← All posts

Infrastructure · June 7, 2026 · intSignal Network Team

Next-Gen Firewall Best Practices for Real Networks

Ports and protocols stopped describing traffic years ago

The classic firewall rule allowed TCP 443 outbound and called it "web browsing." On a modern network, port 443 carries everything: SaaS applications, remote-access tunnels, file-sharing clients, command-and-control beacons, and a genuine login to your bank. A port number tells you almost nothing about what is actually crossing the wire. That gap is the entire reason next-generation firewalls exist, and it is also why so many teams buy an NGFW, license every module, and still operate it like a 2005 packet filter.

Getting real value out of the platform means using the features that look at content and identity — not just the five-tuple — and then maintaining the rule base with real discipline. A firewall is a critical control in a network security program, but it earns that role only when it is tuned, cleaned, logged, and paired with the controls around it. Here is how practitioners actually run one.

The capability stack: App-ID, User-ID, IPS, and TLS inspection

Four capabilities separate an NGFW from a router with an access list. Each one carries a tradeoff you have to decide on deliberately.

  • Application identification (App-ID). The engine fingerprints traffic by behavior and signatures, so it recognizes a screen-sharing tool or a database protocol regardless of the port it rides on. This lets you write a rule that says "allow this business application" instead of "allow this port and hope." The tradeoff: unknown or custom in-house applications may show up as generic traffic until you build a signature, so plan for a discovery period.
  • User identification (User-ID). By integrating with your directory, the firewall maps an IP address to a named user and group. Policy then follows the person, not the DHCP lease — "the finance group may reach the ERP system" rather than "this subnet may reach that subnet." This is what makes least privilege practical on a network where addresses change hourly.
  • Intrusion prevention (IPS). Signature and behavioral detection block known exploits inline. IPS is only as good as its tuning: run it in alert mode first, suppress the false positives that match your environment, and only then switch high-confidence signatures to block. An untuned IPS in blocking mode is a reliable way to break a legitimate application and lose the team's trust in the platform.
  • TLS inspection. Roughly 90 percent of web traffic is now encrypted, which means App-ID and IPS are largely blind unless the firewall decrypts and re-encrypts the session. Decryption restores visibility, but it is the single most consequential decision on the box.

Layered next-gen firewall controls inspecting application, user, and threat context on encrypted traffic Figure: an NGFW earns its name only when App-ID, User-ID, and IPS can actually see inside the session — which usually means a deliberate decryption policy.

TLS inspection deserves its own paragraph because it is where most deployments quietly fail. Decrypting everything is neither legal nor wise: banking, healthcare, and payroll sessions often must not be intercepted, certificate-pinned mobile apps break outright, and full inspection can cut a firewall's rated throughput by half or more. The workable pattern is a decryption policy with explicit categories — inspect general web and unknown destinations, bypass regulated and privacy-sensitive categories, and size the appliance for the real inspected load rather than the data-sheet number. Test the exceptions before you enforce, and publish an internal notice so the decryption is transparent to employees.

Least-privilege rule design

A firewall rule base is an access-control system, and the same principle applies: default deny, then permit only what the business needs.

  1. End with an explicit deny-all that logs. Most platforms have an implicit final deny, but it usually does not log. Add an explicit logged deny so you can see what is being blocked and why.
  2. Kill the any-any rules. A rule with "any" source, "any" destination, and "any" service is not a policy — it is the absence of one. Every allow rule should name a source zone, a destination, and the specific application or service.
  3. Write rules around applications and user groups, not raw ports, wherever App-ID and User-ID make it possible. These rules survive re-addressing and re-platforming; port rules rot.
  4. Document business justification and an owner on every rule. A rule with no named owner and no reason is a rule nobody will ever dare to remove.
  5. Use address and service objects, not inline literals, so a change is made once and inherited everywhere.

Rule hygiene: the cleanup nobody schedules

Rule bases decay. Every project adds rules; almost no project removes them. Left alone, a firewall accumulates shadowed rules that can never match, overly broad rules that grant far more than intended, expired temporary rules from a migration two years ago, and duplicate objects. This sprawl is not cosmetic — it is attack surface, and it makes every future change riskier because nobody can predict what a new rule will interact with.

Run a hygiene review at least quarterly:

  • Use hit counters to find rules with zero matches over 90 days, then confirm with the owner before removing them.
  • Find and delete shadowed and redundant rules — a broad rule earlier in the list that makes a later, more specific rule unreachable.
  • Tighten overly permissive rules. Most vendors offer a policy optimizer that shows which applications a legacy port-based rule actually carried, so you can rewrite it to allow only those.
  • Reap expired temporary rules. Tag every temporary rule with an expiration date at creation so cleanup is mechanical, not archaeological.
  • Clean the object database of unused and duplicate address and service objects.

For large, multi-site estates this is where policy-management tooling pays for itself, but the discipline matters more than the product.

Logging and change control

An unlogged firewall is a silent one, and a firewall changed by ad-hoc CLI edits is an unmanaged one.

  • Log allowed traffic, not just denies. The record of what was permitted is what lets an analyst reconstruct lateral movement after an incident. Forward all logs to your SIEM so firewall telemetry is correlated with endpoint and identity events rather than sitting in a local buffer that wraps every few days.
  • Run every change through a ticket with peer review. The change should state what, why, who approved it, and how to roll it back. The worst outages and the quietest security holes both come from someone making "one quick change" directly on the box at 5 p.m.
  • Keep versioned configuration backups and diff them, so an unexpected change is visible even if it skipped the process.

High availability that actually fails over

A firewall sits directly in the traffic path, which makes it a single point of failure unless you design otherwise.

  • Deploy a pair, not a single unit. Active/passive is simpler to reason about; active/active raises capacity but demands careful session handling. Either way, confirm that sessions synchronize so a failover does not drop every live connection.
  • Decide fail-open versus fail-closed deliberately. For a security appliance the default should be fail-closed, but map the exceptions where an outage is worse than a brief loss of inspection.
  • Do not forget path and power diversity. Two firewalls on one switch, one circuit, or one PDU is not high availability. Across sites, this redundancy is part of how we design resilient global networks rather than an afterthought.
  • Test failover on a schedule. An HA pair that has never been failed over in anger is a theory, not a control. Pull the cable in a maintenance window and see what happens.

A firewall is not a strategy

The most important best practice is knowing the limits of the box. A next-gen firewall inspects traffic that crosses it — and on a modern network, enormous amounts of traffic never do. Remote users connecting straight to SaaS, workloads talking east-west inside a cloud VPC, and branch offices reaching the internet locally all bypass the data-center perimeter entirely. That is why the perimeter is increasingly delivered as a cloud service through a secure access service edge model, and why the firewall has to sit inside a layered architecture that also includes endpoint detection, identity controls, segmentation, and monitoring. A perfectly tuned firewall in front of a flat network with no other controls is still one phished credential away from a bad day.

Getting more from the box you already own

Most organizations do not need a bigger firewall — they need to use the one they have correctly: turn on App-ID and User-ID, build a deliberate decryption policy, replace any-any rules with least-privilege ones, schedule real hygiene reviews, log everything to a SIEM, and prove the HA pair fails over. That is where the security value lives.

intSignal designs, tunes, and manages next-generation firewalls as part of a broader network security practice — including the rule cleanups and change discipline that keep them effective. If you want a candid review of what your current rule base is actually allowing, talk to our team.