5.4.c Next-generation firewall
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
A next-generation firewall is not just an ACL with a better interface. It combines stateful filtering with deeper context: applications, users, URLs, files, malware, IPS signatures, and threat intelligence depending on platform and licensing.
Basic firewall versus NGFW
| Feature | Basic ACL | Stateful firewall | NGFW |
|---|---|---|---|
| Source/destination IP | Yes | Yes | Yes |
| Ports/protocols | Yes | Yes | Yes |
| Connection state | No | Yes | Yes |
| Application identity | No | Limited/No | Yes |
| User identity | No | Limited/No | Yes |
| IPS/threat inspection | No | Limited | Yes |
| URL/file/malware controls | No | Limited | Yes |
The exam point: NGFW policy is more context-aware than simple packet filtering.
Where NGFWs fit
Common enforcement points:
- Internet edge.
- Data center edge.
- Cloud edge.
- Branch edge.
- Between high-value internal zones.
- Remote access VPN termination.
A good design uses the firewall where traffic naturally crosses a trust boundary.
Packet crosses zone boundary (e.g. Users -> Internet)
L3/L4 match (IP, port, zone)
App-ID / user-ID context (NGFW)
Threat/URL/file inspection (if licensed)
Allow + log | Deny + logPolicy example in plain language
Allow Engineering users to reach Git over HTTPS.
Inspect downloads for malware.
Block known command-and-control destinations.
Log the user, application, URL category, file verdict, and rule hit.
Deny everything else between the zones unless explicitly allowed.That is much richer than:
permit tcp 10.10.10.0/24 any eq 443The ACL allows HTTPS anywhere. The NGFW policy can distinguish legitimate applications from risky or unwanted behavior using the same port.
Lab using zone-based firewall concepts
You may not always have an NGFW image available. You can still practice the stateful-policy mindset with a zone-based firewall lab.
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any INSIDE-TO-OUTSIDE
match protocol http
match protocol https
match protocol dns
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE
inspect
class class-default
drop log
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
interface GigabitEthernet0/0
zone-member security INSIDE
interface GigabitEthernet0/1
zone-member security OUTSIDEThis is not a full NGFW, but it teaches the idea of zones, stateful inspection, default deny, and explicit allowed applications.
Verification mindset
Ask:
- Which rule matched?
- Which user or identity matched?
- Which application was detected?
- Was the session allowed, blocked, inspected, decrypted, or logged?
- Did IPS, URL, DNS, file, or malware policy change the result?
Lab
Goal: Design an NGFW policy for a branch office.
Tasks:
- Define zones: inside, outside, guest, management.
- Write allowed flows in business language first.
- Convert the flows to firewall rules.
- Add logging for deny and high-risk allow rules.
- Add IPS/malware inspection for internet-bound traffic if your platform supports it.
- Test allowed traffic, denied traffic, and return traffic.
- Review logs and confirm rule hits.
Success criteria:
- The policy allows required business traffic.
- The default action denies unneeded traffic.
- Logs identify the rule and traffic context.
- Users and applications are visible when supported.
Exam traps
- NGFWs are usually stateful; ACLs are not.
- Application-aware control matters because many applications use TCP/443.
- Identity-aware policy can match users/groups, not just IPs.
- Threat inspection is only useful when traffic crosses the inspection point.