
The next-generation firewall made history.
Now, it may be history.

Detecting and stopping today’s advanced threats requires more than traditional stateful or next-generation firewalls.

Threats are lurking in encrypted traffic

The dramatic explosion in encrypted traffic in the last few years has allowed hackers to leverage SSL to infect users, shroud data exfiltration, and hide C&C communications. Today, 54% of advanced threats hide behind SSL. It’s no longer optional – you must conduct SSL inspection to ensure security and protect your users.

Source: Google Transparency Report 2016


Traditional firewalls struggle to inspect encrypted traffic

Unfortunately, traditional firewalls were not designed to decrypt your traffic. SSL inspection is processor-intensive, and most firewall appliances simply can’t handle it: performance grinds to a halt when they try. As a result, inspecting SSL on an appliance often requires you to upgrade your hardware to support it.

To detect SSL-encrypted malware at scale, you need a proxy-based architecture in the cloud

Zscaler Cloud Firewall is built upon a highly scalable proxy architecture that handles SSL inspection at scale. Our footprint allows us to process increasing SSL bandwidth and sessions without costly upgrades or reduced inspection. As a result, you get limitless SSL decryption on all ports at a flat per-user cost.


Relying on UTM and NGFW appliances to secure internet traffic is costly, results in appliance sprawl, and compromises branch security.

Traditional firewalls have blind spots

Traditional firewalls leverage IPS and AV to protect against signature-based threats, which make up a small fraction of the total threat landscape. But almost ninety percent of signatures were written for HTTP and DNS [2]. To fully inspect HTTP and DNS traffic, you must have a proxy-based architecture; signature-based protection is no longer enough.

Source: [2] ThreatLabz analysis of Snort free registered user ruleset, snapshot 2990: outbound, active, vulnerabilities

Protecting your most vulnerable protocols

Zscaler Cloud Firewall uses an advanced deep packet inspection engine and proxy-based architecture to proxy everything that appears to be HTTP/HTTPS, DNS, or FTP traffic, regardless of the port. So you get the ability to find more threats for your most vulnerable protocols, whether your users are at HQ, at a branch office, or remote.
