Firewall configuration review
Read the ruleset the way attackers do.
Firewall configuration review from SecureLayer7: every rule re-read by hand against intent, every management-plane service tested for the path that survived the policy. Shadowed rules, any/any ranges, NAT-chain misuse, weak SSH ciphers on the mgmt plane, stale signature feeds; every finding mapped to PCI-DSS and the CIS Firewall Benchmark with a vendor-specific fix and a re-test.
Line-by-line
Every rule re-read for intent: shadowed, preempted, any/any, stale, dead policy. Group-set drift mapped to its source.
Beyond the policy
Management plane, OS train, signature freshness, two-factor on admin paths, the configuration your ruleset depends on.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record
Why a config check isn't a config audit
Read the policy. Then read around it.
PCI-DSS scorers and CIS Firewall benchmarks parse what's written. A live review reads what an attacker reads: shadowed rules, NAT chains the comments lie about, group-set drift hidden across object groups, and admin paths the benchmark never asks about. SecureLayer7's engagement does both: it locks the policy to a defensible baseline you'll defend in audit, then reads the chain that survived the green scorecard.
IN SCOPE.
How we read your ruleset.
Shadowed rules, redundant ANY-ANYs, expired exceptions, rule-base growth past the human read.
NAT paths, asymmetric routes, VPN trust, dynamic routing leaks. Past the policy, not through it.
SSL-inspection coverage, IDS signature drift, decryption bypass categories, TLS 1.3 visibility.
Management interface exposure, role separation, audit-log retention, change-control gaps.
What we review —
Four review surfaces. One engagement.
Each surface is read for intent against the live config, then probed by hand for the chain that survived the policy. Vendor-specific guidance for ASA, Cisco IOS, Palo Alto Networks, FortiGate, Check Point, pfSense, and Juniper SRX.
Ruleset
Any/any ranges, shadowed and preempted rules, dead policy, stale comments, source/destination group drift, NAT translation chains, log-scope coverage, asymmetric-routing exposure.
Deployment & segmentation
Zone map and blast-radius from each zone, redundant placement, fail-open vs fail-close behaviour, management-plane isolation, jump-host enforcement, out-of-band path scope.
Services & management plane
SSH cipher and KEX policy, HTTPS-mgmt scope, SNMPv2 community strings, TFTP and HTTP exposure, AAA · RADIUS · TACACS+ scope, two-factor on admin paths, session-timeout policy.
Software & signatures
OS train versus vendor advisories, IPS signature freshness, AV pattern coverage, EOL-hardware risk, planned-upgrade gaps, vulnerability-feed staleness.
FIREWALL REVIEW METHODOLOGY.
Eight phases. Ruleset to traffic.
Threat-modelled to your zone map, regulatory target (PCI-DSS, HIPAA, RBI, ISO), and operational risk model. Not a stock checklist run against every device.
- 01
Asset & topology inventory
Device inventory, interface map, zone classification, traffic peering, management-plane scope, plus out-of-band path catalogued before any rule is read.
- 02
Vendor & version audit
Hardware model, OS train, EOL status, signature or feed staleness, plus vendor advisory deltas captured against the running config.
- 03
Ruleset review
Every rule re-read for intent. Shadowed and preempted rules surfaced. Any-any ranges, dead policy, stale comments, group-set drift, log-scope coverage. Each finding tied to the rule that produced it.
- 04
Deployment & segmentation
Blast-radius modelled from each zone. Redundant placement, fail-open versus fail-close behaviour, management-plane isolation, jump-host enforcement verified against the topology.
- 05
Services & management plane
SSH cipher and KEX policy, HTTPS-mgmt scope, SNMP community strings, TFTP and HTTP exposure, AAA scope, two-factor on admin paths. Every service the device speaks, audited.
- 06
Active probe
Manual exploitation against the live config: shadowed-rule bypass, NAT-chain misuse, management-plane reach from data plane, log-evasion paths. Exercised to credential takeover or lateral move.
- 07
Remediation guidance
Vendor-specific config snippets for ASA, Cisco IOS, Palo Alto Panorama, FortiGate, Check Point, pfSense, and Juniper SRX. Commit-ready, written for the network team that runs the fleet.
- 08
Patch verification
Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.
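As an added illustration of the checks named under the Ruleset surface and in phase 03 (shadowed and preempted rules, any/any ranges, log-scope coverage), the script below runs those checks over a small constructed rule list. It is not SecureLayer7's tooling and not any vendor's syntax: the `Rule` format, the first-match semantics, and the sample rules are assumptions made for the example. A rule is reported when an earlier rule already matches every packet it could match; vendors label that condition differently, so the script distinguishes only whether the action is the same (the later rule is redundant) or differs (the later rule's intent is preempted).

```python
"""Shadowed-rule, any/any and log-coverage checks over a constructed ruleset."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp", "icmp" or "any"
    src: str         # IPv4 CIDR or "any"
    dst: str         # IPv4 CIDR or "any"
    ports: tuple     # inclusive destination port range; (0, 65535) means any
    log: bool = True


def _net(cidr: str) -> ipaddress.IPv4Network:
    """Map the "any" keyword onto the whole IPv4 space so containment tests work."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = _net(inner.src).subnet_of(_net(outer.src))
    dst_ok = _net(inner.dst).subnet_of(_net(outer.dst))
    port_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return proto_ok and src_ok and dst_ok and port_ok


def find_shadowed(rules):
    """First-match semantics: a rule fully covered by an earlier rule can never fire.

    Returns (later_rule, kind, earlier_rule) triples. Partial overlaps are not
    reported; those still need a human read against the rule's intent.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "preempted"
                findings.append((later.name, kind, earlier.name))
                break  # report the first (highest-precedence) rule that hides it
    return findings


def find_any_any(rules):
    """Permit rules with no constraint on protocol, source, destination or port."""
    return [r.name for r in rules
            if r.action == "permit" and r.proto == "any"
            and r.src == "any" and r.dst == "any" and r.ports == (0, 65535)]


def find_unlogged_permits(rules):
    """Permits that leave no trace in the log scope."""
    return [r.name for r in rules if r.action == "permit" and not r.log]


# Constructed sample ruleset (not from any real device), in evaluation order.
RULES = [
    Rule("r1-allow-web",   "permit", "tcp", "10.0.0.0/8",  "203.0.113.0/24", (443, 443)),
    Rule("r2-temp-any",    "permit", "any", "any",         "any",            (0, 65535), log=False),
    Rule("r3-allow-ssh",   "permit", "tcp", "10.1.0.0/16", "203.0.113.0/24", (22, 22)),
    Rule("r4-deny-telnet", "deny",   "tcp", "any",         "any",            (23, 23)),
    Rule("r5-allow-api",   "permit", "tcp", "10.0.5.0/24", "203.0.113.0/24", (443, 443)),
]

if __name__ == "__main__":
    for later, kind, earlier in find_shadowed(RULES):
        print(f"{later}: {kind}, hidden behind {earlier}")
    print("any/any permits:", find_any_any(RULES))
    print("unlogged permits:", find_unlogged_permits(RULES))
```

On the sample, the "temporary" any/any at position 2 makes the SSH permit below it redundant and silently overrides the telnet deny, while the API permit is already covered by the broader web rule above it; the same any/any is also the only permit with logging off, so the traffic it admits would never appear in the log scope.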
Insights
Firewall review Resources.
Ruleset drift, any-any holes, and the firewall-config patterns our reviewers flag during pre-audit reviews.
Meet our expert
John Dill
vCISO at SecureLayer7
John scopes firewall-review engagements against your zone map, regulatory target (PCI-DSS, HIPAA, RBI), and operational risk model. He guides the pod from kick-off through the active-probe walkthrough and the re-test that closes every shadowed-rule path.
- Scopes ASA, Cisco IOS, Palo Alto, FortiGate, Check Point, pfSense, and Juniper engagements against your real risk model.
- Owns kick-off, mid-engagement check-ins, and live walkthrough of every finding.
- Drives remediation review and re-test until every ruleset and management-plane path is closed.

Ready to scope a firewall configuration review? Book 30 minutes with John to walk through your fleet, regulatory target, and timeline.
Book a 30-min call
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
HealthTech
HIPAA-scoped network zones, EHR segmentation, telehealth gateway policies.
Built for Saudi Arabia engagements
What changes when we deliver here.
Compliance scoping
NCA ECC 2-5-2 sub-control cited per ruleset finding
Regulatory framework
SAMA D3 change-management approval-trail check
Local engagements
Jeddah port operator cut 41 redundant Palo Alto rules
Local pricing
SAR per-device firewall pricing with VAT 15%
Compliance scoping
Sanitised configs sealed on KSA jump host
Firewall review questions from KSA infra teams.
Is the deliverable mapped to NCA ECC 2-5-2?
Yes. Each rule risk cites ECC 2-5-2 sub-control wording. The NCA reviewer reads the path from rule line to control row.
Does SAMA change-management evidence drop out of the review?
Yes. Rule additions and the change ticket trail are inspected against SAMA D3 change-management. Missing approvals are flagged.
Which vendors do you cover?
Palo Alto, Fortinet, Check Point, Cisco ASA, and SonicWall configurations are read line by line. Each platform has its own rule-quality rubric.
How are configs handled under PDPL?
Sanitised configs sit on a KSA jump host. Cleartext credentials and tunnel keys never leave the Kingdom.
Delivery in Saudi Arabia
Firewall review for NCA ECC 2-5-2 evidence.
Ruleset findings cite NCA ECC 2-5-2 and SAMA change-management control wording. Configs reviewed on a KSA jump host with SAR pricing.
- Direct line
- +966-11-000-0000
- Office
- Riyadh, Saudi Arabia
Frameworks scoped: NCA ECC · SAMA CSF · PDPL · ISO/IEC 27001.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: ruleset diff, shadowed-rule narrative, vendor-specific config snippets ready for ASA, Palo Alto, and FortiGate, and the re-test confirmation. Sent on request after a 5-minute scoping call.