In 2026, a firewall is no longer “the box that blocks ports”. It’s a critical control point for identity, encrypted traffic, sites, cloud and remote work. And that’s precisely why many companies fail in the same way: they buy a powerful NGFW… but operate it as if it were a firewall from 10 years ago.
In this article we break down what a managed firewall means in 2026 and what you should demand (and avoid) when you’re looking for a professional service: NGFW, IPS, VPN and segmentation with a practical approach, designed for SMBs.
- If you want a quick rule of thumb: you buy the firewall once; you operate security every day.
- Goal: reduce risk and downtime, and avoid “fragile” configurations that blow up at the worst possible time.
- Approach: what to ask for, what to measure, and which red lines to spot before you sign.
Why in 2026 it’s not enough to “have a firewall”
The classic perimeter no longer exists as a single “entry point”. You have SaaS, remote access, sites, mobile devices, IoT and traffic that’s almost always encrypted. In that scenario, a firewall without continuous operations becomes a “false sense of security”.
Best-practice guides insist that the real value lies in the policy, the configuration, the testing and the maintenance of perimeter control, not just in the device. That’s why “managed” matters as much as “NGFW”.
What “managed firewall” means in practice
A managed firewall is a service, not a product. It includes clear responsibilities, processes and metrics. If someone offers you “managed” but only talks about installation and licences, you’re probably buying support, not operations.
- Design and architecture: zones, segmentation, VPN, secure publishing of services and high availability.
- Policies and rules: creation, validation, change control and regular clean-up of obsolete rules.
- Updates: firmware, signatures, hardening and review of insecure configurations.
- Monitoring: relevant events, actionable alerts and correlation with other systems (XDR/SIEM where applicable).
- Reporting: executive visibility (risks, trends) and a technical roadmap (prioritised improvements).
At Inmove IT, this approach is integrated with services such as 24/7 IT systems monitoring to detect earlier and act quickly when there are signs of compromise or degradation.
NGFW in 2026: minimum capabilities that should come as standard
An NGFW stands out because it can understand applications and context, not just IP/ports. That enables finer-grained policies, better investigations and fewer “holes” created by poorly designed exceptions.
Application and user-based control (not just ports)
Businesses need understandable rules: “allow Teams and block unauthorised apps”, “only Finance can access the ERP”, “suppliers only to a specific segment”. This reduces exposure without relying on huge, unmanageable rule sets.
Encrypted traffic inspection (TLS) with clear criteria
Most traffic is encrypted. If you inspect nothing, you lose visibility; if you inspect “everything”, you can break performance or privacy. In 2026 the key is designing it properly: what you inspect, where, which exceptions you apply, and how you measure impact.
Web/DNS filtering and protection against known threats
A well-operated NGFW reduces “avoidable” infections by blocking malicious domains, high-risk categories and command-and-control communications. It’s a basic layer, but effective, if it’s tuned to your business.
Real-world performance with security enabled
This point is constantly overlooked: “datasheet” throughput is rarely the same as throughput with IPS, filtering and TLS inspection enabled. When buying, ask for realistic figures and validate them against your usage pattern (sites, VPN, SaaS, video calls).
If you want to reinforce the perimeter as a service, it makes sense to link it to a complete perimeter security for companies layer (firewall, policies, segmentation and continuous operations).
IPS in 2026: how to ask for it without drowning in false positives
IPS is a valuable but delicate function: it blocks (or alerts on) attack patterns. The typical mistake is enabling it at “maximum sensitivity” without tuning, creating noise and blocks that end up disabling protection due to alert fatigue.
- Ask for a tuning plan: learning phase, initial detection mode, then move to prevention with validated rules.
- Ask for continuous updates: up-to-date signatures and review when your applications change.
- Ask for context: what was blocked, which asset it affects, and what action is recommended (not just “alert”).
- Ask for well-documented exceptions: “why it exists” and “when it will be reviewed”.
A well-operated IPS integrates with the rest of your defence (endpoint/XDR, identity, backups, monitoring). For example, if you already use XDR, it makes sense to connect signals to investigate faster and reduce impact.
Related: on the blog we cover how to improve detection and response times with Sophos XDR in business environments, especially when multiple security layers coexist.
VPN in 2026: remote access and sites, without opening more doors than necessary
VPN remains key for sites, supplier access and remote work. But in 2026, a poorly designed VPN is a highway for attackers: stolen credentials, missing MFA, excessive privileges and lack of logs.
What to ask for in site-to-site VPN (sites)
Site-to-site VPN must be stable, predictable and segmented. The goal isn’t to “join networks”, but to connect what’s necessary with least-privilege control.
- Properly configured IPsec/IKE and modern ciphers.
- Subnet selection and controlled routing (not “everything to everything”).
- Inter-zone policies: what crosses the VPN goes through rules and logs.
- Failover tests if you have two ISPs or high availability.
What to ask for in remote-access VPN (users and suppliers)
Remote access must be strong on identity and “minimum access”. It’s not just about encryption; it’s about limiting damage if an account is compromised.
- MFA mandatory for all remote access.
- Role-based profiles (employee, IT, supplier) with separated permissions.
- Device posture where possible (managed device, patching, EDR).
- Logging and traceability (who connects, from where, what they access and what they change).
What to avoid in VPN (typical mistakes)
Some decisions look convenient but significantly increase risk. They’re small “concessions” that later turn into incidents.
- Remote access without MFA (or MFA “only for some”).
- Default “admin” profiles for suppliers “because it’s faster”.
- No segmentation: the VPN connects and can see the entire internal network.
- No logging policy: when an incident happens, “there’s no history”.
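As an added illustration (not part of the original article or any vendor's tooling), the sketch below reviews remote-access VPN session records for three of the mistakes listed above: sessions without MFA, suppliers on an admin profile, and traffic to segments outside the role's minimum access. The key=value log format, the role names and the subnet map are all assumptions constructed for the example.

```python
import ipaddress

# Constructed sample sessions in a hypothetical key=value export format.
SAMPLE_LOG = """\
ts=2026-01-12T08:01:10Z user=alice role=employee profile=employee mfa=yes src=203.0.113.10 dst=10.10.20.15
ts=2026-01-12T08:05:42Z user=bob role=employee profile=employee mfa=no src=198.51.100.7 dst=10.10.20.30
ts=2026-01-12T09:14:03Z user=acme-support role=supplier profile=admin mfa=yes src=192.0.2.44 dst=10.10.50.8
ts=2026-01-12T09:30:55Z user=acme-support role=supplier profile=supplier mfa=yes src=192.0.2.44 dst=10.10.10.5
"""

# Assumed least-privilege map: which internal subnets each role may reach.
ALLOWED = {
    "employee": ["10.10.20.0/24"],
    "it": ["10.10.10.0/24", "10.10.20.0/24", "10.10.99.0/24"],
    "supplier": ["10.10.50.0/24"],
}

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def audit_session(s):
    """Return the list of policy findings for one session record."""
    findings = []
    if s.get("mfa") != "yes":
        findings.append("no-mfa")
    if s["role"] == "supplier" and s["profile"] == "admin":
        findings.append("supplier-admin-profile")
    dst = ipaddress.ip_address(s["dst"])
    nets = [ipaddress.ip_network(n) for n in ALLOWED.get(s["role"], [])]
    if not any(dst in n for n in nets):  # unknown role => nothing allowed
        findings.append("outside-role-segment")
    return findings

def audit_log(text):
    """Return (user, timestamp, findings) for every session with findings."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        s = parse_line(line)
        findings = audit_session(s)
        if findings:
            report.append((s["user"], s["ts"], findings))
    return report

if __name__ == "__main__":
    for user, ts, findings in audit_log(SAMPLE_LOG):
        print(ts, user, ", ".join(findings))
```

The fourth mistake, a missing logging policy, is the one this kind of review cannot detect after the fact: without retained session records there is nothing to audit.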
Segmentation in 2026: the most effective way to reduce impact
If an attacker gets in, what determines the damage isn’t just “whether they get in”, but “how far they can move”. Segmentation (and microsegmentation where applicable) limits lateral movement and protects critical assets.
In SMBs, well-designed zone-based segmentation is usually enough: users, servers, VoIP, IoT, guests, OT/production if it exists, and IT management. What matters is that inter-zone communications are governed by policies and logs.
- VLANs and zones with explicit rules (allow what’s necessary, block the rest).
- Admin separation (IT management never mixed with user traffic).
- DMZ for published services (and only publish what’s strictly necessary).
- ERP/DB access from controlled segments, not from “any PC”.
If your network needs redesign or growth (new sites, enterprise WiFi, IoT), it’s worth addressing it with enterprise networking solutions so segmentation isn’t a patch, but a solid foundation.
Rules, changes and governance: where 80% of perimeter security breaks
Most “firewall incidents” aren’t caused by missing features. They’re caused by accumulated rules, exceptions with no owner, urgent changes without review, and no clean-up. A managed firewall must include a governance process.
- Change control: who requests, who approves, who executes and how it’s validated.
- Regular review: unused rules, duplicate rules and “temporary” access that stayed forever.
- Minimum documentation: every critical rule must have “why it exists” and “what risk it accepts”.
- Configuration backups: to roll back quickly if something breaks production.
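The regular review described above can be partly automated. The following is an added example, not code from the original article: it checks a rule export for unused rules, duplicates, expired “temporary” access and missing “why it exists” documentation. The field names (`hits_90d`, `why`, `expires`) and the sample rules are constructed assumptions, not a vendor format.

```python
from datetime import date

# Constructed rule export, in evaluation order (first match wins).
RULES = [
    {"id": 10, "src": "users", "dst": "servers", "svc": "tcp/443", "action": "allow",
     "hits_90d": 18234, "why": "Intranet portal", "expires": None},
    {"id": 20, "src": "users", "dst": "servers", "svc": "tcp/1433", "action": "allow",
     "hits_90d": 0, "why": "Legacy reporting tool", "expires": None},
    {"id": 30, "src": "vpn-supplier", "dst": "servers", "svc": "tcp/3389", "action": "allow",
     "hits_90d": 41, "why": "", "expires": date(2025, 6, 30)},
    {"id": 40, "src": "users", "dst": "servers", "svc": "tcp/443", "action": "allow",
     "hits_90d": 0, "why": "Intranet portal (urgent change)", "expires": None},
]

def review_rules(rules, today):
    """Return {rule_id: [issues]} for every rule that needs attention."""
    findings = {}
    seen = {}  # (src, dst, svc, action) -> id of the first rule with that tuple
    for r in rules:
        issues = []
        key = (r["src"], r["dst"], r["svc"], r["action"])
        if key in seen:
            # An identical earlier rule always matches first.
            issues.append(f"duplicate-of-{seen[key]}")
        else:
            seen[key] = r["id"]
        if r["hits_90d"] == 0:
            issues.append("unused")
        if r["expires"] is not None and r["expires"] < today:
            # "Temporary" access that outlived its review date.
            issues.append("temporary-expired")
        if not r["why"].strip():
            issues.append("undocumented")
        if issues:
            findings[r["id"]] = issues
    return findings

if __name__ == "__main__":
    for rule_id, issues in review_rules(RULES, date(2026, 1, 15)).items():
        print(rule_id, ", ".join(issues))
```

Findings from a script like this are input to the change-control process, not a substitute for it: removing a rule still needs an owner's approval and a rollback path.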
High availability: if the firewall goes down, your business stops
If your firewall is the Internet exit, the site VPN, and the access path to applications, it’s a continuity component. And in 2026, continuity isn’t a luxury: it’s basic operations.
- HA (active/passive or active/active) with regular failover testing.
- Dual ISP if your connectivity dependency is high.
- Power and rack (UPS, redundancy) where applicable.
- Documented emergency plan: what to do in case of outage, degradation or attack.
Checklist: what to ask for in a managed firewall in 2026
If you only take one part from this article, let it be this one. Use it as a buying checklist and as a quality control list when comparing providers.
- Operational scope: rules, IPS, VPN, updates, reviews and response to alerts.
- SLA and coverage hours: real response times and an escalation channel.
- Change process: approvals, maintenance window and rollback.
- Useful reporting: security KPIs + actionable recommendations (not a “30-page PDF”).
- Zone-based segmentation: initial design + evolution as the business changes.
- VPN with MFA: strong remote access with role-based permissions.
- Logs and traceability: retention, export and access during an incident.
- Testing: validation of critical rules, HA failover and restore tests if continuity is included.
- Risk and compliance: evidence for audits (GDPR, NIS2 where applicable).
- Expert support: not just “opening tickets”, but real security engineering judgement.
What to avoid: red lines before you sign
These signals often lead to extra costs, incidents or frustration. If they show up during pre-sales, it’s better to address them before contracting, or to look for an alternative.
- “Managed” = install and forget. No reviews, no tuning, no reporting.
- Opaque licensing (you don’t know what’s included, what expires, or how it impacts key functions).
- Uncontrolled exceptions (“we open this and we’ll see later”).
- No segmentation because “it’s complicated” (or because no one wants to touch the network).
- VPN without MFA or with overly broad access.
- Inaccessible logs or insufficient retention for investigations.
Realistic example: what a well-protected SMB should look like
Imagine a company with 80–200 employees, a main site, a branch office and partial remote work. The goal isn’t to “secure everything” at 100%, but to drastically reduce risk and operational impact.
- Zones: users, servers, VoIP, guests, IoT, IT management.
- NGFW: application/user control + web/DNS filtering + selective TLS inspection.
- IPS: progressive tuning, prevention only where it adds value without breaking the business.
- Site-to-site VPN: only necessary subnets, inter-zone traffic controlled by rules and logs.
- Remote VPN: mandatory MFA, role-based profiles and minimum access.
- Operations: change control + quarterly rule review + monthly reporting.
This design reduces lateral movement (key in ransomware) and ensures that, if something happens, you can respond quickly because you have visibility and traceability.
How we approach it at Inmove IT Solutions
When we implement a managed firewall, we treat it as a continuity and security component, not a one-off project. The focus is on operating, measuring and improving.
- Phase 1 – Assessment: network map, critical services, risks and dependencies.
- Phase 2 – Design: zones/segmentation, VPN, secure publishing, HA where applicable.
- Phase 3 – Implementation: need-based rules, hardening, testing and validation with the business.
- Phase 4 – Operations: monitoring, IPS tuning, rule review and reporting.
- Phase 5 – Continuous improvement: controlled changes and evolution as the company grows.
If you want to see it as part of a complete service, review perimeter security for companies and, if you’re looking for proactive detection, complement it with 24/7 monitoring.
To broaden the executive-level view (cloud, AI and security), you may also be interested in IT Trends 2026: cloud, AI and security for companies.
Frequently asked questions about managed firewalls
These are common questions when a company compares options or reviews its perimeter security.
Does an NGFW replace an antivirus or XDR?
No. They’re different layers. NGFW reduces exposure at network level (control, filtering, segmentation), while endpoint/XDR provides visibility and response within the device. Together they reduce detection and containment times.
What’s the difference between IDS and IPS?
IDS detects and alerts; IPS can also block. In businesses, the key is tuning: start with detection, validate, then move to prevention where it adds value without breaking critical processes.
Do I need TLS inspection no matter what?
It depends on the risk and the type of traffic. Without inspection you lose visibility over a large portion of traffic; with indiscriminate inspection you can impact performance or privacy. The recommended approach is criteria-based: categories, destinations, user profiles and impact measurement.
How often should rules and policies be reviewed?
At minimum, regularly (monthly/quarterly) depending on criticality and business changes. Reviews aim to remove obsolete rules, reduce excessive permissions and keep policies aligned with reality.
When does high availability (HA) make sense?
When a firewall outage means downtime (Internet, VPN, applications, IP telephony). In many cases, HA costs less than a morning of lost productivity.
Next step
If you want to validate whether your current firewall is operated as a “box” or as a “service”, we can help you define a zone-based design, harden VPN, fine-tune IPS and establish governance for changes and reviews.
Talk to the Inmove IT Solutions team via contact Inmove IT Solutions and tell us about your scenario (sites, remote work, cloud, critical applications). We’ll tell you what to ask for, what to prioritise and what to avoid so the investment delivers real impact.
Recommended external source: to go deeper into firewall policy and best practices, you can consult NIST SP 800-41: Guidelines on Firewalls and Firewall Policy.