Firewall hardening checklist

A focused, step-by-step checklist for hardening a firewall — reducing its attack surface and bringing its configuration in line with security best practice.

7 min readUpdated June 2026

What firewall hardening means

Hardening a firewall means systematically removing weaknesses in its configuration: closing unnecessary access, securing management, enforcing segmentation, and ensuring the device itself is locked down. It is about shrinking what an attacker can do, both through the firewall and to it.

Work through this checklist in order. Each step reduces exposure, and together they move a firewall from 'functional' to 'genuinely hardened'.

1. Secure the device itself

  • Change all default credentials and remove default accounts
  • Restrict administrative access to specific trusted source IPs
  • Disable management access on internet-facing interfaces
  • Enforce MFA and role-based access for administrators
  • Disable unused services, protocols and interfaces
  • Keep firmware and signatures patched and up to date

2. Enforce default-deny and least privilege

  • Ensure an explicit default-deny stance for all traffic
  • Remove or tighten any any/any and overly permissive rules
  • Scope every rule to specific sources, destinations and services
  • Eliminate shadowed and redundant rules
  • Add explicit deny-and-log rules at trust boundaries

3. Strengthen segmentation

  • Define zones by trust level and function
  • Isolate sensitive systems into dedicated, tightly controlled zones
  • Limit east-west traffic to constrain lateral movement
  • Place public services in a DMZ, never on internal networks
  • Verify that segmentation actually enforces the intended boundaries

4. Lock down VPN and remote access

  • Disable weak ciphers and outdated key-exchange groups
  • Use strong, modern encryption for all tunnels
  • Scope remote access to only the necessary resources
  • Require MFA for remote connections
  • Terminate VPNs into a controlled zone, not the internal LAN

5. Enable logging and ongoing review

  • Enable logging on security-relevant rules, including denies
  • Forward logs centrally and synchronize time via NTP
  • Back up the configuration and test restoration
  • Schedule regular reviews — and automate them where possible
  • Re-scan after every change to confirm the hardening holds

Verify your hardening continuously

Hardening is not a one-time event — configurations drift as changes accumulate. The only way to know your firewall stays hardened is to re-check it regularly against a baseline.

FirewallScan automates that check for FortiGate, confirming each item on this checklist and flagging any regression so your firewall stays hardened over time, not just on the day you finished the work.

Frequently asked questions

Stop reviewing firewall rules by hand

FirewallScan reads your FortiGate configuration with AI and turns it into prioritized, fixable findings. Book a demo to see it on your own setup.