Network Segmentation Audit: How to Review Firewall Rules and VLAN Configurations to Find the Paths That Defeat Your Segmentation Design

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Network segmentation provides meaningful security only if the firewall rules enforcing it match the intended design. In practice, firewall rule sets grow over years of operational changes: emergency exceptions that were never removed, overly broad rules added to fix an application issue, and legacy rules from decommissioned systems that remain active. The audit process reviews the actual rule set against the segmentation design documentation, then validates with connectivity testing.
Building the Segmentation Inventory Before Auditing Rules
Before reviewing individual rules, document what the segmentation design intends:
-
Zone map: List every network zone (DMZ, production servers, workstations, management, OT/ICS, guest WiFi, PCI scope). For each zone, document the VLAN IDs, IP ranges, and the trust level.
-
Permitted flow matrix: For each zone pair, document what traffic should be permitted and what must be blocked. Example:
| Source Zone | Destination Zone | Permitted Ports | Direction |
|-----------------|-------------------|--------------------------|----------|
| Workstations | Production Servers| 443, 8443 (HTTPS) | Outbound |
| Workstations | Production Servers| 445, 3389, 22 | BLOCKED |
| Production Srv | Database | 1433 (SQL), 5432 (Postgres) | Outbound |
| Database | Internet | ALL | BLOCKED |
| Management | All zones | 22, 3389, 443, 161 | Both |
- Enforcement points: Identify every device enforcing segmentation -- perimeter firewalls, internal firewalls between zones, host-based firewalls (Windows Firewall, iptables), cloud security groups, and network ACLs on switches.
The audit cross-references the actual rule set at each enforcement point against the permitted flow matrix.
Firewall Rule Analysis: Finding Overpermissive Rules
Export the rule set from your firewall platform and analyze for high-risk patterns:
Finding any-any rules (Palo Alto example):
# Palo Alto Panorama/NGFW -- show rules matching any-any
show running security-policy | match "any"
# Or via API:
curl -k -G "https://firewall/api/" \
--data-urlencode "type=op" \
--data-urlencode "cmd=<show><running><security-policy></security-policy></running></show>" \
--data-urlencode "key=$API_KEY"
For Cisco ASA, export the running config and parse:
# Extract all permit-any rules from ASA config
grep -n "permit any any" running-config.txt
grep -n "access-list.*permit ip any any" running-config.txt
For iptables (Linux host-based):
# Find any ACCEPT rules with broad scope
iptables -L -n -v | grep -v ESTABLISHED | grep ACCEPT
# Look for rules with 0.0.0.0/0 source or destination in ACCEPT chains
For each overpermissive rule found, determine:
- When it was added (check firewall change logs or git history if rules are in version control)
- What application or operational need it was created for
- Whether a narrower rule can replace it
- Whether the original need still exists
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Rule Hit Counter Analysis: Finding Dead and Unused Rules
Rules with zero hits in 90+ days are candidates for removal (after verification they are not needed for rare traffic patterns):
Palo Alto (PAN-OS):
# Show hit counts for all security policies
show rule-hit-count vsys vsys1 security pre-rulebase security rules all
# Rules with zero hits
show rule-hit-count vsys vsys1 security pre-rulebase security rules all | match " 0 "
Fortinet FortiGate:
# Show policy hit counts
get firewall policy | grep -A5 "policyid"
diagnose firewall iprope show 100004 # Shows hit counts per policy
Cisco ASA:
show access-list | include access-list.*[0-9] hitcnt=0
# Rules with hitcnt=0 have never matched traffic since last counter reset
For each zero-hit rule:
- Check whether traffic that the rule was designed to permit is actually flowing through the firewall via a different path (the rule may be shadowed by a broader rule above it)
- Check with application owners whether the use case the rule was created for is still operational
- Create a cleanup ticket with a 30-day hold period -- disable the rule first, monitor for any application breaks, then remove
Document every rule removed with the original ticket that created it (if known), the removal date, and the approver.
Testing Segmentation Effectiveness with Connectivity Tests
Documentation review is insufficient -- validate actual network connectivity matches the intended design:
From a workstation in the workstation VLAN, test that these connections are blocked:
# Test-NetConnection verifies TCP connectivity
Test-NetConnection -ComputerName 10.10.20.5 -Port 445 # SMB to server -- should FAIL
Test-NetConnection -ComputerName 10.10.20.5 -Port 3389 # RDP to server -- should FAIL
Test-NetConnection -ComputerName 10.10.30.5 -Port 1433 # SQL to DB -- should FAIL
# Test that permitted connections work
Test-NetConnection -ComputerName 10.10.20.5 -Port 443 # HTTPS to server -- should SUCCEED
From a production server, test that internet access is blocked if intended:
# On Linux server
curl -m 5 https://api.ipify.org # Should fail if internet access is blocked
nc -zv 8.8.8.8 53 2>&1 # DNS to Google -- should fail if external DNS is blocked
Testing east-west controls between servers in the same subnet: East-west traffic within the same VLAN typically does not traverse the firewall at all. If host-based firewall or micro-segmentation (NSX-T, Calico, Azure NSG) is the east-west control, test directly between two servers:
nmap -sS -p 445,3389,22,5985 10.10.20.0/24 # Scan the server subnet from another server
# Any open port that is not in the permitted flow matrix is a finding
Document the test date, the testing account, and the results in a test matrix table. Run the same tests after each major firewall change.
Segmentation Controls for Ransomware Containment
Ransomware lateral movement uses SMB (port 445) and WMI/RPC to spread from an initial foothold. Effective ransomware containment through segmentation requires:
1. Block workstation-to-workstation SMB (east-west) Most environments allow workstations to communicate freely within the workstation VLAN. This enables ransomware to spread from one infected workstation to every other workstation on the segment.
Fix: Deploy Windows Defender Firewall via GPO to block inbound SMB on all workstations except from the IT management subnet:
GPO: Computer Configuration > Windows Settings > Security Settings > Windows Firewall
Inbound rule: Block TCP 445 from source = Any, except management VLAN IP range
2. Block workstations from reaching backup storage directly Ransomware encrypts backup shares if the workstation tier can reach the backup VLAN. Ensure:
- Backup storage VLAN has a perimeter firewall rule blocking all access from the workstation VLAN
- Backup agent pull model (backup server pulls from workstation) rather than push model (workstation pushes to backup server) eliminates the need for inbound connectivity to backup storage
3. Segment OT/ICS from IT If IT and OT networks share a firewall, verify that the OT network cannot be reached from the workstation VLAN at all. OT network compromises via lateral movement from IT have caused multiple critical infrastructure incidents.
The bottom line
Network segmentation audits reveal the gap between the architecture diagram and the operational reality. Start with the permitted flow matrix, then compare it against the actual firewall rule set looking for any-any rules, overly broad source or destination ranges, and zero-hit legacy rules. Validate with actual connectivity tests from representative hosts in each zone. For ransomware containment specifically, east-west SMB controls between workstations and blocking workstation-to-backup-storage connectivity are the highest-priority items that most segmentation designs leave unaddressed.
Frequently asked questions
How often should firewall rules be audited?
For perimeter firewalls protecting high-value zones (PCI scope, production databases, OT), audit annually as a minimum with a quarterly review of any rules added in the previous quarter. For internal segmentation firewalls, annual audits are typically sufficient, combined with a change management process that requires security review for any new rule that crosses a zone boundary. Organizations subject to PCI DSS are required to review firewall rules at least every six months (Requirement 1.3.2).
What is the difference between network segmentation and micro-segmentation?
Network segmentation divides a network into zones separated by firewall devices or VLANs, controlling traffic at the zone boundary. Micro-segmentation applies policy at the individual workload level -- each VM, container, or server has its own set of allowed ingress and egress connections enforced by a software-defined policy (VMware NSX, AWS security groups, Azure NSGs). Micro-segmentation controls east-west traffic between workloads in the same zone without requiring them to traverse a physical firewall, which makes it effective for ransomware containment within a tier that traditional network segmentation does not address.
How do I handle legacy applications that require broad firewall rules to function?
Legacy applications that require any-any or very broad firewall rules should be isolated in a dedicated network zone that limits their blast radius. If the application must talk to 'any destination' due to poorly documented dependencies, deploy it in an isolated VLAN, permit its outbound traffic to the application tier only (not to workstations, backup, OT, or management), and monitor its network activity closely with flow logs or packet capture. Use this as the business case for application modernization that removes the dependency on broad network access.
Does VLAN separation provide real security isolation or just logical separation?
VLANs provide logical isolation enforced by switch software. They are not equivalent to physical network separation. VLAN hopping attacks (double tagging, switch spoofing) can bypass VLAN isolation under certain misconfigured conditions. For high-assurance security boundaries (separating compliance scope from non-scope, IT from OT, Internet DMZ from internal), physical separation or firewall enforcement between VLANs is required. VLANs alone are appropriate for organizational separation, not for security-critical isolation.
What is the most efficient way to audit firewall rules across a large enterprise with hundreds of policies?
Use network security policy management (NSPM) tools such as Tufin, AlgoSec, or FireMon rather than manual review. These tools parse firewall configurations from multiple vendors, identify shadowed rules (rules that are never matched because a prior rule already covers the traffic), find overly permissive rules that cover excessive IP ranges or port ranges, and flag rules with no usage traffic for a defined period. For organizations without NSPM tooling, prioritize the audit by impact: review rules with 'any' source or destination first, then review rules for highest-risk zones (Internet DMZ to internal, OT network access). Document and remediate the highest-risk findings before reviewing lower-risk configurations.
How do I validate that network segmentation is actually working and not just documented?
Documentation of firewall rules does not guarantee enforcement. Validate segmentation with active testing: use a scanning tool (Nmap, Nessus, Masscan) from within each network zone to probe what services are reachable from that zone. Compare the observed connectivity to the documented design -- any service reachable that is not in the design is a segmentation gap. For East-West traffic between internal segments, test from compromised-host simulation scenarios: can a workstation in the user VLAN reach the server VLAN on management ports (SSH, RDP, WMI)? Can a server in the application tier reach the database tier directly, or only through the API layer? Schedule segmentation validation tests quarterly, document the results against the expected baseline, and track deviations. A single host with an incorrect VLAN assignment or a firewall rule created for a temporary project that was never removed is enough to break segmentation.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
