Blog

Firewall Management Insights

Expert guides on firewall change management, compliance, rule optimization, and multi-vendor environments. Written by security professionals for security teams.

Guides · 2026-05-27 · 9 min read

Check Point to Palo Alto Migration: A 7-Step Field Guide

Migrating from Check Point to Palo Alto is rarely the hard part — planning, testing, and validation decide whether you succeed or firefight for a quarter. This step-by-step guide covers the seven-stage process from SmartConsole audit through Expedition conversion, the NAT processing-order trap, the parallel-run cutover, and post-migration validation, drawn from dozens of Check Point to Palo Alto cutovers in a 280-migration dataset.

Nick Falshaw, Security Consultant

Best Practices · 2026-05-27 · 6 min read

9 Palo Alto Migration Best Practices for a Clean Cutover

Migrating to Palo Alto from Check Point, Cisco ASA, Juniper, or Fortinet is a re-architecture of how policy is expressed, not a hardware swap. These nine best practices — migrate intent not rules, clean the base first, design zones up front, treat App-ID conversion as a phase, validate threat posture and NAT — are the platform-agnostic principles that held across 280 migrations.

Nick Falshaw, Security Consultant

Compliance · 2026-05-27 · 7 min read

PCI-DSS 4.0 Compliance Automation: Continuous Validation

PCI-DSS v4.0.1 moved compliance from a point-in-time audit to continuous validation: you must prove controls operated every day, not just during audit week. This guide covers seven automation strategies — segmentation monitoring, continuous scanning, the six-monthly firewall rule review, SIEM, key management, and automated evidence collection — that decide whether you pass cleanly or drown in findings.

Nick Falshaw, Security Consultant

Compliance · 2026-05-27 · 6 min read

The Cyber Resilience Act: What Security Teams Must Document

The EU Cyber Resilience Act puts security obligations on the product, not just the operator — and it confuses teams already managing NIS2 and DORA. This guide explains what the CRA regulates, how it differs from NIS2 and DORA, the core secure-by-design and vulnerability-handling obligations, CE marking, the December 2027 timeline, and where it meets the network team.

Nick Falshaw, Security Consultant

Compliance · 2026-05-27 · 6 min read

SOC 2 Type II for European Companies: 5 Criteria + GDPR

SOC 2 Type II is the de facto requirement for European companies selling to US enterprises — without it, the sales cycle stalls at vendor risk assessment. This guide covers the five Trust Service Criteria, the SOC 2 vs ISO 27001 comparison, the substantial GDPR head start, and a realistic six-to-twelve-month timeline and cost for European organisations.

Nick Falshaw, Security Consultant

Methodology · 2026-05-23 · 10 min read

An Authorization Gate for Active Scanning: Safe by Construction

In most security tooling, “authorized” is a box a human ticked once, not a control the software enforces on every scan. This post documents a different design: an app hardened so it physically cannot run a scanner, an isolated worker that does, and an authorization gate that refuses any scan whose target is not inside an active, explicitly-consented engagement scope — with exclusions that always win and a scope snapshot frozen for audit.

Nick Falshaw, Security Consultant

Research · 2026-05-22 · 10 min read

Palo Alto to Fortinet Migration: 5 Failure Modes, 280 Migrations

Palo Alto to Fortinet was one of the most common vendor pairs in my 280-migration dataset, and teams routinely budget it as a like-for-like rule export. It is not. PAN-OS and FortiOS diverge on application identity, threat-prevention attachment, NAT, and default behaviour. This post isolates the five failure modes that recurred on this vendor pair, each mapped to the migration failure taxonomy, with the validation pass that catches it before users do.

Nick Falshaw, Security Consultant

Best Practices · 2026-05-14 · 11 min read

Firewall Rule Decommissioning: Retire Rules Without Outages

Every change-advisory board scrutinises rule additions. Almost none scrutinise removals — so dead rules accumulate for years, expanding the attack surface and the audit burden. Yet removing a rule is the riskier operation: a wrong deny breaks production, often silently, often days later. This guide covers the five-stage decommissioning process, the dependency traps that cause outages, and the audit evidence a clean removal must leave behind.

Nick Falshaw, Security Consultant

Architecture · 2026-05-09 · 13 min read

Firewall Egress Filtering: A Data Exfiltration Control Guide

Inbound rules are scrutinised at every change-advisory board meeting; outbound rules drift unobserved. Yet every meaningful breach in the past decade has an egress story: command-and-control beacons leaving on TCP/443, DNS tunnels carrying staged data, cloud-storage uploads masquerading as legitimate API traffic. This guide covers the four egress-control postures, the threat model, the five-phase implementation pattern, the recurring failure modes, and the compliance mapping for regulated environments.

Nick Falshaw, Security Consultant

Architecture · 2026-05-09 · 13 min read

Firewall Microsegmentation: Enterprise Implementation Guide

Microsegmentation moves firewall policy from a small number of perimeter boundaries to thousands of east-west boundaries inside the network. Rule volume can grow by a factor of ten to one hundred. Without a matching change-management uplift, microsegmentation collapses into 'more rules, less governance' within twelve months. This guide covers the four segmentation models, the rule-volume reality, the four implementation phases, and the recurring failure modes from observed enterprise rollouts.

Nick Falshaw, Security Consultant

Research · 2026-04-28 · 12 min read

280 Firewall Migrations: Dataset Findings 2026

Between 2018 and 2025 I led or contributed to 280+ enterprise firewall migrations. After the dust settled I produced a structured dataset. This post is the headline summary: cutover times, rule counts, six failure classes accounting for 96% of defects, vendor-specific edge cases for ASA, Check Point, Juniper, Fortinet, and PAN-OS. Single-author research, anonymized at engagement level, the basis for the FwChange methodology.

Nick Falshaw, Security Consultant

Research · 2026-04-28 · 11 min read

Firewall Migration Failure Taxonomy: Six Classes

Across 280 firewall migrations I logged 1,847 distinct cutover defects. Six classes explained 96% of them: translation errors (28%), object resolution gaps (24%), NAT semantics drift (19%), logging policy loss (12%), application-ID divergence (10%), and implicit-deny inversions (7%). This post is the taxonomy with detection signatures and prevention strategies for each class.

Nick Falshaw, Security Consultant

Compliance · 2026-04-25 · 10 min read

NIS2 Firewall Evidence: Mapping Article 21 to Documentation

NIS2 Article 21 took effect across the EU in October 2024 and the audit cadence is now 18 months. Six of the ten risk-management measures require specific firewall documentation. This post maps the measures to the evidence artifacts auditors actually check, with the gap pattern from 280+ migrations and the essential-vs-important entity differences.

Nick Falshaw, Security Consultant

Compliance · 2026-04-25 · 11 min read

EU AI Act Security Controls: Articles 9-15 to Technical Measures

The EU AI Act became enforceable in 2026. High-risk AI system providers face concrete obligations under Articles 9-15: risk-management systems, data governance, logging, transparency, human oversight, accuracy, and cybersecurity. This guide maps each article to specific technical controls with crosswalks to ISO 42001 and ISO 27001 so existing security teams can extend rather than rebuild.

Nick Falshaw, Security Consultant

Architecture · 2026-04-25 · 9 min read

Zero Trust Still Needs Firewall Change Management

Zero Trust is sold as the end of perimeter security. In practice, ZT architectures still depend on firewalls as policy enforcement points at network boundaries. Micro-segmentation multiplies firewall rule volume by 10x or more, which breaks change-management processes that worked at perimeter scale. This guide documents the four ZT tenets applied to change controls and maps to DoD ZTRA pillars.

Nick Falshaw, Security Consultant

Architecture · 2026-04-25 · 10 min read

Self-Hosted AI for Regulated Industries: Cost + Architecture

For some industries, the choice between cloud LLM APIs and self-hosted models is a regulatory determination, not a business preference. EU GDPR, German BSI, US ITAR, healthcare HIPAA, and several financial-services frameworks all narrow the deployment options. This guide covers when self-hosting is mandatory, what air-gap actually means for LLM deployments in 2026, the hardware economics, and the operational pattern for production deployment under audit.

Nick Falshaw, Security Consultant

Methodology · 2026-04-25 · 12 min read

AI Agent Security Threat Model: 7 Attack Classes + Defenses

Multi-agent LLM systems are not just LLM+tools from a security perspective. Cross-agent prompt injection, tool misuse, memory poisoning, goal hijacking, privilege escalation, agent collusion, and exfiltration all operate at the orchestration layer. This post documents an original 7-class threat model with per-class attack vectors, defense patterns, detection requirements, and a red-team playbook.

Nick Falshaw, Security Consultant

Methodology · 2026-04-25 · 12 min read

AI-Driven Firewall Rule Analysis: 3-Stage LLM Pipeline

Static firewall rule analyzers miss roughly 30 percent of risky rules because they cannot reason about business context. This post documents an original 3-stage LLM-based methodology for firewall rule classification — with structured output, labeled-set evaluation, failure-mode analysis, and the audit trail that makes the pipeline deployable in regulated environments.

Nick Falshaw, Security Consultant

Compliance · 2026-04-25 · 11 min read

US Critical Infrastructure Firewall Compliance: CISA + NIST

The US critical infrastructure firewall compliance stack is fragmented across CISA CPGs, NIST 800-53, Executive Order 14028, CIRCIA reporting obligations, and sector-specific frameworks (CMMC, NERC CIP, HIPAA). This guide maps the overlapping requirements to a single evidence pack — six artifacts that satisfy 80% of common audits.

Nick Falshaw, Security Consultant

Integrations · 2026-04-23 · 6 min read

NetBox Context for Firewall Rule Reviews

Most firewall change reviews happen in a vacuum. A reviewer sees source 10.42.7.0/24, destination 203.0.113.5, port 443 — and has to decide whether to approve it without knowing whether those are production, DMZ, decommissioned, or someone's home lab. That context already exists in NetBox. Here is how to surface it in FwChange.

Nick Falshaw, Security Consultant

Best Practices · 2026-03-27 · 9 min read

Emergency Firewall Change Management: 5-Step Workflow

Every firewall team faces emergency changes — a critical vulnerability, a production outage, or an urgent business request that cannot wait for normal approval workflows. The challenge is handling these changes fast enough to matter while maintaining the audit trail that compliance demands.

Nick Falshaw, Security Consultant

Compliance · 2026-03-27 · 10 min read

ISO 27001 Firewall Audit: 12 Controls Checklist

ISO 27001 certification auditors check specific firewall controls during every surveillance and recertification audit. Yet most security teams prepare by reading the standard cover-to-cover instead of focusing on what auditors actually examine. This checklist covers the 12 controls that matter most.

Nick Falshaw, Security Consultant

Best Practices · 2026-03-27 · 8 min read

Why Spreadsheet Firewall Tracking Fails Every Audit

After 17 years of enterprise firewall deployments, the same pattern shows up everywhere: six-figure firewall hardware governed by a shared Excel file that would make an auditor weep. This article breaks down exactly why spreadsheet-based firewall change tracking fails, what happens when it does, and what a proper audit trail looks like.

Nick Falshaw, Security Consultant

Compliance · 2026-03-18 · 9 min read

Firewall Rule Recertification: 6-Step Audit Process

Every compliance framework requires periodic firewall rule reviews. Yet most organizations still run recertification as a manual spreadsheet exercise once a year — if at all. This guide covers the 6-step recertification process, what auditors actually check, and how automation eliminates the pain.

Nick Falshaw, Security Consultant

Compliance · 2026-03-09 · 10 min read

DORA Firewall Compliance for Financial Institutions

DORA firewall compliance became mandatory for EU financial institutions on January 17, 2025. Banks, insurance companies, investment firms, and their ICT service providers must document every network change with formal approval workflows and complete audit trails.

Nick Falshaw, Security Consultant

Security · 2026-02-21 · 9 min read

Firewall Vulnerability Scanning: 18 Automated Checks

Most firewall teams audit rules manually once or twice a year. Meanwhile, policy weaknesses accumulate daily — any-any rules, exposed RDP ports, shadow rules, missing logging. Automated vulnerability scanning catches these issues continuously across your entire fleet.

Nick Falshaw, Security Consultant

Security · 2026-02-21 · 8 min read

Threat Intel for Firewalls: 4 Feeds, One Workflow

Your SOC team tracks threat intelligence. Your firewall team manages rules. But who checks whether your firewall rules reference known-bad IPs? This guide explains how to close that gap with automated threat feed cross-referencing.

Nick Falshaw, Security Consultant

Best Practices · 2026-02-21 · 9 min read

Policy Drift Detection: Catch Unauthorized Firewall Changes

Between audits, firewall configurations drift. Emergency rules get added and never removed. Objects are modified without tickets. NAT rules change during incident response. Policy drift detection catches these unauthorized changes before your next compliance audit does.

Nick Falshaw, Security Consultant

Security · 2026-02-12 · 10 min read

CISO Guide to AI-Powered Threat Detection

Every quarter, another vendor claims their AI-powered threat detection platform will revolutionize your security operations. After 17 years of enterprise security consulting, this guide separates genuine capability from marketing theatre.

Nick Falshaw, Security Consultant

Thought Leadership · 2026-02-10 · 10 min read

What 15 Years of Enterprise Security Taught Me About Compliance

Fifteen years ago, I started my career in enterprise security compliance. Along the way, I learned lessons that do not appear in frameworks or certification guides — lessons about what actually matters, what does not, and why some companies breeze through audits while others struggle.

Nick Falshaw, Security Consultant

Founder Story · 2026-02-08 · 9 min read

Why I Built a Firewall Change Management Tool

After 17 years as an enterprise security consultant, I kept seeing the same problem. Companies spent millions on firewalls but could not answer basic audit questions: Who requested this rule? Why does it exist? Who approved it? That is why I built FwChange.

Nick Falshaw, Security Consultant

Compliance · 2026-02-06 · 7 min read

KRITIS Firewall Compliance: BSI Requirements

KRITIS firewall compliance represents one of the most demanding cybersecurity requirements facing German organizations. If you operate critical infrastructure, the BSI holds you to a higher standard than standard enterprise security.

Nick Falshaw, Security Consultant

Compliance · 2026-02-06 · 8 min read

PCI-DSS 4.0 Firewall: German Payment Processors

PCI-DSS firewall requirements underwent significant changes with version 4.0. German payment processors, merchants, and service providers must now demonstrate stricter network segmentation, more frequent rule reviews, and comprehensive change documentation.

Nick Falshaw, Security Consultant

Architecture · 2026-02-05 · 8 min read

Managing Multi-Vendor Firewall Environments

Most enterprise environments run firewalls from multiple vendors. Managing Palo Alto alongside Fortinet, Check Point, and Cisco ASA creates unique challenges around policy normalization, change workflows, and compliance reporting. Here is how to solve them.

Nick Falshaw, Security Consultant

Compliance · 2026-02-04 · 9 min read

TISAX Firewall Requirements for Automotive Suppliers

Over 30,000 automotive suppliers globally need TISAX certification, yet 67% fail their first audit due to incomplete firewall documentation. This guide breaks down the specific TISAX firewall requirements you must meet and how to build documentation that passes on the first attempt.

Nick Falshaw, Security Consultant

Compliance · 2026-02-04 · 9 min read

NIS2 Network Security Documentation: Practical Guide

German manufacturers face a significant compliance deadline. The NIS2 network security documentation requirements take effect in October 2026, affecting an estimated 29,500 German companies. This guide breaks down exactly what documentation you need and practical steps to prepare.

Nick Falshaw, Security Consultant

Best Practices · 2026-01-29 · 8 min read

Firewall Rulebase Optimization: Shadow Rules & Cleanup

Rule bloat is one of the most common and dangerous problems in enterprise firewall management. Over time, rulebases accumulate shadow rules, redundancies, and overly permissive policies that increase your attack surface. Here is how to clean them up.

Nick Falshaw, Security Consultant

Compliance · 2026-01-22 · 8 min read

PCI-DSS 4.0 Firewall Requirements: What Teams Need to Know

PCI-DSS 4.0 introduced significant changes to firewall requirements. Requirement 1 has been restructured and expanded, with new mandates around documentation, review cadence, and network security controls. Here is what security teams need to know to stay compliant.

Nick Falshaw, Security Consultant

Guides · 2026-01-20 · 9 min read

6 Essential Firewall Rule Audit Steps for 2026

The average enterprise firewall rule base contains 47% unused rules, 23% shadow rules, and 12% with direct conflicts. This guide covers the 6-step audit process, the 4 types of rule issues, compliance requirements, and how to automate the process.

Nick Falshaw, Security Consultant

Guides · 2026-01-15 · 10 min read

The Complete Guide to Firewall Change Management in 2026

Firewall change management is the structured process of requesting, reviewing, approving, implementing, and documenting modifications to firewall rules and policies. In this guide, we cover the complete 7-step process, compliance requirements, common pitfalls, and how automation transforms the workflow.

Nick Falshaw, Security Consultant

Automate Your Firewall Change Process

See how FwChange helps security teams manage firewall changes across vendors with compliance automation and AI-powered rule analysis.