The firewall has been dying for a long time. In the early 2000s, we thought application-layer awareness would make packet inspection obsolete. Mobile devices were supposed to dissolve the perimeter. Cloud adoption was supposed to make on-premises appliances irrelevant. Zero Trust sealed the deal: the firewall was a relic of a security philosophy built for a world that no longer existed.
For MSPs managing hybrid customer environments, this long‑running firewall debate directly affects how they secure, sell, and support networks. Today, the roughly $6 billion global firewall market is still growing, with enterprise refresh cycles active and SMB deployments expanding.
The question worth asking isn’t whether the firewall is dead; it’s why every generation of security innovation has failed to kill it.
Why the Obituaries Were Written
To understand why MSPs and customers still question the firewall’s relevance, it helps to revisit what drove those predictions in the first place. If your data lives in AWS, your applications run in Azure and your workforce is distributed across home offices and coffee shops, what exactly is a box in a data center rack protecting?
That question drove real architectural change. Zero Trust Network Access (ZTNA), identity-based authentication, cloud-delivered web gateways, and browser isolation all addressed genuine gaps the classic firewall could not cover. And still, none of it killed the firewall.
The reason comes down to something the cloud-first argument consistently undervalues: traffic still must flow somewhere, and the point where traffic flows is where you must enforce policy.
From Appliance to Architecture: How the Firewall Changed Shape
The firewall did not stand still. As SD-WAN took hold, the firewall and the WAN edge collapsed into a single platform. When workloads shifted to SaaS and IaaS, SASE and SSE moved web filtering, threat inspection, and ZTNA into the cloud delivery layer, with the physical firewall anchoring local traffic and fixed infrastructure.
Now, the current transition moves the firewall from rule-based enforcement to a continuously learning enforcement node, drawing on cloud-scale AI. Each shift that declared the firewall’s replacement instead became its next evolution.
Why MSPs Still Need an Inline Enforcement Point
Cloud security architectures are genuinely powerful for controlling access to cloud resources and protecting distributed users. What they cannot replicate is deep, low-latency inspection of traffic at the point where a physical network meets everything else. Most environments are not fully cloud-native. On-premises infrastructure, legacy systems, OT on the plant floor, and local network segments all carry traffic that never touches the public internet.
Performance and resilience also favor an inline device. Routing all traffic through a cloud inspection point introduces latency some applications cannot tolerate. A security architecture that depends entirely on cloud connectivity fails when connectivity is disrupted. In healthcare, manufacturing, and utilities, local enforcement during a WAN outage is a requirement, not a preference.
The majority of enterprise traffic is TLS-encrypted, including the sessions attackers use to deliver malware and exfiltrate data. A next-gen firewall performing inline TLS inspection decrypts, inspects, and re-encrypts that traffic in real time. Cloud proxies cover remote users and endpoint agents cover devices; neither inspects encrypted east-west traffic between internal systems or catches exfiltration hidden inside HTTPS.
This evolution matters for today’s threats as well as for what comes next. Nation-state adversaries are already harvesting encrypted traffic today, expecting to decrypt it once quantum computing matures. As organizations transition to NIST‑standardized post-quantum cryptography (PQC) algorithms, post‑quantum TLS inspection will be enforced at firewalls.
What the Firewall Is Becoming
Threat intelligence feeds, signature updates, behavioral analytics and sandboxing will move to the cloud. That migration is underway. The appliance that offloads the right workloads while retaining the functions requiring local execution wins.
What remains in the device, and what defines its future, is the set of functions that fundamentally depend on being inline on the traffic path. For MSPs, these functions define where local control remains essential regardless of how much security shifts to the cloud.
- High-speed traffic inspection at the network edge, where latency constraints make cloud routing impractical
- Inline TLS/SSL decryption and re-encryption across more than 95% of enterprise sessions, including east-west traffic and post-quantum cryptography enforcement
- Segmentation policy enforcement within local networks, isolating OT from IT infrastructure and limiting ransomware blast radius
- Local policy execution during connectivity disruptions, so security does not fail open when the WAN link goes down
- Physical integration with operational technology environments, where the device enforces policy adjacent to industrial control systems
The future of the firewall is as a specialized enforcement engine. It handles traffic that must be handled locally, anchoring the hybrid architecture and integrating tightly with cloud services that handle everything else.
That’s a different product than what vendors built in 2005. It also will need to be deployed, refreshed, and maintained for decades.
The OT and IoT Reality
Manufacturing floors run equipment with 20-year lifecycles that organizations cannot patch or migrate to cloud management. Hospitals operate medical devices on isolated network segments. For these environments, a device that enforces segmentation, monitors traffic, and controls access at the network level is the primary security control.
IoT devices compound this. They do not run agents, cannot authenticate to identity providers, and communicate over protocols that identity-centric models were not designed to handle. Securing them requires a device inline in their traffic path. That is a firewall.
Compliance requirements reinforce the same conclusion. PCI-DSS, HIPAA, and NERC CIP all explicitly reference network-level controls. For organizations in financial services, healthcare, and critical infrastructure, removing the firewall is not an architectural decision they can make unilaterally. It is a compliance violation.
AI Is Reshaping This Landscape Faster Than We Can Evolve
Prior architectural shifts played out over years. AI is not following that pattern. The threat landscape and the tooling built to address it are both moving faster than most organizations can track.
- On offense, AI has lowered the skill floor for sophisticated attacks. Attackers generate highly personalized phishing at scale, use LLMs to accelerate vulnerability research, and adapt malware to evade signature detection in near‑real time.
- On defense, AI is replacing rule-based enforcement. Behavioral analytics continuously refine what normal looks like and flag deviations in real time. A firewall dependent on a signature update cycle is already behind. The devices that will matter going forward are those connected to cloud-based AI that learns from the entire install base and delivers updated threat enforcement to the edge automatically and in real time.
The Architecture of the Next Decade
The next decade will not be defined by a choice between cloud and on-premises, but by how well vendors integrate the two.
Cloud delivers what benefits from scale: identity, threat intelligence, behavioral analytics, and application access policies. Physical devices handle what requires local execution: inline inspection, segmentation enforcement, survivability, and OT/IoT security.
Appliance and cloud are not competing propositions. They are complementary layers of a unified architecture.
The firewall isn’t dying; it’s specializing. In a security landscape growing more complex each year, a device with a clear and irreplaceable function is a device with a long future.
Chandrodaya Prasad is chief product officer at SonicWall.
Featured image: AI generated by Copilot












