
Firewall Security Audit for a Logistics Company

Firewall Audit for a logistics client. Real engagement by an ISO/IEC 27001:2022 certified team with measurable outcomes.

Case study with an industry-standard methodology and a real client outcome.

Key metrics:

  • 14 rule-set issues found
  • 100% of critical findings fixed
  • 1 week audit duration
  • 43% of rules removed

At a Glance

  • Industry: Logistics & Supply Chain
  • Engagement type: Firewall Configuration Audit
  • Tech stack: Palo Alto Networks (NGFW) at HQ, FortiGate at warehouse sites, Cisco ASA at port operations, Site-to-site VPN mesh, AWS Direct Connect
  • Outcome: All critical and high-severity findings remediated and re-tested with no critical issues remaining at close.
  • Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials.

Compliance Frameworks Satisfied

ISO 27001:2022, NIST SP 800-115, CIS Network Devices, PCI DSS, DPDP Act, TMSA (Maritime)

Client Overview

Industry: Logistics & Supply Chain

Product: Multi-site enterprise logistics network with port and warehouse operations

Tech stack: Palo Alto Networks (NGFW) at HQ, FortiGate at warehouse sites, Cisco ASA at port operations, Site-to-site VPN mesh, AWS Direct Connect

The client is a mid-size Indian logistics enterprise operating 6 warehouses, 2 port operations and corporate HQ with 1,200+ employees. Their firewall infrastructure had grown over 7 years with limited rule hygiene.

Challenge

Three factors drove the urgency of this engagement:

  • Rule set bloat. The HQ firewall had 800+ rules accumulated over 7 years with no documented owners or expiry dates
  • Multi-vendor complexity. Palo Alto, FortiGate and Cisco ASA created policy inconsistencies and gaps between sites
  • Audit-readiness requirement. An ISO 27001 surveillance audit highlighted firewall management as an area requiring remediation

Our Approach

Codesecure delivered a structured engagement combining automated coverage with deep manual testing focused on the specific risk areas for this client.

  1. Day 1-2: Scoping & NDA
  2. Day 3-4: Threat Model
  3. Day 5-12: Active Testing
  4. Day 13-14: Reporting
  5. +30 Days: Free Retest

Scope of Testing

The engagement covered the following primary areas:

  • Configuration export and analysis across all 9 firewall devices
  • Rule set hygiene review identifying overly permissive, shadowed and redundant rules
  • NAT policy and routing-table consistency review
  • Security profile, IPS signature and SSL inspection configuration audit
  • Logging, SIEM forwarding and retention review
  • High availability and failover configuration validation
  • Firmware vulnerability assessment with vendor patch recommendations

Tooling Used

Tufin, custom Python tooling, Palo Alto API, FortiAnalyzer, CIS-CAT, Nmap, Wireshark, manual config review

Reporting & Walkthrough

Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and developer-actionable remediation guidance. Live walkthrough with the client team covered every critical finding with reproduction and recommended fix path.


Results

Critical Findings

  • Any-to-any rule in HQ firewall allowing all VLANs full access to the corporate network, completely bypassing segmentation intent
  • Vendor remote access rule with 0.0.0.0/0 source enabling any internet IP to reach internal SCADA management interfaces
  • RDP exposed to internet on port 3389 from a 'temporary' rule from 2019 that was never removed

High & Medium Severity

  • 27% of rules with no identifiable business owner
  • 14% of rules shadowed by earlier rules and never matched
  • SSL inspection disabled on outbound HTTPS
  • IPS signatures 18 months out of date
  • Weak management-plane MFA on 2 firewalls
  • No firmware patches applied in 14 months, exposing 8 CVEs
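The critical and high/medium rule-set findings above, as an added example that is not the engagement's tooling or the client's configuration: a small Python checker over a constructed first-match rule set that flags any-to-any allows, internet-wide (0.0.0.0/0) sources reaching internal hosts, temporary rules past their expiry, rules with no owner, and rules shadowed by an earlier rule. Rule names, addresses, the internal range and the audit date are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample rule set (not the client's configuration); first-match semantics.
RULES = [
    {"name": "allow-dns", "src": "10.0.0.0/8", "dst": "10.1.1.53/32", "svc": "udp/53", "action": "allow", "owner": "netops", "expires": None},
    {"name": "temp-rdp-2019", "src": "0.0.0.0/0", "dst": "10.2.0.15/32", "svc": "tcp/3389", "action": "allow", "owner": None, "expires": date(2019, 3, 1)},
    {"name": "vendor-scada", "src": "0.0.0.0/0", "dst": "10.9.0.0/24", "svc": "tcp/443", "action": "allow", "owner": "ot-team", "expires": None},
    {"name": "any-any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "svc": "any", "action": "allow", "owner": None, "expires": None},
    {"name": "hq-to-wh", "src": "10.0.0.0/16", "dst": "10.5.0.0/16", "svc": "tcp/445", "action": "allow", "owner": "it", "expires": None},
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


def covers(outer, inner):
    """True when rule `outer` matches every packet that rule `inner` matches."""
    return (ipaddress.ip_network(inner["src"]).subnet_of(ipaddress.ip_network(outer["src"]))
            and ipaddress.ip_network(inner["dst"]).subnet_of(ipaddress.ip_network(outer["dst"]))
            and outer["svc"] in ("any", inner["svc"]))


def audit(rules, today=date(2025, 1, 1)):
    """Return (severity, rule name, reason) tuples for hygiene problems in a first-match rule list."""
    findings = []
    for i, r in enumerate(rules):
        src, dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
        if r["action"] == "allow" and src.prefixlen == 0 and dst.prefixlen == 0 and r["svc"] == "any":
            findings.append(("critical", r["name"], "any-to-any allow bypasses segmentation"))
        elif r["action"] == "allow" and src.prefixlen == 0 and dst.subnet_of(INTERNAL):
            findings.append(("critical", r["name"], "internet-wide source reaches internal host"))
        if r["expires"] and r["expires"] < today:
            findings.append(("high", r["name"], "temporary rule past expiry"))
        if r["owner"] is None:
            findings.append(("medium", r["name"], "no business owner"))
        # A rule fully covered by an earlier rule can never match and is dead weight.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(("medium", r["name"], f"shadowed by '{earlier['name']}'"))
                break
    return findings


if __name__ == "__main__":
    for sev, name, reason in audit(RULES):
        print(f"{sev:8} {name:16} {reason}")
```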

Before vs. After

Before Engagement

  • Any-to-any rule bypassing all segmentation
  • Vendor remote access from 0.0.0.0/0
  • Internet-exposed RDP from 2019
  • 800+ rules with no documented owners
  • IPS signatures 18 months stale
  • SSL inspection disabled

After Remediation

  • Strict segmentation with explicit deny-by-default
  • Vendor access restricted to known IPs + MFA
  • RDP behind VPN with conditional access
  • 460 rules retained with owner documentation
  • IPS signatures current, daily updates
  • SSL inspection enabled with privacy exclusions

"We had a firewall rule from 2019 letting RDP through to a server that no longer existed. The server was decommissioned but the rule remained, pointing at an IP that was now reassigned. Codesecure's audit caught it. That alone justified the engagement."

Anonymous, IT Director, Indian logistics enterprise

Key Lessons

What Other Teams Can Take Away

  • Firewall rule sets bloat organically. Quarterly review removes 20-40% of rules with no negative impact. Annual review at minimum.
  • Temporary rules become permanent. Every temporary rule needs an automatic expiry date and ownership audit trail.
  • Multi-vendor environments need unified policy. Tufin, AlgoSec or FireMon provide cross-vendor visibility worth the investment at scale.
  • Firmware patching matters. Firewall vendors release CVE patches regularly; a 14-month-old firewall has known exploitable vulnerabilities.

Conclusion

Firewall rule hygiene is unglamorous and consistently undervalued. A 7-year-old enterprise firewall with 800+ rules typically harbors at least one any-to-any rule, several exposed services from forgotten temporary entries and dozens of redundant or shadowed rules. Each represents an attack path that segmentation was supposed to prevent.

For Indian enterprises with multi-site, multi-vendor firewall infrastructure, annual firewall audit is now an ISO 27001 and PCI DSS expectation. Codesecure delivers structured firewall audits across Palo Alto, Fortinet, Cisco and Check Point with named consultants and a hardened ruleset recommendation.
