Feedback on 5FN’s previous blog post on firewalls dying in 2030 prompted a closer look at the history of Next Generation Firewall (NGFW) defense technology and service development in the business market. The story has many lessons for understanding business management, detecting silent signals, and the lifecycle of technology. Many will recognize themselves and their companies over the years, whether as customers, suppliers, or colleagues. The birth and death of NGFW are, at the same time, a story of disruption and entrepreneurship. Where were you at the time of the birth of the NGFW market?

Firewall market in the late 90s

In the late 90s, the business firewall market was dominated by Cisco Systems™ PIX and CheckPoint™ Firewall-1. The stateful firewall, developed in the decade’s early years, had conquered the market from the competing Application Firewall technology. By avoiding processing TCP/IP protocols, the FW processing requirements were reduced. This way, the product became cheaper. Price and ease of maintenance won over security.

The problem in the market. No solution.

In the early 2000s, there was a significant problem in corporate networks. The explosive growth of the Internet brought malware along with it. The stateful firewall could not cope with the challenge when working at the TCP/IP protocol level. At the same time, PC anti-virus technology and updates couldn’t keep up with the malware mutations. Removing malware manually, computer by computer, became familiar to many IT units. For some, it was a quarterly task.

The ICAP protocol, developed by Peter Danzig and John Schuster in 2000, allowed traffic to be directed to a separate anti-virus server. However, ICAP needed stronger support in firewalls. Few companies wanted to integrate it into their firewall for fear of downtime. It also didn’t fit the strategy of our company at the time (Forte Netservices Oy), as our firewall market share was negligible. Furthermore, the ICAP technology mainly focused on checking the HTTP protocol, leaving a significant gap in protection.

The First AntiVirus Gateway in the Market

I had seen an advertisement the size of a postage stamp for an Ositis AVstripper gateway product (promise) in an international trade magazine in the industry. We started working with Willie Ositis in 2001 and brought the Forte AntiVirus Gateway service to the market. A plug-and-play (L2 bridge) malware cleaner was placed before or behind the firewall. The virus engine was TrendMicro™, but the offering quickly expanded to Sophos™ and McAfee™.

The gateway removed malware from the TCP/IP traffic flow and significantly improved the situation in corporate networks. The network of one Finnish company was so contaminated that we concluded that the cleaner did more to protect the Internet and other companies.

Latvian Willy Ositis sold his company to BlueCoat Systems (Symantec/Broadcom) in 2003. This product became the legendary BlueCoat ProxyAV™. The solution was later widely used in large Finnish corporations.

UTM enters the market

Forte’s eVPN™ was successful in networking remote work and offices using the Internet boom. Today it is referred to as SD-WAN. Forte AntiVirus Gateway worked reasonably well, and the service was very profitable. Forte’s firewall service was non-existent, and the firewall market was highly competitive, although the selected NetScreen™ (Juniper) technology worked well. Despite the growth, we had a problem that was reflected everywhere in the company’s operations. There were too many devices in the solution, and overall it was expensive.

Fortinet™, founded in 2000, was crucial to solving this problem. The first FortiGate Network Protection Gateway™ was introduced in 2002. It integrated stateful firewall, VPN, anti-virus and spam filtering, URL filtering, and intrusion detection & prevention functions. The following year we switched all our NetScreen™ firewalls to FortiGate™ firewalls. Our Forte Managed Security Services concept was commercially successful from then on. The solution was stable, fast, and much cheaper than the competition. No other firewall in the market contained an integrated security solution in one device.

Eight years later, the service had almost 1000 UTM/NGFW devices in over 50 countries. In 2009 and 2010, we received recognition for our work as “Best European Managed Security Service Provider.”

IDC™ and Gartner™ Battle

Research company IDC™ launched the term Unified Threat Management (UTM) in 2004 with the following definition: a UTM system is a multifunctional gateway providing all-in-one protection against network threats. Fortinet adopted the UTM definition. Competing research company Gartner™ naturally couldn’t accept the definition. They came up with the “Next Generation Firewall (NGFW)” concept in the same year. In practice, it was not the same, as Gartner’s definition did not include the requirement for malware protection. It was likely a commercial decision to support Gartner’s big customers in a tricky situation. Fortinet didn’t fit on the Gartner Magic Quadrant list for a while or even in the same city.

The first real competitor to the FortiGate™ and FortiGuard™ concept appeared only in 2007, when Palo Alto Networks™ introduced their NGFW product. At the same time, Gartner updated the NGFW definition, although it still did not include the requirement for filtering malware. There was a debate in the world market about the terms and the superiority of their products. But the fact was that Fortinet was dominant in malware protection for years to come. Over time and with the leveling of technological differences, Fortinet also adopted the Next Generation Firewall term.

The operating environment inevitably changes.

Encrypted traffic

When we started, only a small portion of Internet traffic was encrypted. Washing the traffic was a possible defense technique. Nowadays, over 95% of Internet and corporate network traffic is encrypted. Examining the content of encrypted traffic requires decrypting it. Firewalls can decrypt SSL/TLS encryption, but it’s just one of many protocols. NGFW configurations need to include this capability; however, this is rare. The marketing of AI, machine learning methods, etc. won’t change the decline in the effectiveness of traffic filtering.

Price competition at the cost of security

In the UTM era, we used expensive (powerful) devices. With them, we were able to promise and deliver. We used the so-called Proxy Inspection mode, a “sandbox on wire” technique. As competition intensified, the market ended up in a price/performance competition. The competition also forced Fortinet to bring a lighter option to the market, the Flow Inspection mode. Performance improved at the cost of security. Price and ease of maintenance won over cybersecurity once again.

Now in 2023, numerous players compete in the same market. There are no significant differences between vendors’ NGFW technology.

What can we learn from a business perspective?

Can you create your place in the market?

Identifying the customer’s challenge required hundreds of customer meetings. The problem was not with the team managing the firewall but with the desktop and server teams. The market didn’t offer technology or services to stop malware. UTM and NGFW were not about the firewall but about ensuring the security of the traffic passing through.

After identifying the customer need, a new technology had to be found, along with a company willing to develop its technology and meet the recognized demand in the market. In addition, its operations had to be adapted to the agile development of the new solution and service. We did a lot of requirement specifications and testing in the early stages of developing the FortiGuard service with Ositis and Fortinet. They, too, were startup companies.

Disrupting the operating environment

At the same time as the Internet (Web) grew and the EU single market formed, we were not stuck in Finland’s (manufacturer / wholesaler / retailer) channel structure and its limited supply. We bravely acquired better technology from companies that were still unknown worldwide.

Competition came from outside of control.

In the early 2000s, the service procurement model was rare in the ICT sector, except for teleoperators. Most companies made IT purchases as investments, and the brand had a significant impact. The service concept and productization hid the brand. The competing provider had to compare the service content and features instead of relying on the brand. With unknown technologies, we would hardly have succeeded in brand competition. The competition framework and rules had to be changed. Ultimately, the market shift towards a service-oriented mindset made the arrangement easier.

We were a cause for concern in Finland’s stagnant firewall market, as the local staff of Cisco said.

Why were the customers’ needs not met?

Our company was acquired by a telecom operator in the autumn of 2011. The buyer did not have NGFW or UTM-based services in its portfolio. The competing operators had recently started a partnership with Palo Alto. At this point, we had been producing UTM/NGFW services for eight years. Our customers included 23% of Finland’s top 100 companies (excluding IT and telecom operators). Nearly all of our customers were also customers of these operators. The change could have been more agile in a well-established market. Many questions arise afterward:

  • Why couldn’t established players respond to customer needs?
  • Why couldn’t they change their product offerings?
  • Why do they believe they can change in time in 2023?

Is there a future for NGFW?

As companies move from their own data centers and services to SaaS, PaaS, and IaaS markets, and app development becomes decentralized on Azure™, AWS™, and Google™ platforms, the importance of firewalls inevitably declines. The blog “Firewalls are dying by 2030” covers this topic. The birth and death of NGFW form the background to this.


Hannu Rokka, Senior Advisor

5Feet Networks Oy