My own criteria list, although using ideas from a 2012 InformationWeek-NetworkComputing discussion of NGFW:
#1 Profitability and longevity. You don’t want to buy a firewall and then have the company have financial problems even 5 years down the road. (so startups need not apply – sorry)
#2 Speed throughput – we have to be capable of running our email, web, applications, and more without a speedbump.
#3 What can the NGFW claim to catch? SQL injection, malware, and more – sure, it won’t catch all, but some is good and more is better.
#4 Social media inspection and other potential encrypted communications, logging etc. It would be great if it can inspect SSL/TLS encrypted communications.
#5 Co$t of course – It may do everything but we can’t afford it, so that does not help.
So, using these 5 criteria:
Latest rage is PaloAltoNetworks https://www.paloaltonetworks.com/products/platforms/firewalls.html Datasheet PA-3050
Cisco ASA NGFW
Of course, this is only a 1-hour review of these 5 firewalls. I did not look at cost, as that would require more time commitments and spec discussions.
I want to focus on the aspect of SSL tunnel inspections. I was surprised not to see that the Checkpoint firewall has an SSL/TLS inspection capability in their marketing literature and info online (without discussing with sales). I was not surprised with Cisco ASA, as I consider Cisco’s ASA firewall a good basic firewall these days, but not really an NGFW. Kinda surprised Cisco even mentions it on their site – it is considered an NGFW, but maybe it will get more features as time passes. Here is a snippet from their website:
Contact us to let us know what models you are currently evaluating and we can help