Audit and Assurance


Firewall Audit Programme

  • 1.  Firewall Audit Programme

    Posted 17 Mar, 2020 09:04
    Hi all,

    Kindly share an updated Firewall Audit programme.

    Thank you

    Veronica Rose, CISA
    Information Systems Auditor

  • 2.  RE: Firewall Audit Programme

    Posted 18 Mar, 2020 00:22
    Can any community member help Veronica?

    Veronica, what vendor: Check Point, Juniper, etc.?
    Your best recourse is to consult the vendor's configuration and security settings documentation.

    Sal Rodriguez
    Director of Internal Audit

  • 3.  RE: Firewall Audit Programme

    Posted 18 Mar, 2020 00:40
    @Salvador Rodriguez

    Thanks for your response

    The link below is the specs for the firewall I intend to audit. I will also source more information from the vendor. Thank you.

    Veronica Rose, CISA
    Information Systems Auditor

  • 4.  RE: Firewall Audit Programme

    Posted 18 Mar, 2020 05:10

    Please find below a vendor-neutral firewall audit programme.
    1. Obtain network diagrams illustrating firewall connections and segmentation on the network.
    2. Obtain a list of individuals who have access to change configurations to routers and firewalls.
    3. Obtain firewall rule sets and review for appropriate rule justification and purpose.
    4. Determine if password management features are in place for applicable firewall components and the shadow password file (security/password/etc.) is used.
       • Password management guidelines exist.
       • Passwords are not displayed.
       • Passwords are user maintainable.
       • Password parameters comply with defined standards.
       • Login attempts are limited to three and the account is then locked.
       • Login failures are logged.
       • User IDs and passwords are encrypted across the network.
       • Passwords are required.
       • An automatic timeout feature exists.

    Review for dial-in access directly to the firewall server.

    • Determine if remote connections are automatically disconnected by the system after a specified length of time of inactivity or if the connection is broken.
    • Only appropriate users have dial-in access to the firewall.
    • Appropriate individuals authorize dial-in access.
    • Access request forms exist to document approval of dial-in access.
    • Secure protocols are utilized when users are logging into firewalls remotely.
    • The use of dial-in access is logged and reviewed by management.
    • Obtain firewall configurations from firewall administrators.
    • Review configurations to verify effectiveness of firewalls.


    Firewall components are on an appropriate version and security patches are kept up to date as vulnerabilities and business reasons dictate.

    • A patch ID equates to a certain level of applied patches.
    • Available patch updates are monitored and applied as necessary.
    • Active services running on the firewall servers are appropriate.
    • Only justified start-up scripts are being utilized.
    • An appropriate banner is presented during Telnet/file transport protocol (FTP) access.
    • All server accounts are individual accounts and any use of an administrator account is not initiated directly.

    • Obtain logs from the firewall administrators.
    • Review the logs to verify the following items are logged:
      • Login (unsuccessful and successful)
      • Logout (successful)
      • Use of privileged commands (unsuccessful and successful).
      • Application and session initiation (unsuccessful and successful).
      • Use of print command (unsuccessful and successful).
      • Access control permission modification for users and security parameters (unsuccessful and successful).
      • Unauthorized access attempts to files (unsuccessful).
      • System start-up and shutdown (unsuccessful and successful); connection is broken.
      • All system logging and email is isolated to its own partition.
      • All attempts to gain root/administrator access.
      • All dropped packets, denied connections and rejected attempts.
      • Time, protocol and username for successful connections through the firewall.
      • IP addresses.
      • Error messages from routers, bastion host and proxying program.


    A lockdown rule has been placed at the beginning of the rule base. The lockdown rule protects the firewall, ensuring that whatever other rules you put in later will not inadvertently compromise your firewall. If administrative access is required, then a rule should be placed before the lockdown rule. All other rules should go after the lockdown rule going from most restrictive to general rules. Review the remaining rules.


    Fault tolerance (e.g., mirroring of data) has been implemented for the firewall server. Redundant components are installed where critical failure points exist, or spare parts should be on site. Use the hardware and software configuration information to identify hardware and software in place which provide redundancy and backup.

    If single points of failure exist, plans exist to address the situation(s). Obtain and review a schedule of the retention periods for the firewall's software components and a schedule of the rotation cycle of the firewall's software. The disaster recovery plan includes the firewall server.

    Vikram Raghuveer
    Manager-IT and internal audits
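The rule-base steps above (rule justification and purpose, and the lockdown rule at the top of the rule base with only administrative-access rules before it) can be checked mechanically. The following is an added example, not code from the thread or from any vendor: it assumes a vendor-neutral rule export already parsed into `Rule` records, uses a constructed placeholder address object `firewall` for the firewall itself, and reports the findings an auditor would follow up on.

```python
# Added example (not from the thread): a small reviewer for a vendor-neutral
# firewall rule base implementing three of the audit steps listed above:
#  - every rule carries a documented justification,
#  - a lockdown rule (deny everything addressed to the firewall itself) sits at
#    the top of the rule base, preceded only by administrative-access rules,
#  - no rule is an unrestricted "any -> any allow".
from dataclasses import dataclass

FIREWALL_SELF = "firewall"   # constructed placeholder for the firewall's own address object


@dataclass
class Rule:
    number: int
    src: str
    dst: str
    service: str
    action: str                # "allow" or "deny"
    justification: str = ""    # change-request reference or purpose
    admin_access: bool = False # rule exists only for administrative access


def is_lockdown(rule: Rule) -> bool:
    """The lockdown rule denies all traffic addressed to the firewall itself."""
    return (rule.dst == FIREWALL_SELF and rule.src == "any"
            and rule.service == "any" and rule.action == "deny")


def review_rule_base(rules: list[Rule]) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    lockdown_pos = next((i for i, r in enumerate(rules) if is_lockdown(r)), None)
    if lockdown_pos is None:
        findings.append("no lockdown rule protecting the firewall itself")
    else:
        for r in rules[:lockdown_pos]:
            if not r.admin_access:
                findings.append(f"rule {r.number} precedes the lockdown rule but is not an admin-access rule")
    for r in rules:
        if not r.justification.strip():
            findings.append(f"rule {r.number} has no documented justification")
        if r.src == "any" and r.dst == "any" and r.action == "allow":
            findings.append(f"rule {r.number} is an unrestricted any/any allow")
    return findings


# Constructed sample rule base for illustration only.
SAMPLE_RULES = [
    Rule(1, "mgmt-net", FIREWALL_SELF, "ssh", "allow", "CR-101 admin access", admin_access=True),
    Rule(2, "any", FIREWALL_SELF, "any", "deny", "lockdown rule"),
    Rule(3, "dmz-web", "db-net", "tcp/5432", "allow", "CR-117 web tier to DB"),
    Rule(4, "any", "any", "any", "allow"),   # undocumented catch-all
]

if __name__ == "__main__":
    for finding in review_rule_base(SAMPLE_RULES):
        print(finding)
```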

  • 5.  RE: Firewall Audit Programme

    Posted 18 Mar, 2020 05:14
    @Vikram Raghuveer

    Thanks a lot

    Veronica Rose, CISA
    Information Systems Auditor

  • 6.  RE: Firewall Audit Programme

    Posted 18 Mar, 2020 08:12
    Vikram has shared a comprehensive list which looks nice.

    Just adding as much as I can recollect (as this is an NGFW):
    Check if all ingress traffic has IPS enabled, or if they have a separate IPS. Check if UTM is enabled and to what extent: does it contain AV, URL and content filtering? Do they have DLP-enabled rules?
    Botnet protection rules, if any?

    If logs are enabled for all of the above
    Retention of those logs
    Access level for relevant authorities
    MAC sticky, FIPS, strict source checking
    NTP is configured
    Telnet and HTTP are disabled for admin access
    If there are red zones, what ports and sources are allowed
    Is there any analyzer configured?
    SIEM integration
    How many VPNs are configured, and what is the source of VPN authentication
    What is the password policy in any case, local or RADIUS? Is it aligned to the corporate infosec policy?
    Keep-alive time of zones/rules
    If they have industrial products, do they have a subscription for protection?

  • 7.  RE: Firewall Audit Programme

    Posted 19 Apr, 2020 16:26
    Hello Rose,

    Adding to the list:

    • Information Flow Diagramming
    • Converting Requirements to ACLs - ACL Audit understanding needed. (
    • Understanding Firewall Design - additional knowledge requirements for edge routers and PCI-DSS infrastructure..
    • Network Architecture Validation - understanding required
    • Rules Review & Analysis - understanding required.
    • Technical Validation of the Firewall Rules - test example and experience required.
    • Sunrise and sunset (decommissioning routers, process knowledge required)
    • Firmware upgrades, if auto, note how to upgrade: 1) Log into the web-based manager as the admin administrative user. 2) Go to System > Dashboard > Status and locate the System Information widget. 3) Beside Firmware Version, select Update.
    • Configuration management tool (
    • Software license compliance - how to ascertain - add to the list, link to purchase order/accounts payable payment.
    The list can be overwhelming, but if you logically arrange the sequence, you will gain a lot of knowledge and understanding in the process.

    Thanks and regards,

    Suresh "Sam" Chhabria, MCOM, MBB, TQM, SOX, TOGAG, VCA, CISA
    Technology Auditor
    Governance Advisor