A firewall in a web application is the security layer that decides which requests may reach a route, controller, or resource, and whether authentication is required first. In frameworks such as Symfony, it helps separate public entry points from protected areas by applying rules based on path, host, session state, or user identity. This is different from a network firewall: here the decision happens inside the application request flow.
Firewalls matter because they define a trust boundary. If routing, redirects, or internal forwards can influence firewall decisions, an attacker may reach code that should only be available after login. Defenders should keep firewall rules explicit, avoid letting request data choose protected destinations, and test that access control still applies after failures, redirects, and subrequests. A correctly configured firewall reduces the chance that an ordinary login failure becomes an authorization bypass.