The traditional cadence
Conventional guidance is to review firewall rules at least quarterly, with a hard floor of every six months for regulated environments. That cadence reflects a manual reality: reviews are expensive, so they are done as infrequently as risk and compliance allow.
The problem is that firewalls do not change on a quarterly schedule. They change whenever a project ships, an incident is fixed, or an exception is granted — which means a configuration reviewed in January can be dangerously misconfigured by March.
What compliance frameworks require
- PCI DSS: firewall and router rule sets reviewed at least every six months, documented
- ISO 27001: regular, documented review of network controls as part of the ISMS
- SOC 2: evidence that network controls operate effectively across the audit period
- NIS2: risk-based, demonstrably reviewed network security measures
Why point-in-time review is not enough
Any review is a snapshot. The moment a rule changes, the snapshot is out of date. The gap between scheduled reviews is precisely where risky temporary rules calcify and where misconfigurations go unnoticed.
For frameworks like SOC 2 Type II that care about controls operating effectively over time, a single annual review is also weak evidence — it shows the control happened once, not that it operates continuously.
The case for continuous review
The ideal cadence matches your change cadence: review the firewall whenever it changes. Until recently that was impossible to do manually, but automated analysis makes it realistic.
Because tools like FirewallScan return a full review in minutes, teams can re-check the configuration after every change set, keeping risk low and producing a continuous trail of evidence rather than periodic snapshots.