Your firewall is the front door to your network. A misconfigured firewall is like a lock that's never been tested: it looks secure, but it might not actually stop anyone.
I've reviewed hundreds of firewall configs over the years. These are the hardening steps that actually matter, regardless of whether you're running Cisco, Fortinet, Palo Alto, pfSense, or something else.
The Fundamentals (Non-Negotiable)
1. Default Deny
Your firewall should block everything by default and only allow what's explicitly permitted. This sounds obvious, but I still find configs where the implicit rule is "permit any any" or there's no cleanup rule at the end.
2. Disable Unused Interfaces
If a physical or logical interface isn't in use, disable it. Don't just leave it unconfigured; explicitly shut it down.
3. Change Default Credentials
Yes, people still forget this. Admin/admin, admin/password, blank passwords on console access. Check and change them.
Access Control Rules
Review Every "Any" Rule
Search your ruleset for "any" in the source, destination, or service fields. Each one is a potential security gap:
- Source: Any. Who exactly should be able to reach this?
- Destination: Any. Does this really need to go everywhere?
- Service: Any. Can we limit this to specific ports?
Remove Stale Rules
That "temporary" rule from 2019? Still there. Set up a process to review rules quarterly and remove anything that's no longer needed. Most firewalls can show hit counts; rules with zero hits in 90 days are candidates for removal.
Order Matters
Firewall rules are processed top-to-bottom (usually). Put your most specific deny rules before broad permit rules. A common mistake: having a "permit any any" rule above more restrictive rules, making them useless.
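The three rule-review checks above (fields set to "any", zero hit counts, and ordering that lets a broad rule shadow the ones below it) as an added Python example; this is not code from the original post, and the Rule layout and sample ruleset are constructed rather than any vendor's export format. The audit also flags a ruleset with no explicit cleanup deny at the bottom, the Default Deny point from earlier.

```python
# Added example (not the post's code): audit a constructed, vendor-neutral ruleset.
from dataclasses import dataclass
from ipaddress import ip_network
FIELDS = ("src", "dst", "service")  # the fields that decide what a rule matches

@dataclass
class Rule:
    name: str
    action: str    # "permit" or "deny"
    src: str       # address/CIDR or "any"
    dst: str
    service: str   # e.g. "tcp/443" or "any"
    hits: int      # hit count over the review window

def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    if broad == "any" or broad == narrow:
        return True
    if narrow == "any":
        return False
    try:  # address fields: CIDR containment; service fields only match by equality
        return ip_network(narrow).subnet_of(ip_network(broad))
    except (ValueError, TypeError):
        return False

def audit(rules):
    """Return (rule name, finding) pairs; rules are given in processing order."""
    findings = []
    for i, rule in enumerate(rules):
        broad = [f for f in FIELDS if getattr(rule, f) == "any"]
        if rule.action == "permit" and broad:
            findings.append((rule.name, "any-in-" + ",".join(broad)))
        if rule.hits == 0:
            findings.append((rule.name, "zero-hits"))
        # Shadowed: an earlier rule already matches everything this one would.
        for earlier in rules[:i]:
            if all(covers(getattr(earlier, f), getattr(rule, f)) for f in FIELDS):
                findings.append((rule.name, f"shadowed-by:{earlier.name}"))
                break
    if not rules or rules[-1].action != "deny" or any(getattr(rules[-1], f) != "any" for f in FIELDS):
        findings.append(("<ruleset>", "no-cleanup-deny"))
    return findings

SAMPLE_RULES = [  # constructed sample, top-to-bottom processing order
    Rule("mgmt-ssh", "permit", "10.10.0.0/24", "10.0.0.1", "tcp/22", 5120),
    Rule("web-in", "permit", "any", "192.0.2.10", "tcp/443", 88000),
    Rule("temp-vendor-2019", "permit", "any", "any", "any", 0),
    Rule("db-from-app", "permit", "10.0.2.0/24", "10.0.3.5", "tcp/5432", 400),
    Rule("cleanup", "deny", "any", "any", "any", 1200),
]
```

Running audit(SAMPLE_RULES) reports the stale any/any/any permit and shows that it shadows both the database rule and the final cleanup deny, which is exactly the ordering mistake described above.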
Management Access
Restrict Management to Specific IPs
Management interfaces (SSH, HTTPS, console) should only be accessible from designated management networks or jump boxes. Never from the internet. Never from the general user network.
Use Strong Authentication
- Complex passwords (16+ characters)
- MFA if supported
- RADIUS/TACACS+ for centralized auth and logging
- Individual accounts, not shared admin credentials
Encrypt Management Traffic
Disable HTTP, Telnet, and other unencrypted management protocols. Use HTTPS and SSH only.
Logging & Monitoring
Log Denied Traffic
At minimum, log all denied connections. This helps detect scanning, brute force attempts, and misconfigured applications.
Log Allowed Traffic (Selectively)
For critical rules (internet-facing services, admin access), enable logging even for allowed traffic. You want to know who's accessing what.
Send Logs Externally
Forward logs to a SIEM or syslog server. If someone compromises the firewall, local logs can be wiped. External logs survive.
Network Segmentation
Your firewall should do more than just sit at the edge. Internal segmentation limits lateral movement:
- Servers in a DMZ: web servers and other public-facing systems shouldn't be on the same network as internal resources
- Separate user and server networks: a compromised workstation shouldn't have direct access to all servers
- Isolate sensitive systems: finance, HR, and backup systems deserve their own segments
Egress Filtering (The Forgotten Rule)
Most companies only filter inbound traffic. But controlling outbound (egress) traffic is equally important:
- Block unnecessary outbound ports (do users really need outbound SSH?)
- Force web traffic through a proxy for inspection
- Block known malware domains at the firewall
- Restrict servers to only the outbound connections they need
If malware can't call home, it can't exfiltrate data or receive commands.
Regular Maintenance
- Firmware updates: Stay current on patches, especially security fixes
- Config backups: Automated, regular backups stored securely
- Rule reviews: Quarterly at minimum
- Access reviews: Who has admin access? Do they still need it?
Need a Complete Hardening Checklist?
I've compiled 80+ hardening steps into a vendor-agnostic guide with detailed explanations and a compliance tracking spreadsheet.
Quick Wins
If you only do five things today:
- Verify default deny is in place
- Restrict management access to specific IPs
- Search for and review all "any" rules
- Enable logging for denied traffic
- Block outbound traffic to known malware domains
These take an hour or two and significantly improve your security posture.