I lead firewall migrations. Then I built the platform that makes them provable.

Seventeen years and 280+ migrations across Palo Alto, Fortinet, Check Point and Cisco, encoded in software. Capture the change, check the risk, route the approval, roll out the rule, and prove it happened — across every vendor, on one audit trail.

app.fwchange.com/changes
Built by Nick Falshaw
Principal Security Architect & AI Systems Engineer
17+ years in enterprise security · 280+ firewall migrations · 33+ vendors supported · 11 Tier-1 European enterprises

Manages rules across enterprise firewall platforms

Palo Alto · Fortinet · Check Point · Cisco · Juniper · Sophos · OPNsense

The problem

Firewall change is where networks break

Most outages and failed audits don't come from clever attackers. They come from a rule that was changed in a hurry, on the wrong box, with no one watching.

Spreadsheet tracking

Change requests live in Excel and email threads. Approvals go undocumented, requests get lost, and there is no real audit trail when a regulator asks who changed what, and why.

Manual, per-vendor work

Engineers log into each console, translate the rule by hand, check syntax, and document it separately for Palo Alto, Fortinet, Check Point, and Cisco. It is slow, repetitive, and error-prone as the fleet grows.

Multi-vendor chaos

Every vendor speaks a different rule language, exposes a different API, and behaves differently under load. One change across the estate means coordinating several tools, and several chances to get it wrong.

Compliance gaps

PCI-DSS 4.0, ISO 27001, and NIS2 all demand documented approval and complete change history. Without one source of truth, proving it means weeks of manual evidence-gathering before every audit.

Plan · Review · Prove

One workflow for the whole change lifecycle

FwChange brings governance and speed to every rule change, so the team ships safely, without the spreadsheet.

Open Internet → DMZ 443 (Pending)
Allow VPN → App-tier (Approved)
Block legacy SMB (Approved)
Decommission rule #4471 (Draft)

Govern every change, whether made by people or by pipelines

Route each rule change through structured request, peer review, approval, and rollout, for humans and automation alike.

Explore Change Control →
Shadowed rule detected (Review)
Overly-broad any/any (High)

Catch risky rules before they ship

Simulate every change against the live rulebase to surface shadowing, conflicts, and over-permissive access before it reaches production.

See Risk Analysis →
NIS2 evidence pack (Ready)

Prove compliance without the audit scramble

Every change is logged, reviewed, and exportable. Turn an audit request into a one-click report instead of a two-week fire drill.

Learn about Reporting →

How it works

From request to audit, on one trail

1. Request

Capture source, destination, port, and intent in a structured change request, not a free-text ticket.

2. Analyse

Simulate the change against the live rulebase. Shadow rules, conflicts, and over-broad access surface automatically.

3. Approve

Route through a configurable approval chain with peer review and a scheduled maintenance window.

4. Prove

The change is pushed, verified, and logged with who, what, when, and why, exportable for any auditor.

The stakes

Misconfiguration, not vendor flaws, breaks firewalls

99% of firewall breaches through 2023 traced to misconfiguration rather than vendor flaws. (Gartner)

NIS2 extends audit and incident obligations to essential and important entities across the EU, change evidence included.

280+ enterprise firewall migrations behind the methodology FwChange encodes — the same failures, made preventable.

The FwChange principle

Every rule change: reviewed, simulated, and logged before it ever touches production.

Nick Falshaw — Principal Security Architect & AI Systems Engineer

Why it exists

Built by the practitioner, not the marketing team

FwChange was born from one observation. Enterprise firewall migrations fail the same preventable ways every time: undetected shadow rules, hand-translation errors between vendor syntaxes, and no automated compliance validation. The platform encodes seventeen years of field-tested method into software.

  • KRITIS & critical infrastructure — migrations delivered under regulated, high-assurance conditions.
  • Eleven Tier-1 European enterprises across banking, insurance, automotive, energy, and telecoms.
  • CCIE Security, ISO 27001 LI, TOGAF 9 — plus AI-102 and AZ-500. Vendor-certified across the estate.
  • Self-hostable & AI-native — analysis runs against your own rulebase, on your own terms.

From the field notes

Writing on firewall change, migration & compliance

Long-form notes from the migrations behind FwChange: what fails, why, and how to make it provable.

See how the method becomes software

Read the whitepaper on AI-assisted firewall change, or walk the methodology that came out of 280 migrations.