A next-generation firewall (NGFW) can add a great deal of security to the network. Configured correctly, it will not allow connections to known malicious sites. It scans all unencrypted traffic, so it has a good chance of blocking a virus download from a website when that download does not use encryption. One hopes that malicious websites do not have a trusted certificate, although that cannot be relied upon: malware authors have previously hijacked certificates to allow such traffic through. In general, the NGFW will not scan the contents of encrypted (HTTPS) web pages unless it is configured for deep SSL inspection. If it is so configured, many services within the network, such as Windows Update, may stop working.
Webmail clients such as Gmail use HTTPS to communicate with their servers, so unless deep SSL inspection is enabled for webmail services, the NGFW is not protecting against ransomware delivered by that vector.
To use this email with the deep inspection necessary to detect viruses, the NGFW certificate must be installed on all of the client computers that will use the email. Email remains the number one infection route for ransomware, so this is a very important, albeit moderately difficult, step.
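One way to check from a client whether deep SSL inspection is actually applied to webmail, and whether the NGFW certificate is trusted there, is to look at who issued the certificate the client receives. The following is an added example, not part of the original page; the CA name, host names and sample certificates are constructed placeholders.

```python
import socket
import ssl

# Assumption: common name of the NGFW's inspection CA (placeholder, not from the page).
NGFW_CA_CN = "Example-NGFW-Inspection-CA"

# Constructed getpeercert()-style samples: one re-signed by the NGFW, one untouched.
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Example Corp"),),
                               (("commonName", NGFW_CA_CN),))}
SAMPLE_PASSTHROUGH = {"issuer": ((("commonName", "Constructed Public CA"),),)}

def issuer_cn(peercert):
    """Return the issuer commonName from an ssl getpeercert() dict, or None."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def classify(peercert, ngfw_cn=NGFW_CA_CN):
    """'inspected' if the NGFW re-signed the site certificate, else 'passthrough'."""
    return "inspected" if issuer_cn(peercert) == ngfw_cn else "passthrough"

def probe(host, port=443, timeout=5):
    """Live check from a client: 'inspected', 'passthrough' or 'untrusted'.

    'untrusted' means the client's trust store rejected the chain; one cause is
    inspection being enabled without the NGFW certificate installed on the client.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted"

def audit(observations, must_inspect):
    """Hosts that policy says must be inspected but were not seen as 'inspected'."""
    return sorted(h for h in must_inspect if observations.get(h) != "inspected")

if __name__ == "__main__":
    # Offline demo on the constructed samples; use probe(host) on a real client.
    seen = {"webmail.example.test": classify(SAMPLE_PASSTHROUGH),
            "intranet.example.test": classify(SAMPLE_INSPECTED)}
    print("Should be inspected but is not:", audit(seen, ["webmail.example.test"]))
```

A webmail host that comes back as `passthrough` is the gap described above: its HTTPS traffic reaches the client without the NGFW having scanned it.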