SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
The Death of the Firewall

Fri, 8th May 2026
Chandrodaya Prasad, Chief Product Officer, SonicWall

It was supposed to be obsolete by now. Twenty years of obituaries later, the firewall is still here. Here's why it isn't going anywhere.

The firewall has been dying for a long time.

In the early 2000s, application-layer awareness was supposed to make packet inspection obsolete. The rise of mobile devices was supposed to dissolve the perimeter. Cloud adoption was supposed to make on-premises appliances irrelevant. Zero Trust sealed the deal: the firewall was a relic of a security philosophy built for a world that no longer existed.

Today, the global firewall market is valued at roughly $6 billion and growing. Enterprise refresh cycles are active. Mid-market and small- to medium-sized business (SMB) deployments keep expanding. For a technology declared dead more times than any other in security, the firewall has a remarkable record of surviving its own obituaries.

The question worth asking isn't whether the firewall is dead. It's why every generation of security innovation has failed to kill it, what that tells us about the nature of network security and what the firewall could become over the next decade as the environment around it continues to change.

Analysts wrote the obituaries. Vendors positioned against it. Conference panels debated the timeline. The firewall has been declared dead more times than any other product in security. But the firewall keeps shipping anyway.

Why the Obituaries Were Written

The predictions weren't unreasonable. They were just incomplete.

The logic was sound on its face. If your data lives in AWS, your applications run in Azure and your workforce is distributed across home offices and coffee shops, what exactly is sitting between the attacker and the asset that a box in a data center rack is protecting?

That question drove real architectural change. ZTNA, identity-based authentication, cloud-delivered web gateways and browser isolation all addressed genuine gaps the classic firewall could not cover.

SonicWall embraced that shift. Our cloud-delivered security services, ZTNA capabilities and cloud-based management platforms reflect an honest acknowledgment that identity verification, application access control, DNS filtering and threat intelligence are better delivered from infrastructure that scales elastically and updates continuously.

All of that is true. And still, none of it killed the firewall.

The reason for the firewall's resilience comes down to something the cloud-first argument consistently undervalues: traffic still has to flow somewhere. And the point where traffic flows is the point where policy can be enforced.

From Appliance to Architecture: How the Firewall Changed Shape

The original firewall was a box in a rack. It was a standalone appliance at the perimeter, inspecting packets against a static ruleset.

That world is gone.

The firewall did not go with it.

It transformed through three phases, each declared to be its replacement, each becoming its next evolution.

Phase 1: Convergence with Networking (SD-WAN Era): As SD-WAN took hold, treating the firewall and the WAN edge as separate problems stopped making sense. The two functions collapsed into a single platform. The firewall became a network security device, managing connectivity, enforcing policy and optimizing traffic from one control plane to another. For mid-market organizations, that convergence cut complexity and reduced device sprawl.

Phase 2: Extension to the Cloud (SASE/SSE): When users moved off the corporate network, and workloads shifted to SaaS and IaaS, backhauling traffic to a physical appliance became unsustainable. SASE and SSE moved web filtering, threat inspection, ZTNA and application access control into the cloud delivery layer. The physical firewall became the on-premises anchor, with cloud enforcement handling remote users and the appliance handling local traffic and fixed infrastructure.

Phase 3: Intelligence at the Edge (AI-Driven Enforcement): The current transition, covered in detail below, moves the firewall from rule-based enforcement to a continuously learning enforcement node, drawing on cloud-scale AI to stay current against an accelerating threat landscape.

Standalone box. Converged SD-WAN platform. SASE/SSE node. AI-driven enforcement engine. Each transition was called the firewall's death. Each became its next form.

The Persistent Case for an Inline Device

Cloud security architectures are genuinely powerful for controlling access to cloud resources and protecting distributed users. What they cannot replicate is deep, low-latency inspection of traffic at the point where a physical network meets everything else.

Hybrid Deployment Models: Most environments are not fully cloud-native. On-premises infrastructure, legacy systems that cannot be migrated, OT on the plant floor, building automation, local network segments - all of it carries traffic that never touches the public internet. An inline device is the most direct control point for all of it.

Performance: Routing all traffic through a cloud inspection point introduces latency. For latency-sensitive applications, that tradeoff is sometimes unacceptable. A co-located appliance enforces policy at wire speed, without the round-trip to a cloud enforcement point.

High Availability and Redundancy: A security architecture that depends entirely on cloud connectivity fails when connectivity is disrupted. A physical device enforcing local policy during a WAN outage provides resilience that a cloud-only model cannot. In healthcare, manufacturing, and utilities, that is not a nice-to-have. It is a requirement.

Data Going Dark: Over 95% of enterprise traffic is TLS-encrypted, including the sessions attackers use to deliver malware, exfiltrate data and reach command-and-control infrastructure. A next-gen firewall (NGFW) performing inline TLS inspection decrypts, inspects and re-encrypts that traffic in real time. Cloud proxies cover remote users. Endpoint agents cover devices. Neither inspects encrypted east-west traffic between internal systems or catches exfiltration hidden inside HTTPS. Attackers know which paths go uninspected. The firewall closes them. And the encryption landscape itself is shifting, as nation-state adversaries are harvesting encrypted traffic today to decrypt once quantum computing matures. As organizations migrate to NIST-standardized post-quantum cryptography algorithms, the firewall is the enforcement point where quantum-safe TLS inspection gets implemented. That migration makes the refresh cycle more urgent, not less.

These are not arguments against cloud security - they are arguments for why the two models are complementary rather than substitutes. Organisations that have tried to go fully cloud-native have consistently found themselves building exceptions for exactly these scenarios.

An inline device enforces policy where traffic actually flows. That capability doesn't disappear when workloads move to the cloud.

What the Firewall Is Actually Becoming

The honest conversation about the firewall's future requires separating the function from the feature set.

Threat intelligence feeds, signature updates, behavioral analytics and sandboxing will move to the cloud. That migration is underway. The appliance that offloads the right workloads while retaining the functions requiring local execution wins. The one that tries to do everything locally does not.

What remains in the device, and what justifies its presence for the foreseeable future, is the set of functions that are fundamentally dependent on being inline on the traffic path:

High-speed traffic inspection at the network edge, where latency constraints make cloud routing impractical.

Inline TLS/SSL decryption and inspection of encrypted traffic, covering more than 95% of enterprise sessions and the exfiltration channels attackers increasingly use to move data out undetected.

Post-quantum cryptography readiness. As organizations migrate to NIST-standardized PQC algorithms, the firewall is the inspection point where quantum-safe TLS gets enforced. Nation-state adversaries are already harvesting encrypted traffic today to decrypt once quantum capability matures. The inline device is where that threat gets addressed at the network level.

Enforcement of segmentation policy within local networks, isolating operational technology from IT infrastructure and containing lateral movement. Ransomware propagates by moving laterally after initial compromise; network segmentation enforced at the device level remains one of the most effective controls for limiting blast radius.

Local policy execution during connectivity disruptions, ensuring that security doesn't fail open when the WAN link goes down.

Deep packet inspection for protocols that don't traverse cloud inspection points, including traffic between on-premises systems that never leaves the building.

Physical integration with operational technology environments, where the device sits adjacent to industrial control systems and must enforce policy at the hardware level.

The future firewall is a specialized enforcement engine: handling traffic that must be handled locally, anchoring the hybrid architecture and integrating tightly with cloud services that handle everything else.

That's a different product than what vendors built in 2005. It's also a product that will be deployed, refreshed and maintained for decades.

The OT and IoT Reality

No single factor better secures the firewall's long-term relevance than the growth of operational technology and connected devices at the network edge.

Manufacturing floors run equipment with 20-year lifecycles that cannot be patched, updated or migrated to cloud management. Hospitals operate medical devices on isolated network segments because those devices cannot tolerate the latency or complexity of cloud-based access controls. Utilities manage grid infrastructure where the consequences of a security failure extend well beyond data loss into physical safety.

For all of these environments, a device that enforces segmentation, monitors traffic and controls access at the network level is the primary security control, not optional infrastructure. Attempting to secure a manufacturing floor full of legacy PLCs through identity-based policies and cloud-delivered enforcement is a thought experiment, not an architecture.

IoT devices compound this. They do not run agents. They cannot authenticate to identity providers. They communicate over protocols that identity-centric models were not designed to handle. Securing them requires a device inline in their traffic path. That is a firewall.

Compliance requirements reinforce the same conclusion. PCI-DSS, HIPAA and NERC CIP all reference network-level controls explicitly. Auditors look for firewalls. Regulators mandate them. For organizations in financial services, healthcare and critical infrastructure, removing the firewall is not an architectural decision they can make unilaterally. It is a compliance violation.

OT environments run equipment on 20-year lifecycles. The device that secures them needs to be physically present, inline, and built to last.

The Architecture of the Next Decade

The next decade will not be defined by a choice between cloud and on-premises. It will be defined by how well vendors integrate the two. Cloud delivers what benefits from scale: identity, threat intelligence, behavioral analytics and application access policies. Physical devices handle what requires local execution: inline inspection, segmentation enforcement, survivability and OT/IoT security. The firewall's role is more specialized than it was, more tightly integrated with cloud services and more focused on the scenarios where local enforcement is irreplaceable. That is not diminishment. It is clarity.

At SonicWall, appliance and cloud are not competing propositions. They are complementary layers of a unified architecture.

The debate about whether the firewall is dead was always a false choice between two things that need each other.

AI Is Reshaping This Landscape Faster Than We Can Evolve

Prior architectural shifts played out over years. SD-WAN, SASE, SSE: organizations had time to evaluate and migrate. AI is not following that pattern. The threat landscape and the tooling built to address it are both moving faster than most organizations can track.

On offense, AI has lowered the skill floor for sophisticated attacks. Phishing is generated at scale with high personalization. LLMs accelerate vulnerability research, automate lateral movement and adapt malware to evade signature detection in near-real time. Volume and sophistication are rising together.

On defense, AI is replacing rule-based enforcement. Behavioural analytics continuously refine what normal looks like and flag deviations in real time. A firewall dependent on a signature update cycle is already behind. One that learns from traffic patterns across thousands of deployments and adjusts posture dynamically operates in a different category.

No single appliance can process the telemetry needed to stay current against an AI-accelerated adversary. The devices that will matter going forward are those connected to cloud-based AI that learns from the entire install base and delivers updated threat enforcement to the edge, automatically, in real time. The firewall becomes a local execution point for intelligence that lives in the cloud.

AI will not kill the firewall. It will transform it more profoundly than any shift before it, from a policy enforcement box to a continuously learning enforcement agent.

A Final Thought on Predictions

The core function of inspecting and controlling traffic at a network boundary has proven more durable than any specific implementation of it. Organisations do not replace working infrastructure without a compelling reason, and nothing has provided one compelling enough to remove the device that sits at the edge.

Every generation of security architecture that claimed to make the firewall obsolete was solving a specific failure mode of the previous model.

Cloud security addressed protecting distributed users.

Zero trust addressed implicit trust inside the network.

Identity-centric models addressed network location as a proxy for trust.

None of them solved for the need to inspect and control traffic at the point where it flows. That need hasn't gone away.

And it won't.

The firewall isn't dying. It's specializing. And in a security landscape that grows more complex with every passing year, a device with a clear and irreplaceable function is a device with a long future ahead of it.