I am assuming you are not asking on behalf of a corporation, but as an individual.
For firewall, if you want a firewall engine different than Windows' own, then there is Comodo Firewall and ZoneAlarm. Most anti-malware that comes with a firewall only uses Window's own Base Filtering Engine. Diversity is a concept of security, if you rely on one vendor for all your defenses, like MS, then it is more risky.
If you have several PCs, then you can put an old desktop pc to use by plugging in an extra network adapter and installing pfSense. It is a proper firewall and comes with an Intrusion Prevention System (IPS). Then that could guard your whole network. It is Linux based but simple to install.
For backup I use Macrium Reflect. It is no longer free, but it is fast and the backup compression is good so you save disk space. If you want a free one, there is MiniTools ShadowMaker. It's backup compression is not as good, but it is free. They are both drive imaging programs, which means it does a bit for bit backup, backing up Windows, all Windows settings and all files including your docs, pics etc. But you have to allow drive space because a barebones Windows setup with only an antimalware willl create a 18GB backup file. (Macrium)
For file based backup you can rely on Windows' OneDrive. The bad thing about it is that it synchronizes, which means it deletes from the cloud backup whenever you delete from your hard drive. So it is kinda not a backup software, but can be considered a backup program because it stores a copy of your data files in the cloud, so that accomplishes off-site backup, which is important if your house burns down. There are quite a few file based backup program available for free. I do my file based backups manually because I have to only copy a few folders to USB stick so I don't need a file based backup program.
I need to stress that you must keep several versions of your backups. If you accidentally introduce a malware infection and not know about it, it may exist in your backups too. So then you would need to use an earlier version of your backup. I don't delete backups until I run out of disk space. Backups are your last line of defense - do not omit it.
I will recommend a category not listed by Bot, and that is an anti-executable. What it does is create a list of all your programs and Windows exe's and from then on only allow those to run. Any new exe, malware or not, will not be permitted to run and it will prompt you. It is a 'whitelist' approach rather than a 'blacklist' approach used by anti-malware. These programs don't require constant signature updates and is in a way superior to anti-malware. Many people don't know of this category of protection. A good product is Cyber Lock.
Another defense category omitted by Bot is monitoring. It is common security knowledge among security pros today that it is not 'if' you will be attacked but only 'when' you will be attacked. The computer age has brought a whole generation of computer users and also a sizable population of hackers and cybercriminals. They don't discriminate. You don't have to be a 'target', as per popular folklore. There are different skill levels of hackers and they all know about Kali Linux, the popular penetration attack Linux distro - it is filled with attack tools for any beginner to learn. And some of the tools in that distro are unstoppable by anti-malware. The only solution is to monitor for attacks. Anti-malware vendors are of course not sitting stationary, and they brought along a new category of defense - the EDR. (endpoint detection and response) . It generates Alerts on a web console whenever something suspicious runs. The OpenEDR platform has Auto Containment, which virtualizes anything suspicious. So malware are stopped and hackers are stopped, and it throws alerts at you so you know to put up more defenses, enact containment procedures etc in case that hacker was not stopped. It is priced reasonably at $4/month/pc.
I will add yet another category of defense - network segmentation. Most of us use just one modem/router. Don't. Segment your network into zones; by age group, by rooms, whatever. It is simple to do; just use a seperate router and connect it's laptops for every zone. That way an infection cannot spread, and hackers cannot move around - the routers' NAT firewall stops that. And if things get out of hand, you can contain that infection by pulling the plug to the router.