SASECompare
deep-dive9 min read

Is Your SASE Actually a Firewall? FWaaS Capabilities Across 8 Vendors

Firewall as a Service (FWaaS) is the foundation of every SASE bundle, but the label hides a huge range. We ran 6 hard checks on Cato, Check Point, Zscaler, Netskope, Palo Alto, Cisco, Fortinet, and Cloudflare. Three vendors scored a perfect 100%.

A cloud firewall visualized as a glowing barrier, intact and impenetrable on one side, fracturing into a molten breach on the other
8 / 8
Vendors pass the L3-L7 NGFW baseline
SASECompare FWaaS test
3
Vendors score a perfect 100%
Zscaler, Palo Alto, Fortinet
3 of 6
Checks where the field actually splits
IPS, behavioral, DNS security
67%
Cloudflare, the lowest score
Network-delivery heritage
SASECompare Research
|

The Word Firewall Is Doing a Lot of Work

Every SASE platform now advertises a cloud firewall. The label is on every data sheet. But Firewall as a Service ranges from a genuine next-generation firewall delivered from the cloud all the way down to a lightweight access-control list wearing an NGFW badge.

The difference is not academic. If you are retiring on-prem firewalls, the cloud replacement has to match the policy granularity, threat inspection, and protocol coverage your security team already relies on. A gap here is not a missing feature, it is traffic your old firewall inspected and your new one does not.

So we ran 8 SASE vendors through 6 specific FWaaS checks: full L3-L7 application control, real-time IPS/IDS, behavioral and anomaly-based threat detection, DNS security and tunneling prevention, roaming policy enforcement, and custom rule criteria. The headline: the basics are solved everywhere, and the real separation comes down to threat-inspection depth.

The 3 Checks Every Vendor Passes

Before the differences, the baseline. All 8 platforms clear these three, so treat them as table stakes, not selling points.

8 / 8

L3-L7 application-aware firewall

Can it classify and control traffic by application, not just port?

All 8 vendors run a full Layer 3 to Layer 7 engine with deep packet inspection and application identification. A modern SASE firewall that only filtered ports would not survive an RFP, and none of them do.

8 / 8

Policies follow the user across locations

Does the same rule apply in the office, at home, and on the road?

Every vendor ships an always-on client that steers traffic to the nearest cloud edge, so identical firewall, DNS, and IPS policy enforces wherever the user sits. This is the core SASE promise, and it is now universal.

8 / 8

Custom rules with full match criteria

Can you write granular rules on IP, FQDN, service, geo, and app?

All 8 support rich rule criteria: source and destination IP and subnet, FQDN or domain objects, ports and protocols, geolocation, and Layer 7 application. The policy language is not where these platforms differ.

Where It Splits: The 3 Checks That Matter

Three of the six checks are passed by all 8 vendors. The market splits on the other three, and all are about inspection depth rather than policy plumbing. This is where a real cloud NGFW pulls away from a repackaged proxy.

1

IPS / IDS with real-time detection

Does it block the exploit inline, or just watch it happen?

An intrusion prevention system that only detects and logs is a smoke alarm, not a sprinkler. 1 of 8 score PARTIAL here.

Cisco
Cisco YES

Snort 3 engine with 40,000+ Talos signatures, IDS and inline IPS modes.

Palo Alto Networks
Palo Alto Networks YES

Advanced Threat Prevention: signature IPS plus inline ML on unknown exploits.

Check Point
Check Point YES

Defense-in-depth engine: signatures, protocol validation, anomaly and behavioral analysis.

Zscaler
Zscaler YES

Cloud IPS inspects all ports and protocols in real time with custom and industry signatures.

Fortinet
Fortinet YES

FortiGuard IPS extended signature database enforced as a security profile.

Cato Networks
Cato Networks YES

Cloud IPS inspects inbound, outbound, WAN and SSL traffic, with a monitor (IDS) mode.

Netskope
Netskope YES

Real-time, signature-based inline IPS in the Next Gen SWG, with alert (IDS) and block actions.

Cloudflare
Cloudflare PARTIAL

Ships an IDS that detects and logs against signatures, but does not inline-block the traffic.

2

Behavioral and anomaly-based threat detection

Beyond signatures, can it catch evasive and zero-day threats inline?

Signatures only catch what is already known. Inline behavioral and ML detection is what stops zero-days no signature covers yet. 1 of 8 score PARTIAL here.

Zscaler
Zscaler YES

Advanced Threat Protection applies inline AI/ML in the proxy path to catch phishing, C2, and evasive malware.

Palo Alto Networks
Palo Alto Networks YES

Advanced Threat Prevention runs inline deep-learning models that block zero-day exploits and evasive C2.

Fortinet
Fortinet YES

FortiGuard IPS adds heuristic and behavioral monitoring inline, with optional AI-based inline sandboxing.

Cato Networks
Cato Networks YES

Cato IPS runs inline deep-learning models, and Dynamic Prevention baselines normal host behavior for anomalies.

Check Point
Check Point YES

Quantum IPS blends anomaly and behavioral analysis with ML, plus inline Threat Emulation sandboxing.

Netskope
Netskope YES

Inline real-time ML (a PE-malware classifier and deep-learning phishing models) blocks never-before-seen threats.

Cisco
Cisco PARTIAL

Secure Access IPS is signature and reputation based; Cisco's inline ML engines are on the Secure Firewall line, not confirmed in the cloud FWaaS.

Cloudflare
Cloudflare NO

The Magic Firewall IDS is signature-based detect-and-alert only, with no behavioral or ML detection in the firewall data path.

3

DNS security and tunneling prevention

Can it see and stop data smuggled over DNS, including encrypted DNS?

DNS tunneling and DGA-based C2 slip past firewalls that do not inspect DNS, and DoH hides it from those that do not decrypt it. 5 of 8 score PARTIAL here.

Zscaler
Zscaler YES

DNS Control applies policy to every request and response, including encrypted DNS.

Palo Alto Networks
Palo Alto Networks YES

Advanced DNS Security uses Precision AI to block DGA, tunneling and C2, with sinkholing.

Fortinet
Fortinet YES

FortiGuard DNS Filter blocks botnet C&C domains, and with deep inspection it decrypts and inspects DoH.

Cisco
Cisco PARTIAL

Umbrella detects tunneling with ML, but inspects DoH only to its own resolvers, not third-party DoH.

Cloudflare
Cloudflare PARTIAL

Gateway has an explicit DNS Tunneling category, but filters DoH only when it is the resolver, not third-party DoH.

Check Point
Check Point PARTIAL

Detects tunneling and DGA via ThreatCloud AI, but DoH inspection is not covered.

Cato Networks
Cato Networks PARTIAL

DNS filtering and documented tunneling prevention, but narrower encrypted-DNS handling.

Netskope
Netskope PARTIAL

Filters and sinkholes NRDs and DGA and blocks tunneling, with gaps versus a full DNS firewall.

Real Firewall, or Fancy ACL? 5 Ways to Tell

The word firewall covers a lot of ground. These five questions separate a cloud NGFW you can migrate onto from an access-control layer with a marketing budget.

Does the IPS block inline, or only detect and log?

An IDS that emails you after the exploit lands is not prevention. Ask to see a signature firing and dropping the packet, live.

Does it inspect encrypted DNS (DoH / DoT)?

Attackers moved to DNS-over-HTTPS to tunnel data past DNS filters. If the firewall is blind to DoH, your DNS controls have a side door.

Is the firewall a first-class engine, or a feature of the web proxy?

SSE-first platforms sometimes route non-web traffic through the SWG. Ask whether IPS and firewall policy apply to all ports and protocols, not just 80 and 443.

Does it handle non-TCP traffic (UDP, ICMP)?

A real firewall governs the whole 5-tuple. Confirm UDP and ICMP are inspected, not silently tunneled or dropped.

Do rules match on more than IP and port?

FQDN, application, and geo criteria are table stakes now. If you are limited to 5-tuple ACLs, you bought a router filter, not an NGFW.

The Three Tiers

Group the results and three tiers emerge. Note the pattern: the vendors with the deepest inline threat inspection (Fortinet, Palo Alto, Zscaler) fill the top tier, while the platforms that lean on signatures sit at the bottom.

Tier 1Full Cloud NGFW (100%)

Every check passes. These are genuine next-gen firewalls delivered from the cloud, not proxies with a firewall label.

Zscaler
Zscaler

Advanced Cloud Firewall, Cloud IPS, inline ATP behavioral detection, and DNS Control across every port.

Palo Alto Networks
Palo Alto Networks

The full PAN-OS NGFW on Prisma Access, single-pass App-ID with inline deep-learning threat prevention.

Fortinet
Fortinet

FortiOS heritage: NGFW policy, FortiGuard IPS with behavioral monitoring, and a DoH-inspecting DNS filter.

Tier 2Strong, One Gap (92%)

A capable cloud firewall that misses on a single check, and for all three vendors it is the same one: inspecting encrypted DNS (DoH).

Cato Networks
Cato Networks

Purpose-built single-pass firewall with inline deep-learning IPS; DoH/DoT is blocked rather than inspected.

Check Point
Check Point

Quantum-grade threat prevention and behavioral IPS, but DoH (encrypted DNS) inspection is not turnkey.

Netskope
Netskope

Real L7 Cloud Firewall with inline ML threat detection; DoH is blocked and DNS security omits IPv6.

Tier 3Deeper Threat-Inspection Gaps (83% and 67%)

The firewall works, but threat inspection runs shallower. Each posts more than one gap, and both are in detection depth.

Cisco
Cisco

Snort signature IPS and Umbrella DNS are strong, but the cloud FWaaS lacks confirmed inline behavioral ML and full DoH inspection.

Cloudflare
Cloudflare

Magic Firewall and Gateway are solid at L7, but the IPS only detects, there is no behavioral engine, and DoH inspection is resolver-only.

The FWaaS Scorecard

Six checks, PARTIAL counts as half credit. The spread is tight because the baseline is universal, but the ordering tells you who inspects deepest.

Zscaler
Zscaler
100%
6 YES· Inline firewall, IPS, behavioral ATP and DNS across all ports
Palo Alto Networks
Palo Alto Networks
100%
6 YES· Full PAN-OS NGFW on Prisma Access
Fortinet
Fortinet
100%
6 YES· FortiOS firewall heritage, cloud-delivered
Cato Networks
Cato Networks
92%
5 YES1 PARTIAL· Deep inspection throughout, DoH not inspected
Check Point
Check Point
92%
5 YES1 PARTIAL· Strong IPS, but no turnkey DoH inspection
Netskope
Netskope
92%
5 YES1 PARTIAL· Real L7 firewall and inline ML, DNS misses DoH and IPv6
Cisco
Cisco
83%
4 YES2 PARTIAL· Signature IPS, no confirmed cloud behavioral ML or full DoH
Cloudflare
Cloudflare
67%
3 YES2 PARTIAL1 NO· IDS detects only, no behavioral engine, resolver-only DoH

What to Do in Your Evaluation

Application-aware L3-L7 policy, roaming policy enforcement, and rich rule criteria are now baseline. Every vendor we tested passes all three. When a sales deck leads with these, redirect the conversation to IPS behavior, behavioral detection, and DNS inspection, which is where the field actually splits.

The Bottom Line

The good news for buyers: FWaaS is largely mature. Application-aware policy, roaming enforcement, and granular rules are universal, and even the lowest scorer here is a functional cloud firewall, not a toy.

The caution: the marketing word firewall hides real differences in inspection depth. Inline behavioral threat detection and encrypted-DNS visibility are the capabilities that separate a firewall you can retire your Palo Altos onto from one that will quietly leave gaps.

Score the platform on the three checks that split the field, insist on live proof during the POC, and weight the result against the rest of your SASE stack. The vendors at 100% earned it on depth, but the right firewall for you is the one whose gaps do not overlap your risks.


Methodology: All findings are based on SASECompare independent research across 6 FWaaS capability checks in the fwaas-cloud-firewall comparison. Vendor ratings reflect documented capabilities from official documentation, knowledge base articles, and verified public sources as of July 2026. Vendors are not notified before testing and do not pay for inclusion. PARTIAL is scored as half credit. See the full comparison page for source citations per vendor per check.

fwaasfirewall-as-a-servicecloud-firewallips-idsdns-securitysase-comparisonnetwork-securityl7-firewallngfw2026
Share

Not sure whether a vendor's FWaaS can actually retire your on-prem firewall? Get a custom analysis weighted to your rulebase, threat model, and license tier.

Get Your Custom Report
Feedback

Help me make this better

This is a one-person project. Your input directly shapes what gets added, fixed, or prioritized next.