Field notes

Writing on firewall change, migration & compliance

Long-form notes from the migrations behind FwChange, what fails, why, and how to make it provable.

Guides

Check Point to Palo Alto Migration: A 7-Step Field Guide

A step-by-step Check Point to Palo Alto migration guide: configuration audit, feature parity, Expedition limits, the NAT trap, cutover, and validation.

FW FwChange·May 27, 2026
Thought Leadership

2026: The Year the Firewall Became the Way In

The edge appliance is no longer the wall around the breach. It is the breach. What the year's exploited-firewall record means for how you trust your own perimeter kit.

FwChange·Jul 13, 2026·8 min
Best Practices

The Emergency Firewall Change That Never Gets Rolled Back

The 2am break-glass rule restores service and then lives forever. Why emergency changes skip rollback, and a register that expires and reverts them.

FwChange·Jul 5, 2026
Security

MFA Bypass Is Routine. Your Firewall Is the Last Identity Control.

16 billion credentials leaked and stolen sessions walk past MFA. When identity fails, firewall egress filtering, segmentation, and change control are what still contain the breach…

FwChange·Jun 27, 2026·9 min
Security

Non-Human Identities: Govern Them Like Firewall Rules

Non-human identities are ungoverned access that piles up like firewall rule sprawl. Apply the rule lifecycle: inventory, owner, recertify, decommission, least privilege…

FwChange·Jun 27, 2026·9 min
Security

AI Agent Authorization: The Control Prompt Injection Can't Beat

Prompt injection can't be patched. The control that holds is authorization, scope what an agent may do so a hijack reaches nothing it can break…

FwChange·Jun 21, 2026·8 min
Security

Agentjacking and the AI Worm: Segment the Dev Workstation

Agentjacking turns a web page into code execution on a dev box, and a new AI worm spreads with no cloud API. Both are segmentation problems…

FwChange·Jun 20, 2026·10 min
Security

AI Agent Attack-Success-Rate: A CVSS for Your Risk Register

Anthropic put a number on AI agent risk: 31.5% hijacked without safeguards. Treat agent attack-success-rate like a CVSS on your risk register…

FwChange·Jun 7, 2026·9 min
Compliance

The Cyber Resilience Act: What Security Teams Must Document

The EU Cyber Resilience Act (2024/2847) for security teams: scope, CRA vs NIS2 vs DORA, core obligations, CE marking…

FwChange·May 27, 2026·5 min
Best Practices

9 Palo Alto Migration Best Practices for a Clean Cutover

Nine platform-agnostic best practices for migrating to Palo Alto from any vendor: migrate intent not rules, clean the…

FwChange·May 27, 2026·5 min
Compliance

PCI-DSS 4.0 Compliance Automation: Continuous Validation

Seven PCI-DSS 4.0.1 automation strategies for continuous validation: segmentation monitoring, six-monthly rule reviews…

FwChange·May 27, 2026·6 min
Compliance

SOC 2 Type II for European Companies: 5 Criteria + GDPR

SOC 2 Type II for European companies: the five Trust Service Criteria, the SOC 2 vs ISO 27001 comparison, the GDPR head…

FwChange·May 27, 2026·6 min
Methodology

An Authorization Gate for Active Scanning: Safe by Construction

Active scanning is lawful only against authorized, in-scope targets. A design pattern that enforces it: a hardened app…

FwChange·May 23, 2026·6 min
Research

Palo Alto to Fortinet Migration: 5 Failure Modes, hundreds of migrations

The five failure modes that recur when migrating Palo Alto (PAN-OS) to Fortinet (FortiOS): App-ID, security profiles…

FwChange·May 22, 2026·9 min
Best Practices

Firewall Rule Decommissioning: Retire Rules Without Outages

Removing a firewall rule is riskier than adding one. The five-stage process for retiring rules without breaking…

FwChange·May 14, 2026·10 min
Architecture

Firewall Egress Filtering: A Data Exfiltration Control Guide

Egress turns intrusion into compromise: four control postures, a threat model, a five-phase rollout, and compliance…

FwChange·May 9, 2026·9 min
Architecture

Firewall Microsegmentation: Enterprise Implementation Guide

Microsegmentation moves firewalls from perimeter zones to thousands of east-west boundaries: segmentation models…

FwChange·May 9, 2026·8 min
Research

hundreds of firewall migrations: Dataset Findings 2026

Analysis of enterprise firewall migrations: cutover times, rule counts, defect distribution, and…

FwChange·Apr 28, 2026·7 min
Research

Firewall Migration Failure Taxonomy: Six Classes

Six-class taxonomy of firewall migration defects from hundreds of projects: translation errors, object resolution, NAT drift…

FwChange·Apr 28, 2026·8 min
Methodology

AI Agent Security Threat Model: 7 Attack Classes + Defenses

Multi-agent LLM systems have attack surfaces single-LLM apps do not. A 7-class threat model with concrete defenses…

FwChange·Apr 25, 2026·10 min
Methodology

AI-Driven Firewall Rule Analysis: 3-Stage LLM Pipeline

Original methodology for LLM-based firewall rule classification: 3-stage pipeline, structured JSON output, labeled-set…

FwChange·Apr 25, 2026·11 min
Compliance

EU AI Act Security Controls: Articles 9-15 to Technical Measures

Mapping EU AI Act Articles 9-15 to concrete technical controls, risk management, data governance, logging, oversight…

FwChange·Apr 25, 2026·5 min
Compliance

NIS2 Firewall Evidence: Mapping Article 21 to Documentation

NIS2 Article 21 lists 10 risk-management measures. Six require firewall documentation. This guide maps each to the…

FwChange·Apr 25, 2026·5 min
Architecture

Self-Hosted AI for Regulated Industries: Cost + Architecture

When cloud LLM APIs are blocked by regulation: data sovereignty obligations, air-gap realities, hardware economics, and…

FwChange·Apr 25, 2026·5 min
Compliance

US Critical Infrastructure Firewall Compliance: CISA + NIST

How CISA CPGs, NIST 800-53 controls, Executive Order 14028, and CIRCIA shape firewall compliance for US critical…

FwChange·Apr 25, 2026·8 min
Architecture

Zero Trust Still Needs Firewall Change Management

Zero Trust reframes firewalls as identity-aware enforcement points. This post documents how change-management practices…

FwChange·Apr 25, 2026·4 min
Integrations

NetBox Context for Firewall Rule Reviews

Firewall reviewers approve rules without knowing what the IPs are. Connect NetBox to FwChange for inline prefix, VRF…

FwChange·Apr 23, 2026·4 min
Best Practices

Emergency Firewall Change Management: 5-Step Workflow

Emergency firewall changes need structure, not panic. The 5-step workflow that balances speed with audit-trail…

FwChange·Mar 27, 2026·8 min
Compliance

ISO 27001 Firewall Audit: 12 Controls Checklist

The 12 ISO 27001 firewall controls auditors actually check. Annex A mappings, common findings, preparation timeline…

FwChange·Mar 27, 2026·8 min
Best Practices

Why Spreadsheet Firewall Tracking Fails Every Audit

No tamper-proof timestamps, no approval attribution, no audit trail. PCI-DSS, ISO 27001, NIS2, and DORA all reject…

FwChange·Mar 27, 2026·10 min
Compliance

Firewall Rule Recertification: 6-Step Audit Process

Firewall rule recertification under PCI-DSS, ISO 27001, NIS2, and TISAX. The 6-step audit process, common failures, and…

FwChange·Mar 18, 2026·4 min
Compliance

DORA Firewall Compliance for Financial Institutions

DORA mandates documenting every ICT network change with formal approval and audit trails. The 7 critical firewall…

FwChange·Mar 9, 2026·7 min
Security

Firewall Vulnerability Scanning: 18 Automated Checks

Automated firewall vuln scanning catches policy weaknesses across permissiveness, protocol risk, hygiene, and…

FwChange·Feb 21, 2026·6 min
Best Practices

Policy Drift Detection: Catch Unauthorized Firewall Changes

Compare live firewall config against an approved baseline. 8 drift types, 5 severity levels, and 3 resolution workflows…

FwChange·Feb 21, 2026·7 min
Security

Threat Intel for Firewalls: 4 Feeds, One Workflow

Cross-reference firewall rules against AbuseIPDB, Emerging Threats, Feodo Tracker, and AlienVault OTX in one workflow…

FwChange·Feb 21, 2026·5 min
Security

CISO Guide to AI-Powered Threat Detection

AI threat detection is reshaping enterprise defense. A field view of what works, what's hype…

FwChange·Feb 12, 2026·10 min
Thought Leadership

Enterprise Security Compliance: What Actually Matters

Enterprise security compliance lessons from years of audits and implementations, what actually matters for passing…

FwChange·Feb 10, 2026·7 min
Origin

Why FwChange Was Built

The story behind building a firewall change management tool, why enterprise solutions fail SMEs and…

FwChange·Feb 8, 2026·6 min
Compliance

KRITIS Firewall Compliance: BSI Requirements

1,600+ German KRITIS operators face BSI requirements for network segmentation, logging, and incident response. The…

FwChange·Feb 6, 2026·6 min
Compliance

PCI-DSS 4.0 Firewall: German Payment Processors

PCI-DSS 4.0 firewall requirements take full effect March 2025. New segmentation, rule documentation, and change…

FwChange·Feb 6, 2026·6 min
Architecture

Managing Multi-Vendor Firewall Environments

Practical guide to mixed firewall fleets, Palo Alto, Fortinet, Check Point, Cisco. Rule normalization, single-pane…

FwChange·Feb 5, 2026·6 min
Compliance

NIS2 Network Security Documentation: Practical Guide

NIS2 docs hit 29,500 German firms by October 2026. What to document for network security and how to prepare audit…

FwChange·Feb 4, 2026·9 min
Compliance

TISAX Firewall Requirements for Automotive Suppliers

What automotive suppliers must document for TISAX/VDA audits: the 5 critical firewall controls and how to prepare…

FwChange·Feb 4, 2026·10 min
Best Practices

Firewall Rulebase Optimization: Shadow Rules & Cleanup

Learn how to identify and fix shadow rules, redundant policies, and bloated rulebases. Practical strategies and tools…

FwChange·Jan 29, 2026·6 min
Compliance

PCI-DSS 4.0 Firewall Requirements: What Teams Need to Know

PCI-DSS 4.0 changes affecting firewalls: Requirement 1.x, documentation mandates, audit preparation, and how automation…

FwChange·Jan 22, 2026·6 min
Guides

6 Essential Firewall Rule Audit Steps for 2026

Firewall rule audit guide with step-by-step process. Detect shadow rules, overlaps, redundancies, and compliance gaps…

FwChange·Jan 20, 2026·10 min
Guides

The Complete Guide to Firewall Change Management in 2026

The 7-step firewall change management process: common pitfalls, compliance requirements (PCI-DSS, ISO 27001), and best…

FwChange·Jan 15, 2026·8 min