Skip to content
Study CCNP

5.4.c Next-generation firewall

2 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

A next-generation firewall is not just an ACL with a better interface. It combines stateful filtering with deeper context: applications, users, URLs, files, malware, IPS signatures, and threat intelligence depending on platform and licensing.

Basic firewall versus NGFW

FeatureBasic ACLStateful firewallNGFW
Source/destination IPYesYesYes
Ports/protocolsYesYesYes
Connection stateNoYesYes
Application identityNoLimited/NoYes
User identityNoLimited/NoYes
IPS/threat inspectionNoLimitedYes
URL/file/malware controlsNoLimitedYes

The exam point: NGFW policy is more context-aware than simple packet filtering.

Where NGFWs fit

Common enforcement points:

  • Internet edge.
  • Data center edge.
  • Cloud edge.
  • Branch edge.
  • Between high-value internal zones.
  • Remote access VPN termination.

A good design uses the firewall where traffic naturally crosses a trust boundary.

Packet crosses zone boundary (e.g. Users -> Internet)
L3/L4 match (IP, port, zone)
App-ID / user-ID context (NGFW)
Threat/URL/file inspection (if licensed)
Allow + log | Deny + log

Policy example in plain language

Allow Engineering users to reach Git over HTTPS.
Inspect downloads for malware.
Block known command-and-control destinations.
Log the user, application, URL category, file verdict, and rule hit.
Deny everything else between the zones unless explicitly allowed.

That is much richer than:

permit tcp 10.10.10.0/24 any eq 443

The ACL allows HTTPS anywhere. The NGFW policy can distinguish legitimate applications from risky or unwanted behavior using the same port.

Lab using zone-based firewall concepts

You may not always have an NGFW image available. You can still practice the stateful-policy mindset with a zone-based firewall lab.

zone security INSIDE
zone security OUTSIDE

class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

interface GigabitEthernet0/0
 zone-member security INSIDE

interface GigabitEthernet0/1
 zone-member security OUTSIDE

This is not a full NGFW, but it teaches the idea of zones, stateful inspection, default deny, and explicit allowed applications.

Verification mindset

Ask:

  • Which rule matched?
  • Which user or identity matched?
  • Which application was detected?
  • Was the session allowed, blocked, inspected, decrypted, or logged?
  • Did IPS, URL, DNS, file, or malware policy change the result?

Lab

Goal: Design an NGFW policy for a branch office.

Tasks:

  1. Define zones: inside, outside, guest, management.
  2. Write allowed flows in business language first.
  3. Convert the flows to firewall rules.
  4. Add logging for deny and high-risk allow rules.
  5. Add IPS/malware inspection for internet-bound traffic if your platform supports it.
  6. Test allowed traffic, denied traffic, and return traffic.
  7. Review logs and confirm rule hits.

Success criteria:

  • The policy allows required business traffic.
  • The default action denies unneeded traffic.
  • Logs identify the rule and traffic context.
  • Users and applications are visible when supported.

Exam traps

  • NGFWs are usually stateful; ACLs are not.
  • Application-aware control matters because many applications use TCP/443.
  • Identity-aware policy can match users/groups, not just IPs.
  • Threat inspection is only useful when traffic crosses the inspection point.