Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
The seven types of firewalls Canadian businesses encounter in 2026 are packet filter, stateful inspection, proxy (application gateway), next-generation firewall (NGFW), unified threat management (UTM), web application firewall (WAF), and cloud-native firewall. Each inspects traffic at a different layer, and most defensible Canadian SMB stacks run two or three of them together rather than relying on one box at the edge.
KEY TAKEAWAYS
- Packet filter and stateful firewalls inspect headers and connection state. They cannot see applications, users, or encrypted payloads.
- NGFWs add DPI, identity, IPS, and TLS decryption. UTMs bundle stateful inspection with AV, anti-spam, and basic web filtering.
- WAFs protect HTTP/HTTPS apps. Cloud-native firewalls (Azure Firewall, AWS Network Firewall, GCP Cloud Armor) protect VPC traffic.
- The standard Canadian SMB stack: Fortinet or Palo Alto NGFW at the edge plus Cloudflare or AWS WAF in front of public web apps.
- Misconfiguration causes more breaches than the wrong product choice.
What does a firewall actually do in 2026?
A firewall is a policy enforcement point that decides which traffic crosses a network boundary. NIST SP 800-41 defines that boundary broadly: between two networks, between a host and a network, or between segments.
Most Canadian SMB traffic is now encrypted, identity-driven, and routed through SaaS or remote sessions. A firewall built only for ports and IP addresses cannot see inside that traffic. The job of a modern firewall is to identify the application, the user, and the threat behaviour on each session, then apply policy that follows the user across office, home, and cloud.
That is why firewall conversations now span three planes: the network edge (NGFW), the public-facing web app (WAF), and the cloud workload (cloud-native). Choosing the wrong type for the plane is the most common architectural error Fusion sees during assessments.
The 7 main firewall types
Product datasheets blur categories on purpose. Knowing where each type sits on the OSI model prevents paying NGFW prices for stateful features.
| Type | Layer | Strengths | Limitations | Best for |
|---|---|---|---|---|
| Packet filter | L3 / L4 | Fast, cheap, simple ACLs | No session state, no payload inspection | Internal segment ACLs, lab networks |
| Stateful inspection | L3 / L4 | Tracks connection state, blocks spoofed return traffic | Cannot read application or encrypted payload | Branch baseline, low-risk zones |
| Proxy / application gateway | L7 | Full session termination, content filtering | Latency, app-by-app coverage, scaling cost | Tightly regulated egress, legacy app brokering |
| Next-generation (NGFW) | L3 to L7 | DPI, IPS, identity, TLS decrypt, threat intel | Subscription cost, tuning effort | Edge for 10 to 200 user Canadian SMBs |
| Unified threat management (UTM) | L3 to L7 (lighter) | All-in-one AV, anti-spam, basic web filter | Throughput drops sharply with features on | Micro-business under 10 users, single site |
| Web application firewall (WAF) | L7 (HTTP/S only) | OWASP Top 10, bot mitigation, virtual patching | Protects only web apps, needs tuning per app | Public web apps, member portals, ecommerce |
| Cloud-native firewall | L3 to L7 | Native to VPC, autoscale, API-driven policy | Scoped to one cloud, fewer threat-intel feeds | Azure, AWS, or GCP workload protection |
Gartner’s 2025 Magic Quadrant for Network Firewalls lists Fortinet, Palo Alto Networks, Check Point, and Cisco as Leaders. Cloudflare and AWS lead the WAF category. Firewall type follows the threat model, not vendor preference.
NGFW vs UTM: how to tell them apart
NGFW and UTM both sit at the network edge and ship with long feature lists. The distinction is whether application identification and IPS run on the same policy engine at production throughput, or sit beside a stateful core as bolt-ons.
An NGFW such as Fortinet FortiGate, Palo Alto PA-Series, or Cisco Firepower identifies traffic by application signature first, then user identity from Entra ID, then enforces IPS, URL filtering, and TLS inspection in one pass. A UTM such as a SonicWall TZ at small-office tier still tracks state first and runs AV, anti-spam, and web filter as parallel modules. Throughput often drops 60 to 80 percent when all features are enabled.
The practical test: ask the vendor for inspection throughput with IPS, application control, and TLS decryption all on. If the number is more than half the headline rate, the appliance is an NGFW. Our firewall migration plan documents the rule-base audit that exposes this gap before a contract is signed.
Network firewalls vs cloud-native firewalls
Network firewalls protect the boundary of an on-premise or co-located environment. Cloud-native firewalls protect virtual networks inside a hyperscaler. They are not interchangeable. A FortiGate at the office edge cannot see lateral traffic between Azure subnets, and Azure Firewall cannot enforce policy on a Hamilton branch office.
Three cloud-native services dominate Canadian SMB deployments. Microsoft Azure Firewall is the default for Azure-hosted workloads, billed per hour with managed threat intelligence from Microsoft Defender. AWS Network Firewall sits in a VPC and uses Suricata-compatible rules. GCP Cloud Armor pairs DDoS protection with WAF rules in front of load balancers.
For hybrid environments the right pattern is an NGFW at every physical site plus a cloud-native firewall in each cloud tenant, with logs flowing to one SIEM. Backhauling cloud traffic through an on-premise NGFW adds latency and creates a single point of failure.
Web application firewalls (WAF) and where they fit
A WAF inspects HTTP and HTTPS requests bound for a specific web application. It does not replace an NGFW; the two protect different planes. The NGFW protects the network, while the WAF protects the web app.
OWASP guidance frames the WAF as the primary control for the OWASP Top 10: SQL injection, cross-site scripting, broken access control, and the rest. Cloudflare WAF, AWS WAF, and Azure Front Door WAF dominate the Canadian SMB market. On-premise WAFs from F5 and Imperva remain in regulated sectors that require traffic to terminate inside Canada.
If a Canadian SMB runs a customer portal, ecommerce store, or member login, a WAF in front of that app is part of the CIS Controls v8.1 baseline. Without one, the web app is exposed to bot traffic that an NGFW cannot meaningfully filter.
Hardware vs virtual vs cloud delivery
Every major firewall type ships in three delivery models. Choosing the wrong one adds cost without adding security.
| Delivery | Form factor | Strengths | Best fit |
|---|---|---|---|
| Hardware appliance | Dedicated box at site (FortiGate 70F, PA-460) | Predictable throughput, ASIC-accelerated TLS | Branch and HQ edge, on-prem workloads |
| Virtual appliance | VM image on Hyper-V, VMware, KVM | Same OS as hardware, portable, snapshots | Co-location, data centre, hybrid east-west |
| Cloud / SaaS | Azure Firewall, AWS Network Firewall, Cloudflare WAF | Autoscale, API-driven, no hardware refresh | Cloud workloads, public web apps, distributed staff |
The right Canadian SMB stack often blends all three: hardware FortiGate at the office, FortiGate VM in Azure, Cloudflare WAF in front of the customer portal.
How to choose the right firewall for a Canadian SMB
The Canadian Centre for Cyber Security network baseline frames firewall selection as a five-criterion decision. Fusion uses the same rubric on every assessment.
- What is being protected. Office network, cloud workload, public web app, or all three. Each plane wants a different firewall type.
- Inspection depth. Cyber-insurance and PIPEDA expectations now assume TLS decryption, IPS, and identity-aware policy at the edge.
- Throughput with features on. Sustained throughput with IPS, application control, and TLS decrypt all enabled. Headline numbers are marketing.
- Operational ownership. Who patches firmware, rotates certificates, reviews logs, and tunes rules. If no one owns it, the firewall degrades quietly.
- Canadian data residency. Where logs are stored. PIPEDA, PHIPA, Law 25, and BC PIPA all favour Canadian residency.
For most 25 to 200 user Canadian SMBs the answer is a Fortinet FortiGate or Palo Alto NGFW at every physical site, a cloud-native firewall in each cloud tenant, a Cloudflare or AWS WAF in front of public web apps, and a managed contract that names the engineer responsible for each.
Field Note, Mike Pearlstein: A 90-user Toronto firm called Fusion in early 2026 after a phishing-driven account takeover. They had a name-brand NGFW at the edge and EDR on every endpoint. The gap was their Microsoft 365 admin portal: no WAF, no Conditional Access geo-fence, no inspection on the public login surface. The fix was a Cloudflare WAF rule set plus identity-aware policy on the existing FortiGate. Four hours, zero new hardware.
Firewall mistakes that get Canadian SMBs breached
Every firewall type can be deployed badly. Fusion incident reviews show the same patterns across vendors and sectors.
- Treating one firewall as the whole network plan. An NGFW at the edge does nothing for cloud east-west or public web app traffic.
- Leaving TLS decryption disabled. Over 90 percent of web traffic is encrypted. A firewall without selective decryption is blind on most sessions.
- IP-based rules instead of identity. Static IP allowlists break the moment staff work from home. Identity-aware policy through Entra ID or Okta is the modern baseline.
- No log review. CIS Controls v8.1 names log review as a primary control. Without a SIEM or managed SOC, alerts are noise no one reads.
- Skipping the WAF. A public web app behind only an NGFW is exposed to the OWASP Top 10. Bot traffic and credential stuffing run unchecked.
- End-of-support hardware. Once threat-intel feeds and firmware updates stop, the box is a liability. IDC SMB Network Security 2025 puts median Canadian replacement age at 5.4 years.
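As an added example (not code from Fusion or the original article), a small Python audit over constructed FortiGate-style key=value traffic logs that surfaces three of the mistakes above: policies that allow traffic without any user identity (IP-based rules), accepted sessions the firewall could classify only as generic SSL (a sign TLS inspection is off for that traffic), and sources denied on several distinct ports that nobody would notice without log review. The log lines and field names (srcip, action, policyname, user, app) are assumptions I constructed to resemble the FortiOS traffic log format, not data from any real device.

```python
import re
from collections import Counter, defaultdict

# Constructed FortiGate-style key=value traffic log lines (sample data, not from a real device).
# Field names follow the FortiOS traffic log convention as an assumption, not page data.
SAMPLE_LOGS = """\
date=2026-02-03 time=09:12:01 type="traffic" srcip=10.0.10.21 dstip=52.96.1.4 dstport=443 action="accept" policyid=12 policyname="Office-to-SaaS" user="jdoe" app="Microsoft.Office.365"
date=2026-02-03 time=09:12:05 type="traffic" srcip=10.0.10.22 dstip=142.250.1.1 dstport=443 action="accept" policyid=12 policyname="Office-to-SaaS" user="asmith" app="Google.Workspace"
date=2026-02-03 time=09:13:10 type="traffic" srcip=10.0.20.5 dstip=203.0.113.9 dstport=443 action="accept" policyid=31 policyname="Legacy-IP-Allow" app="SSL"
date=2026-02-03 time=09:13:11 type="traffic" srcip=10.0.20.5 dstip=203.0.113.9 dstport=22 action="deny" policyid=0 policyname="Implicit-Deny"
date=2026-02-03 time=09:13:12 type="traffic" srcip=10.0.20.5 dstip=203.0.113.10 dstport=3389 action="deny" policyid=0 policyname="Implicit-Deny"
date=2026-02-03 time=09:13:13 type="traffic" srcip=10.0.20.5 dstip=203.0.113.11 dstport=445 action="deny" policyid=0 policyname="Implicit-Deny"
date=2026-02-03 time=09:14:00 type="traffic" srcip=10.0.20.6 dstip=198.51.100.7 dstport=443 action="accept" policyid=31 policyname="Legacy-IP-Allow" app="SSL"
"""

# key=value pairs; values may be double-quoted (quotes are stripped in parse_line)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def audit(raw_logs, deny_threshold=3):
    """Rule-base and log-review summary for the mistakes listed above."""
    accepts_by_policy = Counter()     # accepted sessions per policy name
    identity_by_policy = Counter()    # ...of which carried a user identity
    opaque_tls = 0                    # accepted sessions classified only as generic "SSL"
    denies_by_src = defaultdict(set)  # srcip -> set of denied destination ports
    for line in raw_logs.splitlines():
        ev = parse_line(line)
        if ev.get("action") == "accept":
            pol = ev.get("policyname", "?")
            accepts_by_policy[pol] += 1
            if ev.get("user"):
                identity_by_policy[pol] += 1
            if ev.get("app") == "SSL":
                opaque_tls += 1
        elif ev.get("action") == "deny":
            denies_by_src[ev.get("srcip", "?")].add(ev.get("dstport"))
    # A policy that allowed traffic without ever matching a user is an IP-based rule.
    ip_only = sorted(p for p in accepts_by_policy if identity_by_policy[p] == 0)
    # A source denied on several distinct ports deserves a human look, not silent discard.
    noisy = sorted(ip for ip, ports in denies_by_src.items() if len(ports) >= deny_threshold)
    return {"ip_only_policies": ip_only, "opaque_tls_sessions": opaque_tls, "noisy_sources": noisy}
```

On the constructed sample, `audit(SAMPLE_LOGS)` flags the Legacy-IP-Allow policy as identity-blind, counts two accepted sessions the firewall saw only as SSL, and lists 10.0.20.5 as a source worth reviewing.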
Why firewall type maps to threat plane: NIST SP 800-41 Guidelines on Firewalls and the Canadian Centre for Cyber Security network baseline both frame firewall selection by what is being protected, not by vendor. The Gartner Magic Quadrant for Network Firewalls (2025) places Fortinet, Palo Alto Networks, Check Point, and Cisco in the Leaders quadrant for NGFW. Sources: NIST SP 800-41, cyber.gc.ca, Gartner Magic Quadrant for Network Firewalls 2025.
Why WAF and NGFW are not substitutes: OWASP guidance names the WAF as the primary control for the OWASP Top 10 web application risks. CIS Controls v8.1 lists web application firewalls as a separate safeguard from network firewalls under control 13. Together they protect different planes of a Canadian SMB stack. Sources: OWASP WAF guidance, CIS Controls v8.1.
Frequently asked questions
What are the main types of firewalls?
Seven categories matter in 2026: packet filter, stateful inspection, proxy, next-generation firewall (NGFW), unified threat management (UTM), web application firewall (WAF), and cloud-native firewall. Each inspects traffic at a different layer and protects a different threat plane.
Is an NGFW the same as a UTM?
No. An NGFW runs application identification and IPS on the same policy engine at production throughput. A UTM bundles stateful inspection with AV, anti-spam, and basic web filtering, and throughput often drops sharply when features are enabled.
Do I need both an NGFW and a WAF?
Yes if a public web app is in scope. The NGFW protects the network, the WAF protects the application. OWASP guidance and CIS Controls v8.1 both treat them as separate safeguards.
What is a cloud-native firewall?
A firewall delivered as a managed service inside a hyperscaler. Microsoft Azure Firewall, AWS Network Firewall, and GCP Cloud Armor are the three Canadian SMBs encounter most. They protect VPC traffic and public-facing services, billed by usage.
Hardware, virtual, or cloud delivery: which is best?
Most Canadian SMBs use all three. Hardware NGFW at every office, virtual NGFW in the data centre or co-location, and a cloud-native firewall plus WAF in each cloud tenant. The right delivery follows the workload.
FortiGate, Palo Alto, or Cisco for a Canadian SMB NGFW?
FortiGate is the Fusion default for 10 to 200 users on price-to-feature and FortiAnalyzer logging. Palo Alto Networks fits regulated environments at higher cost. Cisco Firepower suits sites already running Cisco networking gear.
Where does Cloudflare WAF fit?
In front of any public web app, customer portal, or ecommerce site. It blocks the OWASP Top 10, throttles bots, and virtual-patches known CVEs without code changes.
How long does a firewall last before replacement?
IDC SMB Network Security 2025 puts median Canadian firewall age at replacement at 5.4 years. End-of-support hardware and TLS-inspection throughput shortfalls are the common triggers.
Does a firewall replace EDR?
No. The firewall defends the network; EDR defends the device. A defensible stack runs both with logs flowing to one review queue.
Do firewalls help with PIPEDA compliance?
Yes. PIPEDA, PHIPA, Law 25, and BC PIPA all expect documented technical safeguards. Firewall inspection logs, change records, and segmentation policy provide evidence of “reasonable” safeguards.