Actually, when you deploy an Aruba BGW, you get a full stateful L7 firewall in the same box at no additional cost than the gateway subscription
https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/security/applcation/app-visibility-ctrl.htm
That also includes capabilities like Web Content (WebCC) and Geo Location filtering.
Cloud Security providers like Zscaler or Palo Alto with Prisma have certainly some advanced threat detection/protection capabilities, that a single box can't deliver. The downside is, that for inspection you usually need to redirect traffic to their cloud service and back (reverse path pinning) which can incur delays for a client.
We have simplified these integrations, that you can easily use them alongside the native firewall capabilities of the Aruba BGW
Have a look at these:
https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/security/cloud-security/zscaler_integration.htm
https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/security/cloud-security/pan_cloud_integration.htm