What Is a Firewall? [Firewall Definition & Explanation]


Firewalls act as barriers between a private network and external networks, inspecting traffic and filtering it against a set of security rules. Using those rules, a firewall decides whether to allow a packet, reject it (block it and notify the sender), or silently drop it.

Firewalls come as hardware appliances, software, or a mix of both. Whatever the form factor, the goal is the same: only traffic the policy explicitly permits gets through, and everything else is stopped at the boundary.


What do firewalls do, and how do they work?

"A firewall acts a lot like a secretary for your network. The firewall examines requests for access to your network, and it decides whether they pass a reasonableness test. If so, they are allowed through, and, if not, they are refused entry."

Firewalls monitor and manage network traffic.

Their job is to protect network devices (also referred to as hosts). That can mean computers, servers, or anything else with an IP address.

Basically, firewalls filter traffic to determine what should be allowed and what should be blocked.

Architecture diagram titled 'How firewalls work' shows traffic flowing between the internet on the left and a private network on the right, with a firewall in the center. Permitted traffic is represented by green arrows passing through the firewall in both directions. One red arrow labeled 'Denied traffic' originates from the internet and is blocked at the firewall, indicating that the firewall selectively allows or denies traffic based on defined rules. Each element—Internet, Firewall, and Private Network—is labeled and illustrated with icons.

To break it down further, a firewall uses rules to make those decisions. Rules match on header fields such as source and destination IP address, protocol, and port. Rules are evaluated in order, and the first rule that matches a packet decides its fate; a packet that matches no rule falls through to the default action, which on a well-configured firewall is deny.

Diagram titled 'How firewall rules evaluate traffic' shows a flowchart beginning with an incoming packet entering a firewall. The first decision point is 'Check IP address rules.' If there is no match, the packet is blocked and a security event is logged. If there is a match, the process continues to 'Check port rules.' Again, if there is no match, the packet is blocked and a security event is logged. If there is a match, the packet moves to 'Check protocol rules.' If this also matches, the packet is allowed and logged as allowed traffic. Red arrows indicate blocked traffic paths and are labeled 'No match' with actions to 'Block packet' and 'Log security event.' Green arrows indicate matched traffic paths with actions to 'Allow traffic' and 'Log allowed traffic.' Each step is visually represented by icons: document icons for rule checks, an 'X' icon for blocked packets, and a checkmark icon for allowed traffic.

More advanced firewalls don't just look at packets one by one. Instead, they use stateful inspection, which means they track the connection each packet belongs to in a connection (state) table. That way, they can tell whether a packet is the expected next step in a conversation the firewall already permitted, or an unsolicited packet merely pretending to be one.

Like this:

A vertical flowchart titled 'Stateful packet inspection example' shows the decision-making process for determining whether a packet from the internet is allowed through. At the top right, a globe icon labeled 'Internet' points to a blue envelope icon labeled 'Packet arrives from internet,' which connects to an orange firewall icon. From there, the packet is evaluated through a series of white decision boxes with green 'Yes' or red 'No' arrows. The boxes ask, in order: 'From valid IP?', 'From permitted port?', 'To permitted port?', and 'Pass protocol checks?' Red 'No' arrows from any decision point lead to a red stop icon with an X in a circle. If all answers are 'Yes,' the packet is either recorded in the connection table or compared against it, with white boxes showing 'Record IP and SYN/ACK data in connection table' or 'Check IP and SYN/ACK against data in connection table.' If it matches, a green arrow leads to 'Translate IP address' followed by the final blue envelope icon labeled 'Packet delivered to destination,' ending at a gray computer icon. Dotted lines are used for alternate flows and protocol verification steps.

This matters because looking at the full context helps detect more complex or stealthy threats.
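To make the stateless-versus-stateful distinction concrete, here is a small Python model of a stateful packet filter. It is an added example, not code from the original page or from any vendor's product: the rule set, the connection table keyed on the 5-tuple, and the sample traffic (RFC 5737 documentation addresses plus one RFC 1918 client) are all constructed for illustration, and the model handles IPv4 and TCP/UDP only. Rules are evaluated top-down with first match winning and a default of drop; reply packets for a flow the firewall already permitted are accepted from the connection table without consulting the rules, and a TCP segment that claims to belong to a conversation the firewall never saw (for example, the SYN/ACK of an ACK scan) is dropped even though a port-based stateless rule would have let it through.

```python
"""Added example: a minimal stateful packet filter (not code from the page)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"  # this model is IPv4 only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False

    @property
    def opens_connection(self) -> bool:
        # A bare SYN starts a TCP handshake. Anything else (ACK, SYN/ACK, RST)
        # must belong to a flow the firewall has already seen.
        return self.proto != "tcp" or (self.syn and not self.ack)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow", "reject" (tell the sender) or "drop" (silent)
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default: str = "drop") -> None:
        self.rules = rules
        self.default = default
        self.table = set()  # 5-tuples of flows an allow rule admitted

    @staticmethod
    def _flow(p: Packet) -> Tuple[str, int, str, int, str]:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse_flow(p: Packet) -> Tuple[str, int, str, int, str]:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet and update the connection table."""
        # 1. Reply traffic for an established flow is accepted without a rule lookup.
        if self._reverse_flow(p) in self.table:
            return "allow", "established"
        # 2. TCP segments that do not open a connection and match no known flow
        #    are out-of-state: the classic way to slip past a stateless filter.
        if not p.opens_connection:
            return "drop", "out-of-state"
        # 3. New flows go through the ordered rule set; first match wins.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.table.add(self._flow(p))
                return rule.action, rule.name
        return self.default, "default"


# Constructed policy: internal clients may browse HTTPS, the internet may reach
# the public web server on 443, and Telnet is rejected with an error.
POLICY = [
    Rule("lan-https-out", "allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("web-in", "allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("no-telnet", "reject", proto="tcp", dport=23),
]

# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.80", "tcp", 51000, 443, syn=True),               # client opens HTTPS
    Packet("192.0.2.80", "10.0.0.5", "tcp", 443, 51000, syn=True, ack=True),     # server's SYN/ACK
    Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 51000, syn=True, ack=True),   # spoofed SYN/ACK, no state
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 443, syn=True),         # visitor to web server
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40001, 22, syn=True),          # SSH probe
    Packet("198.51.100.7", "10.0.0.5", "tcp", 40002, 23, syn=True),              # Telnet attempt
]


def run(policy: List[Rule], traffic: List[Packet]) -> List[Tuple[str, str]]:
    fw = StatefulFirewall(policy)
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for pkt, (action, why) in zip(TRAFFIC, run(POLICY, TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto} {action:6} ({why})")
```

The third packet is the point of the exercise: a stateless filter that wants to let web replies back in must allow inbound TCP with source port 443 to any internal host, and the spoofed SYN/ACK satisfies exactly that rule. The stateful model accepts the genuine reply from the connection table and drops the spoofed one because no permitted flow ever opened it. Production firewalls also age table entries out, track TCP state transitions and sequence numbers, and handle ICMP and related flows such as FTP data channels, none of which this model attempts.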

Many firewalls also draw on threat intelligence. They compare traffic against feeds of known malicious IP addresses, domains, and URLs, and against attack signatures for known exploits. If a match is found, the firewall blocks the traffic.

Note:
Signature-based detection only catches threats that have already been seen and catalogued. That's why modern firewalls also use behavioral analysis, sandboxing, and similar techniques to catch unknown or zero-day attacks that don't yet appear in any signature database.

They also treat traffic differently based on direction.

North-south traffic crosses the network boundary. It is more likely to carry threats, so it's inspected closely. East-west traffic moves between hosts inside the network and is often left uninspected. But once attackers have a foothold, east-west is exactly the path they use to move laterally, which is why inspecting internal traffic matters too.

Diagram titled 'North-south vs. east-west traffic inspection' shows a cloud icon at the top, representing external internet traffic entering a network through a series of firewall icons positioned along the perimeter. This downward vertical flow is labeled 'North-south traffic.' A blue annotation box states 'North-south traffic inspection blocks threats.' Inside the network perimeter, horizontal arrows labeled 'East-west traffic' move between internal network segments. One segment is marked 'Compromised' and shows a malware icon and red arrows labeled 'Lateral movement' connecting to other internal segments. East-west firewalls are shown within each internal section, representing inspection between internal systems. Vertical and horizontal directional arrows illustrate the difference between north-south and east-west traffic paths.

Firewalls are also a primary way to enforce access control. Applying the principle of least privilege, so that users and devices can reach only what they need and nothing more, is one of the most effective ways to limit the blast radius of a compromise.


What are the different types of firewalls?

Diagram titled “Types of firewalls” featuring a central red-orange circle with a firewall icon and four surrounding branches labeled by category. The top right branch, labeled “Systems protected” in yellow, lists two types: Network and Host-based. The middle right branch, labeled “Network placement” in blue, includes Hybrid mesh firewall, Internal, Distributed, and Perimeter. The bottom right branch, labeled “Form factors” in light blue, includes Hardware and Software. The bottom left branch, labeled “Data filtering method” in green, lists Stateful inspection, Proxy, Web app, Circuit level, Packet filtering, and Next generation (NGFW). Thin gray connector lines link each item to the central icon, creating a radial layout.

Not all firewalls work the same way. Some protect individual devices. Others monitor traffic for an entire network. Some are physical appliances. Others run in the cloud.

That's why they're generally categorized based on what they protect, how they're deployed, where they sit in the network, or how they inspect traffic.

Below, we'll break down the main types of firewalls across each of these categories:

Types of firewalls

| Category | Type | Description |
|---|---|---|
| Systems protected | Network firewall | Protects an entire network by inspecting incoming and outgoing traffic. |
| Systems protected | Host-based firewall | Installed on a specific device to monitor traffic to and from that host. |
| Form factor | Hardware firewall | A physical appliance placed between network segments and the devices connected to them. |
| Form factor | Software firewall | Runs on servers or virtual machines. Includes container firewalls, virtual firewalls, and managed service firewalls. |
| Placement within infrastructure | Perimeter firewall | Placed at the edge of a network to manage traffic entering or leaving it. |
| Placement within infrastructure | Internal firewall | Positioned within the network to monitor traffic between internal segments. |
| Placement within infrastructure | Distributed firewall | A scalable approach where enforcement is applied across many devices rather than at a single choke point. |
| Placement within infrastructure | Hybrid mesh firewall | Firewalls deployed across on-premises and cloud environments and managed as one coordinated, distributed architecture. |
| Data filtering method | Packet filtering firewall | Checks each packet in isolation against rule sets and allows or blocks it based on header fields. |
| Data filtering method | Stateful inspection firewall | Tracks the state of active connections to evaluate traffic in context. |
| Data filtering method | Circuit-level gateway | Verifies session-level connections (for example, the TCP handshake) before allowing ongoing communication, without inspecting payloads. |
| Data filtering method | Proxy firewall | Terminates the client connection and opens its own to the server, evaluating application-layer traffic in between. |
| Data filtering method | Next-generation firewall (NGFW) | Combines traditional firewall features with application awareness, intrusion prevention (IPS), and traffic decryption. |
| Data filtering method | Web application firewall (WAF) | Filters HTTP traffic to and from web apps to block attacks like cross-site scripting or SQL injection. |

These distinctions aren't just technical trivia. They reflect how firewalls have adapted to different layers, architectures, and threats.

Knowing the differences helps you make sense of where each firewall fits and what problems it's designed to solve.


What features do firewalls include?

Diagram titled 'Firewall features' displaying two adjacent circles representing categories of firewall capabilities. The right circle is labeled 'Basic firewall features' in orange and contains icons linked to four items: Stateful inspection, Packet filtering, Access control, and Logging & monitoring. Also linked to this section is Network address translation (NAT) positioned at the top left. The left circle is labeled 'Advanced firewall features' in black and includes five items: Next generation CASB, DNS security, Advanced URL filtering, IoT security, and Advanced threat protection. A smaller circle at the center overlaps both categories, showing a firewall icon to indicate shared functionality or progression between basic and advanced features. Thin lines connect each feature to its corresponding category.

Firewalls have evolved. What started as basic traffic filtering has grown into a wide range of capabilities designed to meet different levels of risk.

Some firewall features are foundational: packet filtering, logging, access control, etc.

Others are more advanced, using modern technologies like deep learning and automation to stop sophisticated threats in real time.

Let's break down the primary firewall features into two categories—basic and advanced—and take a closer look at each:

Firewall features

| Category | Feature | Description |
|---|---|---|
| Basic | Packet filtering | Evaluates packets based on criteria like IP address or port to allow or block traffic. |
| Basic | Stateful inspection | Tracks the state of active connections to allow only legitimate traffic. |
| Basic | Network Address Translation (NAT) | Modifies packet IP addresses to conserve addresses and hide internal network structure. |
| Basic | Logging and monitoring | Records network activity for analysis and response to potential threats. |
| Basic | Access control | Applies rules to regulate which users or systems can access network resources. |
| Advanced | Advanced threat prevention | Uses deep learning to detect zero-day attacks and automate protection workflows. |
| Advanced | Advanced URL filtering | Uses real-time deep learning to stop known and unknown web threats. |
| Advanced | DNS security | Applies ML and analytics to block advanced DNS-based attacks and reduce tool sprawl. |
| Advanced | IoT security | Segments and protects IoT devices using Zero Trust and contextual machine learning. |
| Advanced | Next-generation CASB | Secures SaaS apps in real time with deeper visibility and modern data protection. |

On paper, many firewalls advertise similar features. But the depth, accuracy, and integration of those features vary widely.

What matters most is how well they work together to detect, prevent, and respond to modern threats in real time.


What benefits do firewalls provide?

Diagram titled 'Firewall benefits' showing two connected circles representing basic and advanced firewall benefits. The right circle is labeled 'Basic firewall benefits' in orange and contains five items arranged vertically: Monitoring & filtering network traffic, Blocking unauthorized access, Preventing virus infiltration, Upholding data privacy, and Supporting regulatory compliance. The left circle is labeled 'Advanced firewall benefits' in black and includes six items: Enhanced user identity protection, Zero trust principles, Control over application use, Automated threat intelligence sharing, Encrypted traffic security without privacy compromise, and Advanced threat protection. A central overlapping circle displays a firewall icon, symbolizing the integration of both benefit categories. Thin lines connect each benefit to its respective category.

Firewalls help control traffic, reduce risk, and support compliance.

Some benefits are well established, like blocking malicious traffic, enforcing access controls, and maintaining data privacy.

Others reflect relatively newer capabilities: inspecting encrypted traffic, applying Zero Trust policies across the network, etc.

In other words:

The value of a firewall depends on what it can do and how it's used.

Below, we've grouped firewall benefits into basic protections and more advanced capabilities that support today's hybrid and threat-rich environments.

Firewall benefits

| Category | Benefit | Description |
|---|---|---|
| Basic | Monitoring and filtering network traffic | Inspects data packets and blocks harmful patterns using stateful inspection. |
| Basic | Preventing virus infiltration | Blocks known virus patterns and supports antivirus tools. NGFWs improve detection of advanced threats. |
| Basic | Blocking unauthorized access | Applies access controls to limit interactions to trusted sources only. |
| Basic | Upholding data privacy | Prevents sensitive data exposure by monitoring inbound and outbound traffic. |
| Basic | Supporting regulatory compliance | Logs and controls access to sensitive data to support audit readiness and compliance. |
| Advanced | Enhanced user identity protection | Applies security policies based on user identity for more precise access control. |
| Advanced | Control over application use | Identifies and restricts app usage to approved applications only. |
| Advanced | Encrypted traffic security without privacy compromise | Inspects encrypted traffic for threats while preserving user privacy. |
| Advanced | Advanced threat protection | Protects against known and emerging threats across multiple attack vectors. |
| Advanced | Automated threat intelligence sharing | Detects and responds to threats using shared global intelligence feeds. |
| Advanced | Zero Trust principles | Applies continuous authentication and verification to reduce implicit trust. |

Not every firewall delivers every benefit listed here. That's because firewalls are used in many different environments.

What matters is aligning capabilities with your network architecture, threat landscape, and operational needs.


What challenges come with using firewalls?

Firewalls aren't just a set-it-and-forget-it technology. They need to keep up with evolving threats, shifting traffic patterns, and changing business needs.

One of the first challenges is choosing the right type of firewall for each environment, whether that's a data center, public cloud, branch, or hybrid setup. From there, the real work begins.

Misconfiguration is one of the most common and dangerous issues: overly permissive rules, missing updates, or filtering mistakes that leave gaps or create bottlenecks.

Diagram titled 'Effective vs. improper firewall configuration' shows two horizontal network flows. In the top section labeled 'Effective,' green arrows labeled 'Allow legitimate traffic' flow between users, a firewall icon, and the internet. A red arrow labeled 'Block malicious traffic' stops at the firewall, indicating the threat is blocked. In the bottom section labeled 'Improper,' green arrows again indicate that legitimate traffic is allowed, but a red dashed arrow labeled 'Allows malicious traffic' passes through the firewall from the internet to users, showing that the threat is not blocked. Both sections include icons for users, firewalls, and the internet arranged left to right.

Plus, firewall rule sets grow over time. New rules get added for each project or exception, but old ones are rarely removed. The result is a bloated policy that slows evaluation, contains rules that conflict with or shadow one another, and blocks legitimate traffic. Overly tight rules also cause false positives, which frustrate users and flood IT and security teams with unnecessary alerts.

Diagram titled 'Firewall rule set challenges' is split into two sections. On the left, a table illustrates a growing firewall rule list with 12 rows and columns for Rule ID, Source IP, Destination IP, Protocol, Port, and Action. The rules include mixed 'Allow' and 'Deny' actions, with notes indicating that rule growth can increase performance issues, complexity, and conflicts. The last row is labeled 'Excessive rule set growth' in red. On the right, icons show the impact of overly strict rules, including blocked email, sites, and collaboration tools. A central firewall icon connects to three effects: 'Security operations center' with the note 'Analyst fatigue from excessive alerts,' 'Help desk overload' with 'Drowning in unnecessary user tickets,' and 'User frustration' with 'Legitimate traffic blocked.'
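The shadowing and redundancy problem is mechanical enough to check automatically. The Python below is an added example, not code from the original page or any vendor's tooling: it models an ordered, first-match rule set with a constructed set of six rules (RFC 5737 and RFC 1918 addresses) and reports rules that can never fire because an earlier rule covers them. A later deny swallowed by an earlier allow is the case to worry about, since the policy reads as if the traffic is blocked when it is not. The model is IPv4 only and matches on source, destination, protocol and destination-port range; real policies add zones, applications, users and more.

```python
"""Added example: find shadowed, redundant and over-permissive rules (not code from the page)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

ANY_NET = "0.0.0.0/0"    # this model is IPv4 only
ANY_PORTS = (0, 65535)   # inclusive destination-port range meaning "any"


@dataclass(frozen=True)
class Rule:
    rid: str
    src: str                # source network, CIDR
    dst: str                # destination network, CIDR
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination-port range
    action: str             # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ip_network(inner.src, strict=False).subnet_of(ip_network(outer.src, strict=False))
    dst_ok = ip_network(inner.dst, strict=False).subnet_of(ip_network(outer.dst, strict=False))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and proto_ok and ports_ok


def is_over_permissive(rule: Rule) -> bool:
    """An allow rule from any source to any port is a hole, not a policy."""
    return (rule.action == "allow"
            and ip_network(rule.src) == ip_network(ANY_NET)
            and rule.ports == ANY_PORTS)


def analyze(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Walk an ordered, first-match rule set and return (finding, rule, cause) tuples.

    shadowed   fully covered by an earlier rule with the opposite action, so it
               never fires (a deny shadowed by an allow is a security gap)
    redundant  fully covered by an earlier rule with the same action
    permissive an allow rule that matches any source on any port
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.rid, earlier.rid))
                break  # the first covering rule is the one that actually wins
        if is_over_permissive(later):
            findings.append(("permissive", later.rid, "-"))
    return findings


# Constructed rule set showing the kind of growth the text describes.
RULES = [
    Rule("R1", "10.0.0.0/8",      ANY_NET,           "tcp", (443, 443), "allow"),
    Rule("R2", ANY_NET,           "203.0.113.10/32", "tcp", (443, 443), "allow"),
    Rule("R3", "10.0.5.0/24",     ANY_NET,           "tcp", (443, 443), "deny"),   # never fires: R1 wins
    Rule("R4", "10.0.0.0/16",     ANY_NET,           "tcp", (443, 443), "allow"),  # duplicate of R1
    Rule("R5", ANY_NET,           ANY_NET,           "any", ANY_PORTS,  "allow"),  # "temporary" troubleshooting rule
    Rule("R6", "198.51.100.0/24", "203.0.113.10/32", "tcp", (22, 22),   "deny"),   # never fires: R5 wins
]

if __name__ == "__main__":
    for kind, rid, cause in analyze(RULES):
        print(f"{rid}: {kind} (by {cause})")
```

Two caveats for anyone adapting this. First, it only reports full coverage; an earlier allow that overlaps part of a later deny (a correlation rather than a shadow) still silently punches a hole, and catching that requires splitting the address and port ranges. Second, the analysis is only as good as the rule model: if the firewall also matches on zone, application, user or source port, a rule that looks shadowed here may still fire in practice, so run the check against the fields the firewall actually evaluates.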

Meanwhile, performance demands continue to rise. Deep inspection, encrypted traffic analysis, and advanced features all require processing power. If firewalls aren't properly sized or tuned, throughput suffers.

Bar chart titled 'Firewall performance vs. processing demand' shows throughput in Gbps on the left y-axis and CPU utilization percentage on the right y-axis. The x-axis lists seven firewall capabilities: stateful firewall, IPS/IDS, antivirus, deep packet inspection, SSL decryption, sandbox, and all features. Each capability includes two bars: a red bar representing a poorly sized CPU and a blue bar representing a well-sized CPU. As features increase from left to right, throughput decreases and CPU utilization increases, especially for the poorly sized system. A red box highlights the last three features as a 'Performance bottleneck area.' Above the chart, a banner lists associated performance impacts: high latency, packet drops, session timeouts, user complaints, and service degradation.

Even updates present risks. Regular patches and threat signature updates are critical. But poorly timed changes can disrupt traffic or introduce new issues.

Circular timeline diagram showing the progression of firewall update timing and potential risks. The top arc, labeled 'Normal operation', begins with a gray circle labeled 'Normal operation', followed by 'Peak traffic begins', 'Firewall stable', and 'Patch identified', all marked with connected colored dots. A central dark blue circle labeled 'Update event' follows, connected to 'Patch deployed', 'Firewall performance impacted', and 'Firewall restart'. A red triangle labeled 'Service impact' sits along the lower arc, which is segmented into two phases: 'Response' and 'Recovery'. The 'Response' phase includes icons and steps: 'Support calls flood', 'Users disconnected', 'Traffic blocked', 'Rollback initiated', and 'Emergency troubleshoot'. The 'Recovery' phase follows with 'Service restored' as the final green circle. The diagram emphasizes how an update event can lead to cascading service impacts and operational response before recovery is achieved.

And underlying it all is one consistent challenge: translating business needs into clear, effective firewall rules. That's especially hard during infrastructure changes, when visibility is limited and documentation may be incomplete.

Diagram showing the flow of business logic into firewall enforcement across three roles. On the left, a purple box labeled 'Executive' contains an icon of a person with a briefcase. Below, Step 1 reads: 'Executive initiative to improve overall security posture by reducing phishing.' An arrow labeled 'Business goals' points right to a red box labeled 'Firewall admin' at the center. The firewall admin is shown receiving email logs from a gray box on the far right labeled 'Email admin,' illustrated with a person and envelope icon. Step 2 reads: 'Log analysis of emails.' A vertical line from the firewall admin points downward to an icon of a firewall, labeled with Step 3: 'New firewall rule to block traffic.' The flow demonstrates how a high-level phishing reduction goal is translated into firewall policy through email log analysis.

Bottom line:

Firewall management is an ongoing process. It takes constant tuning, review, and adaptation to keep protections strong without slowing the business down.


How do firewalls compare with other network security technologies?

Firewalls are often one of the first tools people think of when it comes to network security. But they're far from the only one.

From antivirus to web gateways to access control lists, each tool in the stack plays a distinct role. And while many overlap or integrate with firewalls, they aren't interchangeable.

Understanding the differences helps clarify what a firewall does—and doesn't—do. It also helps you spot where it fits in a layered defense strategy.

The table below breaks down how firewalls compare to other common technologies across five dimensions: purpose, deployment, traffic visibility, control, and overlap.

Firewalls vs. other network & security technologies / functions

| Technology | Primary function | Level of control | Traffic visibility | Deployment scope | Common use case | Strengths | Limitations |
|---|---|---|---|---|---|---|---|
| Antivirus | Scans and removes known malware from endpoints | Endpoint-level | Scans local files and memory | Device-level | Protecting individual devices from malware | Detects and removes file-based malware | Can't stop network-based threats |
| IDS | Monitors traffic for suspicious activity | Network-level monitoring only | Observes traffic for anomalies | Inline or passive network sensor | Alerting on suspicious network behavior | Detects unknown threats via heuristics or behavior | Doesn't block traffic by itself |
| IPS | Detects and blocks known attacks | Network-level blocking | Analyzes known exploit patterns | Inline, often combined with IDS | Blocking known network-based attacks | Stops known exploits in real time | Needs tuning to avoid false positives |
| NGFW | Inspects traffic using application, user, and content context | Deep, contextual inspection and enforcement | Full visibility into traffic, including encrypted sessions when TLS decryption is enabled | Network-wide, hybrid environments | Centralized security policy enforcement | Application-aware, identity-based control | Complexity, resource-intensive |
| UTM | Combines firewall, antivirus, and intrusion prevention | Moderate control with basic unified enforcement | Moderate visibility | All-in-one perimeter devices | Simplified security for SMBs | Easy deployment with broad protection | Performance, limited advanced control |
| Proxy server | Forwards traffic through an intermediary server | Traffic relay with optional filtering | Limited unless combined with logging/monitoring | Edge or cloud-based | Hiding user IP, filtering traffic | Anonymity, content caching, filtering | Doesn't inspect deeply by default |
| SWG | Filters outbound web traffic based on policy | Policy-based access to internet content | URL-level visibility and categorization | Cloud-based or appliance | Blocking malicious or non-compliant web access | URL filtering, DLP, malware prevention | Limited to web traffic |
| VPN | Encrypts traffic for secure remote access | Tunnel-level encryption and access control | Limited visibility into application traffic | Client or gateway-based | Securing remote workforce | Secure tunneling, remote access | Doesn't inspect traffic content |
| WAF | Filters HTTP traffic to web apps and blocks exploits | Application-level filtering | Full HTTP/S traffic inspection | Perimeter or cloud-based | Protecting web apps from OWASP Top 10 threats | Shields web apps, prevents common attacks | Limited to the web application layer |
| Router | Directs traffic between networks | Basic routing decisions | No inspection | Physical or virtual appliance | Routing LAN/WAN traffic | Simple traffic direction | Not security-focused |
| ACL | Controls access by specifying which traffic is allowed | Packet-level filtering | No inspection | Integrated into routers/firewalls | Enforcing basic network security rules | Explicit rule control, lightweight | Stateless; easily misconfigured or bypassed |

No single tool can secure an entire environment. But knowing how firewalls interact with the rest of the security stack makes it easier to design defenses that are both complementary and complete.


Firewall FAQs

What is a firewall?
A firewall monitors network traffic and allows or blocks it based on security rules. It inspects packets, and in stateful designs whole sessions, to stop unauthorized access and known threats from reaching the hosts behind it.

What does a firewall protect against?
A firewall blocks unauthorized access, known threats, and suspicious traffic. It filters data between internal and external networks and, when deployed internally, helps contain lateral movement after a breach as well as attacks at the perimeter.

How does a firewall work?
A firewall compares traffic against an ordered set of security rules and allows or blocks it accordingly. Stateful firewalls assess each packet in the context of the connection it belongs to rather than in isolation.

Do I need a firewall?
Yes. Firewalls are a baseline control for both individuals and organizations: they block unsolicited inbound connections, protect data, and enforce controlled access on home and business networks.

Which firewall do I need?
Firewall selection depends on what you're protecting, an entire network or individual devices, and where it's deployed. Options include hardware, software, host-based, or network-based firewalls, chosen according to traffic type and filtering needs.

What are firewalls used for?
Firewalls are used to secure networks by controlling incoming and outgoing data, allowing permitted traffic while blocking malicious or unauthorized access.

What does a firewall look like?
Hardware firewalls are typically rack-mounted appliances with network ports and status lights. Software firewalls appear as a management interface for rules and traffic. Appearance varies by type and scale.

What are some examples of firewall types?
Examples include network and host-based firewalls, hardware or software firewalls, perimeter or internal placement, and inspection-based types such as NGFWs, proxy firewalls, or WAFs.

What is the difference between a proxy and a firewall?
A proxy relays traffic between users and external services, terminating the client's connection and opening its own to the destination. A firewall filters and blocks traffic based on policy. Both enhance security but serve different roles, and a proxy firewall combines the two.