Microsegmentation vs. Firewall

Microsegmentation and firewalls are both central components of a zero-trust architecture, but they perform different tasks at different levels.

Firewalls filter incoming and outgoing traffic between internal and external networks based on IP addresses, ports, or protocols.

Microsegmentation, on the other hand, works within the network. It controls which systems, applications, or hosts are allowed to communicate with each other and enforces fine-grained policies directly at the workload level—that is, at the level where the data flow actually originates.

What this means:
Microsegmentation only works where an agent is installed. Devices without an agent, such as printers, are not covered by microsegmentation rules. Even if their IP addresses fall within a range covered by rules, these devices remain a blind spot and can still connect, because the rules are never enforced on them.

Microsegmentation does not replace a firewall!
A firewall controls access to the network.
Microsegmentation regulates traffic within the network.

Note on CIDR-based microsegments:
Even though microsegments can technically be defined using IP address ranges (CIDR), this should not be the primary mechanism for forming segments. CIDR-based rules follow the same logic as classic firewall configurations and often cause hosts that are not part of the intended segment to receive rules they do not need, which increases policy complexity and CPU load on those hosts.
Segment-based control via concrete host references or dynamic tags is therefore recommended, as this is the only way to achieve context-based, enforceable microsegmentation. CIDR-based segments, on the other hand, only take effect on managed hosts and offer no reliable protection for unmanaged devices (printers, old VMs, etc.) that cannot process rules themselves.
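As an added illustration (not part of the original article), the following Python model shows how rule distribution and enforcement differ between a CIDR-based and a tag-based policy on a small constructed inventory. Host names, addresses, tags, the rule format and the selector kinds are all assumptions made for this example, not any product's policy language. It demonstrates both points made above: an unrelated managed host in the address range receives the CIDR rule anyway, a printer in the same range is let through by the CIDR rule but denied by the tag rule, and a flow between two agentless devices has no enforcement point at all.

```python
"""Toy model of agent-based microsegmentation: rule distribution and enforcement.

Constructed example: hosts, IPs, tags and rules below are invented for
illustration; no real product's policy language is modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A selector is ("cidr", "10.0.1.0/24"), ("tag", "app:web") or ("host", "web-01").
Selector = Tuple[str, str]


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    tags: FrozenSet[str]
    has_agent: bool  # only hosts with an agent can install and enforce rules


@dataclass(frozen=True)
class Rule:
    name: str
    src: Selector
    dst: Selector
    port: int


def matches(selector: Selector, host: Host) -> bool:
    """Does a rule selector refer to this host?"""
    kind, value = selector
    if kind == "cidr":
        return ipaddress.ip_address(host.ip) in ipaddress.ip_network(value)
    if kind == "tag":
        return value in host.tags
    if kind == "host":
        return value == host.name
    raise ValueError(f"unknown selector kind {kind!r}")


def compile_rules(hosts: List[Host], rules: List[Rule]) -> Dict[str, List[str]]:
    """Which rule names each agent-managed host must install.

    A rule lands on every managed host it selects as source or destination,
    whether or not that host is part of the intended segment. Agentless hosts
    receive nothing, whatever their IP address.
    """
    installed: Dict[str, List[str]] = {}
    for host in hosts:
        if not host.has_agent:
            continue
        installed[host.name] = [
            r.name for r in rules if matches(r.src, host) or matches(r.dst, host)
        ]
    return installed


def evaluate(hosts: List[Host], rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Outcome of a flow: "ALLOW", "DENY" or "UNENFORCED".

    Enforcement happens on the agents of the two endpoints (default deny).
    If neither endpoint has an agent there is no enforcement point at all:
    this is the blind spot the article describes.
    """
    by_name = {h.name: h for h in hosts}
    s, d = by_name[src], by_name[dst]
    if not s.has_agent and not d.has_agent:
        return "UNENFORCED"
    for r in rules:
        if r.port == port and matches(r.src, s) and matches(r.dst, d):
            return "ALLOW"
    return "DENY"


# Constructed inventory: one subnet holding the web tier, the database, an
# unrelated CI host, and two devices that cannot run an agent.
INVENTORY = [
    Host("web-01", "10.0.1.10", frozenset({"app:web"}), True),
    Host("web-02", "10.0.1.11", frozenset({"app:web"}), True),
    Host("db-01", "10.0.1.20", frozenset({"app:db"}), True),
    Host("build-01", "10.0.1.30", frozenset({"role:ci"}), True),  # managed, not part of the app
    Host("printer-01", "10.0.1.50", frozenset(), False),          # no agent
    Host("legacy-vm", "10.0.1.60", frozenset(), False),           # no agent
]

# Classic firewall-style rule: "the subnet may reach the database address".
CIDR_POLICY = [Rule("subnet-to-db", ("cidr", "10.0.1.0/24"), ("cidr", "10.0.1.20/32"), 5432)]
# Context-based rule: "web workloads may reach database workloads".
TAG_POLICY = [Rule("web-to-db", ("tag", "app:web"), ("tag", "app:db"), 5432)]


def compare() -> Dict[str, object]:
    """Collect the observations the article makes, for both policy styles."""
    return {
        "cidr_rules_per_host": compile_rules(INVENTORY, CIDR_POLICY),
        "tag_rules_per_host": compile_rules(INVENTORY, TAG_POLICY),
        "printer_to_db_cidr": evaluate(INVENTORY, CIDR_POLICY, "printer-01", "db-01", 5432),
        "printer_to_db_tag": evaluate(INVENTORY, TAG_POLICY, "printer-01", "db-01", 5432),
        "printer_to_legacy_tag": evaluate(INVENTORY, TAG_POLICY, "printer-01", "legacy-vm", 5432),
        "web_to_db_tag": evaluate(INVENTORY, TAG_POLICY, "web-01", "db-01", 5432),
        "build_to_db_tag": evaluate(INVENTORY, TAG_POLICY, "build-01", "db-01", 5432),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running the file prints the comparison: under the CIDR policy all four managed hosts, including build-01, install the rule, while the tag policy leaves build-01 with none; the printer reaches db-01 under the CIDR rule but is denied by the tag rule; and printer-01 to legacy-vm is unenforced under either policy, which is exactly the gap that has to be closed by a network firewall rather than by more microsegmentation rules.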