Firewall discussions can get tribal fast.
Fortinet people like Fortinet. Palo Alto people like Palo Alto. SonicWall, Check Point, and Sophos all have their defenders too. That is normal. People tend to trust the platforms they know well, especially when those platforms have saved them time during an outage or helped them solve a messy network problem.
There are real differences between firewall products. Licensing models differ. Management interfaces differ. VPN behavior differs. Reporting differs. High availability, SD-WAN, threat prevention, identity integration, and cloud management all vary from vendor to vendor.
But there is a point that gets lost in brand arguments:
A skilled person with an average firewall will usually outperform an unskilled person with a better platform.
Skill matters. Configuration matters. Maintenance matters. Review matters.
The firewall is not magic. It is a control point that has to be designed, configured, updated, monitored, and periodically questioned.
The 2026 Gartner Peer Insights Short List
Gartner Peer Insights currently lists several familiar names under its public Hybrid Mesh Firewall Top Trending Products. For this roundup, I looked at these five:
- FortiGate: Next Generation Firewall
- PA-Series
- SonicWall TZ Series
- Check Point Quantum
- Sophos Firewall
This is not a declaration that one product is automatically better for every business. It is a practical way to frame a comparison using products many organizations already know, buy, manage, or inherit.
The Bad CVE Argument
One line I see tossed around too casually is:
“That firewall has vulnerabilities.”
Of course it does.
All major software products have defects. All major security products have vulnerabilities. Firewalls are complex systems. They inspect traffic, terminate VPNs, parse protocols, enforce policy, decrypt traffic, integrate with identity systems, run management interfaces, and expose administrative services. That is a lot of code and a lot of attack surface.
Raw CVE count by itself is not a very useful way to judge a firewall vendor.
A vendor with a mature security program may find, disclose, and fix more vulnerabilities than a peer with weaker research, weaker disclosure practices, or less visibility. More CVEs can mean more defects. It can also mean more scrutiny.
The useful questions are different:
- How quickly does the vendor publish advisories?
- Are fixes available and clearly documented?
- Are customers told which versions are affected?
- Are exploited issues handled with urgency?
- Does the product make upgrades realistic for smaller teams?
- Can administrators easily see what version they are running?
- Are management services exposed only where they need to be?
- Does the organization actually patch the firewall?
CVE data matters, but it needs context.
The Quick and Dirty CVE Snapshot
Using my local CVE database and the best available CVSS score per CVE, I grouped related firewall product records together and excluded obvious non-firewall products.
This is not a product ranking. It is a snapshot of matched CVE records in the local dataset.
| Gartner product | Grouped local CPE products | CVEs | Avg CVSS | Avg severity | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|
| FortiGate NGFW | FortiOS, FortiGate models | 273 | 6.83 | Medium | 29 | 94 | 144 | 6 |
| PA-Series | PAN-OS, PA models | 209 | 7.31 | High | 60 | 60 | 85 | 4 |
| SonicWall TZ Series | SonicOS, SonicOSv, TZ models | 71 | 7.18 | High | 12 | 27 | 32 | 0 |
| Check Point Quantum | Quantum, Gaia, Firewall-1, VPN-1, Security Gateway rows | 67 | 6.72 | Medium | 8 | 29 | 29 | 1 |
| Sophos Firewall | Sophos Firewall, SFOS, XG, UTM, Astaro, Cyberoam | 51 | 7.90 | High | 18 | 19 | 13 | 1 |
Assumptions Behind the Table
- I treated Gartner Peer Insights public Top Trending Products as the comparison set.
- I grouped all versions and hardware models together.
- I excluded obvious non-firewall products, including FortiManager, FortiAnalyzer, Palo Alto GlobalProtect, Sophos endpoint and email rows, and SonicWall SMA.
- All five product groups had CVSS coverage for every matched CVE, so there were no unknown-severity rows in this comparison.
There are limits to this approach.
Grouping all versions together means older product history can influence the count. Hardware models and software platforms are not always cleanly separated in public vulnerability data. Product naming changes over time. CPE matching is useful, but it is not perfect.
That is why I would not use this table to say, “buy this firewall” or “avoid that firewall.”
I would use it to make a more practical point: every major firewall platform needs a patching and lifecycle plan.
What the Numbers Actually Say
The numbers do not prove that one vendor is careless and another vendor is safe.
They do show that firewalls are living software platforms. They accumulate vulnerabilities. Some are serious. Some are remotely exploitable. Some affect management interfaces, VPN features, web portals, authentication flows, packet parsing, or operating system components under the hood.
That should not surprise anyone who has managed firewalls for a while.
The real risk usually shows up when three things meet:
- an affected firewall version
- exposure to an untrusted network
- delayed patching or weak configuration
That combination is where brand debates stop mattering and operations start mattering.
If a firewall’s management interface is exposed to the internet, the product name is not the first question. The first question is why it is exposed. The second question is whether it is patched. The third question is who owns checking that tomorrow, next month, and after the next advisory drops.
The Product Does Not Run Itself
Firewalls require care and feeding.
First, someone has to know how to use the platform. Not just enough to create an allow rule, but enough to understand zones, NAT, VPNs, logging, firmware trains, inspection profiles, identity rules, threat prevention, backups, and rollback options.
Then that knowledge has to be maintained. Firewall products change. Features get added. Defaults shift. Licensing changes. Cloud management gets introduced. VPN clients age out. Certificate handling changes. New inspection features appear. Old configuration habits may stop being best practice.
The configuration also needs periodic review.
Rules that made sense three years ago may not make sense today. Temporary vendor access can become permanent. A test rule can survive long after the test is over. An old VPN account can stay enabled because nobody owns the cleanup. Logging can be turned on but never reviewed. Firmware can sit behind because nobody wants to risk touching the edge device.
That is how firewalls become risky. Usually not all at once. Usually one exception at a time.
A Practical Firewall Care Checklist
At a minimum, every organization should be able to answer these questions:
- Who owns firewall administration?
- Who approves firewall rule changes?
- When was the rule base last reviewed?
- Are management interfaces restricted to trusted networks?
- Is remote access protected with MFA?
- Are local admin accounts limited and documented?
- Is the current firmware or software version supported?
- How quickly are critical firewall advisories reviewed?
- Are configuration backups taken before and after major changes?
- Has restore or replacement been tested?
- Are logs going somewhere useful?
- Does anyone review blocked traffic, VPN activity, and admin logins?
- Are old VPN users, vendors, and site-to-site tunnels cleaned up?
- Is there a maintenance window process for updates?
- Does leadership understand the risk of delaying firewall patches?
These questions are not glamorous. They are also where a lot of real security improvement lives.
What I Would Tell a Small Business
Do not buy a firewall only because a chart says it is popular.
Do not reject a firewall only because someone found CVEs for it.
Do not assume your MSP, IT provider, or internal administrator is automatically reviewing it the way you think they are.
Instead, focus on fit and ownership.
For a small business, a good firewall choice is one your support team can manage well, patch reliably, monitor consistently, and explain clearly. The best product on paper can become a liability if nobody understands it. A less glamorous product can perform well when it is configured carefully, maintained regularly, and reviewed with discipline.
That does not mean all products are equal. They are not.
It means buying the firewall is only the beginning.
The Bottom Line
Firewalls are still important. They are also not set-it-and-forget-it products.
The product matters, but the operating model matters more. A firewall needs a clear owner, current firmware, reviewed rules, restricted management access, tested backups, useful logging, and someone paying attention when advisories come out.
If you need help reviewing your firewall, choosing a platform, planning an upgrade, or making sense of the current landscape, MN Risk & Cybersecurity Advisory can help. We have extensive firewall experience and can help you turn the firewall from a mystery box into a managed control.