudgetconstrainedTypeB
enterprisesthatwouldrathermaintainsingleconsolecontrolovertheirfirewallthandeployaseparate
platform.Asthedesiretodefendagainsttheadvancedthreatmorefullypermeatesthemainstream
market,weexpectthatcustomerswillincreasinglyturntotheirfirewallvendorsfortheirnetwork
sandboxingneeds(see"MarketGuideforNetworkSandboxing").

ConfusingUseof"Application"and"Firewall"inThreeDistinctProducts
Overlappingterminologyandunclearmarketingcanleadtoconfusionamongthethreedistinctissuesof
applicationcontrol,WAFsandfirewallsonapplicationdeliverycontrollers(ADCs).Thefirewallapplication
controlapproachesusedbymostNGFWvendors(suchasCheckPoint,DellSonicWALL,FortinetandPalo
AltoNetworks)aremostlyaboutcontrollingaccesstoexternalapplications,suchasFacebookandpeer
topeer(P2P)filesharing.
WAFsaredifferent:TheyareplacedprimarilyinfrontofWebserversinthedatacenters.PureplayWAF
companies(suchasImperva)ordatacenterinfrastructurevendorsthatprovideWAFtechnologywithin
theirADCsareconcernedwithprotectingcustominternalWebapplications.
WhilesomeADCvendors(suchasF5)arenowofferingnetworkfirewallingwithintheirADCsaswell,
GartnerdoesnotseeNGFWandWAFtechnologiesconvergingbecausetheyarefordifferenttasksat
differentplacements.MosttraffictoenterpriseWebserversremainsencrypteduntilitreachestheADC,
meaningtheownersoffirewallsandIPSsfacethedifficultdecisionofwhethertoengageSSLinspection,
whichinvolvesaterminationandreencryptionofthesesessions(see"SecurityLeadersMustAddress
ThreatsFromRisingSSLTraffic"and"WebApplicationFirewallsAreWorththeInvestmentfor
Enterprises").
AsGartneradvisesclients,mostenterpriseshaveasinglebrandofnetworkfirewallforallplacements,
includingInternetfacing,virtualized,datacenterandbranch(see"OneBrandofFirewallIsaBest
PracticeforMostEnterprises").Thesedatacenterfirewallswillbechallengedtogainanynoteworthy
shareuntiltheycanprovidecompetitivefirewallingforallenterpriseplacements.Theycan,however,
serveaspecializednicheofplacements,suchasincaseswherethedatacenterisaseparatebusiness
withitsownfirewalloperationsstaff.

AsiaPacificContext
22April2015
Analyst(s):CraigLawson,AdamHils,MatthewCheung

TheAsia/Pacificregionwillrepresentjustover11%ofthetotalenterprisenetworkfirewallmarketin
2015.Itsdiverseculturesanddifferencesinmarketmaturitycreatespecificexpectationsand
requirementswhenAsia/Pacificenterprisesevaluatefirewallvendors.

MarketDifferentiators
FirewalltechnologycontinuestobeafundamentalelementofnetworksecuritystrategyforAsia/Pacific
organizations.Thisregionhasadifferentcompetitivelandscapetoothergeographiesduetoitssizeand
geopoliticalalignments.TheAsia/Pacificmarketisforecasttomakeup$926millionofthetotal$8.346
billionspentonenterprisefirewalls(11%oftheglobalmarket)in2015.Thisoverallmarketisexpectedto
growto$9.745billionby2017,withAsia/Pacificaccountingfor$1.12billion,or11%.
TherearetwousageprofilesinAsia/Pacificconcerningfirewallacquisitionanddeployedfeatures:
TechnologicallymoreadvancedAsia/Pacificcountries(suchasJapan,SingaporeandAustralia)havea
similarfeatureadoptionratetotheU.S.andEurope,embracingmorerecenttrendssuchascloudbased
sandboxingmeanwhile,emergingAsia/Pacificcountries(China,Indonesiaandothers)arestillmoving
throughearlierphasesofnextgenerationfirewall(NGFW)featureadoption.
TheAsia/Pacificregion'sdiversityintermsofgeography,culture,industryandeconomicmodelsmeans
therearevaryinglevelsofITorganizationmaturityandprocurementpolicies.Thisisdifferentinmakeup
comparedwiththeNorthAmericanandEuropeanmarketsthatpredominantlyoperateundersimilarsets
oflegislativerequirementsandalimitednumberofcurrencies.Asia/Pacific'sdiversitymeansthatvendors
mustsupportthesenuancesandthecostofdeliveryburdenswithinalargeregioncomposedofmany
largeandsmallcountries,eachwithitsownlegislative,cultureandcurrencyrequirements.In
Asia/Pacific,anumberofvendorsdealwiththiscomplexitybyleveragingatieredvalueadded
distributor/valueaddedreseller(VAR)model.
Theeffectsonnetworksecurityvendors'salesandmarketshareinlightoftheU.S.surveillance
revelationsstartingin2013areyettobefullyseeninAsia/Pacific.WhileGartnerdoesnotexpectthisto
changethesizeofthefirewallmarket,itislikelytochangethemarketshareofvendorsasnonU.S.
customersmoveawayslightlyfromU.S.providers.ThiswillfavorAsia/Pacificnativesecurityproviders
thatwillbenefitfroma"builthere"sentimentthatisstronginsomebutnotallpartsofAsia/Pacific(see
"TheSnowdenEffect:DataLocationMatters").

ConsiderationsforTechnologyandServiceSelection
ClientsinAsia/Pacificshowapreferenceforprovidersthathavealocalpresence,atleastforsalesand
presalessupport.Asia/Pacificorganizationsexpectsupportforlocallanguagesinboththeproduct
managementinterface,documentation(withreportingataminimum)andfortechnicalsupport.

WiththesteadytransitiontoapplicationandidentitybasednetworksecuritydeliveredbyNGFWs,
vendorsalsoneedtosupportsocialnetworkingandbrowserapplicationsthatareheavilyusedin
Asia/Pacific,althoughnotprevalentintheinaproduct'shomecountryofdevelopment.Examplesinclude
Tencent(QQ,WeChat,QQBrowser)Weibo,Line,KakaoTalk,ViberandPPSEntertainment.Deep
understandingofthisapplicationecosystemandsubsequentabilitytofilterisaproductdifferentiatorin
theAsia/Pacificmarket.
IntheemergingAsia/Pacificcountrieswithmorematureeconomies,priceisastrongdriver,andthe
marketiscontinuingtoshowthatproductsdeliveringamajorityof"goodenough"featuresatapalatable
pricewillcontinuetoholdandinsomecasestakesharefrommoreprominentbrands.Additionally,large
scalethroughputisalsoanimportantfactorinthetelco/ISPverticalintheAsia/Pacific'sheavilypopulated
countries.
InsidematureAsia/Pacific(suchasJapan,Singapore,Australia,NewZealandandHongKong),NGFW
featuressuchassecurityefficacy,advancedmanagementandrobustsupportareallvaluedby
customers,asiscompetitivepricing.Gartnerisalsoseeinghighlevelsofinterestinmaturecountiesin
theregionforintegratedadvancedthreatdetectioncapabilitiesleadingtoincreasedattachrateinNGFW
sales.Vendorsthatofferthis"feature"toadvancedAsia/Pacificcustomersaspartoftheiroverall
architecturewillbemoresuccessfulthanpointproductvendors(seePredicts2015:Infrastructure
Protection).

NotableVendors
VendorsincludedinthisMagicQuadrantPerspectivehavecustomersthataresuccessfullyusingtheir
productsandservices.SelectionsarebasedonanalystopinionandreferencesthatvalidateITprovider
claimshowever,thisisnotanexhaustivelistoranalysisofvendorsinthismarket.Usethisperspective
asaresourceforevaluations,butexplorethemarketfurthertogaugetheabilityofeachvendorto
addressyouruniquebusinessproblemsandtechnicalconcerns.Considerthisresearchaspartofyourdue
diligenceandinconjunctionwithdiscussionswithGartneranalystsandotherresources.
CheckPointSoftwareTechnologies
CheckPointhasasignificantexistingclientbaseinAsia/Pacificandhasconsistentlyoutsoldall
competitorsintheregion'sfirewallmarket,whichvaluessecurityfeaturesandmanagingcomplexityas
wellascompetitive,butnotthelowest,pricing.Thevendorhasstrongbrandrecognition,marketleading
features,alargechannelandextensivecountrylevelcoverageinAsia/Pacific.WithNGFWadoptionrates
inemergingAsia/PacificlaggingthoseinmatureAsia/Pacificandotherregions,thereisalargepotentialto
moveexistingandnewclientsontoitsNGFWplatform,inadditiontofeaturedrivencompetitive
displacement.CheckPointhasalsoaddedadvancedthreatcapabilitiesviasandboxingtotheplatform,
whichisanimportantbuyingfactorinAsia/Pacific.
CheckPointshouldbeconsideredbysecurityconsciousorganizationswithintheAsia/Pacificregionforits
breadthofsecuritycontent,regionalchannelsupportandrangeofappliances.
Cisco
Ciscohasasignificantshareofthesecuritymarketintheregionandhasleverageditsnetworking
heritageverysuccessfullyoveralongperiodoftimeinsalesofitsfirewallplatform.Itcontinuestobea
formidablevendorinthismarketdueprimarilytoitslargechannelandcrosssellingopportunityfor
Asia/Pacificpartnersandclients.Cisco'sintrusionpreventionandadvancedthreatdetectioncapabilities
viatheSourcefireacquisitionareincludedwithintheASAwithFirePOWERproductsandcomplementedby
thebroaderportfolioofWeb,emailandidentityproducts.ThisenablesCiscotocontinuetocompetefor
pricesensitiveAPACbuyerswhileallowingforupgradesforclientsthatalsorequireadvancedsecurity
features.However,latelyCisco'ssalesinChinahavetakenadownturnbasedonrecentpublicfinancial
announcements,whichweattributetogeopoliticalmachinationsstemmingfromthe2013National
SecurityAgency(NSA)disclosures.
Ciscoshouldbeconsideredformidsizeandlargeenterprisesthatvalueasinglevendorfornetworkingand
securitysolutions,Asia/Pacificwidefieldcoverageandchannelsupport.
DellSonicWALL
DellSonicWALLlagsbehindmanyenterprisefirewallsinregionalmarketpresence.Itispricecompetitive,
however,withregionalvendors,buttodatehasnotdevelopedaneffectiveAsia/Pacificsaleschannel.
SonicWALLcouldbenefitfromDell'srecentcommitmentofresourcestotheregion,particularlyChina.
DellSonicWALL'srangeofapplianceshavelocalizedlanguagesupporttotargetorganizationsinChina,
SouthKoreaandJapan,andwillhelpitappealtoorganizationsthatdemandalocallanguageexperience.
SonicWALLshouldbeconsideredforAsia/PacificclientsthatarealreadyrunningDellinfrastructure,and
asacompetitiveoptionforpriceconsciousmidmarketbuyersanddistributedenterpriseusecasesdueto
itslargerangeofappliances.
Fortinet
Asia/PacificandJapanespeciallyrepresentahealthypercentageofFortinet'sworldwiderevenueshare,
puttingitaheadofanumberofextraregionalcompetitorsintheregion.InmanyAsia/Pacificmarkets,
Fortinetisthesecondlargestnetworksecurityvendor.FortinethasalsoinvestedinAsia/PacificwithR&D
inBeijing,athreatresearchcenterinSingaporeandasupportcenterinMalaysia.Thisfostersitslocal
presenceaswellasitsproductlocalizationefforts.
Fortinet'sfocusonlowercost,highthroughputfirewallapplicationspecificintegratedcircuit(ASIC)based
technologies,incombinationwithacompetitivesecurityfeaturesetandadvancedthreatcapabilities,has

givenitmarketappealintheregion,wherecost,rangeofappliancesandperformancearekey
requirementsforusecasesthatconvergemultipletechnologiesonasingleappliance.
Fortinetshouldbeconsideredbyallmidmarketandlargeclientsduetoitsrangeofproductsandsupport
oftheAsia/Pacificregion.
HillstoneNetworks
HillstoneNetworksisafirewallvendorheadquarteredbothinChinaandtheU.S.withanambitionto
expandfurthergloballybyincreasingitspresenceintheU.S.andotherregions.Since2014,Hillstonehas
setupoperationsanddistributors/resellersnetworksinmostregionsgloballynow,includingSoutheast
Asia.Hillstonehasabroadportfolioofnetworksecurityproducts,butamajorityofrevenuecomesfrom
firewall,targetingbothcarriersandenterprises.Hillstone'scustomerbaseismostlyinChina.
AlthoughHillstonefocusedoriginallyondeliveringcommonfirewallfeaturesandfunctions,ithas
marketeditsiNGFWcapabilities("i"forintelligent)andasoftwaredefinednetwork(SDN)strategyinits
productportfolio.ThesefeaturesdifferentiateHillstonefrommostofthecommodityfirewallvendorsfrom
China.Hillstonelookstocompetewithglobalplayerswiththesefeatures.
Hillstoneisalsoperceivedasapricecompetitivelocalprovider,anditshighperformanceandstabilityare
citedbycustomers.
Huawei
HuaweiisoneofthefewChinesenetworksecuritycompaniesthathasexpandeditsfootholdoutsidethe
region.MorethanhalfofHuawei'sfirewallrevenuecomesfromoutsideofChina,buttherestof
Asia/PacificisrelativelyasmallmarketinHuawei'soverallrevenuesplit.Huawei'ssecurityproductsare
soldwidelytobothenterprisesandtelecomoperators.
Huawei'skeydifferentiatorsareitsintegrationwithitsnetworkingbusiness,competitivepricingand
relationshipwithtelecomoperators.AlthoughHuaweisecurityispartofitsnetworkingandsecurity
division,Huaweisecurityhasitsownsecuritysalesteamanddedicatedchannelpartners.
Huaweisecuritysolutionsshouldbeconsideredbyclientsvaluingthesamenetworkandsecurityvendor,
prospectswithinChina,andadditionallywherepriceisaprimarybuyingconsideration.
JuniperNetworks
JuniperNetworksdoesagreaterpercentageofitsfirewallbusinessinAsia/Pacificthanmostglobal
vendors,continuingitslongtimelegacyofservingregionalcustomers'firewallneeds.JuniperNetworks
hasaprovennetworkingchannelintheregion,andithasleveragedtosellitsSRXproductline.Juniper
Networksalsoseessuccesswithmanagedsecurityserviceprovider(MSSP)partnersthatoftensellits
firewalls(physicalorvirtual)asthedefaultoption,whichisduetocostandperformance.
AsJuniperincreasinglyshiftsitssecurityemphasistohigherendcloudprovidersandtelecommunications
areas,Asia/Pacificenterprisesshouldaskforroadmapcommitmenttocontinuedenterpriseclassproduct
developmentandsupport.
PaloAltoNetworks
PaloAltoNetworksisseenasaninnovatorinfirewallsduetoitsearlytomarketnextgenerationfirewall
features.Asaconsequence,ithasmanywinsamongcustomersinAsia/PacificwithmorematureIT
adoptionprofiles.ThecompanyhasinvestedinAsia/Pacificandhasestablishedaviablepresence,but
customeradoptionofPaloAltoNetworks'technologyisnotasstrongonarelativebasiswhencompared
withNorthAmericaandEurope.Thisisduetoconsiderablecompetitionfromregionallystrongplayers
(Huawei,Hillstone),thestrengthinAsia/Pacificofentrenchedglobalplayers(Cisco,CheckPoint,Fortinet)
andtherelativesizeofPaloAltoNetworks'Asia/Pacificstaffingandchannel.
Advancedfeaturescontinuetomakeitaworthyshortlistcandidatefor"leanforward"Asia/Pacific
organizationswiththeskillsandbudgetnecessarytoleveragePaloAltoNetworks'"nextgeneration"
featuresandsecuritycontent.Gartnerexpectsitsintegratedadvancedthreatpreventionarchitectureto
beastrongfeaturedifferentiatorintheAsia/PacificNGFWmarket.
LeanforwardorganizationswithintheAsia/Pacificregionwithasecurityovercostpreferenceshould
considerPaloAltoNetworksfortheirshortlists.
Sophos
NottraditionallyalargeplayerintheAsia/Pacificenterprise,Sophos,withitsFebruary2014acquisitionof
IndiabasedCyberoam,hasbolstereditspresenceintheregion,especiallySouthAsia.Cyberoam's
productlinehasexcelledatuseridentitycontrolandhasembeddedreportingitscustomerslike.In
addition,Cyberoamhasaddedfeaturestoappealtoindustrialenterpriseusecases.Sophosisinthe
processofintegratingdifferentiatedfeaturesofthelegacySophosandCyberoamproductlines,butthe
Cyberoamappliancesremainavailable.Clientsshouldassesstheoutcomesoftheproductlinesmerging
toensurethisprocessstillalignswithtacticalandstrategicproductchoices.
SouthAsianorganizationslookingforalowcostregionaloptionwithadvancedidentitybasedcontrols
shouldevaluateSophosasashortlistcandidate.
WatchGuard
WatchGuard'sregionalpresenceintermsofthenumberofitsAsia/Pacificcustomermixisaboutonpar
withitsextraregionalcompetitors.Overthepastseveralyears,WatchGuardhasgrownitspresencein

theregionwithadditionalstaff.Ithasasimilargotomarketapproachwithitstechnologyasvendorslike
Fortinet,offeringagoodrangeandfeaturesofNGFWandunifiedthreatmanagement(UTM)appliancesat
competitivepricing.Thissuitssmaller,midmarketAsia/Pacificclients.WatchGuardhasalsopartneredto
deliverpayloadadvancedpersistentthreat(APT)detectionfunctionality,whichisincreasinglybecominga
tablestakescomponentofperimeterarchitecturesinAsia/Pacific.
WatchGuardshouldbeconsideredbymidmarketandgeographicallydispersedAsia/Pacificbusinessesthat
requireamixofsecurityfeaturesatacompetitiveprice.
Wins
WinsisheadquarteredinSouthKorea,whereitalreadyhasadomesticallysuccessfulnetworkintrusion
preventionsystem(IPS)offering.ItsNGFWincludesthesameIPSengine.Thecompanycompetes
primarilyinSouthKoreaandJapan.AlthoughWinsisexpandingintoIndonesia,Malaysia,Singaporeand
otherpartsofSoutheastAsia,GartnerhasseenitsproductsmostlyinWins'corenations.Koreanand
Japanesecustomersshouldconsiderthisvendorforinclusiononfirewallshortlists.
WinsshouldbeconsideredbyclientsinWins'primaryareaofoperationinSoutheastAsiathatrequire
goodlocallanguageandvendorsupport.

2015Gartner,Inc.and/oritsaffiliates.Allrightsreserved.GartnerisaregisteredtrademarkofGartner,Inc.oritsaffiliates.Thispublicationmaynotbe
reproducedordistributedinanyformwithoutGartnerspriorwrittenpermission.Ifyouareauthorizedtoaccessthispublication,youruseofitissubjecttothe
UsageGuidelinesforGartnerServicespostedongartner.com.Theinformationcontainedinthispublicationhasbeenobtainedfromsourcesbelievedtobereliable.
Gartnerdisclaimsallwarrantiesastotheaccuracy,completenessoradequacyofsuchinformationandshallhavenoliabilityforerrors,omissionsorinadequacies
insuchinformation.ThispublicationconsistsoftheopinionsofGartnersresearchorganizationandshouldnotbeconstruedasstatementsoffact.Theopinions
expressedhereinaresubjecttochangewithoutnotice.AlthoughGartnerresearchmayincludeadiscussionofrelatedlegalissues,Gartnerdoesnotprovidelegal
adviceorservicesanditsresearchshouldnotbeconstruedorusedassuch.Gartnerisapubliccompany,anditsshareholdersmayincludefirmsandfundsthat
havefinancialinterestsinentitiescoveredinGartnerresearch.GartnersBoardofDirectorsmayincludeseniormanagersofthesefirmsorfunds.Gartnerresearch
isproducedindependentlybyitsresearchorganizationwithoutinputorinfluencefromthesefirms,fundsortheirmanagers.Forfurtherinformationonthe
independenceandintegrityofGartnerresearch,seeGuidingPrinciplesonIndependenceandObjectivity.

AboutGartner|Careers|Newsroom|Policies|SiteIndex|ITGlossary|ContactGartner