Problem Statement
PCI-DSS requires intrusion detection or prevention at the boundary of the cardholder data environment (Requirement 11.5 in PCI DSS v4.0). On Azure, the managed way to get that is Azure Firewall Premium with its IDPS feature, which costs over a thousand dollars per month for the firewall alone (the estimate below comes to roughly USD 1,075 for 5 TB/month, before Log Analytics ingestion).
What is NGFW?
FW is a traditional firewall; NGFW is a next-generation firewall.
A traditional firewall makes its decisions on IP addresses, ports and protocols. An NGFW additionally inspects the application and the content inside the traffic, and adds IPS, malware detection and user-identity controls on top.
| Capability | FW | NGFW |
|---|---|---|
| Layer 3 IP filtering | Yes | Yes |
| Layer 4 TCP/UDP port filtering | Yes | Yes |
| Layer 7 application awareness | No | Yes |
| Detect “SSH over HTTPS”, “Dropbox”, “Salesforce”, “Zoom”, even on non-standard ports | No | Yes |
A traditional FW sees only the 5-tuple: source and destination IP, port (80, 443, 22, ...) and protocol (TCP/UDP).
An NGFW additionally sees which application is inside the flow, which user or identity generated it, and what content is being transferred.
| Security function | FW | NGFW |
|---|---|---|
| Basic stateful inspection | Yes | Yes |
| Intrusion detection (IDS) | No | Yes |
| Intrusion prevention (IPS) | No | Yes |
| Protocol anomaly detection | Minimal | Yes |
| Malware scanning / sandboxing | No | Yes |
| URL/content filtering | No or limited | Yes |
| TLS/SSL decryption and inspection | No | Yes |
NGFW = firewall + IPS + application control + threat prevention. Traditional FW = simple access control + state tracking.
| Identity / user features | FW | NGFW |
|---|---|---|
| Policy by user/group | No | Yes |
| Integrate with LDAP/AD/OAuth/IDaaS | No | Yes |
| Zero Trust segmentation | Limited | Strong |
An NGFW can express policies such as:
- Only "Finance" AD group may access internal payment API.
- Deny "unknown application" traffic regardless of port.
| TLS/SSL inspection | FW | NGFW |
|---|---|---|
| Inspect encrypted payload | No | Yes |
| Enforce policies on decrypted sessions | No | Yes |
A traditional FW sees TLS as an opaque byte stream. An NGFW terminates the session, inspects the cleartext, re-encrypts it and enforces IPS and malware rules on the decrypted content. Two caveats apply in practice: every client inside the inspected segment must trust the firewall's inspection CA, and applications that pin certificates or use mutual TLS cannot be decrypted and have to be passed through (spliced) explicitly. The inspection point also handles cleartext cardholder data, so it is itself in PCI-DSS scope.
| Threat intel | FW | NGFW |
|---|---|---|
| Block IPs/domains from threat feeds | Limited | Yes |
| Constantly updated signatures | No | Yes |
NGFWs from Palo Alto, Fortinet, Barracuda, Cisco and others pull threat intelligence feeds continuously. NGFW logs are also much richer (application, user, URL, verdict), which matters for PCI-DSS evidence, SOC triage, SIEM correlation and incident response.
Traditional firewalls were designed for a world where applications used standard ports, malware was rare, TLS traffic was a small fraction of the total and IDS/IPS were separate physical appliances. Today most malicious traffic is encrypted, applications run on any port, cloud-native microservices blur the traditional perimeter, and attackers hide inside "allowed" ports such as 443. An NGFW addresses exactly these limitations.
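The application-aware policies described above (identify SSH by its banner on any port, block a SaaS application by TLS SNI, deny traffic whose application cannot be identified) are what a Suricata ruleset looks like on the open-source side. The script below is an added example and not code from the original page; it assumes Suricata 6 or later running in IPS mode (NFQUEUE), because the `drop` action only blocks inline, and it uses locally chosen SIDs in the 9000000 range. User and group based policy (the "Finance" example) is not expressible in Suricata rules and needs the proxy's authentication or an IP-to-user mapping instead.

```shell
#!/bin/sh
# Added example: Suricata rules for port-independent application control.
# Not from the original page. Assumes Suricata >= 6 in IPS (NFQUEUE) mode
# so that "drop" blocks; in IDS mode these rules only alert.
set -eu

# Emit the ruleset. SIDs 9000001+ are local-use values chosen for this example.
render_app_rules() {
    cat <<'EOF'
# SSH identified by its banner on any port except 22. Port filtering alone cannot see this.
alert ssh any any -> any !22 (msg:"NGFW app-id: SSH on non-standard port"; flow:to_server,established; classtype:policy-violation; sid:9000001; rev:1;)
# SaaS application identified by TLS SNI on any port. dotprefix + endswith matches
# dropbox.com and *.dropbox.com but not evil-dropbox.com.
drop tls any any -> any any (msg:"NGFW app-ctl: Dropbox blocked"; flow:to_server,established; tls.sni; dotprefix; content:".dropbox.com"; endswith; classtype:policy-violation; sid:9000002; rev:1;)
# "Deny unknown application regardless of port": anything on 443 that is not TLS,
# and any flow whose application-layer protocol detection failed, is dropped.
drop tcp any any -> any 443 (msg:"NGFW app-ctl: non-TLS traffic on 443"; flow:to_server,established; app-layer-protocol:!tls; classtype:policy-violation; sid:9000003; rev:1;)
drop tcp any any -> any any (msg:"NGFW app-ctl: unidentified application"; flow:to_server,established; app-layer-protocol:failed; classtype:policy-violation; sid:9000004; rev:1;)
EOF
}

# Write the rules to a file and, when Suricata is installed, validate them with
# its offline test mode (-T) against the host's suricata.yaml (path assumed).
write_and_check() {
    out=${1:-$(mktemp -d)}/app-control.rules
    render_app_rules > "$out"
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c /etc/suricata/suricata.yaml -S "$out"
    fi
    printf '%s\n' "$out"
}

write_and_check "${RULES_DIR:-}"
```

Run it as `RULES_DIR=/etc/suricata/rules sh app-control.sh` on the gateway, then reference the file from `rule-files:` in suricata.yaml. The order matters: the `failed` rule fires only after Suricata has given up on protocol detection for a flow, so short probes that never send a recognisable banner are still cut off, while legitimate TLS on 443 is untouched.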
Use a Next-Generation Firewall when:
- You need PCI-DSS, HIPAA, or regulatory compliance.
- You want to inspect encrypted traffic.
- You want IPS/IDS and anti-malware inline.
- You require fine-grained application control.
- You have modern workloads (cloud, container, SaaS).
Use a traditional firewall only when:
- You need basic L3/L4 filtering only.
- Traffic inspection is not required.
- Latency and overhead must be minimal (inspection costs CPU and adds delay).
- Cost must be minimal.
In cloud environments an NGFW is almost always the right choice; the open question is what it costs, which the next section addresses.
Economics of Alternative Cloud Firewalls
Let's compare the cost of Azure Firewall Premium SKU with IDPS against other pay-as-you-go (PAYG) NGFW offerings.
Assumptions:
- Single NGFW resource, running 24x7 (720 h/month).
- Traffic to inspect: 5 TB/month (about 5120 GB).
- All "Cloud-Delivered Security Services (CDSS)" add-ons enabled (Palo Alto's term; the equivalent bundles are assumed for the other vendors):
  - Advanced Threat Prevention
  - Advanced URL Filtering
  - WildFire (malware/sandbox)
  - DNS Security
- Central management (Panorama-style) is optional and assumed to add no significant cost, or is skipped for now.
- All traffic goes through inspection and the CDSS services. This is the worst case for cost, but it is the only configuration that gives full coverage for PCI-DSS.
The values below are representative monthly costs for a single firewall deployment running 24x7, inspecting 5 TB/month, configured with the PCI-DSS-relevant features (IPS/IDPS, TLS inspection, threat prevention, logging-ready). They are rough lower-bound estimates based on publicly referenced pricing models. Log ingestion into Azure services such as a Log Analytics Workspace is billed separately and can raise the total substantially.
| Product / Vendor | PCI-DSS features included | Approx monthly cost (5 TB/month) |
|---|---|---|
| Azure Firewall Premium + IDPS | TLS inspection, IDPS, URL filtering, L3–L7 rules | USD 1,075 / month |
| Palo Alto Cloud NGFW | Advanced Threat Prevention, IPS, URL filtering, WildFire, TLS inspection | USD 1,600 / month |
| Fortinet FortiGate CNF | IPS, application control, AV/UTM, TLS inspection | USD 2,210 / month |
| Barracuda CloudGen Firewall | IPS/IDS, TLS inspection, malware scanning, URL filtering | USD 900–1,000 / month (single VM) |
Custom Solution Architecture
Solution components:
- L3/L4 stateful firewall
- Deep Packet Inspection (DPI)
- IPS/IDS
- TLS/SSL interception (optional)
- URL/content filtering
- Application identification / protocol detection
- Logging, SIEM integration, dashboards
- Routing, NAT, VPN
- Optional: malware scanning (proxy-based)
| Component | Open-source project |
|---|---|
| Stateful firewall | nftables (kernel) |
| IPS/IDS | Suricata |
| Application-layer detection | nDPI (via nProbe/ntopng) |
| Web proxy + TLS inspect | Squid (SSL-Bump) |
| URL filtering | SquidGuard or ufdbGuard with a maintained blacklist such as UT1 (the Shalla list is no longer maintained) |
| Malware scanning | ClamAV, reached from Squid over ICAP via c-icap with the squidclamav module |
| DPI engine | Suricata (with protocol decoders) |
| SIEM/logging | ELK stack (Elasticsearch, Logstash, Kibana) |
| VPN | WireGuard or strongSwan |
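The table lists the components but not how they are wired together. The script below is an added example, not configuration from the original page, and shows the glue for the first five rows: an nftables policy that does the L3/L4 stateful filtering, hands every forwarded packet to Suricata in IPS mode over NFQUEUE, and redirects web traffic from the cardholder segment into Squid, plus a Squid configuration that bumps TLS and sends request and response bodies to ClamAV over ICAP. Assumptions (all chosen for the example): outside interface eth0, inside interface eth1 facing the CDE segment 10.10.0.0/24, Suricata on queue 0, Squid on 3128 (HTTP intercept) and 3129 (HTTPS intercept with SSL-Bump), c-icap with squidclamav on 127.0.0.1:1344, and the inspection CA at /etc/squid/inspection-ca.pem.

```shell
#!/bin/sh
# Added example: glue between nftables, Suricata (NFQUEUE), Squid and ClamAV/ICAP.
# Not from the original page; interfaces, subnet, ports and paths are assumptions.
# nat in the inet family needs kernel 5.2+.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
CDE_NET=${CDE_NET:-10.10.0.0/24}

# L3/L4 stateful policy. Forwarded traffic is queued to Suricata WITHOUT "bypass",
# so the gateway fails closed if Suricata is not running (add "bypass" after
# "queue num 0" to fail open instead). Web traffic from the CDE is redirected to
# Squid in prerouting so TLS inspection and ICAP scanning apply before forwarding.
render_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet ngfw {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$LAN_IF" ip saddr $CDE_NET tcp dport 80 redirect to :3128
        iifname "$LAN_IF" ip saddr $CDE_NET tcp dport 443 redirect to :3129
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif lo accept
        iifname "$LAN_IF" ip saddr $CDE_NET tcp dport { 3128, 3129 } accept
        iifname "$LAN_IF" ip saddr $CDE_NET udp dport 53 accept
        iifname "$LAN_IF" tcp dport 22 accept comment "management from inside only"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state new,established,related queue num 0
    }
    chain output {
        type filter hook output priority 0; policy accept;
        oif lo accept
        oifname "$LAN_IF" tcp sport 22 accept comment "keep management reachable if Suricata is down"
        ct state new,established,related queue num 0 comment "Squid's own upstream connections are inspected too"
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Squid: transparent HTTP/HTTPS with SSL-Bump; pinned or mutual-TLS destinations
# are spliced (passed through undecrypted); all other bodies go to ClamAV over ICAP.
# bypass=off makes Squid fail closed when the ICAP service is down.
render_squid_conf() {
    cat <<'EOF'
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/inspection-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 16MB
acl step1 at_step SslBump1
acl pinned ssl::server_name .pinned.example
ssl_bump peek step1
ssl_bump splice pinned
ssl_bump bump all
icap_enable on
icap_service clamav_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
icap_service clamav_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access clamav_req allow all
adaptation_access clamav_resp allow all
access_log daemon:/var/log/squid/access.log squid
EOF
}

# Write both files and syntax-check them with the tools' own parsers when present.
install_configs() {
    dir=${1:-$(mktemp -d)}
    render_nft_ruleset > "$dir/ngfw.nft"
    render_squid_conf > "$dir/squid.conf"
    if command -v nft >/dev/null 2>&1; then nft -c -f "$dir/ngfw.nft"; fi
    if command -v squid >/dev/null 2>&1; then squid -k parse -f "$dir/squid.conf"; fi
    printf '%s\n' "$dir"
}

install_configs "${OUT_DIR:-}"
```

To activate on the gateway: `sysctl -w net.ipv4.ip_forward=1`, `nft -f /etc/nftables.d/ngfw.nft`, start Suricata inline with `suricata -c /etc/suricata/suricata.yaml -q 0`, and start c-icap before Squid. The `.pinned.example` ACL is a placeholder for the real list of certificate-pinned or mutual-TLS destinations; leaving it empty makes Squid try to bump them and those connections will fail. Because the ICAP services use `bypass=off` and the forward chain queues without `bypass`, a crashed ClamAV or Suricata stops traffic rather than silently skipping inspection, which is the behaviour a PCI assessor expects.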