
7 Firewall Configuration Mistakes That Leave Chicago Businesses Exposed

8 min read

A misconfigured firewall can be more dangerous than no firewall at all. Not because it blocks less traffic, but because it creates the false confidence that the perimeter is defended while nobody verifies what it actually permits. Organizations that assume their firewall is doing its job without ever having the configuration reviewed are operating on an assumption that may not hold. These are the seven most common firewall configuration mistakes we find in network security assessments.

Mistake 1: Default Credentials Not Changed

Many firewall appliances ship with default administrator credentials ("admin/admin", "admin/password" or similar), and those defaults are published in the vendor documentation. If they are not changed during initial setup, anyone who can identify the make and model of your firewall (often discoverable by scanning the management interface or reading its login banner) can log in as an administrator. This sounds elementary, but it is surprisingly common, particularly on devices installed by integrators who prioritized getting the device operational over hardening it. The fix is straightforward: change the administrator credentials during initial setup, use a strong unique password, disable or rename any other built-in accounts the platform allows you to, and store the credentials in a password manager rather than a shared document.

Mistake 2: Overly Permissive Outbound Rules

Most firewall attention focuses on inbound traffic, meaning what is allowed to reach your internal network from the internet. Outbound rules are often left at "allow all", which means that malware on an infected internal system can communicate freely with attacker-controlled servers to exfiltrate data, download additional payloads, or receive command-and-control instructions. Outbound filtering means default-deny egress with explicit allows for the protocols and destinations the business actually needs (DNS to your own resolvers, web traffic through a proxy, mail to your mail relay), blocking known malicious destinations, and logging the outbound connections that fall outside the policy. It is one of the few perimeter controls that still does useful work after an endpoint has been compromised, and it is frequently missing.

Mistake 3: Unrestricted Administrative Ports Exposed to the Internet

RDP (TCP 3389), SSH (TCP 22), Telnet (TCP 23), and the firewall's own management interface exposed directly to the internet are among the most commonly exploited attack surfaces we see in network security assessments. Attackers use automated scanning to find these exposed services and then use brute-force attacks, credential stuffing, or exploitation of unpatched vulnerabilities to gain access. The fix: restrict all administrative access to VPN-connected sessions, or limit it by source IP to a small set of known management systems, and require multi-factor authentication on the management interface. Telnet sends credentials in cleartext and should be disabled outright. Nothing administrative should be reachable directly from the internet.

Mistake 4: Rule Sets That Have Never Been Reviewed

Firewall rule sets accumulate over time. Rules are added for specific purposes (a vendor needs access, a remote office is connected, a new application requires a port to be opened) but are rarely removed when the purpose ends. Over time, the rule set grows into a mix of current, outdated, redundant, and forgotten rules, and the forgotten ones create exposure that nobody is tracking. A rule set that has not been reviewed in the past 12 to 18 months almost certainly contains rules that should be removed. Most platforms keep per-rule hit counters and last-match timestamps: a rule with zero hits over a full business cycle is the first candidate for removal, and a rule that can never match because an earlier rule already covers its traffic (a shadowed rule) is the second. The remediation is a structured rule review and rationalization: identify the owner and purpose of each rule, remove those without a current justification, and document the rationale for the ones that remain so the next review is faster.
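The rule-set problems described in mistakes 2, 3 and 4 can be found mechanically once the rule base is exported. The following is an added example, not code from the original article or from any firewall vendor: it reads a simplified CSV export (the column layout and names are an assumption for illustration; real platforms each export their own format) and flags allow-all egress, administrative ports open to any source, and rules with no recent matches.

```python
"""Audit a firewall rule export for the problems in mistakes 2 to 4:
allow-all egress, administrative ports reachable from any source, and
stale rules that have not matched traffic in months.

Added example; the CSV layout and column names are an assumption, not
any vendor's real export format."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data). Columns are assumed for the example.
SAMPLE_EXPORT = """name,action,direction,src,dst,proto,port,hits,last_hit
allow-web-in,allow,inbound,any,203.0.113.10,tcp,443,918233,2024-05-30
rdp-for-vendor,allow,inbound,any,10.0.0.25,tcp,3389,412,2024-05-29
old-ftp,allow,inbound,any,10.0.0.40,tcp,21,0,2022-01-14
egress-all,allow,outbound,10.0.0.0/24,any,any,any,5521900,2024-05-30
mgmt-ssh,allow,inbound,198.51.100.7,10.0.0.1,tcp,22,77,2024-05-28
default-deny,deny,inbound,any,any,any,any,22000,2024-05-30
"""

# Ports that should never be reachable from an arbitrary source (mistake 3).
ADMIN_PORTS = {"22": "SSH", "23": "Telnet", "3389": "RDP", "5900": "VNC"}
# A rule with no matches for this long is a removal candidate (mistake 4).
STALE_AFTER = timedelta(days=90)


def parse_rules(export_text):
    """Read the CSV export into a list of dicts, one per rule."""
    return list(csv.DictReader(io.StringIO(export_text)))


def audit_rules(rules, today):
    """Return (rule_name, finding_type, detail) tuples for every allow rule
    that matches one of the three patterns. Deny rules are skipped: a broad
    deny is the desired default, not a problem."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        # Mistake 2: outbound rule with no destination or port restriction.
        if r["direction"] == "outbound" and r["dst"] == "any" and r["port"] == "any":
            findings.append((r["name"], "permissive-egress",
                             "outbound allow-all; restrict to required destinations and ports"))
        # Mistake 3: inbound administrative port open to any source.
        if r["direction"] == "inbound" and r["src"] == "any" and r["port"] in ADMIN_PORTS:
            findings.append((r["name"], "admin-exposed",
                             f"{ADMIN_PORTS[r['port']]} reachable from any source; "
                             "require VPN or restrict to management IPs"))
        # Mistake 4: rule that has never matched or has not matched recently.
        last_hit = date.fromisoformat(r["last_hit"])
        if int(r["hits"]) == 0 or today - last_hit > STALE_AFTER:
            findings.append((r["name"], "stale",
                             f"no matches since {last_hit}; confirm a current business need or remove"))
    return findings


def run_audit(export_text=SAMPLE_EXPORT, today_iso="2024-05-31"):
    """Convenience entry point: audit an export as of a given date."""
    return audit_rules(parse_rules(export_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, kind, detail in run_audit():
        print(f"{kind:18} {name:16} {detail}")
```

Against the constructed export this reports three findings: the vendor RDP rule open to any source, the FTP rule with zero hits, and the allow-all egress rule. The `mgmt-ssh` rule is not flagged because its source is a single management address, which is the pattern mistake 3 recommends. Adjust `STALE_AFTER` to your own review cycle; 90 days is a starting point, not a standard.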

Mistake 5: Logging Not Configured or Not Reviewed

A firewall that does not log its traffic produces no visibility into what is happening at the network boundary. A firewall that logs but whose logs are never reviewed produces a false sense of security: you have the data, but no one is watching it. Logging needs to capture the events that matter (blocked connection attempts, allowed traffic on high-risk ports, administrator authentication events, configuration changes), be forwarded to a central log server or SIEM so that an attacker who compromises the firewall cannot erase the record, and be reviewed on a regular basis, either manually or through a security monitoring service that watches for anomalous patterns.
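What "reviewing the logs" looks like in practice is a small amount of logic run over the events listed above. The following is an added example, not code from the original article or from any vendor: it parses a constructed excerpt in a simplified key=value format (an assumption for illustration; each appliance has its own log format and the regular expression would change) and raises alerts for repeated denied connections to administrative ports, an internal host reaching a port the egress policy forbids, failed administrator logins, and configuration changes.

```python
"""Review firewall log lines for the events called out in mistake 5.

Added example; the key=value log format, field names and thresholds are
assumptions for illustration, not a real appliance's format."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-31T02:14:07Z fw01 DENY in=wan src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=3389
2024-05-31T02:14:09Z fw01 DENY in=wan src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=3389
2024-05-31T02:14:11Z fw01 DENY in=wan src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=3389
2024-05-31T02:14:14Z fw01 DENY in=wan src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=3389
2024-05-31T02:14:16Z fw01 DENY in=wan src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=3389
2024-05-31T02:14:19Z fw01 DENY in=wan src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=3389
2024-05-31T02:20:33Z fw01 DENY in=wan src=192.0.2.9 dst=203.0.113.10 proto=tcp dport=22
2024-05-31T02:31:02Z fw01 ALLOW in=lan src=10.0.0.57 dst=198.51.100.88 proto=tcp dport=4444
2024-05-31T02:31:05Z fw01 ALLOW in=lan src=10.0.0.12 dst=93.184.216.34 proto=tcp dport=443
2024-05-31T02:45:10Z fw01 AUTH user=admin src=203.0.113.77 result=failure
2024-05-31T02:45:14Z fw01 AUTH user=admin src=203.0.113.77 result=failure
2024-05-31T02:45:19Z fw01 AUTH user=admin src=203.0.113.77 result=failure
2024-05-31T03:00:01Z fw01 CONFIG user=admin src=10.0.0.5 change="rule egress-all added"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z]+) (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

ADMIN_PORTS = {"22", "23", "3389"}
# Assumption: the egress policy says no internal host should reach these ports.
HIGH_RISK_EGRESS_PORTS = {"4444", "1337", "6667"}
BRUTE_FORCE_THRESHOLD = 5          # denied attempts to one admin port ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window
AUTH_FAILURE_THRESHOLD = 3


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
           "event": m["event"]}
    for key, value in KV_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    return rec


def review_log(log_text):
    """Return (alert_type, source, detail) tuples for events worth a human look."""
    alerts = []
    admin_denies = defaultdict(list)   # (src, dport) -> timestamps of denied attempts
    auth_failures = Counter()          # src -> failed management logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ev = rec["event"]
        if ev == "DENY" and rec.get("dport") in ADMIN_PORTS:
            admin_denies[(rec["src"], rec["dport"])].append(rec["ts"])
        elif ev == "ALLOW" and rec.get("in") == "lan" and rec.get("dport") in HIGH_RISK_EGRESS_PORTS:
            alerts.append(("suspicious-egress", rec["src"],
                           f"internal host connected to {rec['dst']}:{rec['dport']}"))
        elif ev == "AUTH" and rec.get("result") == "failure":
            auth_failures[rec["src"]] += 1
        elif ev == "CONFIG":
            alerts.append(("config-change", rec.get("user"), rec.get("change")))
    # Sliding window over denied attempts per (source, port) pair.
    for (src, port), stamps in admin_denies.items():
        stamps.sort()
        for i in range(len(stamps) - BRUTE_FORCE_THRESHOLD + 1):
            if stamps[i + BRUTE_FORCE_THRESHOLD - 1] - stamps[i] <= BRUTE_FORCE_WINDOW:
                alerts.append(("admin-port-probing", src,
                               f"{len(stamps)} denied attempts to port {port}, "
                               f"{BRUTE_FORCE_THRESHOLD} of them within {BRUTE_FORCE_WINDOW}"))
                break
    for src, n in auth_failures.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            alerts.append(("management-auth-failures", src, f"{n} failed administrator logins"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in review_log(SAMPLE_LOG):
        print(f"{kind:26} {src:16} {detail}")
```

On the constructed excerpt this raises four alerts: the RDP probing from 198.51.100.23, the internal host on 10.0.0.57 connecting out on port 4444, three failed administrator logins from 203.0.113.77, and the configuration change that added an `egress-all` rule. The single denied SSH attempt from 192.0.2.9 is recorded but not alerted on, which is the point of the threshold: one blocked packet is background noise, a burst against an administrative port is not. The thresholds are starting values to tune against your own traffic, not fixed standards.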

Mistake 6: Firmware Not Updated

Firewall vendors regularly release firmware updates that fix security vulnerabilities, some of them critical and some already being exploited by the time the patch ships. A firewall running outdated firmware may be open to attacks that require no credentials at all. The 2021 exploitation of Pulse Connect Secure and Fortinet SSL-VPN vulnerabilities by ransomware operators and state-sponsored actors showed what happens when organizations do not patch the devices at their network edge. Establish a process for monitoring your vendor's security advisories, test and apply firmware updates within a defined window, and back up the configuration before each upgrade so that a failed update does not become an outage.

Mistake 7: No Separation Between Trusted and Untrusted Network Zones

A flat network, where all devices share the same segment and can communicate freely, means that a single compromised device can reach everything else. Firewalls should enforce zone separation: servers in a server zone with restricted access; workstations in a user zone; IoT and guest devices on their own segment; any regulated data (ePHI, cardholder data) in an appropriately isolated zone. Traffic between zones should be default-deny, with explicit rules only for the flows that are required (workstations to specific server ports, nothing from the guest or IoT segments into the user or server zones). This is network segmentation, and it limits the blast radius of a breach by preventing a compromised endpoint from becoming a pivot point into the entire environment.

How to Know Which of These Apply to You

A firewall configuration review is typically part of a network security assessment. If your organization has not had an independent configuration review, you may not know which of these mistakes apply to your specific environment — and assumptions about firewall effectiveness are not a substitute for verification.

Request a network security assessment that includes a firewall configuration review to get an accurate picture of your current perimeter security posture.

Protecting Networks. Securing Futures.

Ready to build a security program for your organization? Start with a free security assessment.

Experiencing an active incident? Call (312) 998-2114