IT Central Station is now PeerSpot: Here's why

NGFW with URL Filtering vs Web Proxy

Should one go for a URL Filtering as an add-on to NGFW or just deploy a Web proxy, instead?

I am one who advocates that firewalls with URL Filtering can't serve better than Web security solutions (i.e., a Web proxy).

What's your opinion?

PeerSpot user
910 Answers

Mike Hounsome - PeerSpot reviewer

Over 50% of security vulnerabilities are non-Web based traffic, such as DNS, DDOS etc and this is where some Web Proxys fall short as they only inspect the Web traffic that is forwarded to them, NGFW's provide superior protection at the edge to inspect all traffic for on-prem users locally.

This is where a SASE solution can help for remote working by providing best of both worlds capabilities such as SWG, NGFW, ZTNA, CASB etc delivered from a Cloud architecture in a unified (single-pass) manor, protecting 'All Traffic from Any user/device anywhere not just Web. 

chiefexe795285 - PeerSpot reviewer
Top 5Real User

Use a Web Proxy that will protect your users when they are working at home as well. The FW will provide protection when the user is behind it. The web proxy will protect the user at any place, anytime. 

Evgeny Belenky - PeerSpot reviewer
Community Manager

Hi @Oleg Pekar and @Manish Nalawade. Can you share your thoughts?

V for Reviewer - PeerSpot reviewer
Top 5LeaderboardReal User

You are analyzing a central solution (perimeter), correct? 
So, NGFW with URL filtering is simple & easy to go live without any issues.

But, what is going on with the endpoints, local URL filtering? 

Cesar Beut - PeerSpot reviewer
Top 5Real User

Web Proxy like Cisco Umbrella works very well, you have protection at home and at office, with a lot of employees working some days at home and others at the office is a great solution.

Basil Dange - PeerSpot reviewer
Top 5LeaderboardReal User

NGFW does streaming based scanning it means it will pass the packet as it received due to which there is high probability of malware getting passed via Firewall. Where as Proxy wait for complete

Luis Apodaca - PeerSpot reviewer
Top 5User

Hi Edwin

organization size ?
usual final users behavior?
how strong its the security you want ?
budget ?

if what you need its not that big i allways recomend kind a free solution as a " Pihole server " (in a virtual container its the best way) but,,, also you can find a SOPHOS UTM as the best solution either or maybe a Unifi USG Router or unifi dream machine, of course if your budget allows it

good luk.

PrideChieza - PeerSpot reviewer
Real User

I think the NGFW should do all the work for you if configured properly eg deep packet inspection and not just certificate inspection mode on the policies.

With deep packet inspection the Firewall will deconstruct and reconstruct the packet this will give you full visibility into network traffic and network protection.

The NGFW like fortigate will also give you protection when connected to the public network through sslvpn with tunnel mode enabled such that all your traffic goes through the HQ when browsing resulting in the same policies that you use when onsite to be the same when you are offsite.

Louis Nel - PeerSpot reviewerLouis Nel

@PrideChieza NGFW coupled with internal resources, e.g. domain controllers, gives a great breakdown per area and scopes well. A FortiGate integrated with user groups can act as a firewall and per group web filter, and yes, if deep packet inspection is really needed can be tweaked to allow very specific traffic. +1 for it doing the had work for you.

imadam - PeerSpot reviewer
Top 10Real User

This depends on many factors like size of organization, how organization is geo-spread, type of NGFW and Proxy you are looking at or you have. And where proxy is deployed, onprem or cloud? With cloud you have additional options and companies like Zscaler and Netskope started to eat this part of market. 

Buyer's Guide
May 2022
Find out what your peers are saying about Fortinet, Check Point, Netgate and others in Firewalls. Updated: May 2022.
599,220 professionals have used our research since 2012.