Why Firewall Types Matter for the Exam
The CompTIA exams don't just ask "what is a firewall" — they present scenarios requiring you to choose the correct firewall type for a specific requirement. Protecting a web application from SQL injection requires a WAF, not a stateful firewall. Blocking outbound connections to known malicious domains requires an NGFW with threat intelligence, not a packet filter. Understanding what each type can and cannot do is the key to answering these scenario questions correctly.
Packet Filtering Firewall — Layer 3/4, Stateless
The oldest and simplest firewall type, packet filtering inspects each packet in isolation against a rule set. Rules match on: source IP address, destination IP address, source port, destination port, and protocol (TCP/UDP/ICMP). If a packet matches a permit rule, it passes; if it matches a deny rule or no rule, it's dropped. "Stateless" means the firewall has no memory of previous packets — it evaluates every packet independently, with no awareness of whether it belongs to an established connection.
The critical weakness: a packet filter cannot distinguish between a legitimate response to an outbound request and an unsolicited inbound packet using the same port. If you allow inbound TCP port 80, you allow all TCP port 80 packets — including attack traffic. Packet filters are fast (hardware can implement them at line rate) and appropriate for high-speed interfaces where basic ACL filtering is needed, but they've been largely replaced by stateful firewalls for perimeter security. Router ACLs are essentially packet filters.
Stateful Inspection Firewall — Tracks Connection State
Stateful inspection (also called stateful packet inspection or SPI) tracks the state of network connections. The firewall maintains a state table — a record of all active connections including source IP, destination IP, source port, destination port, protocol, and connection state (SYN sent, established, FIN wait, etc.). When a packet arrives, the firewall first checks whether it belongs to an established, permitted connection in the state table. If it does, the packet is allowed through without re-evaluating the full rule set. If it doesn't match any established connection, it's evaluated against the rule set.
The key capability: stateful firewalls automatically allow return traffic for outbound connections. When a user's browser connects to a web server, the firewall creates a state table entry. The web server's response packets are automatically permitted because they match the established connection — you don't need an explicit inbound allow rule for the return traffic. This dramatically simplifies rule management and eliminates the packet filter's inability to distinguish legitimate responses from attack traffic. Stateful inspection is the baseline for all modern firewalls — every firewall sold today is at minimum stateful.
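To make the contrast between the two sections above concrete, here is a small simulation (added here as an illustration; it is not code from the original page or from any firewall vendor). Addresses and the 10.0.0.0/24 LAN are constructed, and the stateful model tracks only the 5-tuple of each connection, ignoring TCP flags and entry timeouts that a real state table also keeps. The stateless filter can only let web replies back in by matching on the reply's own header fields (TCP source port 80), so it also passes an unsolicited inbound packet that merely uses source port 80; the stateful firewall passes the reply because it matches an entry created by the outbound request, and drops the unsolicited packet because nothing in the state table explains it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")   # constructed internal network for the example


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


def is_outbound(pkt):
    """Outbound means: source inside the LAN, destination outside it."""
    return ip_address(pkt.src_ip) in LAN and ip_address(pkt.dst_ip) not in LAN


def stateless_filter(pkt):
    """Stateless packet filter: each packet judged alone against header fields.
    To admit web replies it needs an inbound rule keyed on the reply's source port,
    and that rule admits every packet with source port 80, solicited or not."""
    if is_outbound(pkt) and pkt.proto == "tcp" and pkt.dst_port == 80:
        return True                      # LAN -> Internet HTTP request
    if not is_outbound(pkt) and pkt.proto == "tcp" and pkt.src_port == 80:
        return True                      # anything that looks like an HTTP reply
    return False                         # no matching permit rule: implicit deny


class StatefulFirewall:
    """Stateful inspection: remembers permitted outbound connections in a state
    table and admits the return direction without any inbound allow rule."""

    def __init__(self):
        self.state_table = set()   # 5-tuples (proto, src_ip, src_port, dst_ip, dst_port)

    def allow(self, pkt):
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self.state_table or reverse in self.state_table:
            return True                  # part of an established, permitted connection
        if is_outbound(pkt) and pkt.proto == "tcp" and pkt.dst_port == 80:
            self.state_table.add(flow)   # new permitted outbound connection
            return True
        return False                     # implicit deny for everything else


def demo():
    """Run the same three constructed packets through both firewall models."""
    request = Packet("10.0.0.5", "203.0.113.10", 51000, 80)       # browser -> web server
    reply = Packet("203.0.113.10", "10.0.0.5", 80, 51000)         # the server's response
    unsolicited = Packet("198.51.100.7", "10.0.0.9", 80, 3389)    # src port 80, but no one asked

    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in (request, reply, unsolicited)],
        "stateful": [fw.allow(p) for p in (request, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(demo())   # {'stateless': [True, True, True], 'stateful': [True, True, False]}
```

The third packet is the exam point: both models see identical header fields, and only the one with a state table can tell that the "reply" has no request behind it.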
Next-Generation Firewall (NGFW)
NGFWs extend stateful inspection with capabilities that operate at Layer 7 (Application layer): Deep Packet Inspection (DPI) examines packet payloads, not just headers — it can identify applications regardless of port (identifying Facebook traffic on port 443 even though, to a port-based rule, it is indistinguishable from any other HTTPS session). Application awareness allows rules like "block Netflix but allow YouTube" rather than just "block port X." Integrated IPS detects and blocks attack signatures inline. TLS/SSL inspection decrypts encrypted traffic for inspection, then re-encrypts it — essential since most web traffic is now HTTPS. Threat intelligence feeds automatically block connections to known malicious IP addresses and domains.
NGFWs are the current enterprise standard for perimeter firewalls. Major vendors include Palo Alto Networks, Fortinet, Cisco Firepower, and Check Point. The exam distinguishes NGFWs from traditional firewalls primarily through application awareness and DPI — if a scenario requires controlling applications by name or inspecting traffic content, the answer is NGFW.
Web Application Firewall (WAF)
A WAF operates at Layer 7 and specialises in protecting web applications from application-layer attacks. It understands HTTP/HTTPS and inspects web requests and responses for attack patterns: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), path traversal, command injection, and other OWASP Top 10 vulnerabilities. A traditional stateful firewall sees a web request as "TCP port 443 traffic from an allowed IP" — it cannot tell the difference between a legitimate login attempt and one containing a SQL injection payload. A WAF inspects the payload of every HTTP request and blocks those containing attack patterns.
WAFs are deployed in front of web servers and web application servers. Cloud WAF services (AWS WAF, Cloudflare WAF, Azure Application Gateway WAF) protect internet-facing applications without requiring on-premises hardware. The exam question trigger for WAF: any scenario involving protecting a web application from application-layer attacks — especially SQL injection or XSS. "Which firewall protects against OWASP Top 10 attacks?" → WAF.
Proxy Firewall
A proxy firewall acts as an intermediary for all traffic — clients connect to the proxy, the proxy inspects the content, and the proxy makes a new connection to the destination. Unlike stateful firewalls that inspect packet headers, a proxy firewall terminates the client connection, fully reassembles and inspects the application-layer content, then originates a new connection to the server. This provides the most complete inspection but introduces latency. Forward proxies handle outbound client requests (filtering what users can access). Reverse proxies handle inbound requests to servers (protecting web applications, similar to WAF functionality). Application-layer proxies that reconstruct content provide protection against protocol-level evasion techniques that can bypass packet-based inspection.
Firewall Types Comparison
| Type | OSI Layer | State Awareness | App Awareness | Best For |
|---|---|---|---|---|
| Packet Filter | 3–4 | No — stateless | No | Router ACLs, high-speed basic filtering |
| Stateful | 3–4 | Yes — connection tracking | No | Perimeter baseline — all modern firewalls |
| NGFW | 3–7 | Yes | Yes — DPI | Enterprise perimeter, threat prevention |
| WAF | 7 | Yes | Yes — HTTP/HTTPS | Web application protection, OWASP Top 10 |
| Proxy | 7 | Yes — full reconstruction | Yes | Full content inspection, URL filtering |
Implicit Deny — The Foundation of Firewall Rules
A core firewall concept tested on both Network+ and Security+ is implicit deny: any traffic not explicitly permitted by a firewall rule is denied by default. Most firewalls are configured with a final rule of "deny all" at the bottom of the rule set — traffic that doesn't match any permit rule is dropped. This is the correct security posture: the default is to block, and specific traffic is explicitly allowed. The opposite — implicit permit — would allow all traffic by default unless specifically blocked, which is far too permissive for a security boundary.
Firewall rules are evaluated in order — the first matching rule is applied and evaluation stops. This creates the critical concept of rule ordering: more specific rules must appear before more general rules. A specific deny rule placed after a broad permit rule will never be reached — the broad permit matches first. This is a classic exam trap: "why is the more specific deny rule not working?" — because a broader permit rule appears before it in the list.
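The two paragraphs above describe one procedure: walk the rule list top to bottom, apply the first match, and fall through to implicit deny. The following evaluator (an added example, not code from the original page or from any firewall product) implements exactly that, and adds a shadow check that reports rules that can never fire because an earlier rule already covers every packet they would match, which is the "specific deny after broad permit" trap. The rule set, addresses and ports are constructed; a rule matches on source network, destination network, protocol and destination port, with "any" as a wildcard.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # CIDR network or "any"
    dst: str           # CIDR network or "any"
    proto: str         # "tcp", "udp", "icmp" or "any"
    dst_port: object   # port number (int) or "any"


def _net(spec):
    return ip_network("0.0.0.0/0") if spec == ANY else ip_network(spec)


def rule_matches(rule, pkt):
    """Does this rule apply to the packet (dict with src, dst, proto, dst_port)?"""
    return (ip_address(pkt["src"]) in _net(rule.src)
            and ip_address(pkt["dst"]) in _net(rule.dst)
            and rule.proto in (ANY, pkt["proto"])
            and rule.dst_port in (ANY, pkt["dst_port"]))


def evaluate(rules, pkt):
    """First match wins and evaluation stops; no match at all is implicit deny.
    Returns (action, index of the rule that fired, or None for implicit deny)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def _covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.proto in (ANY, narrow.proto)
            and broad.dst_port in (ANY, narrow.dst_port))


def shadowed_rules(rules):
    """List (shadowed_index, shadowing_index) pairs: rules that can never fire
    because an earlier rule already covers everything they match. With opposite
    actions that is the exam trap; with the same action the later rule is redundant."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], rule):
                found.append((i, j))
                break
    return found


def demo():
    """A specific deny placed after a broad permit, then the corrected ordering."""
    pkt = {"src": "10.0.0.50", "dst": "192.168.1.10", "proto": "tcp", "dst_port": 22}
    wrong_order = [
        Rule("permit", "10.0.0.0/24", "192.168.1.0/24", ANY, ANY),   # broad permit first
        Rule("deny", "10.0.0.50/32", "192.168.1.10/32", "tcp", 22),  # specific deny: unreachable
    ]
    right_order = list(reversed(wrong_order))                        # specific rule first
    unlisted = {"src": "10.0.0.7", "dst": "203.0.113.5", "proto": "udp", "dst_port": 53}
    return {
        "wrong": evaluate(wrong_order, pkt),               # ('permit', 0): deny never reached
        "wrong_shadowed": shadowed_rules(wrong_order),     # [(1, 0)]
        "right": evaluate(right_order, pkt),               # ('deny', 0)
        "right_shadowed": shadowed_rules(right_order),     # []
        "unlisted": evaluate(right_order, unlisted),       # ('deny', None): implicit deny
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the shadow check over a rule base before deploying it is the practical answer to "why is the more specific deny rule not working?": the report names the earlier rule that swallows it.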
Stateful Firewall and NAT — Why They Work Together
Network Address Translation (NAT) is commonly implemented on the same device as a stateful firewall. NAT translates private IP addresses to a public IP address for outbound traffic, and the state table maintains the mapping of which internal host made which outbound connection — so when the response comes back, the device knows which internal host to forward it to. This state tracking is fundamentally the same mechanism as stateful firewall connection tracking: both track the source, destination, port, and state of each connection. NAT on a home router provides a degree of firewall-like protection simply because inbound packets that don't match an existing NAT state table entry have no internal address to be forwarded to — they're dropped by default. This "NAT as firewall" effect is not true firewall protection but is why home routers provide some protection even without explicit firewall rules.
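The paragraph above is easiest to see as a translation table. The model below is an added example, not code from the original page or from any router vendor: it implements port address translation (many internal hosts behind one constructed public IP, 203.0.113.1) and shows that the NAT table is itself a connection state table. An outbound packet gets a public source port and a table entry; an inbound packet is forwarded only if its destination port maps to an entry and it comes from the peer that entry was opened to (the strict variant chosen for this example; some consumer NATs accept any peer on a mapped port). An inbound packet with no entry has no internal address to go to and is dropped, which is the "NAT as firewall" effect. Address, port and counter values are constructed.

```python
class PatRouter:
    """Port Address Translation. The mapping table doubles as the state table:
    an entry exists only because an internal host opened a connection."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port   # next free public source port (constructed start value)
        # (proto, public_port) -> (inner_ip, inner_port, remote_ip, remote_port)
        self.table = {}

    def outbound(self, proto, inner_ip, inner_port, remote_ip, remote_port):
        """Translate the source of an outbound packet and record the mapping.
        Returns the (public_ip, public_port) the packet leaves with."""
        connection = (inner_ip, inner_port, remote_ip, remote_port)
        for (known_proto, public_port), entry in self.table.items():
            if known_proto == proto and entry == connection:
                return self.public_ip, public_port      # existing connection, reuse mapping
        public_port = self.next_port
        self.next_port += 1
        self.table[(proto, public_port)] = connection
        return self.public_ip, public_port

    def inbound(self, proto, remote_ip, remote_port, public_port):
        """Translate an inbound packet back to the internal host.
        Returns (inner_ip, inner_port), or None when the packet is dropped
        because no state entry explains it."""
        entry = self.table.get((proto, public_port))
        if entry is None:
            return None                                 # no mapping: nowhere to forward it
        inner_ip, inner_port, expected_ip, expected_port = entry
        if (remote_ip, remote_port) != (expected_ip, expected_port):
            return None                                 # mapping exists, but not for this peer
        return inner_ip, inner_port


def demo():
    """One internal host opens an HTTPS connection; three inbound packets follow."""
    nat = PatRouter("203.0.113.1")
    public = nat.outbound("tcp", "192.168.1.20", 52345, "198.51.100.80", 443)
    again = nat.outbound("tcp", "192.168.1.20", 52345, "198.51.100.80", 443)
    return {
        "public": public,                                                     # ('203.0.113.1', 40000)
        "same_mapping": again == public,                                      # True
        "reply": nat.inbound("tcp", "198.51.100.80", 443, public[1]),          # ('192.168.1.20', 52345)
        "unsolicited": nat.inbound("tcp", "198.51.100.99", 443, 40001),       # None: no entry
        "wrong_peer": nat.inbound("tcp", "198.51.100.99", 443, public[1]),     # None: entry is for .80
        "entries": len(nat.table),                                            # 1
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stateful firewall in the earlier section and this NAT table keep the same kind of record for the same reason; putting both on one device means one table answers both "is this reply expected?" and "which host is it for?".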