
Firewall configuration errors encountered in 80% of companies

Discover the 5 most common firewall configuration mistakes that leave businesses vulnerable. Recognize the risks and learn how to address them.
A modern office of a Flemish company with the IT infrastructure and server rack visible in the background; Cyberplan conducts audits here to detect the 80% most common firewall configuration errors.

Your company has a firewall. Probably even a good brand. But from years of experience with infrastructure audits, our pentesters know that the firewall itself is rarely the problem. The problem is in how it’s set up. According to Gartner research, 95% of all firewall breaches are caused by configuration errors, not deficiencies in the technology itself. That’s a sobering observation, but also a reassuring one: configuration errors can be fixed.

At Cyberplan, we conduct daily audits and penetration tests at Flemish companies. And the patterns we encounter are remarkably recognizable. In this article, we share the five firewall configuration errors we find most often, so you can check if your own network suffers from them as well.

Why firewall configuration errors are so persistent

The 80% figure sounds high, but is not surprising considering how enterprise networks have evolved in recent years. Where a firewall was a relatively simple gatekeeper a decade ago, today that same firewall must navigate hybrid environments, cloud platforms, home worker VPN connections and a growing number of applications.

That complexity makes mistakes inevitable, especially if the person configuring the firewall is an IT generalist with 20 other tasks on their plate. On top of that, configurations “drift” over time: temporary rules are created that are never cleaned up, firmware updates are delayed, and documentation becomes obsolete. Our pentesters regularly refer to this as the “forgotten-but-not-deleted” problem.

Mistake 1: too broad access rules in your firewall

The most common firewall configuration error we encounter is the use of overly broad “allow” rules. In practice it looks like this: during a deployment or failure event, a rule is quickly created that “allows everything” to fix the problem. Understandable in the moment, but that temporary rule is almost always forgotten.

The result? Once an attacker compromises one device on the network, they can move to other systems virtually unimpeded. In a recent audit, we found a rule that had been active for three years and left internal traffic completely open between the office network and the production environment.

The solution: work on the “default-deny” principle. By default, block everything and allow only explicitly documented traffic. Audit your ruleset at least quarterly to identify and remove so-called “zombie rules.”

Mistake 2: default passwords and unsecured management interfaces

It sounds like a beginner’s mistake, but our pen testers find it in almost four out of ten companies: the management interface of the firewall is accessible from the Internet, sometimes still with the default password. During a penetration test, we then see that in some cases an ethical hacker can gain full control of the network within hours, simply by logging into the firewall.

The recent wave of SonicWall incidents painfully illustrates this problem. In 2025, configuration files and passwords from thousands of firewalls proved accessible to attackers, not because of a technological weakness, but because passwords had not been changed after a migration. The Akira ransomware group actively took advantage of this.

The solution: secure the management interface by making it accessible only through the internal network or a secure VPN. Use strong, unique passwords and activate multi-factor authentication (MFA) for each administrator. And never share administrator accounts between multiple people: this not only makes your firewall more vulnerable, but also makes forensic investigation after an incident virtually impossible.
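The checks from Mistake 1 (any-to-any and forgotten temporary rules, zombie rules) and Mistake 2 (management interface exposed to the Internet) can be run against a rule export automatically. The script below is an added example, not Cyberplan's tooling; the rule fields, the `fw-mgmt` destination name and the list of admin ports are assumptions for a constructed ruleset.

```python
from datetime import date

# Constructed, vendor-neutral export of a firewall's "allow" rules (field names
# are an assumption, not a real vendor format). Rule 1 is the "allow everything"
# quick fix from a migration, rule 2 has not matched traffic in 90 days, and
# rule 3 exposes the management GUI to the whole Internet.
RULES = [
    {"id": 1, "src": "any", "dst": "any", "port": "any",
     "comment": "temp fix during migration", "created": date(2022, 3, 1), "hits_90d": 120},
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "port": "tcp/1433",
     "comment": "office -> prod DB", "created": date(2021, 6, 1), "hits_90d": 0},
    {"id": 3, "src": "0.0.0.0/0", "dst": "fw-mgmt", "port": "tcp/443",
     "comment": "admin GUI", "created": date(2023, 1, 1), "hits_90d": 14},
    {"id": 4, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "port": "tcp/443",
     "comment": "office -> intranet", "created": date(2024, 9, 1), "hits_90d": 5000},
]

INTERNET_SOURCES = {"any", "0.0.0.0/0", "::/0"}
MGMT_PORTS = {"tcp/22", "tcp/443", "tcp/8443"}  # assumed admin ports of the firewall
AUDIT_DATE = date(2025, 6, 1)  # fixed "today" so the audit is reproducible


def audit_rules(rules, today, max_idle_days=90, max_temp_days=30):
    """Return (rule id, finding) pairs for rules that break default-deny hygiene."""
    findings = []
    for r in rules:
        age_days = (today - r["created"]).days
        # Mistake 1: an any/any/any allow negates default-deny entirely.
        if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
            findings.append((r["id"], "any-to-any allow rule, violates default-deny"))
        # "Temporary" rules that were never cleaned up.
        if "temp" in r["comment"].lower() and age_days > max_temp_days:
            findings.append((r["id"], f"temporary rule still active after {age_days} days"))
        # Zombie rule: old and no traffic matched it in the last 90 days.
        if r["hits_90d"] == 0 and age_days > max_idle_days:
            findings.append((r["id"], "zombie rule: no hits in 90 days"))
        # Mistake 2: management interface reachable from the Internet.
        if r["dst"] == "fw-mgmt" and r["src"] in INTERNET_SOURCES and r["port"] in MGMT_PORTS:
            findings.append((r["id"], "management interface exposed to the Internet"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, AUDIT_DATE):
        print(f"rule {rule_id}: {finding}")
```

Rule 4 (office to intranet, recently created, actively used) produces no finding; the other three each trip at least one check.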

Mistake 3: missing network segmentation

Many companies still work with a so-called “flat” network: once you get past the firewall, everything can communicate with everything. Marketing’s laptop can access the financial database directly, the printer is on the same network as the production line.

In a ransomware attack, this is a disaster. The malware only needs to infect one device and can spread to the rest of the network at lightning speed. The attacks on Duvel Moortgat and TVH demonstrated how quickly a company can completely shut down if segmentation is lacking.

The solution: divide your network into zones using VLANs and internal firewall rules. At a minimum, separate your office environment, production environment, guest network and servers. That way, you limit the damage if an incident does occur. Learn more in our guide on network segmentation in practice.

Mistake 4: outdated firmware and unpatched systems

Firewalls run on software, and that software contains vulnerabilities. Manufacturers regularly release updates to close known vulnerabilities, but in practice many companies delay those updates for months or even years. Attackers do not need to use sophisticated techniques: they simply look for firewalls with known, long-publicized vulnerabilities.

Moreover, outdated protocols such as Telnet and SMBv1 are still regularly allowed on firewalls, even though those protocols do not use encryption. An attacker who has access to the network can then simply watch the traffic.

The solution: schedule firmware updates at least quarterly and subscribe to your firewall manufacturer’s security recommendations. Disable outdated protocols and replace them with modern, encrypted alternatives.

Mistake 5: disabled logging and monitoring

A firewall can only protect what it can report. Yet many companies disable logging to save disk space, or simply never view the logs. That means warning signals, such as repeated login attempts from unknown countries or suspicious port scans, go completely unnoticed.

Without central monitoring via a Security Information and Event Management (SIEM) system, it takes an average of more than 180 days to detect an intrusion via a configuration error. That’s almost half a year during which attackers have undisturbed access to your business environment.

The solution: make sure logging is active on your firewall and that the logs are analyzed regularly. Consider a SIEM solution that centrally collects and correlates logs from your firewall, endpoints and cloud environment. That way you detect attacks early rather than after the fact.
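The two warning signals named above, repeated failed admin logins from one source and a port sweep, are easy to pick out of firewall logs once logging is on. The script below is an added example, not Cyberplan's or any SIEM's code; the key=value log format and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value format (not a real vendor
# format): six failed admin logins from one Internet address within two minutes,
# a single benign failure from an office host, and a sweep of denied connections
# to twelve different ports from another address within twelve seconds.
BASE = datetime(2025, 5, 12, 8, 0, 0)
LOG_LINES = [
    f"{(BASE + timedelta(seconds=20 * i)).isoformat()} event=login user=admin src=203.0.113.7 result=fail"
    for i in range(6)
] + [
    f"{BASE.isoformat()} event=login user=admin src=10.0.0.50 result=fail",
    f"{(BASE + timedelta(minutes=5)).isoformat()} event=login user=admin src=10.0.0.50 result=ok",
] + [
    f"{(BASE + timedelta(seconds=i)).isoformat()} event=conn src=198.51.100.9 dst=10.0.0.5 dport={20 + i} action=deny"
    for i in range(12)
]


def parse(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logins inside one `window`."""
    fails = defaultdict(list)
    for r in map(parse, lines):
        if r.get("event") == "login" and r.get("result") == "fail":
            fails[r["src"]].append(r["ts"])
    hits = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[src] = len(times)  # total failures seen from this source
                break
    return hits


def port_scans(lines, min_ports=10, window=timedelta(minutes=1)):
    """Sources that touched at least `min_ports` distinct destination ports in a `window`."""
    conns = defaultdict(list)
    for r in map(parse, lines):
        if r.get("event") == "conn":
            conns[r["src"]].append((r["ts"], int(r["dport"])))
    hits = {}
    for src, items in conns.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            ports = {p for t, p in items[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits
```

Both functions return a dict keyed by source address so the result can be forwarded to a SIEM as an alert rather than only printed.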

Flemish SMEs face additional risk

The numbers don’t lie: 46% of Flemish companies faced a cyberattack in 2024, and in nearly 1 in 10, that attack was actually successful. Belgian organizations are attacked an average of 1,249 times per week, double the number five years ago. And the average cost of a cyber attack for an SME? According to the Federation of Belgian Enterprises, 1.2 million euros per incident.

Many SMEs rely on an outside IT partner for their network management. This is understandable, but that IT partner often focuses on functionality and uptime, not in-depth security. The result is a trust gap: you think security is taken care of, while the basics are insufficiently checked. An independent audit reveals those blind spots.

Get your firewall configuration checked

The mistakes in this article are all recognizable and solvable. But they do require a trained eye. Our OSCP-certified pen testers work daily with IT teams at Flemish companies to identify and address exactly these types of vulnerabilities, without disrupting daily operations.

Did you know that through the SME Portfolio you can get up to 45% subsidy on a cybersecurity audit? For medium-sized businesses, it’s 35%. A firewall audit is often an excellent starting point to know where you stand.

Wondering how your firewall is really doing? Book a no-obligation consultation with one of our security experts.

Frequently asked questions about firewall configuration errors

How do I know if my firewall is configured correctly?

The only reliable way is an independent audit by a specialized party. Your IT team can do an initial check for default passwords, open ports and outdated firmware, but a professional pen test goes much deeper and simulates a real attack.

How often should I check my firewall rules?

We recommend a review of your firewall rules at least quarterly. In addition, after any major change to your network, such as a cloud migration or merger, it is wise to have the configuration reviewed.

What does a firewall audit cost for an SME?

Costs vary depending on the complexity of your network. Through the VLAIO SME Portfolio, small businesses receive a 45% subsidy and medium-sized businesses 35% on cybersecurity consulting services. Contact us for a customized estimate.

Are cloud-based firewalls more secure than physical firewalls?

Not necessarily. Cloud-based firewalls are subject to the same configuration errors as physical firewalls. In cloud environments, an additional risk is added: responsibility for configuration is shared between you and the cloud provider, which can lead to ambiguity about who is securing what.

Does my business comply with NIS2 if my firewall is properly configured?

A properly configured firewall is a basic requirement, but NIS2 compliance includes much more: risk analysis, incident reporting, supply chain security and demonstrable policies. A firewall audit is often a good first step toward full compliance.