
An application-proxy gateway is a feature of advanced firewalls that combines lower-layer access
control with upper-layer functionality. These firewalls contain a proxy agent that acts as an
intermediary between two hosts that wish to communicate with each other, and never allows a
direct connection between them. Each successful connection attempt actually results in the creation
of two separate connections—one between the client and the proxy server, and another between
the proxy server and the true destination. The proxy is meant to be transparent to the two hosts—
from their perspectives there is a direct connection. Because external hosts only communicate with
the proxy agent, internal IP addresses are not visible to the outside world. The proxy agent interfaces
directly with the firewall rules.
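
The two-connection behaviour described above, as an added example that is not part of the original text. The allow-lists, the toy `WHOAMI` verb and all function names are assumptions made for the illustration; everything runs on loopback, so the two connections are told apart by source port rather than by IP address.

```python
import socket
import threading

ALLOWED_CLIENTS = {"127.0.0.1"}  # lower-layer rule (constructed)
ALLOWED_VERBS = {b"WHOAMI"}      # upper-layer rule for a toy protocol (constructed)

def _listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))     # ephemeral port, loopback only
    s.listen(1)
    s.settimeout(2)              # lets an unused listener thread exit
    return s

def backend(srv):
    """True destination: replies with the peer address it actually sees."""
    try:
        conn, peer = srv.accept()
    except OSError:
        return                   # the proxy never connected (request denied)
    with conn:
        conn.recv(1024)
        conn.sendall(f"{peer[0]}:{peer[1]}".encode())

def proxy(srv, dest, log):
    """Proxy agent: terminates connection 1, applies rules, opens connection 2."""
    client, peer = srv.accept()
    with client:
        request = client.recv(1024)
        verb = request.split(b" ", 1)[0]
        if peer[0] not in ALLOWED_CLIENTS or verb not in ALLOWED_VERBS:
            client.sendall(b"DENIED")   # destination is never contacted
            return
        with socket.create_connection(dest) as upstream:   # connection 2
            log["proxy_to_dest"] = upstream.getsockname()
            upstream.sendall(request)
            client.sendall(upstream.recv(1024))

def run(request):
    dest_srv, proxy_srv, log = _listener(), _listener(), {}
    threading.Thread(target=backend, args=(dest_srv,), daemon=True).start()
    threading.Thread(target=proxy, daemon=True,
                     args=(proxy_srv, dest_srv.getsockname(), log)).start()
    with socket.create_connection(proxy_srv.getsockname()) as c:  # connection 1
        log["client_to_proxy"] = c.getsockname()
        c.sendall(request)
        log["reply"] = c.recv(1024).decode()
    return log

if __name__ == "__main__":
    print(run(b"WHOAMI"))
```

The reply is the address of the proxy's outbound socket: the destination never learns the client's own socket, and a request that fails either rule is answered by the proxy without a second connection being opened.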

Another concept, recently introduced as a contender to the UTM concept, is the “Next-Generation
Firewall” (NGFW), which is mainly pushed by the research and consultancy firm Gartner, Inc. To
understand the roots of this “conflict,” we need to take a look at history.

One of the first times Gartner mentioned the term “Next-Generation Firewall” was in a
document published in 2004 titled “Next-Generation Firewalls Will Include Intrusion-Prevention” [12],
which highlighted the importance of coupling technologies like Deep-Packet Inspection, IPS, and
application-inspection capabilities in general with a firewall, with the objective of stopping threats like
worms and viruses and extending protection to the application layer, so that packets with malicious
payloads could be stopped.
