Plaidnox InfoSec
PLX-2025-024 . Confidential
Firewall Enablement . Palo Alto NGFW . 22 Policy Issues

Firewall Policy Review
[REDACTED]

Next-generation firewall policy review for [REDACTED] covering 4 Palo Alto PA-5220 firewalls protecting the core banking DMZ, internet edge, and inter-datacenter segments. Engagement ref. ENG-2025-0571.

Report ID: PLX-2025-024
Client: [REDACTED]
Rules Reviewed: 1,847 rules
Assessed: Mar 2025
01 . Overview

Firewall Policy Review

Plaidnox reviewed 1,847 firewall rules across four Palo Alto PA-5220 firewalls for [REDACTED]. The review assessed rule quality, shadowed and unused rules, overly permissive policies, and zone-to-zone segmentation effectiveness.

The review identified 22 high-priority policy issues including 8 any-any permit rules on the internet edge, 312 unused rules (not matched in 180 days), 47 rules permitting clear-text protocols (HTTP, Telnet, FTP) into financial system zones, and inadequate micro-segmentation between the card processing and general banking segments.


02 . Rule Inventory

Policy analysis

Total Rules: 1,847
Any-Any Permits: 8
Unused Rules: 312
Clear-Text Protocol Rules: 47

Firewall | Rules | Unused | Any-Any | Risk
FW-EDGE-01 (Internet) | 412 | 84 | 3 | Critical
FW-DMZ-01 (DMZ) | 568 | 102 | 2 | High
FW-DC-01 (DC East) | 441 | 74 | 2 | Medium
FW-DC-02 (DC West) | 426 | 52 | 1 | Medium
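The three rule categories counted above (any-any permits, rules unmatched in 180 days, clear-text protocols into financial zones) can be checked mechanically against a policy export. The script below is an added example, not Plaidnox tooling or client data: it runs over a constructed, simplified rule set, and the zone names (fin-core, card-proc), field names and review date are assumptions.

```python
from datetime import date
# Constructed sample rules (not client data) using a simplified subset of the
# fields in a Palo Alto security-policy export; last_hit is None if never matched.
RULES = [
    {"name": "edge-any-any", "to": ["any"], "src": ["any"], "dst": ["any"],
     "app": ["any"], "service": ["any"], "action": "allow", "last_hit": date(2025, 3, 10)},
    {"name": "dmz-http-to-fin", "to": ["fin-core"], "src": ["dmz-web"], "dst": ["fin-app"],
     "app": ["web-browsing"], "service": ["service-http"], "action": "allow",
     "last_hit": date(2025, 3, 2)},
    {"name": "mgmt-telnet", "to": ["card-proc"], "src": ["mgmt-net"], "dst": ["switches"],
     "app": ["telnet"], "service": ["application-default"], "action": "allow",
     "last_hit": date(2024, 6, 1)},
    {"name": "legacy-ftp-deny", "to": ["fin-core"], "src": ["any"], "dst": ["any"],
     "app": ["ftp"], "service": ["application-default"], "action": "deny", "last_hit": None},
    {"name": "mgmt-ssh", "to": ["card-proc"], "src": ["mgmt-net"], "dst": ["switches"],
     "app": ["ssh"], "service": ["application-default"], "action": "allow",
     "last_hit": date(2025, 3, 12)},
]
FINANCIAL_ZONES = {"fin-core", "card-proc"}          # assumed zone names
CLEARTEXT_APPS = {"web-browsing", "telnet", "ftp"}    # App-IDs for HTTP, Telnet, FTP
CLEARTEXT_SERVICES = {"service-http", "tcp/80", "tcp/23", "tcp/21"}
AS_OF = date(2025, 3, 15)                             # assumed review date for the hit check

def is_any_any(rule):
    """Allow rule with no constraint on source, destination, application or service."""
    return rule["action"] == "allow" and all(
        rule[f] == ["any"] for f in ("src", "dst", "app", "service"))

def is_unused(rule, today, days=180):
    """True when the rule has not matched traffic within the last `days` days."""
    return rule["last_hit"] is None or (today - rule["last_hit"]).days > days

def allows_cleartext_into_financial(rule):
    """Allow rule that carries HTTP, Telnet or FTP into a financial system zone."""
    if rule["action"] != "allow":
        return False
    targets_fin = any(z in FINANCIAL_ZONES or z == "any" for z in rule["to"])
    cleartext = set(rule["app"]) & CLEARTEXT_APPS or set(rule["service"]) & CLEARTEXT_SERVICES
    return targets_fin and bool(cleartext)

def audit(rules, today):
    """Group rule names by finding category; one rule may appear in several lists."""
    return {
        "any_any": [r["name"] for r in rules if is_any_any(r)],
        "unused_180d": [r["name"] for r in rules if is_unused(r, today)],
        "cleartext_financial": [r["name"] for r in rules if allows_cleartext_into_financial(r)],
    }

if __name__ == "__main__":
    for category, names in audit(RULES, AS_OF).items():
        print(f"{category}: {names}")
```

An any-any rule is reported only under any_any even though it also carries clear-text traffic, so the category lists are not mutually exclusive totals.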

03 . Key Findings

Priority issues

ID | Finding | Priority
FW-001 | 3 any-any permit rules on FW-EDGE-01 allow all inbound and outbound traffic without inspection | Critical
FW-002 | Card processing zone reachable from general banking zone without application-level controls | Critical
FW-003 | 47 rules allow HTTP (port 80) into financial system zones; should require HTTPS minimum | High
FW-004 | Telnet permitted from network management zone to 28 network devices; should be SSH only | High
FW-005 | 312 unused rules create management overhead and ambiguity; should be decommissioned | Medium

04 . Remediation Plan

Policy cleanup roadmap

Action | Timeline | Owner
Remove and replace all 8 any-any permit rules with explicit application-aware policies | Wk 1-2 | Network Ops
Implement micro-segmentation between card processing and banking zones (PCI DSS Req 1.3) | Wk 2-6 | Plaidnox / Network
Block HTTP, Telnet, FTP on all rules targeting financial system zones | Wk 1-3 | Network Ops
Decommission 312 unused rules following change control process | Wk 3-8 | Network Ops
Enable URL filtering and App-ID inspection on internet edge | Wk 4-6 | Plaidnox / Network

Conclusion
Any-any rules and card segment exposure require immediate remediation for PCI DSS compliance
The presence of any-any permit rules on the internet edge firewall and inadequate micro-segmentation between PCI-in-scope zones are direct violations of PCI DSS Requirements 1.2 and 1.3. These must be remediated before the QSA assessment scheduled for Q3 2025. The 312 unused rules represent a management risk that should be cleared in the same change window to simplify the policy baseline.
Plaidnox InfoSec . firewall
Confidential . Authorised Distribution Only