Is a next-generation firewall in your future?

01.12.2010

There's appeal in using capabilities such as integrating Microsoft Active Directory, for instance, to set up user groups in terms of authorized applications. So far, though, most McAfee customers are trying out advanced firewall features gingerly with some applications, not all, to see what impact policy controls have.

Fitness-center chain 24 Hour Fitness, which maintains more than 400 clubs in the U.S. and abroad, is giving the Palo Alto Networks application-aware firewall it deployed last summer a workout.

Justin Kwong, senior director of IT operations and security there, says there's not only a cost justification in switching to Palo Alto's consolidated architecture, but his staff is also getting a much better picture of what's happening using features such as reputation-based filtering.

The company is making use of Palo Alto's integration with Active Directory to set up policy controls regarding applications for employees, but the use is "not that granular yet," says Kwong, noting there's a learning curve regarding application control. In addition, Kwong doesn't believe his organization as yet needs to migrate completely to the NGFW model since the need for application-aware controls may not exist in all parts of the network or data center.

IDC analyst Kolodgy says that view about application-based controls is to be expected, advising, "use it in limited use until you are comfortable with it and then expand its use, which is exactly how IDS transitioned into ."