
FWaaS

Firewall as a Service

8 min read | Updated Feb 2025

Firewall as a Service extends the security inspection model that SWG provides for web traffic to encompass all network protocols. While the SWG handles HTTP and HTTPS, FWaaS inspects everything else: SSH sessions, RDP connections, database protocols like TDS and TNS, custom application protocols, DNS queries, SMTP email flows, and the long tail of non-web traffic that would otherwise bypass your SASE security stack entirely. FWaaS is the cloud-delivered successor to the branch office firewall appliance, the data center perimeter firewall, and the campus network firewall.

The architectural difference between FWaaS and a traditional firewall is the decoupling of policy from hardware. In a traditional model, firewall rules live on specific appliances at specific network choke points, creating an operational nightmare of policy fragmentation, version drift, and capacity-constrained inspection. FWaaS centralizes policy in the cloud and distributes enforcement to globally distributed Points of Presence. A policy change made in the management console is enforced at every PoP within seconds, and inspection capacity scales elastically based on traffic volume rather than being constrained by the throughput of a specific hardware box.

The quality variance among FWaaS implementations is the most significant evaluation criterion in this SASE component category. Some vendors run full next-generation firewall engines in their cloud PoPs, providing App-ID (application identification by behavior rather than port number), intrusion prevention with thousands of signatures, file-based threat prevention, DNS security, and URL filtering — essentially the same engine that runs on a $100,000 hardware appliance, now delivered as a cloud service. Other vendors implement FWaaS as little more than a cloud-hosted access control list with basic port and protocol filtering. The difference in security value between these two approaches is enormous, and the marketing materials will not make the distinction clear. You have to test it.

What it does

Firewall as a Service is a cloud-delivered network security service that applies Layer 3 through Layer 7 inspection to all network traffic, not just web traffic. It performs stateful packet inspection, application identification, intrusion prevention and detection (IPS/IDS), DNS security, protocol enforcement, and network-level microsegmentation from globally distributed cloud Points of Presence. FWaaS replaces the constellation of hardware firewall appliances that traditionally sat at every branch office, data center edge, campus perimeter, and internet breakout point. By centralizing policy and distributing enforcement, FWaaS eliminates the operational burden of managing hundreds of firewall appliances with drifting configurations while ensuring consistent security policy for every user and every location.

How it works

Traffic reaches the FWaaS through IPsec or GRE tunnels from branch office routers, SD-WAN appliances, or the endpoint agent on user devices. At the PoP, the FWaaS engine performs stateful inspection on every session, tracking connection state, sequence numbers, and protocol compliance to detect and block malformed packets, protocol violations, and evasion attempts. Application identification (App-ID in Palo Alto's terminology, or similar engines from other vendors) classifies traffic by its actual behavior and payload characteristics rather than relying on port numbers, correctly identifying applications like Zoom, Slack, or custom enterprise apps even when they run on non-standard ports or share ports with other applications. The IPS engine applies thousands of vulnerability signatures and behavioral detections to identify and block exploit attempts, command-and-control communications, and known attack patterns. For encrypted non-web protocols, some FWaaS implementations can perform TLS decryption similar to the SWG, while others rely on metadata analysis and behavioral detection.
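The three ideas in the paragraph above (classify the session by what is on the wire rather than by port, keep state per session rather than per packet, and enforce one central policy) are easy to see in a small model. The following Python is an added example written for this page; it is not code from sase.cloud or from any vendor's engine. The SSH banner, TLS ClientHello and HTTP request-line fingerprints are real protocol framing, but the rule format, identity group names and addresses are constructed for illustration, and a product engine carries thousands of fingerprints rather than three.

```python
"""Toy FWaaS-style session classification and centralised policy.

Added example, not code from sase.cloud or from any vendor's product. The
"App-ID" idea is illustrated with three real on-the-wire fingerprints (SSH
banner, TLS ClientHello, HTTP request line); the rule format, group names
and addresses are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Application fingerprints matched against the first payload bytes of a
# session. Deliberately tiny; a product engine carries thousands.
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("http", re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
]

# What a port-based ACL assumes; used only to show the contrast.
PORT_GUESS = {22: "ssh", 80: "http", 443: "tls"}


def identify_by_port(dst_port: int) -> str:
    """Legacy ACL logic: the port is the application."""
    return PORT_GUESS.get(dst_port, "unknown")


def identify_by_payload(payload: bytes) -> str:
    """App-ID-style logic: the bytes on the wire are the application."""
    for app, pattern in APP_SIGNATURES:
        if pattern.match(payload):
            return app
    return "unknown"


@dataclass(frozen=True)
class Rule:
    source_group: str  # identity group of the client, "*" for any
    app: str           # application name from identification, "*" for any
    action: str        # "allow" or "deny"


@dataclass
class Policy:
    """The single policy object every PoP enforces; first match wins."""
    rules: list
    default_action: str = "deny"

    def decide(self, source_group: str, app: str) -> str:
        for rule in self.rules:
            if rule.source_group in ("*", source_group) and rule.app in ("*", app):
                return rule.action
        return self.default_action


@dataclass
class Flow:
    key: tuple                     # (src_ip, src_port, dst_ip, dst_port, proto)
    source_group: str
    seen: bytes = b""              # payload buffered until the app is known
    app: str = "unknown"
    verdict: Optional[str] = None  # set once, then reused for the session


class FlowTable:
    """Stateful tracking: one verdict per session, not per packet."""
    MAX_PROBE = 64  # stop trying to identify after this many payload bytes

    def __init__(self, policy: Policy):
        self.policy = policy
        self.flows = {}

    def observe(self, key: tuple, source_group: str, payload: bytes) -> str:
        flow = self.flows.setdefault(key, Flow(key=key, source_group=source_group))
        if flow.verdict is not None:
            return flow.verdict
        flow.seen += payload  # reassemble across packets before classifying
        flow.app = identify_by_payload(flow.seen)
        if flow.app != "unknown" or len(flow.seen) >= self.MAX_PROBE:
            flow.verdict = self.policy.decide(flow.source_group, flow.app)
            return flow.verdict
        return "pending"  # hold a little more payload before deciding


if __name__ == "__main__":
    policy = Policy([
        Rule("engineering", "ssh", "allow"),
        Rule("*", "ssh", "deny"),
        Rule("*", "tls", "allow"),
    ])
    table = FlowTable(policy)
    # SSH on a non-standard port: the port-based guess is blind, the payload is not.
    key = ("10.0.0.5", 51000, "203.0.113.9", 2222, "tcp")
    banner = b"SSH-2.0-OpenSSH_9.6\r\n"
    print("port guess:", identify_by_port(2222), "| payload:", identify_by_payload(banner))
    print("verdict for sales:", table.observe(key, "sales", banner))
```

Two things in the model carry over to evaluating a real product. The verdict is cached on the flow, so a session that starts as SSH stays SSH even if later packets look like something else; and a session that never identifies within `MAX_PROBE` bytes falls through to the default action, which is where a "glorified ACL" and a real engine tend to differ most.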

Why it matters

Without FWaaS, your SASE deployment has a massive blind spot: every non-HTTP protocol bypasses the SWG entirely. SSH tunnels can exfiltrate data, RDP sessions can be hijacked, database protocols can be exploited, and DNS can be used for both data exfiltration and command-and-control communication. FWaaS closes this gap by applying the same depth of inspection to non-web traffic that the SWG provides for web traffic. For branch offices, FWaaS eliminates the need to ship, rack, configure, and maintain a physical firewall at every location — a significant operational cost reduction when you consider that a typical enterprise manages 50-500 branch firewalls, each requiring firmware updates, license renewals, and periodic hardware refresh cycles. For remote users, FWaaS ensures that the same security policy that protects someone in headquarters also protects someone working from a hotel room or home office.
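The DNS blind spot mentioned above is the one most often left to a resolver log rather than to inspection, so it is worth seeing what the detection side looks like. The Python below is an added example, not code from sase.cloud or any product: it runs a few tunnel heuristics (many unique subdomains under one base domain, long and high-entropy labels, a high share of TXT/NULL queries) over a constructed query log. The log line format and every name in it are made up for the example, and the base domain is taken as the last two labels, a simplification a real implementation would replace with the public suffix list.

```python
"""Heuristic DNS-tunnel detection over constructed resolver log lines.

Added example, not code from sase.cloud or any vendor. Log format, hosts
and domain names are constructed; the tunnel domain uses the reserved
.example TLD.
"""
import math
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")

SAMPLE_LOG = """\
2025-02-10T09:00:01Z 10.1.1.20 A www.example.com
2025-02-10T09:00:02Z 10.1.1.20 A mail.example.com
2025-02-10T09:00:02Z 10.1.1.22 A www.example.com
2025-02-10T09:00:03Z 10.1.1.22 AAAA cdn.example.com
2025-02-10T09:00:04Z 10.1.1.31 A vpn.corp.example
2025-02-10T09:00:05Z 10.1.1.31 TXT 7jq3kz9x2mv.pa8r4ntw0ys5.tunnel.example
2025-02-10T09:00:05Z 10.1.1.31 TXT b6f1hd0wk8ez.q2ju9vxm4nc7.tunnel.example
2025-02-10T09:00:06Z 10.1.1.31 TXT z4yt8rq1sa5x.m0kd3pwv7egn.tunnel.example
2025-02-10T09:00:06Z 10.1.1.31 TXT c9hn2ux5fb7w.k1rs8ty4zq0d.tunnel.example
2025-02-10T09:00:07Z 10.1.1.31 TXT e3vk6mp0gx9a.r7wf2cz5qn1h.tunnel.example
2025-02-10T09:00:07Z 10.1.1.31 TXT p8ld4sy1jt6b.v0nq3ga9xe2m.tunnel.example
"""


def parse(log_text: str) -> list:
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def split_name(qname: str) -> tuple:
    """Split into (base domain, subdomain). Last-two-labels is a simplification
    standing in for a public suffix list lookup."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(records: list) -> dict:
    """Per base domain: query count, unique subdomains, average subdomain
    length and entropy, and the share of TXT/NULL queries."""
    per_domain = defaultdict(list)
    for r in records:
        base, sub = split_name(r["qname"])
        per_domain[base].append((sub, r["qtype"]))
    report = {}
    for base, entries in per_domain.items():
        uniq = {sub for sub, _ in entries}
        report[base] = {
            "queries": len(entries),
            "unique_subdomains": len(uniq),
            "avg_sub_len": round(sum(len(s) for s in uniq) / len(uniq), 2),
            "avg_entropy": round(sum(shannon_entropy(s.replace(".", "")) for s in uniq) / len(uniq), 2),
            "txt_ratio": round(sum(1 for _, t in entries if t in ("TXT", "NULL")) / len(entries), 2),
        }
    return report


def suspicious_domains(report: dict, min_unique: int = 5, min_len: float = 16.0,
                       min_entropy: float = 3.0) -> list:
    """Flag base domains whose subdomains look like encoded payload, not hostnames."""
    return sorted(
        base for base, s in report.items()
        if s["unique_subdomains"] >= min_unique
        and s["avg_sub_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    stats = analyze(parse(SAMPLE_LOG))
    for base, s in stats.items():
        print(base, s)
    print("suspicious:", suspicious_domains(stats))
```

The thresholds are starting points, not tuned values: CDNs, some antivirus update services and certificate transparency lookups also produce many unique, high-entropy subdomains, so in practice the output feeds an allowlist and per-domain baseline rather than an automatic block. The point of the example is the shape of the signal a DNS security function has to extract, which a port-and-protocol ACL cannot see at all.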

Watch out

The single most important evaluation criterion for FWaaS is the quality of the inspection engine. Ask the vendor explicitly: is this the same engine that runs on your hardware NGFW appliance, or is it a separate, cloud-specific implementation? Vendors with a strong NGFW heritage (Palo Alto, Fortinet) typically run their actual NGFW engine in the cloud, providing App-ID, full IPS signature coverage, and file-based threat prevention. Vendors that started as cloud-native SASE platforms may have built a simpler engine optimized for scale but lacking the inspection depth of a mature NGFW. Test this by running a port scan, an evasion test, and an IPS signature coverage comparison between the vendor's cloud FWaaS and their hardware NGFW. If the cloud version catches significantly fewer threats, you have a glorified ACL, not a firewall. Also verify branch-to-branch policy support: can you define policies that govern traffic between two branch offices, not just branch-to-internet traffic? Many FWaaS implementations only handle internet-bound traffic.

FWaaS is one of six core SSE components.
