
Is Your SASE Actually a Firewall? FWaaS Capabilities Across 8 Vendors

Firewall as a Service (FWaaS) is the foundation of every SASE bundle, but the label hides a huge range. We ran 5 hard checks on Cato, Check Point, Zscaler, Netskope, Palo Alto, Cisco, Fortinet, and Cloudflare. Four vendors scored a perfect 100%.

[Illustration: a cloud firewall visualized as a glowing barrier, intact on one side and fracturing into a breach on the other]

Key numbers from the SASECompare FWaaS test:

8 / 8 vendors pass the L3-L7 NGFW baseline
4 vendors score a perfect 100%: Zscaler, Palo Alto, Fortinet, Cisco
2 of 5 checks are where the field actually splits: IPS/IDS and DNS security
80% is the lowest score: Netskope, an SSE-first architecture
By SASECompare Research

The Word Firewall Is Doing a Lot of Work

Every SASE platform now advertises a cloud firewall. The label is on every data sheet. But Firewall as a Service ranges from a genuine next-generation firewall delivered from the cloud all the way down to a lightweight access-control list wearing an NGFW badge.

The difference is not academic. If you are retiring on-prem firewalls, the cloud replacement has to match the policy granularity, threat inspection, and protocol coverage your security team already relies on. A gap here is not a missing feature; it is traffic your old firewall inspected and your new one does not.

So we ran 8 SASE vendors through 5 specific FWaaS checks: full L3-L7 application control, real-time IPS/IDS, DNS security and tunneling prevention, roaming policy enforcement, and custom rule criteria. The headline: the basics are solved everywhere, and the real separation comes down to just two checks.

The 3 Checks Every Vendor Passes

Before the differences, the baseline. All 8 platforms clear these three, so treat them as table stakes, not selling points.

L3-L7 application-aware firewall (8 / 8)

Can it classify and control traffic by application, not just port?

All 8 vendors run a full Layer 3 to Layer 7 engine with deep packet inspection and application identification. A modern SASE firewall that only filtered ports would not survive an RFP, and none of them do.

Policies follow the user across locations (8 / 8)

Does the same rule apply in the office, at home, and on the road?

Every vendor ships an always-on client that steers traffic to the nearest cloud edge, so the same firewall, DNS, and IPS policy is enforced wherever the user sits. This is the core SASE promise, and it is now universal.

Custom rules with full match criteria (8 / 8)

Can you write granular rules on IP, FQDN, service, geo, and app?

All 8 support rich rule criteria: source and destination IP and subnet, FQDN or domain objects, ports and protocols, geolocation, and Layer 7 application. The policy language is not where these platforms differ.

Where It Splits: The 2 Checks That Matter

Three of the five checks are passed by all 8 vendors. The market splits on the other two, and both are about inspection depth rather than policy plumbing. This is where a real cloud NGFW pulls away from a repackaged proxy.

1. IPS / IDS with real-time detection

Does it block the exploit inline, or just watch it happen?

An intrusion prevention system that only detects and logs is a smoke alarm, not a sprinkler. 2 of 8 score PARTIAL here.

Cisco: YES. Snort 3 engine with 40,000+ Talos signatures, IDS and inline IPS modes.

Palo Alto Networks: YES. Advanced Threat Prevention: signature IPS plus inline ML on unknown exploits.

Check Point: YES. Defense-in-depth engine: signatures, protocol validation, anomaly and behavioral analysis.

Zscaler: YES. Cloud IPS inspects all ports and protocols in real time with custom and industry signatures.

Fortinet: YES. FortiGuard IPS extended signature database enforced as a security profile.

Cato Networks: YES. Cloud IPS inspects inbound, outbound, WAN and SSL traffic, with a monitor (IDS) mode.

Netskope: PARTIAL. IPS is bolted into the Next Gen SWG, not the cloud firewall itself. Signature-based, alert or block.

Cloudflare: PARTIAL. Ships an IDS that detects and logs against signatures, but does not inline-block the traffic.

2. DNS security and tunneling prevention

Can it see and stop data smuggled over DNS, including encrypted DNS?

DNS tunneling and DGA-based C2 slip past firewalls that do not inspect DNS at all, and DNS-over-HTTPS hides the same traffic from firewalls that inspect only plaintext port-53 queries. 3 of 8 score PARTIAL here.

Zscaler: YES. DNS Control applies policy to every request and response, including encrypted DNS.

Palo Alto Networks: YES. Advanced DNS Security uses Precision AI to block DGA, tunneling and C2, with sinkholing.

Cisco: YES. Umbrella DNS-layer security across all ports, and it inspects DoH, DoT and DNSCrypt.

Fortinet: YES. FortiGuard DNS Filter blocks botnet C&C domains at the name-resolving stage.

Cloudflare: YES. Gateway DNS policies include an explicit DNS Tunneling category plus DGA detection.

Check Point: PARTIAL. Detects tunneling and DGA via ThreatCloud AI, but DoH inspection is not covered.

Cato Networks: PARTIAL. DNS filtering and documented tunneling prevention, but narrower encrypted-DNS handling.

Netskope: PARTIAL. Filters and sinkholes newly registered domains (NRDs) and DGA domains and blocks tunneling, with gaps versus a full DNS firewall.
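To make the tunneling and DGA check concrete, here is the kind of heuristic a DNS-inspecting firewall applies to resolver logs, run over a few constructed query lines. This is an added example written for this article, not SASECompare research output or any vendor's engine. The log format, the thresholds, and the two-label approximation of a registered domain are assumptions for illustration; a production detector would consult a public suffix list and tune the thresholds against its own traffic baseline.

```python
"""Heuristic DNS tunneling / DGA triage over query logs (added example, not vendor code)."""
import math
from collections import Counter, defaultdict

# Constructed sample log, format "<timestamp> <client-ip> <qname> <qtype>" (an assumption).
# Lines 3-6 mimic a tunneling tool carrying hex/base64 payload in the leftmost label;
# lines 7-9 mimic DGA-style second-level labels with no vowels.
SAMPLE_LOG = """\
2026-07-01T10:00:01Z 10.0.0.5 www.example.com A
2026-07-01T10:00:02Z 10.0.0.5 mail.example.com MX
2026-07-01T10:00:03Z 10.0.0.7 4e6f7468696e6720746f207365652068657265.exfil.example.net TXT
2026-07-01T10:00:03Z 10.0.0.7 62757420636865636b20746865206e657874206f6e65.exfil.example.net TXT
2026-07-01T10:00:04Z 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.exfil.example.net TXT
2026-07-01T10:00:04Z 10.0.0.7 YW5kIGFub3RoZXIgY2h1bmsgb2YgZGF0YQ.exfil.example.net TXT
2026-07-01T10:00:05Z 10.0.0.9 xkqpwzvbtnrlhgdf.com A
2026-07-01T10:00:05Z 10.0.0.9 qzvmlprktwxhbndg.com A
2026-07-01T10:00:06Z 10.0.0.9 wbtxqrnpzmlkvhgc.com A
2026-07-01T10:00:07Z 10.0.0.5 cdn.example.com A
"""

LONG_LABEL = 30          # hostnames are short; payload labels from tunneling tools are not
TUNNEL_MIN_QUERIES = 3   # how many long, unique prefixes before a domain is flagged
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character. Encoded payload sits near the alphabet maximum; words sit far below."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registered domain (no public suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_dga(sld: str) -> bool:
    """Crude DGA test on the second-level label: long, almost vowel-free, high entropy."""
    letters = [c for c in sld if c.isalpha()]
    if len(sld) < 10 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio <= 0.2 and shannon_entropy(sld) >= 3.2


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def analyze(log_text: str) -> dict:
    """Aggregate per registered domain and attach tunnel/DGA verdicts."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                      "long_labels": 0, "entropies": [], "qtypes": Counter()})
    for raw in log_text.splitlines():
        q = parse_line(raw)
        if not q:
            continue
        dom = registered_domain(q["qname"])
        prefix = q["qname"][: -len(dom)].rstrip(".")   # everything left of the registered domain
        rec = per_domain[dom]
        rec["queries"] += 1
        rec["subdomains"].add(prefix)
        rec["clients"].add(q["client"])
        rec["qtypes"][q["qtype"]] += 1
        if prefix:
            rec["entropies"].append(shannon_entropy(prefix.replace(".", "")))
            if max(len(label) for label in prefix.split(".")) >= LONG_LABEL:
                rec["long_labels"] += 1
    report = {}
    for dom, rec in per_domain.items():
        unique_ratio = len(rec["subdomains"]) / rec["queries"]
        avg_entropy = sum(rec["entropies"]) / len(rec["entropies"]) if rec["entropies"] else 0.0
        report[dom] = {
            "queries": rec["queries"],
            "clients": sorted(rec["clients"]),
            "unique_subdomain_ratio": round(unique_ratio, 2),
            "avg_prefix_entropy": round(avg_entropy, 2),
            "qtypes": dict(rec["qtypes"]),
            # many long, never-repeated prefixes = data leaving one label at a time
            "tunnel_suspect": rec["long_labels"] >= TUNNEL_MIN_QUERIES and unique_ratio >= 0.9,
            "dga_suspect": looks_dga(dom.split(".")[0]),
        }
    return report


if __name__ == "__main__":
    for dom, info in analyze(SAMPLE_LOG).items():
        flags = [k for k in ("tunnel_suspect", "dga_suspect") if info[k]]
        print(f"{dom:28s} queries={info['queries']:2d} {', '.join(flags) or 'clean'}")
```

Two things the sample shows that the vendor blurbs do not: the tunnel verdict keys on the registered domain (example.net), not the delegated exfil zone, so a detector that only looks at the leftmost label misses the aggregation; and a DGA verdict needs no signature at all, only a vowel ratio and an entropy floor, which is why every vendor above claims it. None of it works if the firewall never sees the query, which is what the encrypted-DNS half of this check is about.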

Real Firewall, or Fancy ACL? 5 Ways to Tell

The word firewall covers a lot of ground. These five questions separate a cloud NGFW you can migrate onto from an access-control layer with a marketing budget.

Does the IPS block inline, or only detect and log?

An IDS that emails you after the exploit lands is not prevention. Ask to see a signature firing and dropping the packet, live.

Does it inspect encrypted DNS (DoH / DoT)?

Attackers moved to DNS-over-HTTPS to tunnel data past DNS filters. If the firewall is blind to DoH, your DNS controls have a side door.

Is the firewall a first-class engine, or a feature of the web proxy?

SSE-first platforms sometimes route non-web traffic through the SWG. Ask whether IPS and firewall policy apply to all ports and protocols, not just 80 and 443.

Does it handle non-TCP traffic (UDP, ICMP)?

A real firewall governs every IP protocol, not just TCP. Confirm that UDP and ICMP are inspected and subject to policy, not silently bypassed or dropped.

Do rules match on more than IP and port?

FQDN, application, and geo criteria are table stakes now. If you are limited to 5-tuple ACLs, you bought a router filter, not an NGFW.
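The encrypted-DNS question is the easiest of the five to verify live. The probe below is an added example written for this article, not vendor tooling and not part of the SASECompare test: it resolves one test name over plain DNS, DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484) using hand-built wire-format queries, then reports any encrypted transport that still resolves a name the plain-DNS path refuses. The test name, the resolver addresses and the DoH URL are placeholders; replace them with the FWaaS resolver and a domain your policy is configured to block.

```python
"""Probe plain DNS, DoT and DoH for the same blocked name (added example, not vendor code)."""
import base64
import socket
import ssl
import struct
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(msg: bytes) -> dict:
    """Only the header matters for the verdict: RCODE and answer count."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "rcode": flags & 0xF, "answers": an}


def classify(resp: dict) -> str:
    """Collapse a result into the outcome a POC tester cares about."""
    if "error" in resp:
        return "error"
    if resp["rcode"] == 3:
        return "nxdomain"
    if resp["rcode"] == 5:
        return "refused"
    if resp["rcode"] == 0 and resp["answers"] > 0:
        return "answered"
    return "noanswer"


def query_do53(name: str, server: str, timeout: float = 3.0) -> dict:
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name: str, server: str, timeout: float = 3.0, port: int = 853) -> dict:
    """DoT: TCP framing (2-byte length prefix) inside a verified TLS session."""
    q = build_query(name)
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


def query_doh(name: str, url: str, timeout: float = 3.0) -> dict:
    """DoH GET: the wire query goes in ?dns= as unpadded base64url."""
    q = build_query(name)
    dns_param = base64.urlsafe_b64encode(q).rstrip(b"=").decode("ascii")
    req = urllib.request.Request(f"{url}?dns={dns_param}",
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return parse_response(r.read())


def probe(name: str, do53_server: str, dot_server: str, doh_url: str) -> dict:
    """Run all three transports; a failure becomes an 'error' result instead of aborting."""
    results = {}
    for label, fn in (("do53", lambda: query_do53(name, do53_server)),
                      ("dot", lambda: query_dot(name, dot_server)),
                      ("doh", lambda: query_doh(name, doh_url))):
        try:
            results[label] = fn()
        except Exception as exc:   # timeouts, TLS failures, HTTP 403 from a blocking proxy
            results[label] = {"error": str(exc)}
    return results


def side_doors(results: dict) -> list:
    """Transports that resolved the test name while plain DNS did not."""
    if classify(results.get("do53", {"error": "missing"})) == "answered":
        return []
    return sorted(t for t, r in results.items() if t != "do53" and classify(r) == "answered")


if __name__ == "__main__":
    # Placeholders (assumptions): a name your policy blocks, and the resolver under test.
    TEST_NAME = "blocked-test.example"
    res = probe(TEST_NAME, "192.0.2.53", "dot.example", "https://doh.example/dns-query")
    for transport, r in res.items():
        print(f"{transport:5s} {classify(r):9s} {r}")
    print("side doors:", side_doors(res) or "none")
```

Read the output with one caveat: a resolver that sinkholes returns an answer, so "answered" over plain DNS is only a bypass if the address differs from the vendor's documented sinkhole. Run it twice, once from the office egress and once from a roaming client with the vendor agent on, and the roaming-policy check gets covered for free.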

The Three Tiers

Group the results and three tiers emerge. Note the pattern: the vendors with deep firewall heritage (Fortinet, Palo Alto, Cisco) and the security-first cloud (Zscaler) fill the top tier, while the SSE-first platform sits at the bottom.

Tier 1: Full Cloud NGFW (100%)

Every check passes. These are genuine next-gen firewalls delivered from the cloud, not proxies with a firewall label.

Zscaler: Advanced Cloud Firewall plus Cloud IPS and DNS Control, all inline across every port.

Palo Alto Networks: The full PAN-OS NGFW feature set on Prisma Access, single-pass App-ID inspection.

Fortinet: FortiOS heritage, with NGFW policy, FortiGuard IPS and DNS filter carried into FortiSASE.

Cisco: Snort 3 IPS with 40,000+ Talos signatures and Umbrella DNS-layer security.

Tier 2: Strong, One Real Gap (90%)

A capable cloud firewall with a single documented blind spot worth probing before you sign.

Cloudflare: Magic Firewall and Gateway are solid, but the IPS detects and logs only; it does not inline-block.

Check Point: Quantum-grade threat prevention, but DoH (encrypted DNS) inspection is not covered.

Cato Networks: Purpose-built single-pass firewall, with narrower encrypted-DNS handling than the leaders.

Tier 3: SSE-First (80%)

Grew up as a web-security and CASB platform. The firewall is real but leans on the SWG for parts of the job.

Netskope: Cloud Firewall covers all ports, but IPS lives in the Next Gen SWG and DNS security is partial.

The FWaaS Scorecard

Five checks, PARTIAL counts as half credit. The spread is tight because the baseline is universal, but the ordering tells you who inspects deepest.

Zscaler: 100% (5 YES). Inline firewall, IPS and DNS across all ports.
Palo Alto Networks: 100% (5 YES). Full PAN-OS NGFW on Prisma Access.
Fortinet: 100% (5 YES). FortiOS firewall heritage, cloud-delivered.
Cisco: 100% (5 YES). Snort 3 IPS plus Umbrella DNS security.
Cloudflare: 90% (4 YES, 1 PARTIAL). IDS detects and logs, no inline blocking.
Check Point: 90% (4 YES, 1 PARTIAL). Strong IPS, but no DoH inspection.
Cato Networks: 90% (4 YES, 1 PARTIAL). Single-pass firewall, narrower encrypted DNS.
Netskope: 80% (3 YES, 2 PARTIAL). IPS in the SWG, DNS security partial.

What to Do in Your Evaluation

Application-aware L3-L7 policy, roaming policy enforcement, and rich rule criteria are now baseline. Every vendor we tested passes all three. When a sales deck leads with these, redirect the conversation to IPS behavior and DNS inspection, which is where the field actually splits.

The Bottom Line

The good news for buyers: FWaaS is largely mature. Application-aware policy, roaming enforcement, and granular rules are universal, and even the lowest scorer here is a functional cloud firewall, not a toy.

The caution: the marketing word firewall hides real differences in inspection depth. Inline IPS blocking and encrypted-DNS visibility are the two capabilities that separate a cloud firewall you can retire your on-prem boxes onto from one that will quietly leave gaps.

Score the platform on the two checks that split the field, insist on live proof during the POC, and weight the result against the rest of your SASE stack. The vendors at 100% earned it on depth, but the right firewall for you is the one whose gaps do not overlap your risks.


Methodology: All findings are based on SASECompare independent research across 5 FWaaS capability checks in the fwaas-cloud-firewall comparison. Vendor ratings reflect documented capabilities from official documentation, knowledge base articles, and verified public sources as of July 2026. Vendors are not notified before testing and do not pay for inclusion. PARTIAL is scored as half credit. See the full comparison page for source citations per vendor per check.
