Firewall configuration review

Read the ruleset the way attackers do.

Firewall configuration review from SecureLayer7: every rule re-read by hand against its intent, every management-plane service tested for the path that survived the policy. Shadowed rules, any/any ranges, NAT-chain misuse, weak SSH ciphers on the management plane, stale signature feeds, with every finding mapped to PCI-DSS and the CIS Firewall Benchmark and paired with a vendor-specific fix and a re-test.

See the rule-review method
Four firewall review surfaces, ruleset, deployment, services, software patches, fanning toward a single target. The ruleset lane is highlighted as the most common attack vector.

Line-by-line

Every rule re-read for intent: shadowed, preempted, any/any, stale and dead policy flagged. Group-set drift mapped to its source.

Beyond the policy

Management plane, OS train, signature freshness, two-factor on admin paths, the configuration your ruleset depends on.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • AICPA SOC 2 Type II

Why a config check isn't a config audit

Read the policy. Then read around it.

PCI-DSS scorers and CIS Firewall benchmarks parse what's written. A live review reads what an attacker reads: shadowed rules, NAT chains the comments lie about, group-set drift hidden across object groups, and admin paths the benchmark never asks about. SecureLayer7's engagement does both: it locks the policy to a baseline you can defend in audit, then reads the chain that survived the green scorecard.

A wall of five firewall rules, each with a small audit check mark, with a single orange arrow that finds a gap between two rules and reaches INSIDE on the far side.

IN SCOPE.

How we read your ruleset.

POLICY
Rule logic + order

Shadowed rules, redundant ANY-ANYs, expired exceptions, rule-base growth past the human read.

ROUTING
Around the rules

NAT paths, asymmetric routes, VPN trust, dynamic routing leaks. Past the policy, not through it.

INSPECTION
Deep + TLS reads

SSL-inspection coverage, IDS signature drift, decryption bypass categories, TLS 1.3 visibility.

MANAGEMENT
Admin plane

Management interface exposure, role separation, audit-log retention, change-control gaps.

What we review —

Four review surfaces. One engagement.

Each surface is read for intent against the live config, then probed by hand for the chain that survived the policy. Vendor-specific guidance for ASA, Cisco IOS, Palo Alto Networks, FortiGate, Check Point, pfSense, and Juniper SRX.

Ruleset

Any/any ranges, shadowed and preempted rules, dead policy, stale comments, source/destination group drift, NAT translation chains, log-scope coverage, asymmetric-routing exposure.

Deployment & segmentation

Zone map and blast-radius from each zone, redundant placement, fail-open vs fail-close behaviour, management-plane isolation, jump-host enforcement, out-of-band path scope.

Services & management plane

SSH cipher and KEX policy, HTTPS-mgmt scope, SNMPv2 community strings, TFTP and HTTP exposure, AAA · RADIUS · TACACS+ scope, two-factor on admin paths, session-timeout policy.

Software & signatures

OS train versus vendor advisories, IPS signature freshness, AV pattern coverage, EOL-hardware risk, planned-upgrade gaps, vulnerability-feed staleness.

FIREWALL REVIEW METHODOLOGY.

Eight phases. Ruleset to traffic.

Threat-modelled to your zone map, regulatory target (PCI-DSS, HIPAA, RBI, ISO), and operational risk model. Not a stock checklist run against every device.

  1. Asset & topology inventory

    Device inventory, interface map, zone classification, traffic peering, management-plane scope, plus out-of-band path catalogued before any rule is read.

  2. Vendor & version audit

    Hardware model, OS train, EOL status, signature or feed staleness, plus vendor advisory deltas captured against the running config.

  3. Ruleset review

    Every rule re-read for intent. Shadowed and preempted rules surfaced. Any-any ranges, dead policy, stale comments, group-set drift, log-scope coverage. Each finding tied to the rule that produced it.

  4. Deployment & segmentation

    Blast-radius modelled from each zone. Redundant placement, fail-open versus fail-close behaviour, management-plane isolation, jump-host enforcement verified against the topology.

  5. Services & management plane

    SSH cipher and KEX policy, HTTPS-mgmt scope, SNMP community strings, TFTP and HTTP exposure, AAA scope, two-factor on admin paths. Every service the device speaks, audited.

  6. Active probe

    Manual exploitation against the live config: shadowed-rule bypass, NAT-chain misuse, management-plane reach from data plane, log-evasion paths. Exercised to credential takeover or lateral move.

  7. Remediation guidance

    Vendor-specific config snippets for ASA, Cisco IOS, Palo Alto Panorama, FortiGate, Check Point, pfSense, and Juniper SRX. Commit-ready, written for the network team that runs the fleet.

  8. Patch verification

    Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.

Meet our expert

John Dill

vCISO at SecureLayer7

John scopes firewall-review engagements against your zone map, regulatory target (PCI-DSS, HIPAA, RBI), and operational risk model. He guides the pod from kick-off through the active-probe walkthrough and the re-test that closes every shadowed-rule path.

  • Scopes ASA, Cisco IOS, Palo Alto, FortiGate, Check Point, pfSense, and Juniper engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every finding.
  • Drives remediation review and re-test until every ruleset and management-plane path is closed.
SL7 Lab. Published CVE research.

Ready to scope a firewall configuration review? Book 30 minutes with John to walk through your fleet, regulatory target, and timeline.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

SaaS edge perimeters, tenant segmentation, egress-control policies.

FinTech

PCI scope segmentation, branch-DC firewalls, regulator-mandated zoning.

HealthTech

HIPAA-scoped network zones, EHR segmentation, telehealth gateway policies.

Built for Australia engagements

What changes when we deliver here.

  • Regulatory framework

    ASD ISM gateway control per rule finding

  • Compliance scoping

    Essential 8 Strategy 7 admin-privilege evidence

  • Local engagements

    AU insurer — 4500 rules normalised in 3 weeks

  • Local pricing

    AUD per-policy review, GST itemised

  • Compliance scoping

    CAB change-log reconciliation appendix

Questions Australian network ops teams ask first.

  • Which firewall platforms do you cover?

    Palo Alto, Fortinet, Cisco, Check Point, Juniper, Sophos, and AWS / Azure cloud firewalls. Each finding cites the gap against the platform-specific hardening guide.

  • Do you check rule-base hygiene against ISM?

    Yes. Stale, shadowed, and overly-permissive rules are scored. Each issue lists the ASD ISM gateway control and the rule line number.

  • How do you handle change-management trails?

    A sample of recent changes is reconciled against the CAB record. Gaps are flagged against the CPS 234 ¶32 control framework requirements.

  • Is the report usable for an Essential 8 review?

    Yes. Strategy 7 (restrict admin privileges) and gateway-level controls feed Maturity Level 1 / 2 evidence.

Delivery in Australia

ASD ISM gateway. ACSC change trail.

Rule-base, NAT, and threat-feed findings cite ASD ISM gateway hardening controls. Change-log gaps map to ACSC configuration management guidance.

Direct line
+61-2-0000-0000
Office
Sydney, Australia

Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.

Sample firewall configuration review report, ruleset · probe · remediation · re-test

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: ruleset diff, shadowed-rule narrative, vendor-specific config snippets ready for ASA, Palo Alto, and FortiGate, and the re-test confirmation. Sent on request after a 5-minute scoping call.