Firewall Configuration Review
Firewall rulebases accumulate years of emergency rules, forgotten test policies, and inherited configuration debt. We conduct an independent rulebase review (ANY/ANY rules, shadowed policies, unfiltered egress, management plane hardening) and return a remediation-ready report your team can action within a week.
Beyond Automated Rule Checking
Vendor Tooling
- Checks compliance, not security context
- No adversarial perspective on rule logic
- Cross-vendor environments not covered
- No shadowed or redundant rule analysis
- Not accepted as independent audit evidence
CREST-Accredited Review
- Industry standard benchmark + PCI DSS Req 1 assessment
- Adversarial rulebase logic analysis
- Shadowed and redundant rule detection
- Cross-vendor unified methodology
- Vendor CLI remediation commands
When to Commission a Firewall Review
Most firewall configuration reviews are triggered by a specific compliance deadline, audit finding, or change in ownership. If any of these scenarios describe your situation, this review provides the evidence you need.
PCI DSS Requirement 1.1.7
PCI DSS Requirement 1.1.7 mandates an independent review of firewall and router rule sets at least every six months. Internal team reviews do not satisfy the independence requirement. Our report provides the documented evidence your QSA needs.
ISO 27001 Surveillance Audit
ISO 27001 Annex A.8.22 (Network Security) and A.8.20 require documented network security controls including regular review of firewall configuration. Our report provides the technical evidence artefact for your surveillance visit.
Pen Test Finding Follow-Up
A penetration test flagged "firewall misconfiguration" without specifying which of the 200+ controls to prioritise. Our review provides the structured remediation path, mapped to industry standard benchmarks, that the pen test report could not.
Post-Incident Review
A breach investigation found lateral movement through firewall zones that should have been segmented. You need independent verification that the rulebase is enforcing the network architecture your diagrams describe.
Inherited Infrastructure
You have inherited a firewall estate from a predecessor team, an acquisition, or an outsourced provider. The rulebase contains years of accumulated rules nobody can fully account for, and you need a baseline assessment before assuming responsibility.
Cyber Essentials Plus
Cyber Essentials Plus technical audit requires verification of boundary firewall controls. Our configuration review produces findings in a format that maps directly to the Cyber Essentials boundary firewall requirement.
The Rulebase Exposure
RULEBASES WITH ANY/ANY
Overly permissive rules allowing unrestricted traffic are present in the majority of enterprise rulebases we review. They are often left over from incident response, change-freeze workarounds, or vendor deployment templates that were never tightened.
PCI DSS REVIEW CYCLE
PCI DSS Requirement 1.1.7 mandates independent firewall rule review at least every six months. Internal team reviews do not satisfy the independence requirement. Lapsed assessments are a common QSA escalation point.
STARTING FROM
Single-device firewall configuration review including rulebase analysis, industry standard benchmark assessment, device hardening check, and remediation guidance. Fixed-price quote after scoping.
Controls
What We Typically Find
Across every firewall estate we review, certain misconfiguration patterns appear repeatedly. These are not theoretical risks. They are findings our consultants document in reports issued to UK organisations every month.
ANY/ANY rule permits all traffic from guest VLAN to production
An overly permissive firewall rule allows unrestricted traffic from the guest wireless VLAN to the production server subnet. Any device connecting to the guest network can reach databases, file shares, and internal applications without restriction.
Management interface accessible via Telnet from internal zone
The firewall management interface accepts Telnet connections on port 23 from the internal network. Telnet transmits credentials in plaintext, allowing any attacker with network access to intercept administrative login sessions via packet capture.
Unrestricted outbound permits C2 channels and data exfiltration
No egress filtering is configured on the firewall. Any internal host can connect outbound on any port to any destination. An attacker who compromises a single workstation can establish command-and-control channels and exfiltrate data without triggering any firewall alert.
Default SNMP community string on management interface
The SNMP service is running with the factory-default community string. An attacker can read the full device configuration, including ACLs, routing tables, and interface details, using standard SNMP tools from any host on the management VLAN.
14 shadowed rules in outbound policy mask real access scope
Fourteen rules in the outbound policy are unreachable because broader rules above them intercept all matching traffic first. These shadowed rules create false confidence in compliance reviews: the rulebase appears to have restrictive controls that are never actually enforced.
Firmware 3 versions behind with known RCE CVEs
The firewall operating system is three major versions behind the current release. Known remote code execution CVEs exist with publicly available exploit code. Firmware patching is the only remediation path for these vulnerabilities.
Most enterprise firewalls we review have at least two Critical and five or more High findings on first independent assessment.
Firewalls We Assess
Each platform is assessed against the applicable industry standard hardening benchmark. Our assessors have hands-on experience with each vendor's management interface, not generic methodology applied to unknown platforms.
Palo Alto Networks
PAN-OS 10.x, 11.x, Panorama
Industry Standard Firewall Hardening Benchmark
Fortinet FortiGate
FortiOS 7.0, 7.2, 7.4, VDOM
Industry Standard Hardening + FortiGuard Advisories
Cisco ASA / Firepower
ASA 9.x, FTD 7.x, FMC
Industry Standard Hardening + PSIRT Advisories
Checkpoint
R80.40, R81.x, SmartConsole
Industry Standard Firewall Hardening Benchmark
Juniper SRX
Junos 21.x, 22.x, 23.x
Industry Standard Hardening + Security Advisories
What We Audit
Firewall rulebases accumulate technical debt across every change request and every incident workaround. We map the full rulebase, including rules that have never been hit, rules that are unreachable due to broader policies above them, and rules that were added for one-off access and never removed, and risk-rate every finding against industry standard security benchmark controls and PCI DSS Requirement 1.
Promiscuous Rules
We identify ANY/ANY rules, wildcard service groups, and overly permissive policies across your rulebase, including Palo Alto App-ID wildcard rules, FortiGate policies with ALL source/destination, and Cisco ASA permit ip any any access-lists. Each finding is mapped to the downstream assets reachable under that rule.
Shadowed Rules
We map rulebase logic to identify shadowed policies: rules that are never evaluated because a broader rule above them intercepts the traffic first. Shadowed rules mask real exposure: an apparently restrictive rule below an ANY/ANY policy provides no security protection, but creates false confidence in compliance reviews.
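As an added illustration (not the firm's tooling and not code from this page), the following Python script parses a constructed set of Cisco ASA-style access-list entries and flags the two patterns described above: ANY/ANY permits and rules shadowed by a single broader rule earlier in the same ACL. It handles only the plain host/network/"eq port" forms; real rulebases also need object-group expansion and a check for rules shadowed by the combined effect of several earlier rules, which this deliberately omits.

```python
import ipaddress
import re
# Constructed sample ACEs in Cisco ASA "access-list ... extended" syntax (not taken from a real device).
SAMPLE_ACL = """
access-list OUTBOUND extended permit ip any any
access-list OUTBOUND extended permit tcp 10.10.0.0 255.255.0.0 any eq 443
access-list OUTBOUND extended deny tcp 10.10.5.0 255.255.255.0 host 203.0.113.9 eq 22
access-list DMZ-IN extended permit tcp any host 192.0.2.10 eq 80
access-list DMZ-IN extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 80
access-list DMZ-IN extended deny ip any any
"""
ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)")

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Map each ACL name to its ordered list of rules (order matters: first match wins)."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        src, tokens = _parse_addr(rest.split())
        dst, tokens = _parse_addr(tokens)
        port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else "any"
        acls.setdefault(name, []).append({"line": line.strip(), "action": action,
                                          "proto": proto, "src": src, "dst": dst, "port": port})
    return acls

def covers(broad, narrow):
    """True when every packet matched by `narrow` would already be matched by `broad`."""
    return (broad["proto"] in ("ip", narrow["proto"]) and broad["port"] in ("any", narrow["port"])
            and narrow["src"].subnet_of(broad["src"]) and narrow["dst"].subnet_of(broad["dst"]))

def find_shadowed(rules):
    """(shadowing, shadowed) index pairs: the later rule is unreachable because an earlier one covers it."""
    return [(i, j) for j, r in enumerate(rules) for i in range(j) if covers(rules[i], r)]

def find_any_any(rules):
    """Indexes of permit rules that allow any protocol from any source to any destination."""
    wide = ipaddress.ip_network("0.0.0.0/0")
    return [i for i, r in enumerate(rules) if r["action"] == "permit" and r["proto"] == "ip"
            and r["port"] == "any" and r["src"] == wide and r["dst"] == wide]
```

Running `find_shadowed` on the OUTBOUND list above reports both the HTTPS permit and the SSH deny as shadowed by the ANY/ANY permit, which is exactly the false-confidence case the text describes: the deny looks restrictive but is never evaluated.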
Outbound Filtering
We verify whether egress filtering is enforced. Unrestricted outbound traffic allows successful C2 channels and data exfiltration from an already-compromised host. We test for DNS tunnelling, HTTPS covert channels, and direct-to-IP outbound connections that bypass proxy controls.
Device Hardening
We audit the appliance itself: default credentials, weak SNMP community strings, unpatched firmware CVEs, and insecure administrative access. Legacy management interfaces such as Telnet and HTTP are flagged for immediate remediation.
Decryption & Inspection
We review SSL/TLS inspection policies to identify traffic that bypasses deep packet inspection. Encrypted traffic without inspection creates blind spots that malware, C2 channels, and data exfiltration exploit. We assess decryption certificate trust chains and policy exclusion lists.
Zone Architecture
We review the inter-zone policy matrix against least-privilege design: which zones can communicate, under what rules, and whether the architecture enforces proper segmentation between untrusted, DMZ, internal, and management zones. Flat zone architectures with implicit trust are flagged.
Firewall Audit Workflow
From configuration export to a compliance-ready report. A safe, offline assessment lifecycle with no live firewall access required.
Configuration Export
You export the device configuration (no live access to the firewall required). We provide vendor-specific export instructions on engagement confirmation: Palo Alto XML snapshot, FortiGate full-config backup, Cisco ASA running-config, Checkpoint policy export. Transfer is via our encrypted client portal.
Automated Analysis
We use algorithmic tools to parse thousands of lines of ACLs, mapping the effective rulebase and identifying logical contradictions, duplicate rules, and never-hit policies.
Manual Logic Check
Algorithms miss context. We manually review the business justification for high-risk rules to ensure they align with least-privilege principles and do not expose critical assets under combinations the automated pass did not evaluate.
Remediation Guide
We deliver a risk-rated findings report (Critical, High, Medium, Low) with specific remediation steps for each finding, vendor CLI examples where applicable, and a compliance mapping to PCI DSS Requirement 1, industry standard benchmark controls, and ISO 27001 Annex A.8.22.
What You Receive
Every firewall configuration review includes the following deliverables, formatted for both technical remediation teams and non-technical stakeholders.
Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats.
Detect Configuration Drift in Real Time.
A configuration review is a point-in-time assessment. Rules change between reviews: emergency access gets granted, exceptions get added, and the rulebase drifts from its audited state. Feed assessment findings directly into detection rules that alert on configuration changes, anomalous rule hits, and active exploitation attempts.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Firewall configuration review pricing typically ranges from £2,500 to £8,000 or more depending on environment complexity and number of devices. Single firewall reviews (Palo Alto, Fortinet, Cisco ASA) average £2,500-£4,000 including rulebase analysis, industry standard benchmark assessment, and remediation guidance. Multi-device reviews (2-5 firewalls, HA pairs, or complex zone architectures) typically cost £4,000-£6,000. Enterprise reviews (5 or more devices, multiple vendors, complex routing) typically cost £6,000-£8,000 or more. Pricing includes PCI DSS Requirement 1.1.7 compliant reporting. We provide fixed quotes after understanding your device inventory and architecture complexity.
Vendor tools check technical compliance but miss security context. (1) Vendor tools cannot assess the business justification for rules: an ANY/ANY rule may be technically valid but security-inappropriate. (2) Cross-vendor environments require a unified assessment methodology that vendor tools do not provide. (3) Shadowed and redundant rules require logical analysis beyond automated compliance checking. (4) External reviewers bring an adversarial perspective, identifying how attackers would exploit misconfigurations. (5) PCI DSS and other compliance frameworks require independent third-party review, not vendor self-assessment. (6) Legacy rules accumulated over years need human review to identify technical debt. External review provides the security expertise vendor tooling cannot deliver.
No. We conduct offline configuration reviews. You export the device configuration and transfer it to us via our encrypted client portal or PGP-encrypted email. You can sanitise the export before transfer (removing pre-shared keys and SNMP community strings) without affecting our analysis. We sign a data processing agreement (DPA) on request. The assessment is conducted entirely on the exported configuration, with no connection to your live environment at any point.
We support all major enterprise firewalls:
- Palo Alto Networks (PAN-OS, Panorama-managed)
- Fortinet FortiGate (all FortiOS versions, VDOM environments)
- Cisco ASA and Firepower / FTD
- Checkpoint (SmartConsole, VSX, ClusterXL)
- Juniper SRX
- WatchGuard
We provide vendor-specific export instructions for each platform on engagement confirmation.
Yes. PCI DSS Requirement 1.1.7 requires an independent review of firewall and router rule sets at least every six months. Internal reviews conducted by the organisation's own network team do not satisfy the independence requirement. Our assessment report includes a findings register, risk ratings, remediation steps mapped to PCI DSS Requirement 1 controls, and a compliance attestation statement suitable for submission to your QSA as supporting evidence in your Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ D).
A single-device review (Palo Alto, FortiGate, Cisco ASA, or Checkpoint) completes within 3-5 business days of receiving the configuration export. Multi-device reviews (2-5 firewalls, HA pairs) complete within 5-7 business days. Enterprise reviews (5 or more devices, multi-vendor) are scoped individually and typically complete within 10-15 business days. All timelines are from configuration receipt, not engagement signature. We begin analysis as soon as files are received.
The report includes: an executive summary suitable for board or QSA presentation; a full findings register with every identified issue risk-rated Critical, High, Medium, or Low; per-finding remediation steps with vendor CLI examples where applicable; a compliance mapping table covering PCI DSS Requirement 1, industry standard benchmark controls, and ISO 27001 Annex A.8.22; and a compliance attestation statement for QSA submission. Reports are delivered in PDF format within 3-5 business days of configuration export receipt for single-device reviews.
Yes. We cross-reference your OS version against the vendor's known vulnerability database (CVEs) to identify unpatched exploits. Firmware CVEs are included in the findings register with a risk rating and vendor remediation reference.