NGFW Feature Matrix
Next-Generation Firewall (NGFW) feature matrix
NGFW support and feature matrix |
|||
|---|---|---|---|
Standard firewall features |
|||
| NetSec support for Palo Alto Networks® | NetSec support for Cisco® (FTD) | ||
| Interfaces | Supported | Supported | Interfaces |
| IPv4 routing | Supported | Supported | IPv4 routing |
| IPv6 routing | Supported | Supported | IPv6 routing |
| NAT | Supported | Supported | NAT |
| Packet filtering | Supported | Supported | Packet filtering |
| Global Protect Basic (Client VPN) | Supported | Supported | Anyconnect Plus |
| Management | Supported | Supported | Management |
| High availability (HA—active/standby) | Supported | Supported | High availability (HA—active/standby) |
| Routed mode | Supported | Supported | Routed mode |
| Two-factor authentication | Two-factor authentication | ||
| Duo Version 1 | Supported with customer provided by proxy server | Supported with customer provided by proxy server | Duo Version 1 |
| Duo Version 2 | Roadmap item | Roadmap item | Duo Version 2 |
| Site-to-site VPN | Site-to-site VPN | ||
| Policy-based VPN | Supported | Supported | Policy-based VPN |
| Route-based VPN | Supported | Supported | Route-based VPN |
| RackConnect | Version 3 Only | Unsupported Feature | RackConnect |
NGFW features—Threat intelligence feeds |
|||
|---|---|---|---|
| NetSec support for Palo Alto Networks® | NetSec support for Cisco® (FTD) | ||
| Threat prevention (IPS) | NetSec—configure only | NetSec—configure only | Threat prevention (IPS) |
| Geofencing | Supported | Supported | Geofencing updates included threat-prevention license |
Anti-virus |
Supported (Default template) | Supported | Umbrella |
Anti-spyware |
Supported (Default template) | Security intelligence DNS security | |
Vulnerability protection |
Supported (default template) | Supported | Security intelligence for IP and URL |
| URL Filtering | Supported | Supported | URL Filtering (URL) |
| SSL Inbound decryption | Supported | Supported | SSL Inbound decryption |
| SSL Outbound decryption (requires PKI infrastructure) | Supported | Supported | SSL Outbound decryption (requires PKI infrastructure) |
| DNS sinkhole | Supported | Supported | DNS sinkhole |
| DOS profiles | Supported (default template) | ||
| Zone-based protection | Supported (default template) | ||
| Profiles | Supported (default template) | ||
MALWARE protection |
|||
|---|---|---|---|
Wildfire |
Threat Grid Cloud |
||
| Advanced Wildfire | Supported (Default template) | Supported on Firepower hardware only | Anti-malware protection (AMP for networks) |
| Wildfire signature updates (24-48 hours) | Supported | Not supported on ASA-X hardware | Anti-malware protection (AMP for networks) |
| Instant signature updates (Less than 5 minutes) | Supported | ||
| Data filtering and file blocking | Supported (default template) | Supported | File-type filtering and blocking |
Advanced connectivity options |
|||
|---|---|---|---|
| Global Protect Advanced | Professional Services required | Professional Services required | Anyconnect Apex |
Global Protect HIP checks |
Professional Services required | ||
Global Protect mobile support |
Professional Services required | ||
Global Protect IPv6 support |
Professional Services required | ||
Global Protect clientless Mode |
Professional Services required | ||
Updated about 1 year ago