Skip to main content Skip to footer
CyberRatings
  • Research & Testing
    • Test Reports
      Browser Security
      Cloud Network Firewall
      Endpoint Protection
      Enterprise Firewall (formerly NGFW)
      Software-Defined Wide Area Network (SD-WAN)
      Security Service Edge (SSE) Threat Protection
      Zero Trust Network Access (ZTNA)
    • Mini TestsHow effective are the Cloud Service Provider (CSP) native cloud firewall offerings?What does "Secure by Default" mean for Security Service Edge solutions?
Our Ratings SystemResearch
  • Media
    • Blog
    • Press
    • Podcasts & Videos
  • Services
    • Test ToolsCyPerf Trial
  • NSS Labs Archive
0
Log inSign up
CyberRatings
Log inSign up
0
  • CyberRatings
  • Research & Testing
    • Browser Security
    • Cloud Network Firewall
    • Endpoint Protection
    • Enterprise Firewall (formerly NGFW)
    • Software-Defined Wide Area Network (SD-WAN)
    • Security Service Edge (SSE) Threat Protection
    • Zero Trust Network Access (ZTNA)
    • Mini Tests
    • How effective are the Cloud Service Provider (CSP) native cloud firewall offerings?
    • What does "Secure by Default" mean for Security Service Edge solutions?

    • Our Ratings System
    • Research
  • Media
    • Blog
    • Press
    • Podcasts & Videos
  • Services
    • Test ToolsCyPerf Trial
  • NSS Labs Archive
  • Log inSign up
  • CyberRatings
  • Research & Testing
    • Test Reports
    • Browser Security
    • Cloud Network Firewall
    • Endpoint Protection
    • Enterprise Firewall (formerly NGFW)
    • Software-Defined Wide Area Network (SD-WAN)
    • Security Service Edge (SSE) Threat Protection
    • Zero Trust Network Access (ZTNA)
    • Mini Tests
    • What does "Secure by Default" mean for Security Service Edge solutions?

    • Our Ratings System
    • Research
  • Media
    • Blog
    • Press
    • Podcasts & Videos
  • Services
  • NSS Labs Archive
  • Log inSign up

Read the press release on new SSE and ZTNA results — See how Zscaler’s Zero Trust Exchange Performed

Research

« Back
« Back

Best Practices for Enterprise Firewall Deployment in 2024

June 27, 2024CyberRatings.orgResearch

As previously announced, the security industry is working towards a secure-by-default configuration.

This is still an ongoing process; however, we already see vendors making improvements from when we published the cloud network firewall group test. In that test, we found that not all products were secure by default. Therefore, we documented the changes we made and published them (https://cyberratings.org/type/research/2024-best-practices-for-cloud-network-firewall-deployment/). We are doing the same for this group test.

Last year, the Cybersecurity & Infrastructure Security Agency (CISA), along with ten U.S. and international partners, published guidelines for their “Secure by Design, Secure by Default” principle. In their April 2023 publication, they stated the following:

“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

This guide should complement what the vendors already provide to their customers. Please refer to the links below for the best practices and guides for each vendor we tested. We have also included extra information for one vendor: Cisco.

The following steps were taken for each firewall:

  • Deploy the firewall in our lab in Austin, Texas (we are using Fortinet for this example).
  • Connect the interfaces required for the topology. This information can be found in each vendor guide.
  • Register the device to the centralized management system where needed. For our test, we only used centralized management for Cisco and Versa Networks. For Cisco, it is required to get some functionality working; more on this below. For Versa Networks, it’s both recommended and needed from a licensing perspective. This is information that is found in each vendor guide.
  • Validation of licenses, which, in turn, enable software updates, threat updates, etc. This information is found in each vendor guide.
  • Define access policies:
    • Trust to untrust
    • Untrust to trust
  • Define IPS policies:
    • Enable threat signatures, advanced protection, cloud lookup, etc. Each product handles this differently, but this information is in their guides.
  • Upload the required server certs, keys, and CA certs if necessary. This information is available in each vendor guide.
  • Define TLS decryption policies for versions 1.2 and 1.3. Configure them to decrypt all traffic. We make a few exceptions to test if the product can bypass decryption based on specific IP addresses or domain names. If something cannot be decrypted or is using an older TLS/SSL version or an insecure cipher, then the product is set to block.
  • Link IPS and TLS policies to the overall access policy.
  • Validate configuration:
    • Make sure you can pass traffic.
    • Make sure you can block attacks by sending something malicious.Tune out false positives where possible. If we couldn’t do so without disabling security or if it was practically impossible, we listed the false positive rate in the test report. Please refer to individual test reports for more details.

For each firewall listed below, we have included a link to best practices and additional information.

Firewalls Tested:

 

Check Point Quantum Force 19200 plus

https://www.checkpoint.com/downloads/products/quantum-force-19200-datasheet.pdf

Firmware: R81.20 Jumbo Hotfix Take 45
IPS Version: 635242922
Configuration: 2 x 40G – 1 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://support.checkpoint.com

 

Cisco Firepower 2130

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

Firmware: Threat Defense v7.3.1 (build 19)
IPS Version: 384
Configuration: 4 x 10G – 2 port-pairs

Follow their instructions; the product requires special configuration; see below.

Documentation: https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-and-configuration-guides-list.html

We also registered the Cisco Secure Firewall Threat Defense into the Cisco Secure Firewall Management Center (FMC). We enabled TLS 1.2 and 1.3 following Cisco’s instructions. This included updating from Snort v2 to Snort v3, which is required to enable TLS 1.3—as per Cisco: “You must be using Snort 3 to match TLS 1.3 connections.” See https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-ssl-decryption.html for more details. This link also provides information about how to make TLS 1.2 and TLS 1.3 work, while also blocking other SSL/TLS version.

Note: Cisco does not support the CHACHA20 cipher suites despite claiming otherwise.

The following screenshot shows the instructions required for achieving our test’s use case.

 

Forcepoint 3410 NGFW

https://www.forcepoint.com/sites/default/files/resources/datasheets/datasheet-forcepoint-ngfw-3400-series-appliance-en_0.pdf

Firmware: 7.1.1 build 29059
IPS Version: 1707
Configuration: 2 x 40G – 1 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Note: From version 7.1, Forcepoint Next Generation Firewall is rebranded to Forcepoint FlexEdge Secure SD-WAN.

Documentation: https://support.forcepoint.com/s/article/FlexEdge-Secure-SD-WAN

 

Fortinet FortiGate-900G

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-900g-series.pdf

Firmware: v7.4.4 GA
IPS Version: 27.00783
Configuration: 4 x 10G – 2 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/954635/getting-started

 

Juniper Networks SRX4600

https://www.juniper.net/us/en/products/security/srx-series/srx4600-firewall-datasheet.html

Firmware: JUNOS 22.4X3.1 srx4600
IPS Version: 3701
Configuration: 2 x 40G – 2 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://www.juniper.net/documentation/product/us/en/srx4600/junos-os/

 

Palo Alto Networks PA-450

https://docs.paloaltonetworks.com/hardware/pa-400-hardware-reference/pa-400-firewall-specifications

Firmware: 11.1.1
IPS Version: Threat Version: 2024-05-14 (8849-8746)

AntiVirus Version: 2024-05-14 (4818-5336)

Configuration: 4 x 1G – 2 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Evasion defenses are now enabled by default, using their latest update. To verify this is the case, please follow the instructions below.

Documentation: https://docs.paloaltonetworks.com/best-practices

Next, you will have to follow the detailed instructions as documented by Palo Alto Networks: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions

After following those instructions, issue the commands in the command line interface (CLI).

To do this:

  • You will have to enable SSH on the device.
  • Then, log in to the device with your admin credentials.
  • Then, run the following commands:

Set system setting ctd block-on-base64-decode-error enable
set system setting ctd block-on-bdat-chunk-decode-error enable
set system setting ctd block-on-chunk-decode-error enable
set system setting ctd block-on-qp-decode-error enable
set system setting ctd block-on-utf-decode-error enable
set system setting ctd block-on-uu-decode-error enable
set system setting ctd block-on-zip-decode-error enable

set deviceconfig setting session resource-limit-behavior bypass

 

Sangfor NGAF 5300

https://www.sangfor.com/sites/default/files/2022-06/NGAF_DS_P_NGAF53-Datasheet_20220531.pdf

Firmware AF 8.0.85.1029 Build 20240423
IPS Version 2024-04-23 (Vulnerability Database)
Configuration 2 x 10G – 1 port-pairs

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://community.sangfor.com/plugin.php?id=sangfor_databases%3Aindex#?Product=NGAF&Document=Configuration%20Guide&Language=English

 

Versa Networks CSG5000

https://versa-networks.com/documents/datasheets/versa-csg5000-series.pdf

Firmware versa-flexvnf-20240405-041659-5186a33-22.1.4-B
IPS Version 6446
Configuration 5 x 10G – 5 port-pairs (limited to 40G)

Follow their instructions; the product doesn’t require any special configuration.

Documentation: https://academy.versa-networks.com/versa-academy-library/

Documentation: https://docs.versa-networks.com

Related content

Enterprise Firewall (formerly NGFW)

Technology

CyberRatings.org Announces 2021 Enterprise Firewall Product Ratings

February 9, 2021
PRESS RELEASE

Enterprise Firewall Comparative Test Results Show That Encryption and Evasions Matter

April 25, 2023
PRESS RELEASE

2024 Best Practices for Cloud Network Firewall Deployment

April 3, 2024
Configuration Guide

CyberRatings.org Announces its 2021 Ratings Chart for Enterprise Firewall + SSL/TLS

February 18, 2021
PRESS RELEASE

CyberRatings Announces Enterprise Firewall Test Results

June 27, 2024
PRESS RELEASE

Sign up for our Newsletter

515 South Capital of Texas Highway
Suite 225
Austin, TX 78746

Phone: +1 (512) 333-1734

Fax: +1 (512) 727-2130

Contact Us

Research & Testing

  • Browser Security
  • Cloud Network Firewall
  • Endpoint Protection
  • Enterprise Firewall (formerly NGFW)
  • Software-Defined Wide Area Network (SD-WAN)
  • Security Service Edge (SSE) Threat Protection
  • Zero Trust Network Access (ZTNA)
Mini TestsHow effective are the Cloud Service Provider (CSP) native cloud firewall offerings?What does "Secure by Default" mean for Security Service Edge solutions?Our Ratings SystemResearch

Services

  • Test Tools
  • CyPerf Trial

Media

  • Blog
  • Press
  • Podcasts & Videos

About Us

  • Our Mission
  • Leadership

Research & Testing

  • Browser Security
  • Cloud Network Firewall
  • Endpoint Protection
  • Enterprise Firewall (formerly NGFW)
  • Software-Defined Wide Area Network (SD-WAN)
  • Security Service Edge (SSE) Threat Protection
  • Zero Trust Network Access (ZTNA)
Mini TestsHow effective are the Cloud Service Provider (CSP) native cloud firewall offerings?What does "Secure by Default" mean for Security Service Edge solutions?Our Ratings SystemResearch

Services

  • Test Tools
  • CyPerf Trial

Media

  • Blog
  • Press
  • Podcasts & Videos

About Us

  • Our Mission
  • Leadership

Copyright © 2022 - 2025 CyberRatings.org, All Rights Reserved. Use of this site governed by the Terms of Service

Privacy PolicyCopyright & Quote PolicyCookie Policy
Forgot Password?
Lost your password? Please enter your username or email address. You will receive a link to create a new password via email.
body::-webkit-scrollbar { width: 7px; } body::-webkit-scrollbar-track { border-radius: 10px; background: #f0f0f0; } body::-webkit-scrollbar-thumb { border-radius: 50px; background: #dfdbdb }