The correct answers are B. Intrusion prevention and C. Application control.
Cisco documentation explains that a traditional firewall typically provides stateful inspection of traffic. A next-generation firewall (NGFW) adds advanced capabilities beyond that, including integrated intrusion prevention and application awareness/control.
Cisco describes Next-Generation Intrusion Prevention System (NGIPS) as a next-generation firewall capability that goes beyond what a standard stateful firewall provides. This allows the firewall to inspect traffic for malicious patterns and block threats, not just permit or deny sessions.
Cisco also lists Application Visibility and Control (AVC) or application awareness and control as a defining NGFW feature. This allows policies to be enforced based on the actual application, rather than only IP addresses, ports, and protocols.
A. Stateful traffic inspection: This is a standard firewall capability, not a feature unique to NGFWs. Cisco specifically contrasts NGFW features with traditional stateful inspection.
D. Remote access VPN: Cisco lists VPN as a firewall service, but it is not one of the advanced features that distinguish NGFW from a standard firewall. Cisco notes that NGFW capabilities are beyond traditional stateful inspection and VPN.
E. Network telemetry: Network telemetry may be used for monitoring and analytics, but it is not identified by Cisco as one of the classic distinguishing NGFW features in this context.
ENCOR exam point:
Know this distinction clearly: