Most firewall breaches come from misconfiguration, not software flaws. These best practices focus on the configuration choices and operational habits that actually reduce risk. Apply them as a baseline, then use regular review to confirm your firewall stays aligned with them over time.
Rule design and least privilege
- Default-deny: block everything, then explicitly permit only what is required
- Scope every rule to specific sources, destinations and services — avoid any/any
- Avoid 'any' in the service field; specify exact ports and protocols
- Avoid 'any' in source and destination; use precise address objects
- Document the business justification and owner for every rule
- Use descriptive, consistent naming for rules and objects
- Group related objects logically instead of duplicating them
- Order rules so specific rules precede broad ones; avoid shadowing
- Remove temporary rules on a defined expiry, not 'eventually'
- Re-validate that each rule still reflects a current business need
Segmentation and architecture
- Segment the network into zones based on trust and function
- Isolate sensitive environments (cardholder data, OT, ePHI) into dedicated zones
- Enforce least privilege between zones, not just at the perimeter
- Place public-facing services in a DMZ, never directly on internal networks
- Restrict lateral movement by limiting east-west traffic
- Separate management traffic onto a dedicated network where possible
- Use explicit deny rules with logging at zone boundaries
- Avoid trust relationships that bypass the firewall between zones
Management and administrative security
- Never expose management interfaces to the internet
- Restrict administrative access to specific trusted source addresses
- Use strong, unique admin credentials and enforce MFA
- Disable unused administrative protocols and services
- Use HTTPS/SSH only for management; disable insecure protocols
- Apply role-based access so admins have only the rights they need
- Keep firmware and security signatures patched and current
- Change all default accounts and credentials before deployment
Logging and monitoring
- Enable logging on security-relevant rules, including denies
- Forward logs to a central SIEM or log server for retention
- Ensure logs are time-synchronized via NTP
- Alert on suspicious patterns and policy violations
- Retain logs long enough to meet compliance and investigation needs
- Review logs to confirm rules behave as intended
VPN and remote access
- Use strong, modern encryption and key-exchange parameters
- Disable weak or deprecated ciphers and DH groups
- Scope VPN access to only the resources each user or site needs
- Require MFA for remote access wherever possible
- Terminate VPNs into a controlled zone, not directly onto internal LAN
- Review remote-access rules as carefully as internet-facing ones
Maintenance and review
- Review the full rule base at least quarterly, and after major changes
- Identify and remove unused, shadowed and redundant rules
- Track configuration changes with an audit trail and approvals
- Maintain configuration backups and test restoration
- Measure posture over time with a consistent baseline or score
- Re-scan after every change to catch newly introduced risk
- Document each review to satisfy compliance evidence requirements
- Automate review so it actually happens at the needed frequency
- Validate segmentation periodically rather than assuming it holds
- Decommission rules tied to retired systems immediately
- Keep an inventory of internet-facing exposure and minimize it
- Treat the firewall as code: review changes before they ship
Putting it into practice
A list like this is only useful if you can verify your firewall actually follows it. Checking 50 practices by hand across hundreds of rules is exactly the kind of work that does not get done consistently.
FirewallScan automates that verification for FortiGate: it checks your configuration against best-practice baselines, flags every deviation with remediation, and lets you re-check continuously — turning this checklist from aspiration into measurable reality.