Firewall configuration review
Firewall Configuration Review that proves what your rules actually let through.
A clean-looking firewall policy can still leave a path open. We read every rule, test what actually passes, and map each gap to the firewall controls your PCI DSS, NIST 800-41, and SOC 2 auditors check, with evidence they accept.
Line-by-line
Every rule re-read for intent: shadowed, preempted, any/any, stale and dead policy surfaced. Group-set drift mapped to its source.
Beyond the policy
Management plane, OS train, signature freshness, two-factor on admin paths: the configuration your ruleset depends on.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
The rule someone added "temporarily" five years ago is now your widest exposure.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record
Past the checklist.
Read the policy. Then read around it.
A rule can pass its own audit and still leave a path open. We read the entire ruleset the way an attacker does: shadowed rules, NAT chains the comments lie about, group-set drift, and the implicit allow a PCI DSS line check never flags. Then we prove which gaps actually pass traffic.
What we review
Four review surfaces. One engagement.
Each surface is read for intent against the live config, then probed by hand for the chain that survived the policy. Every finding ships with the exact rule, the proof it passes traffic, and the fix. Vendor-specific for ASA, Cisco IOS, Palo Alto Networks, FortiGate, Check Point, pfSense, and Juniper SRX.
Ruleset
Any/any ranges, shadowed and preempted rules, dead policy, stale comments, source/destination group drift, NAT translation chains, log-scope coverage, asymmetric-routing exposure.
Deployment & segmentation
Zone map and blast-radius from each zone, redundant placement, fail-open vs fail-close behaviour, management-plane isolation, jump-host enforcement, out-of-band path scope.
Services & management plane
SSH cipher and KEX policy, HTTPS-mgmt scope, SNMPv2 community strings, TFTP and HTTP exposure, AAA (RADIUS, TACACS+) scope, two-factor on admin paths, session-timeout policy.
Software & signatures
OS train versus vendor advisories, IPS signature freshness and drift, AV pattern coverage, SSL-inspection coverage and decryption-bypass gaps, TLS 1.3 visibility, EOL-hardware risk, planned-upgrade gaps, vulnerability-feed staleness.
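What "shadowed", "preempted" and "any/any" mean in practice, serving both the Ruleset surface above and the ruleset-review phase of the methodology. This is an added example written for this page, not SecureLayer7's tooling or any vendor's export. The one-line rule format and the sample policy are constructed for the demo; real ASA, FortiGate and PAN-OS policies also carry zones, NAT, schedules and application IDs, which this analyser ignores.

```python
"""Toy first-match ruleset analyser (added example, constructed format)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple[int, int]           # inclusive destination port range

    def covers(self, other: Rule) -> bool:
        """True when every packet `other` matches is already matched by self."""
        return (
            other.src.subnet_of(self.src)
            and other.dst.subnet_of(self.dst)
            and self.proto in ("any", other.proto)
            and self.ports[0] <= other.ports[0] <= other.ports[1] <= self.ports[1]
        )

    def is_any_any(self) -> bool:
        return (self.action == "permit" and self.src == ANY_NET
                and self.dst == ANY_NET and self.proto == "any"
                and self.ports == ANY_PORTS)


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY_NET if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    # Constructed format: name action proto src dst dport (dport = N, N-M or any)
    name, action, proto, src, dst, ports = line.split()
    if ports == "any":
        prange = ANY_PORTS
    else:
        lo, _, hi = ports.partition("-")
        prange = (int(lo), int(hi or lo))
    return Rule(name, action, "any" if proto == "ip" else proto, _net(src), _net(dst), prange)


def parse_ruleset(text: str) -> list[Rule]:
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def analyse(rules: list[Rule]) -> list[tuple[str, str, str | None]]:
    """Return (rule, finding, blamed_rule) triples in policy order.

    First-match semantics: a rule fully covered by an earlier rule never fires.
    Same action  -> "shadowed"  (dead policy, safe to delete).
    Other action -> "preempted" (the later rule's intent is defeated, e.g. a
                    deny that sits under a broad permit).
    Partial overlaps are not flagged by this toy; a real review walks those too.
    """
    findings: list[tuple[str, str, str | None]] = []
    for i, rule in enumerate(rules):
        if rule.is_any_any():
            findings.append((rule.name, "any-any permit", None))
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "shadowed" if earlier.action == rule.action else "preempted"
                findings.append((rule.name, kind, earlier.name))
                break   # the first covering rule is the one that will match
    return findings


# Constructed sample policy, not from any engagement. "temp-any" is the
# rule someone added "temporarily"; note what it does to "deny-guest".
SAMPLE_POLICY = """\
# name           action proto src             dst               dport
allow-web        permit tcp   10.0.0.0/8      192.168.10.20/32  443
allow-web-dup    permit tcp   10.1.0.0/16     192.168.10.20/32  443
deny-ssh-fw      deny   tcp   any             192.168.10.1/32   22
temp-any         permit ip    any             any               any
deny-guest       deny   ip    172.16.0.0/12   any               any
"""

if __name__ == "__main__":
    for rule, kind, blamed in analyse(parse_ruleset(SAMPLE_POLICY)):
        print(f"{rule:15} {kind:15} {'by ' + blamed if blamed else ''}")
```

Run against the sample it reports allow-web-dup as shadowed by allow-web, temp-any as an any-any permit, and deny-guest as preempted by temp-any: the deny still passes a line-by-line audit, but it never sees a packet.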
FIREWALL REVIEW METHODOLOGY.
Eight phases. Ruleset to traffic.
Threat-modelled to your zone map, regulatory target (PCI DSS, HIPAA, SOC 2, NIST 800-41, ISO 27001), and operational risk model. Not a stock checklist run against every device.
- 01
Asset & topology inventory
Device inventory, interface map, zone classification, traffic peering, management-plane scope, plus out-of-band path catalogued before any rule is read.
- 02
Vendor & version audit
Hardware model, OS train, EOL status, signature or feed staleness, plus vendor advisory deltas captured against the running config.
- 03
Ruleset review
Every rule re-read for intent. Shadowed and preempted rules surfaced. Any-any ranges, dead policy, stale comments, group-set drift, log-scope coverage. Each finding tied to the rule that produced it.
- 04
Deployment & segmentation
Blast-radius modelled from each zone. Redundant placement, fail-open versus fail-close behaviour, management-plane isolation, jump-host enforcement verified against the topology.
- 05
Services & management plane
SSH cipher and KEX policy, HTTPS-mgmt scope, SNMP community strings, TFTP and HTTP exposure, AAA scope, two-factor on admin paths. Every service the device speaks, audited.
- 06
Active probe
Manual exploitation against the live config: shadowed-rule bypass, NAT-chain misuse, management-plane reach from data plane, log-evasion paths. Exercised to credential takeover or lateral move.
- 07
Remediation guidance
Vendor-specific config snippets for ASA, Cisco IOS, Palo Alto Panorama, FortiGate, Check Point, pfSense, and Juniper SRX. Commit-ready, written for the network team that runs the fleet.
- 08
Patch verification
Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.
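The services and management-plane checks, shown as a weak config beside its hardened form and a lint that tells them apart. Added example for this page, not SecureLayer7's tooling. Both excerpts are constructed and use Cisco IOS syntax (keyword availability varies by IOS/IOS XE train; ASA, FortiGate, PAN-OS and SRX express the same controls differently). Only checks that map to single config lines are implemented: SNMPv2c communities, plaintext HTTP management, telnet on the vty lines, exec-timeout, SSH version pinning, explicitly weak SSH ciphers and KEX, and AAA. PLACEHOLDER_* stands in for real secrets.

```python
"""Management-plane lint over an IOS-style running-config (added example)."""
import re

# Constructed "before" excerpt: the pattern a reviewer flags.
WEAK_CONFIG = """\
ip http server
snmp-server community public RO
snmp-server community private RW
ip ssh server algorithm encryption aes256-cbc 3des-cbc
ip ssh server algorithm kex diffie-hellman-group1-sha1
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" excerpt: the same device, hardened.
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip ssh version 2
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm kex ecdh-sha2-nistp256 diffie-hellman-group14-sha1
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha PLACEHOLDER_AUTH priv aes 128 PLACEHOLDER_PRIV
aaa new-model
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh
 exec-timeout 10 0
 login authentication default
"""


def parse_sections(config: str) -> list[tuple[str, list[str]]]:
    """Split a config into (top-level line, indented child lines) pairs."""
    sections: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint(config: str) -> list[str]:
    sections = parse_sections(config)
    top = {line for line, _ in sections}
    findings: list[str] = []
    for line, children in sections:
        if line == "ip http server":
            findings.append("plaintext HTTP management enabled (ip http server)")
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:   # any v2c community is a finding; RW ones are the urgent kind
            findings.append(f"SNMPv2c community '{m.group(1)}' ({m.group(2) or 'RO'})")
        if line.startswith("ip ssh server algorithm encryption"):
            weak = re.findall(r"\b\w+-cbc\b", line)
            if weak:
                findings.append(f"weak SSH ciphers offered: {', '.join(weak)}")
        if (line.startswith("ip ssh server algorithm kex")
                and re.search(r"\bdiffie-hellman-group1-sha1\b", line)):
            findings.append("weak SSH KEX offered: diffie-hellman-group1-sha1")
        if line.startswith("line vty"):
            transport = next((c for c in children if c.startswith("transport input")), None)
            # No explicit transport is flagged conservatively: the default varies by train.
            if transport is None or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{line}: telnet reachable ({transport or 'no transport input set'})")
            timeout = next((c for c in children if c.startswith("exec-timeout")), None)
            if timeout is None or timeout == "exec-timeout 0 0":
                findings.append(f"{line}: idle sessions never time out ({timeout or 'no exec-timeout'})")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2 (ip ssh version 2 missing)")
    if "aaa new-model" not in top:
        findings.append("AAA disabled (aaa new-model missing); admin auth is local-only")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

The weak excerpt yields nine findings; the hardened one yields none. Two-factor on admin paths is not visible in a config line like this (it lives on the TACACS+/RADIUS side), which is why that item is checked against the AAA server, not the device.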
Insights
Firewall review resources.
Ruleset drift, any-any holes, and the firewall-config patterns our reviewers flag during pre-audit reviews.
Meet our expert
One lead re-reads every rule by hand.
John Dill
vCISO at SecureLayer7
John scopes firewall-review engagements against your zone map, regulatory target (PCI DSS, HIPAA, SOC 2, NIST 800-41), and operational risk model. He guides the pod from kick-off through the active-probe walkthrough and the re-test that closes every shadowed-rule path.
- Scopes ASA, Cisco IOS, Palo Alto, FortiGate, Check Point, pfSense, and Juniper engagements against your real risk model.
- Owns kick-off, mid-engagement check-ins, and live walkthrough of every finding.
- Drives remediation review and re-test until every ruleset and management-plane path is closed.

Ready to scope a firewall configuration review? Book 30 minutes with John to walk through your fleet, regulatory target, and timeline.
Book a 30-min call
Common procurement questions
What buyers ask about firewall configuration review.
Six questions procurement teams send before signing a firewall review SOW. Answered against our methodology and your auditor.
Have a procurement question not listed here?
Firewall reviews by industry.
These scopes come from real firewall engagements in each sector. Pick the closest fit.
HealthTech
HIPAA-scoped network zones, EHR segmentation, telehealth gateway policies.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: ruleset diff, shadowed-rule narrative, vendor-specific config snippets ready for ASA, Palo Alto, and FortiGate, and the re-test confirmation. Sent on request after a 5-minute scoping call.