
Firewall Types for CompTIA Network+ N10-009

Firewalls are the primary network security boundary control, and CompTIA Network+ N10-009 tests multiple firewall types, their capabilities, and appropriate use cases. You must distinguish between packet filtering, stateful, application-layer, and next-generation firewalls, understand UTM (Unified Threat Management), and know how WAFs (Web Application Firewalls) differ from network firewalls.


Firewall Types by Inspection Method

Packet filtering firewall (stateless): inspects each packet independently, matching source/destination IP address, port, and protocol against a rule set (ACL). Fast, simple, lowest overhead. Keeps no connection state, so it cannot tell whether an inbound packet is the reply to a connection an internal host opened or an unsolicited packet an attacker crafted to look like one; to let replies through, the inbound ports they use must be left permanently open. Does not understand application context. Layers 3–4.

Stateful inspection firewall: tracks connections in a state table (TCP state transitions, plus pseudo-state for UDP and ICMP flows keyed on addresses and ports). A reply packet is admitted only if it matches a session that an earlier permitted packet created, so unsolicited inbound traffic is dropped even on ports that legitimate replies would use. This is the fundamental improvement over packet filtering. Operates at Layers 3–4. Virtually all modern firewalls are at least stateful.
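The difference between the two paragraphs above is easiest to see by running both decision procedures over the same packets. The following simulation is an added example, not code from the original page: a stateless ACL and a stateful inspection engine each judge a constructed stream containing one legitimate outbound HTTPS handshake and two unsolicited inbound packets crafted to look like replies (source port 443). The addresses, ports and the policy "inside may open HTTPS to anywhere" are assumptions made for the example.

```python
# Added simulation (not from the page): a stateless packet filter and a
# stateful inspection firewall judging the same constructed packet stream.
# Addresses, ports and the policy ("inside may open HTTPS to anywhere") are
# assumptions made for the example.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset      # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}
    direction: str        # "out" = inside -> outside, "in" = outside -> inside


def stateless_filter(pkt: Packet) -> str:
    """Per-packet ACL. To let replies to outbound HTTPS come back, the ACL must
    permanently permit inbound packets from source port 443 to any high port,
    so a crafted packet that merely looks like a reply is accepted too."""
    if pkt.direction == "out" and pkt.dst_port == 443:
        return "ALLOW"
    if pkt.direction == "in" and pkt.src_port == 443 and pkt.dst_port >= 1024:
        return "ALLOW"
    return "DENY"


class StatefulFirewall:
    """Keeps a state table keyed on the 4-tuple of connections initiated from
    inside under policy; inbound packets are allowed only when they match the
    reverse of an existing entry."""

    def __init__(self) -> None:
        self.state: dict[tuple, str] = {}

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        new_conn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if pkt.direction == "out" and new_conn:
            if pkt.dst_port == 443:              # policy: inside may open HTTPS
                self.state[key] = "SYN_SENT"
                return "ALLOW"
            return "DENY"
        if reverse in self.state:                # reply to a tracked session
            if {"SYN", "ACK"} <= pkt.flags:
                self.state[reverse] = "ESTABLISHED"
            return "ALLOW"
        if key in self.state:                    # more packets from the initiator
            return "ALLOW"
        return "DENY"                            # no matching state: unsolicited


# Constructed packet stream: one legitimate HTTPS handshake, then two
# unsolicited inbound packets crafted to resemble replies (source port 443).
STREAM = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"SYN"}), "out"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}), "in"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"ACK"}), "out"),
    Packet("198.51.100.7", 443, "10.0.0.5", 51000, frozenset({"ACK"}), "in"),
    Packet("198.51.100.7", 443, "10.0.0.9", 40000, frozenset({"ACK"}), "in"),
]


def run(stream=STREAM) -> dict[str, list[str]]:
    """Return the verdict of each filter for every packet in the stream."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in stream],
        "stateful": [fw.inspect(p) for p in stream],
    }


if __name__ == "__main__":
    for name, verdicts in run().items():
        print(f"{name:10s} {verdicts}")
```

The stateless ACL allows all five packets, including the two forged "replies", because the only way it can admit real replies is a standing rule for inbound source port 443. The stateful engine allows the three packets of the tracked session and denies the two packets that match no state table entry.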

Application-layer firewall (proxy firewall): terminates the client's connection and opens a separate connection to the server on its behalf, so no packet passes end to end and the firewall sees the full Layer 7 content. Can enforce application-specific policies: block specific HTTP methods, inspect FTP commands, block file attachments by content type. Slower than stateful inspection (every connection is fully parsed) but far more capable for application control.

Next-Generation Firewall (NGFW): combines stateful inspection with deep packet inspection (DPI), application identification and control, user identity awareness (integrates with AD/LDAP so rules can reference users and groups rather than IP addresses), IPS, URL filtering, SSL/TLS inspection (decrypts HTTPS to inspect content, then re-encrypts it), and threat intelligence feeds. Examples: Palo Alto, Cisco Firepower, Fortinet FortiGate, Check Point.

Specialized Firewall Types

WAF (Web Application Firewall): specifically protects web applications from attacks carried in HTTP/HTTPS requests, such as SQL injection, XSS (Cross-Site Scripting), CSRF, and the other OWASP Top 10 vulnerabilities. Operates at Layer 7 and parses HTTP itself (URL, headers, parameters, body). Positioned in front of web servers, typically as a reverse proxy or inline device. Different from a network firewall (which protects infrastructure); a WAF protects the application logic.
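The application-proxy and WAF paragraphs above both come down to parsing the request at Layer 7 before deciding. The following is an added example, not code from the original page or from any WAF product: it splits a raw HTTP/1.1 request, applies a proxy-style method allow-list, then decodes every query-string and form parameter and matches it against a handful of WAF-style signatures. The method policy, the three signatures and the sample requests are all constructed for this example; real rule sets are far larger and usually score anomalies rather than hard-match one pattern.

```python
# Added example (not from the page): Layer 7 inspection of raw HTTP requests,
# combining an application-proxy style method allow-list with WAF-style
# signature matching on decoded parameters. The method policy, the signatures
# and the sample requests are constructed for this example.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ALLOWED_METHODS = {"GET", "POST", "HEAD"}        # proxy policy (assumption)

# Deliberately small signature set; real WAF rules are much broader.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b[\s\S]*\bselect\b"
                        r"|'\s*or\s*'?\d+'?\s*=\s*'?\d+"
                        r"|;\s*drop\s+table\b)")),
    ("xss", re.compile(r"(?i)(<\s*script\b|javascript:|<\w+[^>]*\son\w+\s*=)")),
]


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1")}


def extract_params(req: dict) -> list:
    """Collect query-string and form parameters. parse_qsl decodes once; the
    extra unquote_plus pass also catches double-encoded payloads
    (%2527 -> %27 -> '), a common evasion against single-decode matching."""
    params = parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)
    if req["headers"].get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params += parse_qsl(req["body"], keep_blank_values=True)
    return [(name, unquote_plus(value)) for name, value in params]


def inspect(raw: bytes) -> tuple:
    """Return ("ALLOW", None, None) or ("BLOCK", reason, offending field)."""
    req = parse_request(raw)
    if req["method"] not in ALLOWED_METHODS:       # proxy-style method policy
        return ("BLOCK", "method", req["method"])
    for name, value in extract_params(req):         # WAF-style content rules
        for rule, pattern in RULES:
            if pattern.search(value):
                return ("BLOCK", rule, name)
    return ("ALLOW", None, None)


# Constructed sample requests.
SAMPLES = {
    "benign": b"GET /search?q=network%2B+firewalls HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": b"GET /item?id=1%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli_double_encoded": (b"GET /item?id=1%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1\r\n"
                            b"Host: shop.example\r\n\r\n"),
    "xss_form": (b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 40\r\n\r\n"
                 b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    "method": b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def run_samples() -> dict:
    """Inspect every sample request and return its verdict."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

The stateful and packet-filtering designs from the previous section would allow all five requests, since each is a well-formed TCP connection to port 80 or 443. Note the trade-off the second decode pass introduces: it catches double-encoded payloads, but it also rewrites legitimate values that contain a literal "%" or "+", which is one source of WAF false positives in practice.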

UTM (Unified Threat Management): a single appliance combining multiple security functions — firewall, IPS, VPN, web filtering, antivirus, DLP, and email filtering. Cost-effective for SMBs. Potential performance bottleneck when all functions are active. Modern UTM devices handle multi-gigabit throughput.

Host-based firewall: software firewall running on individual endpoints (Windows Defender Firewall, iptables/nftables on Linux). Protects the host from network attacks regardless of network location, including untrusted networks (hotels, coffee shops) where no perimeter firewall stands in front of it. Rules match at Layers 3–4 (addresses, ports, connection state), usually with some application awareness such as scoping a rule to a specific program or network profile.

Firewall Type Comparison

Type                OSI layer    Key capability                      Limitation
Packet filter       L3–L4        IP/port rules                       No connection tracking
Stateful            L3–L4        Connection tracking                 No application inspection
Application proxy   L7           Deep application inspection         Higher latency
NGFW                L3–L7        DPI, app ID, user ID, IPS           Expensive, complex
WAF                 L7 (HTTP)    Web application attack protection   HTTP/HTTPS only
UTM                 L3–L7        All-in-one security                 Performance scaling

Key exam facts — Network+

  • Stateless firewall: per-packet, no state tracking; stateful: connection-aware
  • NGFW: stateful + DPI + application control + user identity + IPS + SSL inspection
  • WAF: protects web applications from HTTP attacks (SQLi, XSS); layer 7
  • UTM: all-in-one appliance — firewall, IPS, VPN, AV, URL filter
  • Application-layer proxy: terminates and inspects connections at Layer 7
  • Stateful inspection tracks TCP state — blocks unsolicited inbound packets
  • Host-based firewall protects individual endpoints regardless of network location

Common exam traps

A NGFW replaces the need for a WAF

NGFWs and WAFs serve different purposes. An NGFW protects network infrastructure and adds application identification (which application is in the flow). A WAF is engineered to understand and protect web application logic: SQL injection, CSRF, and other OWASP Top 10 attacks require WAF-specific signatures and rules that parse the request's URL, headers, parameters and body.

Practice questions — Firewall Types

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A company needs to protect its public web application from SQL injection and cross-site scripting attacks. Which security control is most appropriate?

A. Stateful firewall
B. Next-generation firewall (NGFW)
C. Web Application Firewall (WAF)
D. Host-based firewall

Correct answer: C. A WAF (Web Application Firewall) is specifically designed to protect web applications from OWASP Top 10 attacks such as SQL injection and XSS: it parses HTTP/HTTPS traffic at Layer 7 and applies rules written for web application vulnerabilities. A stateful firewall filters by IP address and port and cannot inspect web application content. A host-based firewall protects the server's own network stack, not the application's handling of input. An NGFW provides DPI and application identification, but protecting against attacks on application logic requires the dedicated rule set of a WAF.

Frequently asked questions — Firewall Types

What is SSL inspection and why does it matter?

SSL/TLS inspection (SSL decryption) lets the firewall decrypt HTTPS traffic, inspect the content, and re-encrypt it before forwarding. Without it, an NGFW sees only encrypted payloads and cannot apply DPI, URL filtering, or malware scanning to HTTPS connections, which make up most modern web traffic. Inspection requires deploying the firewall's certificate as a trusted CA on endpoints so they accept the certificates the firewall re-signs on the fly. Two practical caveats: applications that pin their server certificate (common in mobile apps and software updaters) will fail under inspection and need bypass rules, and the inspecting firewall holds plaintext for every decrypted session, so it must be protected as a high-value asset and its decryption policy should exclude categories such as banking or health traffic where policy or regulation requires.
