Firewalls: Stateless vs Stateful vs NGFW | AP Cybersecurity

Unit 3 • Topic 3.4 • Protecting Networks

Firewalls Explained: Stateless vs Stateful vs Next-Gen (+ ACLs)

A firewall allows or denies network traffic based on rules. Topic 3.4 covers the firewall types (stateless, stateful, next-generation) and how an access control list (ACL) decides what gets through.

At a glance: there are three firewall types (stateless, stateful, and next-gen/NGFW); ACL rules are checked in order, and the first match wins. The firewall types range from simple per-packet filtering to deep inspection.

The three firewall types

A stateless firewall filters each packet on its own, based on fixed rules (such as source, destination, and port), without remembering past traffic. A stateful firewall tracks the state of connections, so it can allow return traffic for a connection it already approved.

A next-generation firewall (NGFW) has both capabilities plus more, such as application awareness and intrusion-prevention features. More capability generally means more inspection of each packet.

Scenario

A firewall allows reply traffic for a connection the internal user started, but blocks unsolicited inbound traffic. Which type is this?

Answer

A stateful firewall. It tracks connection state, so it recognizes the reply as part of an approved connection while blocking unrelated inbound traffic.

Exam tip

Stateless = per-packet, no memory. Stateful = tracks connections. NGFW = both plus extra inspection.

How ACL rules work

A firewall enforces an access control list: an ordered set of rules that allow or deny traffic. Rules are checked in order, and the first matching rule applies, so rule order changes behavior. A typical rule specifies the direction of traffic along with source, destination, and port.

Placement matters too: each network segment and each point of data ingress and egress should have appropriate firewall rules, which ties firewalls to segmentation.

Scenario

An ACL has an 'allow all' rule above a 'deny database access' rule. What happens to database traffic?

Answer

It is allowed. Rules are checked in order and the first match applies, so the broad allow rule matches first and the later deny is never reached. The order must be corrected so the specific deny comes before the broad allow.
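As an added illustration (not code from the original page or its course materials), the Python below models both the firewall-types section and the ACL section: a first-match ACL evaluator with an implicit default deny, a stateless filter that is nothing more than that evaluator, and a stateful filter that adds a connection table so replies to an approved outbound session pass while unsolicited inbound traffic does not. It also reproduces the scenario above, where an 'allow all' rule sits above a 'deny database access' rule. All addresses, ports, the database server address and the rules themselves are constructed for the example.

```python
"""Toy model of a first-match ACL, a stateless filter and a stateful filter.
Every address, port and rule here is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the protected network, "out" = leaving it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = ANY
    src_ip: str = ANY
    dst_ip: str = ANY
    dst_port: int | str = ANY

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when every field that is not 'any' equals the packet header."""
        checks = (
            (self.direction, pkt.direction),
            (self.src_ip, pkt.src_ip),
            (self.dst_ip, pkt.dst_ip),
            (self.dst_port, pkt.dst_port),
        )
        return all(want == ANY or want == got for want, got in checks)


def first_match(acl: list[Rule], pkt: Packet) -> str:
    """Walk the ACL top to bottom; the first matching rule decides.
    A packet that matches no rule hits the implicit default: deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def stateless_decision(acl: list[Rule], pkt: Packet) -> str:
    """A stateless firewall judges every packet alone: it is just first_match."""
    return first_match(acl, pkt)


class StatefulFirewall:
    """Same ACL logic plus a connection table, so replies to approved outbound
    sessions are recognised even though no inbound rule allows them."""

    def __init__(self, acl: list[Rule]):
        self.acl = acl
        self.sessions: set[tuple[str, int, str, int]] = set()

    def decision(self, pkt: Packet) -> str:
        # A reply reverses the (src, dst) pair of a session we already approved.
        reverse_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "in" and reverse_key in self.sessions:
            return "allow"
        verdict = first_match(self.acl, pkt)
        if verdict == "allow" and pkt.direction == "out":
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict


# Constructed policy: allow anything outbound, no rule allows inbound (so inbound = default deny).
OUTBOUND_ONLY_ACL = [Rule("allow", direction="out")]


def demo_reply_handling() -> dict[str, str]:
    """The page's first scenario: internal user starts a connection, a reply comes back,
    and an unrelated inbound packet arrives. Constructed addresses throughout."""
    request = Packet("out", "10.0.0.5", 40000, "203.0.113.7", 443)
    reply = Packet("in", "203.0.113.7", 443, "10.0.0.5", 40000)
    unsolicited = Packet("in", "198.51.100.9", 5555, "10.0.0.5", 22)
    fw = StatefulFirewall(OUTBOUND_ONLY_ACL)
    fw.decision(request)   # approved outbound flow is recorded in the session table
    return {
        "stateless_reply": stateless_decision(OUTBOUND_ONLY_ACL, reply),   # "deny"
        "stateful_reply": fw.decision(reply),                             # "allow"
        "stateful_unsolicited": fw.decision(unsolicited),                 # "deny"
    }


DB_SERVER = "10.0.2.20"          # constructed database server address
ALLOW_ALL = Rule("allow")
DENY_DB = Rule("deny", dst_ip=DB_SERVER, dst_port=5432)


def demo_rule_order() -> tuple[str, str]:
    """The page's second scenario: a broad allow above a database deny, then corrected."""
    db_query = Packet("in", "10.0.1.15", 51000, DB_SERVER, 5432)
    misordered = [ALLOW_ALL, DENY_DB]   # broad allow first: the deny is never reached
    corrected = [DENY_DB, ALLOW_ALL]    # specific deny first, catch-all allow last
    return first_match(misordered, db_query), first_match(corrected, db_query)


if __name__ == "__main__":
    print("database query (misordered, corrected):", demo_rule_order())
    for name, verdict in demo_reply_handling().items():
        print(f"{name}: {verdict}")
```

Running the script prints `('allow', 'deny')` for the two rule orders and shows that the stateless filter drops the reply the stateful filter lets through, while both drop the unsolicited inbound packet. The model keeps the two ideas visibly separate: `first_match` is the whole of a stateless firewall, and the only thing `StatefulFirewall` adds is the session table consulted before the ACL.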

Real-world example

From stateless to next-gen

Early firewalls filtered packet by packet. Stateful firewalls that track connections became standard, and next-generation firewalls now add application awareness and intrusion prevention to the same device.

More capability means more inspection per packet.

Key Terms

Firewall: A control that allows or denies network traffic.
Stateless: Filters each packet against fixed rules.
Stateful: Tracks connection state to allow replies.
ACL: An ordered list of allow and deny rules.
NGFW: A firewall with stateful, stateless, and added features.

Common Mistakes

Confusing stateless and stateful

Stateless filters each packet alone; stateful tracks connection state.

Ignoring ACL rule order

Rules apply first-match, so order changes the outcome.

Thinking a firewall inspects content by default

Basic firewalls filter by header fields; deep inspection is an NGFW feature.

Placing firewalls only at the perimeter

Each segment and ingress/egress point should have appropriate rules.

Check for Understanding

Question 1
A stateless firewall filters traffic based on:
B. A stateless firewall evaluates each packet on its own against fixed rules, without tracking connections.
Question 2
A firewall that tracks connection state to allow return traffic is:
B. A stateful firewall tracks connections and can permit replies for approved sessions.
Question 3
In an ACL, when does a rule take effect?
A. ACL rules are checked in order and the first match applies, so order matters.
Question 4
Which capabilities describe a next-generation firewall? I. Stateful tracking. II. Application awareness. III. Per-packet filtering.
D. An NGFW combines stateful and stateless filtering with added features like application awareness.
Question 5
An ACL allows all traffic in its first rule, then denies database access later. Database traffic is:
C. The broad allow matches first, so the later deny never applies. Rule order is critical.
Question 6
Why should firewalls be placed at each segment and ingress/egress point?
A. Rules at each boundary control traffic in and out of every segment, supporting segmentation.

Frequently Asked Questions

A stateless firewall filters each packet independently against fixed rules; a stateful firewall tracks connection state so it can allow return traffic for approved sessions.
An NGFW combines stateless and stateful filtering with added capabilities such as application awareness and intrusion-prevention features.
An ACL is an ordered set of allow and deny rules. Rules are checked in order and the first matching rule applies, so rule order changes the outcome.
