Firewall health check checklist for Malaysian businesses
A firewall health check verifies that the device guarding your network is current, cleanly configured and actually watched. The core checks are supported firmware, a rule base purged of unused and shadowed rules, no any-any rules, VPN access behind MFA, logs flowing to central monitoring, a tested HA failover, locked-down admin access, outbound egress filtering, threat prevention on the rules that matter, and disciplined change management.
Why firewalls drift out of shape
Firewalls degrade through accumulation, not failure. Rules are added for projects and never removed, temporary access becomes permanent, firmware upgrades are deferred to avoid downtime, and the engineer who understood the rule base resigns. Whether you run Palo Alto Networks, FortiGate or another platform, the symptoms are the same: a rule base nobody fully trusts and a perimeter with quiet gaps. Unpatched VPN services and exposed management interfaces on firewalls are heavily exploited in real attacks, which makes a periodic health check one of the cheapest risk reductions available.
The firewall health check checklist
- 01 Firmware on a current, supported release. The device runs a vendor-recommended release with recent security fixes applied, and you subscribe to the vendor's security advisories so urgent patches are not discovered by accident.
- 02 Unused and shadowed rules removed. Hit counts and logs identify rules nothing matches, or that earlier rules permanently override, and these are disabled then deleted. A smaller rule base is easier to audit and harder to hide a mistake in.
- 03 No any-any rules. No rule permits any source to any destination on any service. Where one survives as a troubleshooting leftover, it is replaced with specific rules, because an any-any effectively switches part of the firewall off.
- 04 VPN configured deliberately, with MFA. Remote access VPN requires MFA, uses current protocols, and grants access to specific internal resources rather than the whole network. Stale accounts for former staff and vendors are removed.
- 05 Logging into central monitoring. Traffic, threat, VPN and admin-login logs ship to a SIEM or monitoring service where someone will see them. A firewall logging only to its own disk provides forensics, not detection.
- 06 HA pair healthy, failover tested. Both members run matching firmware with synchronised configuration, and failover has been deliberately exercised in a maintenance window within recent memory. An untested HA pair is an assumption, not resilience.
- 07 Admin access hardened. Management interfaces are unreachable from the internet and restricted to a management network, with MFA-protected named admin accounts and default credentials disabled, so every change is attributable to a person.
- 08 Outbound egress filtering applied. Outbound traffic is restricted by policy rather than allowed wholesale, blocking unneeded services and known-bad destinations. Egress control is what hampers malware calling home and data being staged out after a breach.
- 09 Threat prevention profiles on the rules that matter. IPS, anti-malware and web filtering profiles are applied to internet-facing and high-risk rules, with licences current and signatures updating. A next-generation firewall passing traffic without inspection is commodity packet filtering at premium cost.
- 10 Changes go through change management. Rule changes carry a ticket, a business justification, an owner and ideally an expiry date for temporary access, with periodic reviews reconciling the rule base against approvals so drift is caught early.
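Checks 02, 03 and 10 can be run mechanically against a rule export. The audit below is an added example, not code from the page or from any vendor: it assumes a constructed, vendor-neutral rule format (name, source, destination, service, action, hit count, optional expiry) that you would map a real FortiGate or PAN-OS export onto, and it flags zero-hit rules, rules shadowed by an earlier rule, any-any allows, and temporary rules past their expiry date.

```python
# Rule-base audit for checks 02, 03 and 10. Added example, not code from the page
# or any vendor; Rule mirrors a constructed vendor-neutral export, not a real schema.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    service: str                    # e.g. "tcp/443" or "any"
    action: str                     # "allow" or "deny"
    hits: int                       # hit counter read from the device
    expires: Optional[date] = None  # set for temporary access (check 10)

def _net(value):
    return ip_network("0.0.0.0/0") if value == "any" else ip_network(value)

def _covers(outer, inner):
    """True when `outer` matches every packet `inner` matches (inner is shadowed)."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.service in ("any", inner.service))

def audit(rules, today):
    """(rule name, finding) pairs; first match wins, so only earlier rules shadow."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.expires and rule.expires < today:
            findings.append((rule.name, "temporary rule past expiry"))
        if rule.hits == 0:
            findings.append((rule.name, "zero hits"))
        if rule.action == "allow" and (rule.src, rule.dst, rule.service) == ("any", "any", "any"):
            findings.append((rule.name, "any-any allow"))
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    return findings
# Constructed sample export: five rules that between them trigger each finding.
RULES = [
    Rule("web-out", "10.0.0.0/8", "any", "tcp/443", "allow", 120943),
    Rule("vendor-temp", "203.0.113.5/32", "10.1.1.10/32", "tcp/22", "allow", 14, date(2024, 3, 31)),
    Rule("legacy-ftp", "10.2.0.0/16", "10.3.0.0/24", "tcp/21", "allow", 0),
    Rule("tshoot-any", "any", "any", "any", "allow", 8811),
    Rule("guest-web", "10.9.0.0/16", "any", "tcp/443", "allow", 55),
]
FINDINGS = audit(RULES, date(2025, 1, 15))
```

Each finding maps to a checklist item: the any-any allow is check 03, the zero-hit and shadowed rules are check 02, and the expired temporary rule is the expiry discipline from check 10.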
After the health check
Treat the output as a remediation plan with owners and dates, and repeat the exercise on a regular cycle and after major network changes. Pair the quick wins, such as removing dead rules and restricting management access, with the scheduled work of firmware upgrades and failover tests.
Datasafe Online supports both Palo Alto Networks and Fortinet environments, holding Palo Alto Networks NextWave Innovator status alongside its Fortinet partnership, and provides firewall health checks, ongoing support and central log monitoring through its 24/7 SOC. To arrange a health check, contact sales@datasafe.com.my or 03-2242 3191.
Many Malaysian mid-sized businesses run their perimeter on FortiGate or Palo Alto Networks hardware installed by an integrator years ago and lightly touched since. PDPA due diligence and, for financial institutions, Bank Negara Malaysia RMiT expectations both point to maintained and monitored network security controls, and a documented health check is straightforward evidence for auditors and customers who ask how the perimeter is managed.
Common questions
How often should a firewall health check be done?
A sensible cycle is a full check annually and after major changes such as firmware upgrades, office moves or new internet links, with rule base reviews more often if changes are frequent. Regulated industries may have review frequencies set by their compliance obligations.
Will the health check cause downtime?
The review itself is read-only: configuration export, log analysis and interviews with whoever manages the device. Remediation items such as firmware upgrades and failover tests need maintenance windows, which you schedule on your own terms after seeing the findings.
We have an HA pair, so are we already resilient?
Only if failover actually works. Mismatched firmware, unsynchronised configuration or a dead heartbeat link can make the standby useless at the worst possible moment. Deliberately testing failover in a maintenance window is the only way to know, which is why it is its own checklist item.
Do firewall logs really need to go to a SIEM?
If you want detection rather than after-the-fact forensics, yes. The firewall sees connection attempts, VPN logins and blocked threats, but the box does not call you when something looks wrong. Central monitoring turns those logs into an alert a human acts on.
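The kind of rule a SIEM applies to those logs, as an added example that is not from the page: it assumes a constructed key=value log format and an assumed management network of 10.250.0.0/24, and alerts on admin logins from outside that network (check 07) and on sources with repeated failed VPN logins (check 04).

```python
# Detection over constructed firewall log lines, illustrating why logs belong in a
# SIEM. Added example, not code from the page; the key=value format is invented.
from collections import Counter
from ipaddress import ip_address, ip_network

MGMT_NET = ip_network("10.250.0.0/24")  # assumed management network (check 07)
VPN_FAIL_THRESHOLD = 5                   # assumed alert threshold per source

def parse(line):
    """Split 'k=v k=v ...' into a dict; a real SIEM parser replaces this."""
    return dict(field.split("=", 1) for field in line.split())

def detect(lines):
    """Return alert strings: admin logins from outside the management network,
    and sources with repeated failed VPN logins."""
    alerts, vpn_failures = [], Counter()
    for event in map(parse, lines):
        if event["type"] == "admin-login" and ip_address(event["src"]) not in MGMT_NET:
            alerts.append(f"admin login ({event['result']}) from non-management "
                          f"address {event['src']} as {event['user']}")
        elif event["type"] == "vpn-login" and event["result"] == "fail":
            vpn_failures[event["src"]] += 1
    for src, count in vpn_failures.items():
        if count >= VPN_FAIL_THRESHOLD:
            alerts.append(f"{count} failed VPN logins from {src}")
    return alerts

# Constructed sample: one clean admin login, one from the internet, a single
# VPN failure from a user, and a burst of failures against a service account.
LOGS = [
    "type=admin-login src=10.250.0.12 user=jlee result=ok",
    "type=admin-login src=198.51.100.77 user=admin result=fail",
    "type=vpn-login src=192.0.2.40 user=amir result=fail",
    "type=vpn-login src=192.0.2.40 user=amir result=ok",
] + ["type=vpn-login src=203.0.113.9 user=svc.backup result=fail"] * 6

ALERTS = detect(LOGS)
```

The admin login from the internet address is the event that a firewall logging only to its own disk records but never raises; with the logs centralised it becomes an alert someone acts on.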
Can Datasafe check a firewall it did not install?
Yes. Health checks are routinely performed on devices installed by other parties, particularly Palo Alto Networks and FortiGate units, working from a configuration export and log access. The findings are yours regardless of whether remediation is done in-house or with Datasafe's support.
Talk it through with an operator.
A 30-minute Cyber Risk Review maps this topic against your environment, with an analyst from Datasafe's Kuala Lumpur SOC. No slideware, no obligation.
