Field notes
Long-form notes from the migrations behind FwChange, what fails, why, and how to make it provable.

A step-by-step Check Point to Palo Alto migration guide: configuration audit, feature parity, Expedition limits, the NAT trap, cutover, and validation.

The edge appliance is no longer the wall around the breach. It is the breach. What the year's exploited-firewall record means for how you trust your own perimeter kit.

The 2am break-glass rule restores service and then lives forever. Why emergency changes skip rollback, and a register that expires and reverts them.

16 billion credentials leaked and stolen sessions walk past MFA. When identity fails, firewall egress filtering, segmentation, and change control are what still contain the breach…

Non-human identities are ungoverned access that piles up like firewall rule sprawl. Apply the rule lifecycle: inventory, owner, recertify, decommission, least privilege…

Prompt injection can't be patched. The control that holds is authorization, scope what an agent may do so a hijack reaches nothing it can break…

Agentjacking turns a web page into code execution on a dev box, and a new AI worm spreads with no cloud API. Both are segmentation problems…

Anthropic put a number on AI agent risk: 31.5% hijacked without safeguards. Treat agent attack-success-rate like a CVSS on your risk register…

The EU Cyber Resilience Act (2024/2847) for security teams: scope, CRA vs NIS2 vs DORA, core obligations, CE marking…

Nine platform-agnostic best practices for migrating to Palo Alto from any vendor: migrate intent not rules, clean the…

Seven PCI-DSS 4.0.1 automation strategies for continuous validation: segmentation monitoring, six-monthly rule reviews…

SOC 2 Type II for European companies: the five Trust Service Criteria, the SOC 2 vs ISO 27001 comparison, the GDPR head…

Active scanning is lawful only against authorized, in-scope targets. A design pattern that enforces it: a hardened app…

The five failure modes that recur when migrating Palo Alto (PAN-OS) to Fortinet (FortiOS): App-ID, security profiles…

Removing a firewall rule is riskier than adding one. The five-stage process for retiring rules without breaking…

Egress turns intrusion into compromise: four control postures, a threat model, a five-phase rollout, and compliance…

Microsegmentation moves firewalls from perimeter zones to thousands of east-west boundaries: segmentation models…

Analysis of enterprise firewall migrations: cutover times, rule counts, defect distribution, and…

Six-class taxonomy of firewall migration defects from hundreds of projects: translation errors, object resolution, NAT drift…

Multi-agent LLM systems have attack surfaces single-LLM apps do not. A 7-class threat model with concrete defenses…

Original methodology for LLM-based firewall rule classification: 3-stage pipeline, structured JSON output, labeled-set…

Mapping EU AI Act Articles 9-15 to concrete technical controls, risk management, data governance, logging, oversight…

NIS2 Article 21 lists 10 risk-management measures. Six require firewall documentation. This guide maps each to the…

When cloud LLM APIs are blocked by regulation: data sovereignty obligations, air-gap realities, hardware economics, and…

How CISA CPGs, NIST 800-53 controls, Executive Order 14028, and CIRCIA shape firewall compliance for US critical…

Zero Trust reframes firewalls as identity-aware enforcement points. This post documents how change-management practices…

Firewall reviewers approve rules without knowing what the IPs are. Connect NetBox to FwChange for inline prefix, VRF…

Emergency firewall changes need structure, not panic. The 5-step workflow that balances speed with audit-trail…

The 12 ISO 27001 firewall controls auditors actually check. Annex A mappings, common findings, preparation timeline…
No tamper-proof timestamps, no approval attribution, no audit trail. PCI-DSS, ISO 27001, NIS2, and DORA all reject…

Firewall rule recertification under PCI-DSS, ISO 27001, NIS2, and TISAX. The 6-step audit process, common failures, and…

DORA mandates documenting every ICT network change with formal approval and audit trails. The 7 critical firewall…

Automated firewall vuln scanning catches policy weaknesses across permissiveness, protocol risk, hygiene, and…

Compare live firewall config against an approved baseline. 8 drift types, 5 severity levels, and 3 resolution workflows…

Cross-reference firewall rules against AbuseIPDB, Emerging Threats, Feodo Tracker, and AlienVault OTX in one workflow…

AI threat detection is reshaping enterprise defense. A field view of what works, what's hype…

Enterprise security compliance lessons from years of audits and implementations, what actually matters for passing…

The story behind building a firewall change management tool, why enterprise solutions fail SMEs and…

1,600+ German KRITIS operators face BSI requirements for network segmentation, logging, and incident response. The…

PCI-DSS 4.0 firewall requirements take full effect March 2025. New segmentation, rule documentation, and change…

Practical guide to mixed firewall fleets, Palo Alto, Fortinet, Check Point, Cisco. Rule normalization, single-pane…

NIS2 docs hit 29,500 German firms by October 2026. What to document for network security and how to prepare audit…

What automotive suppliers must document for TISAX/VDA audits: the 5 critical firewall controls and how to prepare…

Learn how to identify and fix shadow rules, redundant policies, and bloated rulebases. Practical strategies and tools…

PCI-DSS 4.0 changes affecting firewalls: Requirement 1.x, documentation mandates, audit preparation, and how automation…

Firewall rule audit guide with step-by-step process. Detect shadow rules, overlaps, redundancies, and compliance gaps…

The 7-step firewall change management process: common pitfalls, compliance requirements (PCI-DSS, ISO 27001), and best…