
Firewall rule cleanup before the auditor lands: one Pune payments company’s week

By Priya Sharma, Compliance Lead, Data Loss Prevention practice, Sirius Star Enterprise Technologies.

08:40 on a Monday. Anand called before I had finished the first coffee. He runs infrastructure for a card-payments company in Pune, about 600 people, head office in Kharadi. His voice had that flat quality people get when they have already done the panic and now just want a plan.

“The QSA wants the rule-change history. Across every firewall. We have 23 of them. The re-certification is in three weeks.” Then the line that gets me every time. “I do not actually know what half these rules do.”

The estate nobody had fully mapped

This is the normal state of a mid-market Indian payments shop. Nobody planned the sprawl. It accreted. FortiGate boxes sat at the branch offices because that is what the reseller quoted in 2020. Two Palo Alto appliances guarded the data centre because a former architect liked them. A legacy Check Point cluster still fronted the old card-processing zone because moving it felt risky, so it stayed, year after year.

Three brands. Three management consoles. Three different ideas of what a rule should look like. The rule bases had drifted apart the way garages fill with boxes. Around 4,000 rules in total, and a real number of them belonged to people who had left the company. That is the jhamela Anand woke up to. Not a breach. A filing problem with a deadline attached.

₹250 Cr is the statutory penalty cap under the DPDP Act 2023 (source: MeitY, DPDP Act 2023, section 33). A 4,000-rule firewall base with no change history is exactly the kind of finding that starts that clock. Card data and personal data sit behind the same rules.


Firewall rule cleanup is a paperwork problem first

Here is the part buyers get wrong. They think a firewall rule cleanup is a security exercise. It is, eventually. But the auditor does not want to admire your tightened ruleset. The auditor wants evidence. Who changed rule 1842, and when? Who approved it? Why does it still allow traffic for an application that was retired in 2022?

So we did the unglamorous thing first. We pulled every rule base into one place. FireMon does this part well, which is why we lead with it for multi-vendor estates: it pulls the Fortinet, Palo Alto, and Check Point rule bases in read-only mode and lines them up on a single risk scale. The platform we deploy is documented on our FireMon firewall policy management page, and the engagement runs from our Navi Mumbai team.

Inside 48 hours Anand had the inventory his CISO had been promising the QSA for six months. Not a tightened firewall yet. Just the list. Sometimes the list is the whole win. The relief on that call was real. Bas, finally something on paper.

The amber rule I read wrong

I want to be honest about a mistake, because the mistake is the lesson. On day three the risk scoring flagged a permit-any rule on the legacy Check Point cluster. Wide open, any source to a small server subnet. I assumed it was scoped out of the card environment. The kind of thing you note and move past.

It was not scoped out. That subnet had quietly started hosting a reporting service that touched cardholder data eight months earlier. The rule was a leftover from a 2019 vendor proof-of-concept that nobody closed. So a trial that ended before the pandemic had left a door open into the part of the network the entire audit was about. Arre. I had read an amber signal as background noise. It was the whole story.

We have seen this pattern more times than I would like. The breach is rarely the clever attack. It is the rule everyone stopped looking at.

FireMon, Tufin, or AlgoSec

Anand asked the fair question every buyer asks. Why this tool. There are three names auditors recognise in firewall policy management, and the honest call depends on your tooling and your team, not on a leaderboard.

Tool | Wins when | Watch for
FireMon | Speed of rule analysis and change automation matter most. Mixed-vendor estate. | Over-engineered for a single FortiGate office.
Tufin | You run a mature ServiceNow ITSM process and want the deepest change workflow. | Heavier to stand up. Pays off at larger scale.
AlgoSec | Business-application-to-firewall mapping is your priority. | Best when an app owner drives the rule logic.

For this estate, mixed brands and a clock running, FireMon was the right shape. If Anand had owned one FortiGate at one site, I would have told him to use FortiManager and keep his money. We say that out loud. It is on the page too.


What the cleanup actually changed

By the end of week two we had run the first cleanup wave. The Policy Optimizer found the shadowed rules, the duplicates, and the permissive ones that did nothing but widen the attack surface. Most estates shed 15 to 30 percent of their rules in this pass (per FireMon’s own Policy Optimizer guidance). This one came down by about a quarter, from roughly 4,000 to a shade under 3,000.
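To make the three findings in that pass concrete, here is an added example (my own illustration, not FireMon's code or anything from the client's estate) that scans a constructed, vendor-normalised rule list for exact duplicates, rules shadowed by an earlier rule, and any-source allows that land in an in-scope subnet, which is the class the amber Check Point rule above belonged to. Rule ids, subnets and the CDE scope are constructed for the example.

```python
from ipaddress import ip_network

# Constructed rule base, already normalised to one vendor-agnostic shape:
# (id, source, destination, protocol, destination port, action); "any" is the wildcard.
RULES = [
    ("r10", "10.0.0.0/8",   "192.168.50.0/24", "tcp", "443", "allow"),
    ("r20", "10.20.0.0/16", "192.168.50.0/24", "tcp", "443", "allow"),  # inside r10
    ("r30", "10.0.0.0/8",   "192.168.50.0/24", "tcp", "443", "allow"),  # copy of r10
    ("r40", "10.30.0.0/16", "172.16.0.0/24",   "tcp", "22",  "deny"),
    ("r50", "any",          "192.168.50.0/24", "any", "any", "allow"),  # stale PoC rule
]
CDE_SUBNETS = ["192.168.50.0/24"]  # constructed in-scope (cardholder data) subnet


def _covers(outer, inner):
    """True if match field 'outer' matches everything 'inner' matches."""
    if outer == "any" or outer == inner:
        return True
    try:
        return inner != "any" and ip_network(inner).subnet_of(ip_network(outer))
    except ValueError:  # protocol and port strings only match literally
        return False


def rule_covers(outer, inner):
    """Every match field (src, dst, proto, port) of 'outer' covers 'inner'."""
    return all(_covers(o, i) for o, i in zip(outer[1:5], inner[1:5]))


def find_duplicates(rules):
    """Rules that repeat an earlier rule's match fields and action exactly."""
    first, dups = {}, []
    for r in rules:
        if r[1:] in first:
            dups.append((r[0], first[r[1:]]))
        else:
            first[r[1:]] = r[0]
    return dups


def find_shadowed(rules):
    """Rules a first-match engine never reaches: an earlier, different rule covers them."""
    return [(later[0], earlier[0]) for j, later in enumerate(rules)
            for earlier in rules[:j]
            if earlier[1:] != later[1:] and rule_covers(earlier, later)]


def find_open_into_cde(rules, cde_subnets):
    """Allow rules with an 'any' source whose destination overlaps an in-scope subnet."""
    cde, hits = [ip_network(c) for c in cde_subnets], []
    for rid, src, dst, _proto, _port, action in rules:
        if action == "allow" and src == "any":
            dst_net = ip_network("0.0.0.0/0" if dst == "any" else dst)
            if any(dst_net.overlaps(c) for c in cde):
                hits.append(rid)
    return hits
```

Shadowed and duplicate rules are the safe removals; the any-source hit is the one to take to the application owner before touching it, because the subnet's scope may have changed since the rule was written.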

More important than the count was the trail. Every change now ran through one approval record. The compliance pack for PCI DSS 4.0 exported in a click, and the same evidence carried most of the way through an ISO 27001 view and an RBI cyber resilience read, because the underlying control statements overlap. The 40-page Word document Anand’s team had started writing by hand shrank to eight.

His line on our review call, lightly anonymised: “The QSA accepted the rule-change history on first read. Six months of nagging emails, solved in a fortnight.” His CFO, who had flinched at the licence cost in week one, did not mention it again once the audit passed.

What I would tell you before your own audit

If a QSA, a DPDP review, or an RBI inspection is on your calendar, do not wait for the pre-assessment to tell you the rule base is a mess. You already know it is. Pull the inventory now, while there is time to fix what the scan finds instead of explaining it under pressure. Report a real incident to CERT-In inside the window and you will be glad the change history exists.

The cleanup is not the hard part. The hard part is admitting you have 4,000 rules and a memory of maybe 200 of them. Achha, once that is on the table, the rest is just method.

FAQ

How long does a firewall rule cleanup take?
For a multi-vendor estate the inventory lands in about 48 hours. A first cleanup wave and a PCI DSS report pack fit inside two to three weeks. A quarterly retainer keeps the drift contained after that.

Will a cleanup break production traffic?
Not if you sequence it. The first pass is read-only analysis and risk scoring. Changes go through impact analysis and an approval record before anything is touched, so the rule that matters does not get removed by accident.

Does this help with DPDP, not just PCI DSS?
Yes. The same firewall-rule hygiene and change traceability that PCI DSS 4.0 expects feeds a DPDP fiduciary review and an RBI cyber resilience check. One evidence pack, three audiences. Our DPDP compliance package picks up where the firewall layer ends.

We only run one firewall brand. Do we still need this?
Probably not a full policy platform. If it is a single FortiGate or one Check Point, the native manager is the right tool. We will tell you that rather than sell you something. See the Check Point India page or read how a Hyderabad hospital ran its firewall cutover.

Start the free 8-hour scoping call
Reach us on WhatsApp at +91 91375 93228, 10 to 7 IST, or email care@siriusstar.in. Pan-India delivery from Vashi, Navi Mumbai.

P.S. Priya here. A broking firm in Mumbai called us last month with the same shape of problem ahead of a SEBI-driven review: four firewall brands, no rule owner, and an inspection date. We ran the scoping call on a Thursday. By the next Thursday they had the inventory and a cleanup plan their auditor accepted. If that is your week, you already know who to call.
