What Is a Firewall? [Firewall Definition & Explanation]


Firewalls act as barriers between private and external networks, checking and filtering data based on set security rules. Using these rules, firewalls decide whether to allow, block, or drop the data to protect the network.

Firewalls come as hardware, software, or a mix of both. The filtering process ensures only safe, legitimate traffic gains entry.

 

What does a firewall do?

Figure: How firewalls work. Traffic flows between the internet on the left and a private network on the right through a firewall in the center. Permitted traffic passes through the firewall in both directions; denied traffic from the internet is blocked at the firewall according to the defined rules.

Firewalls monitor and manage network traffic. 

Their job is to protect network devices (also referred to as hosts). That can mean computers, servers, or anything else with an IP address.

Basically, firewalls filter traffic to determine what should be allowed and what should be blocked.

To break it down further, a firewall uses rules to make those decisions. Rules can be based on IP addresses, protocols, ports, or other packet-level details. If a packet violates the rules, the firewall blocks it.

More advanced firewalls don’t just look at packets one by one. Instead, they use stateful inspection, which means they track the entire session that a packet belongs to. That way, they can understand if packet behavior is expected or unusual.

Like this:

Figure: Stateful packet inspection example. A packet arriving from the internet is evaluated by a sequence of checks: From valid IP? From permitted port? To permitted port? Pass protocol checks? A No at any step drops the packet. If every answer is Yes, the firewall either records the IP and SYN/ACK data in its connection table (new session) or checks them against the table (existing session). On a match, the IP address is translated and the packet is delivered to its destination.

This matters because looking at the full context helps detect more complex or stealthy threats.
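The decision flow above, worked through as a small simulation. This is an added example, not code from the original article: a connection table keyed by 5-tuple, an anti-spoofing check on the arrival interface (the "From valid IP?" step), a first-match rule lookup for new sessions, and pass-through for replies that match a recorded session. The network layout, rule set and packet sequence are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site layout (assumption): one internal /24 behind the firewall,
# with a web server at 10.0.0.80 that the internet may reach on TCP 443.
INTERNAL_NET = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    iface: str                        # interface of arrival: "outside" or "inside"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags seen, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    src: object                       # ip_network
    dst: object                       # ip_network
    proto: str
    dports: range
    action: str                       # "allow" or "deny"


# Access rules, evaluated top-down; anything unmatched is denied.
RULES = [
    Rule(INTERNAL_NET, ANY, "tcp", range(443, 444), "allow"),                # browse out
    Rule(ANY, ip_network("10.0.0.80/32"), "tcp", range(443, 444), "allow"),  # reach web server
]


class StatefulFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()      # the connection table: 5-tuples of open sessions

    def valid_source(self, pkt):
        """'From valid IP?': anti-spoofing check tied to the arrival interface."""
        src = ip_address(pkt.src)
        if pkt.iface == "outside":
            return src not in INTERNAL_NET   # internet traffic must not claim an inside address
        return src in INTERNAL_NET            # inside traffic must carry an inside address

    def policy_action(self, pkt):
        """'From/To permitted port?': the first matching access rule decides."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for rule in self.rules:
            if src in rule.src and dst in rule.dst and pkt.proto == rule.proto \
                    and pkt.dport in rule.dports:
                return rule.action
        return "deny"

    def filter(self, pkt):
        """Return a verdict string for one packet, updating the connection table."""
        if not self.valid_source(pkt):
            return "drop: spoofed source"
        if pkt.proto not in ALLOWED_PROTOCOLS:
            return "drop: protocol check failed"
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Existing session: later packets and replies are checked against the table,
        # not the rule set, so return traffic needs no inbound allow rule of its own.
        if forward in self.connections or reverse in self.connections:
            return "allow: matches connection table"
        # New TCP session: only a bare SYN may open one. An unsolicited SYN/ACK,
        # ACK or FIN with no table entry belongs to no known session.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "drop: no matching session"
        if self.policy_action(pkt) != "allow":
            return "drop: denied by policy"
        self.connections.add(forward)   # record the session for the reply path
        return "allow: new session recorded"


def run_demo():
    """Constructed packet sequence exercising each branch of the decision flow."""
    fw = StatefulFirewall()
    packets = [
        Packet("inside", "10.0.0.5", "203.0.113.10", "tcp", 51000, 443, frozenset({"SYN"})),
        Packet("outside", "203.0.113.10", "10.0.0.5", "tcp", 443, 51000, frozenset({"SYN", "ACK"})),
        Packet("outside", "198.51.100.7", "10.0.0.5", "tcp", 4444, 51000, frozenset({"SYN", "ACK"})),
        Packet("outside", "10.0.0.9", "10.0.0.80", "tcp", 40000, 443, frozenset({"SYN"})),
        Packet("outside", "198.51.100.7", "10.0.0.80", "tcp", 40000, 443, frozenset({"SYN"})),
        Packet("outside", "198.51.100.7", "10.0.0.80", "tcp", 40001, 22, frozenset({"SYN"})),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third packet is the case stateless filtering misses: a SYN/ACK to a client port would pass a port-only rule, but with no session in the table it is dropped.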

Firewalls also rely on threat intelligence. They compare traffic against databases of known malicious signatures. If a match is found, the firewall blocks the traffic.

Note:
Signature-based detection only catches known threats. That’s why modern firewalls also use behavior analysis and other techniques to catch unknown or zero-day attacks. These capabilities help detect threats that don’t yet exist in any signature database.

 

Firewalls also treat different types of traffic differently.

Inbound traffic—called north-south—comes from outside the network. That includes internet traffic. It’s more likely to carry threats, so firewalls inspect it carefully.

Internal traffic—called east-west—moves between devices inside the network. It’s often overlooked, but it can be risky. Attackers that get past the perimeter can use east-west traffic to move laterally and access more systems.

Figure: North-south and east-west traffic. Two data centers, each with a firewall above its switches, servers, desktops and storage, sit below an external network. Vertical arrows show north-south traffic between the external network and the data centers; a horizontal arrow shows east-west traffic flowing laterally between the two data centers.

That is why inspecting internal traffic is important too.

Not to mention:

Firewalls help enforce access control. Most organizations today follow the principle of least privilege so that users and devices only get access to what they need. No more, no less. It’s one of the most effective ways to limit risk.

 

What are firewall rules?

Figure: Types of firewall rules. Access rules, network address translation (NAT) rules, circuit-level gateways and stateful packet filtering, shown as components of an overall firewall rule system.

Firewall rules define how to handle network traffic.

These rules decide what to allow and what to block. They’re based on attributes like source and destination IP addresses, ports, and protocols.

There are several types of firewall rules, each handling a different aspect of traffic control:

Types of firewall rules

| Rule type | Description |
| --- | --- |
| Access rules | Manage traffic by evaluating parameters like source and destination addresses, protocol, and port number. Traffic is permitted, blocked, or denied based on these evaluations. |
| Network address translation (NAT) rules | Alter IP addresses as traffic moves between networks. Facilitate routing and can help protect private networks from external threats. |
| Stateful packet filtering | Inspects data packets relative to existing network states. Decisions are made by comparing each packet to known connection sessions. |
| Application-level gateways | Operate at layer 7 of the OSI model. Mediate traffic between external and internal networks and are often used to control access. |
| Circuit-level gateways | Work at layer 5 of the OSI model. Monitor TCP handshakes to verify session legitimacy without inspecting individual packets. |

 

What is firewall architecture?

Figure: Firewall architecture. A central firewall icon surrounded by three segments, data center architecture, public cloud architecture and branch architecture, joined to show their integration into a unified firewall architecture.

Firewall architecture refers to how firewalls are designed and deployed to protect applications, data, and network traffic. 

The focus today is less about specific types and more about how firewall systems operate across different environments.

Modern architectures are shaped by where the firewall runs and what it protects.

Data center architecture

Figure: Data center firewall architecture. Traffic from the internet enters through a firewall, then flows down through the aggregation, aggregation/distribution and access switching layers to the rack-mounted servers at the bottom.

Firewalls in data centers are typically placed near workloads—often at the top of the rack. These devices need to support high throughput and low latency.

They also need strong security features, for example blocking malware and segmenting traffic between different server types.

Here’s why:

Not all servers face the same risks. Public-facing web servers need different protections than internal systems. And segmentation helps ensure each one gets the right level of control.

Public cloud architecture

Figure: Public cloud firewall architecture. Incoming internet traffic passes through a gateway and then a firewall before reaching the servers and apps inside the virtual private cloud (VPC).

In cloud environments, firewall design has to support native cloud constructs. This includes integration with platform services and scalability.

Some firewalls now support containerized workloads. Others allow admins to define policies directly from cloud consoles.

The goal is the same: Apply consistent security while keeping operations manageable.

Branch architecture

Figure: Branch firewall architecture. The firewall sits between the internet and a core switch, which feeds two aggregate switches serving local servers and users. Paths are color-coded: red for untrusted traffic from the internet, green for trusted traffic to local servers, and blue for trusted traffic to users.

At branch locations, firewalls protect local users and systems from internet-based threats. Architecture here is more about positioning and control than physical layout.

That includes using identity- and application-based rules. And it may involve segmenting traffic into zones.

Modern branch firewalls must adapt to evolving user behavior and cloud connectivity. Visibility and control are both essential.

 

What are the different types of firewalls?

Figure: Types of firewalls, grouped by systems protected (network, host-based), network placement (hybrid mesh firewall, internal, distributed, perimeter), form factor (hardware, software) and data filtering method (stateful inspection, proxy, web app, circuit level, packet filtering, next generation (NGFW)).

Not all firewalls work the same way. Some protect individual devices. Others monitor traffic for an entire network. Some are physical appliances. Others run in the cloud.

That’s why they’re generally categorized based on what they protect, how they’re deployed, where they sit in the network, or how they inspect traffic.

Below, we’ll break down the main types of firewalls across each of these categories:

Types of firewalls

| Category | Type | Description |
| --- | --- | --- |
| Systems protected | Network firewall | Protects an entire network by inspecting incoming and outgoing traffic. |
| Systems protected | Host-based firewall | Installed on a specific device to monitor traffic to and from that host. |
| Form factor | Hardware firewall | A physical device placed between network elements and connected devices. |
| Form factor | Software firewall | A software-based firewall deployed on servers or virtual machines. Includes container firewalls, virtual firewalls, and managed service firewalls. |
| Placement within infrastructure | Perimeter firewall | Placed at the edge of a network to manage traffic entering or leaving. |
| Placement within infrastructure | Internal firewall | Positioned within the network to monitor traffic between internal segments. |
| Placement within infrastructure | Distributed firewall | A scalable approach where enforcement is applied across multiple devices. |
| Placement within infrastructure | Hybrid mesh firewall | Firewalls deployed across on-premises and cloud environments in a coordinated, distributed architecture. |
| Data filtering method | Packet filtering firewall | Checks each packet against rule sets and allows or blocks based on criteria. |
| Data filtering method | Stateful inspection firewall | Tracks the state of active connections to evaluate traffic in context. |
| Data filtering method | Circuit-level gateway | Verifies session-level connections before allowing ongoing communication. |
| Data filtering method | Proxy firewall | Intercepts and evaluates application-layer traffic between client and server. |
| Data filtering method | Next-generation firewall (NGFW) | Combines traditional firewall features with advanced capabilities like IPS and traffic decryption. |
| Data filtering method | Web application firewall | Filters HTTP traffic to and from web apps to block attacks like cross-site scripting or SQL injection. |

Figure: Firewall features. Basic features: stateful inspection, packet filtering, access control, logging and monitoring, and network address translation (NAT). Advanced features: next-generation CASB, DNS security, advanced URL filtering, IoT security and advanced threat protection. A central overlapping firewall icon marks the progression from basic to advanced.

Firewalls have evolved. What started as basic traffic filtering has grown into a wide range of capabilities designed to meet different levels of risk.

Some features are foundational: packet filtering, logging, access control, and so on.

Others are more advanced, using modern technologies like deep learning and automation to stop sophisticated threats in real time.

Let’s break down the primary firewall features into two categories—basic and advanced—and take a closer look at each:

Firewall features

| Category | Feature | Description |
| --- | --- | --- |
| Basic | Packet filtering | Evaluates packets based on criteria like IP address or port to allow or block traffic. |
| Basic | Stateful inspection | Tracks the state of active connections to allow only legitimate traffic. |
| Basic | Network address translation (NAT) | Modifies packet IP addresses to conserve addresses and hide internal network structure. |
| Basic | Logging and monitoring | Records network activity for analysis and response to potential threats. |
| Basic | Access control | Applies rules to regulate which users or systems can access network resources. |
| Advanced | Advanced threat prevention | Uses deep learning to detect zero-day attacks and automate protection workflows. |
| Advanced | Advanced URL filtering | Uses real-time deep learning to stop known and unknown web threats. |
| Advanced | DNS security | Applies ML and analytics to block advanced DNS-based attacks and reduce tool sprawl. |
| Advanced | IoT security | Segments and protects IoT devices using Zero Trust and contextual machine learning. |
| Advanced | Next-generation CASB | Secures SaaS apps in real time with deeper visibility and modern data protection. |

 

What are the benefits of a firewall?

Figure: Firewall benefits. Basic benefits: monitoring and filtering network traffic, blocking unauthorized access, preventing virus infiltration, upholding data privacy, and supporting regulatory compliance. Advanced benefits: enhanced user identity protection, Zero Trust principles, control over application use, automated threat intelligence sharing, encrypted traffic security without privacy compromise, and advanced threat protection.

Firewalls help control traffic, reduce risk, and support compliance.

Some benefits are well established, like blocking malicious traffic, enforcing access controls, and maintaining data privacy.

Others reflect newer capabilities: inspecting encrypted traffic, applying Zero Trust policies across the network, and so on.

In other words:

The value of a firewall depends on what it can do and how it’s used.

Here, we’ll outline both basic and advanced firewall benefits:

Firewall benefits

| Category | Benefit | Description |
| --- | --- | --- |
| Basic | Monitoring and filtering network traffic | Inspects data packets and blocks harmful patterns using stateful inspection. |
| Basic | Preventing virus infiltration | Blocks known virus patterns and supports antivirus tools. NGFWs improve detection of advanced threats. |
| Basic | Blocking unauthorized access | Applies access controls to limit interactions to trusted sources only. |
| Basic | Upholding data privacy | Prevents sensitive data exposure by monitoring inbound and outbound traffic. |
| Basic | Supporting regulatory compliance | Logs and controls access to sensitive data to support audit readiness and compliance. |
| Advanced | Enhanced user identity protection | Applies security policies based on user identity for more precise access control. |
| Advanced | Control over application use | Identifies and restricts app usage to approved applications only. |
| Advanced | Encrypted traffic security without privacy compromise | Inspects encrypted traffic for threats while preserving user privacy. |
| Advanced | Advanced threat protection | Protects against known and emerging threats across multiple attack vectors. |
| Advanced | Automated threat intelligence sharing | Detects and responds to threats using shared global intelligence feeds. |
| Advanced | Zero Trust principles | Applies continuous authentication and verification to reduce implicit trust. |

 

What are the primary firewall challenges?

The primary challenges commonly associated with firewalls include:

  • Selecting an appropriate firewall

  • Effective configuration

  • Regular updates

  • Managing rules and policies

  • Preventing false positives

  • Monitoring and alert management

  • Change management in dynamic environments

  • Robust patch management

  • Business logic translation to firewall rules

  • Layer 7 transition difficulty

  • Balancing security and performance

Managing firewalls isn’t just about deploying the right technology. It’s about keeping that technology aligned with changing environments, evolving threats, and organizational needs.

From choosing the right type of firewall to maintaining performance under load, each step comes with its own set of challenges.

Here are the key areas that can complicate firewall operations and where teams often face the most friction.

Selecting an appropriate firewall

As discussed, there are plenty of firewall types. Some are simple and packet-based. Others offer advanced threat detection and user-based policies.

Choosing the right one depends on what the organization needs to protect and how it operates. Most organizations use more than one type to balance coverage, cost, and performance.

Effective configuration

A firewall is only effective when configured properly. There’s no one-size-fits-all setup. Policies need to reflect specific requirements around segmentation, applications, and bandwidth.

Figure: Effective vs. improper firewall configuration. In the effective configuration, legitimate traffic flows in both directions between users and the internet through the firewall, while malicious traffic from the internet is blocked at the firewall. In the improper configuration, legitimate traffic still flows, but malicious traffic passes through the firewall to the users.

Unclear or broad rules can expose gaps or restrict legitimate access. Defining allowed services and applications upfront helps reduce these risks.

Regular updates

Firewalls have to be able to adapt to new threats. And that means regular software updates and threat signature updates are critical.

It’s worth noting, though, that updates can cause downtime or performance issues if not tested. So review the impact of each change before deploying it.

Management of rules and policies

Firewall rule sets can grow over time. New rules get added, but old ones often stay in place—even when they’re no longer needed.

Here’s the problem:

Too many overlapping or outdated rules can cause performance issues and make it harder to spot vulnerabilities.

Figure: Firewall compliance audit steps. 1. Define the scope, objectives, and specific regulations or internal security policies. 2. Gather documentation. 3. Review firewall policies and configurations. 4. Verify compliance with regulations and standards. 5. Evaluate firewall change management processes. 6. Conduct a vulnerability assessment. 7. Analyze firewall logs and alerts. 8. Test firewall effectiveness. 9. Verify network segmentation. 10. Review user and administrative access. 11. Document findings and recommendations. 12. Present the audit report. 13. Follow up on corrective actions.

Regular audits help identify what to remove or optimize.

Preventing false positives

Strict policies are good in theory. But they can block legitimate activity if they’re too aggressive.

This causes frustration for users. It also creates more work for IT teams.

The solution?

Tuning rules to reflect known traffic behavior.

Figure: Identifying and classifying firewall rule anomalies for performance tuning. Five relationships between Rule 1 and Rule 2: overlapping with different actions (shadow anomaly), fully overlapping with the same action (redundancy anomaly), partially overlapping with the same action (generalized anomaly), non-overlapping with different actions (correlation anomaly), and separate rules with the same action (non anomaly). The category depends on how the rules overlap and whether their actions agree.

Over time, this reduces false positives while maintaining strong security.
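An added example, not code from the original article, serving both the rule-set audit discussed under "Management of rules and policies" and the tuning described here: a small classifier that compares every pair of rules in a first-match policy and names the anomaly between them. It follows the classic firewall policy anomaly taxonomy of Al-Shaer and Hamed (shadowing, generalization, correlation, redundancy), where the order of the two rules decides the category; the rule model and the sample policy are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source network in CIDR notation
    dst: str            # destination network in CIDR notation
    proto: str          # "tcp", "udp" or "any"
    ports: tuple        # inclusive destination port range (low, high)
    action: str         # "allow" or "deny"


def _relation(a_within_b, b_within_a, disjoint):
    """Reduce one field comparison to: equal, sub, super, partial or disjoint."""
    if disjoint:
        return "disjoint"
    if a_within_b and b_within_a:
        return "equal"
    if a_within_b:
        return "sub"
    if b_within_a:
        return "super"
    return "partial"


def _net_relation(a, b):
    a, b = ip_network(a), ip_network(b)
    return _relation(a.subnet_of(b), b.subnet_of(a), not a.overlaps(b))


def _proto_relation(a, b):
    return _relation(a == b or b == "any", a == b or a == "any",
                     a != b and "any" not in (a, b))


def _port_relation(a, b):
    (a_lo, a_hi), (b_lo, b_hi) = a, b
    return _relation(b_lo <= a_lo and a_hi <= b_hi,
                     a_lo <= b_lo and b_hi <= a_hi,
                     a_hi < b_lo or b_hi < a_lo)


def rule_relation(a, b):
    """How the set of packets matched by rule a relates to that of rule b."""
    rels = {_net_relation(a.src, b.src), _net_relation(a.dst, b.dst),
            _proto_relation(a.proto, b.proto), _port_relation(a.ports, b.ports)}
    if "disjoint" in rels:
        return "disjoint"       # some field can never match both rules at once
    if "partial" in rels or {"sub", "super"} <= rels:
        return "partial"        # each rule matches packets the other does not
    if "sub" in rels:
        return "sub"
    if "super" in rels:
        return "super"
    return "equal"


def classify(earlier, later):
    """Anomaly between an earlier rule and a later one in a first-match policy."""
    rel = rule_relation(later, earlier)
    same_action = earlier.action == later.action
    if rel == "disjoint":
        return "none"
    if rel in ("equal", "sub"):
        # The later rule never fires: every packet it matches hits the earlier rule first.
        return "redundancy" if same_action else "shadowing"
    if rel == "super":
        # The earlier rule is an exception carved out of the later, broader rule; with the
        # same action the narrower earlier rule is redundant (assuming no rule in between).
        return "redundancy" if same_action else "generalization"
    return "none" if same_action else "correlation"


def audit(rules):
    """Report every anomalous pair as (earlier, later, anomaly), in policy order."""
    findings = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            anomaly = classify(earlier, later)
            if anomaly != "none":
                findings.append((earlier.name, later.name, anomaly))
    return findings


# Constructed sample policy, deliberately containing one of each anomaly.
SAMPLE_POLICY = [
    Rule("R1", "10.0.0.0/24", "0.0.0.0/0", "tcp", (443, 443), "allow"),
    Rule("R2", "10.0.0.0/24", "0.0.0.0/0", "tcp", (443, 443), "deny"),
    Rule("R3", "10.0.0.0/24", "0.0.0.0/0", "tcp", (80, 443), "allow"),
    Rule("R4", "10.0.0.0/16", "192.168.1.0/24", "any", (1, 65535), "deny"),
    Rule("R5", "172.16.0.0/12", "0.0.0.0/0", "udp", (53, 53), "allow"),
]

if __name__ == "__main__":
    for earlier, later, anomaly in audit(SAMPLE_POLICY):
        print(f"{earlier} -> {later}: {anomaly}")
```

Shadowed and redundant rules are the removal candidates; correlations are where a reordering silently changes behaviour, so they are the pairs to review before tightening a rule to cut false positives.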

Monitoring and alert management

Firewalls need ongoing monitoring. Metrics like CPU load, session count, or failover events help identify issues early.

Screenshot: PAN-OS Application Command Center dashboard. The left side shows an Application Usage heatmap (sized and colored by bytes, sessions, threats and content) above a table of applications with rank, bytes, sessions, threats, content, URLs and apps. The right side shows a User Activity graph of bytes sent and received over time above a table of source users with the same columns. Tabs at the top switch between Network Activity, Threat Activity, Blocked Activity and Tunnels Activity, giving administrators a view of security trends and policy effectiveness.

For example: Unusual failover activity could signal hardware problems or bugs that need investigation before they affect availability.

Change management in dynamic environments

Networks change constantly. New systems, apps, or users mean firewall rules need to change too.

Figure: Firewall change management process, eleven steps in sequence. 1. Request initiation. 2. Impact analysis. 3. Review and approval. 4. Planning. 5. Notification. 6. Implementation. 7. Testing and validation. 8. Documentation. 9. Monitoring. 10. Review and feedback. 11. Rollback.

The challenge is timing.

Some changes require trial and error. Documentation might not clearly explain which ports or protocols are in use. So admins need to be ready to troubleshoot.

Robust patch management

All systems have vulnerabilities. Firewalls are no exception.

It’s important to have a formal patching process for security devices. This includes monitoring vendor updates, applying patches promptly, and tracking which devices are affected.

Business logic translation to firewall rules

Security policies often come from business leaders. But translating those high-level goals into technical firewall rules can be difficult.

Figure: Translating business logic into firewall rules. 1. An executive initiative to improve overall security posture by reducing phishing is handed to the firewall admin as a business goal. 2. The firewall admin works with the email admin on log analysis of emails. 3. The outcome is a new firewall rule to block the traffic.

Why?

Some firewall platforms don’t support business logic directly or intuitively. That can lead to inefficient or overly complex rule sets.

Layer 7 transition difficulty

Some organizations still rely on older Layer 3 and Layer 4 firewalls. Transitioning to a Layer 7 system can be hard, especially when legacy rules are involved.

This shift requires rethinking how policies are structured. It also requires time to test and validate the new approach.

Balancing security and performance

Firewalls inspect large volumes of traffic. That inspection can slow things down—especially if too many features are enabled at once.

There’s always a tradeoff. Stronger inspection might reduce throughput.

Modern tools like AIOps can help. They use predictive analytics to identify when firewalls are nearing capacity and suggest changes before performance becomes a problem.


 

What are the main firewall threats and vulnerabilities?

The main firewall threats and vulnerabilities include, but aren’t limited to:

  • Misconfiguration

  • Outdated software

  • Inactive security features

  • Insufficient documentation

  • Internal threats

  • Weak password protocols

  • Basic inspection protocols

  • Over-reliance on firewalls

  • Evolving threat landscape

  • Advanced attacks on machine learning

Firewalls play a key role in protecting networks, but they’re not immune to risk. Like any security tool, their effectiveness depends on how they’re deployed, maintained, and monitored.

Missteps—whether technical, procedural, or strategic—can create vulnerabilities that attackers exploit.

Below are the most common threats and vulnerabilities that can weaken firewall defenses and introduce gaps in overall security posture.

Misconfiguration

Firewalls are only as effective as their configurations. Mistakes during setup can leave gaps. Default settings are a common risk.

Attackers often look for devices running with unchanged defaults.

Figure: Firewall misconfiguration attack example. 1. An attacker gets access to an internal network through the firewall. 2. The attacker determines which devices are using default credentials. 3. The attacker takes over all vulnerable devices with default credentials, reaching internal resources such as desktops, servers and databases.

Regular reviews help close these gaps and strengthen security.

Outdated software

Firewall software needs updates. Vendors release patches to fix known bugs and close security holes.

Running an outdated version increases the risk of exploitation. It can also create compatibility issues with other systems.

Keeping software current is part of basic network security hygiene.

Inactive security features

Many firewalls ship with advanced capabilities. But some of those features are off by default.

Anti-spoofing tools are one example. If they’re not enabled, the firewall won’t block traffic from falsified sources.

System audits can help verify that important features are active.

Insufficient documentation

Firewall admins need clear documentation. That includes configuration settings, rule sets, and change history.

Without it, teams may miss important details—especially during handoffs or staffing changes. Poor documentation also makes it harder to audit or troubleshoot later.

Internal threats

Firewalls focus on external traffic. But insider threats still matter.

Employees with system access might bypass firewall protections.

Reviewing user access levels and monitoring internal traffic helps limit that risk.

Weak password protocols

Weak or reused passwords can undermine the entire system.

Some firewalls still ship with default credentials. Others allow simple passwords.

Enforcing strong password policies and regular changes is essential for basic access control.

Basic inspection protocols

Older firewalls inspect traffic based on source, destination, and port. But that’s not enough against modern threats.

Attackers use spoofing or encrypted payloads to bypass shallow inspection.

Architecture diagram titled Deep packet inspection comparing conventional packet inspection and DPI. On the left side, a labeled icon represents Conventional packet inspection with an envelope symbol and waveform. On the right, a similar icon labeled DPI shows the deeper inspection process. Arrows from both icons point to three vertically stacked layers labeled IP, TCP, and App layer. The IP and TCP layers are connected by a bracket labeled Conventional packet analysis, while the App layer is included under a separate bracket labeled Deep packet analysis, indicating that DPI inspects beyond TCP/IP into the application layer.

Deep packet inspection (DPI) gives a clearer view into actual content.
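To make the difference between conventional packet analysis and DPI concrete, here is an added example in Python (not code from the original page or from any vendor product): it compares what a port-only check assumes about a flow with what the first payload bytes actually show, including extracting the server name from a TLS ClientHello. The port table, the sample flows and the minimal ClientHello builder are constructed for the example, and a flow is flagged as a mismatch whenever the port-based guess disagrees with the inspected content.

```python
from typing import Optional

# Port-to-application table a conventional port-based check relies on (constructed).
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls"}


def classify_by_port(dst_port: int) -> str:
    """What a port-only check assumes the traffic is."""
    return PORT_TABLE.get(dst_port, "unknown")


def is_tls_record(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03xx
    return len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03


def parse_tls_sni(payload: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello; None if absent or malformed."""
    try:
        if not is_tls_record(payload):
            return None
        rec_len = int.from_bytes(payload[3:5], "big")
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:        # handshake type 1 = ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                              # client_version + random
        pos += 1 + body[pos]                      # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                      # compression_methods
        if pos + 2 > len(body):
            return None                           # no extensions block
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            pos += 4
            if ext_type == 0:                     # server_name extension
                list_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
                q = pos + 2                       # skip server_name_list length
                while q + 3 <= list_end:
                    name_type = body[q]
                    name_len = int.from_bytes(body[q + 1:q + 3], "big")
                    q += 3
                    if name_type == 0:            # host_name
                        return body[q:q + name_len].decode("ascii", "replace")
                    q += name_len
            pos += ext_len
    except IndexError:
        pass                                      # truncated input: treat as no SNI
    return None


def classify_by_payload(payload: bytes) -> dict:
    """What the bytes actually are: HTTP request, SSH banner, TLS, or unknown."""
    first = payload.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        host = None
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return {"app": "http", "method": parts[0].decode("ascii", "replace"), "host": host}
    if payload.startswith(b"SSH-"):
        return {"app": "ssh", "banner": first.decode("ascii", "replace")}
    if is_tls_record(payload):
        return {"app": "tls", "sni": parse_tls_sni(payload)}
    return {"app": "unknown"}


def inspect(dst_port: int, payload: bytes) -> dict:
    """Compare the port-based guess with the inspected content; a mismatch is
    exactly the traffic a shallow, port-only check would misjudge."""
    guess = classify_by_port(dst_port)
    actual = classify_by_payload(payload)
    return {"port_guess": guess, "dpi": actual, "mismatch": guess != actual["app"]}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI (sample input only)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + len(host).to_bytes(2, "big") + host
    sni_ext = (b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big")
               + len(entry).to_bytes(2, "big") + entry)
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01"                     # one cipher suite
            + b"\x01\x00"                             # null compression only
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows: (destination port, first payload bytes of the flow)
SAMPLE_FLOWS = [
    (443, build_client_hello("www.example.com")),
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, build_client_hello("update.example.net")),   # encrypted traffic on the web port
    (8080, b"SSH-2.0-OpenSSH_9.6\r\n"),                 # SSH on a non-standard port
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, inspect(port, data))
```

The third and fourth flows are the ones a port-only check gets wrong: TLS on port 80 is classified as HTTP, and SSH on port 8080 is simply unknown, while the payload classifier identifies both and even recovers the server name the client asked for.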

Over-reliance on firewalls

Firewalls are important—but they’re not enough on their own. A strong security posture uses multiple layers.

That includes endpoint protection, network monitoring, and incident response. Relying only on a firewall leaves other gaps exposed.

Evolving threat landscape

New threats emerge constantly. And traditional firewalls often rely on known signatures.

But attackers now use polymorphic code and zero-day techniques. Defenses need to evolve to keep pace with threats that don’t match existing patterns.

Advanced attacks and machine learning

Attackers are using machine learning to improve their techniques. These threats can adapt faster than signature-based tools can respond.

Like fileless malware, for instance:

Architecture diagram titled Fileless attack kill chain example shows a horizontal sequence of six icons connected by arrows, representing the steps of a fileless attack. The first icon shows a user icon with a warning triangle and is labeled A user clicks a malicious link in a phishing email. The second icon is the Flash logo, labeled The linked website loads a Flash object that exploits a vulnerability. The third icon is a command line window, labeled The exploit executes shellcode that runs PowerShell with a command-line argument to download and run a payload directly in memory. Above this step, a dashed red line points to an inset box labeled Scripts and Executables (like Mimikatz), with accompanying icons for a document and gear. Text above the line says, The script retrieves additional tools (like Mimikatz) and executes them in memory to avoid detection. The fourth icon shows a truck, labeled The payload may exfiltrate data, cause system damage, or carry out further attacks. The fifth icon shows a set of curly brackets, labeled A registry entry is added to automatically trigger PowerShell with the same command on system startup. All icons are black and white with key steps emphasized in red text.

To keep up, firewalls need more proactive detection—like behavior analysis and anomaly detection—built into the core platform.

 

How to configure a firewall in 6 steps

Diagram titled How to configure a firewall displaying a horizontal six-step process with numbered icons and short text summaries under each step. Step 1, marked with an orange circle and shield icon, is labeled Secure the firewall and includes three bullet points: Firmware updates, Password changes, and Patching. Step 2, marked with a cluster icon in a blue circle, is labeled Zoning & structure with subpoints: Identify assets, Assign zones, and Proper routing. Step 3, shown with a black circle and network flow icon, is labeled Implement ACLs and lists: Permit traffic, Block traffic, and Rule specification. Step 4, using a light blue circle with a server icon, is labeled Service activation and includes: DHCP, IPS, and Logging. Step 5, represented by a purple circle with a checklist icon, is labeled Testing phase and includes: Vulnerability scan, Pen testing, and Backup config. Step 6, marked with a teal circle and gear icon, is labeled Ongoing monitoring with the points: Monitor logs, Adjust rules, and Evolve ops. Each step is evenly spaced and connected visually in a left-to-right layout.

Firewall configuration is the process of setting specific rules and policies that govern how to monitor and control incoming and outbound traffic. 

Firewall configuration steps include:

  1. Securing the firewall

  2. Designing firewall zones and IP address structure

  3. Implementing access control lists (ACLs)

  4. Activating additional services and logging

  5. Testing the configuration 

  6. Ongoing monitoring and management

Remember: A firewall is only as effective as how it’s configured and maintained.

Step 1: Secure the firewall

  • Start by updating the firmware. This applies recent patches and reduces the risk of known exploits.

  • Remove or disable default accounts. 

  • Change default passwords. 

  • Restrict administrative access to specific systems and users.

Tip:
If possible, segment administrative access behind a jump server or VPN. This adds an extra control layer and reduces exposure from public networks.

Step 2: Design firewall zones and IP address structure

  • Group network assets based on role and risk level. For example: Public-facing servers should be placed in a DMZ.

  • Assign each zone to an interface. This ensures clear boundaries and proper routing between zones.

Tip:
Use consistent naming conventions for zones and interfaces. This helps with readability and reduces the chance of misconfiguration as the network scales.

Step 3: Implement access control lists (ACLs)

Define what traffic is allowed between zones. Use specific source and destination IPs and ports.

Important: End each ACL with a default “deny all” rule. This blocks traffic that hasn’t been explicitly approved.

Tip:
Document the purpose of each rule. If your firewall supports tagging or comments, use them. This makes future reviews and audits much easier.
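As an added illustration of Step 3 (not the page's own code and not any vendor's ACL syntax), the following Python model evaluates a zone-to-zone ACL with first-match semantics, treats anything that reaches the end of the list as denied, and lints the list for undocumented rules, rules shadowed by an earlier broader rule, and a missing explicit final deny. The Rule class, the DMZ and admin address ranges and the sample ACL are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One ACL entry (hypothetical model, not a vendor syntax).

    proto "any" matches every protocol; dport 0 matches every port.
    'comment' records the rule's purpose, as the tip above recommends.
    """
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp", "icmp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: int      # destination port, 0 = any
    comment: str = ""

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport == 0 or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is already matched by self."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.dport == 0 or self.dport == other.dport))


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation. Traffic that matches no rule is denied, which is
    the implicit default deny most platforms apply; the explicit trailing
    'deny any any' rule makes that behaviour visible and loggable."""
    for rule in acl:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def lint(acl: List[Rule]) -> List[str]:
    """Review checks: undocumented rules, rules shadowed by an earlier broader
    rule (they can never match and are candidates for removal), and a missing
    explicit default deny at the end of the list."""
    findings = []
    for i, rule in enumerate(acl):
        if not rule.comment:
            findings.append(f"rule {i}: no comment documenting its purpose")
        for j in range(i):
            if acl[j].covers(rule):
                findings.append(f"rule {i}: shadowed by rule {j}, can never match")
                break
    last = acl[-1] if acl else None
    if not (last and last.action == "deny" and last.proto == "any" and last.dport == 0
            and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0"):
        findings.append("ACL does not end with an explicit 'deny any any' rule")
    return findings


# Constructed sample: Internet to a DMZ web tier (192.0.2.0/24), admin SSH from 10.0.0.0/8.
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", 443, "Internet to DMZ web tier (HTTPS)"),
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", 22, "Admin network to DMZ SSH"),
    Rule("permit", "tcp", "10.1.0.0/16", "192.0.2.0/24", 22),  # undocumented and shadowed by rule 1
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", 0, "Explicit default deny"),
]

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "203.0.113.5", "192.0.2.10", 443))  # permit
    print(evaluate(ACL, "tcp", "203.0.113.5", "192.0.2.10", 22))   # deny
    for finding in lint(ACL):
        print(finding)
```

Running the lint over the sample ACL reports rule 2 twice: it has no comment, and rule 1 already covers every packet it could match, so it is dead weight that a scheduled rule review should remove.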

Step 4: Activate additional services and logging

  • Enable only the services that are needed—such as DHCP or intrusion prevention.

  • Set up logging. Logs should be sent to a centralized system for review and analysis. They help with monitoring and troubleshooting.

Tip:
Test log delivery to the central system during setup. Silent failures in logging pipelines are easy to miss—and often go unnoticed until an investigation is needed.

Step 5: Test the configuration

  • Use vulnerability scanners or penetration testing tools to validate the firewall. This confirms that blocked traffic stays out and legitimate traffic flows as expected.

  • Backup the configuration once it’s verified. This allows fast recovery if needed.

Tip:
Simulate both allowed and blocked traffic during testing. It helps verify that legitimate access isn’t being unintentionally denied.

Step 6: Ongoing monitoring and management

  • Review logs and alerts regularly. Adjust policies when threats change or the network is updated.

  • Also, track firewall health. Metrics like CPU and memory usage help detect early signs of performance issues.

    FYI: Tools like AIOps can help. They identify configuration drift and performance trends. Plus, they also provide guidance on maintaining alignment with security best practices.

Tip:
Schedule regular rule reviews—especially after major network or business changes. Stale or unnecessary rules can accumulate quickly and impact performance or security.

 

 

Top 10 firewall best practices

Diagram titled Top 10 firewall best practices presents nine numbered orange circles arranged in a staggered horizontal layout, each paired with a corresponding best practice in black text. From left to right, the best practices are: 1. Harden & configure firewalls properly, 2. Adopt a customized, phased deployment strategy, 3. Enhance & regularly update firewall protocols, 4. Regularly review & update access controls, 5. Implement a comprehensive logging & alert mechanism, 6. Establish backup & restoration protocols, 7. Align policies with compliance standards, 8. Subject firewalls to regular testing, and 9. Conduct routine firewall audits. A faint rounded rectangle groups steps 4 through 6 in the center, and subtle decorative elements in light gray appear in the background.

The top firewall best practices include:

  1. Harden and configure firewalls properly.

  2. Adopt a customized, phased deployment strategy.

  3. Enhance and regularly update firewall protocols.

  4. Ensure rigorous traffic control.

  5. Regularly review and update access controls.

  6. Implement a comprehensive logging and alert mechanism.

  7. Establish backup and restoration policies.

  8. Align policies with compliance standards.

  9. Subject firewalls to regular testing.

  10. Conduct routine firewall audits.

Firewall effectiveness depends on more than just installation. 

It requires secure setup, continuous testing, and proactive management. 

These best practices help reduce risk while keeping your configuration aligned with real-world needs.

1. Harden and configure firewalls properly

Start by hardening the operating system. This includes disabling unnecessary services and applying vendor patches. 

Important: Firewalls protecting internet-facing services, like web servers, need extra scrutiny. Configuration mistakes here are common entry points.

After deployment, configuration is ongoing. Regularly review rules and settings to reflect changes in risk, usage, or business needs.

Tip:
Before deployment, follow trusted setup guides—like those from the vendor or CIS.

2. Adopt a customized, phased deployment strategy

Deployment should match the environment. That includes understanding Layer 2 and Layer 3 network design and assigning zones accordingly.

Here’s why:

A sudden rollout can disrupt access. But a phased approach reduces risk and allows testing along the way.

Tip:
Start with low-risk segments of the network—like non-critical VLANs or test environments. Use early feedback to refine rule sets and interface assignments before broader rollout.

3. Enhance and regularly update firewall protocols

Disable legacy protocols like Telnet or unsecured SNMP. Use modern alternatives where possible.

But it’s not just technical. Admins should stay active in cybersecurity communities. 

New vulnerabilities and patches come fast. Relying on automation is not enough.

4. Ensure rigorous traffic control

  • Use default deny rules. Only allow traffic that’s explicitly needed.

  • Classify traffic into categories—internal, external, or partner—and apply rules based on trust and function. 

  • Then monitor for unexpected flows or access attempts.

5. Regularly review and update access controls

  • Only the right users should have admin access.

  • Review access lists often.

  • Remove unused accounts and update permissions when roles change.

The goal is balance:

Enough access for teams to function. But not so much that risk increases.

6. Implement a comprehensive logging and alert mechanism

  • Enable detailed logging for all inbound and outbound traffic.

  • Send logs to a central system for review.

  • Use real-time alerts to detect anomalies—logging isn’t enough on its own.

  • Then follow up with regular reviews to identify patterns and fine-tune rules.

Tip:
Correlate firewall logs with other security data sources—like endpoint or identity systems. Contextual visibility helps reduce alert fatigue and improves incident response.
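The two checks described above, confirming that log delivery has not silently stopped (the Step 4 tip) and alerting on anomalies instead of only collecting logs (this practice), as an added Python example that is not part of the original article. The log format, the hostname fw1 and all addresses are constructed sample data; the regex and the thresholds are assumptions a real deployment would adapt to its own log format and traffic volume.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample in a generic "key=value" firewall log format (not a vendor's format).
LOG_LINES = """\
2024-05-01T10:00:00Z fw1 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:01:00Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2024-05-01T10:01:02Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:01:04Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23
2024-05-01T10:01:06Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=25
2024-05-01T10:01:08Z fw1 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3389
2024-05-01T10:02:00Z fw1 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:03:00Z fw1 DENY src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:35:00Z fw1 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:36:00Z fw1 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse lines into events; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_silent_gaps(events: List[dict], max_gap_seconds: int) -> List[Tuple[datetime, datetime, int]]:
    """Periods longer than max_gap_seconds with no events at all. A busy firewall
    should never go quiet that long, so a gap usually means the log pipeline
    (forwarder, collector, disk) failed silently, not that the network did."""
    gaps = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for prev, cur in zip(ordered, ordered[1:]):
        delta = int((cur["ts"] - prev["ts"]).total_seconds())
        if delta > max_gap_seconds:
            gaps.append((prev["ts"], cur["ts"], delta))
    return gaps


def detect_port_scans(events: List[dict], min_ports: int) -> Dict[str, List[int]]:
    """Sources whose DENIED connections touched at least min_ports distinct
    destination ports: the 'unexpected access attempts' worth a real-time alert."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            ports_by_src[ev["src"]].add(ev["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for start, end, secs in find_silent_gaps(evs, max_gap_seconds=600):
        print(f"ALERT no firewall logs for {secs}s between {start} and {end}")
    for src, ports in detect_port_scans(evs, min_ports=5).items():
        print(f"ALERT {src} probed {len(ports)} blocked ports: {ports}")
```

On the sample data the gap check reports the 32-minute silence between 10:03 and 10:35, which is the kind of pipeline failure nobody notices until an investigation needs those logs, and the scan check singles out the one source that probed five blocked ports while ignoring the single denied SSH attempt from another host.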

7. Establish backup and restoration policies

Backups should include rules, configurations, and policy settings. They also need to be tested.

If a firewall fails or is misconfigured, you need a fast way to restore functionality. So test the process before it’s needed.

Tip:
Store backup configurations in at least two secure, access-controlled locations. Include versioning so you can roll back to a known-good state, not just the most recent one.
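Drift detection against versioned known-good backups (the FYI under Step 6 and the tip here), as an added Python example that is not from the page or from any product. ConfigStore, the rule-line syntax and the baseline configs are constructed for the example; in practice the store would be a git repository or the vendor's backup facility, kept in two access-controlled locations as the tip says.

```python
import hashlib
from typing import Dict, List


def normalize(config: str) -> List[str]:
    """Config lines with whitespace trimmed and blank/comment lines dropped,
    so cosmetic edits don't register as drift."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def config_digest(config: str) -> str:
    """Order-sensitive fingerprint: rule order matters for first-match ACLs."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


class ConfigStore:
    """Versioned known-good configurations (hypothetical; a real store would be
    a git repository or the vendor's backup facility)."""

    def __init__(self) -> None:
        self.versions: List[dict] = []

    def commit(self, config: str, note: str) -> int:
        version = len(self.versions) + 1
        self.versions.append({"version": version, "note": note,
                              "digest": config_digest(config), "config": config})
        return version

    def latest(self) -> dict:
        return self.versions[-1]

    def rollback_target(self, version: int) -> str:
        """Config text to restore for a chosen known-good version."""
        return self.versions[version - 1]["config"]


def is_broad_permit(line: str) -> bool:
    # Constructed rule syntax: <action> <proto> <src> <dst> <port>
    parts = line.split()
    return len(parts) == 5 and parts[0] == "permit" and parts[2] == "any" and parts[3] == "any"


def detect_drift(running: str, store: ConfigStore) -> Dict:
    """Compare the running config with the versioned baselines. If it matches
    any committed version, report which; otherwise report added/removed lines
    against the latest version and flag the changes that widen exposure."""
    digest = config_digest(running)
    for v in store.versions:
        if v["digest"] == digest:
            return {"drift": False, "matches_version": v["version"],
                    "added": [], "removed": [], "reordered": False, "risky": []}
    base = normalize(store.latest()["config"])
    cur = normalize(running)
    added = [ln for ln in cur if ln not in base]
    removed = [ln for ln in base if ln not in cur]
    risky = [ln for ln in added if is_broad_permit(ln)]
    risky += [f"removed: {ln}" for ln in removed if ln.startswith("deny")]
    return {"drift": True, "matches_version": None, "added": added, "removed": removed,
            "reordered": not added and not removed, "risky": risky}


# Constructed baselines and a running config someone widened "temporarily".
BASELINE_V1 = """\
# v1: web tier only
permit tcp any 192.0.2.0/24 443
deny any any any any
"""
BASELINE_V2 = """\
# v2: add admin SSH from the internal network
permit tcp any 192.0.2.0/24 443
permit tcp 10.0.0.0/8 192.0.2.0/24 22
deny any any any any
"""
RUNNING = """\
permit tcp any 192.0.2.0/24 443
permit tcp 10.0.0.0/8 192.0.2.0/24 22
permit any any any any
deny any any any any
"""

if __name__ == "__main__":
    store = ConfigStore()
    store.commit(BASELINE_V1, "initial")
    store.commit(BASELINE_V2, "admin ssh")
    report = detect_drift(RUNNING, store)
    print(report)
    if report["risky"]:
        print("restore:", store.rollback_target(store.latest()["version"]))
```

Because the digest is computed over the ordered rule lines, a config whose rules were merely reordered is still reported as drift (first-match evaluation makes order part of the policy), and a running config that matches an older version is reported as that version rather than as drift, so a deliberate rollback to a known-good state does not raise a false alarm.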

8. Align policies with compliance standards

Firewall settings should meet industry regulations. But they should also go beyond basic checklists.

Compliance evolves. Your policy reviews should evolve too. Keep up with regulatory changes and map your configurations to them regularly.

9. Subject firewalls to regular testing

Use tools like path analysis to confirm rules behave as expected. Then go further.

Run penetration tests to simulate attacks. This helps validate how the firewall performs under pressure—and where it can improve.

Tip:
Run targeted tests based on recent changes. For example, test newly added rules or modified interfaces. This keeps validation focused and avoids testing overhead.

10. Conduct routine firewall audits

Schedule routine audits for software versions, log integrity, and rule accuracy. Document all policy changes.

Important: Audits aren’t just for compliance. They also make sure internal changes don’t introduce new risks.

| Further reading: Key Firewall Best Practices

 

Comparing firewalls with other network security technologies

Firewall vs. antivirus

Diagram titled Firewall vs. antivirus visually compares the functions of firewalls and antivirus tools using a split-circle layout. On the left, a red block labeled Firewall connects to three bullet points that state: monitors and regulates traffic, blocks unauthorized access, and operates at network protocol level. On the right, a blue block labeled Antivirus connects to three bullet points that state: scans files and programs for malware, cannot inspect read-only files, and operates within computer systems. The center of the diagram contains a semi-circular ring divided into two arcs—red for firewall and blue for antivirus—with icons representing each function inside the circle. The firewall side has a flame icon and the antivirus side has a biohazard symbol.

Firewalls and antivirus software serve different purposes. Firewalls focus on controlling traffic that enters or leaves a network. Antivirus tools focus on detecting and removing threats that already exist on a system.

So essentially: Firewalls protect at the network level. Antivirus protects at the device level.

Antivirus software scans files and programs for malware—like viruses, trojans, or worms. It removes or quarantines anything suspicious. Some antivirus tools have limitations, such as not inspecting read-only files.

It’s worth noting—these tools work best together. A firewall helps stop threats before they reach endpoints. Antivirus helps remove anything that gets through.

Firewall vs. IDS

Diagram titled Firewall vs. IDS visually compares firewall functionality with intrusion detection system capabilities using a split-circle layout. On the left, an orange block labeled Firewall connects to three bullet points that state: inspects and filters network traffic, permits and denies traffic, and operates at network protocol level. On the right, a dark blue block labeled IDS (Intrusion detection system) connects to three bullet points that state: analyzes traffic for patterns of known threats, detects and alerts, and does not block traffic. The center of the diagram features a circle divided into two arcs—orange for firewall and blue for IDS—with icons inside representing each function: a flame icon for firewall and an alert beacon icon for IDS. Lines connect the blocks to the circle, reinforcing the visual comparison between inspection/enforcement and detection-only roles.

Firewalls and intrusion detection systems (IDS) also serve different roles. A firewall controls traffic based on defined policies. An IDS monitors traffic for signs of malicious behavior.

Here’s the key difference:

Firewalls act. IDSs observe.

A firewall enforces rules in real time.

An IDS, on the other hand, inspects traffic for threat patterns but doesn’t block it. It generates alerts when something suspicious is found.

In many environments, these tools are used together. Some modern network security systems combine detection and enforcement into one solution.

 

What is the history of firewalls?

The diagram titled The history of firewalls is a horizontal timeline with five key milestones. The first milestone is marked with an orange circle labeled 1980s and includes the caption Packet Filtering Systems: Basic Destination Check. A horizontal orange bar connects to the second milestone, a yellow circle labeled 2000s, with the caption Unified Threat Management (UTM): Multi-layered Protection. The third milestone is a blue circle labeled 2008, with the caption Next-Gen Firewalls (NGFWs): Application, User and Content. A horizontal light blue bar connects to the fourth milestone, another blue circle labeled 2020, with the caption ML-Powered NGFWs: Predict and Counter. Each milestone is visually connected by a central timeline with circular nodes representing progression through different eras of firewall evolution.

The earliest firewalls appeared in the late 1980s. 

Packet filtering firewalls evaluated network traffic based on destination address, protocol, and port. If a packet didn’t match the rules, it was blocked or dropped.

Later, stateful firewalls added session awareness, meaning they could track the state of each network connection and evaluate whether incoming packets were part of an ongoing session or a new one. This made filtering far more accurate and easier to manage.

In the early 2000s, vendors introduced unified threat management (UTM) devices. 

These platforms combined multiple security functions—like firewalling, antivirus, and intrusion prevention systems—into a single ecosystem. While UTMs simplified deployment, many struggled with integration and performance under load.

In 2008, Palo Alto Networks introduced a new kind of firewall technology: next-generation firewalls (NGFWs), which emphasized deeper visibility and control. 

There was a shift toward inspecting traffic based on application, user identity, and content. NGFWs also included features like intrusion prevention and SSL decryption. One major area of focus was stopping credential-based threats by tying policies to user identity.

More recently, led by Palo Alto Networks, the industry moved toward ML-powered NGFWs. 

These firewalls use machine learning to detect threats in real time, significantly improving firewall security overall. ML is used to detect known threats and variants, recognize suspicious behavior, and recommend actions based on context.

Alongside this, cloud-delivered firewall services have grown in use. As more organizations shift to hybrid and remote work models, FWaaS products offer cloud-native security that follows users and workloads wherever they go.

 

 

Firewall FAQs

A firewall is the first line of defense against unauthorized access, malicious traffic, and external threats attempting to enter a network. It regulates traffic based on specific security rules by scrutinizing data packets and deciding whether to allow, block, or drop them based on established criteria. The primary purpose is to protect network devices by monitoring traffic flow and blocking potential threats.

The role of a firewall in cyber security is to defend computers or networks from unauthorized access and potential threats by monitoring and filtering data between private and external networks. It identifies and blocks malicious traffic by comparing it against known threat signatures and scrutinizing each packet's journey. Additionally, it protects against threats that bypass the perimeter or originate from within an internal network.

A firewall monitors and regulates incoming and outgoing network traffic based on defined security rules. It scrutinizes packets against established criteria, rejecting or permitting data based on these rules. Many also use stateful packet inspection to ensure comprehensive evaluation of each packet within the context of its originating session.

For optimal security, both individuals and organizations need firewalls to protect their data and maintain the integrity of their home network or systems.

Firewalls are implemented based on the specific needs and architecture of the network or device they are intended to protect. Types include network firewalls, which protect entire networks; host-based firewalls, which monitor individual devices; and form factors such as hardware and software firewalls. The choice also depends on the intended placement within the network infrastructure, the method of data filtering required, and the specific systems the firewall is designed to protect.

The function of a firewall is to safeguard networks by controlling and filtering data traffic, ensuring only legitimate traffic gains entry and blocking potential threats.

A firewall can manifest in different forms. As a hardware device, it might resemble a typical rack-mountable networking box with ports and LEDs. In software form, it often appears as a user interface displaying settings and traffic data. The appearance varies based on type, whether it's for a large enterprise, a small office, or an individual device.

Firewall examples include those categorized by systems protected, such as network and host-based; form factors, such as hardware and software; placement within network infrastructure, such as distributed or internal; and data filtering methods, such as NGFW or WAF.

A proxy server acts as an intermediary between a user and the internet, processing user requests by seeking resources from other servers. In contrast, a firewall monitors and controls network traffic based on defined security policies, protecting systems from unauthorized access or threats. While both enhance network security, they have distinct functions.