NSS Labs reports uneven evasion resistance in firewall tests

NSS Labs' 2025 enterprise firewall comparative report tested seven widely deployed products against real-world exploits, malware, evasion techniques, and encrypted workloads, revealing varied evasion resistance and differing encrypted throughput that matter for procurement and risk planning.

Research Overview

The evaluation deployed each firewall inline between trusted and untrusted networks and exercised mixed plain-text and encrypted traffic to mirror enterprise conditions.

Test inputs included 3,326 exploit samples, 11,311 malware samples, 5,752 evasion variations across 53 categories, and 55 performance stress tests covering Hypertext Transfer Protocol (HTTP), HTTPS, and User Datagram Protocol (UDP) traffic.

Key Findings

Three products received Recommended ratings—Check Point, Juniper Networks, and Versa Networks—each showing security effectiveness above 99 percent and high false-positive accuracy.

Three participants—Cisco, Fortinet, and Palo Alto Networks—received Caution ratings primarily because of gaps in handling low-level evasion techniques, with reported exploit-evasion resistance dropping to 40 percent for Cisco, 60 percent for Fortinet, and 0 percent for Palo Alto Networks in the noted categories.

Technical Breakdown

The report measured not only exploit and malware detection but also resistance to 53 evasion categories, TLS/SSL handling, false-positive accuracy, and sustained throughput weighted to reflect that about 95 percent of web sessions are encrypted.

Throughput and stability were assessed under sustained enterprise-grade loads to show how decryption and evasion handling affect protection and performance in realistic deployments.

Product Update

Palo Alto Networks and Fortinet publicly acknowledged the test findings, issued software updates within a short interval, and scheduled retesting for the affected products.

The report frames vendor responsiveness as part of operational risk management, noting that remediation and transparent validation can change comparative ratings after fixes are verified.

Operational Impact

NSS Labs replaced a price-per-protected-megabit metric with false-positive accuracy to better represent operational overhead; Cisco reported about 80 percent accuracy, while Palo Alto, Versa, and Fortinet exceeded 99 percent in resistance to false-positive scenarios.

Performance varied under encrypted traffic: Versa reported the highest sustained throughput at 7.6 Gbps, Juniper balanced speed and protection, Fortinet offered a notable value profile, and Palo Alto and Cisco showed lower decryption efficiency near the reported 70 percent range compared with Versa and Juniper at roughly 80–90 percent.

The report shows uneven evasion handling and varied encrypted throughput, factors enterprise IT and security teams should weigh in procurement, configuration, and risk assessments. This 'Blog Signals brief' is a fact-based summary of the vendor blog.