Palo Alto, Fortinet, Check Point Control Firewall Gartner MQ
Cisco Visionary, HPE Juniper Challenger in Inaugural Hybrid Mesh Firewall Ranking
Network security behemoths Palo Alto Networks, Fortinet and Check Point Software topped Gartner’s first-ever Magic Quadrant for hybrid mesh firewalls.
Gartner said the firewall market is moving toward centralized orchestration, interoperability and AI-powered automation, driven by growing hybrid environments and the explosion of new threat vectors like the internet of things, artificial intelligence and software-as-a-service. Organizations are prioritizing platform approaches and simplified licensing, Gartner said, with demand for open API frameworks and automation across continuous integration and delivery pipelines.
“The HMF market is rapidly evolving, driven by the need for unified firewall and threat prevention controls across hybrid environments – spanning on-premises, cloud and edge,” Gartner wrote. Analysts weren’t available for additional comment (see: Palo Alto, Fortinet, Check Point Top Firewall Forrester Wave).
Where Firewall Vendor Maturity Gaps Are the Greatest
End users are embracing hybrid deployment models, Gartner found, with cloud firewall adoption increasingly tied to hardware renewals. Feature gaps keep many clients from fully transitioning to cloud managers. Clients are also concerned about rising costs and the operational burden of managing inconsistent feature sets across deployment models.
“An increasing number of hardware renewal proposals include cloud firewall part numbers,” Gartner wrote. “As clients adopt multicloud while maintaining on-premises systems, they prefer firewalls from a single vendor for centralized management and advanced security across all environments.”
Gartner noted significant maturity differences between network firewall mesh vendors when it comes to cloud-based managers, AI assistant features, IoT threat handling and third-party API support. Some offer cloud managers that are not fully fledged, routing users through single sign-on dashboards that link to separate legacy consoles.
“The maturity of HMF cloud managers varies greatly between the vendors,” Gartner wrote. “Most cloud managers still use different platforms or work as single sign-on interfaces for other screens and portals. Many clients are open to migrating on-premises managers to the cloud but are waiting for vendors to address feature gaps before fully making the switch.”
AI is a cornerstone of next-generation firewall operations, but its operational maturity varies greatly across vendors. The most immediate AI use cases are automating daily firewall administration tasks such as policy audits, rule optimizations, firmware updates and traffic analysis. Some vendors offer LLM-powered assistants for configurations, logs and policy generation.
“AI’s greatest impact will be automating daily firewall tasks, such as change management and routine policy assessments,” Gartner wrote. “The majority of HMF vendors are offering AI-based chat assistants to simplify operations. Although these AI assistants are at different stages of maturity, some offer basic documentation search, while others offer more granular capabilities.”
Why Many Clients Are Reconsidering Vendor Consolidation
Licensing models remain complex and inconsistent across vendors, prompting demands for simplified agreements. Organizations struggle with overly complex models involving separate licensing for cloud managers, threat intelligence feeds, advanced analytics and optional firewall capabilities. Many clients are reconsidering vendor consolidation strategies after finding unified stacks don’t always reduce costs.
“Clients are increasingly concerned about rising firewall renewal costs and have found that vendor consolidation does not always reduce expenses,” Gartner wrote. “As a result, they are rethinking their convergence strategies and carefully evaluating the total cost of ownership before purchasing advanced software subscriptions.”
From a completeness of vision perspective, Gartner gave Palo Alto Networks the gold, with Cisco taking the silver, Fortinet capturing bronze and Check Point rounding off the leaderboard in fourth place. On execution, Fortinet captured the gold, with Palo Alto Networks taking the silver, Check Point getting bronze and HPE’s Juniper Networking business coming in fourth place.
Outside of the leaders, here’s how Gartner sees the hybrid mesh firewall market:
- Visionary: Cisco;
- Challenger: HPE (Juniper Networking);
- Niche Players: Sophos, SonicWall, Huawei, WatchGuard, H3C, Sangfor, Forcepoint.
Palo Alto Networks Pursues Coverage for Various Form Factors
Palo Alto Networks’ hybrid mesh firewall ensures consistent security coverage through various form factors such as hardware, software, cloud and SASE, said Rich Campagna, senior vice president of product management. The company unifies network security policy and management operations across environments, replacing fragmented systems and boosting uptime, policy consistency and performance, he said.
The company has anticipated emerging threat trends by delivering dedicated AI and quantum threat security tools ahead of market demand, capitalizing on the acquisition of Protect AI, as well as a new quantum readiness framework. Palo Alto’s ability to handle unknown threats, growth in detection volume and a unified experience differentiate it from competitors’ fragmented solutions, he said (see: How the CyberArk Deal Is Different From Past Palo Alto M&A).
“We’ve built out this set of form factors that helped us meet those needs anywhere the customer goes,” Campagna told Information Security Media Group. “Obviously, everyone knows Palo for hardware firewalls, and we continue to develop there. But for the last decade or so, we’ve diversified the business so we can meet the needs of customers in more places.”
Gartner criticized Palo Alto Networks for higher renewal costs, complex enterprise license agreements and service agreements, feature disparities between Strata Cloud Manager and Panorama and performance-related issues with hardware firewalls. Campagna said improvements have been made to ELA/ESA clarity, price increases are due to broader product use, parity between Strata and Panorama is nearly complete and improvements are afoot.
“For the vast majority of our customer base, Strata Cloud Manager meets all the needs that Panorama does, plus a lot more in terms of operational efficiencies, troubleshooting and the rest,” Campagna said.
Fortinet Takes Proactive Approach to Quantum-Safe Security
Fortinet’s investment in automation allows customers to manage hybrid on-premises, cloud and SASE from a unified interface using AI-driven tools, including natural language configuration, according to Nirav Shah, senior vice president of products and solutions.
The company’s massive scale and end-to-end ownership of tech from custom hardware to cloud infrastructure distinguish Fortinet from its competitors, Shah said.
Despite quantum threats being a few years out, Shah said clients in financial and government sectors are already preparing. Fortinet has taken a proactive approach to quantum-safe cybersecurity, he said, working with standards bodies like NIST to integrate post-quantum cryptography and quantum key distribution into its solutions, which he said allows customers to adopt these protections immediately (see: Fortinet Invests in SASE, SecOps Amid Network Security Slump).
“Fortinet has more than 50% of unit market share globally, with six million FortiGates deployed, and that just allows us to look at the scale, but also understand some of the most demanding innovations that our customers globally want to deploy,” Shah told ISMG. “So we are always ahead in understanding many of these requirements and bringing those innovations.”
Gartner chided Fortinet for the number and severity of bugs and exploitable vulnerabilities, low cloud firewall visibility, a lack of roadmap visibility as well as having to go through multiple UIs to meet user needs. Shah said Fortinet has embraced secure-by-design practices and transparency initiatives to fix vulnerabilities and prioritize customer-driven innovation, stating that FortiManager and FortiAnalyzer serve distinct purposes.
“The vulnerability piece is really critical to us, because over the last many years, we made it very clear that, for us, transparency to our customers is key,” Shah said. “We work closely with CISA. We have pledged for secure by design. We have doubled our investment to make sure we are staying ahead and providing information to our customers. So transparency is key.”
Check Point’s Hybrid Enforcement Maximizes Client Flexibility
Check Point Software’s hybrid enforcement is the most impactful innovation for customers since it allows security to be applied either at the device/branch level or via cloud services, said Eyal Manor, vice president of product management.
This flexibility enhances performance, privacy and user experience, Manor said, addressing longstanding customer pain points with older solutions.
The company enables customers to use its threat prevention capabilities across competing platforms through internal development and acquisitions like Veriti, which empower customers with cross-vendor integrations and asset exposure management. The firm simplified security operations through AI by enabling predictive and responsive administration while ensuring feature parity between on-premises and SaaS (see: Check Point Buys Startup Veriti to Advance Threat Management).
“We’ve been working on an approach where network security can be enforced in a hybrid way,” Manor told ISMG. “This means on the branch and for the users, customers have the ability to take the flexibility in an automatic way, whether they want to make the enforcement as close as possible to the user. Or it can be routed through a firewall as a service in the internet and security is performed there.”
Gartner criticized Check Point for lacking containerized firewalls, subpar ease of administration, little visibility in newer deals as compared to competitors and debuting its SASE offering later than rivals. Manor acknowledged complexity due to Check Point’s feature depth, cited plans to productize containerized firewalls and said the company’s delayed SASE launch allowed for better-informed design than rivals.
“The flip side of being late is having the wisdom of understanding where others have failed,” Manor said. “What are the challenges? What are the pain points, or the agonies enterprises suffer? And coming with a fresh approach that is fixing that and can change the industry. What I believe is that we can disrupt the philosophy around how SASE is done.”