Firewall Rule Audit Tool
Your firewall policy has grown for years. Shadow rules, any/any permits, and stale rules from decommissioned projects are hiding inside it. ConnectMyAssets audits your entire ruleset automatically, finding what's redundant, what's dangerous, and what hasn't been used in months, so you can clean up and stay compliant.
- ✓ Shadow rule detection: rules hidden by higher-priority permits
- ✓ Permissive rule detection: any/any, overly broad sources and services
- ✓ Unused rule detection: zero hit counts over a configurable period
- ✓ Policy compliance: PCI-DSS, CIS Firewall Benchmark, custom rules
- ✓ Multi-vendor: Fortinet, Palo Alto, Cisco ASA/FTD, Check Point, Juniper SRX
- ✓ Full audit trail with change history and compliance report export
Your Firewall Policy Is Probably a Security Liability
The average enterprise firewall policy has hundreds to thousands of rules, accumulated over years of projects, team changes, and emergency fixes. Studies consistently show that a significant portion of firewall rules in production environments are either shadowed (never evaluated), overly permissive (too broad), or completely unused. Each of these represents a security risk, a compliance finding, and operational complexity that makes troubleshooting harder. A manual firewall rule review is labor-intensive, error-prone, and typically happens once or twice a year at best. ConnectMyAssets automates the entire analysis continuously, identifying problems before your next external audit does.
Complete Firewall Rule Audit Capabilities
From shadow rule detection to PCI-DSS compliance reporting, everything your security team needs to maintain a clean, auditable firewall policy.
Shadow Rule Detection
Shadow rules are firewall rules that can never be matched because a more general rule above them in the policy already catches all the same traffic. They are a sign of policy bloat and configuration errors, and a compliance risk: auditors flag them as evidence of poor firewall hygiene. ConnectMyAssets analyzes your entire ruleset top-down, identifies every rule that is fully shadowed by a higher-priority rule, and shows you exactly which rule is doing the shadowing. The result is a clean list of dead rules you can safely remove to simplify your policy.
Overly Permissive Rule Detection
Rules with source "any", destination "any", or service "any" are a red flag in any security audit. ConnectMyAssets scans your firewall policies for rules that are broader than they should be, catching any-to-any rules, rules with overly wide source ranges (e.g., 0.0.0.0/0), rules that allow all services on specific hosts, and rules that bypass security zones. Each finding is categorized by severity and comes with a suggested remediation: tighten the source, restrict the service, or replace the rule with a more specific one.
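As an added example (not ConnectMyAssets code), here is a minimal version of the two checks described above, shadow detection and permissive-rule detection, run over a constructed five-rule policy; it goes slightly beyond the text in that a rule is reported as shadowed whether the covering higher-priority rule is a permit or a deny, since the later rule is unreachable either way. It assumes plain CIDR sources/destinations and a protocol plus destination-port range as the service; real rulesets also use named objects, groups and zones, and a rule can be shadowed by a combination of earlier rules, which this single-rule containment check does not cover.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
ANY_NET, ANY_PORTS = ip_network("0.0.0.0/0"), (0, 65535)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # (low, high) destination port range; (0, 65535) means any

def net(cidr: str) -> IPv4Network:
    return ANY_NET if cidr == "any" else ip_network(cidr, strict=False)
def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def find_shadowed(rules):
    """Top-down pass: (dead_rule, shadowing_rule) for each rule fully covered by one earlier rule."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):  # earlier rule's action is irrelevant: never reached
                found.append((rule.name, earlier.name))
                break
    return found

def find_permissive(rules):
    """(rule, severity, wildcard dimensions) for permits with 'any' source/destination/service."""
    findings = []
    for r in rules:
        wild = [dim for dim, is_any in (("source", net(r.src) == ANY_NET),
                                         ("destination", net(r.dst) == ANY_NET),
                                         ("service", r.proto == "any" and r.ports == ANY_PORTS)) if is_any]
        if r.action == "permit" and wild:
            findings.append((r.name, {1: "medium", 2: "high", 3: "critical"}[len(wild)], wild))
    return findings
RULES = [  # constructed sample ruleset (not from a real device), listed in priority order
    Rule("allow-web", "permit", "any", "10.0.1.0/24", "tcp", (80, 443)),
    Rule("allow-web-srv3", "permit", "192.168.5.0/24", "10.0.1.3/32", "tcp", (443, 443)),
    Rule("mgmt-ssh", "permit", "10.0.9.0/24", "10.0.0.0/8", "tcp", (22, 22)),
    Rule("legacy-any", "permit", "any", "any", "any", ANY_PORTS),
    Rule("deny-all", "deny", "any", "any", "any", ANY_PORTS),
]
```

Note that the final deny is itself reported as dead: the any/any/any permit above it means the policy's intended default deny never fires, which is exactly the kind of finding both checks are meant to surface together.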
Unused Rule Detection
Firewall rules accumulate over time. Engineers add rules for projects, temporary access, or troubleshooting, and forget to remove them. ConnectMyAssets correlates firewall rule configurations with hit counter data to identify rules that have had zero matches over a configurable time window (7, 30, 90 days). These unused rules expand your attack surface and make your policy harder to manage. ConnectMyAssets flags them for review and generates a cleanup candidate list with rule details, last-seen timestamps, and the recommended action.
Policy Compliance Checks
Verify your firewall ruleset against established security standards and internal policies. ConnectMyAssets includes built-in check packs for PCI-DSS (cardholder data environment segmentation, rule review requirements), CIS Firewall Benchmark controls, and NIST SP 800-41 guidelines. You can also define custom compliance rules: "no rule should allow inbound traffic directly to the database VLAN from the internet", "all management access must be restricted to the management subnet", "deny rules must have a log action". Each check produces a PASS/FAIL verdict with evidence.
Multi-Vendor Firewall Support
Analyze rulesets across all the firewalls in your environment regardless of vendor. ConnectMyAssets supports Fortinet FortiGate (FortiOS), Palo Alto Networks (PAN-OS), Cisco ASA and Firepower (FTD), Check Point (GAIA), Juniper SRX (JunOS), and others. Each vendor's ruleset is parsed natively: the platform understands FortiOS policy objects, Palo Alto security zones, Cisco access-control lists, and Check Point network objects. All findings are presented in a unified view so you can compare firewall hygiene across vendors and sites.
Audit Trail & Change Reports
Every rule change is captured, timestamped, and attributed. ConnectMyAssets maintains a complete history of your firewall rulesets over time, so you can see what changed, when it changed, and who made the change. For compliance audits (PCI-DSS requires firewall rule reviews at least every six months), you can export a full audit report showing the current ruleset analysis, a history of rule changes, and the remediation actions taken on previous findings. Reports are available in PDF for audit submissions and CSV for further analysis.
How It Works
Connect Your Firewalls
Add your firewalls to ConnectMyAssets using read-only API credentials or SSH access. Collection is agentless: there is no software to deploy on the firewall itself. ConnectMyAssets retrieves the full ruleset, policy objects, address groups, and hit counter data from each device. Multi-vendor environments are handled transparently: FortiGate, Palo Alto, Cisco ASA, Check Point, and Juniper SRX are all connected through the same onboarding workflow.
Run Automated Rule Analysis
ConnectMyAssets analyzes your rulesets automatically on a schedule you define: daily, weekly, or triggered by a rule change. The analysis engine checks every rule for shadow conditions, permissiveness, and usage. It applies all compliance policy checks and correlates hit counter data to identify unused rules. Results are available immediately in the dashboard with severity-based filtering. You can drill down to any finding to see the exact rule, its position in the policy, the reason it was flagged, and the recommended action.
Clean, Document & Comply
Act on findings through guided remediation workflows: disable a shadow rule, tighten a permissive source, remove an unused rule, or raise a change ticket in your ITSM. After remediation, re-run the analysis to confirm the issue is resolved. Generate a compliance report for your next PCI-DSS firewall review, your NIS2 assessment, or your internal security audit. The report includes the before-and-after state of your ruleset, evidence of all findings, and a record of remediation actions: everything your auditor needs.
Clean Up Your Firewall Policy Before Your Next Audit Does
Shadow rules, any/any permits, and years of accumulated stale rules are hiding in your firewall policy. ConnectMyAssets finds them automatically, so your security team can act before an auditor or an attacker does.
