
Firewall Security Audit Guide — What to Check Before You Get Hacked

3 May 2026 · 8 min read · VantagePoint Networks

A firewall security audit is a structured review of your perimeter device configuration — rule base, VPN settings, zone design, logging, and firmware status — to identify gaps that could allow unauthorised access or data exfiltration. Most SMB firewalls are configured once and never revisited. Over time, legacy rules accumulate, default settings remain in place, and misconfigurations go unnoticed until they become breach headlines. This guide covers exactly what to check, and what the common findings mean.

Firewalls are one of the most critical controls at any network perimeter. A well-configured firewall blocks the vast majority of automated scanning and brute-force attempts before they reach a host. A misconfigured one provides a false sense of security: the traffic logs show a busy firewall, while attackers walk through the gaps unchallenged.

How to Audit Your Firewall: 6-Step Process

1. Inventory devices and management access
List every firewall, UTM, and perimeter device in your environment. For each: record the firmware version and when it was last updated, verify who holds admin credentials (named accounts per administrator, not a shared login), and confirm the management interface (web UI, SSH, vendor API) is not reachable from the internet. Management interfaces exposed to the internet are a critical finding: an attacker who can reach the admin panel can brute-force it or exploit firmware vulnerabilities directly, bypassing every rule in the policy.

2. Review all inbound allow rules
Export your full rule base, including NAT and port-forward rules, and review every inbound allow rule. For each rule, ask: is this port still needed? Is the source "any" when it should be a specific IP range? Is there a documented business justification? Check hit counters too: a rule with zero hits over the review period has no evidence of being needed. Common overly permissive inbound rules include open RDP (3389), SSH (22), and management ports (8080, 8443) with no source restriction.

3. Review outbound rules
Many SMB firewalls have an any-any outbound rule that allows all traffic to the internet. This gives malware free rein to call home, exfiltrate data, or participate in botnets. Replace it with destination- and protocol-specific rules: DNS only to your own resolvers (so hosts cannot bypass them by querying external servers), HTTP/HTTPS to the internet (through a proxy or with URL filtering where possible, since HTTPS is the channel malware most commonly uses), SMTP only from your mail relay, and a final deny-all rule with logging enabled.

4. Audit VPN configuration
Check the VPN for: MFA enforcement (a VPN without MFA is a single-password entry point), weak cryptography (disable DES, 3DES, RC4, MD5 and SHA-1 integrity, and Diffie-Hellman groups 1, 2 and 5), split tunnelling policy (a full-tunnel VPN routes all remote traffic through your egress controls, so the outbound policy and inspection above still apply; split tunnelling needs careful DNS handling so internal names are not resolved over the remote network), certificate validity (expiry, and that clients validate the gateway certificate rather than accepting any), and that accounts for departed users and contractors have been removed.

5. Evaluate zone design and segmentation
A well-designed perimeter has at minimum three zones: WAN (internet), DMZ (public-facing services), and LAN (internal); a separate management zone for device administration is strongly preferable. Verify that servers are not on the same segment as workstations, that guest Wi-Fi is isolated, and that inter-zone rules are explicit rather than permissive: DMZ hosts should only be able to initiate the specific connections into the LAN they need (a database port, for example), not arbitrary traffic.

6. Check logging, retention, and alerting
Firewall logs are useless if they are not reviewed. Confirm logs are sent to a central syslog server or SIEM, and that the final deny rule is logged (several platforms leave the implicit deny unlogged by default, so blocked scans never appear). Verify retention meets your policy and any regulatory requirement: 90 days is a practical minimum for investigating an intrusion, and PCI DSS requires 12 months with the most recent three months immediately available. Check that alerts are configured for denied-traffic spikes, authentication failures on the admin interface and VPN, and policy changes.
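Steps 2 and 3 come down to mechanical checks over the exported rule base, and the same pass can flag zero-hit and shadowed rules. The following Python is an added example of that review, not VantagePoint's tooling and not any vendor's export format: it assumes a vendor-neutral CSV with the columns id, direction, action, src, dst, proto, dport and hits, listed in evaluation order, and the sample rule base is constructed for the example. Map your platform's export to that shape before running it on real data.

```python
"""Rule-base review helper. Added example, not VantagePoint's tooling.

It assumes a vendor-neutral CSV export with the columns below, in evaluation
order; real exports differ per platform and must be mapped to this shape.
"""
import csv
import io
import ipaddress

# Constructed sample export (not a real rule base).
SAMPLE_RULES = """\
id,direction,action,src,dst,proto,dport,hits
10,inbound,allow,any,203.0.113.10,tcp,443,10482
20,inbound,allow,any,203.0.113.20,tcp,3389,37
30,inbound,deny,any,203.0.113.20,tcp,22,91
40,inbound,allow,198.51.100.0/24,203.0.113.20,tcp,22,0
50,inbound,allow,any,203.0.113.30,tcp,8443,0
60,outbound,allow,10.0.0.0/8,10.0.0.53,udp,53,90021
70,outbound,allow,any,any,any,any,551233
"""

# Ports that should never be reachable from an unrestricted source.
RISKY_INBOUND_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP",
    8080: "alt-HTTP management", 8443: "alt-HTTPS management",
}


def load_rules(text):
    """Parse the CSV export into dicts; id and hits become ints."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        row["id"] = int(row["id"])
        row["hits"] = int(row["hits"])
        rules.append(row)
    return rules


def covers(a, b):
    """True if field value a matches everything field value b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    try:
        net_a = ipaddress.ip_network(a, strict=False)
        net_b = ipaddress.ip_network(b, strict=False)
        return net_b.subnet_of(net_a)
    except ValueError:          # protocol names and port numbers: exact match
        return a == b


def shadowed_by(rules, rule):
    """Id of an earlier rule in the same direction that fully covers this one."""
    for earlier in rules:
        if earlier["id"] >= rule["id"]:
            break
        same_dir = earlier["direction"] == rule["direction"]
        if same_dir and all(covers(earlier[f], rule[f])
                            for f in ("src", "dst", "proto", "dport")):
            return earlier["id"]
    return None


def audit(rules):
    """Return (rule id, severity, message) tuples for the findings."""
    findings = []
    for r in rules:
        inbound_allow = r["direction"] == "inbound" and r["action"] == "allow"
        if inbound_allow and r["src"] == "any":
            port = r["dport"]
            name = RISKY_INBOUND_PORTS.get(int(port)) if port.isdigit() else None
            if name:
                findings.append((r["id"], "critical",
                                 f"{name} ({port}) open to internet"))
            else:
                findings.append((r["id"], "medium",
                                 f"inbound allow from any to port {port}; confirm justification"))
        if (r["direction"] == "outbound" and r["action"] == "allow"
                and r["src"] == "any" and r["dst"] == "any" and r["proto"] == "any"):
            findings.append((r["id"], "high", "any-any outbound rule"))
        if r["hits"] == 0:
            findings.append((r["id"], "low", "zero hits; candidate for removal"))
        earlier = shadowed_by(rules, r)
        if earlier is not None:
            findings.append((r["id"], "medium",
                             f"shadowed by rule {earlier}; never matches"))
    return findings


if __name__ == "__main__":
    for rule_id, severity, message in audit(load_rules(SAMPLE_RULES)):
        print(f"rule {rule_id:>3}  {severity:<8} {message}")
```

On the sample data the script reports rule 20 (RDP from any) and rule 50 (8443 from any) as critical, rule 70 as the any-any outbound rule, and rule 40 as shadowed: the broad deny at rule 30 sits above the narrower allow, so the allow never matches, which is the ordering mistake the "shadow rules" finding describes. The shadow check is deliberately conservative: it only reports a rule when an earlier rule covers every field, so it produces no false positives but will miss partial overlaps.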

Common Firewall Audit Findings

Finding                              | Severity | Why It Matters
Any-any outbound rule                | High     | Allows all protocols to all destinations; malware communicates freely.
RDP/SSH open to internet             | Critical | Brute-forced within hours. Should be behind the VPN.
VPN without MFA                      | Critical | A single password grants full network access.
Default admin password               | Critical | Manufacturer defaults are publicly documented online.
Management UI on WAN interface       | Critical | Admin panel reachable from the internet; firmware bugs and credential attacks need no other access.
Firmware more than 12 months old     | High     | Known CVEs likely unpatched.
Shadow rules / never-matching rules  | Medium   | Indicate poor hygiene and hide the real exposure.
No logging configured                | High     | Incidents cannot be detected or investigated.
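Step 6 asks for alerts on denied-traffic spikes, authentication failures and policy changes, and the "No logging configured" finding above is what makes all three impossible. The following Python is an added example of that detection logic run over sample log lines; it is not the page's code and not any vendor's log format. The key=value syslog layout, field names and sample events are constructed for the example, so map your device's fields (FortiGate, ASA, PAN-OS and Sophos all name them differently) to these before use.

```python
"""Firewall log triage for the three alert types in step 6. Added example,
not VantagePoint's code. The key=value log format below is constructed for
the example; map your vendor's syslog fields to these names before use.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import shlex


def _constructed_logs():
    """Sample lines: a port-scan burst, a VPN password attack, a policy change."""
    base = datetime(2026, 5, 3, 9, 0, 0)

    def stamp(delta):
        return (base + delta).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(30):  # 30 denies in 30 seconds from one host: a spike
        lines.append(f"{stamp(timedelta(seconds=i))} event=traffic action=deny "
                     f"src=198.51.100.7 dst=203.0.113.20 dport={3389 if i % 2 else 22} proto=tcp")
    for i in range(3):   # background noise: 3 denies over 6 minutes from another host
        lines.append(f"{stamp(timedelta(minutes=3 * i))} event=traffic action=deny "
                     f"src=192.0.2.9 dst=203.0.113.10 dport=23 proto=tcp")
    for i in range(6):   # 6 VPN login failures for one account, then a success
        lines.append(f"{stamp(timedelta(seconds=40 + i))} event=auth action=fail "
                     f"user=admin src=198.51.100.7 service=vpn")
    lines.append(f"{stamp(timedelta(seconds=46))} event=auth action=success "
                 f"user=admin src=198.51.100.7 service=vpn")
    lines.append(f'{stamp(timedelta(minutes=5))} event=policy_change admin=jsmith '
                 f'rule=70 change="src any -> any"')
    return lines


SAMPLE_LOGS = _constructed_logs()


def parse_line(line):
    """'<ISO timestamp> k=v k=v ...' -> dict; quoted values are handled by shlex."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def deny_spikes(events, window=timedelta(seconds=60), threshold=20):
    """Sources with >= threshold denies inside any sliding time window."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event") == "traffic" and e.get("action") == "deny":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((src, peak))
    return alerts


def auth_failures(events, threshold=5):
    """(user, src) pairs with >= threshold failed logins."""
    counts = Counter((e["user"], e["src"]) for e in events
                     if e.get("event") == "auth" and e.get("action") == "fail")
    return [(pair, n) for pair, n in counts.items() if n >= threshold]


def policy_changes(events):
    """Every rule-base change is worth an alert, regardless of count."""
    return [e for e in events if e.get("event") == "policy_change"]


def triage(lines):
    events = [parse_line(line) for line in lines]
    return {"deny_spikes": deny_spikes(events),
            "auth_failures": auth_failures(events),
            "policy_changes": policy_changes(events)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOGS).items():
        print(kind, items)
```

The deny-spike detector uses a sliding window rather than fixed one-minute buckets so a burst straddling a minute boundary is not split in two and missed. The thresholds are assumptions to tune against your own baseline: on a busy internet-facing device 20 denies per minute from one source may be routine scanner noise, in which case raise the threshold or restrict the check to sensitive destination ports.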

Platform-Specific Notes

Fortinet FortiGate
Check the FortiOS version against the current release and Fortinet's PSIRT advisories. Enable logging on the implicit deny policy (logging of violation traffic is off by default), otherwise blocked inbound scans never appear in your logs. If SSL deep inspection is used, confirm the FortiGate CA certificate is distributed to endpoints, and do not mistake certificate-inspection mode for full decryption. FortiOS evaluates policies top-down and the first match wins, so check for broad any-to-any allow policies placed above more specific deny policies, which render those denies dead.
Cisco ASA / FTD
Review access-list hit counts (show access-list): zero-hit rules are candidates for removal. Check failover sync status if the devices run as an HA pair. Verify that ASDM or FMC management access is restricted to the admin VLAN only.
Palo Alto Networks
Review security policies where both application and service are set to "any". Check that App-ID is used rather than port-based service objects where possible, so rules match on identified applications rather than whatever happens to use TCP 443. Verify the Panorama management interface is not internet-accessible.
Sophos Firewall (XG / XGS)
Check WAF rules if web servers are published through the firewall. Verify the IPS policy action is set to drop rather than detect-only. Verify Sophos Central sync is current if the device is managed via the cloud console.

Frequently Asked Questions

What should a firewall security audit check?
A firewall security audit should check: inbound and outbound rule bases for unnecessary allows, VPN configuration and authentication, zone design and network segmentation, management interface exposure, default credentials, logging and alerting status, and firmware patch level.
How often should you audit your firewall?
Firewall rule bases should be reviewed at least annually, and immediately following any significant network change such as a new remote access setup, cloud connectivity, or infrastructure additions. High-risk environments should review quarterly, and PCI DSS requires that network security control configurations, firewalls included, be reviewed at least every six months.

Check Your Perimeter Security Score

The free VP Audit assessment includes a dedicated Perimeter & Connectivity domain covering firewall posture, VPN configuration, and remote access controls.
