← All checklists
Infrastructure Hardening · 130 controls

Firewall Security Configuration Review Checklist

This is the working paper our auditors use to review firewall configurations and rule bases. It covers scope and governance, architecture and segmentation, rule hygiene, network-service security, threat prevention, logging and change management — each control with a test method, the evidence to collect, the risk if it fails, and remediation guidance, mapped to PCI DSS v4.0.1, ISO/IEC 27001:2022, SOC, NIST CSF 2.0 and CIS.

Frameworks: PCI DSS v4.0.1 · ISO/IEC 27001:2022 · SOC 1 / SOC 2 · NIST CSF 2.0 · CIS Controls v8.1 · CERT-In
OEM coverage: Palo Alto PAN-OS · Fortinet FortiGate · Cisco Secure Firewall · Check Point · SonicWall · Sophos · WatchGuard · Huawei · pfSense / OPNsense · AWS / Azure / GCP firewalls
Download the free Firewall Security Configuration Review Checklist

Enter your work email and we’ll unlock the Excel + PDF instantly.

What the firewall audit checklist covers

The checklist is vendor-neutral and structured the way an assessor works a firewall review:

  • Scope & governance — device inventory, firewall policy, default-deny standard, change roles
  • Architecture & segmentation — zones, DMZ, management-plane isolation, HA
  • Rule governance & hygiene — ownership, change traceability, any-any and overly broad rules, unused/expired rules
  • Network service security — inbound/outbound services, insecure protocols, secure alternatives
  • Threat prevention — IPS/AV/URL/TLS inspection profiles applied and tuned
  • Logging & monitoring — rule logging, SIEM use cases, NTP and log completeness
  • Change management & periodic recertification — tickets, approvals, tests, rule review
  • Cloud & shared responsibility — cloud firewall rules, flow logs and the responsibility matrix

Which firewalls and vendors it applies to

One checklist, every vendor. The workbook and companion evidence guidance apply to:

  • Palo Alto Networks (PAN-OS)
  • Fortinet FortiGate
  • Cisco Secure Firewall (FTD/ASA)
  • Check Point Quantum
  • SonicWall, Sophos Firewall and WatchGuard Firebox
  • Huawei USG, pfSense and OPNsense
  • Cloud firewalls — AWS Network Firewall, Azure Firewall and Google Cloud NGFW

How auditors use it

Work each control at device, rule or finding level, set it to Pass, Fail, Partial, Not Applicable or Not Tested, and attach an evidence reference. The Excel workbook includes a review-approach methodology, a normalised rule inventory, a weighted risk-scoring model, a findings register and an evidence-request list — turning a firewall rule-set review into a repeatable, evidence-based exercise rather than a screenshot walk-through.

Framework mapping built in

Every control carries practical mappings to PCI DSS v4.0.1 (Requirement 1 and related), ISO/IEC 27001:2022, SOC 1/SOC 2 Trust Services Criteria, NIST CSF 2.0 and CIS Controls v8.1 — so one firewall review evidences several obligations at once.

Frequently asked questions

What is a firewall audit checklist?

A firewall audit checklist is a structured list of controls for reviewing a firewall’s configuration and rule base — covering policy and governance, segmentation, rule hygiene, threat prevention, logging and change management. This one contains 130+ controls, each with a test method, the evidence to collect and the risk if it is missing.

Does it cover Palo Alto, Fortinet and Cisco?

Yes. The controls are vendor-neutral and apply to Palo Alto PAN-OS, Fortinet FortiGate, Cisco Secure Firewall, Check Point, SonicWall, Sophos, WatchGuard, Huawei, pfSense/OPNsense and the AWS, Azure and Google Cloud firewalls.

Is it aligned to PCI DSS firewall requirements?

Every control is mapped to PCI DSS v4.0.1 (Requirement 1 network security controls and related), ISO/IEC 27001:2022, SOC 1/SOC 2, NIST CSF 2.0 and CIS Controls v8.1 — so a single firewall review supports several compliance obligations.

What format is the download?

You get a multi-sheet Excel rule-set review checklist (with review approach, rule inventory, risk scoring and findings register) and a matching PDF review workbook. Both are free.

Can CyberSigma run the firewall review for us?

Yes — our CERT-In empanelled, PCI QSA authorised auditors perform independent firewall configuration and rule-set reviews against this checklist, with a prioritised findings report and remediation support.

This checklist is provided for educational use and is not a substitute for the licensed text of the referenced standards or a formal audit opinion. © Cyber Sigma Consulting Services LLP.

Related services

VAPT servicesPCI DSS complianceNetwork penetration testing