Client Overview
A national logistics company with operations across 25 locations relied on a mix of Palo Alto, FortiGate, and Cisco ASA firewalls to protect its network perimeter and segment internal traffic. Its infrastructure supported fleet management systems, warehouse operations, customer portals, and real-time shipment tracking. With cyber threats against supply chain companies increasing, management commissioned a thorough firewall security audit.
Challenge
The firewall infrastructure had been managed by different network administrators over the years, resulting in accumulated rules with no documented purpose. Some firewalls had over 500 rules, many of which were suspected to be redundant or overly permissive. The client had no centralised firewall management platform, and rule change processes were informal. They needed a comprehensive audit to identify security gaps, optimise the rule base, and establish a baseline for ongoing governance.
Our Approach
Codesecure conducted a comprehensive firewall security audit covering the following areas:
• ACL rule analysis across all 25 firewall instances — identifying overly permissive rules, any-any rules, and shadowed rules
• NAT policy review for configuration errors, IP exposure risks, and translation conflicts
• VPN tunnel configuration assessment — encryption algorithms, pre-shared key strength, and split tunnelling risks
• Network segmentation verification — ensuring proper isolation between warehouse operations, corporate IT, customer-facing services, and fleet management systems
• Firewall firmware and patch level assessment across all three vendor platforms
• Logging and monitoring configuration review — syslog forwarding, alert thresholds, and SIEM integration readiness
• High-availability and failover configuration validation
• Rule optimisation recommendations with consolidation and cleanup guidance
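The ACL rule analysis above (any-any rules, shadowed rules, rules without logging) can be reproduced on a small scale with a vendor-neutral rule-base linter. The following is an added example written for this page, not Codesecure's tooling or any vendor's export format; it assumes first-match rule evaluation, IPv4 addresses in CIDR form, and a simplified rule model (source, destination, protocol, port range, action, logging flag). The sample rule base is constructed and deliberately contains each class of finding.

```python
"""Rule-base linter for the three ACL findings discussed on the page:
any-any rules, shadowed rules and rules with logging disabled.
Added example; the Rule model is a simplified abstraction (assumption),
not a real Palo Alto / FortiGate / ASA configuration format."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src: str                          # IPv4 CIDR or "any"
    dst: str                          # IPv4 CIDR or "any"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive (low, high), None = any port
    log: bool = True                  # whether matches are logged


def _net(s: str):
    """Translate "any" to the whole IPv4 space so subnet tests work uniformly."""
    return ip_network("0.0.0.0/0") if s == "any" else ip_network(s, strict=False)


def _ports(p: Optional[Tuple[int, int]]) -> Tuple[int, int]:
    return (0, 65535) if p is None else p


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would also match `outer`."""
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    lo_o, hi_o = _ports(outer.ports)
    lo_i, hi_i = _ports(inner.ports)
    return lo_o <= lo_i and hi_i <= hi_o


def is_any_any(rule: Rule) -> bool:
    """An allow rule that matches all sources, destinations, protocols and ports."""
    return (rule.action == "allow" and rule.src == "any" and rule.dst == "any"
            and rule.proto == "any" and rule.ports is None)


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule, shadowed_by) pairs. With first-match evaluation a rule that is
    fully covered by an earlier rule can never match; an allow shadowed by an
    earlier deny is dead, a deny shadowed by an earlier allow is a fail-open."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                shadowed.append((r.name, earlier.name))
                break
    return shadowed


def find_unlogged(rules: List[Rule]) -> List[str]:
    return [r.name for r in rules if not r.log]


def audit(rules: List[Rule]) -> Dict[str, list]:
    return {
        "any_any": [r.name for r in rules if is_any_any(r)],
        "shadowed": find_shadowed(rules),
        "unlogged": find_unlogged(rules),
    }


# Constructed sample rule base (not from the audited client).
SAMPLE_RULES = [
    Rule("R1", "allow", "10.10.0.0/16", "10.20.0.0/16", "tcp", (443, 443)),
    Rule("R2", "allow", "10.10.5.0/24", "10.20.1.0/24", "tcp", (443, 443)),  # shadowed by R1
    Rule("R3", "deny", "10.30.0.0/16", "10.40.0.0/24", "any", None),
    Rule("R4", "allow", "10.30.7.0/24", "10.40.0.0/24", "tcp", (22, 22), log=False),  # dead: R3 denies first
    Rule("R5", "allow", "any", "any", "any", None, log=False),  # any-any cleanup rule
]


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_RULES).items():
        print(f"{category}: {hits}")
```

In practice the rule list would be loaded from each vendor's configuration export and the `covers` check extended with zones, address groups and service objects; the first-match assumption also has to be confirmed per platform before trusting a shadowing result.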
Results
We identified 41 findings across the firewall estate — 3 critical, 14 high, and 24 medium severity.
Critical findings included:
• An any-any rule on the warehouse network firewall effectively bypassing all filtering
• A VPN tunnel using DES encryption (deprecated and crackable)
• A management interface accessible from the public internet on one FortiGate device
High findings included:
• 127 shadowed rules that never matched traffic
• 43 rules with no logging enabled
• Missing firmware patches on 6 devices
• Inconsistent segmentation allowing warehouse systems to reach the corporate finance VLAN
The client implemented our recommendations, consolidating 500+ rules down to 340 across the estate and eliminating all critical and high findings.
Conclusion
Firewalls are the first line of defence, but their effectiveness depends on proper configuration and ongoing governance. This audit helped the client transform a sprawling, undocumented rule base into a clean, optimised, and well-documented firewall estate. Contact Codesecure for a comprehensive firewall security audit.