Founder Story

Why I Built a Firewall Change Management Tool (From Security Consultant to Founder)

The FwChange Team

After 15 years as an enterprise security consultant, I kept seeing the same problem. Companies spent millions on firewalls but couldn’t answer basic audit questions: Who requested this rule? Why does it exist? Who approved it?

I’ve conducted hundreds of firewall audits across Germany and Europe. TISAX assessments for automotive suppliers. PCI-DSS audits for retailers. ISO 27001 certifications for manufacturers. The technology was always fine. The documentation was always a disaster.

That’s why I built a firewall change management tool. Not because the world needed another security product, but because the existing solutions didn’t solve the actual problem mid-market companies face.

The Problem I Kept Seeing

Every audit started the same way. I’d ask to see firewall change records. The IT team would produce a mix of:

  • Excel spreadsheets with missing entries
  • JIRA tickets that didn’t link to actual rules
  • Email threads nobody could find
  • Tribal knowledge from engineers who’d since left

The firewall itself worked perfectly. Palo Alto, Check Point, Fortinet — all properly configured, all protecting the network. But when auditors asked “show me the change history for this rule,” everything fell apart.

I’d watch companies fail audits not because their security was weak, but because they couldn’t prove their security was strong. Documentation gaps turned passing grades into major findings.

The BSI doesn’t accept “we think someone approved this in 2019” as evidence. Neither does any serious auditor.

Why Existing Tools Don’t Work for Mid-Market

Enterprise firewall change management tools exist. AlgoSec, Tufin, FireMon — they’re excellent products. I’ve implemented all of them for large enterprises. But they share common problems for mid-market companies:

Cost

Enterprise licensing starts at €100,000+ per year. For a company with 5-10 firewalls, the math doesn’t work. You’re paying for capabilities you’ll never use.

Complexity

These tools require dedicated administrators. Multi-month implementation projects. Professional services engagements. Mid-market IT teams don’t have those resources.

Overhead

The workflow overhead often exceeds the benefit. Engineers resist tools that triple the time to make a simple change. Adoption fails, and you’re back to spreadsheets.

I watched a 200-person manufacturer spend €150,000 on an enterprise solution, struggle through 6 months of implementation, and still fail their TISAX audit because nobody actually used it. The tool sat there while changes happened via SSH and manual documentation.

The Moment I Decided to Build

The breaking point came during a TISAX assessment in 2024. A Tier-1 automotive supplier — good security team, modern infrastructure, real commitment to compliance. They’d done everything right except document their firewall changes.

The auditor asked for 6 months of change history. The IT manager produced a spreadsheet with 40 entries. The firewall logs showed 200+ changes in that period. The gap was inexplicable.

Emergency changes. After-hours modifications. Rules added during incidents. All undocumented because the process was too cumbersome to follow under pressure.

They failed. Not because their firewall was insecure — it was excellent. They failed because they couldn’t prove governance over their change management process. A BMW contract hung in the balance while they scrambled to remediate.

I’d seen this pattern too many times. Talented teams, solid security, failed audits. The tools weren’t the problem. The process was the problem. And the existing solutions made the process worse, not better.

What FwChange Does Differently

I built FwChange around one principle: documentation should happen automatically, not as extra work. When you make a change through FwChange, documentation is the byproduct. You’re not filling out forms after the fact. You’re making the change, and the audit trail generates itself.

Request

Someone needs a firewall rule. They submit through FwChange with business justification. Takes 2 minutes.

Approve

Approval workflow routes to the right people based on priority. They approve in Slack, Teams, or the web UI. One click.

Implement

The change pushes to the firewall automatically. Or an engineer implements manually and marks complete. Either way, it’s tracked.

Document

Every step is logged automatically. Who requested, who approved, who implemented, when, why. Immutable record.

When auditors ask for change history, you generate a report. Everything’s there. No spreadsheet archaeology required.

Designed for Real IT Teams

A firewall change management tool only works if people use it. I designed FwChange for the IT teams I’d worked with for 15 years:

  • Fast deployment: Docker containers, 2-hour setup. No professional services required. Your team can do it.
  • Multi-vendor: Palo Alto, Check Point, Fortinet, Cisco, OPNsense, pfSense. One interface for all your firewalls. According to industry research, most mid-market companies run 2-3 firewall vendors.
  • Low friction: Changes take minutes, not hours. Engineers adopt it because it’s faster than the old way, not slower.
  • Affordable: Per-firewall pricing that makes sense for mid-market budgets. Not enterprise pricing for mid-market needs.
  • JIRA/Taiga integration: Link to existing tickets. Don’t force a separate workflow. Meet teams where they already work.

The goal was simple: make the right thing to do also the easy thing to do. If documentation requires extra effort, it won’t happen. If documentation is automatic, it always happens.

Solving Real Audit Problems

Every feature in FwChange traces back to an audit problem I encountered:

  • Rule ownership: “Who owns this rule?” Every rule has an assigned owner. No more orphan rules that nobody claims.
  • Business justification: “Why does this rule exist?” Required field on every request. Not optional, not “we’ll add it later.”
  • Approval evidence: “Who approved this?” Timestamped approval records with the approver’s identity. No ambiguity.
  • Rule review: “When was this last validated?” Scheduled review reminders. Annual recertification tracking. Evidence of ongoing governance.
  • Emergency changes: “What about urgent changes?” Emergency workflow with expedited approval and retroactive documentation. Because emergencies happen.

The ENISA guidelines on network security management informed much of this design. I wanted a firewall change management tool that auditors would love as much as IT teams.
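
The gap from the TISAX story above (40 documented entries against 200+ logged changes) and the evidence fields in this list can be checked mechanically. The following is an added example, not FwChange code: the event and record formats, the field names, and the 24-hour matching window are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

REQUIRED = ("owner", "justification", "approver", "approved_at")
WINDOW = timedelta(hours=24)  # assumed max gap between approval and change

# Constructed firewall change events (hypothetical format, not a vendor log).
EVENTS = [
    {"time": "2024-03-04T10:15", "admin": "akl", "rule": "allow-erp-db"},
    {"time": "2024-03-09T02:40", "admin": "mso", "rule": "allow-vendor-vpn"},
    {"time": "2024-03-12T16:05", "admin": "akl", "rule": "allow-backup-nas"},
    {"time": "2024-03-20T23:10", "admin": "mso", "rule": "tmp-any-any"},
]
# Constructed change records, as exported from a ticketing system or spreadsheet.
RECORDS = [
    {"id": "CHG-1", "rule": "allow-erp-db", "owner": "erp-team", "justification": "ERP to DB",
     "approver": "jb", "approved_at": "2024-03-04T09:00", "emergency": False},
    {"id": "CHG-2", "rule": "allow-vendor-vpn", "owner": "ops", "justification": "incident",
     "approver": "jb", "approved_at": "2024-03-09T08:30", "emergency": True},
    {"id": "CHG-3", "rule": "allow-backup-nas", "owner": "", "justification": "backup",
     "approver": "jb", "approved_at": "2024-03-12T15:00", "emergency": False},
]

def classify(event, records):
    """Return (status, record_id) for one firewall change event."""
    when = datetime.fromisoformat(event["time"])
    for rec in (r for r in records if r["rule"] == event["rule"]):
        approved = datetime.fromisoformat(rec["approved_at"]) if rec.get("approved_at") else None
        if approved and abs(when - approved) > WINDOW:
            continue  # record belongs to another change of the same rule
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            return "incomplete:" + ",".join(missing), rec["id"]
        if approved <= when:
            return "ok", rec["id"]
        # Approval after the change is only acceptable on the emergency path.
        return ("emergency_retroactive" if rec.get("emergency") else "approved_after_change"), rec["id"]
    return "undocumented", None

def reconcile(events, records):
    """One (time, rule, status, record_id) row per event seen on the firewall."""
    return [(e["time"], e["rule"], *classify(e, records)) for e in events]

if __name__ == "__main__":
    for row in reconcile(EVENTS, RECORDS):
        print(*row, sep="  ")
```

Every row that is not "ok" or "emergency_retroactive" is a change an auditor would have no complete evidence for.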

From Consultant to Founder

Building a product is different from consulting. As a consultant, I identified problems and recommended solutions. As a founder, I have to solve problems completely. The transition taught me things I couldn’t learn as a consultant:

  • Simplicity is hard: Anyone can build a complex tool. Building something simple that solves the problem — that’s the challenge. Every feature request gets evaluated: does this make the core workflow better or worse?
  • Users vote with behavior: In consulting, you deliver recommendations and move on. In product, you see whether people actually use what you built. That feedback loop is humbling and invaluable.
  • Support is product: When a customer struggles, that’s not a support ticket — it’s a design flaw. If the tool needs explanation, the tool needs improvement.

I’m still a consultant at heart. I still do audits and assessments. But now I can offer clients a solution I built specifically for the problems I’ve spent 15 years documenting.

What’s Next

NIS2 takes effect in 2026. TISAX requirements keep tightening. The demand for firewall change management solutions will only grow as mid-market companies face compliance requirements previously reserved for enterprises.

FwChange is ready. Built by someone who’s failed audits, passed audits, and knows exactly what evidence auditors need. Built for IT teams who need solutions that work, not products that promise.

If you’re facing TISAX, NIS2, PCI-DSS, or ISO 27001 compliance — and your firewall documentation is held together with spreadsheets and hope — I built FwChange for you. Try the free rulebase scanner and see why documentation should be automatic, not additional work.
