
What Is Firewall Configuration?

A firewall plays a vital role in network security and needs to be properly configured to keep organizations protected from data leakage and cyberattacks.

Configuration involves setting the domain names and Internet Protocol (IP) addresses that the firewall works with. Firewall policy configuration is based on network type, such as public or private, and consists of security rules that block or allow access to prevent potential attacks from hackers or malware.

Proper firewall configuration is essential, as default features may not provide maximum protection against a cyberattack.

Importance Of Basic Firewall Configuration

Improper firewall configuration can result in attackers gaining unauthorized access to protected internal networks and resources. Cyber criminals are constantly on the lookout for networks that have outdated software or servers and are not protected. Gartner highlighted the size and magnitude of this issue, predicting that 99% of firewall breaches would be caused by misconfigurations in 2020.

The default settings on most firewalls and protocols like the File Transfer Protocol (FTP) do not provide the necessary level of protection to keep networks secure from cyberattacks. Organizations must ensure basic firewall configuration meets the unique needs of their networks.

How To Configure A Firewall

Proper configuration is essential to supporting internal networks and stateful packet inspection. Here is how to configure a firewall securely:

1. Secure the firewall

Securing a firewall is the vital first step to ensure only authorized administrators have access to it. This includes actions such as:

  1. Updating to the latest firmware
  2. Never putting firewalls into production without appropriate configurations in place
  3. Deleting, disabling, or renaming default accounts and changing default passwords
  4. Using unique, secure passwords
  5. Never using shared user accounts. If a firewall will be managed by multiple administrators, additional admin accounts must have limited privileges based on individual responsibilities
  6. Disabling the Simple Network Management Protocol (SNMP), which collects and organizes information about devices on IP networks, or configuring it for secure usage
  7. Restricting outgoing and incoming network traffic for specific applications or the Transmission Control Protocol (TCP)

2. Establish firewall zones and an IP address structure

It is important to identify network assets and resources that must be protected. This includes creating a structure that groups corporate assets into zones based on similar functions and the level of risk.

A good example of this is servers—such as email servers, virtual private network (VPN) servers, and web servers—placed in a dedicated zone that limits inbound internet traffic, often referred to as a demilitarized zone (DMZ). A general rule is that the more zones created, the more secure the network is. 

However, having more zones also demands more time to manage them. With a network zone structure established, it is also important to establish a corresponding IP address structure that assigns zones to firewall interfaces and subinterfaces.

3. Configure access control lists (ACLs)

Access control lists (ACLs) enable organizations to determine which traffic is allowed to flow in and out of each zone. ACLs act as firewall rules, which organizations can apply to each firewall interface and subinterface.

ACLs must be made specific to the exact source and destination port numbers and IP addresses. Each ACL should have a “deny all” rule created at the end of it, which enables organizations to filter out unapproved traffic. Each interface and subinterface also needs an inbound and outbound ACL to ensure only approved traffic can reach each zone. It is also advisable to block public access to firewall administration interfaces to protect the configuration, and to disable unencrypted firewall management protocols.
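The ACL requirements above can be checked mechanically before a rule set is deployed. The following is an added example, not vendor code: the `Rule` structure, the `audit` function, and the sample interfaces and addresses are all assumptions made for illustration, and an allow rule is treated as too broad when its destination address or port is left as "any".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR, or "any"
    dport: str    # destination port, or "any"

def is_deny_all(rule):
    return rule.action == "deny" and (rule.src, rule.dst, rule.dport) == ("any",) * 3

def audit(acls):
    """acls maps (interface, direction) to an ordered rule list; returns findings."""
    findings = []
    # Every interface needs both an inbound and an outbound ACL.
    for iface in sorted({iface for iface, _ in acls}):
        for direction in ("in", "out"):
            if (iface, direction) not in acls:
                findings.append(f"{iface}: no '{direction}' ACL")
    for (iface, direction), rules in sorted(acls.items()):
        where = f"{iface}/{direction}"
        # The last rule must be the explicit deny-all.
        if not rules or not is_deny_all(rules[-1]):
            findings.append(f"{where}: no deny-all as final rule")
        for pos, rule in enumerate(rules, start=1):
            # A deny-all before the end makes every later rule unreachable.
            if is_deny_all(rule) and pos < len(rules):
                findings.append(f"{where} rule {pos}: deny-all shadows {len(rules) - pos} later rule(s)")
            # Allow rules must name the exact destination address and port.
            wild = [f for f in ("dst", "dport") if getattr(rule, f) == "any"]
            if rule.action == "allow" and wild:
                findings.append(f"{where} rule {pos}: allow with wildcard {'+'.join(wild)}")
    return findings

# Constructed sample: a DMZ and a LAN interface (documentation and private address ranges).
DENY_ALL = Rule("deny", "any", "any", "any")
SAMPLE = {
    ("dmz", "in"): [Rule("allow", "any", "192.0.2.10/32", "443"), DENY_ALL],
    ("dmz", "out"): [Rule("allow", "192.0.2.10/32", "any", "any")],
    ("lan", "in"): [DENY_ALL, Rule("allow", "10.0.0.0/24", "192.0.2.10/32", "443")],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, the audit reports the missing outbound ACL on `lan`, the two ACLs that do not end in a deny-all, the wildcard allow on `dmz/out`, and the misplaced deny-all that makes the `lan/in` allow rule unreachable.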

4. Configure other firewall services and logging

Some firewalls can be configured to support other services, such as a Dynamic Host Configuration Protocol (DHCP) server, intrusion prevention system (IPS), and Network Time Protocol (NTP) server. It is important to also disable the extra services that will not be used. 

Further, firewalls must be configured to report to a logging service to comply with and fulfill Payment Card Industry Data Security Standard (PCI DSS) requirements.

5. Test the firewall configuration

With the configurations made, it is critical to test them to ensure the correct traffic is being blocked and that the firewall performs as intended. The configuration can be tested through techniques like penetration testing and vulnerability scanning. Remember to back up the configuration in a secure location in case of any failures during the testing process.
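Before live testing, the intended behavior can be written down as a matrix of flows with the expected decision for each, then compared against the rule set. The following is an added example, not vendor code: it uses a simplified stateless, first-match model (an assumption; real firewalls track connection state and may order rules differently), and the function names, rules, and addresses are constructed for illustration.

```python
import ipaddress

def addr_matches(cidr, addr):
    """True when addr falls inside cidr, or the rule field is the wildcard."""
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def decide(rules, src, dst, dport):
    """First matching rule wins; traffic that matches no rule is denied."""
    for action, r_src, r_dst, r_dport in rules:
        if addr_matches(r_src, src) and addr_matches(r_dst, dst) and r_dport in ("any", dport):
            return action
    return "deny"

def run_matrix(rules, cases):
    """Return every case whose actual decision differs from the expected one."""
    failures = []
    for src, dst, dport, expected in cases:
        actual = decide(rules, src, dst, dport)
        if actual != expected:
            failures.append((src, dst, dport, expected, actual))
    return failures

# Constructed rule set for traffic entering a DMZ: (action, src, dst, dport).
DMZ_RULES = [
    ("allow", "any", "192.0.2.10/32", 443),           # public HTTPS to the web server
    ("allow", "10.0.0.0/24", "192.0.2.0/24", "any"),  # admin subnet to the whole DMZ
    ("deny", "any", "any", "any"),
]

# Constructed expectations: (src, dst, dport, expected decision).
EXPECTED = [
    ("198.51.100.7", "192.0.2.10", 443, "allow"),  # internet client, HTTPS
    ("198.51.100.7", "192.0.2.10", 22, "deny"),    # internet client, SSH
    ("10.0.0.5", "192.0.2.10", 22, "allow"),       # admin SSH to the web server
    ("10.0.0.5", "192.0.2.20", 3306, "deny"),      # admin subnet to a database port
]

if __name__ == "__main__":
    for src, dst, dport, expected, actual in run_matrix(DMZ_RULES, EXPECTED):
        print(f"{src} -> {dst}:{dport} expected {expected}, got {actual}")
```

The one mismatch comes from the second rule: it permits the admin subnet to reach every DMZ host on every port, so the database flow that should be blocked is allowed.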

6. Manage the firewall continually

Firewall management and monitoring are critical to ensuring that the firewall continues to function as intended. This includes monitoring logs, performing vulnerability scans, and regularly reviewing rules. It is also important to document processes and manage the configuration continually and diligently to ensure ongoing protection of the network. 

Mistakes To Avoid When Setting Up A Firewall

Configuring a firewall can present difficulties, many of which can be prevented by avoiding common mistakes, such as:

  1. Using broad policies or the wrong firewall settings can result in server issues, such as Domain Name System (DNS) and connectivity issues.
  2. Ignoring outgoing traffic can present a risk to networks. 
  3. Relying solely on a firewall for network security, or on non-standard authentication methods, may not protect all corporate resources.

Fortinet Products & Services

FortiGate Next Generation Firewalls (NGFW) seamlessly integrate advanced networking and robust security, providing industry-leading threat protection and decryption with a custom ASIC architecture for superior performance and energy efficiency at scale.

FortiGates are powered by FortiOS, which ensures consistent security across networks, streamlines operations, and converges networking and security across WLAN, LAN, SASE, and NGFW, eliminating the need for multiple products by integrating SD-WAN and Universal ZTNA into FortiGates.

Customers are safeguarded against the latest threats with AI-enhanced protection from FortiGuard Security Services and FortiManager for centralized and unified policy management of Hybrid Mesh Firewalls.

FortiGates are the foundation of the Fortinet Security Fabric ensuring consistent security, converging networking and security to rapidly respond to threats, and ensuring a secure, responsive network environment. This comprehensive platform approach, covering everything across diverse networks, endpoints, and clouds, provides a tailored, efficient cybersecurity solution.

Firewall Configuration FAQs

What are the three types of firewall configuration?

The three main types are packet filtering, stateful inspection, and application-level gateways. Packet filtering examines individual packets, stateful inspection tracks connections, and application-level gateways analyze traffic content.

How to configure a firewall?

Firewall configuration varies, but generally involves accessing its interface, defining network zones (trusted, untrusted), creating rules for allowed/blocked traffic, and enabling security features like intrusion prevention.

What are the best practices for firewall configuration?

Best practices include: regularly updating firmware, using strong passwords, implementing least privilege access, logging and monitoring activity, and periodically reviewing and auditing rules.

How often should I update my firewall settings?

Firewall settings should be reviewed at least every quarter, or more frequently if your network undergoes significant changes. Always update firmware as soon as patches are released to address vulnerabilities.

How do I ensure my firewall is properly set up for both inbound and outbound traffic?

Configure rules to allow only necessary inbound traffic, explicitly defining permitted ports and services. For outbound, block any unwanted applications or destinations while allowing legitimate traffic.

What should I do if my firewall configuration is causing connectivity issues?

Start by reviewing recent changes to the firewall rules. Systematically disable rules to isolate the problem. If necessary, consult vendor documentation or seek expert assistance.

How to build a human firewall?

Build a human firewall through ongoing security awareness training, phishing simulations, and clear communication of security policies. Encourage a culture of vigilance and reporting.
