Firewall Ruleset Review

Our firewall ruleset review removes unnecessary rules, enforces least privilege, and strengthens network security.

Firewall ruleset review for network access control

Aligning firewall enforcement with business intent

A firewall ruleset review is the structured examination of a firewall’s access control rules to verify that each rule reflects a documented business requirement and conforms to the principle of least privilege, per NIST SP 800-41 Rev.1. Unlike a network penetration test, which actively exploits vulnerabilities, a firewall ruleset review identifies misconfiguration and rule debt. For organisations that have inherited years of firewall changes, the review provides a methodical basis to justify, tighten, or remove rules without disrupting business-critical connectivity. Swarmnetics delivers firewall ruleset reviews through consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials.

When any-any rules become a breach path

Because every rule tells a story—we read them all

In November 2025, threat actors compromised a FortiGate firewall appliance and created four policies setting source and destination to any, granting traversal across all zones. Those overly permissive firewall rule configurations went undetected for two months. The attacker then decrypted embedded Active Directory credentials and enrolled rogue workstations into the victim domain. A firewall ruleset review would have identified those any-source, any-destination entries before they enabled lateral movement into the internal network.

Accumulated rule debt creates unnecessary exposure that can persist for years — and no vulnerability scanner will catch it.

Gartner Peer Insight Review

Rule debt is the attack surface vulnerability scanners miss

Rule reviews that strengthen segmentation and limit blast radius

The assessment phase starts with the extraction of the firewall rule base using command-line tools and the management interfaces of your firewall vendors. We then evaluate every rule against least-privilege principles and your stated business requirements.

During the firewall ruleset review, each rule is tested against three questions: does a documented justification exist, is the permitted traffic as narrow as the business need requires, and is the rule still active. Overly permissive rules, disabled rules, unnecessary rules that should have been deleted, shadowed entries that are never reached, and any-service definitions that expose the internal network all produce findings. Where configuration intent is ambiguous, we interview system owners directly so remediation tightens access without breaking business-critical connectivity. The result is a clearer basis to retain justified rules, narrow overbroad access, remove stale entries, and flag rules that still require owner confirmation before cleanup.

Yes, we are CREST accredited

Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium businesses, and across various industries.

What gets reviewed in the rule base

Narrow overbroad access, remove stale entries

Our consultants examine the following scope items across the firewall rule base in each firewall audit:

  • Overly permissive rules, including any-source and any-destination entries
  • Rules without documented business justification or named owner
  • Disabled rules and rule groups pending deletion
  • Shadowed rules masked by a preceding rule and never evaluated
  • Redundant and duplicate rules that inflate rule-base complexity
  • Source and destination IP ranges wider than required
  • Service and port definitions broader than the permitted application traffic
  • Rules granting management access from overly broad network ranges
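The three questions in the assessment description and the scope list above can be expressed as checks over an exported rule base. The following is an added example, not Swarmnetics' tooling or any vendor's API: it assumes a simplified first-match rule model (action, IPv4 source and destination, a single "proto/port" service, enabled flag, owner and justification fields) and thresholds for "wider than required" that are assumptions a reviewer would set per engagement. The sample rule base is constructed for illustration.

```python
"""Rule-base review helper over an in-memory, first-match rule base.
The rule model, thresholds and sample data below are assumptions for this example."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

OVERBROAD_PREFIX = 16            # assumption: an allow rule using a /15 or wider is "wider than required"
MGMT_SERVICES = {"tcp/22", "tcp/3389"}  # assumption: services that count as management access
MGMT_MIN_PREFIX = 24             # assumption: management sources should be a /24 or narrower


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # IPv4 CIDR or "any"
    dst: str                     # IPv4 CIDR or "any"
    service: str                 # "proto/port" or "any"
    enabled: bool = True
    owner: str = ""
    justification: str = ""


def to_net(cidr: str) -> ipaddress.IPv4Network:
    """Map the vendor's 'any' object to 0.0.0.0/0 so it can be compared like any other prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matched by `later` is already matched by `earlier`."""
    return (to_net(earlier.src).supernet_of(to_net(later.src))
            and to_net(earlier.dst).supernet_of(to_net(later.dst))
            and earlier.service in ("any", later.service))


def review(rules: List[Rule]) -> Dict[str, List[str]]:
    """Walk the rule base in evaluation order and collect findings per defect class."""
    findings = defaultdict(list)
    active: List[Rule] = []      # enabled rules already seen, in evaluation order
    for r in rules:
        if not r.enabled:
            findings["disabled"].append(r.name)          # pending deletion, never evaluated
            continue
        if not r.owner or not r.justification:
            findings["undocumented"].append(r.name)      # question 1: no justification or owner
        if r.action == "allow":
            if r.src == "any" and r.dst == "any":
                findings["any_any"].append(r.name)       # unrestricted traversal
            elif any(to_net(x).prefixlen < OVERBROAD_PREFIX for x in (r.src, r.dst)):
                findings["overbroad"].append(r.name)     # question 2: wider than the need
            if r.service in MGMT_SERVICES and to_net(r.src).prefixlen < MGMT_MIN_PREFIX:
                findings["broad_mgmt"].append(r.name)    # management access from a broad range
        # First-match semantics: the first earlier active rule that fully covers this one
        # means this rule is never reached. Same action -> redundant (safe to delete);
        # different action -> shadowed (the intent behind it is not being enforced).
        for e in active:
            if covers(e, r):
                key = "redundant" if e.action == r.action else "shadowed"
                findings[key].append(f"{r.name} (by {e.name})")
                break
        active.append(r)
    return dict(findings)


# Constructed sample rule base, not taken from any real firewall.
SAMPLE_RULEBASE = [
    Rule("R1", "allow", "10.0.0.0/8", "10.20.0.0/16", "tcp/443", owner="web-team", justification="CR-101"),
    Rule("R2", "allow", "10.1.0.0/16", "10.20.0.0/16", "tcp/443", owner="web-team", justification="CR-102"),
    Rule("R3", "allow", "172.16.0.0/12", "10.20.5.10/32", "tcp/22", owner="", justification="CR-090"),
    Rule("R4", "deny", "10.0.0.0/8", "10.20.0.0/16", "tcp/443", owner="netsec", justification="CR-110"),
    Rule("R5", "allow", "any", "any", "any", owner="netops", justification=""),
    Rule("R6", "allow", "10.5.0.0/16", "10.30.0.0/16", "tcp/80", enabled=False, owner="app", justification="CR-050"),
    Rule("R7", "allow", "10.5.0.0/16", "10.30.0.0/16", "tcp/80", owner="app", justification="CR-051"),
]

if __name__ == "__main__":
    for category, names in sorted(review(SAMPLE_RULEBASE).items()):
        print(f"{category:12s} {', '.join(names)}")
```

In the sample, R4 is a deny that can never take effect because R1 already allows the same traffic, which is the kind of finding that points to a broken segmentation intent rather than mere clutter, while R2 and R7 are pure rule debt that can be removed without changing behaviour. A real rule base would be exported from the vendor's CLI or management interface and mapped into this model first; the thresholds above are placeholders for the business requirements agreed with system owners.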

FAQ

A firewall ruleset review examines the rule base without sending traffic. A network penetration test actively exploits weaknesses to measure real-world impact. The two services address different questions: penetration testing shows what an attacker can do, while a ruleset review identifies overly permissive rules, undocumented entries, and rule debt before they can be abused.

The review examines every rule in the firewall rule set, including any-source and any-destination entries, rules without a documented business justification, disabled and shadowed rules, and service or port definitions that are broader than required. It also reviews management access rules, deny-all placement, and whether inbound and outbound controls are applied consistently across interfaces.

No live traffic capture is required. Ruleset extraction uses command-line access and management interfaces, supported by discussions with system owners to confirm configuration intent. That grey-box approach helps ensure the findings reflect your actual business requirements rather than assumptions about how the environment is meant to operate.

Overly permissive rules can let an attacker move across network segments, reach isolated systems, and harvest authentication credentials without generating the traffic patterns many detection tools are tuned to catch.

A firewall ruleset review from Swarmnetics produces a draft report for your review, followed by a final report upon acceptance. The report maps every finding to network least privilege principles and accepted firewall management practices with a severity rating, a description of the configuration gap, and specific remediation guidance. An executive summary is included for non-technical stakeholders. After you have remediated the findings, we conduct a follow-up review to confirm adequate remediation.

A firewall ruleset review is relevant to any organisation that needs to validate that its firewall rules and network access controls are configured securely. It is particularly relevant for organisations subject to regulatory, contractual, or industry security requirements, which require demonstrable evidence of secure configuration and hardening. A firewall ruleset review is also recommended after significant infrastructure changes, migrations, or new system deployments. Swarmnetics has delivered firewall ruleset reviews across all sectors since 2015.

The duration of a firewall ruleset review depends on the number of firewalls and ruleset volumes in scope and their complexity. A typical firewall ruleset review engagement takes three to five business days, followed by an initial report within five business days for your review.

A firewall ruleset review is often required for compliance with applicable regulatory, contractual, or industry security obligations where organisations must implement and validate secure configurations for network access controls. It provides documented evidence of compliance with hardening standards that regulators and auditors may request.

Every firewall ruleset review follows a three-phase process. In the planning phase, Swarmnetics agrees the scope and schedule with your team. In the assessment phase, our consultants extract the firewall ruleset using command-line and management interface tools and assess it against network least privilege principles and the organisation’s stated business requirements, conducting interviews with relevant team members where needed to confirm configuration intent. In the reporting phase, we deliver a draft report for review and a final report with remediation guidance mapped to the applicable standard.

All Swarmnetics configuration reviews are conducted by our Singapore-based team of security consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials. Swarmnetics has been delivering technical security assessments to organisations across Singapore since 2015 and serves as a trusted VAPT partner for leading enterprises across technology, telecommunications, and professional services.

The security assessment report includes specific, actionable remediation guidance for every finding — not generic advice. For each finding, we describe the fix and any dependencies between remediation steps. Once your team has addressed the findings, Swarmnetics conducts a follow-up retest to verify that each issue has been adequately remediated. The final report confirms closure and provides documented evidence of remediation.