What is a Next-Generation Firewall and how is it different from a traditional firewall?

A traditional firewall makes allow/deny decisions based on IP addresses, port numbers, and protocols. A Next-Generation Firewall (NGFW) performs deep packet inspection to identify the actual application generating traffic — regardless of what port it uses — and applies policies based on application identity, user identity, and content. NGFWs also include integrated Intrusion Prevention Systems, URL filtering, SSL inspection, and application-layer threat prevention. The result is significantly more granular control and far greater visibility into what is actually traversing your network.

How often should firewall rules be reviewed?

Best practice (and PCI-DSS Requirement 1.1.7) mandates at least a quarterly review of firewall rulesets. However, most organisations only review rules when something breaks — which means rules accumulate unchecked for years. Our managed firewall service includes quarterly rule reviews as a standard deliverable, plus ad-hoc reviews triggered by significant changes to your network architecture or business operations. Every rule in your ruleset should have a documented business justification; any rule that cannot be justified should be removed.

Can you manage our firewall remotely or do you need on-site access?

The majority of firewall management is performed remotely over encrypted management connections. We establish a secure management channel to your firewall management interface (typically HTTPS to the management plane over a dedicated management VLAN or out-of-band management IP) and manage all configuration changes, rule updates, firmware upgrades, and monitoring remotely. For initial deployment and cabling of physical firewall appliances, on-site visits are required. On-site visits for ongoing management are available where preferred.

What is firewall rule creep and why is it dangerous?

Firewall rule creep occurs when firewall rulesets grow over time as new rules are added for specific business needs but old, redundant rules are never removed. After a few years, rulesets become bloated with rules for applications that no longer exist, subnets that have been decommissioned, and users who have left the organisation. This creates security risk (overly permissive rules left in place), performance overhead (the firewall processes more rules per packet), and compliance risk (rules without documented justification fail PCI-DSS audits). Our quarterly rule review process systematically identifies and removes these rules.

Do you support firewall high availability (HA) configurations?

Yes — HA configuration is our recommended deployment for any business-critical environment. We deploy NGFW in active-passive HA pairs where one firewall handles all traffic while a second unit stays in synchronised standby, taking over automatically within seconds if the primary unit fails. For environments requiring zero tolerance for failover latency, active-active HA configurations can distribute traffic across both units simultaneously. We monitor HA pair health continuously and alert immediately if a failover event occurs so root cause investigation begins without delay.

What should we do if our firewall is breached or we suspect a compromise?

Contact us immediately. A compromised firewall is a critical security incident and requires immediate response. Our incident response process for suspected firewall compromise includes: isolating the management plane from the internet, capturing current configuration and logs for forensic analysis, reviewing recent configuration changes for unauthorized modifications, checking for persistence mechanisms (unauthorized admin accounts, scheduled tasks), and failover to a backup appliance while the potentially compromised unit is forensically examined. We recommend changing all administrative credentials and auditing all VPN accounts as immediate containment steps.

Firewall Management

NGFW & Firewall Management — Your First Line of Cyber Defence.

A firewall is only as strong as its configuration and the team managing it. Poorly configured firewalls with bloated rulesets, outdated firmware, and misconfigured VPN gateways are regularly exploited by attackers — often years after the original misconfiguration. Infraspine's firewall management service keeps your perimeter security properly configured, continuously monitored, and compliant with industry standards, with a <5-minute policy change SLA and zero-breach track record under management.

99.99%

Uptime SLA

<5min

Policy Change SLA

Zero

Breaches Under Mgmt

24/7

Rule Monitoring

Get Expert Firewall Management Free Rule Review

The Business Case

A Firewall You Set and Forget Is a Firewall Waiting to Fail

Firewall deployments typically receive significant attention at initial deployment and then comparatively little ongoing management. Rule sets grow as new applications and users are added but rarely get cleaned up. Firmware updates are delayed because of change management concerns and never quite make it onto the schedule. VPN configurations remain with default settings that vendor advisories have since flagged as insecure. Over time, what was a well-configured firewall becomes a poorly understood security liability.

NGFW technology raises both the ceiling and the floor. Modern NGFWs from Fortinet, Palo Alto, and Check Point can perform application-aware inspection, SSL decryption, user-identity-based policy enforcement, and integrated threat prevention — capabilities that traditional firewalls simply do not have. But they require expert configuration to deliver this value. A misconfigured NGFW with default application control policies and disabled SSL inspection is providing almost no additional security over a basic ACL.

Policy management is where ongoing value is created. Every change request — a new application, a new branch, a new remote access requirement — needs to be evaluated for security impact before being implemented, documented in the change log, and reviewed quarterly for continued necessity. This discipline, applied consistently, is what separates organisations that use their firewall as a genuine security control from those that use it as a network traffic director with aspirational security labels.

NGFW capabilities properly enabled — not just deployed at defaults

Quarterly rule reviews eliminate dangerous firewall rule creep

VPN vulnerabilities patched within hours of vendor advisory

Full PCI-DSS Requirement 1 compliance documentation maintained

NGFW vs Traditional Firewall

Feature

Traditional

NGFW

Packet filtering by IP/Port

✓

Application identification

✗

✓

User-identity-based policy

✗

✓

SSL/TLS inspection

✗

✓

Integrated IPS/IDS

✗

✓

URL / web filtering

✗

✓

Advanced threat prevention

✗

✓

Encrypted traffic analysis

✗

✓

Management Capabilities

Comprehensive Firewall Management

From initial NGFW deployment through ongoing policy management, IPS tuning, VPN, and compliance reporting.

NGFW Deployment & Configuration

Next-Generation Firewalls are fundamentally different from traditional packet-filtering firewalls. Where traditional firewalls inspect IP addresses and port numbers, NGFWs perform deep packet inspection, identify applications regardless of port, enforce user-identity-based policies, decrypt and inspect encrypted traffic, and apply machine-learning-based threat prevention inline. Our team designs and deploys NGFW architectures for your environment — whether single-site, multi-site, data centre, or hybrid cloud — with high-availability configurations to eliminate single points of failure.

NGFW architecture design for single-site, multi-site, and hybrid cloud
High-availability (HA) active-passive and active-active deployment
Application-aware policy development from day one
SSL/TLS inspection configuration for encrypted traffic visibility

Firewall Rule Review & Optimisation

Firewall rule sets grow over time and almost never shrink. After three years of operation, a typical firewall ruleset contains a significant proportion of rules that are redundant, overly permissive, or shadowed by other rules above them — a phenomenon known as firewall rule creep. Our rule review service analyses your entire ruleset, identifies unused rules (rules that have never matched traffic), overly broad rules (any-to-any permissions that should be restricted), and rule ordering inefficiencies that create security gaps or performance overhead.

Complete ruleset analysis for unused and redundant rules
Overly permissive rule identification (any-any, broad CIDR ranges)
Rule ordering optimisation for performance and security logic
Documented rule justification register for every remaining rule

IPS/IDS Management

Intrusion Prevention Systems and Intrusion Detection Systems add a critical layer of threat detection beyond basic firewall policy. Our IPS/IDS management service handles signature subscription management (ensuring you are always running current threat signatures), tuning of detection sensitivity to reduce false positives while maintaining detection coverage, and alerting integration with our NOC so every IPS alert receives human review. We operate IPS in blocking mode by default where network architecture permits, providing active threat prevention rather than passive detection.

IPS signature subscription management and regular updates
False positive tuning to reduce alert noise without lowering coverage
Blocking mode operation for confirmed malicious traffic signatures
NOC integration for 24/7 human review of IPS alerts

VPN & Remote Access Management

Remote access has become a permanent fixture for most organisations, and VPN security has never been more critical. Vulnerable VPN gateways are consistently among the top initial access vectors exploited by ransomware groups. We manage your VPN infrastructure from initial configuration through ongoing policy management, certificate lifecycle, user provisioning and deprovisioning, split-tunnel vs full-tunnel policy, and MFA enforcement. Site-to-site VPN tunnels connecting branch offices or cloud environments are managed with the same rigour as remote access deployments.

SSL VPN and IPSec remote access configuration and management
MFA enforcement for all remote access connections
Certificate lifecycle management with automated expiry alerting
Site-to-site VPN for branch office and cloud connectivity

Web Filtering & Application Control

Controlling which websites and applications your users can access from the corporate network is both a security control and a productivity management function. Our web filtering management covers URL category-based filtering (blocking malware distribution sites, phishing pages, and inappropriate content categories), application control policies (restricting or logging specific application usage), and SSL inspection to ensure encrypted traffic does not bypass your content policies. Policy exceptions are managed through a formal request process with business justification and time-limited approval.

URL category filtering with malware and phishing site blocking
Application-layer control for over 5,000 identified applications
SSL/TLS inspection for encrypted web traffic policy enforcement
Exception management with business justification workflow

Compliance & Audit Reporting

Firewall configurations and rule sets are frequently subject to compliance audit requirements. PCI-DSS Requirement 1 dedicates extensive controls to firewall management including quarterly rule reviews, justification documentation for all rules, and separation of duties. Our compliance reporting service provides the evidence auditors need: timestamped rule change logs, quarterly rule review documentation, firewall configuration baselines, and traffic analysis showing that network segmentation controls are functioning as designed.

PCI-DSS Requirement 1 compliance evidence package
Quarterly rule review documentation with formal sign-off
Change management log for all policy modifications
Network segmentation validation through traffic analysis reporting

Firewall Vendors We Manage

Fortinet FortiGatePalo Alto Networks NGFWCisco FirepowerCheck Point NGFWpfSense / OPNsenseSonicWallJuniper SRXBarracuda CloudGenWatchGuard Firebox

FAQs

Firewall Management Questions Answered

Common questions from organisations evaluating managed firewall services.

Let's Work Together

Get Expert Firewall Management

Stop leaving your perimeter security on autopilot. Get properly configured, continuously monitored, and compliance-ready firewall management.

Get Started Call Us Now

No obligation consultation

Response within 2 hours

10+ years enterprise experience

Related Services

More Cybersecurity Services

SOC as a Service Penetration Testing VAPT Vulnerability Assessment Endpoint Protection & EDR Email Security Incident Response Data Loss Prevention Data Encryption Cloud Security Security Alerts & SIEM IT Security Auditing ISO 27001 Consulting PCI-DSS Assessments Cyber Essentials NHS DSPT Assessment DPO as a Service Business Continuity

View all Cybersecurity services