FWaaS (Firewall as a Service)
Firewall as a Service extends NGFW inspection to cloud-delivered SASE PoPs, covering non-web traffic that SWG cannot inspect — DNS, FTP, RDP, SSH, and custom TCP/UDP protocols. FWaaS applies L3-L7 firewall rules, IPS signatures, and application control without on-prem hardware. Essential for remote users who need firewall-grade protection outside the office network.
Firewall as a Service extends the security inspection model that SWG provides for web traffic to encompass all network protocols. While the SWG handles HTTP and HTTPS, FWaaS inspects everything else: SSH sessions, RDP connections, database protocols like TDS and TNS, custom application protocols, DNS queries, SMTP email flows, and the long tail of non-web traffic that would otherwise bypass your SASE security stack entirely. FWaaS is the cloud-delivered successor to the branch office firewall appliance, the data center perimeter firewall, and the campus network firewall.
The architectural difference between FWaaS and a traditional firewall is the decoupling of policy from hardware. In a traditional model, firewall rules live on specific appliances at specific network choke points, creating an operational nightmare of policy fragmentation, version drift, and capacity-constrained inspection. FWaaS centralizes policy in the cloud and distributes enforcement to globally distributed Points of Presence. A policy change made in the management console is enforced at every PoP within seconds, and inspection capacity scales elastically based on traffic volume rather than being constrained by the throughput of a specific hardware box.
The quality variance among FWaaS implementations is the most significant evaluation criterion in this SASE component category. Some vendors run full next-generation firewall engines in their cloud PoPs, providing App-ID (application identification by behavior rather than port number), intrusion prevention with thousands of signatures, file-based threat prevention, DNS security, and URL filtering — essentially the same engine that runs on a $100,000 hardware appliance, now delivered as a cloud service. Other vendors implement FWaaS as little more than a cloud-hosted access control list with basic port and protocol filtering. The difference in security value between these two approaches is enormous, and the marketing materials will not make the distinction clear. You have to test it.
What it does
Firewall as a Service is a cloud-delivered network security service that applies Layer 3 through Layer 7 inspection to all network traffic, not just web traffic. It performs stateful packet inspection, application identification, intrusion prevention and detection (IPS/IDS), DNS security, protocol enforcement, and network-level microsegmentation from globally distributed cloud Points of Presence. FWaaS replaces the constellation of hardware firewall appliances that traditionally sat at every branch office, data center edge, campus perimeter, and internet breakout point. By centralizing policy and distributing enforcement, FWaaS eliminates the operational burden of managing hundreds of firewall appliances with drifting configurations while ensuring consistent security policy for every user and every location.
How it works
Traffic reaches the FWaaS through IPsec or GRE tunnels from branch office routers, SD-WAN appliances, or the endpoint agent on user devices. At the PoP, the FWaaS engine performs stateful inspection on every session, tracking connection state, sequence numbers, and protocol compliance to detect and block malformed packets, protocol violations, and evasion attempts; a packet that belongs to no known session (a stray ACK from a scanner, for instance) is dropped before any rule is consulted. Application identification (App-ID in Palo Alto's terminology, or similar engines from other vendors) classifies traffic by its actual behavior and payload characteristics rather than by port number, so it correctly identifies applications like Zoom, Slack, or custom enterprise apps even when they run on non-standard ports or share a port with other applications, and it catches SSH or a tunnel dressed up as HTTPS on TCP/443. The IPS engine applies thousands of vulnerability signatures and behavioral detections to identify and block exploit attempts, command-and-control communications, and known attack patterns. For encrypted non-web protocols, some FWaaS implementations can perform TLS decryption similar to the SWG, while others rely on unencrypted handshake metadata (server name, certificate, cipher fingerprint) and behavioral detection on flow shape, which limits what they can see inside the session.
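The two checks described above, stateful session tracking and port-independent application identification, as an added example written for this page (it is not any vendor's engine, and the flows, addresses and the truncated ClientHello bytes are constructed for the demo). The classifier looks only at payload bytes, so the SSH banner is recognised on TCP/443 and blocked by an allow-list that permits only TLS and HTTP, while a lone ACK with no session behind it is dropped before any rule runs:

```python
# Added example, not any vendor's engine: a port-independent application
# classifier and a minimal stateful connection table, showing the two checks
# the FWaaS pipeline above performs on every session. All flows and addresses
# are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flag letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK
    payload: bytes = b""


def identify_app(payload: bytes) -> str:
    """Classify from the first payload bytes; the port number is never consulted."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"                                   # SSH version banner
    if (len(payload) >= 6 and payload[0] == 0x16       # TLS handshake record ...
            and payload[1] == 0x03 and payload[5] == 0x01):  # ... carrying a ClientHello
        return "tls"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")):
        return "http"
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"                                   # TPKT + X.224 Connection Request
    return "unknown"


class StatefulAppFirewall:
    """Connection table keyed on the client->server 4-tuple plus an app allow-list."""

    def __init__(self, allowed_apps):
        self.allowed = frozenset(allowed_apps)
        self.sessions = {}   # (src, sport, dst, dport) -> {"state": str, "app": str or None}

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions:
            key, direction = fwd, "c2s"
        elif rev in self.sessions:
            key, direction = rev, "s2c"
        else:
            # Only a bare SYN may open a session. A stray ACK/FIN/RST (the shape of
            # an ACK or FIN scan) matches no session and is dropped before any rule.
            if pkt.flags != "S":
                return "drop:no-session"
            self.sessions[fwd] = {"state": "SYN_SENT", "app": None}
            return "allow:new-session"
        sess = self.sessions[key]
        if sess["state"] == "SYN_SENT" and direction == "s2c" and pkt.flags == "SA":
            sess["state"] = "ESTABLISHED"
        if pkt.payload and sess["app"] is None:
            sess["app"] = identify_app(pkt.payload)
            if sess["app"] not in self.allowed:
                del self.sessions[key]     # tear down: later packets hit "no-session"
                return f"drop:app-{sess['app']}-on-port-{key[3]}"
        return f"allow:{sess['app'] or sess['state'].lower()}"


def run_demo():
    """Three constructed flows: SSH hiding on 443, genuine TLS on 443, and an ACK scan."""
    fw = StatefulAppFirewall(allowed_apps={"tls", "http"})
    client, server = "10.1.1.20", "203.0.113.10"
    ssh_on_443 = [
        Packet(client, 51000, server, 443, "S"),
        Packet(server, 443, client, 51000, "SA"),
        Packet(client, 51000, server, 443, "A"),
        Packet(client, 51000, server, 443, "PA", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ]
    tls_on_443 = [
        Packet(client, 51001, server, 443, "S"),
        Packet(server, 443, client, 51001, "SA"),
        Packet(client, 51001, server, 443, "PA",
               b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # truncated ClientHello
    ]
    ack_scan = [Packet("198.51.100.7", 40000, client, 22, "A")]
    return {
        "ssh_on_443": [fw.process(p) for p in ssh_on_443],
        "tls_on_443": [fw.process(p) for p in tls_on_443],
        "ack_scan": [fw.process(p) for p in ack_scan],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name}: {verdicts}")
```

A real engine keeps far more state (sequence-number windows, reassembly, timeouts) and thousands of decoders, but the shape is the same: the session table decides whether a packet is even eligible for policy, and the classifier, not the port, decides which application rule applies.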
Why it matters
Without FWaaS, your SASE deployment has a massive blind spot: every non-HTTP protocol bypasses the SWG entirely. SSH tunnels can exfiltrate data, RDP sessions can be hijacked, database protocols can be exploited, and DNS can be used for both data exfiltration and command-and-control communication. FWaaS closes this gap by applying the same depth of inspection to non-web traffic that the SWG provides for web traffic. For branch offices, FWaaS eliminates the need to ship, rack, configure, and maintain a physical firewall at every location — a significant operational cost reduction when you consider that a typical enterprise manages 50-500 branch firewalls, each requiring firmware updates, license renewals, and periodic hardware refresh cycles. For remote users, FWaaS ensures that the same security policy that protects someone in headquarters also protects someone working from a hotel room or home office.
Watch out
The single most important evaluation criterion for FWaaS is the quality of the inspection engine. Ask the vendor explicitly: is this the same engine that runs on your hardware NGFW appliance, or is it a separate, cloud-specific implementation? Vendors with a strong NGFW heritage (Palo Alto, Fortinet) typically run their actual NGFW engine in the cloud, providing App-ID, full IPS signature coverage, and file-based threat prevention. Vendors that started as cloud-native SASE platforms may have built a simpler engine optimized for scale but lacking the inspection depth of a mature NGFW. Test this rather than taking the datasheet's word for it: run a known application on a non-standard port (SSH on TCP/443, say) and check whether the FWaaS logs it as SSH or waves it through as HTTPS; replay a set of IPS evasion cases (IP fragmentation, TCP segmentation, encoding tricks) and a sample of the vendor's own signature set through the cloud FWaaS and through the hardware NGFW from the same test host; then compare detection counts. A port scan alone proves little, because a plain ACL closes ports just as well. If the cloud version catches significantly fewer threats, you have a glorified ACL, not a firewall. Also verify branch-to-branch policy support: can you define policies that govern traffic between two branch offices, or between a remote user and a branch, not just branch-to-internet traffic? Many FWaaS implementations only evaluate internet-bound traffic, and everything that stays inside the overlay is forwarded without ever touching a rule.
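What the branch-to-branch check is really asking, as an added example written for this page and not any vendor's code: a small first-match rule evaluator run two ways, once as a product that only consults its rulebase for internet-bound destinations and once as one that evaluates every zone pair. The zones, addresses, rules and flows are constructed; the evasion and signature-coverage tests above need live traffic and are not modelled here.

```python
# Added example, not any vendor's code: a first-match rule evaluator used to
# build the branch-to-branch check. evaluate_internet_only() models a FWaaS
# whose rulebase governs only internet-bound traffic; evaluate_zoned()
# consults the rulebase for every zone pair. Zones, rules and flows are
# constructed for the demo.
import ipaddress
from dataclasses import dataclass

ZONES = {
    "branch-nyc": ipaddress.ip_network("10.10.0.0/16"),
    "branch-lon": ipaddress.ip_network("10.20.0.0/16"),
    "datacenter": ipaddress.ip_network("10.100.0.0/16"),
    "remote-users": ipaddress.ip_network("100.64.0.0/10"),   # endpoint-agent tunnel pool
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "*"
    dst_zone: str
    app: str        # identified application or "*"
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str        # what the engine identified, independent of dport


def first_match(rules, flow):
    """Ordinary top-down rulebase with an implicit deny at the bottom."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    for r in rules:
        if r.src_zone in ("*", sz) and r.dst_zone in ("*", dz) and r.app in ("*", flow.app):
            return r.action
    return "deny"


def evaluate_internet_only(rules, flow):
    """Traffic whose destination is inside the overlay never reaches a rule:
    it is forwarded uninspected, which is what 'no branch-to-branch policy' means."""
    if zone_of(flow.dst) != "internet":
        return "allow:not-evaluated"
    return first_match(rules, flow)


def evaluate_zoned(rules, flow):
    return first_match(rules, flow)


RULES = [
    Rule("branch-nyc", "datacenter", "tds", "allow"),   # SQL Server from NYC to the DC
    Rule("*", "internet", "tls", "allow"),
    Rule("*", "internet", "http", "allow"),
    Rule("*", "*", "rdp", "deny"),                      # no RDP anywhere, including site-to-site
]

FLOWS = [
    Flow("10.10.5.21", "10.20.7.9", 3389, "rdp"),      # NYC branch -> London branch
    Flow("10.10.5.21", "10.100.1.5", 1433, "tds"),     # NYC branch -> datacenter
    Flow("10.10.5.21", "203.0.113.44", 443, "tls"),    # NYC branch -> internet
    Flow("100.64.3.2", "10.20.7.9", 22, "ssh"),        # remote user -> London branch
]


def compare(rules=RULES, flows=FLOWS):
    """Per flow: (src zone, dst zone, app, internet-only verdict, zoned verdict)."""
    return [
        (zone_of(f.src), zone_of(f.dst), f.app,
         evaluate_internet_only(rules, f), evaluate_zoned(rules, f))
        for f in flows
    ]


def ungoverned(rules=RULES, flows=FLOWS):
    """Flows an internet-only FWaaS would forward without ever consulting a rule."""
    return [f for f in flows if evaluate_internet_only(rules, f) == "allow:not-evaluated"]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The same flow list doubles as a test matrix for a proof of concept: generate each flow from the matching site or agent, and for every row where the product answers "not evaluated" (or shows no log entry at all) you have found traffic that your explicit deny rules, including the site-to-site RDP block, cannot reach.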
Vendor comparison — FWaaS
Cisco Secure Access
Cloud-delivered firewall with the Snort 3 IPS engine, application control, URL filtering, and Talos threat intelligence integrated into the Secure Access SSE stack. Full TLS 1.3 decryption with configurable bypass policies. IPS signatures update continuously from Talos, delivering NGFW-grade inspection without on-prem hardware for remote users.
Fortinet FortiSASE
FortiOS-powered cloud firewall delivering the same NGFW inspection pipeline as on-prem FortiGate appliances: IPS with 15,000+ signatures, application control with 5,000+ app signatures, and FortiGuard threat intelligence. The FortiOS consistency between cloud and on-prem is the key differentiator: firewall policies written for branch FortiGates apply identically in FortiSASE PoPs.
Palo Alto Networks Prisma Access
Cloud NGFW powered by Palo Alto's App-ID engine identifying 5,000+ applications, integrated Threat Prevention with WildFire ML signatures, DNS Security, and Advanced URL Filtering. The same PA-Series firewall inspection capabilities delivered as a cloud service through Prisma Access PoPs. IoT Security and AI Access Security modules extend FWaaS into device discovery and GenAI governance.
Check Point
Cloud firewall with IPS, application control, and ThreatCloud AI-powered threat intelligence. The hybrid on-device architecture handles basic firewall functions (URL filtering, DNS security) locally on endpoints, with advanced inspection in cloud PoPs. Miercom testing (commissioned by the vendor, as such reports usually are) validates threat prevention efficacy, but cloud NGFW feature depth trails Cisco, Fortinet, and Palo Alto in signature breadth and application identification granularity.
Zscaler ZIA
Cloud firewall delivered through ZIA with L3-L7 inspection, IPS signatures, DNS security, and application-aware rules. Replaces branch firewall appliances for internet-bound traffic from remote users and offices. Functional and well-integrated into the Single Scan Multi-Action (SSMA) pipeline, but lacks the deep NGFW feature parity of Palo Alto's App-ID or Fortinet's FortiOS firewall heritage; think 80% of an NGFW, not 100%.
Cloud Firewall provides L3-L7 inspection with application-aware rules, egress firewall policies, and port/protocol controls. Adequate for common FWaaS use cases. However, IPS and DNS Security are add-ons not included in the base license — a significant gap versus competitors who bundle these capabilities. Organizations expecting full NGFW-grade inspection out of the box need to budget for the additional modules.
Cato Networks
Cloud-native firewall fully integrated into the SPACE engine with IPS (thousands of signatures updated continuously), application control, URL filtering, and DNS security. Cato positions this as the difference from competitors running a ported appliance OS or NGFW VMs in cloud PoPs: its FWaaS is native to the SPACE architecture. Policies are defined once in the unified console and enforce consistently across all traffic: branch-to-internet, branch-to-branch, remote user, and cloud workload. The converged approach means a single firewall rule can reference network, user, device, and application context simultaneously.
Cloudflare Magic Firewall
Magic Firewall provides cloud-based packet filtering using Wireshark display filter syntax, which is powerful for network engineers but fundamentally L3/L4, not L7 NGFW-grade inspection. Supports protocol-based rules, IP/port filtering, and GeoIP blocking. For organizations needing application-aware firewall policies with IPS signatures and deep packet inspection, Magic Firewall is not a substitute for Palo Alto, Cisco, or Fortinet FWaaS offerings. Best suited for network segmentation and basic traffic filtering at scale.
Related guides & articles
FWaaS is part of the SASE/SSE stack. See how all six capabilities fit together and compare vendors.