What is an ML-Powered NGFW?


A next-generation firewall (NGFW) is an advanced version of the traditional firewall that makes policy decisions based on the identity of the user, the content and the application rather than on ports and IP addresses alone. NGFWs have become the standard for network security in recent years. At the same time, three key trends are changing the cyberthreat landscape:

  1. Cybercriminals are becoming more sophisticated and launching more attacks.
  2. The Internet of Things (IoT) is adding a deluge of hard-to-secure devices to enterprise networks, for which only a small percentage of businesses feel prepared.1
  3. An increasingly remote workforce is bringing more devices to work, increasing the surface area vulnerable to attack.


The Proactive NGFW

Over the last decade, much of the enterprise security industry has focused on reducing the time it takes to react to cyberattacks. What if a new paradigm were to replace the reactive firewall? This is the thinking behind firewalls that embed machine learning (ML) at the core, turning the firewall from a reactive security control point to a proactive one. An ML-Powered NGFW does this by learning continuously from vast amounts of data to detect threats across multiple fronts. 

Four mechanisms fuel the ML-Powered NGFW. 

  1. Inline Machine Learning
    Malware distributed at scale typically lands on a single victim first and spreads from there. Older-generation defenses either take too long to push new protections out to the infrastructure before the next attack lands, or have to hold every file for inspection, frustrating users with slow response. In an ML-Powered NGFW, the ML models are built into the firewall itself. This means the firewall can classify a file while it is being downloaded and block it immediately if it is judged malicious, without handing it off to an offline analysis tool. With this approach, the time from visibility to prevention is close to zero.
  2. Zero-Delay Signatures
    Inline ML detects and blocks new variants of known malware, but the most sophisticated attackers often develop new malware from scratch, which requires deeper analysis than an inline verdict. An ML-Powered NGFW rearchitects the way signatures are delivered. Instead of waiting at least five minutes for a scheduled push, signature updates are generated and streamed to the firewall within seconds after that analysis completes. This means a new threat is stopped at the first user, and future mutations are blocked automatically.
  3. ML-Powered Visibility Across IoT Devices
    IoT devices, such as cameras and other electronics, are being added to enterprise networks with dizzying speed, increasing the need for IoT security. Imagine a newly deployed camera that begins transmitting a file via FTP to another system on the network. Older IoT security products depend on predefined device definitions and cannot track unexpected or dangerous behavior. The ML-Powered NGFW automatically groups similar devices, such as cameras or tablets, using ML-based classification, and can then track and prevent activity that is unusual or harmful relative to each group's normal behavior.
  4. Automated, Intelligent Policy Recommendations
    Security administrators find it challenging to keep up with the rate of change of applications, devices and attacks on a network while updating security policies manually. They often resort to permissive policies, which expose the network to unknown threats. The ML-Powered NGFW, on the other hand, compares the behavior of the devices on the network with metadata gathered from millions of IoT devices to establish normal behavior patterns. For each IoT device and category, it then recommends a policy of allowable behaviors, saving administrators countless hours of manual updates.
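The behavioral grouping in item 3 and the policy recommendation in item 4 follow the same pattern: learn what each device category normally does, turn that into an allow-list, and treat anything outside it as an anomaly. The script below is an added illustration of that pattern, not Palo Alto Networks code. The device categories, flow records, host names and policy format are all constructed for the example; in a real deployment the category label would come from the firewall's device classification rather than being supplied in the record.

```python
"""Learn a per-category behavior baseline from flow records and recommend
an allow-list policy from it (added example; constructed data throughout)."""
from collections import defaultdict

# Constructed learning-phase flows: (device, category, app, dst_port, dst_host).
# The category is given here; a real NGFW would derive it by ML classification.
BASELINE_FLOWS = [
    ("cam-01", "camera", "rtsp", 554, "nvr.corp.example"),
    ("cam-01", "camera", "https", 443, "cloud.vendor.example"),
    ("cam-02", "camera", "rtsp", 554, "nvr.corp.example"),
    ("cam-02", "camera", "ntp", 123, "time.corp.example"),
    ("cam-03", "camera", "rtsp", 554, "nvr.corp.example"),
    ("cam-03", "camera", "https", 443, "cloud.vendor.example"),
    ("tab-01", "tablet", "https", 443, "m365.example"),
    ("tab-01", "tablet", "dns", 53, "dns.corp.example"),
    ("tab-02", "tablet", "https", 443, "m365.example"),
]

# Constructed flows seen after the learning phase.
NEW_FLOWS = [
    ("cam-01", "camera", "rtsp", 554, "nvr.corp.example"),       # normal
    ("cam-02", "camera", "ftp", 21, "fileshare.corp.example"),   # camera pushing a file
    ("tab-01", "tablet", "https", 443, "m365.example"),          # normal
]


def build_baseline(flows):
    """Map each device category to the set of (app, dst_port) pairs observed
    for any device in that category. Grouping by category means behavior seen
    on one camera (e.g. NTP) is accepted for its peers as well."""
    baseline = defaultdict(set)
    for _device, category, app, port, _host in flows:
        baseline[category].add((app, port))
    return dict(baseline)


def recommend_policy(baseline):
    """Translate the baseline into ordered rules: one allow per observed
    (app, port) for the category, followed by a catch-all deny."""
    rules = []
    for category in sorted(baseline):
        for app, port in sorted(baseline[category]):
            rules.append({"category": category, "action": "allow",
                          "app": app, "port": port})
        rules.append({"category": category, "action": "deny",
                      "app": "any", "port": "any"})
    return rules


def evaluate_flow(baseline, flow):
    """Return the verdict the recommended policy would give a single flow.
    An unknown category has no allow rules, so everything is denied."""
    _device, category, app, port, _host = flow
    return "allow" if (app, port) in baseline.get(category, set()) else "deny"


def find_anomalies(baseline, flows):
    """Flows that fall outside their category's learned behavior."""
    return [f for f in flows if evaluate_flow(baseline, f) == "deny"]


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for rule in recommend_policy(base):
        print(rule)
    for flow in find_anomalies(base, NEW_FLOWS):
        print("ANOMALY:", flow)
```

The camera's FTP transfer is flagged because no camera used FTP during the learning phase, while cam-01's first NTP request would pass because a peer camera already did the same. The caveat a practitioner should keep in mind is that a baseline learned from live traffic also learns any bad behavior already present, so recommended rules should be reviewed before they are switched from alerting to enforcement.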

Why an ML-Powered NGFW?

The ML-Powered NGFW disrupts the way security has been deployed and enforced so far:

  • Based on testing, it proactively prevents up to 95% of new threats instantly.
  • It stops malicious scripts and files without sacrificing the user experience.
  • It extends visibility and protection to IoT devices without additional hardware. Based on customer data, the number of detected IoT devices increases by a factor of three.
  • It reduces human error and automates security policy updates to prevent the most advanced attacks.

Want to learn how Palo Alto Networks is leveraging machine learning to protect today’s enterprises from tomorrow’s threats? Read our e-book 4 Key Elements of an ML-Powered NGFW: How Machine Learning Is Disrupting Network Security.


1. McKinsey & Company, “Perspectives on transforming cybersecurity,” March 2019.