What is a firewall audit?

A firewall audit is a structured review of a firewall's configuration and rule base to confirm it enforces least-privilege access, follows best practice, and contains no dangerous or dead rules.

6 min readUpdated June 2026

Definition

A firewall audit is the systematic examination of a firewall's configuration — its policies, address and service objects, NAT rules, VPN settings and management access — to verify that it does what it is supposed to do and nothing more.

The goal is to confirm three things: that access follows the principle of least privilege, that the configuration follows security best practices, and that there are no redundant, shadowed or dead rules quietly adding risk.

What a firewall audit covers

  • Policy review: identifying overly permissive, any/any and unused rules
  • Least-privilege validation: confirming each rule grants only necessary access
  • Segmentation: checking that trust boundaries between zones are enforced
  • Exposure: finding internet-facing and management-plane access that should not exist
  • Hygiene: detecting shadowed, redundant and stale rules and objects
  • VPN and remote access: validating encryption strength and access scope

Why firewall audits matter

Industry data has consistently attributed the overwhelming majority of firewall breaches to misconfiguration rather than software flaws. Firewalls are changed constantly — for projects, incidents and exceptions — and without regular audit, temporary rules become permanent and the rule base drifts ever more permissive.

An audit is how you catch that drift before an attacker does. It is also a compliance requirement: frameworks like PCI DSS mandate firewall rule reviews at least every six months, and ISO 27001, SOC 2 and NIS2 all expect documented review of network controls.

Manual vs automated audits

Traditionally, firewall audits are manual: an engineer exports the configuration and reads every rule, tracing objects and cross-referencing zones. On a mature firewall with hundreds of policies, that is days of work — so audits happen rarely and quality varies with the reviewer.

Automated tools like FirewallScan change the economics. By modeling the configuration and applying a consistent baseline, they return a prioritized, documented audit in minutes — making it practical to audit continuously rather than once a year.

How to run an effective firewall audit

  1. Export the current firewall configuration
  2. Reconstruct the effective policy — how rules actually combine
  3. Check each rule against least-privilege and best-practice baselines
  4. Identify exposure, weak segmentation and dead rules
  5. Prioritize findings by real risk, not just presence
  6. Remediate the highest-impact issues and document the review
  7. Re-audit after changes to confirm fixes and catch new drift

Frequently asked questions

Stop reviewing firewall rules by hand

FirewallScan reads your FortiGate configuration with AI and turns it into prioritized, fixable findings. Book a demo to see it on your own setup.