Systems Security Certified Practitioner – SSCP – Question0894

A variation of the application layer firewall is called a:

A. Current Level Firewall.
B. Cache Level Firewall.
C. Session Level Firewall.
D. Circuit Level Firewall.

Correct Answer: D

Explanation:

Terminology can be confusing between the different sources, as both CBK and AIO3 call an application layer firewall a proxy, and proxy servers are generally classified as either circuit-level proxies or application-level proxies.
The distinction is that a circuit-level proxy creates a conduit through which a trusted host can communicate with an untrusted one and does not really look at the application contents of the packet (as an application-level proxy does). SOCKS is one of the better known circuit-level proxies.
Firewall generations:

Packet Filtering Firewall - First Generation
- Screening router
- Operates at the Network and Transport layers
- Examines source and destination IP address
- Can deny based on ACLs
- Can specify port

Application Level Firewall - Second Generation
- Proxy server
- Copies each packet from one network to the other
- Masks the origin of the data
- Operates at layer 7 (Application Layer)
- Reduces network performance, since it has to analyze each packet and decide what to do with it
- Also called Application Layer Gateway

Stateful Inspection Firewalls - Third Generation
- Packets analyzed at all OSI layers
- Queued at the network level
- Faster than an Application Level Gateway

Dynamic Packet Filtering Firewalls - Fourth Generation
- Allows modification of security rules
- Mostly used for UDP
- Remembers all of the UDP packets that have crossed the network's perimeter and decides whether to let packets pass through the firewall

Kernel Proxy - Fifth Generation
- Runs in the NT kernel
- Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies

"Current level firewall" is incorrect. This is an almost-right-sounding distractor to confuse the unwary.
"Cache level firewall" is incorrect. This too is a distractor.
"Session level firewall" is incorrect. This too is a distractor.

References: CBK, p. 466-467; AIO3, pp. 486-490; CISSP Study Notes from Exam Prep Guide

Systems Security Certified Practitioner – SSCP – Question0893

Application Layer Firewalls operate at the:

A. OSI protocol Layer seven, the Application Layer.
B. OSI protocol Layer six, the Presentation Layer.
C. OSI protocol Layer five, the Session Layer.
D. OSI protocol Layer four, the Transport Layer.

Correct Answer: A

Explanation:

Since the application layer firewall makes decisions based on application-layer information in the packet, it operates at the application layer of the OSI stack.
“OSI protocol layer 6, the presentation layer” is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.
“OSI protocol layer 5, the session layer” is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.
“OSI protocol layer 4, the transport layer” is incorrect. The application layer firewall must have access to the application layer information in the packet and therefore operates at the application layer.
References: CBK, p. 467; AIO3, pp. 488-490

Systems Security Certified Practitioner – SSCP – Question0892

An application layer firewall is also called a:

A. Proxy
B. A Presentation Layer Gateway.
C. A Session Layer Gateway.
D. A Transport Layer Gateway.

Correct Answer: A

Explanation:

An application layer firewall can also be called a proxy.
"A presentation layer gateway" is incorrect. A gateway connects two unlike environments and is usually required to translate between different types of applications or protocols. This is not the function of a firewall.
"A session layer gateway" is incorrect. A gateway connects two unlike environments and is usually required to translate between different types of applications or protocols. This is not the function of a firewall.
"A transport layer gateway" is incorrect. A gateway connects two unlike environments and is usually required to translate between different types of applications or protocols. This is not the function of a firewall.
References: CBK, p. 467; AIO3, pp. 486-490, 960

Systems Security Certified Practitioner – SSCP – Question0891

A proxy is considered a:

A. first generation firewall.
B. third generation firewall.
C. second generation firewall.
D. fourth generation firewall.

Correct Answer: C

Explanation:

The proxy (application layer firewall, circuit-level proxy, or application proxy) is a second generation firewall.
"First generation firewall" is incorrect. A packet filtering firewall is a first generation firewall.
"Third generation firewall" is incorrect. Stateful inspection firewalls are considered third generation firewalls.
"Fourth generation firewall" is incorrect. Dynamic packet filtering firewalls are fourth generation firewalls.
References: CBK, p. 464; AIO3, pp. 482-484
Neither CBK nor AIO3 uses the generation terminology for firewall types, but you will encounter it frequently as a practicing security professional. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/… for a general discussion of the different generations.

Systems Security Certified Practitioner – SSCP – Question0890

A proxy can control which services (FTP and so on) are used by a workstation, and also aids in protecting the network from outsiders who may be trying to get information about the:

A. network's design
B. user base
C. operating system design
D. net BIOS' design

Correct Answer: A

Explanation:

To the untrusted host, all traffic seems to originate from the proxy server and addresses on the trusted network are not revealed.
“User base” is incorrect. The proxy hides the origin of the request from the untrusted host.
“Operating system design” is incorrect. The proxy hides the origin of the request from the untrusted host.
“Net BIOS’ design” is incorrect. The proxy hides the origin of the request from the untrusted host.
References: CBK, p. 467; AIO3, pp. 486-490

Systems Security Certified Practitioner – SSCP – Question0889

Proxies work by transferring a copy of each accepted data packet from one network to another, thereby masking the:

A. data's payload
B. data's details
C. data's owner
D. data's origin

Correct Answer: D

Explanation:

The application firewall (proxy) relays the traffic from a trusted host running a specific application to an untrusted server. It will appear to the untrusted server as if the request originated from the proxy server.
"Data's payload" is incorrect. Only the origin is changed.
"Data's details" is incorrect. Only the origin is changed.
"Data's owner" is incorrect. Only the origin is changed.
References: CBK, p. 467; AIO3, pp. 486-490
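The two proxy types described in Question0894 (circuit-level versus application-level) and the origin masking described in Question0890 and Question0889 can be seen side by side in the following added example. It is not code from the original study material; it models both proxies as in-memory functions rather than real sockets. The proxy address PROXY_IP, the FTP command allowlist and the sample requests are all constructed for the illustration. Both proxies present their own address to the untrusted server and leave the payload untouched; only the application-level proxy parses the payload and can therefore refuse an individual FTP command.

```python
from dataclasses import dataclass
from typing import Optional

PROXY_IP = "192.0.2.1"   # assumed address of the proxy on the untrusted side


@dataclass(frozen=True)
class Request:
    client_ip: str       # trusted-side host that made the request
    dst_ip: str          # untrusted server
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Forwarded:
    src_ip: str          # what the untrusted server sees as the origin
    dst_ip: str
    dst_port: int
    payload: bytes


# Circuit-level proxy (SOCKS-style): decides per destination service whether to
# open a conduit, then relays the bytes unchanged. It never parses the payload.
CIRCUIT_ALLOWED_PORTS = {21, 80, 443}   # constructed policy: FTP control, HTTP, HTTPS


def circuit_proxy(req: Request) -> Optional[Forwarded]:
    if req.dst_port not in CIRCUIT_ALLOWED_PORTS:
        return None                                     # service not permitted
    # Origin is rewritten to the proxy; the trusted address never leaves the network.
    return Forwarded(PROXY_IP, req.dst_ip, req.dst_port, req.payload)


# Application-level proxy for the FTP control channel: understands the protocol
# and enforces policy on individual commands (e.g. downloads yes, uploads no).
FTP_ALLOWED_CMDS = {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "PASV", "QUIT"}


def ftp_command(payload: bytes) -> Optional[str]:
    """Parse one FTP control line; None if it is not a well-formed command."""
    try:
        line = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not line.endswith("\r\n") or len(line) < 3:
        return None
    return line[:-2].split(" ", 1)[0].upper()


def ftp_application_proxy(req: Request) -> Optional[Forwarded]:
    if req.dst_port != 21:
        return None                                     # this proxy only speaks FTP
    cmd = ftp_command(req.payload)
    if cmd is None or cmd not in FTP_ALLOWED_CMDS:
        return None                                     # malformed, or STOR/SITE/... blocked
    return Forwarded(PROXY_IP, req.dst_ip, 21, req.payload)


if __name__ == "__main__":
    upload = Request("10.0.0.5", "203.0.113.9", 21, b"STOR secrets.txt\r\n")
    print("circuit  :", circuit_proxy(upload))          # relayed, origin = PROXY_IP
    print("app-level:", ftp_application_proxy(upload))  # None: upload refused
```

The circuit-level proxy passes the STOR upload because port 21 is allowed and it does not read the command; the application-level proxy refuses it. In both cases the forwarded request carries PROXY_IP as its source and the original payload bytes, which is the "only the origin is changed" behaviour the explanation above describes.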

Systems Security Certified Practitioner – SSCP – Question0888

A Packet Filtering Firewall system is considered a:

A. first generation firewall.
B. second generation firewall.
C. third generation firewall.
D. fourth generation firewall.

Correct Answer: A

Explanation:

The first type of firewall was the packet filtering firewall. It is the most basic firewall, making access decisions based on ACLs. It filters traffic based on source IP address and port as well as destination IP address and port. It inspects every packet one by one and does not understand the context of the connection it belongs to.
"Second generation firewall" is incorrect. The second generation of firewalls were proxy-based firewalls. Under proxy-based firewalls you have the application-level proxy and also the circuit-level proxy firewall. The application-level proxy understands the inner structure of the protocol itself. The circuit-level proxy is a generic proxy that allows you to proxy protocols for which you do not have an application-level proxy; this is better than allowing a direct connection to the net. Today a great example of this is the SOCKS protocol.
"Third generation firewall" is incorrect. The third generation firewall is the stateful inspection firewall. This type of firewall makes use of a state table to maintain the context of connections being established.
"Fourth generation firewall" is incorrect. The fourth generation firewall is the dynamic packet filtering firewall.
References: CBK, p. 464; AIO3, pp. 482-484
Neither CBK nor AIO3 uses the generation terminology for firewall types, but you will encounter it frequently as a practicing security professional. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/… for a general discussion of the different generations.

Systems Security Certified Practitioner – SSCP – Question0887

Packet Filtering Firewalls can also enable access for:

A. only authorized application port or service numbers.
B. only unauthorized application port or service numbers.
C. only authorized application port or ex-service numbers.
D. only authorized application port or service integers.

Correct Answer: A

Explanation:

Firewall rules can be used to enable access for traffic to specific ports or services. “Service numbers” is rather stilted English but you may encounter these types of wordings on the actual exam –don’t let them confuse you.
“Only unauthorized application port or service numbers” is incorrect. Unauthorized ports/services would be blocked in a properly installed firewall rather than permitting access.
“Only authorized application port or ex-service numbers” is incorrect. “Ex-service” numbers is a nonsense term meant to distract you.
"Only authorized application port or service integers" is incorrect. While service numbers are in fact integers, the more usual (and therefore better) answer is either "service" or "service number."
References: CBK, p. 464; AIO3, pp. 482-484

Systems Security Certified Practitioner – SSCP – Question0886

Packet Filtering Firewalls examine both the source and destination address of the:

A. incoming and outgoing data packets
B. outgoing data packets only
C. Incoming Data packets only
D. user data packet

Correct Answer: A

Explanation:

Packet filtering firewalls are devices that enforce administrative security policies by filtering incoming traffic as well as outgoing traffic, based on rules that can include the source and/or destination addresses.
"Outgoing data packets only" is incorrect. Firewalls filter incoming as well as outgoing traffic; this is sometimes called ingress (incoming) and egress (outgoing) filtering.
"Incoming data packets only" is incorrect (see previous explanation).
"User data packet" is incorrect. A packet filtering firewall does not typically look into the data portion of the packet.
References: CBK, p. 464; AIO3, pp. 482-484
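The difference between the first-generation packet filter described in this question and in Question0888 (every packet judged on its own source/destination address and port) and the third-generation stateful inspection firewall with its state table is easier to see with both running on the same packets. The following is an added example, not code from the study material; it models both designs in memory with no real sockets or kernel hooks. The trusted network 10.0.0.0/24, the rules and the three packets are constructed for the illustration. The interesting case is the reply traffic: a stateless filter can only recognise a web reply by "source port 80", so it must open that hole to everyone, while the stateful firewall admits a reply only when the state table shows the inside host opened the connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INSIDE = "10.0.0.0/24"   # assumed trusted network behind the firewall


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (untrusted -> trusted) or "out" (trusted -> untrusted)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False     # True for a TCP SYN, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "in", "out" or "any"
    src: str = "0.0.0.0/0"          # source network (CIDR)
    dst: str = "0.0.0.0/0"          # destination network (CIDR)
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """First generation: each packet is judged on its own header fields.
    First matching rule wins; nothing is remembered, so the default is deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Third generation: the ACL is consulted only for connection attempts.
    Accepted connections go into a state table; later packets of that
    connection, including replies from outside, are allowed by the table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Set[Tuple[str, int, str, int]] = set()

    @staticmethod
    def _flow(p: Packet) -> Tuple[str, int, str, int]:
        # Both directions of one connection map to the same (inside, outside) key.
        if p.direction == "out":
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def check(self, p: Packet) -> str:
        flow = self._flow(p)
        if flow in self.state:
            return "allow"              # part of an established connection
        if not p.syn:
            return "deny"               # mid-stream packet with no state: spoofed or stale
        verdict = packet_filter(self.rules, p)   # new connection: apply the ACL
        if verdict == "allow":
            self.state.add(flow)
        return verdict


# Stateless: to let inside hosts browse the web the replies need an inbound rule,
# and the only header fact that identifies a reply is "source port 80".
STATELESS_RULES = [
    Rule("allow", "out", src=INSIDE, dst_port=80),
    Rule("allow", "in", dst=INSIDE, src_port=80),   # hole: anyone can set source port 80
    Rule("deny", "any"),
]
# Stateful: only the outbound rule is needed; replies ride on the state table.
STATEFUL_RULES = [Rule("allow", "out", src=INSIDE, dst_port=80), Rule("deny", "any")]


def demo() -> dict:
    """Run the same three constructed packets through both designs."""
    request = Packet("out", "10.0.0.5", 40000, "203.0.113.9", 80, syn=True)
    reply = Packet("in", "203.0.113.9", 80, "10.0.0.5", 40000)
    # Attack: outsider chooses source port 80 to reach SMB (445) on an inside host.
    spoofed = Packet("in", "198.51.100.7", 80, "10.0.0.5", 445, syn=True)
    sf = StatefulFirewall(STATEFUL_RULES)
    return {
        "stateless": {name: packet_filter(STATELESS_RULES, p)
                      for name, p in (("request", request), ("reply", reply), ("spoofed", spoofed))},
        "stateful": {name: sf.check(p)
                     for name, p in (("request", request), ("reply", reply), ("spoofed", spoofed))},
    }


if __name__ == "__main__":
    for design, verdicts in demo().items():
        print(design, verdicts)
```

Running it shows the stateless filter allowing all three packets, the spoofed SMB probe included, while the stateful firewall allows the request and its reply and denies the probe, because no inside host ever opened a connection to 198.51.100.7 and the ACL has no rule admitting new inbound connections.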

Systems Security Certified Practitioner – SSCP – Question0885

What can a packet filtering firewall also be called?

A. a scanning router
B. a shielding router
C. a sniffing router
D. a screening router

Correct Answer: D

Explanation:

While neither CBK nor AIO3 uses the term "screening router," they both discuss how the packet filtering capabilities of a router can be used to block traffic much like a packet filtering firewall. Krutz and Vines use this term on p. 90.
"A scanning router" is incorrect. This is a nonsense term to distract you.
"A shielding router" is incorrect. This is a nonsense term to distract you.
"A sniffing router" is incorrect. This is a nonsense term to distract you.
References: CBK, p. 433; AIO3, pp. 484-485