As enterprise networks get more complex, so do the firewall deployments.
There are on-premises firewalls to manage, along with firewalls that are deployed in virtual machines and firewalls deployed in containers. There are firewalls for clouds and firewalls for data centers, firewalls for network perimeters, and firewalls for distributed offices.
According to Gartner, by 2026, more than 60% of organisations will have more than one type of firewall deployment.
"A firewall used to be a box or a chasse with multiple cards," says Omdia analyst Fernando Montenegro. "Then we had a firewall in a virtual machine. And now we have a container form factor for a firewall because customers are deploying containers. And, oh, we need firewalls-as-a-service to support SASE."
In response, firewall vendors that offer multiple form factors for their firewalls are bringing all these different firewalls together under a single, centralized management interface. A so-called hybrid mesh firewall platform is a centralized management system that oversees different types of firewalls, including on-prem, firewall-as-a-service, and cloud.
This emerging approach is different from network security policy management (NSPM) platforms from vendors such as Firemon or Tupin, because hybrid mesh firewalls are single-vendor platforms and NSPMs are a management overlay that can handle firewalls from multiple vendors.
Hybrid mesh firewalls are also different from cybersecurity mesh architecture, says Gartner analyst Adam Hils. A cybersecurity mesh architecture stitches together multiple cybersecurity products from a single vendor, he says, not just firewalls.
But a hybrid mesh firewall could be one component of a cybersecurity mesh architecture, or it could be deployed on its own.
What’s driving interest in hybrid mesh firewalls?
One significant driver for hybrid mesh firewall adoption is that workloads are moving to the cloud. "Cloud-hosted workloads often have a very different agile deployment pipeline that precludes the use of traditional firewall controls," says Gartner's Hils.
Another driver is the rise in zero-trust architectures and microsegmentation. "You can coordinate all the firewalls and establish a least-trust approach," says Hils.
Other drivers include hybrid working – which is accelerating the adoption of firewall-as-a-service – and IoT. "The Internet of Things is changing interconnectivity requirements," says Hils.
In addition, security professionals are expensive, and the more different firewalls a company has, especially if they're all from different vendors, the more complicated management can become. Use of best-of-breed firewall vendors for changing use cases is leading to added complexity and management overhead, according to Gartner. "Our clients are looking to consolidate vendors," says Hils. "It allows fewer people, fewer administrators, to do firewall management."
Some hybrid mesh firewalls will also control cloud-native firewalls provided by Azure and AWS, he adds. "But that's the only third-party firewall that they would manage."
If a company has more than one vendor providing firewalls, then they wouldn’t get all the benefits they could from a hybrid mesh firewall, he says.
Challenges and obstacles
A lack of integration among different firewall vendors is a significant obstacle to deploying a hybrid mesh firewall platform.
A multivendor firewall approach isn’t all that uncommon in enterprise environments. Not all vendors have mature solutions for all the different firewall use cases, so enterprises are forced to use multiple vendors.
In addition, many companies have different business units using different vendors for various historical reasons, including siloed operations or mergers and acquisitions.
"A hybrid mesh firewall makes you highly dependent on one single vendor," says John Carey, managing director of the technology solutions group at global consulting firm AArete. "Some organizations prefer to have best-of-breed and select the right tool for the right job. You'll see CrowdStrike running alongside CyberArk running alongside Juniper running alongside Cisco. You don't see many organizations doing a blanket removal, taking out all those tools and putting in one. It's costly, and they don't want to be totally dependent on that one vendor."
With a hybrid mesh firewall only able to manage firewalls from that one vendor, that could be a problem for those companies.
Alternatively, an enterprise can use an NSPM product from a vendor such as Tufin or Firemon, says Scott Wheeler, cloud practice leader at Asperitas Consulting, an IT and cloud services firm. "They are not firewall products, but they do enable the concept of hybrid mesh firewall. So, depending on how you look at the semantics, they are more of a hybrid mesh firewall solution because you can manage across different firewall providers."
And there are other ways to get the same effect, he says. Asperitas Consulting is working with a financial institution in Chicago that chose to push everything into Microsoft Sentinel (a combination security analytics and threat detection and response platform) because it offers a single, centralized point of view. “They don't want to have a million point solutions," Wheeler said.
At the same time, integration issues can crop up even in single-vendor environments. Some hybrid mesh firewall providers may have problems integrating the different firewalls that they themselves offer. And the features and automation promised by a vendor may not always work as advertised. "Some of these vendors are getting out ahead of their ability to execute," says Gartner's Hils.
There are also pricing issues, he says. "All of these tools are priced erratically in different ways, and procurement people are having some difficulty in figuring out what pieces they need."
Another challenge that comes with deploying hybrid mesh firewalls is that firewalls aren't created equal. Different types of firewalls need to be handled differently.
"Say your business is adding a new branch," says Omdia's Montenegro. "The network team will work with the facility team. This is radically different from when you do endpoint network security and have a new employee at the company – then the request is going to come from HR and you have a very different workflow. Or you have a new application in your data center – that's a different workflow. And it's different from a container-based firewall for your workload."
These firewalls aren't only deployed differently, he adds. They also need different security policies. A container-based firewall will need to handle IP addresses and object changes differently from an end-user firewall, which is different from a branch firewall, which is different from a data center firewall.
And once they're deployed and the security policies are set up, future changes are also handled differently.
"Back in the day, when you do a firewall change management request, you submit a form with what port needs to be allowed, what the source IP is, what the destination IP is," says Montenegro. "That workflow is unlikely to work in a container firewall or an end-user firewall."
Having a hybrid mesh firewall can give you a central view of all your firewalls, he says. "But if you’re not able to support all those different use cases, you’re going to create grief for your organisation."
Top hybrid mesh firewall vendors
The leaders in the hybrid mesh firewall space are Fortinet, Check Point Software Technologies, Palo Alto Networks, and Cisco. "They have the form factors to execute on it," says Gartner's Hils. "But they may not have all built up a full management architecture."
Gartner doesn't yet have a magic quadrant for hybrid mesh firewalls, he says, because it's still early. However, Gartner did release its latest update of its magic quadrant for network firewalls in December of 2022, and Fortinet, Palo Alto, and Check Point were the three leaders.
In a recent hype cycle report for zero trust networking, Gartner laid out how enterprises are struggling to implement firewall controls in multiple environments, leading to a lack of centralized management and visibility.
They’re turning to hybrid mesh firewall platforms to consolidate policy management while still supporting multiple firewall deployment types, including data center, cloud, branch offices and enterprise networks.
For enterprises that are considering a hybrid mesh firewall platform, Gartner recommends they integrate hybrid mesh firewalls with their zero-trust strategy; most existing controls, such as hardware-based firewalls, will not be fully retired in the mid to long term, driving complexity that a hybrid mesh firewall can help simplify, according to Gartner.
Among its other recommendations, Gartner reminds enterprises to demand transparent contracts from the reseller or vendor and to refuse to sign a contract that doesn’t clearly highlight part numbers and components. Likewise, the firm says to closely verify the requirement for all software subscriptions. “You might not need all of the subscriptions that the vendors try to sell,” Gartner warns.