INTERVIEW PREP · FIREWALL

Firewall Interview Field Reference
Concepts, Q&A & Vendor Notes

fundamentals → stateful inspection → NAT → VPN → policies → scenarios → vendor quick-hits
[Diagram: UNTRUST ZONE → FIREWALL (policy + state table, NAT + logging) → TRUST ZONE]
01 Core Concepts

What Is a Firewall

A control point that permits or denies traffic based on policy — enforcing a security boundary between zones of different trust.

Zones & DMZ

Interfaces grouped into trust levels (Inside/Outside/DMZ). Policies are written zone-to-zone, not just interface-to-interface.

Policy / Rule Base

Ordered list of rules matched top-down; first match wins. Implicit deny-all sits at the bottom of most firewalls.

02 Firewall Types
Type | Inspects | Notes
Packet Filtering | Header only (IP/port) | Fast, stateless, no context between packets — legacy ACL-style
Circuit-Level | Session setup validity | Verifies handshake legitimacy, doesn't inspect payload
Stateful Inspection | Header + connection state | Tracks sessions in a state table — today's baseline standard
Proxy / Application-Level | Full application payload | Terminates and re-originates connections — highest inspection, most overhead
NGFW | Payload + identity + app-awareness | Adds IPS, app control, SSL inspection, user-ID to stateful base
WAF | HTTP/HTTPS application layer | Purpose-built for web app attacks (SQLi, XSS), sits in front of web servers
03 Interview Q&A — Fundamentals
Q What's the difference between a stateless and a stateful firewall?
A Stateless evaluates every packet independently against static rules. Stateful tracks each connection in a table and automatically permits the return traffic of an already-allowed session, without needing a matching inbound rule.
Q Why is there an implicit deny at the end of a rule base?
A Default-deny is the safer security posture — anything not explicitly permitted is blocked, rather than anything not explicitly blocked being allowed.
Q What's the purpose of a DMZ?
A Isolates public-facing services (web, mail) in their own zone, so if one is compromised the attacker still doesn't have direct access to the internal network.
Q What does "first match wins" mean for rule order?
A The firewall evaluates rules top-down and stops at the first match — so a broad allow rule placed above a specific deny rule will silently override it. Ordering matters as much as the rules themselves.
04 Interview Q&A — Stateful Inspection
Q What's stored in the state table?
A Per-connection entries: source/dest IP, source/dest port, protocol, TCP state (or a UDP pseudo-state), and an idle timeout.
Q How does a stateful firewall handle UDP, which has no real "state"?
A It builds a pseudo-session based on the 5-tuple and a short idle timer — if a reply arrives within that window from the matching pair, it's treated as part of the same flow.
Q What happens to state table entries when a link fails over (HA)?
A With session synchronization enabled, the standby unit already has a mirrored state table, so existing connections survive failover instead of dropping.
Q What is SPI?
A Stateful Packet Inspection — the general term for tracking connection state rather than evaluating packets in isolation.
05 Interview Q&A — NAT on a Firewall
Q Does NAT provide security by itself?
A Not by design — NAT hides internal addressing, which incidentally makes unsolicited inbound connections harder, but it isn't a substitute for policy enforcement. The firewall's rule base is what actually decides what's allowed.
Q What's the difference between source NAT and destination NAT?
A Source NAT rewrites the sender's address, typically for outbound internet access (PAT/overload). Destination NAT rewrites the destination, typically to publish an internal server (port forwarding).
Q How does the firewall decide policy when NAT is involved?
A Policy lookup order varies by vendor, but generally the firewall evaluates security policy against the pre-NAT or post-NAT address depending on direction and platform — this is a common point of confusion and a favorite interview trap.
06 Interview Q&A — VPN
Q What are the two phases of an IPSec tunnel?
A Phase 1 (IKE) establishes a secure, authenticated management channel between peers. Phase 2 negotiates the actual IPSec SAs that encrypt the real data traffic.
Q Site-to-site VPN vs remote-access (SSL) VPN — when would you use each?
A Site-to-site connects two networks permanently (branch to HQ). Remote-access/SSL VPN is for individual users connecting in from anywhere, usually through a client or browser portal.
Q What causes a Phase 1 negotiation to fail most often?
A Mismatched pre-shared key, mismatched proposal (encryption/hash/DH group), or a NAT device in the path without NAT-T enabled.
Q What is a Security Association (SA)?
A The negotiated agreement between two IPSec peers describing exactly how they'll encrypt/authenticate traffic — keys, algorithms, and lifetime.
07 Interview Q&A — Policies & Zones
Q What's the principle of least privilege as applied to firewall rules?
A Write rules as specific as operationally possible — exact source/destination/port/service — rather than broad "any-any" rules that grant more access than needed.
Q Why is rule cleanup/auditing important?
A Rule bases accumulate unused, overly broad, or shadowed rules over time — each one is attack surface and a source of troubleshooting confusion. Regular audits catch rules that are dead, redundant, or never actually hit.
Q What's a "shadowed" rule?
A A rule that can never actually trigger because an earlier, broader rule already matches the same traffic first.
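To make top-down evaluation concrete, here is a small rule-base evaluator added as an example (it is not any vendor's code). It implements first-match-wins with an implicit deny, flags shadowed rules like the one defined above, and, as a generalization, also offers the last-match-unless-quick semantics that the pfSense note in section 10 mentions. The `Rule` fields, the `ANY` wildcard, and all rule names, zones and addresses are the example's own constructions.

```python
"""Toy firewall rule-base evaluator (added example, not vendor code).
Shows first-match-wins with implicit deny, a shadowed-rule check, and
PF-style last-match-unless-quick evaluation for comparison."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple, Union

ANY = "any"   # wildcard for any field


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str                 # CIDR, single IP, or ANY
    dst: str
    proto: str               # "tcp", "udp", "icmp" or ANY
    dport: Union[int, str]   # port number or ANY
    action: str              # "allow" or "deny"


def _net_covers(rule_net: str, other: str) -> bool:
    """True if rule_net contains every address in `other` (CIDR or single IP)."""
    if rule_net == ANY:
        return True
    if other == ANY:
        return False
    return ip_network(other, strict=False).subnet_of(ip_network(rule_net, strict=False))


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule `b` could match is also matched by rule `a`."""
    return (a.src_zone in (b.src_zone, ANY) and a.dst_zone in (b.dst_zone, ANY)
            and _net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and a.proto in (b.proto, ANY) and a.dport in (b.dport, ANY))


def matches(rule: Rule, pkt: dict) -> bool:
    """Does the rule match a concrete packet (the first packet of a new session)?
    A packet is a fully specified Rule-shaped record, so the cover test is reused."""
    probe = Rule("pkt", pkt["src_zone"], pkt["dst_zone"], pkt["src"], pkt["dst"],
                 pkt["proto"], pkt["dport"], "-")
    return _covers(rule, probe)


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Top-down, first match wins; no match means the implicit deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def evaluate_last_match(rules: List[Rule], pkt: dict, quick=frozenset()) -> Tuple[str, str]:
    """PF-style: the last matching rule wins, unless a matching rule is marked
    quick, which stops evaluation there. Default when nothing matches is
    assumed to be deny here (plain PF's default differs)."""
    decision = ("deny", "implicit-deny")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.name)
            if rule.name in quick:
                break
    return decision


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, shadowed_by) pairs: rules that can never trigger under
    first-match because an earlier rule already covers all their traffic."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule base: the broad outbound allow sits above a specific deny.
RULES = [
    Rule("allow-web-to-dmz", "untrust", "dmz", ANY, "203.0.113.0/24", "tcp", 443, "allow"),
    Rule("allow-inside-out", "trust", "untrust", "10.0.0.0/8", ANY, ANY, ANY, "allow"),
    Rule("block-telnet-out", "trust", "untrust", "10.0.0.0/8", ANY, "tcp", 23, "deny"),
    Rule("allow-admin-ssh", "trust", "dmz", "10.0.99.0/24", "203.0.113.0/24", "tcp", 22, "allow"),
]

# Constructed packet: an inside host opening telnet to an internet address.
TELNET_OUT = {"src_zone": "trust", "dst_zone": "untrust", "src": "10.1.1.5",
              "dst": "198.51.100.7", "proto": "tcp", "dport": 23}

if __name__ == "__main__":
    print("first-match:", evaluate(RULES, TELNET_OUT))           # the broad allow wins
    print("last-match:", evaluate_last_match(RULES, TELNET_OUT))  # the deny now takes effect
    print("shadowed:", shadowed_rules(RULES))
```

Under first-match the telnet deny never fires because `allow-inside-out` matches first; `shadowed_rules` reports exactly that pair, which is the kind of finding a rule-base audit is meant to surface. Under last-match the same rule base blocks telnet, which is why the evaluation order has to be known before a rule base is read.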
08 Scenario-Based Questions
Q A new rule was added but traffic is still blocked — what do you check first?
A Rule order (is a rule above it matching/denying first?), whether the policy was actually committed/applied, NAT interaction, and whether the session is being blocked by an app-control/IPS profile rather than the base policy.
Q Users report intermittent VPN drops — how do you approach it?
A Check Phase 1/Phase 2 SA lifetimes and rekey timing, look for DPD (dead peer detection) misconfiguration, check for asymmetric routing, and review logs for repeated re-negotiation around the drop times.
Q A server behind the firewall isn't reachable from the internet — walk through your checks.
A Confirm the DNAT/port-forward rule exists and targets the right internal IP/port, confirm the matching security policy allows it, confirm the server itself is listening and its host firewall isn't blocking, then check the state table for the actual attempt.
Q How would you troubleshoot a suspected asymmetric routing issue through the firewall?
A Stateful firewalls expect to see both directions of a flow — if return traffic takes a different path, the firewall never completes state tracking and drops it. Check routing tables on both paths and confirm the firewall is in the return path too.
09 How a Firewall Processes a Packet
1. Packet arrives on an interface [Ingress]
   Firewall identifies the ingress zone based on which interface the packet came in on.

2. State table lookup [Existing session]
   If this matches an existing session (same 5-tuple), it's fast-pathed — the original policy decision already applies, no full rule re-evaluation needed.

3. New session → policy lookup [New session]
   If no matching state entry exists, the firewall evaluates the rule base top-down: source/destination zone, address, service/port, and (on NGFWs) application and user identity.

4. NAT applied if configured [Address translation]
   Source and/or destination address is rewritten per any matching NAT rule, and the translation is recorded alongside the session.

5. Security profiles applied (NGFW) [Deep inspection]
   If enabled: IPS signature matching, antivirus scanning, URL/app filtering, and SSL inspection run against the payload before the packet is allowed through.

6. New state entry created [Session tracking]
   A fresh entry goes into the state table so all future packets in this flow (both directions) skip straight to step 2.

7. Forward, drop, or reject — and log [Final action]
   Packet is forwarded out the egress interface, silently dropped, or actively rejected (RST/ICMP unreachable) per policy, with the decision recorded in the traffic log.
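The pipeline above, as an added example that is not code from any firewall vendor: a toy stateful firewall that keys its state table on the 5-tuple, fast-paths both directions of an established flow, ages out UDP pseudo-sessions after a short idle timer (section 04), records a DNAT translation alongside the session (section 05), and drops a mid-stream TCP segment that has no state, which is the asymmetric-routing case from section 08. Two simplifications are the example's own assumptions: DNAT is resolved before the policy lookup, so the policy is written against the post-NAT address and zone (one of the vendor orders section 05 warns about), and the NGFW profile stage (step 5) is omitted. Interfaces, zones, addresses and timers are constructed.

```python
"""Toy stateful firewall pipeline (added example, not vendor code).
Stages follow section 09: ingress zone -> state lookup -> policy -> NAT ->
state entry -> final action + log. Assumptions: DNAT is resolved before the
policy lookup (policy sees the post-NAT address/zone); step 5 is left out."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}   # constructed idle timers, seconds


@dataclass
class Session:
    action: str        # policy decision cached for the whole flow
    rule: str
    last_seen: float
    timeout: int
    dnat: Optional[Tuple[str, int]] = None   # translation recorded with the session


@dataclass
class Firewall:
    if_zone: Dict[str, str]                       # interface -> zone
    routes: Dict[str, str]                        # CIDR -> egress zone
    policy: List[tuple]                           # (src_zone, dst_zone, proto, dport, action, name)
    dnat: Dict[Tuple[str, int], Tuple[str, int]]  # (public ip, port) -> (internal ip, port)
    state: Dict[tuple, Session] = field(default_factory=dict)   # post-NAT 5-tuple -> Session
    log: List[str] = field(default_factory=list)

    def zone_of(self, ip: str) -> str:
        """Egress zone by longest-prefix match over the route table."""
        hits = [n for n in self.routes if ip_address(ip) in ip_network(n)]
        return self.routes[max(hits, key=lambda n: ip_network(n).prefixlen)]

    def _policy(self, src_zone, dst_zone, proto, dport) -> Tuple[str, str]:
        """Step 3: top-down, first match wins, implicit deny at the bottom."""
        for sz, dz, pr, dp, action, name in self.policy:
            if sz == src_zone and dz == dst_zone and pr in (proto, "any") and dp in (dport, "any"):
                return action, name
        return "deny", "implicit-deny"

    def _finish(self, action, rule, why, now, key):
        """Step 7: record the decision in the traffic log and return it."""
        self.log.append(f"t={now} {key} {action} rule={rule} ({why})")
        return action, rule, why

    def process(self, iface, proto, src, sport, dst, dport, now, syn=True):
        src_zone = self.if_zone[iface]                           # step 1: ingress zone
        xl = self.dnat.get((dst, dport))                         # step 4 (lookup): published service?
        real_dst, real_dport = xl if xl else (dst, dport)
        key = (proto, src, sport, real_dst, real_dport)          # post-NAT 5-tuple
        reverse = (proto, real_dst, real_dport, src, sport)      # the reply direction
        for k in (key, reverse):                                 # step 2: state table lookup
            sess = self.state.get(k)
            if sess is None:
                continue
            if now - sess.last_seen > sess.timeout:              # idle too long: age it out
                del self.state[k]
                continue
            sess.last_seen = now                                 # fast path, no rule re-evaluation
            return self._finish(sess.action, sess.rule, "existing", now, key)
        if proto == "tcp" and not syn:                           # mid-stream segment, no state:
            return self._finish("drop", "-", "no-state", now, key)   # asymmetric path or stale flow
        dst_zone = self.zone_of(real_dst)
        action, rule = self._policy(src_zone, dst_zone, proto, real_dport)
        if action == "allow":                                    # step 6: new state entry
            self.state[key] = Session(action, rule, now, IDLE_TIMEOUT.get(proto, 30), xl)
        return self._finish(action, rule, "new dnat" if xl else "new", now, key)


def build_fw() -> Firewall:
    """Constructed topology: trust = 10.0.0.0/8, dmz = 192.168.100.0/24, the rest untrust;
    public 203.0.113.10:443 is published to the DMZ web server 192.168.100.20:8443."""
    return Firewall(
        if_zone={"eth0": "untrust", "eth1": "trust", "eth2": "dmz"},
        routes={"0.0.0.0/0": "untrust", "10.0.0.0/8": "trust", "192.168.100.0/24": "dmz"},
        policy=[("untrust", "dmz", "tcp", 8443, "allow", "publish-web"),   # post-NAT port
                ("trust", "untrust", "any", "any", "allow", "inside-out")],
        dnat={("203.0.113.10", 443): ("192.168.100.20", 8443)},
    )


def demo() -> List[tuple]:
    """Walk constructed packets through the pipeline and return the decisions."""
    fw = build_fw()
    return [
        # internet client to the published server: DNAT + policy allow, state created
        fw.process("eth0", "tcp", "198.51.100.7", 51000, "203.0.113.10", 443, now=0),
        # the server's SYN-ACK: reverse tuple hits the state table, fast path
        fw.process("eth2", "tcp", "192.168.100.20", 8443, "198.51.100.7", 51000, now=1, syn=False),
        # inside host sends a DNS query; the reply 5 s later is inside the UDP window...
        fw.process("eth1", "udp", "10.1.1.5", 40000, "198.51.100.53", 53, now=10),
        fw.process("eth0", "udp", "198.51.100.53", 53, "10.1.1.5", 40000, now=15),
        # ...but a "reply" 105 s after the last packet finds the pseudo-session expired
        fw.process("eth0", "udp", "198.51.100.53", 53, "10.1.1.5", 40000, now=120),
        # SYN-ACK for a flow whose SYN took another path: no state, dropped
        fw.process("eth0", "tcp", "198.51.100.9", 443, "10.1.1.5", 52000, now=200, syn=False),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last two cases are the ones worth reading the log for when troubleshooting: the late UDP "reply" is evaluated as a brand-new inbound session and hits the implicit deny, and the orphan SYN-ACK is dropped for having no state rather than for failing a rule, which is the signature of return traffic bypassing the firewall.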
10 Vendor Quick Reference
FortiGate
  get system status
  diagnose sys session list
  diagnose debug flow trace start 10
Policies are numbered, zone/interface based; VDOMs provide multi-tenant separation.

Cisco ASA
  show conn
  show xlate
  packet-tracer input inside tcp 10.1.1.1 1234 8.8.8.8 443
Interfaces carry a security level (0–100) — higher-to-lower is allowed by default.

pfSense
  pfctl -s state
  pfctl -s rules
Built on OpenBSD's PF — rule evaluation is last-match by default unless "quick" is used.
11 Quick-Fire Glossary
Term | Meaning
ALG | Application Layer Gateway — helps protocols that embed IP/port info in payload (e.g. FTP) work through NAT
Anti-spoofing / uRPF | Drops packets whose source IP couldn't legitimately arrive on that interface
IDS vs IPS | IDS detects and alerts only; IPS sits inline and actively blocks matched traffic
Deep Packet Inspection | Examining payload content, not just headers, to identify applications/threats
Rate limiting / traffic shaping | Caps bandwidth or connection rate per policy to prevent abuse or ensure QoS
Fail-open vs fail-closed | Behavior on firewall failure — pass all traffic unfiltered vs block everything
HA (Active/Passive, Active/Active) | Redundant firewall pairs for uptime — with or without synchronized session state