Firewall: A control point that permits or denies traffic based on policy, enforcing a security boundary between zones of different trust.
Security zones: Interfaces grouped into trust levels (Inside/Outside/DMZ). Policies are written zone-to-zone, not just interface-to-interface.
Rule base (ACL): An ordered list of rules matched top-down; first match wins. An implicit deny-all sits at the bottom of most firewalls, so anything not explicitly permitted is dropped.
| Type | Inspects | Notes |
|---|---|---|
| Packet Filtering | L3/L4 headers only (addresses, protocol, ports, TCP flags) | Fast, stateless, no context between packets — legacy ACL-style |
| Circuit-Level | Session setup validity | Verifies handshake legitimacy, doesn't inspect payload |
| Stateful Inspection | Header + connection state | Tracks sessions in a state table — today's baseline standard |
| Proxy / Application-Level | Full application payload | Terminates and re-originates connections — highest inspection, most overhead |
| NGFW | Payload + identity + app-awareness | Adds IPS, app control, SSL inspection, user-ID to stateful base |
| WAF | HTTP/HTTPS application layer | Purpose-built for web app attacks (SQLi, XSS), sits in front of web servers |
1. Ingress: The firewall identifies the ingress zone from the interface the packet arrived on.
2. Existing session: If the packet matches an existing session (same 5-tuple), it is fast-pathed: the original policy decision still applies and the rule base is not re-evaluated.
3. New session: If no matching state entry exists, the firewall evaluates the rule base top-down on source/destination zone, address, service/port and, on NGFWs, application and user identity.
4. Address translation: Source and/or destination address is rewritten per any matching NAT rule, and the translation is recorded alongside the session. Where NAT sits relative to the policy lookup is vendor-specific, so check the vendor's packet-flow documentation to know whether a rule must name pre- or post-NAT addresses.
5. Deep inspection: If enabled, IPS signature matching, antivirus scanning, URL/app filtering and SSL inspection run against the payload before the packet is allowed through.
6. Session tracking: A fresh entry goes into the state table so that all future packets in this flow (both directions) skip straight to step 2.
7. Final action: The packet is forwarded out the egress interface, silently dropped, or actively rejected (TCP RST / ICMP unreachable) per policy, with the decision recorded in the traffic log.

Useful CLI commands for verifying each stage:

FortiGate:

```
get system status
diagnose sys session list            # state table
diagnose debug flow trace start 10   # trace the next 10 packets through the flow
```

Cisco ASA:

```
show conn       # connection (state) table
show xlate      # NAT translation table
packet-tracer input inside tcp 10.1.1.1 1234 8.8.8.8 443   # simulate a packet through the full flow
```

pf (OpenBSD / pfSense):

```
pfctl -s state   # state table
pfctl -s rules   # loaded rule set
```
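The rule-base semantics (ordered, first match wins, implicit deny) and the packet-processing steps above, as an added Python model that is not part of the original page and not any vendor's code. The topology, addresses, rule names and the 40000+ NAT port range are constructed assumptions. It also applies the strict-uRPF anti-spoofing check described in the glossary, and drops mid-stream packets that have no state entry, a behaviour the steps imply but do not spell out.

```python
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Constructed topology (an assumption for this example, not from the page):
# interface -> (zone, prefix reached via that interface); eth0 carries the default route.
INTERFACES = {"eth0": ("outside", ipaddress.ip_network("0.0.0.0/0")),
              "eth1": ("inside", ipaddress.ip_network("10.1.0.0/16")),
              "eth2": ("dmz", ipaddress.ip_network("192.168.100.0/24"))}
SNAT_ADDRESS = "203.0.113.1"  # assumed public address for inside->outside source NAT

# first=True marks a flow's opening packet (TCP SYN); False means mid-stream.
Packet = namedtuple("Packet", "proto src sport dst dport first", defaults=(True,))
# src/dst are CIDR or "any"; dport None = any; action: "allow", "drop" (silent) or "reject" (RST/ICMP).
Rule = namedtuple("Rule", "name src_zone dst_zone src dst proto dport action")

def route_lookup(addr: str) -> str:
    """Longest-prefix match over INTERFACES: the interface traffic to addr leaves by."""
    ip = ipaddress.ip_address(addr)
    return max((net.prefixlen, i) for i, (_, net) in INTERFACES.items() if ip in net)[1]

def in_spec(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules, self.log, self.next_nat_port = rules, [], 40000
        self.sessions: Dict[tuple, dict] = {}  # 5-tuple -> egress + translation, both directions

    def process(self, ingress_if: str, pkt: Packet) -> Tuple[str, Optional[str], Optional[Packet]]:
        """Returns (verdict, egress interface, packet as it leaves); None fields on drop/reject."""
        # 1. Ingress zone, plus strict uRPF anti-spoofing: the route back to the source
        #    must point at the interface the packet arrived on.
        src_zone = INTERFACES[ingress_if][0]
        if route_lookup(pkt.src) != ingress_if:
            return self._verdict("drop", f"anti-spoofing on {ingress_if} src={pkt.src}")
        # 2. Existing session: fast path, reuse the recorded decision and translation.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return self._apply(self.sessions[key], pkt)
        if not pkt.first:  # a mid-stream packet with no state entry never reaches the rule base
            return self._verdict("drop", f"no session for {key}")
        # 3. New session: rule base top-down, first match wins, implicit deny at the bottom.
        egress_if = route_lookup(pkt.dst)
        dst_zone = INTERFACES[egress_if][0]
        rule = next((r for r in self.rules
                     if (r.src_zone, r.dst_zone) == (src_zone, dst_zone)
                     and in_spec(pkt.src, r.src) and in_spec(pkt.dst, r.dst)
                     and r.proto in ("any", pkt.proto) and r.dport in (None, pkt.dport)), None)
        if rule is None:
            return self._verdict("drop", f"implicit deny {src_zone}->{dst_zone} {key}")
        if rule.action != "allow":
            return self._verdict(rule.action, f"rule {rule.name} {key}")
        # 4. Address translation: source NAT for inside->outside, recorded with the session.
        new_src, new_sport = pkt.src, pkt.sport
        if (src_zone, dst_zone) == ("inside", "outside"):
            new_src, new_sport = SNAT_ADDRESS, self.next_nat_port
            self.next_nat_port += 1
        # 5. Deep inspection (IPS/AV/URL filtering) would examine the payload here; not modelled.
        # 6. Session tracking: forward and reverse entries so both directions take the fast path.
        self.sessions[key] = {"egress": egress_if, "src": new_src, "sport": new_sport,
                              "dst": pkt.dst, "dport": pkt.dport}
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, new_src, new_sport)] = {
            "egress": ingress_if, "src": pkt.dst, "sport": pkt.dport, "dst": pkt.src, "dport": pkt.sport}
        self.log.append(f"allow rule={rule.name} {key} egress={egress_if} nat={new_src}:{new_sport}")
        return self._apply(self.sessions[key], pkt)

    def _apply(self, sess: dict, pkt: Packet):
        # 7. Final action for permitted traffic: rewrite addresses, forward out the egress interface.
        out = pkt._replace(src=sess["src"], sport=sess["sport"], dst=sess["dst"], dport=sess["dport"])
        return ("allow", sess["egress"], out)

    def _verdict(self, action: str, reason: str):
        self.log.append(f"{action} {reason}")  # every decision lands in the traffic log
        return (action, None, None)

# Constructed rule base (assumption): zone-to-zone and ordered; implicit deny sits below it.
RULES = [Rule("inside-web-out", "inside", "outside", "10.1.0.0/16", "any", "tcp", 443, "allow"),
         Rule("inside-dns-out", "inside", "outside", "10.1.0.0/16", "any", "udp", 53, "allow"),
         Rule("dmz-no-inside", "dmz", "inside", "any", "any", "any", None, "reject")]

def run_demo() -> Dict[str, str]:
    """Pushes constructed packets through the flow; returns the outcome per scenario."""
    fw = StatefulFirewall(RULES)
    verdict, egress, out = fw.process("eth1", Packet("tcp", "10.1.1.1", 1234, "8.8.8.8", 443))
    _, back_if, back = fw.process("eth0", Packet("tcp", "8.8.8.8", 443, out.src, out.sport, False))
    return {
        "inside_https": f"{verdict} via {egress} as {out.src}:{out.sport}",
        "reply_untranslated": f"{back_if} {back.dst}:{back.dport}",
        "implicit_deny": fw.process("eth1", Packet("tcp", "10.1.1.1", 5555, "8.8.8.8", 22))[0],
        "dmz_reject": fw.process("eth2", Packet("tcp", "192.168.100.10", 3306, "10.1.1.1", 445))[0],
        "spoofed": fw.process("eth0", Packet("tcp", "10.1.2.3", 80, "10.1.1.1", 80))[0],
        "stray_ack": fw.process("eth0", Packet("tcp", "1.2.3.4", 80, SNAT_ADDRESS, 40001, False))[0],
    }

if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario:20} {outcome}")
```

Two details carry the practical lessons: the reply from 8.8.8.8 is addressed to the translated 203.0.113.1:40000 and never consults the rule base, it is matched and un-translated purely from the reverse state entry; and a packet claiming an inside source address but arriving on the outside interface is discarded before any rule is evaluated, which is exactly the check `packet-tracer` or `diagnose debug flow` will report as an RPF or anti-spoofing failure on a real device.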
| Term | Meaning |
|---|---|
| ALG | Application Layer Gateway — helps protocols that embed IP/port info in payload (e.g. FTP) work through NAT |
| Anti-spoofing / uRPF | Drops packets whose source address could not legitimately have arrived on that interface: strict uRPF requires the best route back to the source to point out the ingress interface, loose uRPF only requires that some route to the source exists |
| IDS vs IPS | IDS detects and alerts only; IPS sits inline and actively blocks matched traffic |
| Deep Packet Inspection | Examining payload content, not just headers, to identify applications/threats |
| Rate limiting / traffic shaping | Caps bandwidth or connection rate per policy to prevent abuse or ensure QoS |
| Fail-open vs fail-closed | Behavior on firewall failure — pass all traffic unfiltered vs block everything |
| HA (Active/Passive, Active/Active) | Redundant firewall pairs for uptime — with or without synchronized session state |