FwChange LogoFwChange
Best Practices

Why Tracking Firewall Changes in Spreadsheets Fails Every Audit

Fw
The FwChange Team
||8 min read

Somewhere in your organization right now, there is a shared Excel file called something like FW_Changes_2026_v3_FINAL_updated.xlsx. It lives on a network drive, or maybe SharePoint, or maybe on a single laptop. It has 47 columns, color-coded rows that only one person understands, and a “Notes” column full of entries like “emergency — will document later.” Later never came.

If this sounds familiar, you are not alone. After 17 years of deploying and managing firewalls across enterprise environments — Palo Alto, Cisco ASA, Fortinet, Check Point — the same pattern shows up in nearly every organization that has not invested in dedicated change management tooling. The firewall hardware costs six figures. The rules that govern it are tracked in a spreadsheet that would make an auditor weep.

This article breaks down exactly why spreadsheet-based firewall change tracking fails, what happens when it does, and what a proper audit trail actually looks like.

The Spreadsheet and Email Reality

Here is how firewall change tracking actually works in most mid-market organizations. Someone — a network engineer, a developer, a helpdesk technician — needs a firewall rule changed. They send an email. Sometimes it goes to a distribution list, sometimes directly to the firewall admin, sometimes to a manager who has no idea what a source NAT is but needs to “approve” the change.

The firewall admin reads the email, makes the change on the firewall, and — if they remember — opens the shared Excel file and adds a row. The row might include the date, the rule number, and a vague description like “opened port 443 for vendor.” Which vendor? Which source IP? What was the business justification? What is the expiry date? Nobody filled those columns in.

What Spreadsheet Tracking Typically Looks Like

  • Multiple versions: Three copies of the “master” spreadsheet exist. Nobody knows which is current. When two people edit simultaneously, one version silently overwrites the other.
  • Email approvals: Approval lives in someone’s inbox. Six months later that person has left the company. The email is gone. The approval is gone.
  • No timestamps: The spreadsheet says the change happened in “March.” Not March 3rd at 14:22 UTC. Just March. Maybe.
  • Lost context: The rule says “allow any to 10.0.5.0/24 on TCP 3389.” Why does RDP need to be open to an entire subnet from any source? The person who requested it left two years ago.
  • Emergency gaps: During an incident at 2am, three rules were added to restore production. Nobody logged them. They are still there 18 months later, wide open.

This is not a failure of individuals. The firewall admin who forgot to update the spreadsheet at 3am during a production outage was doing the right thing — fixing the problem. The failure is systemic. You cannot bolt audit-grade change management onto email threads and Excel files. It does not scale, it does not survive staff turnover, and it does not hold up under scrutiny.

What Goes Wrong: Real Scenarios

The spreadsheet problem is not theoretical. These are situations that repeat across organizations of every size.

Scenario 1: “Who Changed Rule 847?”

The auditor opens their laptop and asks to see the change history for a specific firewall rule that allows inbound access to the database tier. You check the spreadsheet. There is no entry for rule 847. You check the firewall logs. The rule was last modified 14 months ago, but the commit log just shows the admin account — no individual attribution, no ticket reference, no business justification. You check email. Nothing. The auditor writes a finding.

Scenario 2: The 2am Emergency

You get a call at 2am. Production is down. The load balancer cannot reach the backend servers. You SSH into the firewall, identify the problem — a rule that was tightened during a “cleanup” last week now blocks health check traffic. You add a temporary permit rule, restore service, and go back to sleep. The next morning, you mean to document it. But there are 40 emails waiting and a change freeze starts tomorrow. The temporary rule becomes permanent. Three months later, a penetration tester flags it as an overly permissive rule allowing broad access to backend infrastructure. Nobody remembers why it exists.

Scenario 3: The Vendor Migration Without a Baseline

Your organization is migrating from Cisco ASA to Palo Alto. The migration team asks for the current rule baseline — not just what is on the firewall now, but what each rule is supposed to do, who owns it, and whether it is still needed. You open the spreadsheet. It has 2,300 rows. Half are highlighted yellow with no legend. 200 rows reference ticket numbers from a ticketing system you decommissioned in 2024. The migration team spends six weeks manually reviewing every rule because there is no reliable documentation to work from.

Scenario 4: The Stale Access Rule

A contractor was given VPN access and a firewall rule to reach the development environment. The project ended eight months ago. The contractor’s VPN account was disabled by HR. But nobody told the firewall team, and nobody tracks rule expiry in the spreadsheet. The rule is still there, allowing the contractor’s source IP range into the dev subnet. If that IP range gets reassigned or compromised, the path is open.

Why Spreadsheets Fail Every Audit

Compliance frameworks do not care how you track firewall changes internally. They care about evidence. And spreadsheets produce evidence that is unreliable, incomplete, and trivially easy to fabricate. Auditors know this.

What the Standards Actually Require

  • PCI-DSS 4.0 (Requirement 1.2.2): Network security control configurations must be reviewed at least once every six months. Each change must be documented with business justification, authorized by a responsible party, and tested to confirm it does not compromise security. A spreadsheet with “opened port 443 for vendor” does not meet this bar.
  • ISO 27001 (A.8.32 — Change Management): Changes to information processing facilities and systems must be subject to change management procedures. The standard requires formal change requests, impact assessments, approval records, and implementation verification. An email thread between two engineers is not a formal change request.
  • NIS2 (Article 21): Essential and important entities must implement policies on change management including documented procedures for configuration changes to network and information systems. Member states can impose fines up to EUR 10 million or 2% of global turnover for non-compliance.
  • TISAX (VDA ISA 5.2.6): Automotive suppliers must demonstrate controlled change management for all IT systems. Auditors specifically ask to see the approval chain and rollback procedures for infrastructure changes.
  • DORA (Article 9): Financial entities must maintain complete, accurate records of all ICT changes including network security modifications. Every change must be traceable to an authorized request with documented risk assessment.

The common thread across every framework is the same: you need a documented process with formal requests, authorized approvals, implementation records, and verification steps. Spreadsheets fail because they cannot prove any of this reliably. There is no tamper-proof timestamp. There is no guaranteed link between the approval and the implementation. There is no automatic record that the change was actually made as documented. An auditor looking at a spreadsheet row has to take your word for it — and auditors are paid not to take your word for it.

The most common audit findings related to spreadsheet-based tracking are:

  • Changes on the firewall that do not appear in the change log
  • Change log entries with no corresponding approval evidence
  • Missing business justification for permissive rules
  • No evidence of periodic review or recertification
  • Inability to produce a complete change history for a specific rule
  • No rollback documentation for failed changes

Any one of these is a finding. Most organizations using spreadsheets hit three or more.

What Proper Firewall Change Tracking Looks Like

The gap between spreadsheet chaos and audit-ready change management is not about buying expensive software. It is about having a system where the process itself creates the evidence. When the workflow is the audit trail, documentation stops being a chore that gets skipped and becomes an automatic byproduct of doing the work.

The Five Components of Audit-Ready Change Management

  • 1. Structured change requests: Every change starts with a formal request that captures who is asking, what they need, why they need it, and when it should expire. No free-text emails. No verbal requests. A defined form with required fields that cannot be submitted incomplete.
  • 2. Approval workflows with attribution: The right people approve the change based on its risk level and scope. Every approval is timestamped, attributed to a named individual, and stored immutably. If the approver is out, the request escalates automatically — it does not sit in an inbox for two weeks.
  • 3. Automatic audit trail: When the change is implemented on the firewall, the system records exactly what changed — the before and after state of the rule, who pushed it, when it happened, and which approved request it ties back to. This is not a human typing into a spreadsheet after the fact. It is the system capturing the change as it happens. Tools like FwChange generate this audit trail automatically across multi-vendor environments, connecting every rule modification to its original request and approval chain.
  • 4. Baseline comparisons and drift detection: A proper system maintains a known-good baseline of your firewall configuration. Any deviation from that baseline — whether from an unauthorized manual change, a failed rollback, or an emergency rule that was never cleaned up — gets flagged automatically. You should not discover configuration drift during an audit. You should discover it the day it happens.
  • 5. Periodic review and recertification: Rules do not last forever. Access that was justified six months ago may no longer be needed. A proper change tracking system schedules periodic reviews, assigns them to rule owners, and tracks whether each rule was recertified, modified, or removed. When the auditor asks “when was this rule last reviewed?” you have an answer backed by evidence, not a guess.

The difference between this and a spreadsheet is not complexity. It is reliability. A spreadsheet depends on humans remembering to update it correctly every single time. A proper change management system makes it impossible to implement a change without creating the corresponding documentation. The process and the evidence are the same thing.

The Cost of Doing Nothing

Organizations that continue with spreadsheet-based tracking typically pay the price in one of three ways: audit findings that delay certifications and cost consulting fees to remediate, security incidents caused by undocumented rules that should have been removed, or migration projects that take twice as long because nobody knows what the current state actually is.

The irony is that the fix is not difficult. The hard part is not technology — it is breaking the habit of treating firewall changes as informal requests between colleagues rather than controlled modifications to critical security infrastructure. Once you accept that every firewall rule change deserves the same rigor as a code deployment — a request, a review, an approval, a record — the tooling to support that workflow is straightforward.

Start with Visibility

If your organization is still running on spreadsheets and email threads, the first step is not buying software. The first step is understanding your current state. How many rules do you have? How many are actually in use? How many have no business justification, no owner, and no expiry date?

Most teams are surprised by the answer. The average enterprise rulebase contains 40-50% rules that are unused, redundant, or shadowed by other rules. That is not a spreadsheet problem — that is a visibility problem. And it is the reason auditors keep asking questions you cannot answer.

See What Your Spreadsheet Is Missing

FwChange’s free firewall rule scanner analyzes your rulebase for shadow rules, redundancies, overly permissive policies, and compliance gaps — the exact issues that spreadsheet tracking cannot catch. No installation required. Upload a sanitized config export and get results in minutes.

Start Free Firewall Audit →

See How Your Firewall Rules Score

Upload your config and get a free compliance report with shadow rule detection, conflict analysis, and optimization recommendations.

Try Free ScannerSee All Features

Stay Updated

Get firewall management tips, compliance guides, and product updates.

No spam. Unsubscribe anytime.

Fw

The FwChange Team

Enterprise firewall change management. Built by security professionals with 17+ years of hands-on experience.

Related Articles

Guides

The Complete Guide to Firewall Change Management in 2026

10 min read

Compliance

PCI-DSS 4.0 Firewall Requirements: What Security Teams Need to Know

8 min read

Best Practices

How to Optimize Your Firewall Rulebase: Shadow Rules, Redundancies, and Best Practices

8 min read

Ready to Automate Firewall Changes?

See how FwChange streamlines multi-vendor firewall management with compliance automation and AI-powered rule analysis.

Try Free Scanner