FIREWALL RULE ANALYSIS
NETWORK SECURITY — POLICY AUDIT LAB
AUDIT · MISCONFIGS · SHADOWED RULES · EGRESS · REMEDIATION

OBJECTIVES

Review the firewall ruleset
Flag the overly permissive DB rule
Identify the shadowed deny rule
Find the insecure protocol rule
Identify missing egress filtering
Find the catch-all allow misconfiguration
Identify a correctly configured rule
Submit the audit report
PHASE 1 — RULESET REVIEW
MISSION BRIEF
NETWORK SECURITY — FIREWALL AUDIT

FIREWALL RULE ANALYSIS

DEVICE: apexlab-fw01 — Palo Alto PA-220

SCENARIO

You are a network security engineer conducting a firewall policy audit on apexlab-fw01. The ruleset has not been reviewed in 18 months. Identify misconfigurations, overly permissive rules, shadowed rules, insecure protocols, and missing controls — then document your findings and recommendations.

NETWORK ZONES

Zone      Subnet          Description
UNTRUST   0.0.0.0/0       Internet / external
DMZ       10.10.15.0/24   Public-facing servers
TRUST     10.10.14.0/24   Internal workstations
SERVERS   10.10.16.0/24   Internal servers
DB        10.10.17.0/24   Database servers (most sensitive)

YOUR TASK

  • Read through the Ruleset Viewer — all 16 rules
  • Click a rule to see its full detail
  • Use Flag Issue or Mark Good to annotate rules
  • Flagged rules populate the Findings panel
  • Complete the Audit Report with your findings
FIREWALL RULESET — apexlab-fw01 (16 rules)

Ruleset Viewer columns: # | Action | Protocol | Src Zone | Src Addr | Dst Addr | Port | State | Description
NETWORK TOPOLOGY — APEXLAB
REFERENCE — FIREWALL AUDITING
COMMON MISCONFIGURATIONS
Overly permissive source — using "any" as source for sensitive destinations (databases, admin interfaces) instead of specific trusted subnets.

Insecure protocols — permitting Telnet (23), FTP (21), or unencrypted HTTP (80) where encrypted alternatives exist.

Shadowed rules — a rule that can never be reached because a more general rule above it matches the same traffic first.

Catch-all allows — a broad ALLOW ANY ANY rule before the implicit deny, negating all deny rules below it.

Missing egress filtering — no rules controlling what internal hosts can connect to externally. Critical for C2 detection.
SHADOWED RULES
Rules are evaluated top-down and the first matching rule wins. If Rule 5 allows TCP any:any -> 10.10.17.0/24:3306, then Rule 7 denying TCP 0.0.0.0/0 -> 10.10.17.0/24:3306 is shadowed — the deny never fires because the allow above already matches every packet it was meant to block.
LEAST PRIVILEGE PRINCIPLE
Every rule should grant the minimum access needed. Source should be specific IPs or subnets, not "any". Destination port should be exact rather than a port range wherever possible.
EGRESS FILTERING
Outbound rules are just as important as inbound. Without egress filtering, malware can establish C2 on any port, data exfiltration goes unblocked, and DNS tunneling and beacon traffic are unrestricted.
RULE ORDER BEST PRACTICE
1. Deny known bad (threat intel blocks)
2. Allow specific required traffic
3. Deny everything else (explicit deny)
# Never: broad ALLOW before specific DENY
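The checks described in this reference section (shadowed rules under top-down first-match evaluation, "any" sources into the DB zone, insecure protocol ports, a catch-all allow, and missing egress filtering) can be automated against a ruleset export. The script below is an added example written for this page; it is not the lab's own code and not a Palo Alto tool. It uses the zone table from the mission brief, and its sample ruleset is constructed: Rules 5 and 7 reproduce the allow/deny pair from the SHADOWED RULES text, while the other rule numbers and descriptions are invented for illustration and do not correspond to the lab's actual 16 rules.

```python
"""First-match firewall policy auditor (added example; not the lab's code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

# Zones from the lab's NETWORK ZONES table; anything outside them is UNTRUST.
ZONES = {
    "DMZ": ip_network("10.10.15.0/24"),
    "TRUST": ip_network("10.10.14.0/24"),
    "SERVERS": ip_network("10.10.16.0/24"),
    "DB": ip_network("10.10.17.0/24"),
}
INTERNAL_ZONES = {"TRUST", "SERVERS", "DB"}
SENSITIVE_ZONES = {"DB"}                       # "any" source here is CRITICAL
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    num: int
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR; "0.0.0.0/0" means any
    dst: str             # CIDR
    port: int | None     # None means any port
    desc: str = ""


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone whose subnet contains it (UNTRUST if none)."""
    net = ip_network(cidr)
    for name, subnet in ZONES.items():
        if net.subnet_of(subnet):
            return name
    return "UNTRUST"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.port is None or outer.port == inner.port
    return (proto_ok and port_ok
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def is_catch_all(r: Rule) -> bool:
    return (r.action == "allow" and r.proto == "any" and r.port is None
            and ip_network(r.src) == ANY and ip_network(r.dst) == ANY)


def audit(rules: list[Rule]) -> list[tuple[str, int, str]]:
    """Return (severity, rule number, message) findings in rule order."""
    findings: list[tuple[str, int, str]] = []
    shadowed: set[int] = set()
    for i, r in enumerate(rules):
        # Top-down evaluation: an earlier rule that fully covers this one
        # consumes every packet before this rule is ever reached. Only
        # single-rule coverage is checked (the case in the reference text);
        # shadowing by the union of several earlier rules is not detected.
        for earlier in rules[:i]:
            if covers(earlier, r):
                shadowed.add(r.num)
                findings.append(("CRITICAL", r.num,
                                 f"shadowed by rule {earlier.num} "
                                 f"({earlier.action} above {r.action})"))
                break
        if r.action != "allow":
            continue
        if is_catch_all(r):
            findings.append(("CRITICAL", r.num,
                             "catch-all allow any/any negates every rule below it"))
        elif ip_network(r.src) == ANY and zone_of(r.dst) in SENSITIVE_ZONES:
            findings.append(("CRITICAL", r.num,
                             f"source 'any' permitted into {zone_of(r.dst)} zone"))
        if r.port in INSECURE_PORTS:
            findings.append(("WARNING", r.num,
                             f"insecure protocol {INSECURE_PORTS[r.port]} ({r.port}) allowed"))
    # Egress: at least one reachable (non-shadowed) rule must govern
    # internal -> external traffic, otherwise outbound C2 is unconstrained.
    egress = [r for r in rules if r.num not in shadowed
              and zone_of(r.src) in INTERNAL_ZONES and zone_of(r.dst) == "UNTRUST"]
    if not egress:
        findings.append(("CRITICAL", 0,
                         "no effective egress rules: internal hosts may connect anywhere"))
    return findings


# Constructed sample ruleset. Rules 5 and 7 mirror the SHADOWED RULES example
# above; the remaining rules and all descriptions are invented for this demo.
SAMPLE_RULES = [
    Rule(1, "allow", "tcp", "10.10.14.0/24", "10.10.16.0/24", 443, "workstations to intranet web"),
    Rule(2, "allow", "tcp", "0.0.0.0/0", "10.10.15.0/24", 23, "telnet to DMZ mgmt"),
    Rule(5, "allow", "tcp", "0.0.0.0/0", "10.10.17.0/24", 3306, "MySQL from anywhere"),
    Rule(7, "deny", "tcp", "0.0.0.0/0", "10.10.17.0/24", 3306, "block external MySQL"),
    Rule(9, "allow", "any", "0.0.0.0/0", "0.0.0.0/0", None, "temporary - remove later"),
    Rule(10, "deny", "any", "10.10.14.0/24", "0.0.0.0/0", None, "block workstation egress"),
]

if __name__ == "__main__":
    for sev, num, msg in audit(SAMPLE_RULES):
        print(f"[{sev}] rule {num}: {msg}")
```

Rule 1 produces no finding (the "correctly configured" case); Rule 10 is reported twice over, once as shadowed by the catch-all Rule 9 and once indirectly through the egress check, which illustrates the reference's point that a broad ALLOW above a specific DENY cancels the deny.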