Is the new router CCR2116-12G-4S+ https://mikrotik.com/product/ccr2116_12g_4splus is a next generation firewall?


https://www.cisco.com/c/en/us/products/ ... w-firewall

A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

Marketing generates new names for old technologies. Seems that Next Generation Firewall is a new name for UTM just to sold you same technology again.

MikroTik’s firewall is not next gen and I do not believe that MikroTik want to be in that arena. Next gen firewalls work very comfortably in layer 7 very close to wire speed … they are in a class of their own.

NGFWs are able to block malware from entering a network, something that traditional firewalls would never be able to achieve. They are better equipped to address Advanced Persistent Threats (APTs).

https://digitalguardian.com/blog/what-n ... -firewalls

MikroTik’s firewall is not next gen and I do not believe that MikroTik want to be in that arena. Next gen firewalls work very comfortably in layer 7 very close to wire speed … they are in a class of their own.

NGFWs are able to block malware from entering a network, something that traditional firewalls would never be able to achieve. They are better equipped to address Advanced Persistent Threats (APTs).

https://digitalguardian.com/blog/what-n ... -firewalls

So how do i like see statictics of wwhere traffic is comming from? what countries? locations? what IPs are making most requests etc?
Those are features am looking for not virus scanning or the other NGFW features
Just want modern traffic reporting

MikroTik’s firewall is not next gen and I do not believe that MikroTik want to be in that arena. Next gen firewalls work very comfortably in layer 7 very close to wire speed … they are in a class of their own.

NGFWs are able to block malware from entering a network, something that traditional firewalls would never be able to achieve. They are better equipped to address Advanced Persistent Threats (APTs).

https://digitalguardian.com/blog/what-n ... -firewalls

most NGFW take a hit from 5x to 20x in throughput when using full threat protection

most NGFW only reach wire speed when performing standard-basic firewall

So how do i like see statictics of wwhere traffic is comming from? what countries? locations? what IPs are making most requests etc?
Those are features am looking for not virus scanning or the other NGFW features
Just want modern traffic reporting

A MikroTik Router can log your traffic and send those logs to a syslog server that has reporting capabilities based on the criteria you select by using the Log Analyzer ... that's how .. check out SolarWinds group of products

So how do i like see statictics of wwhere traffic is comming from? what countries? locations? what IPs are making most requests etc?
Those are features am looking for not virus scanning or the other NGFW features
Just want modern traffic reporting

A MikroTik Router can log your traffic and send those logs to a syslog server that has reporting capabilities based on the criteria you select by using the Log Analyzer ... that's how .. check out SolarWinds group of products

For the price of solarwind log analyzer, i might as well pay for fortigate/sophos licensing to get full NGFW features

MikroTik’s firewall is not next gen and I do not believe that MikroTik want to be in that arena. Next gen firewalls work very comfortably in layer 7 very close to wire speed … they are in a class of their own.

NGFWs are able to block malware from entering a network, something that traditional firewalls would never be able to achieve. They are better equipped to address Advanced Persistent Threats (APTs).

https://digitalguardian.com/blog/what-n ... -firewalls

most NGFW take a hit from 5x to 20x in throughput when using full threat protection

most NGFW only reach wire speed when performing standard-basic firewall

for my use-case, i don't need crazy performance, i only need to connect like a few servers for a 12U colocation
that is key here, my use-case => viewtopic.php?t=183660

Is not necessary pay for syslog server.

PRTG network analyzer also comes with syslog server sensors to put log into it. While you don't exceed 100 sensors with this program, it can be free.

Also you have free Linux solutions like Adiscon LogAnalyzer.

Regards.

For the price of solarwind log analyzer, i might as well pay for fortigate/sophos licensing to get full NGFW features

My personal preference in NGFW is Juniper or Untangle software running in a custom black box ... but there are lots of open source log analyzers that do not cost money but do cost lots of time learning how to

MikroTik’s firewall is not next gen and I do not believe that MikroTik want to be in that arena. Next gen firewalls work very comfortably in layer 7 very close to wire speed … they are in a class of their own.

NGFWs are able to block malware from entering a network, something that traditional firewalls would never be able to achieve. They are better equipped to address Advanced Persistent Threats (APTs).

https://digitalguardian.com/blog/what-n ... -firewalls

most NGFW take a hit from 5x to 20x in throughput when using full threat protection

most NGFW only reach wire speed when performing standard-basic firewall

The CPUs are now more powerful and capable
and they have been working great so far in the business
there is need for NGFW just same as there is use for non-NGFW

Simple! NO, Mikrotik is not a NGFW.

If we compare Mikrotik with Ubiqity Unifi, then Unifi, for example, uses "Policy based firewall", which is easier to configure and possibly even more secure. It could be?

Possibly? What are you talking about

I'm not sure, so I asked. I read something like this in other forums, so the question arose.

Possibly? What are you talking about

If router administrator isn't highly skilled, then using some simpler interface (whatever it's called) can end up with more secure settings.

If we compare Mikrotik with Ubiqity Unifi, then Unifi, for example, uses "Policy based firewall", which is easier to configure and possibly even more secure. It could be?

Suggest that when mixed in with posts from posters that know and deal with all ranges of products, your half baked maybe statement really has no helpful input into the discussion.
Do you have evidence of what you speak, or is this just vapour talk???

This is not a question --> If we compare Mikrotik with Ubiqity Unifi, then Unifi, for example, uses "Policy based firewall", which is easier to configure and possibly even more secure.

Hi,
I think you are just confusing policy based FW with zone based FW. Every firewall has a policy, even Mikrotik FW has a policy (those are all the rules together). Mikrotik can also have a zone based FW config if you are using interface lists as zones. Zones just abstract away (are just names for) mostly interfaces.
As for NGFW or UTM, there is no real definition, so without a definition its not really possible to tell about MT if it can be considered one.
The real FW vendors provide you almost all the same features today:
-stateful firewall, with multiple policies for multiple routing tables (VRFs), subpolicies
-centralised management and logging
-URL filtering (this does not rely on DNS) and you can just block groups like "Social Media", you don´t maintain those, they are provided by the vendors
-DNS blackholing
-lots of dynamic VPN stuff, like dynamically routing over the VPN link with lover latency and so on
-NAT trickery, like SRCNAT to the Internet by hash of SRC IP
-Virus scanner and even sandbox VMs for downloaded files
-TLS man in the middle (you install the CA certificate generated by yourself into all your clients, so they trust you)
-intrusion prevention (IPS or deep packet inspection)
-application intelligence (for example assigning streaming video to low priority queue and shaping it down)
-portal with different authentication methods to enable some FW rule
-nested firewall objects
-VPN client
-advanced HA + all the routing protocols
-and a few more features, but no ZeroTier or Wireguard, however they mostly have Ipsec VTI
-a hefty price tag is also included >1,5-5000$ for a small office+subscriptions for virus signatures, cloud based stuff

All the best
W

@Woland
NGFW was coined by Gartner 2003 … since then many FW vendors adopted that acronym..

MikroTik cannot be classified as NGFW in any way shap or form because it does not posses any of the attributes the industry ascribes to NGFW.
While a traditional firewall like that found in Tik Routers —- that typically provides stateful inspection of incoming and outgoing network traffic —- >>> a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

That it, that all …. End of story

@Woland
NGFW was coined by Gartner 2003 … since then many FW vendors adopted that acronym..

MikroTik cannot be classified as NGFW in any way shap or form because it does not posses any of the attributes the industry ascribes to NGFW.
While a traditional firewall like that found in Tik Routers —- that typically provides stateful inspection of incoming and outgoing network traffic —- >>> a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

That it, that all …. End of story

Yeh I have seen that Phishy homepage too. but you may find a hundred slightly different definitions across the net. I agree: the MTs are not NGFWs by any definition.

NGFW was coined by Gartner 2003 … since then many FW vendors adopted that acronym..…. End of story

Wow .... Gartner coined ...
Technology rewrapped with a new name to sell "same new toys" to boys and girls again and again.
"Money makes ...>>names<<... go round" https://www.youtube.com/watch?v=PIAXG_QcQNU

NGFW was coined by Gartner 2003 … since then many FW vendors adopted that acronym..…. End of story

Wow .... Gartner coined ...
Technology rewrapped with a new name to sell "same new toys" to boys and girls again and again.
"Money makes ...>>names<<... go round" https://www.youtube.com/watch?v=PIAXG_QcQNU

i preffer this https://youtu.be/JkhX5W7JoWI

I don't think this router is much different from previous models. Also, these routers are not necessary for regular users, as they are probably designed for business. We have a $700 router at work, and it works great. The router became high-speed after we contacted IT support in Kent to set up the data path