Firewalls enforce network access via a positive control model, where only specific traffic defined in policies is granted access to the network while all other traffic is denied.
Access Control Lists (ACLs) initially performed this functionality, often in routers, but their rudimentary approach gave way to dedicated packet filtering and stateful inspection firewall devices that offered deeper levels of access controls.
Unfortunately, these traditional firewalls shared a common shortcoming—an inability to see all of the applications traversing the network across all ports and protocols. The use of proxy-based devices began providing more granular visibility into a small set of applications and protocols where traditional firewalls were blind.
A standalone, proxy-based URL filtering solution remains to this day an isolated, disconnected tool – partially because it has an incomplete view of all network traffic, and due to its limited role among other security devices on the network.