Firewall management at most SMBs follows a pattern that can be summarized as "configure it once and pray." The firewall gets installed during a project, the initial rules get configured, and then nothing actively manages it for years. Then a security incident happens, an audit fails, or the device just gives up — and everyone wonders why "set and forget" didn't work. Here's what active firewall management actually requires and why it's worth the operational investment.

What "Set and Forget" Actually Costs

The slow accumulation of problems on an unmanaged firewall:

  • Rule sprawl — over years, rules accumulate. New rules added for specific needs, old rules never cleaned up when needs change. Eventually the rule set is too long for anyone to confidently understand
  • Outdated firmware — security vulnerabilities in firewall firmware accumulate; without active patching, the firewall itself becomes a target
  • Stale threat signatures — features that depend on regular signature updates (IPS, antivirus, content filtering) become ineffective when updates stop
  • Misaligned rules — business changes (new applications, departed employees, retired services) leave rules pointing at things that no longer exist
  • Inadequate logging — when an incident happens, the firewall logs aren't useful because logging wasn't configured to capture the right events
  • Default configurations — features that would improve security weren't enabled because nobody reviewed the configuration after initial deployment

The Active Management Cadence

A reasonable firewall management cadence for SMB and mid-market deployments:

  • Daily — automated monitoring confirms the firewall is up, healthy, and processing traffic. Alert response if anomalies are detected.
  • Weekly — review of any blocked traffic anomalies, unusual access attempts, or rule hit-rate changes
  • Monthly — firmware patch review and application; threat signature update verification; rule changes from the previous month documented
  • Quarterly — rule audit pass: identify unused rules, redundant rules, rules with broader scope than current needs; identify changes since last audit
  • Semi-annually — full configuration backup and disaster recovery validation; review of logging configuration against current incident response needs
  • Annually — full security configuration review against current threat landscape and best practices; benchmark against compliance frameworks (NIST, CIS, etc.)

The Rule Cleanup Process

The single highest-value firewall management activity is rule cleanup. The process that works:

  • Enable rule hit counters so you can see which rules are actually being used
  • Let counters run for at least 90 days to capture infrequent but legitimate traffic patterns
  • Identify rules with zero hits — candidates for removal
  • For zero-hit rules, document what they were intended to allow; if no one can explain or the original need has passed, remove
  • Identify overlapping or redundant rules; consolidate
  • Identify rules with broader scope than needed (any-any rules, broad source/destination ranges); tighten
  • After cleanup, document the rule set so the next admin understands the intent of each rule

A first-time cleanup pass on an unmanaged firewall typically removes 30-50% of the rule count without affecting any legitimate traffic. The simpler rule set is easier to manage, less prone to mistakes, and easier to audit.
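The checks above (zero-hit candidates only after a 90-day counter window, shadowed or redundant rules, any-any rules to tighten) and the monthly "document rule changes" step from the cadence section can be automated over a rule export. The script below is an added example, not code from this article or from any firewall vendor: the CSV column layout, the first-match evaluation order, and the sample rule set are constructed assumptions, and you would replace `SAMPLE_EXPORT` with your own device's hit-counter export.

```python
"""Rule-set hygiene checks over a firewall hit-counter export (added example)."""
import csv
import io
import ipaddress

# Constructed sample export. The column layout is an assumption, not any vendor's
# format; rows are in evaluation order and `hits` is the per-rule hit counter.
SAMPLE_EXPORT = """\
name,src,dst,service,action,hits
allow-web-out,10.0.0.0/8,any,tcp/443,allow,48213
allow-web-out-sales,10.20.0.0/16,any,tcp/443,allow,0
allow-vendor-vpn,203.0.113.10/32,10.0.5.20/32,tcp/22,allow,0
allow-ad-dns,10.0.0.0/8,10.0.1.10/32,udp/53,allow,77012
allow-legacy-erp,any,any,any,allow,912
deny-all,any,any,any,deny,0
"""

COUNTER_WINDOW_DAYS = 90  # minimum counter run time before a zero counter means anything


def parse_rules(text):
    """Parse the CSV export into rule dicts, preserving evaluation order."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        row["hits"] = int(row["hits"])
        rules.append(row)
    return rules


def _addr_covers(outer, inner):
    """True if address token `outer` matches every address `inner` matches."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def _svc_covers(outer, inner):
    """Service tokens are compared exactly; 'any' covers every service."""
    return outer == "any" or outer == inner


def rule_covers(outer, inner):
    """True if `outer` would match all traffic that `inner` would match."""
    return (_addr_covers(outer["src"], inner["src"])
            and _addr_covers(outer["dst"], inner["dst"])
            and _svc_covers(outer["service"], inner["service"]))


def shadowed_rules(rules):
    """(rule, earlier_rule) pairs where an earlier rule already matches everything the
    later rule would; under first-match evaluation the later rule can never fire."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                shadowed.append((rule["name"], earlier["name"]))
                break
    return shadowed


def overly_broad_rules(rules):
    """Allow rules with 'any' in every match field: the any-any permits to tighten."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and r["src"] == r["dst"] == r["service"] == "any"]


def cleanup_report(rules, counter_age_days):
    """Quarterly audit output. A zero-hit rule that is shadowed is not a removal
    candidate: its zero counter is explained by the earlier rule, which is what needs
    fixing. Zero counters younger than the 90-day window are not trusted at all."""
    shadowed = shadowed_rules(rules)
    shadowed_names = {name for name, _ in shadowed}
    too_early = counter_age_days < COUNTER_WINDOW_DAYS
    zero_hit = [] if too_early else [r["name"] for r in rules if r["hits"] == 0]
    return {
        "too_early": too_early,
        "remove_candidates": [n for n in zero_hit if n not in shadowed_names],
        "shadowed": shadowed,
        "tighten": overly_broad_rules(rules),
    }


def _match_fields(rules):
    return {r["name"]: (r["src"], r["dst"], r["service"], r["action"]) for r in rules}


def diff_rulesets(old, new):
    """Monthly change documentation: rules added, removed or changed between two
    exports. Hit counters are ignored so that only policy changes show up."""
    o, n = _match_fields(old), _match_fields(new)
    return {
        "added": sorted(set(n) - set(o)),
        "removed": sorted(set(o) - set(n)),
        "changed": sorted(name for name in set(o) & set(n) if o[name] != n[name]),
    }


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_EXPORT)
    for key, value in cleanup_report(rules, counter_age_days=120).items():
        print(f"{key}: {value}")
```

On the constructed sample, `allow-vendor-vpn` is the only genuine removal candidate; `allow-web-out-sales` and `deny-all` also show zero hits, but they are shadowed by `allow-web-out` and by the any-any `allow-legacy-erp`, so the report points at the shadowing rules instead. Running the same report with `counter_age_days=30` returns no candidates, which is the 90-day rule enforced in code.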

The Modern Features That Need Enabling

Modern business firewalls include capabilities that often go unused on poorly-managed deployments. Worth verifying that the following are enabled and properly configured:

  • IPS (Intrusion Prevention) — signature-based detection of attack patterns
  • Application identification — knowing what applications are actually running across the network
  • SSL/TLS inspection — visibility into encrypted traffic where compliance and policy allow
  • Botnet and threat intelligence feeds — automatic blocking of known-bad IPs and domains
  • Geo-blocking — for businesses without international operations, blocking countries where they have no legitimate need
  • DNS security — DNS-layer filtering of malicious domains
  • Logging and SIEM integration — events forwarded to log aggregation for retention and correlation

Why It's Usually Outsourced

Active firewall management at the cadence described above is more work than most SMBs can justify hiring for, and the work does not scale down to a single environment: one engineer can manage 30-50 customer firewalls effectively, but a single internal hire responsible for one environment would be substantially underutilized. That's why firewall management is typically delivered as a managed service, included in MSP relationships. At Leonidas, firewall management is part of our managed services practice. If you're scoping firewall management for your environment, a conversation with our team can identify the highest-leverage improvements.

About Leonidas

Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments. Contact us or call 850-614-9343.