How to Perform a Firewall Audit – Policy Rules Review Checklist

Last updated December 27th, 2023 by Avigdor Book

The previous post, on preparing for a firewall audit, covered the network security controls and the control points an auditor will want to check (firewalls, routers and the underlying operating systems) in order to judge whether your firewall operations are auditable and repeatable. A firewall audit is a process that gives you visibility into the access your firewall currently permits and the connections it carries, identifies weaknesses in the policy, and reports on firewall changes, including configuration changes and real-time change notifications.

Today I want to focus on two parts of the firewall audit: reviewing the access policy change process, including its risk assessment, and reviewing the firewall rule base against baseline security controls. In my experience, these two steps are the most important. I’ll go over the technical details you need to check, whether you are pre-auditing your firewall before the audit team arrives or have been tasked with auditing it yourself.

Auditing the Change Process

The first technical step in a firewall audit is usually a review of the firewall change process, including the access control procedures around it. The goal of this step is to confirm that every requested change was properly approved, implemented, and documented. You can accomplish this in a few different ways, depending on whether you have a tool to assist you or you are working manually.

Start by randomly pulling around 10 change requests raised since the last audit. For each one, ask the basic firewall policy checklist questions:

  • Is the requester documented, and are they authorized to request firewall changes (including VPN and subnet changes)?

  • Is the business reason for the change documented, including its impact on the affected network devices and topology?

  • Are there proper reviewer and approval signatures (digital or physical) that satisfy the standards you are audited against, such as ISO or HIPAA requirements?

  • Were the approvals recorded before the change was implemented?

  • Are all approvers authorized to approve firewall changes? You will need to request the list of authorized individuals, including firewall administrators.

  • Is the change well documented in the change ticket, including any required remediation or cleanup?

  • Is there a documented risk analysis for each change, including how risks were prioritized and aggregated?

  • Is there documentation of the change window and/or install date for each change?

  • Is there an expiration date for the change, so that temporary access is actually removed?

  • Was the target system’s security posture considered, including its exposure to attack?

Audit readiness means being able to demonstrate and document adherence to regulations and internal policies: the workflows, the change history, the approvals and the exceptions.
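The checks above reduce to a small amount of logic once the tickets and the firewall's own change log are exported. The script below is an added example, not code from the original post or from Tufin; the ticket and change-log record shapes, the authorized-user lists and the sample records are all constructed assumptions. Beyond the per-ticket questions, it reconciles the device's change log against the tickets, which is how you find changes that were made with no ticket at all.

```python
"""Change-process audit over constructed ticket and change-log records.

Added example (not from the original post). Record shapes, user lists
and sample data are assumptions standing in for a real ticketing export.
"""
import random
from datetime import datetime

# Lists the auditor requests from the firewall team (assumed contents).
AUTHORIZED_REQUESTERS = {"alice", "bob"}
AUTHORIZED_APPROVERS = {"carol", "dave"}

# Constructed change tickets raised since the last audit.
TICKETS = [
    {"id": "CHG-101", "requester": "alice", "reason": "Open HTTPS to new web VIP",
     "approver": "carol", "approved_at": "2023-11-02T09:10",
     "implemented_at": "2023-11-03T22:00", "expires": "2024-11-03", "rules": [101]},
    {"id": "CHG-102", "requester": "eve", "reason": "",
     "approver": "carol", "approved_at": "2023-11-09T08:00",
     "implemented_at": "2023-11-08T21:30", "expires": None, "rules": [102]},
    {"id": "CHG-103", "requester": "bob", "reason": "Temporary RDP for vendor",
     "approver": "frank", "approved_at": "2023-11-15T10:00",
     "implemented_at": "2023-11-15T11:00", "expires": "2023-11-22", "rules": [103]},
]

# Constructed firewall change log: what the device itself recorded.
CHANGE_LOG = [
    {"rule": 101, "ticket": "CHG-101", "at": "2023-11-03T22:00"},
    {"rule": 102, "ticket": "CHG-102", "at": "2023-11-08T21:30"},
    {"rule": 103, "ticket": "CHG-103", "at": "2023-11-15T11:00"},
    {"rule": 104, "ticket": None, "at": "2023-11-20T03:12"},  # no ticket at all
]


def ts(value):
    return datetime.fromisoformat(value)


def check_ticket(ticket):
    """Apply the checklist questions to one ticket; return the failures."""
    issues = []
    if ticket["requester"] not in AUTHORIZED_REQUESTERS:
        issues.append("requester not authorized")
    if not ticket["reason"].strip():
        issues.append("no business justification")
    if ticket["approver"] not in AUTHORIZED_APPROVERS:
        issues.append("approver not on authorized list")
    if ts(ticket["approved_at"]) > ts(ticket["implemented_at"]):
        issues.append("approved after implementation")
    if not ticket["expires"]:
        issues.append("no expiration date")
    return issues


def sample_tickets(tickets, n, seed=0):
    """Random sample of n tickets; seeded so the audit is reproducible."""
    rng = random.Random(seed)
    return rng.sample(tickets, min(n, len(tickets)))


def reconcile(tickets, change_log):
    """Rule changes on the device that no ticket accounts for."""
    ticketed = {rule for t in tickets for rule in t["rules"]}
    return [c["rule"] for c in change_log if c["rule"] not in ticketed]


def audit(tickets, change_log, sample_size=10):
    report = {t["id"]: check_ticket(t) for t in sample_tickets(tickets, sample_size)}
    report["unticketed_changes"] = reconcile(tickets, change_log)
    return report


if __name__ == "__main__":
    for key, findings in audit(TICKETS, CHANGE_LOG).items():
        print(f"{key:20} {findings}")
```

With these records, CHG-101 passes, CHG-102 fails on requester, justification, approval ordering and expiry, CHG-103 has an approver who is not on the authorized list, and rule 104 shows up as a change with no ticket behind it. In a real audit the sample is drawn from the full ticket export, while the reconciliation step runs over every change the device logged, not just the sample.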

Auditing the Firewall Rule Base

The second technical step in a firewall audit is generally a review of the rule base (also called a policy). The methodology for this step varies widely among firewall vendors.

First, ask the questions related to basic policy maintenance:

  • How many rules does the firewall security policy have? How many did it have at the last audit? Last year?

  • Are there any uncommented rules, including rules that govern cloud environments?

  • Are there any redundant rules that should be removed?

  • Are there any rules that are no longer used, for example rules for decommissioned VPNs or network environments?

  • Are there any overly permissive rules, such as rules with more than 1,000 IP addresses allowed in the source or destination? (You may want a threshold well below 1,000; as a best practice, keep it around 25.)

Next, ask about risk and compliance. Tools like SecureTrack+ can help answer these questions:

  • Are there any rules that violate our corporate security policy or a regulatory standard we are subject to, such as SOX or PCI DSS?

  • Are there any rules that allow risky services inbound from the Internet?

  • Are there any rules that allow direct traffic from the Internet to the internal network (not the DMZ)?

  • Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices, or databases?
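Most of the maintenance and risk questions above can be answered mechanically from a rule export. The script below is an added example, not code from the original post or from Tufin; the vendor-neutral export format (zones, CIDR lists, service names, action, comment, hit counter), the zone names, the risky-service list, the sensitive segment and the sample rules are all constructed assumptions. It reports rule count, uncommented rules, unused rules (zero hits since the last audit), overly permissive rules using the 25-address ceiling the post suggests, redundant rules fully covered by an earlier rule, risky services allowed inbound from the Internet, Internet-to-internal (non-DMZ) rules and Internet rules reaching a sensitive segment.

```python
"""Vendor-neutral rule-base audit checks (added example, not from the post).

The export format is an assumption: each rule is a dict with zone names,
CIDR lists, service names, an action, a comment and a hit counter.
"""
import ipaddress
from typing import Dict, List

INTERNET_ZONE = "internet"          # zone naming is an assumption
PERMISSIVE_LIMIT = 25               # the post's suggested address ceiling per side
RISKY_INBOUND = {"telnet", "ftp", "smb", "rdp", "any"}   # example list; extend to taste
SENSITIVE = ["10.0.5.0/24"]         # constructed: database segment

# Constructed sample export; 'hits' is the counter since the last audit.
RULES: List[Dict] = [
    {"id": 1, "src_zone": "internet", "src": ["0.0.0.0/0"], "dst_zone": "dmz",
     "dst": ["203.0.113.10/32"], "services": ["https"], "action": "allow",
     "comment": "Public web front end", "hits": 120503},
    {"id": 2, "src_zone": "internet", "src": ["0.0.0.0/0"], "dst_zone": "internal",
     "dst": ["10.0.5.20/32"], "services": ["rdp"], "action": "allow",
     "comment": "", "hits": 17},
    {"id": 3, "src_zone": "internal", "src": ["10.0.0.0/8"], "dst_zone": "dmz",
     "dst": ["203.0.113.0/24"], "services": ["ssh"], "action": "allow",
     "comment": "Admin SSH to DMZ", "hits": 0},
    {"id": 4, "src_zone": "internal", "src": ["10.0.1.0/29"], "dst_zone": "dmz",
     "dst": ["203.0.113.10/32"], "services": ["ssh"], "action": "allow",
     "comment": "Web team SSH to front end", "hits": 0},
    {"id": 5, "src_zone": "internet", "src": ["0.0.0.0/0"], "dst_zone": "dmz",
     "dst": ["203.0.113.0/24"], "services": ["any"], "action": "allow",
     "comment": "TEMP troubleshooting", "hits": 4410},
]


def nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def address_count(cidrs):
    return sum(n.num_addresses for n in nets(cidrs))


def covered(inner, outer):
    """True if every CIDR in inner lies within some CIDR in outer."""
    outer_nets = nets(outer)
    return all(any(i.subnet_of(o) for o in outer_nets) for i in nets(inner))


def overlaps(a, b):
    return any(x.overlaps(y) for x in nets(a) for y in nets(b))


def audit(rules):
    f = {k: [] for k in ("uncommented", "unused", "permissive", "redundant",
                         "risky_inbound", "internet_to_internal", "internet_to_sensitive")}
    for idx, r in enumerate(rules):
        inbound = r["src_zone"] == INTERNET_ZONE and r["action"] == "allow"
        if not r["comment"].strip():
            f["uncommented"].append(r["id"])
        if r["hits"] == 0:
            f["unused"].append(r["id"])
        # Count addresses only on sides that are not the Internet itself;
        # an Internet-facing rule legitimately has 'any' as its source.
        sides = [(r["src_zone"], r["src"]), (r["dst_zone"], r["dst"])]
        if any(z != INTERNET_ZONE and address_count(c) > PERMISSIVE_LIMIT for z, c in sides):
            f["permissive"].append(r["id"])
        if inbound and set(r["services"]) & RISKY_INBOUND:
            f["risky_inbound"].append(r["id"])
        if inbound and r["dst_zone"] != "dmz":
            f["internet_to_internal"].append(r["id"])
        if inbound and overlaps(r["dst"], SENSITIVE):
            f["internet_to_sensitive"].append(r["id"])
        # Redundant: fully covered by an earlier rule with the same action and
        # zones, so it can never match traffic the earlier rule did not already take.
        for earlier in rules[:idx]:
            if (earlier["action"] == r["action"]
                    and earlier["src_zone"] == r["src_zone"]
                    and earlier["dst_zone"] == r["dst_zone"]
                    and covered(r["src"], earlier["src"])
                    and covered(r["dst"], earlier["dst"])
                    and ("any" in earlier["services"]
                         or set(r["services"]) <= set(earlier["services"]))):
                f["redundant"].append(r["id"])
                break
    f["rule_count"] = len(rules)
    return f


if __name__ == "__main__":
    for check, result in audit(RULES).items():
        print(f"{check:22} {result}")
```

On this sample, rule 2 is the one you would escalate first: it is uncommented, allows RDP from the Internet straight into the internal zone, and lands on the sensitive segment. Rule 4 is redundant with rule 3 and both are unused; rule 5 is a "temporary" any-service rule that is both permissive and risky inbound. Note that the redundancy check is order-sensitive: a broad rule placed after a narrow one does not make the narrow one redundant, because the narrow rule still matches first.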

FAQs

  • What are the best tools for performing a firewall audit? Tufin SecureTrack+ is the best tool to help with your firewall audit process.

  • How can I ensure compliance with industry standards like PCI DSS and SOX? Follow the audit steps above and use automated tools that check the change process and rule base against these regulations; the audit trail they produce is what you show the assessor.

  • Can a firewall audit help protect against cyberattacks? Yes. A firewall audit surfaces overly permissive, unused and unapproved rules and other weaknesses in your policy, which strengthens your security posture against attack.

Wrapping Up

Performing a firewall audit is crucial to maintaining robust information security and protecting against potential cyberattacks. By utilizing tools like Tufin SecureTrack+, you can produce audit reports efficiently and streamline the entire audit process. Make sure to identify all potential risks and prioritize them accordingly, following the firewall audit checklist above.
