Thursday, June 24, 2021

Tel: +44 (0)1525 850 440
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.


Why do I need a firewall health check and audit?

Firewall rules have changed over time and may no longer adhere to best practice and be leaving the organisation vulnerable. Often organisations are unaware what their firewall is actually doing? In some cases organisations lack understanding of the traffic traversing their firewall and the protocols and applications that make up that traffic? Also, firewall services availability, resilience and risk assessments are often un-investigated. More-over, the firewall may have additional features available which could improve security or the performance of the firewall? Or, it could be the organisation has changed, and the firewall is no longer meeting the needs of the business? So - why not mitigate risk and increase peace of mind with expert validation of your firewall performance?

When shall I have a firewall health check and audit?

We recommend a firewall health check/audit on an infrequent but regular basis, e.g. once per year, depending on how often the firewall rules change or changes are made within the organisation.

Who will perform the firewall health check and audit?

A certified security consultant with extensive experience.

Where is the work performed?

The entire exercise can be done remotely using remote meeting capabilities or on site according to the customer’s preference.

How long will it take typically?

Typically a complete health check and audit will take 2-5 days per firewall or firewall HA cluster. The amount of time depending on the complexity of the rule base and the availability of tools such as FortiAnalyzer to review traffic historically.

What will be assessed?

We will take a holistic view of your firewalling services. The basis of our approach is as follows:

Firstly, we will review the firewall platform: Software revision, CPU / Memory utilisation, Admin accounts, Certificates, UTM features (Anti-Virus/Intrusion Prevention/Application Control/Web Filtering/Botnet Protection), Interfaces, VLANs, High Availability review (failover test optional), SSL VPN, IPSec, Static routing, Equal Cost Multi Path routing, Policy based routing, Logging and logs, Alerting and alerts, Network integration and positioning.

Secondly we will perform the firewall policy audit - review each firewall policy (or firewall rule) one at a time. The related features that are used in the policy would also be reviewed such as: Security profiles, Objects,  Source NAT, Destination NAT, SSL inspection, Traffic shapers.

We can also optionally provide a Firewall Change Process review, to ensure any change requests are properly approved, implemented and documented.

Finally, we would complete and submit a comprehensive report that includes: Executive Summary, documentation of the environment, detailed findings and Recommendations.

Post the Firewall Health Check and Audit we can also provide a service to implement the firewall policy changes needed - if requested to do so.

Contact Us for more details.


If you would like more details on the Audit:

Firewall Policy Audit

This is the review of the firewall’s rule base/policy. Procedure for this step varies between auditors as it is traditionally a difficult task heavily dependent on technology. For each question we should have a ranking based on the nature of the firewall and its placement within your infrastructure. For example, firewalls that are connected to the internet are generally much more at risk than those that are not, and internal firewalls are often more permissive than external ones. Questions related to basic policy management and good design practice should be asked first. To answer these questions we should examine each rule in the rule base, as well as a year’s worth of logs to ascertain which rules are actually used. Until recently, this has been a lengthy manual process, however, with the development of tools (e.g. FortiAnalyzer) which can be used to answer these questions automatically, it has become far easier.

  • How many rules are there compared to last audit/year?
  • Are there any rules without comments?
  • Are there any rules that are redundant and should be removed?
  • Are any rules unused?
  • Are any services within the rules no longer used?
  • Are there any unused groups or networks in the rules?
  • Are there any firewall rules with ANY in the source, destination and service/protocol fields with a permissive action?
  • Are there any rules with a permissive action and ANY in two fields?
  • Are there any rules with a permissive action and ANY in one field?
  • Are there any overly permissive rules, for example, rules with more than 1000 IP addresses allowed in the source or destination?

The second list of questions is related to the risk and compliance of the rule base. These rules are more technically challenging to answer. We must possess an understanding of the workings of your firewall to infer what traffic is actually being passed by a rule, and if there is an ‘allowed services’ group, which ports and protocols actually pass through that rule.

  • Are any rules in violation of the company’s security policy?
  • Are there any rules that allow inbound risky services from the internet, such as those that pass login credentials in the clear like telnet, ftp, pop, imap, http, netbios, etc?
  • Are there any rules that allow outbound risky services from the internet?
  • Do any rules allow direct traffic from the Internet to access the internal network (not the DMZ)?
  • Do any rules allow traffic from the Internet to networks, sensitive servers, devices or databases?


Firewall Change Process Audit

The aim of the Firewall Change Process Audit is to ensure that any requested changes were properly approved, implemented and documented. We can achieve this in several different ways depending on whether you have a tool to assist you or whether you need to do it manually.

We will need to randomly select approximately 10 change requests created since the most recent audit. The questions we should ask when we audit a firewall change are:

  • Is the requester recorded and do they have authorisation to make firewall change requests?
  • Has the business reason for the change been recorded?
  • Are the correct reviewer and approval signatures present (electronic or physical)?
  • Was the change only implemented after the approvals had been recorded?
  • Do the approvers have the authorisation to approve firewall changes?
  • Does the change ticket document the change well?
  • Is there risk analysis documentation for each change?
  • Had the change window and/or install date for the change been recorded?
  • Does the change have an expiration date?

If we are performing this process manually, the first thing you must do is match each change with a firewall device and a policy. Now match the change requests to the specific firewall rule or rules. If we get stuck on this then we already know where we need to improve. The comment with each rule should contain, as a minimum, the change ID of the request and the initials of who implemented the change.

Automated tools (e.g. FortiManager) are readily available and, due to the quantity or rules on most modern firewalls, they are highly recommended to make the auditing process more manageable. They also allow greater visibility and control over your rule base.