
What Are the Most Common Firewall Configuration Mistakes That Leave Businesses Exposed?

Learn the most common firewall misconfigurations that put businesses at risk, from default credentials to overly permissive rules, and how to fix them.

By COMNEXIA

A firewall is only as strong as its configuration. According to Gartner, through 2025 an estimated 99% of firewall breaches were caused by misconfigurations rather than flaws in the firewall itself. That statistic hasn’t improved much since — and for small and mid-sized businesses running lean IT teams, the risk is even greater.

At COMNEXIA, we’ve spent over 35 years managing network security for businesses across metro Atlanta and beyond. In that time, we’ve audited hundreds of firewalls and seen the same preventable mistakes come up again and again. This article walks through the most common firewall configuration errors, explains why they’re dangerous, and offers practical guidance on how to fix them.

What Are the Most Common Firewall Misconfigurations?

The most common firewall misconfigurations include leaving default credentials in place, creating overly permissive access rules, disabling or ignoring logging, neglecting firmware updates, and failing to segment internal networks. Any one of these can give an attacker a clear path into your environment.

What makes these mistakes so persistent is that they’re often invisible. A misconfigured firewall doesn’t throw errors or crash — it just quietly allows traffic that should be blocked. Most businesses don’t discover the problem until after a breach.

Why Do Default Credentials Create Such a Serious Risk?

Default credentials are the single easiest attack vector on any firewall. Every firewall ships with a factory-set username and password — often something like “admin/admin” or “admin/password” — and these defaults are published in vendor documentation that anyone can find online.

Attackers routinely scan the internet for devices still running default credentials. Search engines like Shodan index exposed management interfaces, and botnets specifically try known default login combinations. If your firewall’s admin panel is reachable from the internet with factory credentials, it’s essentially unlocked.

How to fix it:

  • Change the default admin password immediately during initial setup
  • Use a complex, unique password (minimum 16 characters with mixed character types)
  • Create individual admin accounts for each person who manages the firewall — never share a single login
  • Restrict management interface access to specific internal IP addresses or a dedicated management VLAN
  • Enable multi-factor authentication (MFA) on the admin interface if your firewall supports it

What Does “Overly Permissive” Mean in Firewall Rules?

An overly permissive firewall rule is one that allows more traffic than necessary. The most common example is an “allow any-any” rule — a rule that permits all traffic from any source to any destination on any port. These rules effectively turn your firewall into an expensive router.

Overly permissive rules often start as temporary fixes. A technician can’t figure out why an application isn’t connecting, so they open everything to get it working, planning to tighten it later. That “later” rarely comes. Over time, these broad rules accumulate, and the firewall’s security posture erodes.

Signs your rules are too permissive:

  • Rules that allow “any” as the source, destination, or service
  • Rules with no comments or documentation explaining their purpose
  • Rules that haven’t been reviewed or modified in over a year
  • Hundreds of rules with no clear organizational structure

How to fix it:

  • Follow the principle of least privilege: only allow the specific traffic that’s required
  • Document every rule with who requested it, why, and when it should be reviewed
  • Conduct quarterly rule audits to remove outdated or unnecessary entries
  • Use application-aware rules when available (next-generation firewalls can filter by application, not just port)
  • Place deny rules explicitly rather than relying solely on a default-deny at the bottom
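The warning signs above can be checked mechanically. The following is an added example, not code from the original article or from any firewall vendor: it runs the three checks the article names (an “any” source, destination or service; no comment; not reviewed in over a year) over a constructed, vendor-neutral rule set. The `Rule` fields and sample rules are assumptions for illustration; a real audit would load them from a firewall configuration export.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 365            # the article's "not reviewed in over a year" threshold
AUDIT_DATE = date(2024, 6, 1)     # constructed "today" for the sample audit

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str
    comment: str = ""
    last_reviewed: date | None = None

# Constructed sample rule set (not exported from any real firewall).
SAMPLE_RULES = [
    Rule("web-in", "any", "10.0.2.10", "tcp/443", "allow", "Public web server, ticket #1234", date(2024, 3, 1)),
    Rule("temp-fix", "any", "any", "any", "allow", "", date(2021, 6, 15)),
    Rule("voip-sip", "10.0.3.0/24", "10.0.2.20", "udp/5060", "allow", "VoIP phones to PBX", date(2024, 1, 10)),
    Rule("old-vendor", "203.0.113.0/24", "10.0.2.0/24", "any", "allow", "Vendor remote access", date(2022, 2, 1)),
    Rule("default-deny", "any", "any", "any", "deny", "Explicit catch-all deny", date(2024, 3, 1)),
]

def audit_rule(rule: Rule, today: date) -> list[str]:
    """Return the warning signs from the article that apply to one rule."""
    findings = []
    if rule.action == "allow":
        if rule.src == "any" and rule.dst == "any" and rule.service == "any":
            findings.append("allow any-any: effectively no filtering")
        else:
            for label, value in (("source", rule.src), ("destination", rule.dst), ("service", rule.service)):
                if value == "any":
                    findings.append(f"'any' {label}")
    if not rule.comment.strip():
        findings.append("no comment documenting purpose")
    if rule.last_reviewed is None or (today - rule.last_reviewed).days > STALE_AFTER_DAYS:
        findings.append("not reviewed in over a year")
    return findings

def audit_ruleset(rules: list[Rule], today: date) -> dict[str, list[str]]:
    """Map each rule name to its findings, omitting rules with none."""
    return {r.name: f for r in rules if (f := audit_rule(r, today))}

def audit_sample() -> dict[str, list[str]]:
    return audit_ruleset(SAMPLE_RULES, AUDIT_DATE)
```

Note that a flagged “any” source is not automatically wrong (a public web server rule legitimately accepts connections from anywhere); the point of the audit is that every such rule must be explained by its comment and reviewed on schedule.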

How Does Disabled Logging Leave You Blind to Attacks?

Firewall logging is your primary record of what traffic is entering and leaving your network. When logging is disabled or misconfigured, you lose visibility into connection attempts, blocked traffic, policy violations, and potential intrusion activity. You’re effectively flying blind.

Many businesses disable logging because of storage concerns or performance impact. Others enable logging but never actually review the logs. Both situations produce the same result: when a security incident occurs, there’s no forensic trail to determine what happened, when it started, or what was affected.

For businesses subject to compliance requirements — PCI DSS, HIPAA, the FTC Safeguards Rule, CMMC — firewall logging isn’t optional. These frameworks require log retention periods ranging from 90 days to one year, and auditors will ask for evidence.

How to fix it:

  • Enable logging on all firewall rules, especially deny rules
  • Forward logs to a centralized syslog server or SIEM (Security Information and Event Management) platform
  • Set up automated alerts for critical events: repeated login failures, connections to known malicious IPs, unusual outbound traffic spikes
  • Retain logs for at least 90 days (longer if your compliance framework requires it)
  • Schedule regular log reviews — weekly at minimum for high-risk environments
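Two of the automated alerts listed above (repeated login failures and connections to known malicious IPs) can be expressed as a few lines of detection logic once logs are being forwarded. This is an added example, not part of the original article: the syslog-style lines, the key=value format, the host name `fw01` and the denylist entry are all constructed for illustration, and a real deployment would replace the denylist with a threat-intelligence feed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style lines in a generic key=value format (not any vendor's real output).
SAMPLE_LOGS = """\
2024-06-01T09:00:01 fw01 event=admin-login result=fail user=admin src=203.0.113.5
2024-06-01T09:00:03 fw01 event=admin-login result=fail user=admin src=203.0.113.5
2024-06-01T09:00:04 fw01 event=admin-login result=fail user=root src=203.0.113.5
2024-06-01T09:00:06 fw01 event=admin-login result=fail user=admin src=203.0.113.5
2024-06-01T09:00:07 fw01 event=admin-login result=fail user=admin src=203.0.113.5
2024-06-01T09:05:00 fw01 event=admin-login result=ok user=jdoe src=10.0.1.25
2024-06-01T09:10:12 fw01 event=traffic action=allow src=10.0.1.40 dst=198.51.100.77 proto=tcp dport=443
2024-06-01T09:11:30 fw01 event=traffic action=deny src=10.0.1.40 dst=10.0.2.10 proto=tcp dport=445
"""

KNOWN_BAD_IPS = {"198.51.100.77"}   # constructed placeholder; use a real threat-intel feed
FAIL_THRESHOLD = 5                  # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window trigger an alert

def parse_line(line: str) -> dict:
    """Turn one log line into a dict of its key=value fields plus timestamp and host."""
    ts, host, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts), "host": host}
    record.update(f.split("=", 1) for f in fields)
    return record

def detect_alerts(log_text: str) -> list[tuple]:
    """Return alerts for repeated admin login failures and allowed traffic to denylisted IPs."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of failures still inside the window
    already_alerted = set()
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["event"] == "admin-login" and r["result"] == "fail":
            q = failures[r["src"]]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > FAIL_WINDOW:   # expire failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and r["src"] not in already_alerted:
                alerts.append(("repeated-login-failures", r["src"], len(q)))
                already_alerted.add(r["src"])
        elif r["event"] == "traffic" and r["action"] == "allow" and r["dst"] in KNOWN_BAD_IPS:
            alerts.append(("connection-to-known-bad-ip", r["src"], r["dst"]))
    return alerts
```

The denied SMB attempt on the last line produces no alert here, but it is exactly the kind of entry that only exists if logging is enabled on deny rules.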

Why Is Neglecting Firmware Updates So Dangerous?

Firewall vendors regularly release firmware updates that patch known vulnerabilities. When these updates aren’t applied, the firewall remains vulnerable to exploits that are publicly documented and actively targeted by attackers.

The timeline between vulnerability disclosure and active exploitation has compressed dramatically. In many cases, attackers begin scanning for vulnerable devices within hours of a CVE being published. Critical vulnerabilities in firewalls from vendors like Fortinet, Palo Alto Networks, SonicWall, and Cisco have been actively exploited in mass campaigns targeting unpatched devices.

The challenge for many businesses is that firewall firmware updates require planning. Unlike a laptop that can restart in a minute, a firewall update typically means a brief network outage. That operational disruption — even if it’s only a few minutes — makes teams postpone updates indefinitely.

How to fix it:

  • Subscribe to your firewall vendor’s security advisory mailing list
  • Schedule a monthly maintenance window specifically for firewall updates
  • Test firmware updates in a lab or staging environment when possible
  • Prioritize critical and high-severity patches — apply these within days, not months
  • If you can’t update immediately, check if the vendor has published workarounds or mitigation steps

What Happens When You Don’t Segment Your Internal Network?

Network segmentation means dividing your network into isolated zones so that a compromise in one area doesn’t automatically give an attacker access to everything. Without segmentation, a single compromised workstation can reach your servers, financial systems, VoIP infrastructure, security cameras, and every other device on the network.

Flat networks — where every device can communicate with every other device — are common in small and mid-sized businesses. They’re simpler to set up and manage, but they provide no containment when something goes wrong. Ransomware, in particular, thrives on flat networks because it can spread laterally without any barriers.

How to fix it:

  • Create separate VLANs for different functions: workstations, servers, VoIP phones, guest Wi-Fi, IoT devices
  • Use firewall rules between VLANs to control which segments can communicate
  • Isolate critical systems (domain controllers, financial applications, backup servers) in their own segments
  • Put IoT devices and security cameras on a completely separate network — these devices often have poor security and shouldn’t share a network with business systems
  • Consider microsegmentation for high-value assets in compliance-sensitive environments
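The containment argument can be made concrete by comparing what a single compromised host can reach on a flat network versus a segmented one. This is an added example, not code from the original article: the zones follow the VLAN split recommended above, and the allowed inter-VLAN flows are an assumed, constructed policy for illustration (anything not listed is denied, and traffic inside one VLAN never crosses the firewall).

```python
# Zones modelled on the VLANs the article recommends, plus the internet as a destination.
ZONES = ["workstations", "servers", "voip", "guest-wifi", "iot", "cameras", "internet"]

# Constructed inter-VLAN allow list: (from_zone, to_zone, service). Default is deny.
SEGMENTED_POLICY = {
    ("workstations", "servers", "tcp/443"),
    ("workstations", "servers", "tcp/445"),
    ("workstations", "internet", "any"),
    ("voip", "servers", "udp/5060"),      # phones to the PBX only
    ("guest-wifi", "internet", "any"),    # guests get internet and nothing internal
    ("iot", "internet", "tcp/443"),       # IoT devices phone home, nothing else
    ("cameras", "servers", "tcp/443"),    # cameras reach the recording server only
    ("servers", "internet", "tcp/443"),
}

# A flat network: every zone can reach every other zone on any service.
FLAT_POLICY = {(a, b, "any") for a in ZONES for b in ZONES if a != b}

def is_allowed(policy: set, src: str, dst: str, service: str) -> bool:
    """Firewall decision for a flow; same-zone traffic is not filtered by the firewall at all."""
    if src == dst:
        return True
    return (src, dst, "any") in policy or (src, dst, service) in policy

def reachable_zones(policy: set, src: str) -> set:
    """Zones a compromised host in `src` can talk to on at least one service (its blast radius)."""
    return {z for z in ZONES if z != src and any(f[0] == src and f[1] == z for f in policy)}

def blast_radius_comparison(src: str) -> tuple[int, int]:
    """(flat, segmented) counts of other zones reachable from a compromised host in `src`."""
    return len(reachable_zones(FLAT_POLICY, src)), len(reachable_zones(SEGMENTED_POLICY, src))
```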

How Often Should Businesses Audit Their Firewall Configuration?

Businesses should audit their firewall configuration at least quarterly, with additional reviews after any significant network change — new office locations, cloud migrations, vendor onboarding, or M&A activity. Annual audits are not frequent enough given how quickly network environments change.

A proper firewall audit should cover:

  • Rule review: Are all rules still needed? Are any overly permissive?
  • Access control: Who has admin access? Are credentials current? Is MFA enabled?
  • Firmware status: Is the firewall running the latest stable firmware?
  • Logging verification: Are logs being captured, forwarded, and retained properly?
  • Network changes: Have new subnets, VLANs, or remote sites been added since the last audit?
  • VPN configuration: Are site-to-site and remote access VPN tunnels using current encryption standards?
  • Policy alignment: Does the configuration match documented security policies?

For businesses in regulated industries like automotive dealerships (FTC Safeguards Rule), healthcare (HIPAA), or organizations handling payment card data (PCI DSS), these audits aren’t just best practices — they’re requirements.

What Role Does a Managed Firewall Service Play?

A managed firewall service shifts the burden of firewall configuration, monitoring, and maintenance to a dedicated team of network security professionals. For businesses without full-time security staff, this is often the most practical way to maintain a strong firewall posture.

Managed services typically include 24/7 monitoring, proactive firmware management, rule optimization, incident response, and regular configuration audits. The managed provider sees threats across all their clients’ environments, giving them broader visibility into emerging attack patterns.

At COMNEXIA, our network security and infrastructure services include firewall management as a core component. With over three decades of experience securing business networks across industries — from automotive dealership groups with complex multi-location setups to financial services firms with strict compliance requirements — we’ve built firewall management processes that catch misconfigurations before they become incidents.

Frequently Asked Questions

How do I know if my firewall is misconfigured?

The most reliable way is a professional configuration audit. Warning signs include rules you can’t explain, admin accounts that haven’t been reviewed, firmware more than six months old, or no logging in place. If your firewall was set up years ago and hasn’t been reviewed since, there are almost certainly misconfigurations present.

Can a next-generation firewall (NGFW) prevent misconfiguration issues?

Next-generation firewalls offer more granular controls — application awareness, intrusion prevention, SSL inspection — but they don’t prevent misconfiguration. In fact, NGFWs are more complex to configure correctly, which can increase the risk of mistakes if they’re not managed by experienced professionals.

What’s the difference between a firewall misconfiguration and a firewall vulnerability?

A vulnerability is a flaw in the firewall’s software that the vendor needs to patch. A misconfiguration is a human error in how the firewall’s rules, settings, or access controls are set up. Both create risk, but misconfigurations are far more common and are entirely within your control to prevent.

How much does a firewall audit cost?

Costs vary depending on the complexity of your environment — number of firewalls, number of rules, compliance requirements, and number of sites. For most small to mid-sized businesses, a professional firewall audit is a modest investment compared to the cost of a breach. Contact COMNEXIA for a consultation specific to your environment.

Should I manage my own firewall or outsource it?

If you have a dedicated network security professional on staff who stays current with threats and vendor advisories, in-house management can work. For most small and mid-sized businesses, outsourcing to a managed security provider provides better coverage at a lower total cost than hiring and retaining specialized security talent internally.
