
    Firewall Configuration: How to Do It Right? Avoid These Mistakes and Secure Your Network

    Date: 25.03.2025



    A firewall is a key component of an IT security infrastructure. But even the best hardware and most advanced features won’t protect your network if they’re misconfigured. In reality, most threats stem not from a lack of a firewall, but from its incorrect use. In this article, we examine the most common firewall configuration errors, dividing them into two main categories: negligence (i.e., lack of configuration, documentation, and maintenance) and configuration errors. Both groups lead to real threats that can (and should) be effectively mitigated.

    Part I: Negligence That Opens the Door to Attackers

    There will be no surprises here. In this section, I’ll show you the mistakes we encounter during infrastructure audits. While everyone seems to know not to make them, with growing needs and overloaded IT teams, they’re easy to fall into.

    Lack of firewall configuration documentation

      Without documentation there is no transparency, and without transparency there is no control. Administrators operate blindly, unaware of which rules already exist and what they are for. This leads to duplicated policies, inconsistencies, and problems during incidents. Missing documentation also means non-compliance with regulations and standards such as NIS2, ISO 27001, and PCI-DSS. Without a history of rule changes, analysing a security incident is harder, because it is unclear who made a modification and when.

      Documenting policies, their purpose, scope, and duration is essential, although I don’t know any engineer who is passionate about creating new documents. Fortunately, this can be made easier by using scripts for exporting and analyzing rules.

      How to maintain firewall documentation? Checklist.

      • Document every rule: purpose, IP range, ports, and reason for implementation.
      • Use dedicated configuration management systems that can automatically document changes, such as:
      • Use version control to track changes. Git or another versioning tool is useful here.
      • Review and update documentation regularly to eliminate unnecessary or outdated rules.
      • Use change management. Every change should be approved and documented in a ticketing system (e.g., Jira, ServiceNow).

      Lack of logging and monitoring of firewall events

        A firewall that doesn’t log traffic is practically blind. Without logs, you won’t be able to identify or explain an incident. Outgoing traffic to C2 servers, brute-force attacks on SSH, port scanning – all of this will go unnoticed. Logs should be sent to a SIEM (e.g., Splunk, Graylog) and analyzed. Setting logging levels and alerting is a minimum.

        Although it may seem hard to believe, organizations often rely solely on default firewall settings, which may not record all key events. Without systematic log analysis, it’s difficult to identify attacks such as port scanning, unauthorized access attempts, or network traffic anomalies. From a procedural perspective, ISO 27001, NIS2, GDPR, and PCI-DSS standards require the retention of logs as potential evidence in audits.

        How to log events on the firewall?

        • Enable logging in the firewall and configure logging for allowed and blocked traffic.
        • Redirect logs to SIEM systems (e.g., Splunk, Graylog, ELK, Wazuh, etc.).
        • Configure alerts for suspicious events, keyed to log severity (critical, warning, informational, debug).
        • Regularly analyze logs for anomalies. Set log retention to meet legal requirements within the storage you have available.
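The kind of analysis the checklist asks for, on the two attack types named above (SSH brute force and port scanning), as an added example that is not code from the article or from Grandmetric. The log lines are constructed in a vendor-neutral key=value style with RFC 5737 documentation addresses; a real SIEM rule would use the vendor's field names.

```python
"""Detection over firewall logs: SSH brute-force and port-scan indicators.

Added example, not code from the article or Grandmetric. A firewall only sees
connection attempts, so "ssh-brute-force" here means many connections to
tcp/22 from one source inside a short window; the authentication failures
themselves live in the SSH server's own logs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed, vendor-neutral record layout for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line: str):
    """Return an event dict, or None for a line that is not a connection record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["spt"], ev["dpt"] = int(ev["spt"]), int(ev["dpt"])
    return ev


def is_ssh(ev: dict) -> bool:
    return ev["proto"] == "tcp" and ev["dpt"] == 22


def detect(lines, window_s=60, ssh_threshold=5, scan_threshold=8):
    """Return (alerts, unparsed_count).

    alerts is a list of (source IP, indicator, peak count). Each source's
    events are scanned with a sliding time window, so a burst triggers while
    the same number of attempts spread over hours does not.
    """
    by_src = defaultdict(list)
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # keep count: a broken log pipeline is itself a finding
            continue
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        ports, ssh_hits, left = Counter(), 0, 0
        peak_ssh = peak_ports = 0
        for ev in events:
            ports[ev["dpt"]] += 1
            ssh_hits += 1 if is_ssh(ev) else 0
            # evict events that fell out of the window ending at this event
            while (ev["ts"] - events[left]["ts"]).total_seconds() > window_s:
                old = events[left]
                ports[old["dpt"]] -= 1
                if ports[old["dpt"]] == 0:
                    del ports[old["dpt"]]
                ssh_hits -= 1 if is_ssh(old) else 0
                left += 1
            peak_ssh = max(peak_ssh, ssh_hits)
            peak_ports = max(peak_ports, len(ports))
        if peak_ssh >= ssh_threshold:
            alerts.append((src, "ssh-brute-force", peak_ssh))
        if peak_ports >= scan_threshold:
            alerts.append((src, "port-scan", peak_ports))
    return alerts, unparsed


# Constructed sample log: an SSH burst, a port scan, normal HTTPS, one non-connection line.
SAMPLE_LOG = [
    f"2025-03-25T10:00:0{i}Z fw01 DENY src=203.0.113.10 dst=198.51.100.5 proto=tcp spt={51200 + i} dpt=22"
    for i in range(6)
] + [
    f"2025-03-25T10:05:0{i}Z fw01 DENY src=203.0.113.77 dst=198.51.100.5 proto=tcp spt={40000 + i} dpt={p}"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080])
] + [
    "2025-03-25T10:06:00Z fw01 ALLOW src=198.51.100.20 dst=203.0.113.200 proto=tcp spt=50001 dpt=443",
    "2025-03-25T10:06:03Z fw01 ALLOW src=198.51.100.20 dst=203.0.113.200 proto=tcp spt=50002 dpt=443",
    "2025-03-25T10:07:00Z fw01 kernel: link state changed on port1",
]

if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG)
    print(found, "unparsed lines:", bad)
```

Thresholds and the window are the tuning knobs; the same burst evaluated with a two-second window produces no alert, which is the false-positive trade-off the IPS section below also describes.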

        Lack of software updates and/or security signatures

          Outdated firewalls are not only a threat but also a real cost. A device with firmware that’s three years old may contain known vulnerabilities with available exploit code. Reasons: end of manufacturer support (End of Support or End of Life), lack of an update procedure, lack of a test environment. The same applies to signature updates.

          More mundane consequences include the risk that older IPS/IDS signatures may not detect new threats, and unpatched bugs may cause firewall crashes, incorrect rule handling, or system instability.

          Therefore, regular CVE reviews, patching schedules, and testing are absolutely essential.

          How to update your firewall?

          • Regularly check for available updates. You can do this on official websites and in the manufacturer’s repositories. Check IPS signatures daily and update firmware as soon as a new version is released.
          • Automate the update process whenever possible. Deploy security patches during scheduled maintenance windows, but also remember that patches can impact the operation of the production network.
          • Deploy updates in stages. First, in less critical areas of the network, and then throughout the entire infrastructure.
          • Test new versions in a test environment before deployment. Testing in production is a bad idea.
          • Monitor threats and CVEs related to your firewall, for example, using NIST NVD, Exploit DB, or Threat Intelligence, as well as information provided by the manufacturer’s PSIRT team.
          • Create a backup before each update. If problems arise, you can easily revert to the previous version.

          Lack of Configuration Backups

            A firewall without backups is a ticking time bomb. After a faulty update, a hardware failure, or a bad configuration change, the device may not be quickly restored. If the firewall is a critical component of the infrastructure, its failure can mean not only a reduced level of security but a complete loss of connectivity.

            Backups should be automatic, encrypted, stored remotely, and tested. Backups before any significant change are standard.

            How to implement a firewall backup policy?

            • Configure a schedule for automatic backups on the firewall.
            • Keep more than one backup. Keeping the last few backups allows you to revert to a stable configuration.
            • Store backups in a location separate from the firewall (e.g., an FTP/SFTP server, backup system, cloud).
            • Test restores. Regularly restore the configuration in a test environment to verify the restore is correct.
            • Back up before any major changes, such as firmware updates, changes to security rules or policies.
            • Encrypt and protect your backups from unauthorized access.

            Part II: Firewall Configuration Errors That Put Your Network at Risk

            And so we come to the second type of errors, those that don’t result from negligence, but from a lack of knowledge about how to properly configure individual features or how to leverage their potential to secure your connection to the Internet.

            Overly Complex or Inconsistent Configuration

              Rules that are difficult to understand are also difficult to manage. When policies are created ad hoc, without clear rules and reviews, security holes and rule conflicts arise. Examples? Broad “ANY-ANY” rules that open uncontrolled access, unnecessary exceptions that allow unauthorized traffic, or blocking that interferes with the operation of critical services.

              Too many suboptimal rules also impact firewall performance and complicate management. Lack of consistency means chaos, and chaos in a security system is a recipe for incidents. Organizations required to comply with standards such as ISO 27001, NIS2, or PCI-DSS should take particular care to maintain transparent and consistent access policies, with regular reviews and documentation of every change.

              A firewall should be logical, zoned, and easy to understand. The use of groups, comments, and the “restrictive first” principle is essential.

              How to simplify firewall configuration?

              • Analyze rules (e.g., quarterly) to eliminate obsolete and unused entries.
                • Eliminate duplicate and overlapping rules.
                • Optimize the order of rules (most restrictive at the top, general at the bottom).
                • Regularly check rules for compliance with internal policies and legal requirements.
                • Use firewall policy hit counters to identify unused rules.
                • Use rules with a schedule; automatically disabling a policy after a specified time will make it easier to purge the firewall of unnecessary policies.
              • Establish standards for security policies.
                • Use uniform naming schemes for rules (e.g., “Allow_HTTP_Internal_to_DMZ”).
                • Define clear policies for different network zones (LAN, DMZ, WAN).
                • Use the principle of least privilege (Least Privilege).
              • Segment the network.
                • Use objects, IP address groups, and port groups instead of individual entries.
                • Automate rule management. Use tools like Ansible, Terraform, Firepower Management Center (Cisco), Panorama (Palo Alto), or Check Point SmartConsole.
              • Keep your documentation organized (yes, I know, it’s boring, but necessary).
                • Use a ticketing system (e.g., JIRA, ServiceNow) to track changes. Implement a Change Management policy where every change goes through testing and approval.
                • Test and validate new rules. Simulate the impact of new rules on network traffic before implementing them.
              • Use penetration testing to detect potential configuration vulnerabilities.
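The documentation checklist (purpose of every rule) and the simplification checklist above (ANY-ANY rules, duplicates and overlaps, rule order, hit counters) can all be checked by one script run over a rule export. The following is an added example, not code from the article or from Grandmetric; its rule format is constructed and vendor-neutral, so a real export needs a parser for the vendor's own format first.

```python
"""Offline audit of an exported firewall rule base.

Added example, not code from the article or Grandmetric. It reports rules
with no documented purpose, broad ANY-ANY allows, rules shadowed by an
earlier broader rule (an ordering problem: the later rule can never match,
and an exact duplicate is the special case) and rules whose hit counter
shows they are unused.
"""
from dataclasses import dataclass

ANY = "any"  # wildcard marker for a source, destination or port field


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset      # zones or networks, or frozenset({ANY})
    dst: frozenset
    ports: frozenset    # "tcp/443"-style entries, or frozenset({ANY})
    action: str         # "allow" or "deny"
    comment: str = ""   # purpose and change ticket, per the documentation checklist
    hits: int = 0       # policy hit counter exported with the rule


def covers(a: frozenset, b: frozenset) -> bool:
    """True when field set `a` matches everything that field set `b` matches."""
    return ANY in a or (ANY not in b and b <= a)


def is_any_any(rule: Rule) -> bool:
    """An allow rule with wildcard source, destination and port."""
    return rule.action == "allow" and all(
        ANY in field for field in (rule.src, rule.dst, rule.ports)
    )


def shadowed_by(rules: list, index: int):
    """Name of the first earlier rule that fully covers rules[index], if any."""
    rule = rules[index]
    for earlier in rules[:index]:
        if (covers(earlier.src, rule.src) and covers(earlier.dst, rule.dst)
                and covers(earlier.ports, rule.ports)):
            return earlier.name
    return None


def audit(rules: list) -> list:
    """Return (rule name, finding) pairs in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.comment.strip():
            findings.append((rule.name, "undocumented"))
        if is_any_any(rule):
            findings.append((rule.name, "any-any"))
        shadow = shadowed_by(rules, i)
        if shadow:
            findings.append((rule.name, f"shadowed by {shadow}"))
        if rule.hits == 0:
            findings.append((rule.name, "unused"))
    return findings


# Constructed sample export: five rules in the order the firewall evaluates them.
SAMPLE_RULES = [
    Rule("Allow_HTTP_Internal_to_DMZ", frozenset({"LAN"}), frozenset({"DMZ"}),
         frozenset({"tcp/80", "tcp/443"}), "allow", "CHG-1234: intranet web", 5120),
    Rule("Allow_Legacy_FTP", frozenset({"LAN"}), frozenset({"DMZ"}),
         frozenset({"tcp/21"}), "allow", "CHG-0980: old file server", 0),
    Rule("Allow_Mgmt_SSH", frozenset({"MGMT"}), frozenset({"FW"}),
         frozenset({"tcp/22"}), "allow", "CHG-1301: admin SSH from jump host", 41),
    Rule("Temp_Any", frozenset({ANY}), frozenset({ANY}), frozenset({ANY}),
         "allow", "", 88000),
    Rule("Deny_Guest_to_LAN", frozenset({"GUEST"}), frozenset({"LAN"}),
         frozenset({ANY}), "deny", "Segmentation: guests never reach LAN", 0),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

In the sample, the zero hit count on the guest deny is not a reason to delete it: the finding next to it shows the rule is shadowed by the undocumented ANY-ANY allow above it, which is the entry that has to go.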

              Improperly Assigning Permissions

                If everyone can do everything, it means no one controls anything. Excessive permissions lead to escalation, accidental errors, and difficult-to-detect changes. Excessive user permissions or a lack of role separation increases the risk of both intentional and accidental security breaches.

                RBAC, least privilege, audits, and logging of administrative operations are the absolute minimum if you want to comply with security standards that require the principle of least privilege (Least Privilege).

                How to Properly Manage Firewall Permissions?

                • Use the principle of least privilege (Least Privilege). Assign users only the permissions necessary to perform their duties.
                • Implement Role-Based Access Control (RBAC). Define system roles (e.g., administrator, operator, auditor) and assign permissions based on them.
                • Separate roles so that one person cannot approve and implement changes simultaneously (e.g., split between configuration and log review).
                • Use MFA (multi-factor authentication) for administrative accounts. See Cisco Duo or YubiKey for reference.
                • Review roles and permissions regularly (at least quarterly) to remove unnecessary access.
                • Log and monitor administrator activities. Log all firewall operations and analyze them in the SIEM system.
                • Control access based on time and location. Restrict administrator logins to specific IP addresses and business hours.
                • Encrypt and securely store credentials, for example in a PAM (Privileged Access Management) tool.

                Lack of network segmentation. A fundamental, but not isolated, mistake.

                  A flat address space is a haven for malware. The lack of VLAN division and inter-segment policies invites lateral movement. Without segmentation, it’s difficult to monitor, restrict, and isolate. The solution? VLANs, firewall zones, micro-segmentation, and the principle of least privilege.

                  How to implement network segmentation?

                  • Divide your network into VLANs. This will separate internal traffic based on function (e.g., VLANs for users, VLANs for servers, VLANs for IoT).
                  • Define security zones on your firewall. Define access policies between segments (e.g., DMZ, LAN, WAN, OT).
                  • Apply the principle of least privilege (Least Privilege). This will allow you to restrict access to services based on the actual needs of users and systems.
                  • Use internal firewalls (Internal Segmentation Firewalls, ISFWs) that filter traffic between VLANs.
                  • Use micro-segmentation, which virtually restricts access at the application level. You can use Cisco TrustSec, VMware NSX, or Zero Trust Network Access for this purpose.
                  • Monitor traffic between segments. Using IDS/IPS or SIEM systems to analyze logs from network segments can help.
                  • Regularly verify that access policies are effective and aligned with organizational requirements.

                  Lack of two-factor authentication for firewalls and VPNs

                    A password is not enough. If a password is leaked or compromised, an attacker can gain complete control of the network infrastructure. In the age of phishing and credential stuffing, the lack of MFA is like an open door. All administrative and VPN access should require two-factor authentication (e.g., Duo, RSA, TOTP applications).

                    How to implement MFA for firewalls and VPNs? A step-by-step checklist.

                    • Implementing MFA for a firewall
                      • If the firewall supports native MFA, it should be enabled (e.g., FortiGate, Palo Alto, Cisco ASA).
                      • If not, it’s worth integrating the firewall with an LDAP/RADIUS service and enforcing MFA through an IAM system (e.g., Azure AD, Okta, Duo Security).
                    • Implementing MFA for a VPN
                      • Configure two-factor authentication at the VPN server level.
                      • Use mobile apps to generate codes (Google Authenticator, Microsoft Authenticator, Duo Security).
                      • Use hardware tokens (YubiKey, RSA SecurID) or digital certificates.
                    • Integration with a central identity management (IAM) system
                      • Connect with Active Directory, Azure AD, Okta, Keycloak, FreeIPA, etc.
                      • Enforce MFA policies for specific roles and devices.
                      • Enforce MFA for access from external locations.
                      • Require additional authorization for logins from outside the trusted corporate network.
                    • Monitoring and Testing
                      • Set alerts for failed login attempts and unusual locations.
                      • Regularly verify that all administrative accounts have MFA enabled.
                      • Test security effectiveness, for example, through Red Teaming or SOC audits.

                    IPS Not Tailored to Network Needs

                      An Intrusion Prevention System (IPS) is a key element of network security, capable of detecting and blocking suspicious activity, but it must be tailored to the network’s traffic. Too sensitive a configuration generates false positives; too lenient a configuration lets attacks through. Implementation begins in monitoring mode, continues with tuning, and only then moves to prevention mode. SIEM integration, signature updates, incident analysis – everything matters.

                      How to adapt an IPS to your network infrastructure?

                      1. Analyze network traffic before deployment to identify typical traffic patterns. Based on these, create a profile of normal network traffic.
                      2. Disable unused signatures if this impacts firewall performance.
                      3. Prioritize rules based on the current threat landscape (e.g., CVE, malware campaigns).
                      4. Analyze logs to eliminate false positives before moving to active blocking.
                      5. Regularly update IPS signatures and policies. Automatically download updates from the firewall vendor’s databases. Analyze new threats and manually add custom rules (e.g., IOCs).
                      6. Create exceptions for key systems. If the IPS is causing problems with legitimate services, it may be necessary to create exceptions based on source/destination IPs, ports, or applications. Remember to test exceptions before deploying them in a production environment.
                      7. Integrate the IPS with other systems. For example, send IPS logs to a SIEM system to analyze correlations with other events.
                      8. Test whether your IPS is working properly. You can use tools like Scapy, Metasploit, or Atomic Red Team.

                      Lack of Device Hardening

                        A firewall, as a critical component of network protection, also requires protection. Lack of proper hardening exposes it to attacks, configuration errors, and unauthorized access. The most common threat is access to the administration interface from the internet – attackers can then attempt brute-force attacks, exploit vulnerabilities in the management panel, or take over the device using default login credentials. Unused but active services such as SNMP, Telnet, or SSH are also a common problem – if they are not properly secured or simply unnecessary, they constitute an open door.

                        Hardening also involves introducing login restrictions (time, IP address), changing default accounts and passwords, activating MFA, keeping software up to date, and implementing mechanisms for monitoring and protecting administrative sessions. Neglecting these issues not only leaves the device vulnerable but can hand over control of the entire infrastructure – and that is not a mistake, but a disaster.

                        How to harden a firewall?

                        1. Organize firewall access
                          • Restrict access to the administration panel to specific IP addresses or VPNs.
                          • If access from the internet is necessary, use MFA and secure connections with certificates.
                          • Change default credentials. User “admin” and password “admin” are the first thing attackers will check.
                          • Limit the duration of administrative sessions.
                          • Implement access control lists (ACLs) to restrict traffic to the firewall.
                          • Disable unnecessary services. If SSH is necessary, restrict access to specific IP addresses and enforce the use of keys instead of passwords.
                        2. Log activity
                          • Forward logs to the SIEM/Syslog system.
                          • Regularly analyze login attempts and detect anomalies.
                          • Configure IPS to monitor attacks on the management interface.
                        3. Stay up-to-date
                          • Establish a firewall firmware update policy (e.g., quarterly reviews and patch testing) and stick to it! Once a critical vulnerability is identified, minimize update times.
                          • Subscribe to your firewall vendor’s security bulletins.
                          • Perform regular firewall configuration audits.
                        4. Perform penetration tests to verify the effectiveness of your security measures.

                        Skipping Configuration Testing

                          One of the most serious and still underappreciated omissions is the lack of systematic testing of firewall configurations. It’s naive to think that installing a firewall automatically solves all security problems. However, without testing the performance of rules and policies in practice, even the best-looking configuration can prove useless.

                          How to effectively test a firewall configuration?

                          Testing involves several levels. The first is manual configuration audits, in which administrators analyze policies and remove unnecessary entries. The next level is automated audits using specialized tools that identify inconsistencies and potential vulnerabilities. Next come penetration tests and vulnerability analysis using tools such as Nmap, Nessus, and Metasploit, which verify whether the firewall is effectively blocking attacks. Finally, there is performance testing using traffic generators (e.g., Ixia, Spirent, Cisco TRex) to measure the impact of rules on throughput, and environmental testing – conducted in a controlled environment before changes are implemented in production.

                          All of these activities should be supported by log analysis and integrated with the change management policy.

                          Testing is not a luxury – it’s a standard, without which a firewall becomes a mere security façade.
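One concrete form of the "simulate the impact of new rules before implementing them" step from Part II and of the environmental testing described here is a policy regression test: the verdicts the zone design requires are written down as cases, and a candidate rule base is evaluated first-match against every case. The following is an added example, not code from the article or from Grandmetric; the rule and flow formats are constructed and zone-level, and a real test would run the same cases through the vendor's packet-tracer or a lab firewall.

```python
"""Policy regression test for a candidate firewall rule base.

Added example, not code from the article or Grandmetric. The expected
verdicts come from the segmentation design; every mismatch is reported
before the change goes to production.
"""
ANY = "any"
FIELDS = ("src_zone", "dst_zone", "proto", "dport")


def matches(rule: dict, flow: dict) -> bool:
    """A rule matches a flow when every field is equal or a wildcard."""
    return all(rule[f] == ANY or rule[f] == flow[f] for f in FIELDS)


def verdict(rules: list, flow: dict):
    """First matching rule wins; otherwise the implicit final deny applies."""
    for rule in rules:
        if matches(rule, flow):
            return rule["action"], rule["name"]
    return "deny", "implicit-deny"


def describe(flow: dict) -> str:
    return f"{flow['src_zone']}->{flow['dst_zone']} {flow['proto']}/{flow['dport']}"


def run_policy_tests(rules: list, cases: list) -> list:
    """Return (flow, expected, actual, matching rule) for every failed case."""
    failures = []
    for flow, expected in cases:
        actual, by = verdict(rules, flow)
        if actual != expected:
            failures.append((describe(flow), expected, actual, by))
    return failures


def rule(name, src_zone, dst_zone, proto, dport, action):
    return dict(name=name, src_zone=src_zone, dst_zone=dst_zone,
                proto=proto, dport=dport, action=action)


def flow(src_zone, dst_zone, proto, dport):
    return dict(src_zone=src_zone, dst_zone=dst_zone, proto=proto, dport=dport)


# Constructed candidate rule base. The change request adds guest web access
# to the internet, but the destination zone was left as a wildcard.
CANDIDATE_RULES = [
    rule("Allow_HTTP_Internal_to_DMZ", "LAN", "DMZ", "tcp", 443, "allow"),
    rule("Allow_Mgmt_SSH", "MGMT", "FW", "tcp", 22, "allow"),
    rule("Allow_Guest_Internet", "GUEST", ANY, "tcp", 443, "allow"),
    rule("Deny_Guest_All", "GUEST", ANY, ANY, ANY, "deny"),
]

# Expected verdicts derived from the zone design (constructed for the example).
POLICY_CASES = [
    (flow("LAN", "DMZ", "tcp", 443), "allow"),
    (flow("LAN", "DMZ", "tcp", 22), "deny"),
    (flow("MGMT", "FW", "tcp", 22), "allow"),
    (flow("GUEST", "WAN", "tcp", 443), "allow"),
    (flow("GUEST", "LAN", "tcp", 443), "deny"),
    (flow("GUEST", "DMZ", "tcp", 443), "deny"),
    (flow("WAN", "LAN", "tcp", 3389), "deny"),
]

if __name__ == "__main__":
    for failure in run_policy_tests(CANDIDATE_RULES, POLICY_CASES):
        print("FAIL: %s expected %s, got %s via %s" % failure)
```

Narrowing the guest rule's destination to WAN makes every case pass; keeping the cases under version control next to the rule base turns each later change into a re-run rather than a fresh manual review.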

                          Lack of decryption for encrypted traffic

                            The modern network is largely encrypted – HTTPS, TLS, and SSL. If a firewall doesn’t perform SSL inspection, it loses the ability to detect and block threats hidden within the encrypted channel. This is a serious problem, as malware, phishing, and communication with Command and Control servers can occur through encrypted connections. Lack of decryption also means the inability to enforce DLP policies – data can leak through channels the firewall doesn’t understand.

                            Furthermore, IDS/IPS systems are helpless against encrypted exploits, and application control becomes ineffective. Access policies, such as blocking specific HTTP methods, also cannot be effectively enforced without analyzing the content of requests. An organization that doesn’t invest in SSL inspection or doesn’t consciously implement it (with exceptions for online banking, for example), effectively gives up visibility and control over the traffic that constitutes the majority of network transmissions today. It’s like running video surveillance in a company, but with the camera at the main entrance disabled.

                            How to implement encrypted traffic decryption?

                            1. Enable SSL/TLS Inspection on the firewall. Note that you have two inspection modes available: Forward Proxy, which decrypts traffic leaving the network (e.g., users browsing websites), and Inbound Inspection, which decrypts traffic arriving at the organization’s servers (e.g., locally hosted websites). What does this look like on popular firewall models?
                              • FortiGate – Deep SSL Inspection
                              • Palo Alto Networks – SSL Forward Proxy / SSL Inbound Inspection
                              • Cisco Firepower – SSL Decryption
                              • pfSense – Squid + SSL Inspection
                            2. Use your own CA (Certificate Authority) certificate. The firewall generates its own CA certificate, which is then installed on the endpoints (workstations, servers). In corporate environments you can enforce this via GPOs (Group Policy Objects) in Active Directory or directly from the firewall. Mobile devices require manual certificate installation (alternatively, use MDM for them).
                            3. Configure exceptions (bypass). Certain services should be excluded from inspection (e.g., banking, government applications, cloud services that use certificate pinning). The exception list should be known to administrators and regularly updated.
                            4. Ensure efficient hardware resources. Traffic decryption requires significant processing power, which can significantly burden the firewall. Consider dedicated hardware accelerators or spreading traffic across multiple devices.
                            5. Monitor and analyze traffic. After implementing decryption, monitor logs for certificate errors and possible application compatibility issues.

                            Lack of or Improper Application of Security Profiles on Filtered Traffic

                              Improper application of security profiles in network protection devices (e.g., firewalls, IPS, DLP systems) can lead to various security gaps, both through excessive and insufficient traffic filtering. Well-configured profiles are crucial for effective threat defense, while incorrect configuration can result in undesirable consequences, such as blocking legitimate traffic or leaving the network open to attacks. Furthermore, they can unnecessarily burden the firewall.

                              How to Implement Appropriate Security Profiles?

                              1. Start with a needs and risk analysis. Before configuring profiles, it’s important to thoroughly understand which applications, services, and users require network access and what threats may exist within the organization. Then, identify risks related to unauthorized access, use of dangerous applications, and data leakage.
                              2. Assign policies to user groups and network segments. Design network segments that require different levels of protection (e.g., remote users, guests, employees). Group users based on their roles (e.g., administrators will have different access than standard users). Establish separate policies for mobile devices due to the risks associated with their connection to external networks.
                              3. Configure profiles that determine which ports can be used on a given network. Assign security profiles for different types of services (HTTP, FTP, SSH) to block unauthorized services.
                              4. Define rules for application profiles. Use Application Control technologies that block unauthorized P2P applications, instant messaging clients, and tunneling tools. It’s worth using dedicated application signature databases – for example, FortiGate, Cisco, and Palo Alto have built-in application databases that allow traffic filtering based on detected applications. Application policies allow you to control which applications can use the network.
                              5. Regularly review and update profiles.

                              Firewalls are like seat belts

                              They work, but only if they’re properly installed. A firewall can be incredibly effective, but it requires knowledge, discipline, and a systematic approach. Eliminating negligence, precise configuration, audits, and documentation aren’t add-ons—they’re the foundation. Because, as the examples above show, the biggest enemy of a network isn’t an attacker, but a false sense of security.

                              If you’re unsure whether your organization’s advanced firewalls are fulfilling their role and operating in accordance with best practices and security policies, it’s worth scheduling an infrastructure security audit. We regularly conduct such audits for our clients.

                              Recommended read:

                              1. Hardening of a Cisco firewall https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v72.html
                              2. Network Infrastructure Security Guide NSA https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
                              3. NIST guidelines on firewall and firewall policies 

                              Author

                              Jakub Grzelski

                              Senior Systems Engineer | Network&Security • Delivery & Maintenance
