5,732 Firewalls in One Year — The Misconfigurations I See on Almost Every Box


Last year, our team audited 5,732 firewalls. That’s not a round number I picked for effect—that’s the actual count from our deployment and audit logs. FortiGates, Palo Altos, Sophos, Cisco ASAs, a few niche vendors. Enterprise data centres, bank branches, hospital campuses, manufacturing plants, multi-site retail chains.

Every single one had at least one misconfiguration. Many had dozens. And I’m not talking about subtle policy gaps that require a red team to find. I’m talking about the same basic mistakes, repeated across budgets ranging from ₹5 lakh to ₹50 crore.

Here’s what I keep seeing—and why it keeps happening.

The Top 5 Misconfigurations (In Order of How Often I See Them)

1. Default Rules Never Reviewed (94% of audits)

The most common issue isn’t a bad rule—it’s a rule that nobody remembers adding. “Allow Any to Any” from a temporary test that went live three years ago. Old VPN tunnels to decommissioned branches. Management access from 0.0.0.0/0. We found one firewall—a major bank’s—that had a default-permit rule for port 3389 (RDP) sitting at position 3, untouched since 2019.

The fix isn’t technical. It’s process: schedule a rule review every quarter. Not annually. Quarterly. If your team can’t do that, you have too many rules and not enough simplicity.

2. Logging Disabled on Critical Rules (87%)

It’s astonishing how many firewalls have logging turned off on their most important rules. “We don’t want to fill the disk” is the excuse I hear most. But here’s the thing: that permit rule from the internet to your mail server? If you’re not logging it, you’re not detecting the brute-force attempt. You don’t know which source IPs are scanning you. You’re blind.

Disk is cheap. Compromise is not. Every deny rule, every critical permit, every NAT translation—log it. Set a retention policy and rotate logs. If you’re using a SIEM, send the logs there. If you’re not using a SIEM, start.

3. Outdated Firmware (76%)

This one hurts because it’s the easiest to fix and the most consequential to ignore. I still walk into environments running FortiOS 6.x in 2026. Six. Dot. Something. That’s four major versions out of date. The CVEs that version has accumulated could fill a small book.

I understand the fear: “The upgrade might break something.” It might. But the unpatched vulnerability will break something too, and it’ll be worse, on an attacker’s schedule rather than yours. Schedule a maintenance window. Test on a non-production unit. Use FortiManager or Panorama or whatever your vendor offers. But don’t sit on old firmware because you’re afraid of downtime. You’re accepting a near-certain compromise to avoid a possible inconvenience.
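Knowing which boxes are behind is the first step, and it is easy to get wrong by comparing version strings as text. The script below is an added example written for this post (not Fortinet's or P J Networks' tooling). It reads the `Version:` line of FortiOS `get system status` output, which here is a constructed sample with placeholder build numbers, and checks each device against a baseline; the `MIN_PATCH` table is a hypothetical organisational policy, not Fortinet's actual support matrix, so substitute your own numbers.

```python
"""Fleet firmware compliance check against an organisational baseline.
Added example for this post, not Fortinet or P J Networks tooling. It reads
the 'Version:' line of FortiOS 'get system status'; the baseline is an
assumed policy, not Fortinet's real support matrix."""
import re

# Assumed policy (hypothetical numbers): per allowed train, the oldest
# acceptable patch release. Trains not listed here must be upgraded.
MIN_PATCH = {(7, 4): (7, 4, 4), (7, 2): (7, 2, 9)}

# Constructed sample: the first line of 'get system status' from four boxes.
# Build numbers and dates are placeholders, not real Fortinet builds.
STATUS_LINES = {
    "br-mumbai-01": "Version: FortiGate-60F v7.4.6,build1234,250101 (GA.F)",
    "br-pune-03": "Version: FortiGate-60F v7.2.10,build1234,250101 (GA.M)",
    "br-delhi-02": "Version: FortiGate-40F v7.2.8,build1234,240101 (GA.M)",
    "dc-core-01": "Version: FortiGate-600E v6.4.15,build1234,240101 (GA.M)",
}

VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_line):
    """Return (major, minor, patch) as ints. Comparing the raw strings gets
    this wrong: '6.4.15' < '6.4.9' lexicographically, and so is '7.2.10' < '7.2.9'."""
    m = VERSION_RE.search(status_line)
    if not m:
        raise ValueError("no FortiOS version in: %r" % status_line)
    return tuple(int(x) for x in m.groups())


def classify(version):
    """'ok'      : on an allowed train at or above the minimum patch
       'patch'   : allowed train, but below the minimum patch release
       'upgrade' : train not allowed at all (anything 6.x under this policy)"""
    train = version[:2]
    if train not in MIN_PATCH:
        return "upgrade"
    return "ok" if version >= MIN_PATCH[train] else "patch"


def fleet_report(status_lines):
    """Map device name -> (version string, status), worst cases first."""
    order = {"upgrade": 0, "patch": 1, "ok": 2}
    rows = {}
    for name, line in status_lines.items():
        ver = parse_version(line)
        rows[name] = (".".join(map(str, ver)), classify(ver))
    return dict(sorted(rows.items(), key=lambda kv: order[kv[1][1]]))


if __name__ == "__main__":
    for name, (ver, status) in fleet_report(STATUS_LINES).items():
        print("%-14s %-8s %s" % (name, ver, status))
```

Run it against the output of `get system status` collected from each device (or from your central manager's inventory) and you get a prioritised list: boxes on a train you no longer allow at the top, boxes that just need a patch within their train next. The tuple comparison is the point worth copying; a naive string sort would rank 7.2.10 below 7.2.9 and hide the laggards.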

4. Overly Permissive Outbound Rules (71%)

“Allow all to any” on the outbound side is the de facto default in most deployments. I get it—setting up granular outbound policies is work, and nobody wants to be the person who accidentally blocks the finance team’s SaaS tool. But that open outbound policy is how ransomware phones home. It’s how data exfiltration happens. It’s how C2 traffic blends in with normal web traffic.

Start with a default-deny outbound and add exceptions. Before you cut over, turn logging on for the existing permit-all rule and build the exception list from what it actually carries, by destination, port and application, rather than from what people think they need. Yes, it’ll take a couple of weeks to tune. Yes, you’ll get complaints. Once it’s tuned, your security posture improves dramatically—and the complaints stop.
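Points 1, 2 and 4 can all be checked mechanically against a config export before the quarterly review, which is the only way the review stays quarterly. The script below is an added example written for this post, not P J Networks' audit tooling. It parses the flat `config / edit / set / next / end` subset of FortiOS CLI syntax used in the constructed sample (nested `config` blocks inside an `edit` are not handled), assumes `wan1` is the internet-facing interface, and takes the age of each policy's last hit from a constructed table, since hit counters live outside the config on a real box.

```python
"""Flag the rule-hygiene and logging issues described above in a FortiOS
config export. Added illustration for this post, not P J Networks tooling;
it parses only the flat 'config / edit / set / next / end' subset shown."""
import shlex

# Constructed sample config, not from any real device. 'wan1' is assumed to be
# the internet-facing interface.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "netops"
        set trusthost1 10.20.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "mx1"
        set action accept
        set service "SMTP"
        set logtraffic disable
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic all
    next
end
"""

# Constructed hit-count data: days since each policy last matched a packet
# (on a real box this comes from the policy hit counters, not the config).
LAST_HIT_DAYS = {"1": 400, "2": 3, "3": 0}


def parse_fortios(text):
    """Return {table: {edit_id: {key: [values]}}} for a flat FortiOS config."""
    tables, path, cur = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":          # e.g. 'config firewall policy'
            path.append(" ".join(tok[1:]))
            tables.setdefault(path[-1], {})
        elif tok[0] == "edit":          # policy ID or quoted admin name
            cur = tables[path[-1]].setdefault(tok[1], {})
        elif tok[0] == "set" and cur is not None:
            cur[tok[1]] = tok[2:]       # keep every value, e.g. 'ip mask'
        elif tok[0] == "next":
            cur = None
        elif tok[0] == "end":
            path.pop()
    return tables


def audit(tables, last_hit_days=None, stale_after=90):
    """Return (object, finding) pairs for the misconfigurations checked."""
    findings = []
    # FortiOS treats a trusthost of 0.0.0.0 0.0.0.0 as 'unset'; an admin with
    # none set can log in from anywhere.
    for name, adm in tables.get("system admin", {}).items():
        hosts = [adm.get("trusthost%d" % i, []) for i in range(1, 11)]
        if all(h in ([], ["0.0.0.0", "0.0.0.0"]) for h in hosts):
            findings.append(("admin " + name, "management access from 0.0.0.0/0"))
    for pid, pol in tables.get("firewall policy", {}).items():
        g = lambda key: pol.get(key, [])
        obj, accept = "policy " + pid, g("action") == ["accept"]
        if accept and g("srcintf") == g("dstintf") == ["any"] \
                and g("srcaddr") == g("dstaddr") == ["all"] and g("service") == ["ALL"]:
            findings.append((obj, "allow any to any"))
        if g("logtraffic") != ["all"]:   # also catches deny rules that log nothing
            findings.append((obj, "logging not enabled for all sessions"))
        if accept and "wan1" in g("dstintf") and g("dstaddr") == ["all"] and g("service") == ["ALL"]:
            findings.append((obj, "unrestricted outbound: any port to the internet"))
        days = (last_hit_days or {}).get(pid)
        if days is not None and days > stale_after:
            findings.append((obj, "no hits in %d days; review or remove" % days))
    return findings


if __name__ == "__main__":
    for obj, what in audit(parse_fortios(SAMPLE_CONFIG), LAST_HIT_DAYS):
        print("%-14s %s" % (obj, what))
```

On the sample it reports the default `admin` account (no trusthosts, so logins from anywhere), the forgotten any-to-any test policy three times (open, unlogged, no hits in over a year), the unlogged inbound SMTP permit, and the permit-all outbound policy; the `netops` account with a real trusthost subnet and the logged policy 3 pass the checks they should. The corresponding fixes are the ones the text describes: delete the stale policy, `set logtraffic all` on the rest, `set trusthost1` to a management subnet on every admin account, and replace the outbound permit-all with explicit exceptions.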

5. No Centralised Management (65%)

If you have more than 5 firewalls, you need central management. If you have more than 20, you’re actively losing money without it. I’ve seen organisations with 50+ firewalls managed one-by-one via SSH. Each box has its own config, its own firmware version, its own local admin passwords, its own rules. It’s not security—it’s chaos with a warranty.

FortiManager. Panorama. Sophos Central. Whatever ecosystem you’re in, use the management platform. Consistent policy across all sites. Firmware compliance checks. Audit trails. If you’re managing firewalls individually, you’re not managing security—you’re managing firewalls.

Why Does This Keep Happening?

It’s not incompetence. The engineers I meet are smart, experienced, hardworking. The problem is that operations scale faster than processes. A company goes from 5 firewalls to 30 in a year. The team doesn’t triple. The procedures don’t update. The old way of doing things gets stretched until it snaps.

The fix is painful but simple: build operations that scale before you need them to. Standardise your build templates. Automate your config deployment. Monitor your rule hygiene. If you can’t do that internally, outsource it to someone who can. Doing nothing is the most expensive option.

How Does Your Firewall Score?

If you recognise even two of these in your environment, you’re not alone. Every CISO I talk to has at least one of these issues somewhere in their estate. The question isn’t whether you have them—it’s whether you’re fixing them.

Start with one. Pick the easiest one first. Logging. Then firmware. Then rule review. In three months, your posture will be unrecognisable—and you’ll wonder why you didn’t do it sooner.


Sanjay Seth has been in cybersecurity since 1992. He’s the CEO of P J Networks, a Fortinet MSSP partner, and the architect behind the PrahiX Ora unified platform. His team audits hundreds of firewalls every year. If you’d like a health check on your estate, get in touch.
