One of the problems I think you have here is a firewall itself won’t really have a security posture. It’s got to be considered on the context of the network it’s in and the job that it does. It’s likely stateful, has rules that work north/south and east/west but that are opened an closed as part of an accountable, audited change control process. These days add ZTNA, MicroSeg, SDN, NIDS/NIPS all sitting on top of your routers, layer 3 switches and whatnot.
It will have anti malware/threat scanning, and application aware filtering/proxies and servers, containers etc tend to be quite predictable, but users are crazy so you need proxies, SSL decryption, isolation, sandboxes, deep packet inspection, Mail security, endpoint security, UEBA and a plethora of technologies all traversing our firewall and its multiple buddies helping to secure your network.
Pulling away from user land a little you might consider WAFs here as well as capabilities application developers can code in to help protect their application. If all your SQL is generated on box it’s hard to do injection…
The first metric I’d start with for a firewall given its potential exposure, is it’s over security design and hardening, has it got CVEs? Does the vendor fix them or let them go unpatched for too long?
All firewalls in enterprises also need central management and accounting - your rules must be updated and you need an immutable record of what happened.
I’ll bow out here…
