What Is a Firewall? Plain-English Guide for Australian Businesses 2026

What is a firewall? In plain English, a firewall is a piece of software or hardware that decides which network traffic is allowed in and out of a business. It sits between your network and the internet (and sometimes between parts of your own network), enforces rules about what is allowed, and blocks the rest. Every Australian business that connects to the internet has one — often several — even if nobody on the team thinks about it.

This guide explains what a firewall actually does, the different types you will hear about, how to pick one, and what "firewall configuration" really means in 2026.

What does a firewall do, specifically?

A firewall does three things:

1. Inspects network traffic — every packet coming in or out
2. Applies rules — allow, deny, log, inspect further
3. Records what happened — logs for audit, investigation and alerting

The rules can be simple ("allow traffic to port 443 outbound") or sophisticated ("allow Office 365 traffic only for authenticated users in the Finance group between 08:00 and 18:00"). Modern firewalls — next-generation firewalls (NGFW) — sit at the sophisticated end and inspect far more than just ports.

Stateful vs stateless firewalls

You will sometimes see "stateful vs stateless firewall" in vendor documentation.

• Stateless firewalls look at each packet in isolation. Fast and cheap, but limited — cannot tell whether a packet is part of an established connection or an unsolicited probe.
• Stateful firewalls track connections as they happen. They know whether a packet belongs to a connection your side initiated (allow it back in) or is arriving unsolicited (block it). This is the baseline for anything serious.

Virtually every firewall sold for business use in 2026 is stateful at minimum. Stateless has niche use cases (high-speed edge filtering, simple cloud security groups) but is not the starting point for a business firewall.

Next-generation firewall (NGFW) — what it adds

A next-generation firewall (NGFW) adds these capabilities on top of stateful filtering:

• Application identification — the firewall recognises applications (Office 365, Slack, Dropbox) not just ports
• User identity awareness — rules based on who is connecting (integrated with Active Directory or Azure AD), not just IP address
• Intrusion detection and prevention (IDS/IPS) — signature and behaviour-based attack blocking
• Threat intelligence — known-bad IPs and domains blocked automatically
• URL filtering — category-based web filtering
• SSL / TLS inspection — visibility into encrypted traffic where policy allows
• Sandboxing — suspicious files detonated in a safe environment before allowing

Fortigate, Palo Alto, Sophos, Cisco Firepower, Check Point, WatchGuard and Azure Firewall Premium are all NGFWs. For any business above small-office scale, NGFW is the baseline.

See our NGFW Buyer's Guide Australia 2026 for vendor comparison, or firewall configuration service for delivery.

Types of firewalls you will encounter

Network firewall (perimeter)

The classic firewall — sits at the edge of your network between the internet and your LAN. Fortigate, Palo Alto, Sophos, UniFi UDM Pro, Cisco — all perimeter firewalls. Still essential in 2026 despite cloud shift.

Internal / segmentation firewall

Firewalls inside your own network, segmenting (for example) finance systems from general user traffic. Reduces blast radius if a user endpoint is compromised. Increasingly required for Essential Eight maturity.

Host-based firewall

Firewall software running on a single server or endpoint — Windows Firewall, Linux iptables, macOS application firewall. Useful as defence-in-depth, not a replacement for a network firewall.

Cloud firewall

Firewalls inside cloud environments — Azure Firewall, AWS Network Firewall, GCP Cloud Armor, plus cloud-native NGFW virtual appliances (Palo Alto VM-Series, Fortigate VM). Essential for securing cloud workloads. See our Azure Firewall configuration and AWS Network Firewall configuration.

Web application firewall (WAF)

Specialist firewall for HTTP/HTTPS traffic to web apps — blocks SQL injection, cross-site scripting, credential stuffing. Cloudflare, AWS WAF, Azure Front Door WAF, Imperva are common. Complementary to network firewalls, not a replacement.

"Human firewall"

Marketing term for security awareness training — helping users not click phishing links. Important, but not a firewall in any technical sense. Real phishing defence is email security plus endpoint plus network firewall plus training.

What is firewall configuration?

Firewall configuration is the design, implementation and ongoing tuning of firewall rules and policies. It covers:

• Zone and interface design
• Firewall rules — what traffic is allowed where
• NAT and port forwarding
• VPN configuration for remote workers and site-to-site
• Threat prevention and IDS/IPS tuning
• Logging and SIEM integration
• Change management and documentation

Buying a firewall is the easy bit. Firewall configuration is where the security actually lives — and where most environments quietly fail. Our firewall configuration service takes ownership of this end-to-end.

How firewalls fit into Essential Eight

The Australian Cyber Security Centre's Essential Eight mitigation strategies do not name "firewall" as one of the eight, but firewalls are woven through multiple controls:

• Application control — firewalls enforce which applications can reach the internet
• User application hardening — firewalls block unwanted browser protocols and script execution paths
• Restricting admin privileges — firewalls enforce network-level separation for admin systems
• Logging — firewalls are a primary log source for Essential Eight maturity

Good firewall configuration is a prerequisite for Essential Eight Maturity Level 2 and above.

Common firewall questions Australian businesses ask

How much does a firewall cost?

Small business (UniFi, basic Sophos): $1,000–$5,000 hardware, $500–$2,000 per year licences. Mid-market (Fortigate, Sophos XGS): $3,000–$20,000 hardware, $2,000–$10,000 per year licences. Enterprise (Palo Alto, high-end Fortigate): $20,000–$200,000+ hardware, $10,000–$100,000+ per year licences. Cloud firewalls (Azure, AWS) are consumption-based.

Do I need both a cloud firewall and a network firewall?

If you have both on-premise networks and cloud workloads, yes. A network firewall for your office and a cloud firewall (Azure or AWS) for cloud workloads is the standard pattern. Policy should be consistent across both.

Does Windows Firewall count?

Windows Firewall is a useful host-based defence but does not replace a network firewall. Leave it on, and put a real network firewall in front of it.

What is a firewall rule?

A firewall rule is a single entry in the firewall policy that specifies what traffic is allowed or denied — typically source, destination, port, protocol, and action. Real environments have hundreds or thousands of rules. Rule audit and cleanup is a major part of firewall configuration.

Does SSL / TLS inspection break anything?

Occasionally. Some applications pin certificates and refuse to trust the firewall's inspection certificate. These are usually caught in UAT and bypassed cleanly. Scoping SSL inspection properly is part of firewall configuration — see our firewall configuration service.

Choosing a firewall — a short framework

For Australian mid-market businesses in 2026:

• $5M–$30M revenue, single site: UniFi (lean) or Sophos XGS
• $30M–$150M revenue, multi-site: Fortigate is typically the sweet spot
• $150M+ revenue, regulated or enterprise: Palo Alto or high-end Fortigate
• Azure-first workloads: Azure Firewall Premium
• AWS-first workloads: AWS Network Firewall

Vendor-specific guides: Fortigate · Palo Alto · Sophos · Azure Firewall · AWS Network Firewall · UniFi.

Frequently asked questions

What is a firewall in simple terms?

A firewall is a security control that inspects network traffic and enforces rules about what is allowed in and out. It sits between your business network and the internet.

What does a firewall do?

A firewall inspects network traffic, applies rules (allow, deny, inspect, log), and records what happened. Modern firewalls also identify applications and users, block attacks, filter web content and inspect encrypted traffic.

What is NGFW?

A next-generation firewall (NGFW) is a firewall that adds application awareness, user identity, intrusion prevention, threat intelligence and other advanced capabilities on top of traditional stateful filtering.

Is a firewall enough security?

No — a firewall is one layer of defence. You also need endpoint protection, email security, identity protection, backups, patch management and user awareness. But a well-configured firewall blocks a huge portion of routine attacks before they reach the rest of your stack.

Can AI configure a firewall?

AI can assist with policy design, anomaly detection and change review — not replace human firewall engineers. Mature firewall configuration still needs human judgement on Zero Trust design, segmentation strategy and Essential Eight alignment.

The bottom line

A firewall is the first-line network control between your business and the internet. For most Australian mid-market businesses, a well-configured NGFW — Fortigate, Palo Alto, Sophos, Azure Firewall — is the right answer, paired with endpoint and email security. The hard part is not buying the firewall, it is configuring it so it does what you bought it for. Book a firewall scoping call and we will audit what you have honestly.