Firewall Ruleset Review: Manual vs Automated (and How to Get Audit-Ready)
Pull the running config off any firewall that has been in production for five years and count the rules. On a mid-sized bank edge I audited last year, the number was 1,247. When I asked the network lead which of those rules were still needed, he went quiet, then said the honest thing: nobody knew. Half of them predated him. Two of the change tickets referenced a project that had been decommissioned in 2019.
That is the real state of most firewall rulesets in India. Not a clean, documented, least-privilege policy. A sediment of every emergency change, every vendor pilot, every any-any rule someone added at 2am to make an application work and forgot to remove. The device still passes traffic. It just no longer means anything. And when an auditor asks you to justify a rule, silence is not an acceptable answer.
Why a bloated ruleset is a real risk, not a tidiness problem
It is tempting to treat rule sprawl as housekeeping. It is not. Every stale permit rule is a path an attacker can use that you are no longer watching. When you cannot explain why a rule exists, you also cannot tell whether it is being abused. The rule that once allowed a retired jump host to reach the card database is now a quiet lateral-movement route that survives because nobody dares touch it.
There is a compliance cost too, and it is concrete. If you process card data, PCI DSS v4.0 requirement 1.2.7 makes you review network security control rulesets at least once every six months. Requirement 1.2.1 makes you keep configuration standards that define what is allowed and deny everything else by default. For CERT-In empanelled audits and the RBI supervisory expectations that flow from the RBI Cyber Security Framework, an unreviewed firewall is a standing finding. SEBI-regulated entities face the same expectation under the SEBI Cybersecurity and Cyber Resilience Framework. The regulator does not care that traffic flows. The regulator asks who approved this rule, when, and why it is still here.
There is also a performance and blast-radius angle. Shadowed rules, redundant rules, and overly broad rules make the policy slower to evaluate and much harder to change safely. Every future change becomes a gamble because you cannot predict what a bloated ruleset will do. That is how a small edit takes down a payment gateway on a Friday evening.
The six kinds of rot that live in a firewall ruleset
When you actually sit down to review a policy line by line, the same defects recur across every organisation. Name them, because you cannot fix what you cannot categorise.
| Defect | What it looks like | Why it matters |
|---|---|---|
| Shadowed rule | A rule that never fires because a broader rule above it already matches the same traffic | Dead policy that hides intent and inflates the rule count |
| Redundant rule | Two rules with the same effect; removing one changes nothing | Noise that makes the next reviewer distrust the whole policy |
| Overly permissive rule | any source, any destination, any service, or a large subnet where a single host was intended | The classic breach path; violates least privilege directly |
| Orphaned object | A rule referencing a host or group that no longer exists or was decommissioned | Evidence the ruleset is not maintained; often the oldest rot |
| Expired temporary rule | A rule opened for a migration or vendor pilot that was never closed | Standing exposure with no owner and no expiry |
| Undocumented rule | A live rule with no change ticket, no business justification, no owner | The one you cannot answer for when the auditor points at it |
A healthy review does not just find these. It produces a decision for each one: keep with justification, tighten to least privilege, or remove. A finding with no decision is just a longer to-do list.
Manual review: what it buys you and what it costs
Manual review means an engineer reading the ruleset, mapping each rule to a business need, checking hit counts, and deciding its fate. Done well, it is the gold standard for judgement. A human can tell that a permit to a third-party payment aggregator is legitimate business even though it looks broad, and that a tidy-looking rule to an internal subnet is actually the ghost of a dead project.
The problem is that humans do not scale to 1,200 rules across a dozen firewalls twice a year. What actually happens is this. The review gets scheduled for a quarter. Two weeks in, the engineer has read 300 rules, found real issues, run out of time, and signed off on the remaining 900 as reviewed because the review window is closing. The document says the ruleset was reviewed. The reality is that two thirds of it was rubber-stamped. When I test this in an audit, I pick ten rules at random from the untouched end of the file and ask for the justification. The gap shows up in minutes.
Automated review: fast, tireless, and blind in exactly one way
Automated tooling — firewall policy analysers such as those built into vendor management consoles, or dedicated tools like Tufin, AlgoSec, FireMon, or open-source options like Nipper and pfSense config parsers — reads the entire ruleset in seconds. It reliably flags shadowing, redundancy, any-any rules, unused rules by hit count, and objects that no longer resolve. It does not get tired at rule 900. It produces a consistent, repeatable report you can diff between reviews.
What it cannot do is know your business. A tool will flag a broad permit to a regulatory reporting gateway as overly permissive. It cannot tell you that the rule is mandated, approved, and correct. It will happily recommend removing a rule that a quarterly RBI return depends on. Automation finds the candidates. It does not make the call. Anyone who lets a tool auto-remediate a production firewall policy without a human decision layer is one config push away from an outage and a very awkward incident review.
| Dimension | Manual review | Automated review |
|---|---|---|
| Coverage | Partial in practice; degrades with fatigue | Complete every time |
| Speed | Days to weeks per device | Minutes per device |
| Business context | Strong; a human knows intent | None; needs a human to interpret |
| Consistency | Varies by reviewer and mood | Identical logic every run |
| Cost per cycle | High engineer time | Tool licence plus review time |
| Best for | Final decisions and edge cases | Finding candidates and evidence |
The answer is not manual versus automated. It is automated for detection and coverage, manual for judgement and sign-off. The tool builds the shortlist. The engineer, with a change record and a business owner in the room, decides.
The review workflow that actually holds up
Here is the sequence I look for when I audit a mature firewall management practice. If your process skips a step, that is usually where the finding lives.
1. Freeze a config snapshot
Export the running configuration with a timestamp and a hash. Every conclusion you draw is only valid against a fixed baseline. Auditors want to see that the reviewed config and the live config are the same object.
2. Run automated analysis
Let the tool find shadowed, redundant, unused, and overly broad rules. Pull hit counts over a meaningful window — at least 90 days — so a rule that only fires at quarter-end is not mistaken for dead.
3. Map every rule to an owner and a justification
This is the manual heart of it. Each surviving rule needs a business owner, a documented reason, and a linked change ticket. Rules with no owner and no justification go on the remediation list, not the keep list.
4. Decide and document
For each flagged rule: keep with recorded justification, tighten the scope, or remove. Record who decided and when. A decision without a name attached is not evidence.
5. Change-manage the fixes
Removals and tightening go through your normal change process, with rollback ready. You do not clean up a firewall by editing the live policy on a hunch. You stage it, you test it, you have a back-out plan.
6. Reconcile and re-baseline
After changes, re-export, re-run the analyser, and confirm the ruleset now matches the approved state. That closing snapshot becomes the baseline for the next cycle.
What the auditor actually asks for
A firewall review is only worth anything if it produces evidence an auditor accepts. Most reviews fail here — the work was done, but there is no artefact that proves it. When I sit in the audit room, this is the evidence set I ask for, and the exact questions I ask against it.
| Artefact | What it proves | The question I ask |
|---|---|---|
| Timestamped config export | The exact ruleset that was reviewed | Is this the same config that is live right now? |
| Review report per device | Findings against each rule | Show me the ten rules with no justification |
| Rule justification register | Business owner and reason per rule | Who owns this any-any rule and why does it exist? |
| Change tickets for edits | Removals and tightening were authorised | Which ticket approved closing rule 214? |
| Sign-off record | A named person accepted the state | Who signed this off and were they authorised to? |
| Six-monthly review cadence | PCI 1.2.7 or RBI expectation is met | Show me the last two review dates |
Notice what is not on that list: a screenshot of the firewall GUI. A screenshot proves a moment, not a process. Auditors have learned to distrust them. What holds up is a chain — snapshot, analysis, decision, change record, sign-off — that a stranger can follow six months later and reach the same conclusion you did.
A scene from a real payment gateway audit
A fintech client, RBI-regulated, PCI DSS in scope for the cardholder data environment. Their firewall had 640 rules. The team had run a tool, produced a clean-looking PDF, and told me the review was done. I asked for the justification register. There wasn't one — the PDF listed findings but no decisions.
So we opened the config together. Rule 118 was a permit from a /16 corporate subnet straight into the cardholder data environment on a database port. The tool had flagged it as overly permissive. The team had waved it through because it was old and things depended on it. When we traced it, the rule had been opened for a data migration in 2021 and never closed. The migration host was long gone. That single rule put the entire corporate network one compromised laptop away from the card database — a direct PCI DSS requirement 1.3 violation, network segmentation of the cardholder data environment, sitting undiscovered for over two years.
We tightened it to the two application hosts that genuinely needed it, raised a change ticket, and logged the decision with the CISO as owner. The whole fix took forty minutes. The point is not that the tool missed it. The tool caught it. The process around the tool had no step that forced a decision, so the finding died in a PDF nobody read.
The cost and cadence, in real numbers
People underestimate the effort because they think of it as one review. It is a repeating cycle, and the first one is always the heaviest because you are paying down years of debt.
| Item | Typical range (India) | Note |
|---|---|---|
| First full clean-up (mid-size estate) | ₹2.5–6 lakh | One-off; clears accumulated rot across devices |
| Recurring six-monthly review | ₹75,000–2 lakh per cycle | Lower once the baseline is clean |
| Policy analyser tooling | ₹4–15 lakh/year | Scales with device count and vendor |
| Cost of one stale rule breach | ₹50 lakh+ | Investigation, DPDP exposure, remediation, reputation |
Under the Digital Personal Data Protection Act 2023, a breach that traces back to a firewall rule you could not justify is not just a security failure — it is a demonstrable lapse in reasonable security safeguards, which is exactly what the Data Protection Board will weigh when it sets a penalty. The economics are not subtle. The recurring review is a rounding error against a single avoidable incident.
Your fix-it checklist before the next audit
If you do nothing else this quarter, work through this. It is the shortlist I would hand your network lead.
- Export a timestamped, hashed snapshot of every firewall running config and store it as your review baseline.
- Run a policy analyser and pull hit counts over at least 90 days to catch quarter-end rules.
- List every any-any and any-to-critical-zone rule and treat each as guilty until justified.
- Build a rule justification register: owner, business reason, and change ticket for every surviving rule.
- Chase down every temporary or migration rule and confirm it was closed; if not, close it under change control.
- For each flagged rule, record an explicit decision — keep, tighten, or remove — with a named approver.
- Push removals and tightening through change management with a tested rollback, never live-edited on a hunch.
- Re-baseline after changes and diary the next review at six months to satisfy PCI 1.2.7 and RBI expectations.
- Keep the whole chain — snapshot, report, register, tickets, sign-off — in one place an auditor can follow unaided.
Where this leaves you
Come back to that bank edge with 1,247 rules and a network lead who went quiet. The device was not broken. It had simply outlived anyone's understanding of it. A firewall you cannot explain is not protecting you — it is a liability wearing a security badge. The goal of a review is not a tidier config. It is being able to point at any rule and answer, without hesitation, who approved this and why it is still here.
If your last firewall review was a rubber-stamped PDF and you would rather find the stale rules before an examiner or an attacker does, our team at CyberSigma are senior CERT-In empanelled auditors and PCI QSAs who do this line by line, hands-on — not from a template.
FAQs
How often should we review our firewall ruleset?
At least every six months if you are in PCI DSS scope, which requirement 1.2.7 mandates directly. For RBI and SEBI regulated entities, the same six-monthly cadence is the safe default and aligns with supervisory expectations. High-change environments benefit from quarterly reviews, and every material change should be reviewed at the time it is made rather than only at the periodic checkpoint.
Can we fully automate firewall ruleset review?
No, and you should not try. Automation is excellent at detection — shadowed rules, redundancy, unused rules, and overly broad permits. It cannot understand your business, so it cannot decide which broad rule is a legitimate regulatory requirement and which is an orphaned migration rule. Use tooling to build the shortlist and produce evidence, but keep a named human making the keep, tighten, or remove decision.
What evidence do auditors actually accept for a firewall review?
A traceable chain, not a screenshot. That means a timestamped config snapshot, a per-device analysis report, a rule justification register with owners, change tickets for every removal or tightening, and a named sign-off. The test is whether a stranger can follow the artefacts six months later and reach the same conclusion. GUI screenshots prove a moment, not a process, and experienced auditors discount them.
What is the single most common firewall finding you see?
Undocumented and overly permissive rules that were opened for a temporary purpose — a migration, a vendor pilot, a break-fix at 2am — and never closed. They are usually the oldest rules in the policy, nobody owns them, and they frequently provide a direct path into a sensitive zone such as a cardholder data environment. They survive precisely because everyone is afraid to touch them.
How do we prioritise if we cannot review the whole ruleset at once?
Start with rules that touch your most sensitive zones and rules that are broadest. Any rule permitting traffic into a cardholder data environment, a core banking segment, or a regulatory reporting system comes first, followed by every any-any or large-subnet rule anywhere in the policy. Dead rules with zero hits over 90 days are quick wins. Leave narrow, well-documented rules to specific hosts for last.
Will cleaning up the ruleset risk an outage?
Only if you do it carelessly. The risk comes from live-editing the policy on a hunch. Done properly — with a config snapshot, hit-count data proving a rule is unused, a change ticket, a maintenance window, and a tested rollback — the risk is low and controlled. The larger risk is leaving unexplained rules in place, because those are the ones that cause both breaches and audit findings.
Liked the post? Share on:





Leave A Comment