Is a next-generation firewall in your future?

01.12.2010

In addition, although the NGFW represents security consolidation, Kwong retains some reservations about that. Kwong says he also plans to continue using open-source IPS as "a second set of eyes" in addition to the Palo Alto IPS functionality. "I'll never consolidate everything in one box," says Kwong, adding "I'm never going to rely solely on one vendor."

And what about the question of how any of the NGFW security applies when users aren't even behind the firewall, such as when traveling with a laptop or using a mobile device?

"We can expand to the user's machine not on the network," says Chris King, Palo Alto Networks director of product marketing. Palo Alto already has a VPN client that can backhaul a remote user's traffic to the customer's NGFW, but early next year Palo Alto will offer what it calls its GlobalProtect smart VPN client, which knows where the user is in the world and directs the client to the nearest gateway. "There's a hierarchy of gateways that manages a list of gateways, and the client knows where the nearest gateway is," King says. This capability enables some level of data-loss prevention, he adds.

Palo Alto also sees its ability to do SSL inspection as a big plus for the package. The firewall decrypts inbound and outbound SSL traffic, inspects it, and re-encrypts it, which puts the firewall in the middle of the session and therefore relies on a trusted environment in which the certificate used for the interception is shared with users' desktops. "We'd open it to make sure it's an allowed application, then re-encrypt," King said.
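The decrypt-and-re-encrypt step above only works transparently if the user's desktop trusts the certificate the firewall presents in place of the real server's. The following shell script is an added example (not code from the article or from Palo Alto Networks) that reproduces that trust prerequisite with openssl: it builds a hypothetical inspection CA, re-signs a leaf certificate for a host name as an inspecting firewall would, and then verifies that leaf first against a trust store that lacks the inspection CA and then against one that contains it. All file names, certificate subject names and the host name are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the article: the trust model behind outbound SSL inspection.
# An inspecting firewall re-signs server certificates with its own CA; a desktop that
# has not been given that CA rejects the connection, one that has accepts it silently.
# All names below (directory, subject names, host) are assumptions for the demo.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A public root CA that stands in for what a desktop already trusts; the firewall's
# CA is deliberately not among it.
make_public_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Some Public Root CA" \
    -keyout "$WORK/public-ca.key" -out "$WORK/public-ca.pem" 2>/dev/null
}

# The inspection CA the firewall uses to re-sign intercepted server certificates.
make_inspection_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Corp NGFW SSL Inspection CA" \
    -keyout "$WORK/ngfw-ca.key" -out "$WORK/ngfw-ca.pem" 2>/dev/null
}

# The substitute leaf certificate the firewall hands the client for the requested host.
make_resigned_leaf() {
  local host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ngfw-ca.pem" -CAkey "$WORK/ngfw-ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Desktop that never received the inspection CA: chain validation must fail.
# Returns 0 only if openssl accepts the chain.
verify_without_ngfw_ca() {
  openssl verify -CAfile "$WORK/public-ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Desktop with the inspection CA pushed to its trust store: validation succeeds.
verify_with_ngfw_ca() {
  openssl verify -CAfile "$WORK/ngfw-ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The check a user or auditor can run to tell an inspected session from a direct one:
# the issuer of the certificate the client actually sees is the firewall's CA.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

make_public_ca
make_inspection_ca
make_resigned_leaf "www.example.com"

if verify_without_ngfw_ca; then
  echo "UNEXPECTED: desktop without the NGFW CA accepted the re-signed certificate"
else
  echo "Desktop WITHOUT the NGFW CA: certificate rejected, TLS handshake would fail"
fi
if verify_with_ngfw_ca; then
  echo "Desktop WITH the NGFW CA: chain verifies, inspection is transparent to the user"
fi
echo "Certificate seen by the client was issued by: $(leaf_issuer)"
```

The second verification is the point: once the inspection CA is in the desktop trust store, the browser shows the padlock for a session the firewall can read in cleartext, so that CA's private key deserves the same protection as the firewall itself. Applications that pin the real server certificate will still fail, which is one reason to keep a decryption exclusion list alongside the policy.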

From Network World's Wide Area Network section.