LazyHackers.in — Checklist
🧱 Firewall Review Checklist
Ruleset & architecture, item by item: how to check · the finding · the fix
☰ How to use this guide
A firewall review is mostly a white-box config audit (read the running config and rule base) backed by active verification (prove from the wire what the rules actually do). The value isn't a dump of rules — it's finding the overly-permissive, shadowed, unused and unlogged rules that quietly widen the attack surface, and confirming the architecture enforces real segmentation. This guide turns every review item into how-to-check, vendor-agnostic first, then per-vendor.
Get a current, complete config export and the network/zone diagram up front. Automated tools (Nipper, vendor Best-Practice Assessment) give breadth; you still verify segmentation and high-risk rules by hand. Each section ends with a coverage table.
⚠ Authorised review only, on configs/devices you're scoped for. Active verification (nmap/firewalk through the firewall) must be in the RoE; coordinate so probes aren't mistaken for an attack.
# Automated config audit (offline, on the exported config)
nipper --input=running-config.txt --output=fw-report.html # titania nipper-ng
# Vendor best-practice assessments: Palo Alto BPA/Expedition · FortiGate Security Rating
# Cisco Firepower reports · Check Point SmartEvent
# Active verification of what the ruleset really allows (in-scope only):
nmap -sS -p- -Pn <host-behind-firewall> # which ports actually pass
firewalk -S1-1024 -i eth0 <gateway> <target> # ACL/filter mapping0 Scope & information gathering
Collect everything before judging anything: the full config, the topology, the asset/zone inventory, and the business justification source (change tickets).
# Pull a complete running config (examples)
# Cisco ASA: show running-config (or 'more system:running-config')
# FortiGate: show full-configuration
# Palo Alto: set cli config-output-format set ; configure ; show (or export XML)
# Check Point: policy in SmartConsole / $FWDIR/conf/*.W ; show configuration (Gaia)
# pfSense: Diagnostics > Backup (config.xml) ; or pfctl -sr / pfctl -sn⚑ Report as: “Review baseline: complete config, topology and asset/zone inventory obtained”
🛡 Fix: Keep an authoritative, version-controlled config backup and a current network diagram; tie every rule to an owner and a justification (change ticket) so the review can flag the ones with neither.
Scope & information gathering — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Complete current config export | show running-config / export | Config obtained |
| Network/zone topology diagram | request diagram | Topology mapped |
| Asset & zone/interface inventory | enumerate interfaces/zones | Inventory built |
| Firmware/OS version + support status | show version | Version recorded |
| Rule justification source (tickets) | request change records | Justification source |
| RoE for active verification | confirm scope | Active-test scope agreed |
1 Rule base / policy review
The heart of the review. Hunt for overly-permissive rules, dead weight (shadowed/redundant/unused/expired), and rules with no logging or justification.
Overly-permissive & risky rules
- Flag any rule with
anyin source, destination or service — especiallyany→anyand any rule permittinganyservice. - Flag overly-broad objects (large subnets, whole zones) where a host/small group is intended.
- Flag permissive rules to/from the internet on sensitive ports (RDP 3389, SSH 22, SMB 445, DB 1433/3306/5432, mgmt).
- Confirm each risky rule's real effect with nmap/packet-tracer, not just by reading it.
# Grep an exported config for the worst offenders (Cisco ASA example)
grep -iE 'permit .* any any|permit ip any any' running-config.txt
# FortiGate: rules with 'all' service or 'all' address
grep -iE 'set (srcaddr|dstaddr|service) .?all' fortigate.conf
# Palo Alto: any/any in security rules (review 'show running security-policy')
# Then verify what truly passes:
nmap -sS -p3389,22,445,1433,3306 -Pn <internal-host>⚑ Report as: “Overly-permissive firewall rule (any-any / any-service) on the rule base”
🛡 Fix: Least privilege per rule: specific source, destination and service; replace
any with defined objects; remove internet exposure of management/DB/RDP/SSH; tier rules so the most specific match first.Dead weight — shadowed, redundant, unused, expired
Shadowed rules never match (a broader rule above them wins); redundant rules duplicate others; unused rules have zero hits; temporary rules outlive their purpose. All add risk and confusion.
# Hit counts reveal unused rules
# Cisco ASA: show access-list | include hitcnt=0
# FortiGate: diagnose firewall iprope show / policy hit count in GUI
# Palo Alto: show running rule-use rule-base security type unused vsys vsys1
# Check Point: SmartConsole > Logs & Monitor > rule hit count
# Shadow/redundancy analysis: Nipper, or FireMon/Tufin/AlgoSec/Skybox in enterprise⚑ Report as: “Shadowed / redundant / unused (zero-hit) firewall rules present”
🛡 Fix: Remove shadowed and redundant rules; review zero-hit rules with owners and retire the dead ones; give temporary rules an expiry date and review them; document every remaining rule.
Rule-base review — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| any → any rule | grep permit any any | Any-any rule |
| Rule permits any service | grep service all/any | Overly-broad service |
| Overly-broad source/destination | review objects | Overly-broad rule scope |
| Internet exposure of mgmt/DB/RDP/SSH | review + nmap verify | Sensitive service exposed |
| Shadowed rules (never match) | Nipper / analyzer | Shadowed rule |
| Redundant/duplicate rules | analyzer | Redundant rule |
| Unused (zero-hit) rules | hit-count review | Unused rule |
| Expired/temporary rules still active | review temp rules | Stale temporary rule |
| Rules without logging | check log flag | Rule without logging |
| Rules without comment/justification | review comments/tickets | Undocumented rule |
| Disabled rules left in place | review disabled | Disabled-rule clutter |
| Permissive service objects (port ranges) | review service objects | Broad service object |
2 Default policy & cleanup rule
Everything not explicitly allowed must be denied — and that final deny should be logged so you can see what's being dropped.
⚑ Report as: “No explicit logged deny-all cleanup rule (default behaviour relied upon)”
🛡 Fix: End every rule base with an explicit deny-all (cleanup) rule with logging enabled; ensure the implicit default is deny; log denied traffic for visibility and incident response.
Default policy & cleanup rule — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Default policy is deny (implicit) | review default action | Default-deny confirmed/missing |
| Explicit cleanup deny-all rule | check last rule | Missing cleanup rule |
| Cleanup rule logs denies | check log flag | Denies not logged |
| No permit after the cleanup rule | review rule order | Rule after cleanup |
3 NAT review
NAT rules quietly publish internal services. Review every static/destination NAT (port forward) for whether it should be exposed, and whether a matching tight security rule guards it.
# Cisco ASA: show nat ; show xlate
# FortiGate: show firewall vip ; show firewall policy (with VIP as dstaddr)
# Palo Alto: show running nat-policy
# pfSense: pfctl -sn (NAT rules) ; Firewall > NAT⚑ Report as: “NAT/port-forward exposes an internal service without a tight matching rule”
🛡 Fix: Review every static/destination NAT against business need; pair each with a least-privilege security rule (specific source where possible); remove NAT for decommissioned services; avoid overly-broad inbound port forwards.
NAT review — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Static/destination NAT (port forwards) | show nat / VIP review | NAT inventory |
| NAT without matching tight rule | correlate NAT + policy | Unguarded NAT |
| Internal service exposed via NAT | review + nmap verify | Service exposed via NAT |
| Stale NAT for decommissioned host | review targets | Stale NAT rule |
| Overly-broad inbound NAT | review scope | Broad NAT exposure |
4 Segmentation & zoning
The architecture question: are trust zones (internet / DMZ / internal / management / PCI / OT) properly separated, and are inter-zone flows least-privilege? Verify by trying to cross zones.
- Map every interface/zone and its trust level; confirm the DMZ can't freely reach internal.
- Review inter-zone rules: each should be specific, not zone-wide
any. - Verify by attempting reachability from each zone to the others (in scope).
# From a host in one zone, test reachability into another (in-scope verification)
nmap -sS -p 22,445,3389,1433,3306 -Pn <other-zone-host>
# Cisco ASA: confirm a specific flow's verdict precisely
packet-tracer input dmz tcp 10.1.1.5 1234 10.0.0.10 445⚑ Report as: “Network segmentation weakness — DMZ/user zone reaches internal/sensitive zone”
🛡 Fix: Enforce least-privilege between zones (DMZ cannot initiate to internal; user cannot reach server/management/PCI/OT beyond what's needed); isolate management, PCI and OT; verify isolation, don't assume it.
Segmentation & zoning — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Interfaces/zones + trust levels mapped | enumerate zones | Zones mapped |
| DMZ → internal reachable | packet-tracer / nmap | DMZ-to-internal access |
| User → server/mgmt zone over-permitted | review inter-zone rules | Over-permitted zone flow |
| Management zone not isolated | review mgmt rules | Management zone exposed |
| PCI/sensitive zone not isolated | review PCI rules | PCI isolation gap |
| OT/ICS reachable from IT | review OT rules | IT-to-OT reachability |
| Zone-wide any inter-zone rules | review rules | Broad inter-zone rule |
5 Egress / outbound filtering
Outbound is the forgotten direction. Unrestricted egress lets malware exfiltrate and C2 phone home. The firewall should allowlist outbound, not permit any-out.
# Look for permissive outbound from internal/user zones
grep -iE 'permit .*inside.* any|permit ip <internal> any' running-config.txt
# Verify what can actually leave (in-scope egress test):
for p in 53 80 443 4444 8080 6667; do nc -zvw2 <external-ip> $p; done⚑ Report as: “No egress filtering (any outbound permitted) — exfiltration/C2 friendly”
🛡 Fix: Default-deny egress with an allowlist of required destinations/ports; restrict outbound DNS/HTTP(S) to approved resolvers/proxies; block known-bad and unneeded protocols; log outbound denies to catch beaconing.
Egress filtering — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Unrestricted outbound (any-out) | review egress rules | No egress filtering |
| Outbound DNS/HTTP not via proxy/resolver | review egress | Unrestricted DNS/web egress |
| Unneeded protocols allowed out | review egress | Excessive outbound protocols |
| Egress denies not logged | check logging | Egress denies unlogged |
| Covert-channel ports open out | egress test | Covert egress possible |
6 Management plane & administrative access
How the firewall itself is administered. Management reachable from anywhere, weak/default creds, no MFA, cleartext protocols and no RBAC are the high-impact findings.
# Cisco ASA: who/where can manage, and how
show run | include ^(ssh|http|telnet|enable|username|aaa)
# FortiGate: admin access + trusthosts + protocols
grep -iE 'set (trusthost|allowaccess|admin-https|telnet)' fortigate.conf
# Flags: telnet/http (cleartext), management on untrusted iface, no trusthost ACL,
# default/shared admin accounts, no MFA, SNMP community public/private⚑ Report as: “Firewall management reachable from untrusted networks / weak admin auth / no MFA”
🛡 Fix: Restrict management to a dedicated network/jump host (trusthost ACLs); enforce MFA and per-admin accounts with RBAC; use SSH/HTTPS only (no Telnet/HTTP); central AAA (TACACS+/RADIUS); no default/shared creds; SNMPv3 only.
Management plane & admin access — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Management reachable from untrusted net | review mgmt access | Management plane exposed |
| Cleartext mgmt (Telnet/HTTP) | check protocols | Cleartext management |
| Default/shared admin credentials | review accounts | Default/shared credentials |
| No MFA on admin access | check MFA | No admin MFA |
| No RBAC / least-privilege admin roles | review roles | Missing admin RBAC |
| No central AAA (TACACS+/RADIUS) | check AAA | No centralised AAA |
| SNMP v1/v2c / default community | check SNMP | Weak SNMP |
| No mgmt trusthost/source ACL | check trusthost | No management ACL |
| Idle/admin session timeout missing | check timeout | No session timeout |
7 Device hardening & secure config
The device's own posture: firmware currency, secure services, time sync, banners and disabled junk. Map against the vendor CIS benchmark.
# Version + support/EoL status
# Cisco: show version FortiGate: get system status Palo Alto: show system info
# Benchmark the config against CIS:
# CIS-CAT Pro (vendor benchmark) or Nipper's hardening section⚑ Report as: “Outdated firewall firmware with known CVEs / insecure services enabled”
🛡 Fix: Run a supported, patched firmware (track EoL); disable unused services and interfaces; enforce SSH/HTTPS with strong ciphers; configure NTP, login banners, password policy; baseline against the vendor CIS benchmark.
Device hardening — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Outdated/EoL firmware (CVE) | show version + advisories | Outdated firmware |
| Unused services/interfaces enabled | review config | Unnecessary services |
| Weak SSH/TLS ciphers on mgmt | ssh-audit / testssl | Weak management crypto |
| No NTP / time sync | check NTP | No time synchronisation |
| No login banner | check banner | Missing login banner |
| Weak password policy | review policy | Weak password policy |
| Config not CIS-benchmarked | CIS-CAT / Nipper | Hardening gaps vs CIS |
8 VPN review (site-to-site & remote access)
Site-to-site and remote-access VPNs terminating on the firewall: weak crypto (IKEv1/aggressive mode, DES/3DES/MD5), split tunneling, no MFA, and over-broad access once connected.
# Cisco ASA: review IKE/IPsec proposals + tunnel-groups
show run crypto ; show run | include (ikev1|ikev2|group-policy|split-tunnel)
# Flags: IKEv1 aggressive mode, DES/3DES/MD5/DH group 1-2, PSK reuse,
# split-tunnel enabled, no MFA, VPN pool with any-any access⚑ Report as: “Weak VPN crypto (IKEv1 aggressive / DES-3DES / weak DH) / remote-access VPN without MFA”
🛡 Fix: IKEv2 with strong crypto (AES-GCM, SHA-256+, DH group 14+/ECDH); no aggressive mode or weak PSKs; enforce MFA + certificate auth on remote access; disable split tunneling (or tightly control); least-privilege access for VPN pools, not any-any.
VPN review — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| IKEv1 aggressive mode | review IKE config | IKEv1 aggressive mode |
| Weak ciphers (DES/3DES/MD5) | review proposals | Weak VPN ciphers |
| Weak DH group (1/2/5) | review DH | Weak DH group |
| Reused/weak pre-shared key | review PSK | Weak/reused PSK |
| No MFA on remote access | check auth | No VPN MFA |
| Split tunneling enabled | check split-tunnel | Split tunnelling |
| VPN pool over-broad access | review group-policy | Over-broad VPN access |
| No cert-based auth where expected | check auth | Missing certificate auth |
9 Logging, monitoring & alerting
Can the firewall tell you what happened? Logs going off-box, retained, and alerted-on for denies and config changes.
⚑ Report as: “Insufficient firewall logging / no off-box log retention or alerting”
🛡 Fix: Log permits (where useful) and all denies; ship logs to a central SIEM/syslog (immutable, retained per policy); alert on denied bursts, rule changes and admin logins; sync time so logs correlate.
Logging, monitoring & alerting — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Logging enabled on rules | review log flags | Insufficient rule logging |
| Logs sent off-box (syslog/SIEM) | check syslog config | No central logging |
| Log retention per policy | check retention | Insufficient retention |
| Alerting on denies/anomalies | check alerts | No alerting |
| Config-change auditing | check change logs | No change auditing |
| Admin-login logging | check auth logs | No admin-login logging |
| Time sync for correlation | check NTP | No time sync |
10 High availability & backup
Resilience and recoverability: HA pairing, config backups, and a tested restore path.
⚑ Report as: “No high availability / no current tested config backup”
🛡 Fix: Deploy HA (active/standby or active/active) for critical firewalls; take automated, version-controlled config backups stored securely off-box; periodically test restore; document rollback.
High availability & backup — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| HA configured for critical firewalls | check HA status | No high availability |
| HA sync healthy | check sync state | HA sync issue |
| Automated config backups | check backup job | No automated backup |
| Backups stored securely off-box | check storage | Insecure backup storage |
| Restore tested | review restore test | Untested restore |
11 Change management & rule lifecycle
Governance: every rule should trace to a request, an owner and an approval, and the rule base should be reviewed on a cadence (PCI-DSS requires at least every 6 months).
⚑ Report as: “No rule lifecycle / change management — rules lack owner, justification or review”
🛡 Fix: Require documented requests, business justification, owner and approval for every rule; review the rule base on a schedule (PCI-DSS: ≤6 months); decommission rules when the need ends; reconcile rules against tickets.
Change management & rule lifecycle — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Rules trace to a request/ticket | reconcile vs tickets | Untracked rule change |
| Each rule has an owner | review ownership | Rule without owner |
| Change approval process | review process | No change approval |
| Periodic rule-base review (≤6 mo) | check review cadence | No periodic review |
| Decommission process for stale rules | review lifecycle | No decommission process |
12 Advanced threat prevention (NGFW)
On a next-gen firewall, the L3/L4 rules are only half the story. Review whether IPS, application control, URL filtering, TLS inspection, threat intel and geo-blocking are enabled and tuned — profiles attached to rules, not just licensed.
⚑ Report as: “NGFW threat-prevention profiles licensed but not applied to rules / not tuned”
🛡 Fix: Attach IPS/AV/anti-spyware, application-control and URL-filtering profiles to the relevant rules (not just enabled globally); keep signatures/feeds updated; enable TLS inspection where policy allows; use threat intel and geo-blocking; tune to reduce false negatives.
Advanced threat prevention — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| IPS/IDS enabled & profiles on rules | review security profiles | IPS not applied/tuned |
| Antivirus/anti-malware inspection | review AV profiles | AV not applied |
| Application control (App-ID) | review app rules | No application control |
| URL/web filtering | review URL profiles | No URL filtering |
| TLS/SSL inspection (where allowed) | check decryption policy | No TLS inspection |
| Threat-intel feeds updated | check feeds | Stale threat feeds |
| Geo-blocking / IP reputation | review geo rules | No geo/reputation control |
| DNS security / sinkholing | review DNS security | No DNS security |
| Signature/content updates current | check update status | Outdated signatures |
Vendor-specific checks
A Palo Alto (PAN-OS)
Palo Alto (PAN-OS): App-ID and the Best Practice Assessment do a lot of the work; watch for application-default vs any-service, unused rules, and decryption coverage.
show running security-policy
show running rule-use rule-base security type unused vsys vsys1 # unused rules
test security-policy-match from trust to untrust source 10.0.0.5 destination 8.8.8.8 \
protocol 6 destination-port 443 # verify a flow
# Run Expedition / BPA against a tech-support file for a full best-practice report⚑ Report as: “Palo Alto: rules using any service instead of application-default / unused rules / no decryption”
🛡 Fix: Use App-ID with application-default services; remove unused rules (rule-use report); enable decryption where policy permits; attach security profiles (vulnerability/AV/anti-spyware/URL/WildFire) to allow rules; run BPA and remediate.
Palo Alto (PAN-OS) — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| any service instead of application-default | review security rules | Service not application-default |
| Unused rules (rule-use) | show running rule-use | Unused rule |
| No security profiles on allow rules | review profiles | Missing security profile |
| Decryption not configured | review decryption policy | No SSL decryption |
| Default admin / weak mgmt | review admins | Weak management |
| BPA not run / findings open | run BPA | Open BPA findings |
B Cisco ASA / Firepower (FTD)
Cisco ASA/Firepower (FTD): classic ACLs — check for permit ip any any, zero-hit ACEs, weak crypto and management exposure. packet-tracer is your verification tool.
show running-config
show access-list | include hitcnt=0 # unused ACEs
show run | include ^(http|ssh|telnet|enable|aaa|snmp-server)
packet-tracer input outside tcp 1.2.3.4 1234 10.0.0.10 443 # verify a flow⚑ Report as: “Cisco ASA: permit ip any any ACE / zero-hit ACLs / Telnet or weak SNMP enabled”
🛡 Fix: Replace any-any ACEs with specific ACLs; remove zero-hit ACEs; SSH/HTTPS only (no Telnet); SNMPv3; restrict management with ACLs; strong IKEv2 crypto; verify flows with packet-tracer.
Cisco ASA / Firepower (FTD) — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| permit ip any any ACE | grep ACL | Any-any ACE |
| Zero-hit ACEs | show access-list hitcnt=0 | Unused ACE |
| Telnet/HTTP management | show run | Cleartext management |
| SNMP v1/v2c / default community | show run snmp | Weak SNMP |
| Weak VPN crypto (IKEv1/3DES) | show run crypto | Weak VPN crypto |
| Management not ACL-restricted | review ssh/http ACLs | Management exposed |
C FortiGate (FortiOS)
FortiGate (FortiOS): check for policies using all address/service, missing UTM/security profiles, broad trusthosts, and the built-in Security Rating.
get system status # version
show full-configuration | grep -iE 'set (srcaddr|dstaddr|service) .?all'
diagnose firewall iprope show # policy/hit info
# Run the GUI 'Security Rating' (Security Fabric) for a best-practice score⚑ Report as: “FortiGate: policy using all address/service / no security profiles / admin without trusthost”
🛡 Fix: Use specific address/service objects (not all); attach security profiles (IPS/AV/web filter/app control) to policies; set admin trusthosts; HTTPS/SSH mgmt only; run Security Rating and remediate.
FortiGate (FortiOS) — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Policy uses all address/service | grep config | Overly-broad policy |
| No security/UTM profiles on policy | review policies | Missing security profile |
| Admin without trusthost | check trusthost | No admin trusthost |
| Cleartext mgmt (telnet/http) | check allowaccess | Cleartext management |
| Unused policies | review hit counts | Unused policy |
| Security Rating not run | run rating | Open Security Rating issues |
D Check Point
Check Point: layered policy — check for an Any/Any/Accept rule, missing cleanup rule, disabled logging (track=None), and rule hit counts in SmartConsole.
⚑ Report as: “Check Point: Any/Any/Accept rule / missing cleanup rule / rules with Track=None”
🛡 Fix: Remove Any/Any/Accept rules; ensure an explicit cleanup (drop + log) rule at the end; set Track=Log on rules; use the hit-count column to retire unused rules; tighten implied rules; apply IPS/Threat Prevention profiles.
Check Point — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Any/Any/Accept rule | review policy | Any-any-accept rule |
| Missing cleanup (drop+log) rule | check last rule | Missing cleanup rule |
| Rules with Track=None | review track column | Rule not logged |
| Unused rules (hit count) | SmartConsole hit count | Unused rule |
| Permissive implied rules | review implied rules | Permissive implied rule |
| Threat Prevention not applied | review profiles | No threat prevention |
E pfSense / OPNsense
pfSense/OPNsense: per-interface rules — check for allow-any rules, missing logging, default WebGUI exposure, and that outbound isn't wide open.
pfctl -sr # show active filter rules
pfctl -sn # show NAT rules
# Flags: 'pass ... from any to any', WebGUI on WAN, no rule logging, default creds⚑ Report as: “pfSense: allow any-any rule / WebGUI exposed on WAN / default admin credentials”
🛡 Fix: Least-privilege per-interface rules (no allow any-any); enable logging on rules; restrict WebGUI/SSH to LAN/mgmt; change default admin creds + MFA; default-deny with explicit allows; tighten outbound.
pfSense / OPNsense — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Allow any-any rule | pfctl -sr | Any-any rule |
| Rules without logging | review rule logging | Rule without logging |
| WebGUI/SSH exposed on WAN | review mgmt access | Management exposed |
| Default admin credentials | check admin | Default credentials |
| No MFA on WebGUI | check MFA | No admin MFA |
| Outbound wide open | review LAN rules | No egress filtering |
✓ Coverage map & how to run it
Work the universal sections (0–12) on every firewall review, then the vendor block. The rule-base review (§1) and segmentation (§4) carry the most risk; management/hardening (§6–7) carry the easiest criticals.
| Section | Run on | Focus |
|---|---|---|
| Universal 0–12 | Every firewall review | Scope, rule base, default policy, NAT, segmentation, egress, mgmt, hardening, VPN, logging, HA, change mgmt, threat prevention |
| Palo Alto | PAN-OS | App-ID/application-default, rule-use, decryption, BPA |
| Cisco ASA/FTD | ASA/Firepower | any-any ACEs, zero-hit ACLs, packet-tracer, crypto |
| FortiGate | FortiOS | all address/service, security profiles, trusthost, Security Rating |
| Check Point | Check Point | Any/Any/Accept, cleanup rule, Track=Log, hit count |
| pfSense | pfSense/OPNsense | any-any rules, WebGUI exposure, logging, egress |
Core principle: a firewall review is config audit + active verification. Don't just read the rule base — prove from the wire what it actually permits (nmap/packet-tracer), and tie every finding to least privilege, segmentation impact and the rule's missing justification. Map results to PCI-DSS req 1, NIST 800-41 and the vendor CIS benchmark, and tick a box only when you've verified it.