NGFW Feature Matrix

Next-Generation Firewall (NGFW) feature matrix

NGFW support and feature matrix
Standard firewall features
NetSec support for Palo Alto Networks®		NetSec support for Cisco® (FTD)
Interfaces	Supported	Supported	Interfaces
IPv4 routing	Supported	Supported	IPv4 routing
IPv6 routing	Supported	Supported	IPv6 routing
NAT	Supported	Supported	NAT
Packet filtering	Supported	Supported	Packet filtering
Global Protect Basic (Client VPN)	Supported	Supported	Anyconnect Plus
Management	Supported	Supported	Management
High availability (HA—active/standby)	Supported	Supported	High availability (HA—active/standby)
Routed mode	Supported	Supported	Routed mode
Two-factor authentication			Two-factor authentication
Duo Version 1	Supported with customer provided by proxy server	Supported with customer provided by proxy server	Duo Version 1
Duo Version 2	Roadmap item	Roadmap item	Duo Version 2
Site-to-site VPN			Site-to-site VPN
Policy-based VPN	Supported	Supported	Policy-based VPN
Route-based VPN	Supported	Unsupported Feature	Route-based VPN
RackConnect	Version 3 Only	Unsupported Feature	RackConnect

NGFW features—Threat intelligence feeds
NetSec support for Palo Alto Networks®		NetSec support for Cisco® (FTD)
Threat prevention (IPS)	NetSec—configure only	NetSec—configure only	Threat prevention (IPS)
Geofencing	Supported	Supported	Geofencing updates included threat-prevention license
Anti-virus	Supported (Default template)	Supported	Umbrella
Anti-spyware	Supported (Default template)		Security intelligence DNS security
Vulnerability protection	Supported (default template)	Supported	Security intelligence for IP and URL
URL Filtering	Supported	Supported	URL Filtering (URL)
SSL Inbound decryption	Supported	Supported	SSL Inbound decryption
SSI Outbound decryption (requires PKI infrastructure)	Supported	Supported	SSL Outbound decryption (requires PKI infrastructure)
DNS sinkhole	Supported	Supported	DNS sinkhole
DDOS profiles	Supported (default template)	Roadmap item	Correlation policies
Zone-based protection	Supported (default template)	Roadmap item	Rate-based attack prevention
Profiles	Supported (default template)	Roadmap item	Profiles (based on server OS)

MALWARE protection
Wildfire		Threat Grid Cloud
Wildfire basic	Supported (Default template)	Supported on Firepower hardware only	Anti-malware protection (AMP for networks)
Wildfire signature updates (24-48 hours)	Supported	Not supported on ASA-X hardware	Anti-malware protection (AMP for networks)
Instant signature updates (Less than 5 minutes)	Supported
Wildfire API	Roadmap item
Wildfire appliance	Roadmap item	Roadmap item	Threat Grid appliance
Autofocus	Roadmap item
Wildfire advanced file support	Roadmap item
Data filtering and file blocking	Supported (default template)	Supported	File-type filtering and blocking

Endpoint protection
Traps	Roadmap item	Roadmap item	Anti-malware protection (AMP for endpoints)

Advanced connectivity options
Global Protect Advanced	Professional Services required	Professional Services required	Anyconnect Apex
Global Protect HIP checks	Professional Services required
Global Protect mobile support	Professional Services required
Global Protect IPv6 support	Professional Services required
Global Protect clientless Mode	Professional Services required

Features not supported:
Dynamic routing protocols OSPF/OSPFv3 are reasonable endeavor.
Active/active failover and clustering are not supported.
IPsec DMVPN is not supported.

Updated 19 days ago