Overview

Firewalls are a core security layer, protecting cloud and hybrid networks, supporting remote access, and improving visibility into encrypted traffic. They also reinforce Zero Trust architecture by enforcing least-privilege access and limiting lateral movement if a threat gets inside.

What is a firewall?

A firewall is a security control that monitors and manages network traffic using a set of rules. It sits between trusted environments, such as your office network or cloud resources, and untrusted networks like the internet. By deciding what traffic is allowed in or out, it helps block unauthorized access while still enabling employees and systems to use the applications and services they need. Firewalls can protect entire networks at the perimeter and reduce attack paths by eliminating unnecessary connections, making them a foundational layer in a broader security strategy.

How does it work?

A firewall works by acting as a decision point for network traffic. For every connection attempt, it checks the request against policy, using details like source, destination, and the service or application involved. Based on those rules, it allows approved traffic and blocks or restricts anything suspicious or unauthorized. Many modern firewalls also inspect traffic more deeply, including encrypted sessions where appropriate, and record events so teams can see what happened and investigate issues.

What is an NGFW - next-generation firewall?

A next-generation firewall (NGFW) is a modern firewall that combines basic traffic control with deeper inspection and threat prevention. It can recognize applications and users, apply more detailed policies than simple IP and port rules, and improve visibility into what is happening on the network, including encrypted traffic. NGFWs are commonly used to strengthen protection while keeping policy management and reporting centralized across sites.

Top firewall features

Most NGFWs include capabilities that improve visibility and prevention, such as deep packet inspection (DPI), intrusion prevention (IPS), application control, and web filtering. Many also support encrypted traffic inspection, often including TLS 1.3, to reduce blind spots. Depending on the platform, NGFWs can add malware detection, protection against unknown threats, and automated response actions like blocking risky destinations or isolating suspicious systems.

NGFW vs. traditional firewall

Traditional firewalls mainly control access using network rules like IP addresses, ports, and protocols, sometimes with stateful inspection. NGFWs add more context by understanding applications and inspecting traffic for threats, which helps detect attacks that can pass through basic rules or hide in normal-looking activity. The practical difference is that traditional firewalls focus on connection control, while NGFWs extend that control with deeper security for modern, app-heavy, cloud-connected environments.

 

Types of Firewalls

Here are some of the most common types of firewalls:

Differences between hardware vs. software firewalls

A hardware firewall is a physical device that filters traffic at the network edge, protecting many users and systems at once through centralized policies. A software firewall runs on individual devices and controls traffic for that specific system. Hardware firewalls provide broad perimeter protection, while software firewalls offer granular, host-level control. Most organizations use both to create layered security that blocks threats early and limits risk on individual devices.

What is a hardware firewall?

A hardware firewall is a physical appliance placed between an internal network and untrusted networks like the internet. It inspects inbound and outbound traffic and enforces security rules at the network level. One device can protect entire offices, branches, or data centers using centralized policies and logging. Hardware firewalls help reduce exposure before threats reach endpoints and form the foundation of perimeter security.

What is a software firewall?

A software firewall runs on a specific device, such as a laptop, server, or virtual machine, to control that system’s network traffic. It provides host-level protection by applying rules per device or application. Software firewalls are useful for securing remote users, sensitive servers, and limiting lateral movement. They complement, but do not replace, network firewalls.

What is a perimeter firewall?

A perimeter firewall sits between a trusted internal network and the internet to control what traffic can enter or leave. It enforces security policies, supports VPN and remote access, and provides logging for compliance and investigations. Modern perimeter firewalls go beyond basic port blocking with deeper inspection and threat prevention. Even in cloud-first environments, they remain an effective way to control network entry points and define security boundaries.

What is an application layer firewall?

An application layer firewall inspects traffic based on the application or service being used, not just IP addresses and ports. This deeper visibility allows it to detect misuse, policy violations, and attacks hidden in legitimate-looking traffic. Application-aware controls are especially effective against modern threats that exploit allowed services. The result is tighter policy enforcement and stronger protection.

SD-WAN and firewalls

An SD-WAN firewall helps keep your business connected and protected, whether your team is in the office, working remotely, or using cloud apps. It automatically chooses the best internet connection to keep things running smoothly, while built-in security protects your data from cyber threats. When a firewall is combined with tools like SD-RED, a small plug-and-play device that securely connects remote or branch offices back to your main network, you can bring new locations online in minutes without complicated setup or sending IT staff on-site. Everything is managed from one place, giving you fast, reliable performance and enterprise-grade security that grows with your business without adding complexity.

Stateful vs. stateless firewalls: how do they differ?

A stateless firewall evaluates each packet independently using basic rules like IP address and port. A stateful firewall tracks active connections and uses context to determine whether traffic is part of a legitimate session. That context improves accuracy and reduces the need for overly broad rules. While stateless filtering is fast and simple, stateful inspection provides stronger protection for most environments.

What is a stateless firewall?

A stateless firewall inspects each packet on its own and applies rules based on basic attributes like IP address, port, and protocol. It does not track sessions, which limits context and visibility. Stateless firewalls are efficient and useful for simple filtering, but they are less effective against spoofing or complex attacks. They are best used as a foundational control alongside more advanced inspection.

What is a stateful firewall?

A stateful firewall tracks active connections and allows traffic only if it matches a legitimate session. This enables it to automatically permit valid return traffic while blocking unsolicited packets. Stateful inspection improves accuracy and reduces exposure without relying on broad rules. For most organizations, the added context is worth the additional processing overhead.
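
The difference between the two models can be seen by running the same traffic through both. The following is an added example, not code from the original page or from any firewall product: a simplified simulation in which the rules, the packet model, and the sample addresses are all constructed for illustration.

```python
from collections import namedtuple

# direction: "out" = LAN to internet, "in" = internet to LAN
Packet = namedtuple("Packet", "direction src sport dst dport flags")


def stateless_allow(pkt):
    """Judge one packet in isolation, with no memory of earlier packets."""
    # Rule 1: LAN clients may open HTTPS connections.
    if pkt.direction == "out" and pkt.dport == 443:
        return True
    # Rule 2: replies need a broad rule, because a reply cannot be told
    # apart from any other inbound packet whose source port is 443.
    return pkt.direction == "in" and pkt.sport == 443 and pkt.dport >= 1024


class StatefulFirewall:
    """Simplified connection tracking: no sequence numbers or timeouts."""

    def __init__(self):
        self.sessions = set()  # (client, client_port, server, server_port)

    def allow(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN" and pkt.dport == 443:
                self.sessions.add(key)  # policy permits this new session
        else:
            # An inbound packet must mirror a session opened from inside.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False
        if "RST" in pkt.flags:
            self.sessions.discard(key)  # session is over; forget it
        return True


# Constructed sample traffic (private and RFC 5737 documentation addresses).
TRAFFIC = [
    Packet("out", "10.0.0.5", 50000, "203.0.113.7", 443, "SYN"),
    Packet("in", "203.0.113.7", 443, "10.0.0.5", 50000, "SYN-ACK"),
    Packet("in", "198.51.100.9", 443, "10.0.0.5", 50001, "ACK"),  # unsolicited
    Packet("out", "10.0.0.5", 50000, "203.0.113.7", 443, "RST"),
    Packet("in", "203.0.113.7", 443, "10.0.0.5", 50000, "ACK"),  # after reset
]


def compare(traffic):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    stateful = StatefulFirewall()
    return [(stateless_allow(p), stateful.allow(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.flags:7} stateless={sl} stateful={sf}")
```

The stateless filter passes all five packets because its reply rule matches on source port alone, while the stateful filter drops the unsolicited packet and the packet that arrives after the session was reset.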

What is a packet filtering firewall?

A packet filtering firewall examines packet headers, such as IP addresses, ports, and protocols, and allows or blocks traffic based on predefined rules. It operates quickly and efficiently at the network layer. However, it lacks visibility into users, applications, and session state. Packet filtering is often used as a baseline control and paired with deeper inspection for stronger security.

What is a proxy firewall?

A proxy firewall sits between internal users and the internet, evaluating requests before forwarding them externally. This hides internal systems and reduces network exposure. Since it operates at the application layer, it can inspect content, enforce acceptable-use policies, and block risky destinations. Proxy firewalls are commonly used where organizations need tighter control over web and application traffic.

How to evaluate NGFWs

When evaluating NGFWs, focus on three things: security, performance, and manageability. Look for strong threat prevention with application visibility and encrypted traffic support. Compare performance with protections enabled, and prioritize centralized management, consistent policies, and reporting that supports daily operations, audits, and growth across on-prem and cloud environments.

Who are the leading NGFW vendors?

Leading NGFW vendors deliver strong security and performance without adding day-to-day complexity. Peer-review rankings are a useful starting point because they reflect real customer experience. In G2’s Winter 2026 reports, Sophos ranked as the #1 overall firewall solution across enterprise, mid-market, and SMB segments, earning Best Results, Best Usability, and Best Relationship badges. Use vendor lists to narrow options, then compare ease of deployment, ongoing management, and overall fit for your environments.

Are Sophos Firewalls recognized by industry experts and customers?

Sophos Firewall is highly recognized by independent industry analysts and customer review platforms that reflect real-world use. Across these sources, it is consistently noted for strong security, usability, and performance across organizations of different sizes. This recognition provides third-party validation that the product performs reliably in everyday IT environments.

Sophos Firewalls are “Secure by Design”, because firewall hardening matters

Firewalls are built to protect your network, yet as internet‑facing infrastructure, they must also be protected.

Attackers aren’t just targeting users or endpoints anymore. They increasingly probe network infrastructure for weak points, and a misconfigured or unmaintained firewall can create a direct path to unauthorized access, ransomware deployment, or full‑scale network compromise.

That’s why secure‑by‑design principles are so important. A firewall should reduce risk from the moment it’s deployed, not rely on extensive manual hardening or after‑the‑fact tuning to be safe.

What’s in a “Secure by Design” Firewall?

A secure‑by‑design firewall is engineered to be hardened by default, with no exposed management interfaces, strict process isolation, automated patching, and continuous integrity monitoring to protect the firewall itself from attack. Sophos Firewall builds on these principles with unique safeguards that ensure the device defending your network doesn’t become a vulnerability.

Key security foundations include:

  • No default internet exposure for administrative services
    Preventing external access to management interfaces dramatically reduces the attack surface.
  • Hardened system architecture with strict access controls
    Built‑in least privilege and compartmentalized services limit what an attacker can reach if something goes wrong.
  • Automatic security updates and rapid patching capabilities
    Firewalls must be able to receive and apply critical fixes quickly to shrink the window of exposure.
  • Proactive monitoring and integrity checks
    Early detection of tampering or abnormal behavior is essential to stopping attacks before they escalate.
  • Ongoing configuration validation against best practices
    Continuous assessment helps ensure strong security hygiene over time, especially in dynamic environments.

A properly hardened, secure‑by‑design firewall strengthens your overall security posture and ensures that the device protecting your network doesn’t become a risk itself.

Why Choose Sophos Firewall?

Sophos Firewalls incorporate Secure by Design principles, giving organizations strong protection from the moment they are deployed. Their hardened architecture, non‑exposed management interfaces, strict access controls, and automated updates all work together to reduce risk without adding complexity.

You get the full set of next‑generation capabilities including deep packet inspection, IPS, application control, and encrypted traffic inspection. Management through Sophos Central provides consistent policy enforcement, rapid patching, and clear visibility across every location, user, and workload.

Sophos Firewall stays secure, simplifies daily operations, and strengthens your overall security posture.

Firewall FAQs

What role does a firewall play in network security?

A firewall controls traffic between trusted and untrusted networks, allowing approved connections and blocking risky ones. As cloud services, remote work, and connected devices expand the attack surface, modern firewalls add deeper inspection, stronger threat prevention, and centralized logging to improve visibility, compliance, and incident response.

Is a firewall enough to secure an enterprise network?

A firewall is essential, but it is not enough on its own. Enterprises span cloud services, remote access, encrypted traffic, and thousands of endpoints, giving attackers many entry points beyond the traditional perimeter. Firewalls reduce exposure and control traffic, but they are most effective when paired with endpoint protection, threat detection, segmentation, and visibility into encrypted traffic. Real security comes from coordinated layers that can detect and respond when threats get through.

What is the value of investing in a firewall?

A firewall reduces everyday security and operational risk by controlling access and blocking intrusion attempts. It improves visibility into network and application activity, helping teams triage faster, manage exceptions more consistently, and support audits through centralized logging. Over time, value appears in avoided breach and downtime costs, reduced administrative effort, and consolidation of multiple security functions into a single platform.

Threats blocked and incidents reduced: Track blocked intrusion attempts, malware callbacks, and the number of security incidents over time.

Visibility gained: Measure how much traffic is identified by user/app and how much encrypted traffic is inspected versus uninspected.

Response speed improved: Compare mean time to detect and respond (MTTD/MTTR) before and after deployment.

Operational time saved: Track admin hours spent on policy changes, troubleshooting, and reporting, plus time to deploy new sites or users.

Compliance readiness: Measure audit effort, including how quickly you can produce logs/reports and how consistently logging is enabled across key systems.

For small businesses: Adding firewall protection without complexity or expense?

Many small businesses have an ISP router, which provides basic connectivity but not business-grade security. A properly sized firewall adds stronger protection by inspecting traffic, blocking known threats, and controlling access. Many modern firewalls are easy to deploy and manage with cloud-based tools and sensible defaults. For most small businesses, a single well-configured, regularly updated firewall delivers solid protection without added cost or unnecessary complexity.

For enterprises: How does a firewall align with enterprise-wide security?

In an enterprise, the firewall is one layer within a broader security architecture. Firewalls are deployed across data centers, branches, and cloud environments to enforce policies, segment networks, and shrink the attack surface. Other controls, such as endpoint security, identity protection, monitoring, and response, address threats that bypass the perimeter. The firewall provides visibility and control, but its value depends on how well it integrates into a defense-in-depth strategy.

Do I need a cloud firewall?

A cloud firewall is a next-generation firewall designed to protect cloud networks and workloads. It delivers core controls like traffic filtering and policy enforcement, along with intrusion prevention and advanced threat protection. Cloud firewalls deploy quickly, scale easily, and use centralized management to maintain consistent security across cloud and on-prem environments. For organizations running workloads in AWS, Azure, or hybrid setups, they help ensure protection follows the network.

How do firewalls fit into a SASE architecture?

In a Secure Access Service Edge model, firewalls act as secure connection points between locations, cloud workloads, and cloud-delivered security services. Modern firewalls add SD-WAN and cloud connectivity while enforcing local policies such as segmentation. SASE extends inspection and access control closer to users and applications. Together, they simplify operations and provide consistent security across distributed environments.

Traditional firewall vs. IPS vs. NGFW: what’s the difference?

A traditional firewall controls traffic based on IP addresses, ports, and protocols. An intrusion prevention system detects and blocks known attack patterns in real time. A next-generation firewall combines both, adding application awareness and visibility into encrypted traffic. Traditional firewalls manage access, IPS stops specific attacks, and NGFWs deliver broader, context-rich protection for modern, encrypted environments.

Firewall best practices

  1. Keep firmware up to date

    Regularly update Sophos Firewall OS and apply all maintenance releases. Updates include important security fixes and enhancements. Use Sophos Central or scheduled updates to minimize disruption.

  2. Lock down administrative access

    Disable WAN access to admin services like HTTPS and SSH unless absolutely required. Restrict internal admin access to trusted IPs only and enforce role-based access controls.

  3. Enforce strong authentication

    Enable multi-factor authentication for all admin and user portals. Require strong passwords and block repeated failed login attempts to reduce the risk of credential abuse.

  4. Minimize exposure to the internet

    Avoid exposing internal systems through NAT or inbound WAN rules. Do not expose services like Remote Desktop. Use ZTNA or VPN for secure remote access instead of direct internet exposure.

  5. Enable threat protection features

    Turn on intrusion prevention, DoS and spoof protection, and threat intelligence feeds. Avoid broad “any-to-any” rules and block traffic from regions where you do not operate.

  6. Monitor, log, and alert

    Enable system and security notifications and ensure logs are sent to Sophos Central or your SIEM. Regular monitoring helps detect suspicious behavior early and supports investigations.

  7. Design for resilience and centralized visibility

    Use high availability where possible and manage firewalls centrally through Sophos Central. Consistent policy, centralized reporting, and coordinated updates improve reliability and reduce operational risk.
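
Several of the practices above (2 through 6) can be checked mechanically against a rule set. The following is an added example, not part of the original page and not Sophos tooling: the configuration model, field names, and sample rules are hypothetical and constructed for illustration, and do not reflect any real export format.

```python
# Hypothetical, simplified configuration model for illustration only;
# it is not Sophos Firewall's export format. All rules are "allow" rules.
def rule(name, src_zone, dst_zone, src, dst, service, ips=True, log=True):
    return dict(name=name, src_zone=src_zone, dst_zone=dst_zone,
                src=src, dst=dst, service=service, ips=ips, log=log)


# Constructed sample configuration.
CONFIG = {
    "wan_admin_services": ["SSH"],  # admin services reachable from the WAN
    "admin_mfa": False,
    "rules": [
        rule("lan-to-web", "LAN", "WAN", "10.0.0.0/24", "any", "HTTPS"),
        rule("rdp-inbound", "WAN", "LAN", "any", "10.0.0.20", "RDP"),
        rule("temp-allow-all", "LAN", "WAN", "any", "any", "any",
             ips=False, log=False),
    ],
}


def audit(config):
    """Return (scope, practice_number, message) for each deviation found."""
    findings = []
    for svc in config["wan_admin_services"]:
        findings.append(("device", 2, f"{svc} admin access is open on the WAN"))
    if not config["admin_mfa"]:
        findings.append(("device", 3, "MFA is not enforced for administrators"))
    for r in config["rules"]:
        name = r["name"]
        if r["src_zone"] == "WAN" and r["dst_zone"] != "WAN":
            findings.append((name, 4, f"inbound WAN rule exposes {r['service']} "
                                      f"on {r['dst']}; use ZTNA or VPN"))
        if (r["src"], r["dst"], r["service"]) == ("any", "any", "any"):
            findings.append((name, 5, "any-to-any rule"))
        if not r["ips"]:
            findings.append((name, 5, "intrusion prevention is not applied"))
        if not r["log"]:
            findings.append((name, 6, "logging is disabled"))
    return findings


if __name__ == "__main__":
    for scope, practice, message in audit(CONFIG):
        print(f"[practice {practice}] {scope}: {message}")
```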
