The exam uses all four names interchangeably. If a question describes any of these, it is describing an NGFW:
- Next-Generation Firewall (NGFW) — the primary term
- Application layer gateway — emphasizes Layer 7 operation
- Stateful multilayer inspection — emphasizes cross-layer state tracking
- Deep packet inspection (DPI) — emphasizes payload reading vs. header-only
The decision rule for NGFW vs. traditional firewall questions: If the scenario requires distinguishing between applications that use the same port, the answer is always NGFW. A traditional firewall makes decisions at the port level only — it cannot tell YouTube from a corporate web portal if both use TCP/443. When the answer requires per-application control, NGFW is correct.
Memory hook: DPI = reads inside the packet (not just the label). Stateful multilayer = tracks the whole conversation across all layers. Application layer gateway = decides at the application, not the port.
The exam has a consistent trap: a scenario shows a firewall with several allow rules but no explicit deny at the bottom, then asks what happens to traffic that does not match any rule. The answer is always: the implicit deny drops it. The implicit deny does not need to be written — it is enforced automatically.
The companion trap: A broad allow rule placed above a specific deny rule silently overrides the deny. The implicit deny only helps for traffic that reaches the bottom of the rule list. If an overly broad allow rule at the top captures traffic that was supposed to be denied by a rule below, the implicit deny never comes into play. The mistake is the allow rule ordering, not the absence of a deny.
Key facts to memorize:
- Implicit deny = drop anything not explicitly allowed; present in virtually all firewalls
- Top-to-bottom evaluation = first match wins; rules below the first match are irrelevant for that traffic
- Specific before general = the most granular rules go at the top
- ICMP has no port number — ICMP rules cannot reference TCP or UDP ports
The exam tests whether candidates understand what a screened subnet does and does not do. The screened subnet does NOT prevent an attacker from compromising the public-facing server. It DOES prevent a compromised public server from becoming a launchpad into the internal network.
The exam trap: A question describes an attacker who compromised a web server in the DMZ and asks what security control "prevented access to the internal database." The answer is the screened subnet architecture (firewall rules blocking DMZ-to-internal traffic), not the web server's security configuration.
What goes where:
- Screened subnet / DMZ: web servers, email servers, public DNS servers, any service that must accept internet connections
- Internal network: databases, file servers, internal applications, confidential data, employee workstations
The firewall rule model: Internet → DMZ is allowed for specific ports (TCP/80, TCP/443). DMZ → internal is blocked except for the minimum required (e.g., TCP/3306 from web server to database only). Internal → DMZ management traffic is allowed as needed.
The exam tests whether candidates can match the IPS detection scenario to the correct detection method. The decision is mechanical once you know the rule:
- Known attack with existing signature → signature-based detection
- New / zero-day / novel attack with no signature → anomaly-based detection
- Legitimate traffic flagged as malicious → false positive (from anomaly-based, usually)
- Real attack missed → false negative (from signature-based missing unknowns)
The exam scenario pattern: "The IPS detected an attack even though no signature had been published for it yet." → Anomaly-based. "The IPS compared traffic to a database of known attack patterns." → Signature-based. "The IPS established a baseline of normal behavior and flagged deviations." → Anomaly-based.
Why both are needed: Signature-based is fast and accurate for known threats. Anomaly-based catches unknowns but generates false positives. Running both together means known threats are caught by signatures (low false-positive cost), and zero-days get a second chance through anomaly detection.