How often should you review firewall rules?

The short answer: at least every six months, ideally quarterly, and after every significant change. The better answer: as often as your firewall changes — which automation now makes practical.

5 min readUpdated June 2026

The traditional cadence

Conventional guidance is to review firewall rules at least quarterly, with a hard floor of every six months for regulated environments. That cadence reflects a manual reality: reviews are expensive, so they are done as infrequently as risk and compliance allow.

The problem is that firewalls do not change on a quarterly schedule. They change whenever a project ships, an incident is fixed, or an exception is granted — which means a configuration reviewed in January can be dangerously misconfigured by March.

What compliance frameworks require

  • PCI DSS: firewall and router rule sets reviewed at least every six months, documented
  • ISO 27001: regular, documented review of network controls as part of the ISMS
  • SOC 2: evidence that network controls operate effectively across the audit period
  • NIS2: risk-based, demonstrably reviewed network security measures

Why point-in-time review is not enough

Any review is a snapshot. The moment a rule changes, the snapshot is out of date. The gap between scheduled reviews is precisely where risky temporary rules calcify and where misconfigurations go unnoticed.

For frameworks like SOC 2 Type II that care about controls operating effectively over time, a single annual review is also weak evidence — it shows the control happened once, not that it operates continuously.

The case for continuous review

The ideal cadence matches your change cadence: review the firewall whenever it changes. Until recently that was impossible to do manually, but automated analysis makes it realistic.

Because tools like FirewallScan return a full review in minutes, teams can re-check the configuration after every change set, keeping risk low and producing a continuous trail of evidence rather than periodic snapshots.

Frequently asked questions

Stop reviewing firewall rules by hand

FirewallScan reads your FortiGate configuration with AI and turns it into prioritized, fixable findings. Book a demo to see it on your own setup.