My own criteria list, although it uses ideas from a 2012 InformationWeek-NetworkComputing discussion of NGFWs:
#1 Profitability and longevity. You don’t want to buy a firewall and then have the company run into financial problems even 5 years down the road. (So startups need not apply – sorry.)
#2 Speed/throughput – we have to be capable of running our email, web, applications, and more without a speedbump.
#3 What can the NGFW claim to catch? SQL injection, malware, and more? Sure, it won’t catch everything, but some is good and more is better.
#4 Social media inspection and other potentially encrypted communications, logging, etc. It would be great if it can inspect SSL/TLS encrypted communications.
#5 Co$t of course – It may do everything but we can’t afford it, so that does not help.
So, using these 5 criteria:
Latest rage is PaloAltoNetworks https://www.paloaltonetworks.com/products/platforms/firewalls.html Datasheet PA-3050
McAfee NGFW http://www.mcafee.com/us/resources/data-sheets/ds-next-generation-firewall-appliance-spec-sheet.pdf
Cisco ASA NGFW
Checkpoint http://www.checkpoint.com/downloads/product-related/datasheets/13500-appliance-datasheet.pdf
Dell SonicWALL http://www.sonicwall.com/us/en/products/SuperMassive-E10000.html#tab=features
Of course, this is only a 1-hour review of these 5 firewalls. I did not look at cost, as that would require more time commitments and spec discussions.
I want to focus on the aspect of SSL tunnel inspection – I was surprised not to see that the Checkpoint firewall has an SSL/TLS inspection capability in their marketing literature and info online (without discussing with sales). I was not surprised with Cisco ASA, as I consider Cisco’s ASA firewall a good basic firewall these days, but not really an NGFW. Kinda surprised Cisco even mentions it on their site – it is considered an NGFW, but maybe it will get more features as time passes. Here is a snippet from their website:
Contact us to let us know what models you are currently evaluating and we can help.