5,732 Firewalls in One Year — The Misconfigurations I See on Almost Every Box
Last year, our team audited 5,732 firewalls. FortiGates, Palo Altos, Sophos, Cisco ASAs. Enterprise data centres, bank branches, hospital campuses, manufacturing plants. The smallest was a single FG-40F in a co-working space. The largest was a pair of ruggedised chassis in a tier-3 data centre.
Every single one had at least one misconfiguration. Many had dozens. And I am not talking about subtle policy gaps that require a red team to find. I am talking about the same basic mistakes, repeated across budgets ranging from ₹5 lakh to ₹50 crore. The scale and the vendor change. The errors do not.
Over 23 years, I have learned the hardware is rarely the problem. The problem is the gap between what the firewall can do and what the operator has configured it to do. That gap is where breaches live.
Here is what I keep seeing—and why it keeps happening.
The Top 5 Misconfigurations (In Order of How Often I See Them)
1. Default Rules Never Reviewed (94% of audits)
The most common issue is not a bad rule—it is a rule that nobody remembers adding. “Allow Any to Any” from a temporary test. Old VPN tunnels to decommissioned branches. Management access from 0.0.0.0/0. We found a major bank’s firewall with a default-permit rule for RDP sitting at position 3, untouched since 2019. The bank had passed its compliance audit because the auditor checked that a firewall existed, not what was inside it.
The fix is process: schedule a rule review every quarter. Not annually. If your team cannot do that, you have too many rules.
2. Logging Disabled on Critical Rules (87%)
It is astonishing how many firewalls have logging turned off on critical rules. “We do not want to fill the disk” is the excuse I hear most. That permit rule from the internet to your mail server? If you are not logging it, you are not detecting brute force attempts. You are blind.
Disk is cheap. Compromise is not. Every deny rule, every critical permit, every NAT translation—log it. Set a retention policy and rotate to an external collector. If you are not using a SIEM, start. A firewall with no logs is a speed bump. For a proper network security audit, the first thing I check is whether the logs tell a coherent story. Most do not.
3. Outdated Firmware (76%)
This is the easiest to fix and most consequential to ignore. I still walk into environments running FortiOS 6.x in 2026—four major versions out of date, with critical-severity remote code execution CVEs that require no credentials to exploit.
I understand the fear: “The upgrade might break something.” But the unpatched vulnerability will break something, and it will be worse. Test on a non-production unit, use FortiManager, schedule a maintenance window. You are trading certain compromise for possible inconvenience. A proper FortiGate audit almost always reveals a critical firmware gap the client did not know existed.
4. Overly Permissive Outbound Rules (71%)
“Allow all to any” on the outbound side is the default on most firewalls. I get it—setting up granular outbound policies is work, and nobody wants to be the person who accidentally blocks the finance team’s SaaS tool. But that open outbound policy is how ransomware phones home. It is how data exfiltration happens. It is how C2 traffic blends in with normal web traffic. In the 2024 Verizon DBIR, 68% of breaches involved the web application server as the vector—and most of those were outbound connections to attacker-controlled infrastructure.
Start with a default-deny outbound and add exceptions. Yes, it will take a couple of weeks to tune. Yes, you will get complaints. Once it is tuned, your security posture improves dramatically—and the complaints stop. Use application control profiles and URL filtering to add context to outbound policies. A rule that allows “HTTPS to finance-saas.example.com” is better than “HTTPS to any.” Layer it. Tighten it. Document it.
5. No Centralised Management (65%)
If you have more than 5 firewalls, you need central management. If you have more than 20, you are actively losing money without it. I have seen organisations with 50+ firewalls managed one-by-one via SSH. Each box has its own config, its own firmware version, its own local admin passwords, its own rules. It is not security—it is chaos with a warranty. A single missed firmware update on one of those 50 boxes is all it takes for a breach.
FortiManager. Panorama. Sophos Central. Whatever ecosystem you are in, use the management platform. Consistent policy across all sites. Firmware compliance checks. Audit trails. Template-based deployment so that a new branch firewall inherits the security baseline automatically. If you are managing firewalls individually, you are not managing security—you are managing firewalls. Central management is table stakes for any serious security hardening programme.
The Hidden Cost of Firewall Misconfiguration
A firewall misconfiguration is not a paperwork issue. It is a security incident waiting to happen. The IBM Cost of a Data Breach 2025 report puts the average cost of a breach in India at ₹19.5 crore. Most involved a configuration gap somewhere in the kill chain. A misconfigured rule that exposes RDP to the internet is ground zero for ransomware. A logging policy that does not capture permits from untrusted zones is how an attacker operates for months unnoticed.
The common thread is operational debt. Nobody sets out to build an insecure firewall. It happens incrementally. One rule added here. One logging policy skipped there. One firmware upgrade postponed. Over time, the firewall becomes a compliance checkbox rather than an active defence.
How Does Your Firewall Score?
If you recognise even two of these in your environment, you are not alone. Every CISO I talk to has at least one of these issues somewhere in their estate. The question is not whether you have them—it is whether you are fixing them.
Start with one. Pick the easiest first. Logging. Then firmware. Then rule review. In three months, your posture will be unrecognisable—and you will wonder why you did not do it sooner. And if you want an expert pair of eyes on your firewall estate, that is what we do. Thousands of audits a year, honest feedback, no fluff.
Sanjay Seth has been in cybersecurity since 1992. He is the CEO of P J Networks, a Fortinet MSSP partner, and the architect behind the PrahiX Ora unified platform. His team audits hundreds of firewalls every year. If you would like a health check on your estate, get in touch.