Forcepoint Next Generation Firewall (NGFW)
Enterprise SD-WAN Meets the #1 Most Secure Next Gen Firewall


Forcepoint Next Generation Firewall (NGFW) combines fast, flexible networking (SD-WAN and LAN) with industry-leading security to connect and protect people and the data they use throughout diverse, evolving enterprise networks. Forcepoint NGFW provides consistent security, performance and operations across physical, virtual and cloud systems. It’s designed from the ground up for high availability and scalability, as well as centralized management with full 360° visibility.

  • Replace MPLS and Go Direct to Cloud
    Use SD-WAN to replace costly MPLS at retail stores and branch offices with broadband links to the cloud. Accelerate Office 365 performance and boost resilience without sacrificing security with Forcepoint NGFW.
  • Stop Evasions That Bypass Your IPS
    Defend your networks against emerging exploits and malware—even ones camouflaged by advanced evasion techniques that sneak through most next generation firewalls.
  • Respond to Incidents in Minutes, Not Hours
    Immediately see and understand what’s happening in your network with an interactive, visual interface. Update policies for hundreds of physical and virtual locations worldwide with a single click.

Always-On SD-WAN Connectivity for Enterprises

Today’s businesses demand fully resilient network security solutions. Forcepoint NGFW builds in high scalability and availability at all levels:

  • Active-active, mixed clustering
    Up to 16 nodes of different models running different versions can be clustered together. This provides superior networking performance and resilience, and enables security such as deep packet inspection and VPNs.
  • Seamless policy updates and software upgrades
    Forcepoint’s industry-leading availability enables policy updates (and even software upgrades) to be seamlessly pushed to a cluster without interrupting service.
  • SD-WAN network clustering
    Extends high-availability coverage to network and VPN connections. Combines nonstop security with the ability to take advantage of local broadband connections in order to complement or replace expensive leased lines like MPLS.

Keep Pace With Changing Security Needs

A unified software core enables Forcepoint NGFW to handle multiple security roles, from firewall/VPN to IPS to layer 2 firewall, in dynamic business environments. Forcepoint NGFWs can be deployed in a variety of ways (e.g., physical, virtual, cloud appliances), all managed from a single console.

Forcepoint uniquely tailors access control and deep inspection to each connection to provide high performance and security. It combines granular application control, intrusion prevention system (IPS) defenses, built-in virtual private network (VPN) control and mission-critical application proxies into an efficient, extensible and highly scalable design. Our powerful anti-evasion technologies decode and normalize network traffic before inspection and across all protocol layers to expose and block the most advanced attack methods.

Block Sophisticated Data Breach Attacks

Large data breaches continue to plague businesses and organizations of every industry. Now you can fight back with application-layer exfiltration protection. Forcepoint NGFWs selectively and automatically whitelist or blacklist network traffic originating from specific applications on PCs, laptops, servers, file shares and other endpoint devices based on highly granular endpoint contextual data. It goes beyond typical firewalls to prevent attempted exfiltration of sensitive data from endpoints via unauthorized programs, web applications, users and communications channels.

Unmatched Protection

Attackers have become experts in penetrating enterprise networks, applications, data centers and endpoints. Once inside, they steal intellectual property, customer information and other sensitive data, causing irreparable damage to businesses and their respective reputations. New attack techniques can evade detection by traditional security network devices, including many name-brand firewalls, moving beyond the simple transmission of vulnerability exploits.

Evasions work at multiple levels to camouflage exploits and malware, making them invisible to traditional signature-based packet inspection. With evasions, even old attacks that have been blocked for years can be repackaged to compromise internal systems.

Forcepoint NGFW takes a different approach. Our industry-leading security engine is designed for all three stages of network defense: to defeat evasions, detect exploits of vulnerabilities and stop malware. It can be deployed transparently behind existing firewalls to add protection without disruption, or as a full-featured NGFW for all-in-one security.

In addition, Forcepoint NGFW provides fast decryption of encrypted traffic, including HTTPS web connections, combined with granular privacy controls that keep your business and users safe in a rapidly changing world. It can even limit access from specific endpoint applications to lock down devices or prevent the use of vulnerable software.

Business Outcomes

  • Faster rollout of branches, clouds or data centers
  • Less downtime
  • Greater security without disruption
  • Fewer breaches
  • Less exposure to new vulnerabilities while IT teams prepare to deploy new patches
  • Lower TCO for network infrastructure and security

Key Features

  • SD-WAN connectivity at enterprise scale
  • Built-in IPS with anti-evasion defenses
  • High-availability clustering of devices and networks
  • Automated, zero-downtime updates
  • Policy-driven centralized management
  • Actionable, interactive 360° visibility
  • Sidewinder security proxies for mission-critical applications
  • Human-centric user and endpoint context
  • High-performance decryption with granular privacy controls
  • Whitelisting/blacklisting by client application and version
  • CASB and Web Security integration
  • Anti-malware sandboxing
  • Unified software for physical, AWS, Azure, VMware deployments

Use Cases:

Decrypt Traffic While Safeguarding Privacy

Inspect attacks and stolen data hidden inside encrypted SSL/TLS traffic while still protecting users' privacy.

Extend Your Network Into the Cloud

Deploy applications safely in Amazon Web Services, Azure, and VMware. Segment different service layers and manage virtual NGFWs and IPSs the same way as physical appliances.

Control Access to Web Content

Limit users' access to entire categories of websites containing inappropriate or unsafe content with URL intelligence that’s depended upon around the globe.

Protect High-Assurance Systems

Safeguard your most sensitive, mission-critical networks and applications with Forcepoint’s renowned Sidewinder proxy technology.

Regain Control of Shadow IT

Understand the risk associated with unsanctioned cloud apps so you can redirect users to more appropriate apps or block them altogether.

Offer SD-WAN and NGFW Security as an MSSP

Manage enterprise-grade connectivity and protection from your own multi-tenant systems, with a business model tailored to the needs of MSSPs.


Enterprise SD-WAN Connectivity and NGFW Security for Distributed Enterprises

Modular Appliances for Every Environment
Our broad range of appliances provides the right price-performance and form factor for each location; pluggable interface cards let you change networks with ease.

Multi-link Connectivity for SD-WAN
Broadband, wireless, and dedicated lines at each location can be centrally deployed and managed, providing full control over what traffic goes over each link with automated failover.

Policy-Driven Centralized Management
Smart Policies describe your business processes in familiar terms and are automatically implemented throughout the network, managed in-house or via MSSP.

Built-in NGFW, VPN, Proxies, and More
Unparalleled security comes standard, from top-ranked Next Generation Firewall and IPS to rapid-setup VPNs and granular decryption, as well as our unique Sidewinder proxy technology.

Human-Centric Endpoint Context
Access policies can whitelist or blacklist specific endpoint apps, patch levels or AV status. Users' behaviors are consolidated into actionable dashboards.

CASB and Web Security
Our renowned URL filtering and industry-leading cloud services work together to protect your data and people as they use apps and web content.

Rich application programming interfaces enable SD-WAN and NGFWs to be integrated with orchestration, management, and third-party analysis infrastructure.

High Availability, Mixed Clustering
Active-active clustering lets you mix up to 16 different models of appliances for unrivaled scalability, longer lifecycles, and seamless updates without dropping packets.

Automated, Zero-Downtime Updates
Policy changes and software updates can be deployed to hundreds of firewalls and IPS devices around the world in minutes, not hours, without the need for service windows.

Actionable, Interactive 360° Visibility
Graphical dashboards and visualizations of network activity go beyond simple reporting, enabling admins to drill into events and respond to incidents faster. 

Top-Ranked Anti-Evasion Defense
Multi-layer stream inspection defeats advanced attacks that traditional packet inspection can't detect—see for yourself in our Evader video series.

Unified Virtual and Physical Security
Native support for AWS, Azure and VMware has the same capabilities, management, and high performance as our physical appliances.

Anti-Malware Sandboxing
Forcepoint Advanced Malware Detection blocks previously undetected ransomware, zero-days, and other attacks before they steal sensitive data or damage your systems.

Forcepoint Next Gen Firewalls are rigorously tested to comply with major industry and government certification requirements.


One Platform with Many Deployment Options – All Managed from a Single Console


Physical Appliance: Multiple hardware appliance options, ranging from branch office to data center installations
Cloud Infrastructure: Amazon Web Services, Microsoft Azure
Virtual Appliance: x86 64-bit based systems; VMware ESXi, VMware NSX, Microsoft Hyper-V, and KVM
Endpoint: Endpoint Context Agent (ECA), VPN Client
Virtual Contexts: Up to 250
Centralized Management: Enterprise-level centralized management system with log analysis, monitoring and reporting capabilities
Firewall Features
Deep Packet Inspection: Multi-Layer Traffic Normalization/Full-Stream Deep Inspection, Anti-Evasion Defense, Dynamic Context Detection, Protocol-Specific Traffic Handling/Inspection, Granular Decryption of SSL/TLS Traffic, Vulnerability Exploit Detection, Custom Fingerprinting, Reconnaissance, Anti-Botnet, Correlation, Traffic Recording, DoS/DDoS Protection, Blocking Methods, Automatic Updates
User Identification: Internal user database, Native LDAP, Microsoft Active Directory, RADIUS, TACACS+, Microsoft Exchange, Client Certificates
High Availability
  • Active-active/active-standby firewall clustering up to 16 nodes  SD-WAN
  • Stateful failover (including VPN connections)
  • Server load balancing
  • Link aggregation (802.3ad)
  • Link failure detection
IP Address Assignment
  • IPv4 static, DHCP, PPPoA, PPPoE, IPv6 static, SLAAC, DHCPv6
  • Services: DHCP Server for IPv4 and DHCP relay for IPv4 and IPv6
  • Static IPv4 and IPv6 routes, policy-based routing, static multicast routing
  • Dynamic routing: RIPv2, RIPng, OSPFv2, OSPFv3, BGP, MP-BGP, BFD, PIM-SM, PIM-SSM, IGMP proxy
  • Application-aware routing
IPv6: Dual stack IPv4/IPv6, ICMPv6, DNSv6, NAT, Full NGFW features
Proxy Redirection: HTTP, HTTPS, FTP, SMTP protocol redirection to Forcepoint or third-party Content Inspection Service (CIS), on premises and in the cloud
Geo-Protection: Dynamically updated source/destination country or continent
IP Address List: Predefined IP categories or using custom or imported IP address lists
URL Filtering (Separate Subscription): Custom or imported URL lists
Endpoint Applications: Application name and version
Network Applications: 7400+ network and cloud applications
Sidewinder Security Proxies: TCP, UDP, HTTP, HTTPS, SSH, FTP, TFTP, SFTP, DNS
Protocols: IPsec and TLS
Site-to-Site VPN
  • Policy- and route-based VPN
  • Hub and spoke, full mesh, partial mesh, Hybrid topologies
  • Dynamic selection of multiple ISP Links
  • Load sharing, active/standby, link aggregation
  • Live monitoring and reporting on ISP link quality (delay, jitter, packet loss)
Remote Access
  • Forcepoint VPN client for Microsoft Windows, Android, and Mac OS
  • Any standard IPsec client
  • High availability with automatic failover
  • Client security checks
  • Access to TLS VPN portal
Advanced Malware Detection and File Control
File Filtering: Policy-based file filtering with efficient down selection process. Over 200 supported file types in 19 file categories
File Reputation: High-speed cloud-based malware reputation checking and blocking
Anti-Virus: Local antivirus scan engine*
Zero-Day Sandboxing: Forcepoint Advanced Malware Detection available both as cloud and on-premise service

*Local anti-malware scan is not available with 110/115 appliances.


Pricing Notes: