Unrivaled Security

Scalability Security Availability Visibility Manageability Connectivity

Extensive controls that stop more attacks, breaches and theft without sacrificing performance

Forcepoint Next Generation Firewall (NGFW) provides a wide range of advanced access controls and deep inspection capabilities that protect your business, users and data against ever-evolving advanced threats that lead to breaches and theft. Centrally managed with the Forcepoint NGFW Security Management Center (SMC), you can apply different types of security techniques to each connection such as: by application, by organization, by location, or a variety of other factors – all without sacrificing networking performance. And, this protection works seamlessly throughout your network – in data center SDNs, on the edge, in branch SD-WANs and in the cloud.


IDC Research found that customers who switched to Forcepoint experienced 86% fewer cyberattacks and 69% fewer breaches.

IDC Research, Forcepoint NGFW Business Value Snapshot, March 2017.


NSS Labs gave Forcepoint the highest score for security out of all vendors tested in their 2017 NGFW test along with one of the best TCO rankings as well.

NSS Labs 2017 NGFW Test, May 2017.

“Forcepoint ticks all the boxes for our legal clients including security, compliance and cost. It’s resilient, it’s secure, and it’s scalable through the range. No other firewall has the ability to do security this well.”

Senior Security Consultant, NETprotocol

Broad range of built-in security capabilities

Forcepoint NGFW comes with a wide range of built-in security capabilities (including VPN, IPS, encrypted inspection, secure SD-WAN, and mission-critical application proxies), freeing you from having to juggle different products, allocate licenses or perform administrative chores in multiple places. You can even repurpose security appliances into different roles, extending the lifetime of your infrastructure.

Encrypted traffic control – while maintaining user privacy

With Forcepoint NGFW, you can painlessly handle the rapid shift to encrypted transmissions – both for incoming and outgoing traffic. Accelerated decryption lets you inspect HTTPS and other SSL/TLS-based protocols efficiently to deny or allow specific HTTP commands or URL segments inside HTTPS – ( even in virtualized or cloud deployments), and our SSH security proxy gives you advanced control for mission-critical applications. In addition, Smart Policies make it easy to comply with emerging privacy laws and internal practices: preventing the exposure of personally identifiable information (PII) as users communicate with their banks, insurance companies, or other sensitive sites.

Better breach prevention with industry-leading IPS

All Forcepoint NGFWs enforce powerful anti-intrusion policies through built-in IPS capabilities that do not require additional licenses or separate tools to implement. Forcepoint NGFW’s IPS capabilities are NSS Labs RECOMMENDED (2016 Next Generation Intrusion Prevention System test) and it recently achieved perfect scores in NSS Labs’ 2017 NGFW Test, blocking 100% of malware and evasions with no false positives.

Deep security integrated with SD-WAN

Forcepoint NGFW extends enterprise-grade security out to branch offices, eliminating the need for multiple devices in SD-WAN environments. It provides full protection across multi-ISP broadband Internet links as well as MPLS lines that connect to corporate networks. Different types of traffic can be restricted to specific links (for example, Office 365 to high-speed broadband, social media and video to inexpensive commercial lines, and voice or sensitive apps to leased lines), each with the appropriate encryption and inspection controls. With Forcepoint’s centrally managed Secure SD-WAN approach, you can save upfront capital costs and reduce ongoing operating expenses.

Strong protection against Advanced Evasion Techniques (AETs)

Forcepoint is the pioneer in Advanced Evasion Techniques (we wrote the book, literally). Our full protocol normalization of traffic disrupts attackers’ attempts to sneak in malicious code, spots anomalies and prevents attempts to exploit vulnerabilities within your network.

Protection of mission-critical apps

For years, Forcepoint has been protecting mission-critical applications in some of the most sensitive networks around the world. Forcepoint combines the strength of our Sidewinder security proxy technology with the central manageability and high availability of our next generation firewalls. Mediate access and data flow between users and the servers that mission-critical applications are running on, isolating them from transport- and application-layer attacks over SSH/SFTP, HTTP, TCP and UDP.

Advanced malware detection and Zero-Day sandboxing

Forcepoint NGFW applies multiple scanning techniques to files found in network traffic, including: reputation vetting, built-in anti-malware scanning, and Zero-Day scanning via our Forcepoint Advanced Malware Detection service. This powerful, cloud-based system uses industry-leading sandboxing and other analysis techniques to examine the behavior of files and reliably uncover malicious code so that it can be rapidly blocked. Organizations have the flexibility of choosing a cloud-based or on-premises version to best suit their operational needs.

Reduced risk of botnet infiltration

Forcepoint NGFW uses a variety of techniques for examining traffic patterns within connections to identify potential botnet command-and-control communications. Fingerprints of known botnets and message-length sequence analyses (even for encrypted traffic) uncover attempts to infiltrate your network so that you can block attackers before they get a foothold.

Endpoint Whitelisting and Blacklisting Application Control

Endpoint Context Agent provides whitelisting and blacklisting of client applications running on hosts and end-user devices. For example, it would allow administrators to specify the browsers and their versions that may or may not access the Internet. This provides more granular controls that can be customized to the business needs and security posture of the organization.

Dynamic protection against phishing and malicious web downloads

Forcepoint NGFW provides dynamic URL filtering that makes it easy to enforce web access policies for compliance and block access to phishing sites (as well as malicious or undesirable content). Forcepoint Threat Intelligence cloud service provides an extensive, continually updated categorization of URLs that can be used directly within access policies to provide dynamic control over which users are allowed to access which sites.

Integrated data exfiltration controls

Forcepoint NGFW can help prevent loss of sensitive data and intellectual property. Outbound traffic can be inspected for patterns such as credit card numbers, personal identifiers, restricted code names and other terms to reduce the risk of theft.

Virtualized protection in software-defined networks (SDN)

Forcepoint NGFW runs in virtualized data centers and in the cloud, providing the same centrally managed security that is available on in physical appliances. This lets you microsegment your virtualized applications, databases and services infrastructure with the same types of policies and visibility you use in offices and branch locations.

Unparalleled advanced security, powered by the Forcepoint Cloud (CASB, web, email, dlp)

Forcepoint NGFW provides unparalleled security without deployment headaches when used alongside Forcepoint CASB (Cloud Application Security Broker), Web Security, Email Security, and DLP (Data Loss Prevention) for cloud applications.

Quantifying operational and security results of switching to Forcepoint NGFW, by IDC

Customers switching to Forcepoint saved 53% in IT staff time, cut maintenance downtime 70%, and slashed cyberattacks 86%

The Evasion Gap, identified in the NSS Labs tests in 2017

With Evader by Forcepoint, you can quickly see which vendors leave you exposed and which close the door on attacks.