Firewalls are the primary network security boundary control, and CompTIA Network+ N10-009 tests multiple firewall types, their capabilities, and appropriate use cases. You must distinguish between packet filtering, stateful, application-layer, and next-generation firewalls, understand UTM (Unified Threat Management), and know how WAFs (Web Application Firewalls) differ from network firewalls.
Packet filtering firewall (stateless): inspects each packet independently based on source/destination IP, port, and protocol against a rule set (ACL). Fast, simple, lowest overhead. Cannot track connection state — cannot distinguish a response packet from an initiated attack. Does not understand application context. Layer 3–4.
Stateful inspection firewall: tracks the state of TCP connections in a state table. Only allows response packets matching established connections — a reply packet is only allowed if there was an outbound request that established the session. The most fundamental improvement over packet filtering. Operates at Layers 3–4. Virtually all modern firewalls are at least stateful.
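The stateless/stateful contrast above, as an added example that is not part of the original study guide: a small Python simulation that runs the same four constructed packets through a packet-filter ACL (with the classic "established" ACK-bit rule) and through a state table; the 10.0.0.0/24 inside network and all addresses are assumptions.

```python
from dataclasses import dataclass

# Constructed example: the inside network is 10.0.0.0/24 (assumption).
INSIDE_PREFIX = "10.0.0."

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def stateless_filter(pkt: Packet) -> bool:
    """Packet-filter ACL: permit all outbound; permit inbound only to
    ephemeral ports (>1023) when the ACK bit is set (the 'established'
    trick). It keeps no memory, so any ACK-bearing packet aimed at a
    high port is accepted whether or not a session ever existed."""
    if is_inside(pkt.src_ip):
        return True
    return pkt.dst_port > 1023 and "ACK" in pkt.flags

class StatefulFirewall:
    """Stateful inspection: an outbound SYN creates a state-table entry;
    an inbound packet passes only if it matches an existing entry."""
    def __init__(self) -> None:
        self.state_table: set[tuple] = set()

    def filter(self, pkt: Packet) -> bool:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if is_inside(pkt.src_ip):
            if pkt.flags == frozenset({"SYN"}):   # new outbound session
                self.state_table.add(fwd)
            return True
        return rev in self.state_table            # reply to a tracked session?

def run_simulation() -> list[tuple[str, bool, bool]]:
    """Run four constructed packets through both filters in order and
    return (description, stateless_verdict, stateful_verdict) for each."""
    fw = StatefulFirewall()
    packets = [
        ("outbound SYN to web server",   Packet("10.0.0.5", 50000, "203.0.113.10", 443, frozenset({"SYN"}))),
        ("legitimate SYN-ACK reply",     Packet("203.0.113.10", 443, "10.0.0.5", 50000, frozenset({"SYN", "ACK"}))),
        ("unsolicited ACK to high port", Packet("198.51.100.7", 443, "10.0.0.5", 50000, frozenset({"ACK"}))),
        ("unsolicited SYN to port 22",   Packet("198.51.100.7", 40000, "10.0.0.5", 22, frozenset({"SYN"}))),
    ]
    return [(name, stateless_filter(p), fw.filter(p)) for name, p in packets]
```

The third packet is the exam point: the stateless ACL passes it because it looks like a reply, while the stateful firewall drops it because no tracked session matches.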
Application-layer firewall (proxy firewall): terminates connections and rebuilds them — inspects Layer 7 content. Can enforce application-specific policies: block specific HTTP methods, inspect FTP commands, block file attachments by content type. Slower than stateful (application-layer processing) but far more capable for application control.
Next-Generation Firewall (NGFW): combines stateful inspection with deep packet inspection (DPI), application identification and control, user identity awareness (integrates with AD/LDAP), IPS, URL filtering, SSL inspection (decrypts HTTPS to inspect content), and threat intelligence. Examples: Palo Alto, Cisco Firepower, Fortinet FortiGate, Check Point.
WAF (Web Application Firewall): specifically protects web applications from attacks targeting HTTP/HTTPS — SQL injection, XSS (Cross-Site Scripting), CSRF, and OWASP Top 10 vulnerabilities. Operates at Layer 7. Positioned in front of web servers. Different from a network firewall (which protects infrastructure); a WAF protects the application logic.
UTM (Unified Threat Management): a single appliance combining multiple security functions — firewall, IPS, VPN, web filtering, antivirus, DLP, and email filtering. Cost-effective for SMBs. Potential performance bottleneck when all functions are active. Modern UTM devices handle multi-gigabit throughput.
Host-based firewall: software firewall running on individual endpoints (Windows Firewall, iptables/nftables on Linux). Protects the host from network attacks regardless of network location — even when connected to untrusted networks (hotels, coffee shops). Layer 4 (port filtering) with some application awareness.
| Type | OSI Layer | Key Capability | Limitation |
|---|---|---|---|
| Packet filter | L3–L4 | IP/port rules | No connection tracking |
| Stateful | L3–L4 | Connection tracking | No app inspection |
| Application proxy | L7 | Deep app inspection | Higher latency |
| NGFW | L3–L7 | DPI, app ID, user ID, IPS | Expensive, complex |
| WAF | L7 (HTTP) | Web app attack protection | HTTP only |
| UTM | L3–L7 | All-in-one security | Performance scaling |
Common misconception: an NGFW replaces the need for a WAF.
NGFWs and WAFs serve different purposes. NGFWs protect network infrastructure with application identification. WAFs are specifically engineered to understand and protect web application logic; SQL injection, CSRF, and OWASP Top 10 attacks require WAF-specific signatures and rules.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A company needs to protect its public web application from SQL injection and cross-site scripting attacks. Which security control is most appropriate?
Explanation: A WAF (Web Application Firewall) is specifically designed to protect web applications from OWASP Top 10 attacks including SQL injection and XSS. It inspects HTTP/HTTPS traffic at Layer 7 with rules specific to web application vulnerabilities. A stateful firewall can block by IP/port but cannot inspect web application content. An NGFW provides DPI, but the WAF-specific logic for web application attacks requires a dedicated WAF.
SSL/TLS inspection (SSL decryption) allows the firewall to decrypt HTTPS traffic, inspect the content, and re-encrypt it before forwarding. Without SSL inspection, an NGFW sees only encrypted traffic and cannot apply DPI, URL filtering, or malware scanning to HTTPS connections (which is most modern web traffic). SSL inspection requires deploying the firewall's certificate as a trusted CA on endpoints so they trust the re-signed certificates.