Firewall audit dos and don'ts

10.05.2010

Kindervag recommends testing how well the products do at finding unused rules, optimizing configurations and so on, and then comparing their reports.
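As an added illustration, not code from the article or from any of the products it discusses, the following script performs the two checks Kindervag names in their simplest form: flagging rules with no hits and flagging rules that an earlier rule already covers (first-match semantics). The rule format, rule names and hit counters are constructed for the example; a real audit tool parses the vendor's configuration and pulls counters from the device or its logs. Running a few known-bad rules like these through a candidate product and comparing its findings against what you expect is a cheap sanity check before trusting its reports.

```python
"""Toy firewall-rule audit: find unused and shadowed rules.

Added example, not from the article or any vendor product.
Rule format, names and hit counters below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # (low, high) inclusive; (0, 65535) means any port
    hits: int        # hypothetical hit counter over the audit window


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b would also match rule a."""
    sa, sb = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    da, db = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    if not (sb.subnet_of(sa) and db.subnet_of(da)):
        return False
    # A protocol-specific rule never covers a protocol-agnostic one.
    if a.proto != "any" and a.proto != b.proto:
        return False
    return a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]


def find_unused(rules, min_hits=1):
    """Rules whose counter stayed below min_hits during the audit window."""
    return [r.name for r in rules if r.hits < min_hits]


def find_shadowed(rules):
    """Rules fully covered by an earlier rule, so they can never match.

    Same action as the covering rule: redundant (safe to delete).
    Different action: unreachable, and a likely policy error.
    """
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "unreachable"
                found.append((rule.name, earlier.name, kind))
                break
    return found


def audit(rules):
    """Combine both checks; a shadowed rule is reported as shadowed, not merely unused."""
    shadowed = {name: (by, kind) for name, by, kind in find_shadowed(rules)}
    findings = []
    for r in rules:
        if r.name in shadowed:
            by, kind = shadowed[r.name]
            findings.append((r.name, f"{kind}: fully covered by earlier rule {by}"))
        elif r.name in find_unused(rules):
            findings.append((r.name, "unused: zero hits in audit window"))
    return findings


# Constructed rule set (first match wins), ordered as it would be on the device.
RULES = [
    Rule("allow-https", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), hits=120394),
    Rule("allow-https-dup", "allow", "192.168.0.0/16", "10.0.1.10/32", "tcp", (443, 443), hits=0),
    Rule("deny-legacy", "deny", "10.0.0.0/8", "10.0.9.0/24", "any", (0, 65535), hits=37),
    Rule("allow-dns", "allow", "10.0.0.0/8", "10.0.9.53/32", "udp", (53, 53), hits=0),
    Rule("allow-ssh-admin", "allow", "10.0.200.0/24", "10.0.1.0/24", "tcp", (22, 22), hits=0),
    Rule("cleanup-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), hits=99100),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name:18} {finding}")
```

Two caveats apply to the "unused" check in any product. Hit counters typically reset on reboot or policy push, so the audit window must be long enough to include the rarest legitimate traffic (quarterly batch jobs, disaster-recovery tests) before a zero-hit rule is treated as dead. And a rule that shows zero hits because it is shadowed is a different problem from one that simply sees no traffic: deleting the shadowed "allow-dns" above changes nothing, but the "deny-legacy" rule in front of it is what needs attention.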

"Run the results by your firewall guru or bring in one who can say, 'Yes, that's a good rule change,'" he says.

You can also determine whether the products actually scale, whether they deliver analysis at the speeds their vendors claim, and what kind of hardware they would require.

and evaluate the products' capabilities accordingly. Audit reports should come first and foremost for most organizations. Evaluate the quality of summary reports: are they sufficient to prove that your control policies are, in fact, carried out?

Also, make sure that you can produce satisfactory reports on demand in response to specific auditor queries. Some products offer regulation-specific reports, usually for , which may be useful.