Firewall Rule Audit & Ruleset Review
A bloated rulebase is a compliance liability and an operational burden. We extract, analyse, and optimise your firewall policies across Palo Alto, Fortinet, Checkpoint, and Cisco estates, delivering a priority-ranked remediation report and a PCI DSS evidence pack for the per-rule business justification requirement (1.1.6 in v3.2.1 numbering, 1.2.5 in v4.0.1). Typical outcome: a 30-50% reduction in rule count. Fixed pricing from £2,000.
Beyond Rule Usage Stats
Built-in Hit Counts
- Shows hit counts, not security context
- Cannot detect logically shadowed rules
- No cross-rule attack path analysis
- Object duplication not identified
- Does not produce PCI 1.1.6 evidence
CREST-Accredited Analysis
- Shadowed, unused, and overly permissive detection
- Cross-rule attack path identification
- Object consolidation analysis
- PCI DSS 1.1.6 compliance evidence pack
- Priority-ranked clean rulebase specification
What a Clean Rulebase Is Worth
AVERAGE RULESET BLOAT
The typical proportion of rules in an enterprise firewall estate with zero hit count over 90+ days. Dead weight that increases processing overhead and obscures real threats.
TYPICAL RULE REDUCTION
After removing unused, shadowed, and duplicate rules, most estates reduce total rule count by 30-50%, measurably improving throughput and simplifying change management.
PCI DSS REQUIREMENT
PCI DSS requires a documented business justification for every allowed service, protocol and port, and a review of the ruleset at least every six months. In v3.2.1 these are Requirements 1.1.6 and 1.1.7; in v4.0.1 they are renumbered 1.2.5 and 1.2.7. Our report is formatted for direct QSA submission under either numbering.
When to Commission a Rule Audit
Most firewall rule audits are triggered by a compliance deadline, an inherited estate, or operational frustration with a rulebase that has grown beyond control. If any of these scenarios describe your situation, a rule audit provides the clarity you need.
PCI DSS 1.1.6 Audit Deadline
Your QSA has flagged Requirement 1.1.6: no documented business justification exists for your firewall rules. Our audit produces the compliance evidence pack your QSA needs, formatted for direct submission.
Inherited Firewall Estate
You have inherited a firewall rulebase from a departed engineer or offboarded MSP. There is no documentation, no change log, and no clarity on which rules carry legitimate traffic. You need a baseline before assuming responsibility.
Paralysed Change Window
Thousands of rules across multiple gateways. 40% are orphaned from decommissioned projects. Every change window is a gamble because nobody can predict the impact of removing a rule. You need the rulebase mapped before the next change.
Performance Degradation
CPU load on the firewall estate is climbing. A first-match firewall evaluates policy top-down for every new session, so hundreds of legacy rules from decommissioned projects sit in the lookup path, inflate commit and compile times, and bloat every policy export. You need measurable operational improvement, not just a security report.
ISO 27001 Surveillance Audit
ISO 27001 Annex A.8.20 requires documented network security controls including periodic review of firewall rules. The surveillance audit is approaching and your ISMS evidence pack does not contain a dated, externally-verified firewall rule review.
Post-Migration Cleanup
A cloud migration, data centre move, or vendor consolidation has left the rulebase full of rules referencing decommissioned subnets, retired servers, and services that no longer exist. You need the dead weight removed before it masks real security issues.
What We Typically Find
Across every rulebase we audit, the same patterns appear. These are not theoretical risks. They are findings our consultants document in reports issued to UK organisations every month.
ANY/ANY rule from decommissioned project active for 26 months
A temporary ANY/ANY rule was added during a project migration two years ago and never removed. The rule permits unrestricted traffic from a development VLAN to the production database subnet. The original project team has left the organisation, and no change record documents the rule's purpose.
340 shadowed rules in outbound policy create false compliance
Three hundred and forty rules in the outbound policy are logically unreachable because broader permit rules higher in the rulebase intercept all matching traffic. Compliance reviews documented these rules as "restrictive controls" when they have never been evaluated by the firewall engine.
Temporary incident-response rule left permanently active
During an incident, a rule was added granting the incident response team broad access across all zones. The incident was closed six months ago but the rule remains active with a comment reading "TEMPORARY - remove after IR." It permits any source to reach any destination on ports 22, 443, and 3389.
87 duplicate address objects inflating rulebase complexity
Eighty-seven address objects reference identical IPs or overlapping subnets under different names (e.g., "WebServer01", "Web-Svr-01", "10.1.2.50/32"). This duplication means a single IP change requires updating multiple objects across multiple rules, increasing the risk of incomplete changes and inconsistent enforcement.
480 rules with zero hit count in 180+ days consuming CPU
Four hundred and eighty rules have recorded zero traffic matches in over six months. On a first-match firewall, policy is evaluated top-down when each new session is set up (established sessions are matched from the session table), so dead rules placed above live ones add lookup work to every session setup and obscure the rules that are actually enforcing security policy.
60% of rules lack documented business justification
Sixty percent of active firewall rules have no documented business justification, no change ticket reference, and no identified owner. PCI DSS Requirement 1.1.6 requires each rule to carry a documented business need. The current state would result in a non-conformity finding during QSA assessment.
Most enterprise rulebases we audit have at least two Critical and five or more High findings on first independent assessment.
What We Analyse
We analyse your full ACL and object database against traffic logs, compliance requirements, and least-privilege principles. The output is not a findings list. It is a clean rulebase specification with every recommendation ranked, justified, and ready to implement.
Unused Rules
We identify rules with zero hit counts over 90+ days. On Palo Alto estates, we correlate security policy hit counts against 90-day traffic logs exported via Panorama or the PAN-OS API. On FortiGate, we analyse policy usage statistics from FortiAnalyzer where available. Removing these rules reduces processing overhead and eliminates potential backdoors left from old projects. A zero hit count is evidence of disuse, not proof of it: rules that serve DR failover, quarterly batch jobs or annual processes can legitimately show no hits in a 90-day window, which is why removals follow the "Disable then Delete" approach rather than immediate deletion.
Shadowed Rules
We detect rules that are technically active but logically unreachable because a broader rule above them intercepts the traffic first. We also check for rules that no single earlier rule covers but that are fully covered by the union of several earlier rules, a case simple pairwise comparison misses. Shadow rule detection on Checkpoint estates requires evaluating both ordered layers and inline layers of the unified policy, a distinction automated tools frequently get wrong.
Overly Permissive
We flag rules using ANY in Source, Destination, or Service fields. On Palo Alto platforms we specifically flag rules whose application is set to any (no App-ID constraint, so only service/port limits the match), and on FortiGate we flag policies whose service is ALL, which often pre-date migration from port-based to application-based rulesets. These configurations often violate PCI DSS and allow lateral movement.
Object Consolidation
We identify duplicate address objects (such as Server-Web and Web-Svr) effectively pointing to the same IP. Consolidation simplifies management, reduces rule complexity, and eliminates the ambiguity that causes errors during change windows.
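The four static checks above (unused, shadowed, overly permissive, duplicate objects) can be demonstrated on a small constructed rulebase. The script below is an added example written for this page, not a client deliverable or any vendor's tooling: the object table and five-rule policy are made up, the rule model is vendor-neutral (source, destination, protocol/port range, action, hit count), and it generalises the shadow check slightly by reporting a same-action cover as "redundant" and a different-action cover as "shadowed". It only detects coverage by a single earlier rule; coverage by the union of several earlier rules is left out deliberately and noted in a comment.

```python
"""Static rulebase checks: shadowed/redundant, unused, overly permissive, duplicate objects.

Added example with a constructed object table and rulebase; not taken from any real estate.
"""
from collections import defaultdict
from ipaddress import ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_SVC = ("any", 0, 65535)  # (protocol, first port, last port)

# Constructed address-object table: name -> CIDR. Three names resolve to the same host.
OBJECTS = {
    "WebServer01": "10.1.2.50/32",
    "Web-Svr-01": "10.1.2.50/32",
    "10.1.2.50/32": "10.1.2.50/32",
    "Dev-VLAN": "10.20.0.0/16",
    "Prod-DB": "10.1.3.0/24",
    "any": "0.0.0.0/0",
}

# Constructed rulebase in top-down, first-match order. "hits" = matches over the log window.
RULES = [
    {"name": "dev-to-prod-db",  "src": "Dev-VLAN",    "dst": "Prod-DB",     "svc": ANY_SVC,             "action": "allow", "hits": 4312},
    {"name": "web-https",       "src": "any",         "dst": "WebServer01", "svc": ("tcp", 443, 443),   "action": "allow", "hits": 99012},
    {"name": "web-https-dup",   "src": "any",         "dst": "Web-Svr-01",  "svc": ("tcp", 443, 443),   "action": "allow", "hits": 0},
    {"name": "dev-db-restrict", "src": "Dev-VLAN",    "dst": "Prod-DB",     "svc": ("tcp", 5432, 5432), "action": "deny",  "hits": 0},
    {"name": "old-backup",      "src": "10.9.0.0/24", "dst": "Prod-DB",     "svc": ("tcp", 22, 22),     "action": "allow", "hits": 0},
]


def resolve(ref):
    """Map an address-object name, or a literal CIDR, to a network."""
    return ip_network(OBJECTS.get(ref, ref), strict=False)


def svc_covers(outer, inner):
    """True if service `outer` matches every packet that `inner` matches."""
    proto_ok = outer[0] == "any" or outer[0] == inner[0]
    return proto_ok and outer[1] <= inner[1] and inner[2] <= outer[2]


def rule_covers(outer, inner):
    """True if `outer` would intercept every packet `inner` could match."""
    return (resolve(inner["src"]).subnet_of(resolve(outer["src"]))
            and resolve(inner["dst"]).subnet_of(resolve(outer["dst"]))
            and svc_covers(outer["svc"], inner["svc"]))


def find_shadowed(rules):
    """Rules fully covered by ONE earlier rule: name -> (covering rule, 'shadowed'|'redundant').

    Limitation: a rule covered only by the union of several earlier rules is not detected here.
    """
    out = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                kind = "redundant" if earlier["action"] == rule["action"] else "shadowed"
                out[rule["name"]] = (earlier["name"], kind)
                break
    return out


def find_unused(rules, shadowed):
    """Reachable rules with zero hits. Shadowed rules are excluded: their zero is structural."""
    return [r["name"] for r in rules if r["hits"] == 0 and r["name"] not in shadowed]


def find_permissive(rules):
    """Allow rules with ANY in source, destination or service: [(name, [wide fields])]."""
    out = []
    for r in rules:
        if r["action"] != "allow":
            continue
        wide = [f for f in ("src", "dst") if resolve(r[f]) == ANY_NET]
        if r["svc"][0] == "any":
            wide.append("svc")
        if wide:
            out.append((r["name"], wide))
    return out


def find_duplicate_objects(objects):
    """Group object names by the network they resolve to; keep groups with more than one name."""
    by_net = defaultdict(list)
    for name, cidr in objects.items():
        by_net[str(ip_network(cidr, strict=False))].append(name)
    return {net: names for net, names in by_net.items() if len(names) > 1}


def remediation_plan(rules):
    """Stage findings the way the audit report ranks them: disable first, review second."""
    shadowed = find_shadowed(rules)
    return {
        "disable_then_delete": sorted(shadowed) + find_unused(rules, shadowed),
        "review_scope": [name for name, _ in find_permissive(rules)],
        "shadowed": shadowed,
    }


if __name__ == "__main__":
    for section, finding in remediation_plan(RULES).items():
        print(section, finding)
    print("duplicate objects", find_duplicate_objects(OBJECTS))
```

On this input the deny rule dev-db-restrict is reported as shadowed by the broader dev-to-prod-db allow above it (the false-compliance pattern described under "What We Typically Find"), web-https-dup is redundant with web-https because its destination object is a duplicate of WebServer01, and old-backup is the only rule whose zero hit count is genuine rather than a by-product of ordering. Real estates need the vendor's own semantics layered on top (zones, negated fields, application objects, Checkpoint layers, FortiGate VDOMs), which is where the single-rule cover check above stops being sufficient.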
Compliance Mapping
We produce a rule-by-rule business justification register formatted for direct submission to PCI QSAs, satisfying Requirement 1.1.6 (justified business need per rule) and 1.1.7 (review at least every six months) in v3.2.1 numbering, or 1.2.5 and 1.2.7 in v4.0.1. Every retained rule is mapped to a specific business justification and owner, giving your QSA or ISO 27001 auditor the dated, independently produced evidence they ask for.
NAT Policy Audit
We review NAT rules for unused static translations, overlapping DNAT entries, and misconfigured source NAT that exposes internal addressing. Orphaned NAT rules from decommissioned services consume resources and create unexpected traffic paths that bypass intended access controls.
Firewalls We Audit
We extract and analyse configurations from all major enterprise firewall platforms. Our assessors have hands-on experience with each vendor's policy model, not generic methodology applied to unknown platforms.
Palo Alto Networks
PAN-OS 10.x, 11.x, Panorama
Security policy hit counts + PAN-OS API / Panorama export
Fortinet FortiGate
FortiOS 7.0, 7.2, 7.4, VDOM
Policy usage statistics via FortiManager / FortiAnalyzer
Checkpoint
R80.40, R81.x, SmartConsole
Ordered and inline layer evaluation within the unified policy, via SmartConsole export
Cisco ASA / Firepower
ASA 9.x, FTD 7.x, FMC
ACL hit counts + running-config / FMC policy export
Juniper SRX
Junos 21.x, 22.x, 23.x
Security policy counters + config backup export
WatchGuard
Fireware OS, WatchGuard Cloud
Policy export via System Manager or WatchGuard Cloud
Four-Step Audit Workflow
From config extract to clean rulebase. No interactive access to your firewalls is required at any point.
Rule Extraction
We work from the full ACL and object database exported from your firewalls. Your team exports a config backup (text/XML) from Palo Alto, Fortinet, Checkpoint, Cisco ASA/Firepower, Juniper SRX, or WatchGuard, or pulls it via the vendor API or management platform; we never need credentials to the management plane. Traffic logs and hit-count exports can be provided separately and are not mandatory.
Traffic Analysis
We correlate the static rulebase with traffic logs (if provided) to definitively identify which rules are actually being used by legitimate traffic. Log-based findings are flagged separately from static analysis findings, so you know which recommendations are evidence-backed versus logic-based.
Optimisation Plan
We verify if temporary access rules have been left active, identify shadowed rules, flag overly permissive policies, and propose a consolidated rulebase that maintains legitimate access but reduces risk and processing overhead.
Clean Rulebase
You receive a priority-ranked remediation report, typically reducing total rule count by 30-50%. Deliverable includes: executive summary, per-rule analysis table, priority-ranked remediation list, object consolidation report, PCI DSS 1.1.6 business justification register, and proposed clean rulebase specification. Formatted for direct submission to QSAs and ISO 27001 auditors.
What You Receive
Every firewall rule audit includes the following deliverables, formatted for both technical remediation teams and compliance stakeholders.
We recommend a "Disable then Delete" approach: rules are deactivated for 30 days to ensure no service impact before permanent removal.
Prevent Ruleset Drift.
Ruleset drift begins the moment your next change is approved. Emergency access gets granted, exceptions get added, and the rulebase drifts from its audited state. Pair your rule audit with ongoing monitoring that detects policy violations and configuration changes in real time.
Firewall Configuration Review
Device-level hardening, industry standard benchmarks, and firmware CVE assessment
Managed SOC
Monitor firewall logs and detect policy violations in real time
Internal Network Pentest
Test what happens after an attacker bypasses the firewall
Configuration Reviews
Server, database, and endpoint hardening reviews
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Firewall rule audit pricing typically ranges from £2,000 to £6,000+ depending on rulebase complexity and device count. Single firewall ruleset audits (Palo Alto, Fortinet, Cisco ASA) average £2,000-£3,500 including shadow rule detection, unused rule identification, and optimisation recommendations. Multi-device audits (2-5 firewalls with complex ACLs) typically cost £3,500-£5,000. Enterprise environments (5+ devices, thousands of rules, multiple vendors) typically cost £5,000-£6,000+. Pricing includes PCI DSS 1.1.6 compliance mapping and a priority-ranked remediation report. We provide fixed quotes after reviewing your rule count and device inventory.
Built-in rule usage tracking misses critical security context: (1) Management tools show hit counts but cannot identify logically shadowed rules that never fire due to rule ordering, (2) 'Used' rules may still be overly permissive, allowing more access than business justification requires, (3) Object consolidation opportunities require cross-rule analysis that management consoles do not provide, (4) PCI DSS 1.1.6 requires documented business justification for each rule. Usage stats alone do not satisfy auditors, (5) Years of accumulated rules create technical debt that requires human review to untangle, and (6) External reviewers identify attack paths through rule combinations that individual rule analysis misses. Professional audit provides the compliance evidence and security optimisation that tooling alone cannot deliver.
A Firewall Configuration Review examines the device-level security settings: administrator access controls, firmware and OS version, logging configuration, management plane hardening, SSL/TLS inspection settings, and HA configuration. A Firewall Rule Audit examines the access control lists: which traffic is permitted, whether rules are still needed, whether they violate least-privilege, and whether they carry documented business justification. The two services are complementary. Many clients commission both in the same engagement. If you are unsure which applies to your situation, our Firewall Configuration Review page provides a detailed scope comparison.
No. We provide a report listing rules to be disabled. We recommend a 'Disable then Delete' approach where rules are deactivated for 30 days to ensure no service impact before permanent removal.
Usually, yes. First-match firewalls evaluate policy top-down at session setup, so removing hundreds of dead rules that sit above live ones shortens every policy lookup, reduces commit and compile time, and shrinks the logging and export footprint. Established sessions are matched from the session table, so do not expect a dramatic per-packet throughput change on a stateful firewall; the gains are largest on heavily loaded units and on ACL-style platforms. Most estates see measurable improvement after implementing our recommendations.
A professional firewall rule audit covers: (1) unused rules: rules with zero hit count over 90+ days; (2) shadowed rules: rules logically unreachable due to rule ordering; (3) overly permissive rules: any/any configurations and unnecessarily broad port ranges; (4) duplicate and redundant objects: address and service objects referencing the same IPs or ports; (5) temporary rules left permanently active; (6) compliance gaps: rules lacking documented business justification as required by PCI DSS Requirement 1.1.6; (7) NAT policy review: unused and misconfigured NAT rules. The output is a priority-ranked remediation list and, where required, a PCI DSS compliance evidence pack.
PCI DSS Requirement 1.1.7 (1.2.7 in v4.0.1) mandates a firewall rule review at least every six months. ISO 27001 Annex A.8.20 requires periodic review of network security controls. NCSC guidance recommends annual firewall configuration reviews as a baseline. In practice, organisations undergoing rapid change (cloud migration, mergers, system decommissions) should review their rulebase every quarter. Organisations with static environments benefit from a semi-annual audit aligned to their compliance cycle.
We support all major enterprise firewall platforms: Palo Alto (PA-Series, VM-Series, Panorama-managed estates), Fortinet FortiGate (including VDOM configurations via FortiManager/FortiAnalyzer), Checkpoint (R81.x SmartConsole, including ordered and inline layers of the unified policy), Cisco ASA and Firepower (ASDM and FMC-managed), Juniper SRX, and WatchGuard. Configurations reach us via vendor API export, management platform export, or a direct config backup file. No management plane access is required during the analysis phase.
Our firewall rule audit report includes: an executive summary with total rule count before and after optimisation; a per-rule analysis table identifying unused, shadowed, overly permissive, and non-compliant rules with severity rating; a priority-ranked remediation list with specific remediation action per rule; an object consolidation report identifying duplicate address and service objects; a PCI DSS 1.1.6 compliance evidence section mapping each retained rule to its documented business justification; and a proposed clean rulebase specification. Reports are formatted for direct submission to PCI QSAs and ISO 27001 auditors.