Security Architecture · SY0-701 · Task 3.2

Firewall types — SY0-701

Learn the four firewall types on CompTIA Security+ SY0-701: packet filtering, stateful inspection, application firewalls, and proxy servers.

WHAT IT IS

A firewall is a gateway that limits access between networks in accordance with local security policy (NIST CNSSI 4009-2015 / SP 800-12 Rev. 1). In practice, "firewall" describes a family of devices and software that each inspect traffic at a different depth — and the exam tests whether you know which type operates at which layer and enforces what kind of policy.

Mental model

Think of the four main types as successively deeper inspectors at a border crossing:

| Inspection depth | Firewall type | What it examines |
| --- | --- | --- |
| Shallowest | Packet filter | Header fields of individual packets (addresses, ports, protocol) |
| Deeper | Stateful inspection | Header fields plus connection state — blocks packets that deviate from the expected state of an established session |
| Deeper still | Application firewall | Content of one or more applications, using stateful protocol analysis |
| Separate path | Proxy server | Intercepts and forwards requests on the client's behalf — the external destination sees the proxy, not the client |

Each of the first three rows sees everything the row above it sees, at the cost of added processing and configuration complexity; the proxy is a different placement in the traffic path rather than a deeper inspector.

When to use it

The exam scenario usually gives you a security requirement and asks which firewall type satisfies it. Use this table to match requirement to type:

| Requirement in the scenario | Best-fit firewall type | Why |
| --- | --- | --- |
| Block packets based on source/destination address or port | Packet filter | Examines header fields and provides access control for host addresses and communication sessions (NIST SP 800-41 Rev. 1) |
| Prevent session hijacking by blocking out-of-state packets | Stateful inspection | Tracks connection state and blocks packets that deviate from the expected state (NIST SP 800-41 Rev. 1) |
| Inspect HTTP/S, FTP, or other application traffic for policy violations | Application firewall | Uses stateful protocol analysis for one or more applications (NIST SP 800-41 Rev. 1) |
| Hide internal client identity from external servers; cache or filter requests | Proxy server | Services client requests by forwarding them to other servers (NIST CNSSI 4009-2015), concealing the originating client |
| Segment a perimeter zone between internal and external networks | Screened subnet / DMZ + firewall | A perimeter network segment logically between internal and external networks (NIST CNSSI 4009-2015) |

COMMON MISCONCEPTION

Stateful inspection is not just a faster packet filter — it enforces connection state.

Candidates often assume a stateful firewall simply remembers past packets like a log. The operative difference is that stateful inspection blocks packets that deviate from the expected state of a connection (NIST SP 800-41 Rev. 1). A packet that carries a valid source address and port can still be dropped if it arrives out of sequence or without a matching session entry. A packet filter has no knowledge of state; it evaluates each packet in isolation against a static ruleset.
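The distinction above in working code, as an added example that is not from the page or from NIST: a stateless packet filter and a stateful inspector are run over the same constructed packet. Addresses, ports, the flag labels and the two rules are all assumptions made up for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # constructed TCP flag label: "SYN", "SYN-ACK" or "ACK"
    direction: str   # "out" = leaving the inside network, "in" = arriving from outside

# Static header-only rules: (direction, source port, destination port); None = any.
RULES = [
    ("out", None, 443),   # inside hosts may open HTTPS to anywhere
    ("in", 443, None),    # anything from port 443 is let back in
]

def packet_filter(pkt: Packet) -> bool:
    """Packet filter: each packet judged in isolation against the static ruleset."""
    return any(pkt.direction == d and s in (None, pkt.sport) and p in (None, pkt.dport)
               for d, s, p in RULES)

class StatefulFirewall:
    """Stateful inspection: inbound packets must match a session the inside opened."""
    def __init__(self):
        self.sessions = set()  # (inside ip, inside port, outside ip, outside port)

    def inspect(self, pkt: Packet) -> bool:
        if not packet_filter(pkt):          # header rules still apply first
            return False
        if pkt.direction == "out":
            if pkt.flags == "SYN":          # new outbound connection: record it
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions
        # inbound: allowed only if it matches an existing entry (tuple reversed)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo():
    """Same unsolicited packet: passes the packet filter, dropped by stateful inspection."""
    fw = StatefulFirewall()
    # constructed: a "reply" from port 443 that no inside host ever asked for
    stray = Packet("203.0.113.5", 443, "10.0.0.7", 51000, "SYN-ACK", "in")
    stateless_verdict = packet_filter(stray)   # True: header rule matches
    stateful_verdict = fw.inspect(stray)       # False: no matching session entry
    # once the inside host opens the session, the identical packet is accepted
    fw.inspect(Packet("10.0.0.7", 51000, "203.0.113.5", 443, "SYN", "out"))
    return stateless_verdict, stateful_verdict, fw.inspect(stray)
```

The returned triple (True, False, True) is the whole point: valid headers are necessary but not sufficient once connection state is enforced.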

A related trap: an application firewall is not the same as a packet filter that blocks application ports. An application firewall applies stateful protocol analysis — it understands the semantics of the application protocol and can enforce policy within a session, not merely on its headers (NIST SP 800-41 Rev. 1).
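To show what "understands the semantics of the application protocol" means in practice, here is an added example (not from the page or from NIST) of the protocol analysis an HTTP application firewall can apply to a single request, which a port-based filter cannot. The method allowlist, the conformance checks and the sample requests are constructed assumptions.

```python
# Added example: HTTP protocol analysis of the kind an application firewall performs;
# a packet filter that blocks or allows port 80 sees none of this.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # constructed policy

def inspect_http_request(raw: bytes) -> tuple:
    """Return (allowed, reason) after parsing the request line and headers."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    method, _target, version = parts
    if method not in ALLOWED_METHODS:               # policy enforced on semantics
        return False, "method not permitted by policy: " + method
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:   # protocol conformance
        return False, "HTTP/1.1 request without Host header"
    if "content-length" in headers and "transfer-encoding" in headers:
        return False, "ambiguous message length (Content-Length and Transfer-Encoding)"
    return True, "conforms to protocol and policy"

# constructed sample requests, all arriving on the same port
GOOD = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00"   # constructed non-HTTP bytes on port 80
```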

How it shows up on the exam

The cognitive target for this concept is classification under a constraint: given a described security goal, select the firewall architecture that meets it.

Candidates often confuse stateful inspection with packet filtering when a scenario emphasizes "connection tracking" — stateful inspection's defining behavior is blocking deviation from expected connection state, which is stronger than address- and port-based filtering alone.

Scenarios involving application-layer policies (inspecting HTTP payloads, enforcing protocol conformance) test whether candidates can distinguish an application firewall from a stateful one. Signal phrases to notice: "application-layer," "protocol analysis," "content inspection."

Proxy-server scenarios frequently emphasize the anonymization or mediation role — the proxy acts on the client's behalf, and external servers interact with the proxy rather than the client directly (NIST CNSSI 4009-2015).

DMZ scenarios hinge on the NIST characterization of a screened subnet as a perimeter network segment logically between internal and external networks, enforced by firewall policy — not simply a separate VLAN.

Related concepts

  • Failure modes — understand how firewalls are configured to fail open or fail closed, and why that choice affects the security posture of every firewall type.
  • Jump server — a common companion control to firewall segmentation; jump servers enforce administrative access across firewall boundaries.
  • Intrusion detection and prevention — IDS/IPS monitors and analyzes events for unauthorized access attempts (NIST SP 800-82r3); knowing where it complements rather than replaces a firewall is a frequent architectural question.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
