Cybersecurity blog

Firewall Ruleset Review: Manual vs Automated (and How to Get Audit-Ready)

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Firewall Ruleset Review: Manual vs Automated (and How to Get Audit-Ready)

Pull the running config off any firewall that has been in production for five years and count the rules. On a mid-sized bank edge I audited last year, the number was 1,247. When I asked the network lead which of those rules were still needed, he went quiet, then said the honest thing: nobody knew. Half of them predated him. Two of the change tickets referenced a project that had been decommissioned in 2019.

That is the real state of most firewall rulesets in India. Not a clean, documented, least-privilege policy. A sediment of every emergency change, every vendor pilot, every any-any rule someone added at 2am to make an application work and forgot to remove. The device still passes traffic. It just no longer means anything. And when an auditor asks you to justify a rule, silence is not an acceptable answer.

Why a bloated ruleset is a real risk, not a tidiness problem

It is tempting to treat rule sprawl as housekeeping. It is not. Every stale permit rule is a path an attacker can use that you are no longer watching. When you cannot explain why a rule exists, you also cannot tell whether it is being abused. The rule that once allowed a retired jump host to reach the card database is now a quiet lateral-movement route that survives because nobody dares touch it.

There is a compliance cost too, and it is concrete. If you process card data, PCI DSS v4.0 requirement 1.2.7 makes you review network security control rulesets at least once every six months. Requirement 1.2.1 makes you keep configuration standards that define what is allowed and deny everything else by default. For CERT-In empanelled audits and the RBI supervisory expectations that flow from the RBI Cyber Security Framework, an unreviewed firewall is a standing finding. SEBI-regulated entities face the same expectation under the SEBI Cybersecurity and Cyber Resilience Framework. The regulator does not care that traffic flows. The regulator asks who approved this rule, when, and why it is still here.

There is also a performance and blast-radius angle. Shadowed rules, redundant rules, and overly broad rules make the policy slower to evaluate and much harder to change safely. Every future change becomes a gamble because you cannot predict what a bloated ruleset will do. That is how a small edit takes down a payment gateway on a Friday evening.

The six kinds of rot that live in a firewall ruleset

When you actually sit down to review a policy line by line, the same defects recur across every organisation. Name them, because you cannot fix what you cannot categorise.

DefectWhat it looks likeWhy it matters
Shadowed ruleA rule that never fires because a broader rule above it already matches the same trafficDead policy that hides intent and inflates the rule count
Redundant ruleTwo rules with the same effect; removing one changes nothingNoise that makes the next reviewer distrust the whole policy
Overly permissive ruleany source, any destination, any service, or a large subnet where a single host was intendedThe classic breach path; violates least privilege directly
Orphaned objectA rule referencing a host or group that no longer exists or was decommissionedEvidence the ruleset is not maintained; often the oldest rot
Expired temporary ruleA rule opened for a migration or vendor pilot that was never closedStanding exposure with no owner and no expiry
Undocumented ruleA live rule with no change ticket, no business justification, no ownerThe one you cannot answer for when the auditor points at it

A healthy review does not just find these. It produces a decision for each one: keep with justification, tighten to least privilege, or remove. A finding with no decision is just a longer to-do list.

Manual review: what it buys you and what it costs

Manual review means an engineer reading the ruleset, mapping each rule to a business need, checking hit counts, and deciding its fate. Done well, it is the gold standard for judgement. A human can tell that a permit to a third-party payment aggregator is legitimate business even though it looks broad, and that a tidy-looking rule to an internal subnet is actually the ghost of a dead project.

The problem is that humans do not scale to 1,200 rules across a dozen firewalls twice a year. What actually happens is this. The review gets scheduled for a quarter. Two weeks in, the engineer has read 300 rules, found real issues, run out of time, and signed off on the remaining 900 as reviewed because the review window is closing. The document says the ruleset was reviewed. The reality is that two thirds of it was rubber-stamped. When I test this in an audit, I pick ten rules at random from the untouched end of the file and ask for the justification. The gap shows up in minutes.

Automated review: fast, tireless, and blind in exactly one way

Automated tooling — firewall policy analysers such as those built into vendor management consoles, or dedicated tools like Tufin, AlgoSec, FireMon, or open-source options like Nipper and pfSense config parsers — reads the entire ruleset in seconds. It reliably flags shadowing, redundancy, any-any rules, unused rules by hit count, and objects that no longer resolve. It does not get tired at rule 900. It produces a consistent, repeatable report you can diff between reviews.

What it cannot do is know your business. A tool will flag a broad permit to a regulatory reporting gateway as overly permissive. It cannot tell you that the rule is mandated, approved, and correct. It will happily recommend removing a rule that a quarterly RBI return depends on. Automation finds the candidates. It does not make the call. Anyone who lets a tool auto-remediate a production firewall policy without a human decision layer is one config push away from an outage and a very awkward incident review.

DimensionManual reviewAutomated review
CoveragePartial in practice; degrades with fatigueComplete every time
SpeedDays to weeks per deviceMinutes per device
Business contextStrong; a human knows intentNone; needs a human to interpret
ConsistencyVaries by reviewer and moodIdentical logic every run
Cost per cycleHigh engineer timeTool licence plus review time
Best forFinal decisions and edge casesFinding candidates and evidence

The answer is not manual versus automated. It is automated for detection and coverage, manual for judgement and sign-off. The tool builds the shortlist. The engineer, with a change record and a business owner in the room, decides.

The review workflow that actually holds up

Here is the sequence I look for when I audit a mature firewall management practice. If your process skips a step, that is usually where the finding lives.

1. Freeze a config snapshot

Export the running configuration with a timestamp and a hash. Every conclusion you draw is only valid against a fixed baseline. Auditors want to see that the reviewed config and the live config are the same object.

2. Run automated analysis

Let the tool find shadowed, redundant, unused, and overly broad rules. Pull hit counts over a meaningful window — at least 90 days — so a rule that only fires at quarter-end is not mistaken for dead.

3. Map every rule to an owner and a justification

This is the manual heart of it. Each surviving rule needs a business owner, a documented reason, and a linked change ticket. Rules with no owner and no justification go on the remediation list, not the keep list.

4. Decide and document

For each flagged rule: keep with recorded justification, tighten the scope, or remove. Record who decided and when. A decision without a name attached is not evidence.

5. Change-manage the fixes

Removals and tightening go through your normal change process, with rollback ready. You do not clean up a firewall by editing the live policy on a hunch. You stage it, you test it, you have a back-out plan.

6. Reconcile and re-baseline

After changes, re-export, re-run the analyser, and confirm the ruleset now matches the approved state. That closing snapshot becomes the baseline for the next cycle.

What the auditor actually asks for

A firewall review is only worth anything if it produces evidence an auditor accepts. Most reviews fail here — the work was done, but there is no artefact that proves it. When I sit in the audit room, this is the evidence set I ask for, and the exact questions I ask against it.

ArtefactWhat it provesThe question I ask
Timestamped config exportThe exact ruleset that was reviewedIs this the same config that is live right now?
Review report per deviceFindings against each ruleShow me the ten rules with no justification
Rule justification registerBusiness owner and reason per ruleWho owns this any-any rule and why does it exist?
Change tickets for editsRemovals and tightening were authorisedWhich ticket approved closing rule 214?
Sign-off recordA named person accepted the stateWho signed this off and were they authorised to?
Six-monthly review cadencePCI 1.2.7 or RBI expectation is metShow me the last two review dates

Notice what is not on that list: a screenshot of the firewall GUI. A screenshot proves a moment, not a process. Auditors have learned to distrust them. What holds up is a chain — snapshot, analysis, decision, change record, sign-off — that a stranger can follow six months later and reach the same conclusion you did.

A scene from a real payment gateway audit

A fintech client, RBI-regulated, PCI DSS in scope for the cardholder data environment. Their firewall had 640 rules. The team had run a tool, produced a clean-looking PDF, and told me the review was done. I asked for the justification register. There wasn't one — the PDF listed findings but no decisions.

So we opened the config together. Rule 118 was a permit from a /16 corporate subnet straight into the cardholder data environment on a database port. The tool had flagged it as overly permissive. The team had waved it through because it was old and things depended on it. When we traced it, the rule had been opened for a data migration in 2021 and never closed. The migration host was long gone. That single rule put the entire corporate network one compromised laptop away from the card database — a direct PCI DSS requirement 1.3 violation, network segmentation of the cardholder data environment, sitting undiscovered for over two years.

We tightened it to the two application hosts that genuinely needed it, raised a change ticket, and logged the decision with the CISO as owner. The whole fix took forty minutes. The point is not that the tool missed it. The tool caught it. The process around the tool had no step that forced a decision, so the finding died in a PDF nobody read.

The cost and cadence, in real numbers

People underestimate the effort because they think of it as one review. It is a repeating cycle, and the first one is always the heaviest because you are paying down years of debt.

ItemTypical range (India)Note
First full clean-up (mid-size estate)₹2.5–6 lakhOne-off; clears accumulated rot across devices
Recurring six-monthly review₹75,000–2 lakh per cycleLower once the baseline is clean
Policy analyser tooling₹4–15 lakh/yearScales with device count and vendor
Cost of one stale rule breach₹50 lakh+Investigation, DPDP exposure, remediation, reputation

Under the Digital Personal Data Protection Act 2023, a breach that traces back to a firewall rule you could not justify is not just a security failure — it is a demonstrable lapse in reasonable security safeguards, which is exactly what the Data Protection Board will weigh when it sets a penalty. The economics are not subtle. The recurring review is a rounding error against a single avoidable incident.

Your fix-it checklist before the next audit

If you do nothing else this quarter, work through this. It is the shortlist I would hand your network lead.

  • Export a timestamped, hashed snapshot of every firewall running config and store it as your review baseline.
  • Run a policy analyser and pull hit counts over at least 90 days to catch quarter-end rules.
  • List every any-any and any-to-critical-zone rule and treat each as guilty until justified.
  • Build a rule justification register: owner, business reason, and change ticket for every surviving rule.
  • Chase down every temporary or migration rule and confirm it was closed; if not, close it under change control.
  • For each flagged rule, record an explicit decision — keep, tighten, or remove — with a named approver.
  • Push removals and tightening through change management with a tested rollback, never live-edited on a hunch.
  • Re-baseline after changes and diary the next review at six months to satisfy PCI 1.2.7 and RBI expectations.
  • Keep the whole chain — snapshot, report, register, tickets, sign-off — in one place an auditor can follow unaided.

Where this leaves you

Come back to that bank edge with 1,247 rules and a network lead who went quiet. The device was not broken. It had simply outlived anyone's understanding of it. A firewall you cannot explain is not protecting you — it is a liability wearing a security badge. The goal of a review is not a tidier config. It is being able to point at any rule and answer, without hesitation, who approved this and why it is still here.

If your last firewall review was a rubber-stamped PDF and you would rather find the stale rules before an examiner or an attacker does, our team at CyberSigma are senior CERT-In empanelled auditors and PCI QSAs who do this line by line, hands-on — not from a template.

FAQs

How often should we review our firewall ruleset?

At least every six months if you are in PCI DSS scope, which requirement 1.2.7 mandates directly. For RBI and SEBI regulated entities, the same six-monthly cadence is the safe default and aligns with supervisory expectations. High-change environments benefit from quarterly reviews, and every material change should be reviewed at the time it is made rather than only at the periodic checkpoint.

Can we fully automate firewall ruleset review?

No, and you should not try. Automation is excellent at detection — shadowed rules, redundancy, unused rules, and overly broad permits. It cannot understand your business, so it cannot decide which broad rule is a legitimate regulatory requirement and which is an orphaned migration rule. Use tooling to build the shortlist and produce evidence, but keep a named human making the keep, tighten, or remove decision.

What evidence do auditors actually accept for a firewall review?

A traceable chain, not a screenshot. That means a timestamped config snapshot, a per-device analysis report, a rule justification register with owners, change tickets for every removal or tightening, and a named sign-off. The test is whether a stranger can follow the artefacts six months later and reach the same conclusion. GUI screenshots prove a moment, not a process, and experienced auditors discount them.

What is the single most common firewall finding you see?

Undocumented and overly permissive rules that were opened for a temporary purpose — a migration, a vendor pilot, a break-fix at 2am — and never closed. They are usually the oldest rules in the policy, nobody owns them, and they frequently provide a direct path into a sensitive zone such as a cardholder data environment. They survive precisely because everyone is afraid to touch them.

How do we prioritise if we cannot review the whole ruleset at once?

Start with rules that touch your most sensitive zones and rules that are broadest. Any rule permitting traffic into a cardholder data environment, a core banking segment, or a regulatory reporting system comes first, followed by every any-any or large-subnet rule anywhere in the policy. Dead rules with zero hits over 90 days are quick wins. Leave narrow, well-documented rules to specific hosts for last.

Will cleaning up the ruleset risk an outage?

Only if you do it carelessly. The risk comes from live-editing the policy on a hunch. Done properly — with a config snapshot, hit-count data proving a rule is unused, a change ticket, a maintenance window, and a tested rollback — the risk is low and controlled. The larger risk is leaving unexplained rules in place, because those are the ones that cause both breaches and audit findings.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205