A firewall is a network security device or software that monitors and filters incoming and outgoing network traffic based on predefined security rules. Its job is to act as a gate between trusted networks (your corporate LAN) and untrusted networks (the internet) — allowing legitimate traffic and blocking everything suspicious. Modern firewalls go far beyond simple port and IP filtering: they perform deep packet inspection, identify applications and users, integrate with threat intelligence feeds, and stop sophisticated attacks. Firewalls are the foundation of network security alongside EDR/XDR for endpoints and IAM for identity.

Six common types by capability: (1) **Packet-filtering firewall** — basic, decisions based on IP and port (largely obsolete on its own), (2) **Stateful firewall** — tracks active connections, blocks unsolicited inbound traffic; the standard for many years, (3) **NGFW (Next-Generation Firewall)** — modern enterprise standard; combines stateful firewall with deep packet inspection, application identification (App-ID), user identity (User-ID), IPS, threat intelligence, sandboxing, (4) **WAF (Web Application Firewall)** — application-layer firewall protecting web apps from SQL injection, XSS, OWASP Top 10 (Cloudflare, AWS WAF, Azure WAF, Imperva), (5) **Cloud-native firewall** — provider-native (AWS Network Firewall, Azure Firewall, GCP Cloud Armor) or third-party (Palo Alto VM-Series, Fortinet FortiGate-VM), (6) **Host-based firewall** — runs on individual hosts (Windows Defender Firewall, iptables/nftables on Linux).

NGFW is the modern enterprise firewall standard. Beyond stateful packet inspection, it provides: (1) **Application identification** (App-ID) — recognises 4000+ applications regardless of port, (2) **User identification** (User-ID) — applies policy by user/group via Active Directory or SAML, (3) **Integrated IPS** (Intrusion Prevention System) — signature and behavioural threat detection, (4) **SSL/TLS decryption** — inspects encrypted traffic (with privacy implications), (5) **Sandbox detonation** — runs suspicious files in isolation, (6) **Threat intelligence** — vendor and third-party feeds, (7) **DNS security** — blocks DNS to known malicious domains, (8) **DLP** (Data Loss Prevention) — detects sensitive data leaving the network. Top NGFW vendors 2026: Palo Alto Networks, Fortinet (FortiGate), Check Point, Cisco Secure Firewall, Juniper SRX, Sophos XG, WatchGuard.

Different use cases, both needed: (1) **Hardware firewall (appliance)** — dedicated physical device, deployed at network perimeter or between segments, high throughput (10-400+ Gbps), purpose-built ASICs for performance; standard at WAN edges, data centres, branch offices, (2) **Software firewall** — runs as VM (Palo Alto VM-Series, FortiGate-VM, Check Point CloudGuard) or container; standard for cloud workloads, distributed environments, where buying hardware is impractical, (3) **Cloud-native firewall** — managed by cloud provider (AWS Network Firewall, Azure Firewall), no infrastructure to manage but vendor lock-in. Most enterprises run a mix: hardware appliances at physical sites, software firewalls in cloud, host-based firewalls everywhere.

Five market leaders: (1) **Palo Alto Networks** — premium NGFW with strong cloud and zero trust integration, market leader in enterprise; expensive, (2) **Fortinet (FortiGate)** — strong price-performance, broad portfolio (firewall, SD-WAN, EDR, SIEM), most popular in mid-market, (3) **Check Point** — strong in regulated industries (finance, government), Quantum and Maestro hyperscale architecture, (4) **Cisco Secure Firewall** (formerly ASA, Firepower) — strong existing customer base, integration with Cisco networking stack, (5) **Sophos XG / XGS** — mid-market focus, integrated XDR. Other notable: WatchGuard, SonicWall, Barracuda, Juniper SRX, Forcepoint. For cloud-native: AWS, Azure, GCP own firewalls plus third-party (Aviatrix). Selection criteria: throughput needs, integration with existing security stack, cloud strategy, regulatory requirements.

Hardware appliances range from $500 (small business) to $500,000+ (data centre). Approximate ranges (2026): SMB hardware (FortiGate 60F, SonicWall TZ370) — $500-1,500 + ~$300/year subscriptions; Mid-market (Palo Alto PA-440, FortiGate 100F) — $5,000-15,000 + $2,000-5,000/year; Enterprise (Palo Alto PA-3220, FortiGate 600F) — $20,000-80,000 + $10,000-30,000/year; Data centre (Palo Alto PA-7000 series) — $200,000-1M+. Cloud firewalls — pay-per-hour (AWS Network Firewall ~$0.395/hour + data processed) or fixed VM cost (Palo Alto VM-Series — $5-50K/year per instance). Subscription fees for threat intelligence, sandboxing, SSL decryption typically add 30-100% to base hardware cost.

A WAF (Web Application Firewall) is an application-layer firewall specifically designed to protect web applications from common attacks — OWASP Top 10 (SQL injection, XSS, broken authentication), DDoS (HTTP flood), bot abuse, API abuse. Where a network firewall sees IP/port and packets, a WAF understands HTTP/HTTPS, application logic, user sessions and API contracts. Three deployment models: (1) **Cloud WAF** — Cloudflare, AWS WAF, Azure WAF, Akamai App & API Protector — easiest to deploy via CDN/DNS, (2) **Software WAF** — ModSecurity, NAXSI, Open AppSec — runs alongside the application, (3) **Hardware WAF** — F5 BIG-IP ASM, Imperva — dedicated appliances, mostly legacy. Most modern deployments use Cloud WAF as the first line, with application-level controls (input validation, prepared statements, CSP) as defence in depth.

Eight practices: (1) **Default deny** — block all inbound by default, allow specific exceptions, (2) **Least-privilege rules** — narrow source/destination/port, no 'any-any-any' rules, (3) **Regular rule audit** — most enterprise firewalls have hundreds to thousands of rules, audit quarterly to remove stale ones, (4) **Network segmentation** — separate user, server, IoT, OT, guest, DMZ networks; restrict cross-segment traffic, (5) **Logging and monitoring** — log all denies and important allows, integrate with SIEM, (6) **Patch management** — firewall vulnerabilities (Fortinet, Palo Alto, Cisco, Citrix) are top ransomware vectors; patch within 24h of critical CVE, (7) **Backup configurations** — version control firewall rules, test restore, (8) **Don't expose management interfaces** to the internet — use jump host, VPN, or vendor's cloud-managed model.