LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the firewall design checklist to take away?

A practical checklist for designing or auditing any firewall deployment, distilled from these key principles.

The checklist:

☐ Default-deny on the perimeter
☐ DMZ for all public-facing servers (never in Intranet)
☐ Stateful inspection minimum
☐ Application-level inspection (NGFW or WAF) for HTTP/HTTPS services
☐ Outbound traffic restricted, not allow-all
☐ Internal segmentation (at least: Office / Servers / Guest)
☐ Regular rule review (deprecate unused rules)
☐ Logging enabled, especially on the catch-all deny rule
☐ Backup configurations + tested restore procedure
☐ HA cluster for production-critical environments
☐ Patches applied (firewalls have CVEs too)
☐ Personal Firewall on every endpoint
☐ Documentation of zone purposes and rule rationales

The five-rule baseline (always):

  1. no Direct Internet → Intranet
  2. yes Public servers in DMZ only
  3. yes Internet → DMZ tightly scoped
  4. yes Outbound restricted via proxy
  5. no Dangerous protocols (NetBIOS, NFS, TeamViewer over Internet)

The trust hierarchy:

Most trusted ──→ Internal Servers (DB, AD)
                     ↑
                Internal Workstations
                     ↑
                Guest WiFi / IoT segments
                     ↑
                B2B Partners
                     ↑
                DMZ public servers
                     ↑
Least trusted ──→ Internet

Each step up = a firewall barrier with explicit rules.

The defense-in-depth multiplier:

Layer Tool
Perimeter FW NGFW with IDS/IPS
DMZ FW Separate FW or zone in same FW
Web servers WAF for HTTP/S
Internal segments Internal FWs / micro-segmentation
Endpoints Personal FW + EDR
Identity MFA + Zero-Trust

No single layer is sufficient. The goal is that an attacker who breaches one layer faces fundamentally different defenses at the next.

The decision tree for "do I need this?":

Question Answer
"Is this a SOHO / home network?" Router NAT + OS Personal FW = enough
"Hosting any public service?" Need DMZ + perimeter FW
"Multiple departments / regulated industry?" Add internal segmentation FW
"Web-app-heavy?" Add WAF
"Compliance-mandated?" Possibly dual-FW DMZ + dedicated audit logging

Tip: Firewall security is configuration security. A Palo Alto NGFW with bad rules is worse than pfSense with good rules. Spend time on rule design, periodic review, and testing — not just on buying expensive hardware.

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026