Rack-mounted corporate firewall appliance with security indicator lights

The firewall is the first line of defense for a corporate network. But between the classic firewall, UTM, NGFW, and the various VPN technologies, the terminology can be confusing. This guide explains what these acronyms mean, the key security functions to know, the criteria for sizing your appliance, and an essential point when buying second-hand: the issue of licenses.

What is a corporate firewall for?

A firewall controls traffic between your internal network and the outside (Internet) according to filtering rules. It blocks unauthorized connections, masks the internal network via NAT, and serves as the enforcement point for security policies. On modern models, it adds content analysis, intrusion detection, and secure remote access.

Classic firewall, UTM, or NGFW: the differences

The classic “stateful” firewall

It filters traffic based on IP addresses, ports, and connection states. Effective for basic network segmentation (for example, isolating a DMZ), but without analysis of application content.
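An added illustration of the connection-state logic described above (example code, not from the guide or any vendor): a toy stateful filter that admits replies to LAN-initiated connections and new connections to a published DMZ service, and drops any other unsolicited inbound packet. All addresses, ports and rules are constructed for the example.

```python
# Added example: a minimal stateful packet filter. It tracks flows in a state
# table so that replies to outbound connections are admitted while unsolicited
# inbound traffic is dropped. Real firewalls also track TCP state transitions
# and expire idle entries; that is omitted here for brevity.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # True for a new TCP connection attempt

@dataclass
class StatefulFirewall:
    lan_prefix: str = "10.0.0."                  # constructed internal range
    allowed_inbound: frozenset = frozenset()     # (dst, dport) services published to the Internet
    table: set = field(default_factory=set)      # established flows (src, sport, dst, dport)

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "ALLOW (established)"         # part of a flow we already know
        if self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            self.table.add(key)                  # remember the outbound flow so replies get in
            return "ALLOW (new outbound)"
        if (pkt.dst, pkt.dport) in self.allowed_inbound and pkt.syn:
            self.table.add(key)                  # explicitly published service (e.g. DMZ web server)
            return "ALLOW (published service)"
        return "DROP (unsolicited inbound)"

def demo() -> list:
    # Constructed trace: LAN user browses out, server replies, then several inbound attempts.
    fw = StatefulFirewall(allowed_inbound=frozenset({("203.0.113.10", 443)}))
    trace = [
        Packet("10.0.0.5", 51000, "198.51.100.7", 443, syn=True),   # LAN host opens HTTPS
        Packet("198.51.100.7", 443, "10.0.0.5", 51000),             # reply to that flow
        Packet("198.51.100.7", 443, "10.0.0.5", 51001),             # same server, unknown flow
        Packet("192.0.2.9", 40000, "203.0.113.10", 443, syn=True),  # Internet client to DMZ service
        Packet("192.0.2.9", 40000, "10.0.0.5", 3389, syn=True),     # direct attempt at a LAN host
    ]
    return [fw.process(p) for p in trace]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```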

UTM (Unified Threat Management)

UTM combines several security components in a single box: firewall, gateway antivirus, web/URL filtering, anti-spam, VPN, sometimes IPS. Ideal for an SMB seeking comprehensive protection that is easy to manage.

NGFW (Next-Generation Firewall)

The next-generation firewall adds application inspection (recognizing and controlling applications, not just ports), integrated IPS, encrypted traffic inspection (SSL/TLS), and user-based control. The line between NGFW and UTM is now blurred: most professional appliances (FortiGate, Stormshield…) combine both approaches.

VPN: remote access and site-to-site links

IPsec VPN (site-to-site)

The IPsec VPN connects two sites permanently over an encrypted tunnel, for example a headquarters and a branch, as if they were on the same network.

SSL VPN (mobile users)

The SSL VPN allows teleworkers to connect to the company network from a browser or a lightweight client, without heavy configuration. Essential since remote work became widespread.

Key security functions

  • IPS/IDS: intrusion detection and prevention.
  • Web filtering and application control: block risky sites and applications.
  • Gateway antivirus: analyze incoming traffic.
  • SSL/TLS inspection: examine encrypted traffic (the majority of the web today).
  • Sandboxing: run suspicious files in an isolated environment.
  • High availability (HA): two appliances in redundancy to avoid downtime.

How to choose: decisive criteria

  • Firewall throughput: it drops when inspection is enabled; look at the “UTM/threat” throughput, not just raw throughput.
  • Number of users / simultaneous sessions to support.
  • Interfaces: number of ports, presence of SFP/fiber ports, multiple WANs.
  • Security licenses/subscriptions (see below).
  • High availability if continuity is critical.

Which brands?

Two reliable names in the professional market: Fortinet FortiGate, widely used and versatile, and Stormshield, a French vendor valued for data sovereignty and certifications (ANSSI). Find all our appliances in the corporate firewall collection.

Used firewalls: beware of licenses

Tested second-hand equipment is an excellent way to equip yourself at a lower cost. But one point must be clear: UTM/NGFW functions (filtering, antivirus, IPS, signatures) rely on security subscriptions purchased from the vendor, to be renewed to stay up to date. The used device provides firewall and VPN; for threat services, plan the appropriate license. If in doubt, ask us: we will guide you on the suitable model and license.

FAQ: corporate firewall

What is the difference between UTM and NGFW?

UTM combines several security features in one box (firewall, antivirus, filtering, VPN). NGFW emphasizes application inspection, IPS, and encrypted traffic analysis. In practice, modern professional appliances combine both.

Is a router enough as a firewall?

A router performs basic filtering and NAT but offers neither application inspection, IPS, nor gateway antivirus. For true corporate protection, a dedicated firewall (UTM/NGFW) is recommended.

Can you buy a used firewall?

Yes, for the hardware, which provides firewall and VPN. However, security services (IPS signatures, antivirus, filtering) require a current subscription with the vendor.

IPsec or SSL VPN?

IPsec to connect sites permanently; SSL for remote access from a distant workstation. Many companies use both.

In summary

Choosing a corporate firewall means first identifying your need: simple segmentation, full UTM protection, or advanced NGFW inspection—then sizing the real throughput (with inspection enabled), VPN access, and redundancy. Tested second-hand equipment greatly reduces the cost, provided you plan for up-to-date security subscriptions. Need to structure your network as well? See our guide on managed or unmanaged switches and our guide to second-hand equipment.

Buying guide, Network, Security
