Quick Summary
Most Dubai businesses running FortiGate, Sophos, or Cisco ASA firewalls have never had a formal rule audit. Years of IT staff changes, software deployments, and temporary access grants leave behind rule sets that no longer reflect the intended security posture. This checklist covers the eight areas that a competent firewall review must address — from rule base hygiene and VPN configuration to logging, firmware, and the documentation gaps that leave organisations unable to respond effectively during an incident.
1. Firewall Rule Base Audit
The rule base is the core of what a firewall does, and it degrades silently over time. Rules are added for specific purposes — a temporary vendor access window, a software deployment, a quick fix during an emergency — and rarely removed when they are no longer needed. After a few years, rule bases in Dubai SME environments commonly contain 30–50% of rules that serve no current operational purpose.
The audit objective is to reach a state where every rule can be justified with a current business reason, an owner, and a review date. Work through the rule base methodically:
Rule Naming and Organisation
Unnamed or poorly named rules are an audit problem and an incident response problem. During a security incident, an engineer working under pressure needs to understand what each rule does immediately. Rules should follow a consistent naming convention — for example: [Purpose]-[Source Zone]-[Destination Zone]-[Date Created]. FortiGate allows rule descriptions; use them.
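As an added example that is not part of the original checklist, the Python script below parses a FortiGate `config firewall policy` export and flags rules that fail the justification test above: unnamed rules, names that break the [Purpose]-[Source Zone]-[Destination Zone]-[Date Created] convention, any/any/ALL accept rules, and rules whose description lacks an owner and review date or whose review date has passed. The sample config, the `owner=... review=...` comment convention and the reference date are constructed assumptions.

```python
import re
from datetime import date
# Constructed FortiOS "config firewall policy" export used as sample input (not from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "WebAccess-LAN-WAN-20230115"
        set comments "owner=netops review=2024-01-15"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
end
"""
NAME_RE = re.compile(r"^\w+-\w+-\w+-\d{8}$")  # [Purpose]-[Source Zone]-[Destination Zone]-[YYYYMMDD]

def parse_policies(text):
    """Map policy id -> {setting: [values]} from a 'config firewall policy' block."""
    policies, pid = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            pid = int(line.split()[1])
            policies[pid] = {}
        elif line.startswith("set ") and pid is not None:
            key, _, rest = line[4:].partition(" ")
            policies[pid][key] = re.findall(r'"([^"]*)"', rest) or [rest]
    return policies

def audit_policies(text, today=date(2024, 6, 1)):
    """Return (policy id, finding) pairs for rules that cannot be justified as they stand."""
    findings = []
    for pid, p in parse_policies(text).items():
        name = p.get("name", [""])[0]
        if not name:
            findings.append((pid, "unnamed rule"))
        elif not NAME_RE.match(name):
            findings.append((pid, "name violates naming convention"))
        if p.get("action") == ["accept"] and [p.get(k) for k in ("srcaddr", "dstaddr", "service")] == [["all"], ["all"], ["ALL"]]:
            findings.append((pid, "any/any/ALL accept"))
        # Assumed convention: the rule description carries "owner=<team> review=<YYYY-MM-DD>".
        m = re.search(r"owner=\S+ review=(\d{4}-\d{2}-\d{2})", " ".join(p.get("comments", [])))
        if not m:
            findings.append((pid, "no owner/review date in comments"))
        elif date.fromisoformat(m.group(1)) < today:
            findings.append((pid, "review date overdue"))
    return findings
```

Run it against a real export (`show firewall policy` output saved to a file) by passing the file contents to `audit_policies`; the findings list is the starting point for the owner-by-owner justification exercise.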
2. VPN Configuration Review
VPN is one of the highest-risk attack surfaces in any organisation. It is internet-facing by definition, often targeted in credential-stuffing attacks, and in many Dubai offices it was expanded rapidly during the remote work period without a corresponding security review. VPN misconfigurations are consistently listed among the top initial access vectors in published incident reports — and the UAE is not exempt from this pattern.
IKEv2 vs SSL-VPN Protocol Selection
Most FortiGate and Sophos deployments in the UAE run IPsec IKEv2 for corporate device VPN and SSL-VPN as a browser-accessible fallback. IKEv2 is preferable for managed corporate devices — it is faster, more stable across network changes, and supported natively by Windows, macOS, and iOS without additional client software. SSL-VPN is appropriate for BYOD users or access from environments that block UDP 500.
Check whether both VPN types are active on your firewall and whether the SSL-VPN portal is accessible from the public internet. If you have moved all corporate device users to IKEv2 and SSL-VPN exists only as a legacy fallback, evaluate whether it needs to remain public-facing at all.
Departed Staff VPN Accounts
This is a consistent finding in UAE firewall audits. Staff leave, IT receives a deactivation request for their Active Directory account, but the local VPN user database on the firewall — which may not be integrated with AD — is not updated. Export the full VPN user list and cross-reference it against your HR system. Any user not in current employment should be removed immediately.
If your FortiGate uses LDAP or RADIUS authentication for VPN (pulling users from Active Directory), this risk is mitigated because deactivating the AD account disables VPN access simultaneously. If you are using a local user database, that cross-reference must be done manually on a quarterly schedule at minimum.
Split Tunnelling Policy
Split tunnelling routes corporate-destined traffic through the VPN tunnel while internet browsing goes directly from the user's local network. This improves performance but means that a device with malware can communicate with external command-and-control infrastructure without any of that traffic passing through your firewall. For finance, HR, executive, and other high-risk roles, disable split tunnelling. For general staff on managed devices with endpoint protection, it is an acceptable trade-off if documented and reviewed.
3. Firmware and Patch Currency
Firewall firmware vulnerabilities are some of the most aggressively exploited in the threat landscape. The Fortinet SSL-VPN vulnerabilities published in 2022–2024 were exploited within days of disclosure — in some cases before many UAE organisations had even read the advisory. Keeping firmware current is not optional maintenance; it is the baseline cost of running an internet-facing device.
For the three firewall platforms most common in UAE offices:
- Fortinet FortiGate: Fortinet recommends staying within the current major release branch (e.g., FortiOS 7.4.x) and applying patch releases within 30 days of publication. Major version upgrades (6.x to 7.x) require testing in a lab environment or during a planned maintenance window with rollback ready.
- Sophos XGS / XG: Sophos Firewall OS updates are staged — early access, then general availability. Subscribe to the Sophos Community firmware RSS feed. Critical hotfixes are pushed automatically if your device has the automatic hotfix option enabled; verify this is on.
- Cisco ASA / FTD: Cisco publishes PSIRT advisories weekly. ASA running older code branches (9.8.x and below) should be considered end-of-life and migrated to current code. FTD managed by FMC has a centralised upgrade path that is significantly easier to manage across multiple devices.
Firmware Audit Checklist Items
- Current firmware version vs latest stable release — document the gap
- Date of last firmware update — if over 6 months, escalate to P2
- IPS signature currency — separate from firmware; signatures should update automatically daily
- Antivirus and application control signature subscription active and current
- Management interface accessible from internet? — should be restricted to specific admin IP addresses only
4. Logging Configuration and Retention
A firewall that is not logging is a security device that cannot support investigation. Logging configuration is the most commonly neglected area in Dubai SME firewall setups — either because storage is constrained, or because the default configuration was never reviewed after initial deployment.
What to Log
At minimum, every firewall should log:
- All denied traffic (this is where intrusion attempts appear)
- All allowed traffic to and from critical servers (file servers, accounting systems, ERP)
- All authentication events — VPN logins, admin logins, failed authentication
- All policy changes — who changed what rule, and when
- IPS and application control events
Logging all traffic on a busy network can be impractical — the volume overwhelms local storage and creates noise. A pragmatic approach is to log denied traffic comprehensively, log allowed traffic selectively for high-value segments, and ensure all authentication and admin events are captured without exception.
Log Retention and Storage
Local firewall storage (the FortiGate's internal disk or an attached FortiAnalyzer) is not a backup — it is a hot-access store for active investigations. Logs should be forwarded to a SIEM or centralised log management platform for retention. For UAE businesses without a dedicated SIEM, FortiCloud or a cloud syslog destination (Azure Sentinel, for example) provides offsite log retention without significant infrastructure investment.
Retain security logs for a minimum of 12 months. The UAE Cybercrime Law and NESA guidelines both point to this timeframe for security-relevant events. DIFC-regulated businesses should review the DIFC Data Protection Law for additional requirements. Confirming log retention policy is part of any complete cybersecurity review for Dubai organisations.
5. Remote Access Hardening
Remote access — whether via VPN, remote desktop services, or management interfaces — is the most targeted attack surface for UAE businesses. The volume of credential-stuffing and brute-force attacks against VPN endpoints visible in FortiGate logs is significant; even small Dubai offices see thousands of failed authentication attempts per week from automated scanners.
MFA for VPN Access
MFA for VPN authentication is no longer optional. FortiGate supports FortiToken, RADIUS-based TOTP, and SAML-based MFA through Azure AD. If your VPN users are authenticating with username and password only, that should be classified as a critical finding and remediated within 30 days. A single compromised set of credentials can give an attacker an inside-network foothold that bypasses every perimeter defence you have.
Geo-Blocking
Restricting VPN and management interface access to countries where your staff actually work is one of the highest-value, lowest-effort security controls available on a FortiGate. For a typical Dubai company with staff in the UAE, India, Philippines, UK, and Pakistan — a geo-block allowing only those countries at the VPN level eliminates the vast majority of automated scanning from irrelevant regions.
Implement geo-blocking carefully. A staff member travelling to a country not on the allow list will be unable to connect — plan a process for temporary allow-list additions during business travel. The network infrastructure management we provide includes maintaining and updating geo-blocking policies as staff travel patterns change.
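As an added example that is not from the original article, this Python snippet shows why the authentication events called for in section 4 must be logged: over constructed FortiGate-style SSL-VPN event log lines it flags a source address trying many different usernames (credential stuffing), a single account receiving many failures (brute force), and failures arriving from countries outside the allow list quoted above. The log lines, thresholds, country spellings and allow list are assumptions.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style event log lines (sample input, not real device logs).
SAMPLE_LOGS = """\
date=2024-06-03 time=02:10:01 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.7 srccountry="Netherlands"
date=2024-06-03 time=02:10:04 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7 srccountry="Netherlands"
date=2024-06-03 time=02:10:09 type="event" subtype="vpn" action="ssl-login-fail" user="finance" remip=198.51.100.7 srccountry="Netherlands"
date=2024-06-03 time=08:15:30 type="event" subtype="vpn" action="ssl-login-fail" user="amir" remip=203.0.113.20 srccountry="United Arab Emirates"
date=2024-06-03 time=08:16:02 type="event" subtype="vpn" action="ssl-login-fail" user="amir" remip=203.0.113.20 srccountry="United Arab Emirates"
date=2024-06-03 time=08:16:40 type="event" subtype="vpn" action="ssl-login-fail" user="amir" remip=203.0.113.20 srccountry="United Arab Emirates"
date=2024-06-03 time=08:17:11 type="event" subtype="vpn" action="ssl-login-fail" user="amir" remip=203.0.113.20 srccountry="United Arab Emirates"
date=2024-06-03 time=09:00:00 type="event" subtype="system" action="login" user="admin" ui="https(10.0.0.5)"
"""
# Allow list taken from the article's example company (UAE, India, Philippines, UK, Pakistan); an assumption here.
ALLOWED_COUNTRIES = {"United Arab Emirates", "India", "Philippines", "United Kingdom", "Pakistan"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value FortiGate log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in KV_RE.finditer(line)}

def find_vpn_abuse(text, spray_users=3, brute_attempts=4):
    """Flag spraying sources, brute-forced users, and failed logins from outside the allow list."""
    users_by_ip = defaultdict(set)
    attempts_by_user = defaultdict(int)
    outside = set()
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn" or ev.get("action") != "ssl-login-fail":
            continue  # only SSL-VPN authentication failures are counted here
        users_by_ip[ev["remip"]].add(ev["user"])
        attempts_by_user[ev["user"]] += 1
        if ev.get("srccountry") not in ALLOWED_COUNTRIES:
            outside.add(ev["remip"])
    return {
        "spraying_sources": sorted(ip for ip, u in users_by_ip.items() if len(u) >= spray_users),
        "brute_forced_users": sorted(u for u, n in attempts_by_user.items() if n >= brute_attempts),
        "outside_allow_list": sorted(outside),
    }
```

The same logic runs unchanged over a syslog export from the firewall or a SIEM search result, provided authentication events were logged in the first place.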
Management Interface Exposure
The FortiGate management GUI (port 443 or 8443 by default), SSH access, and SNMP should never be accessible from the public internet. Restrict management access to specific internal IP addresses or, if remote management is required, access via the VPN itself — not directly from the internet. Check this in the FortiGate's trusted hosts configuration under your admin accounts.
6. Documentation Requirements
Firewall documentation is not bureaucracy — it is what allows an incident to be managed effectively at 2am when the engineer who built the original configuration is no longer with the company. Minimum documentation standards for any UAE business running a corporate firewall:
- Network diagram: Current, showing all VLANs, physical segments, DMZ, WAN connections, and the firewall's position in the topology. Updated whenever the network changes, not yearly.
- Rule change log: A record of every policy change — date, engineer, reason for the change, and approval (for organisations with change management processes). FortiGate's Admin Activity Log captures this if logging is configured correctly.
- VPN user register: All active VPN accounts, date created, purpose, and the name of the staff member responsible for each account. For third-party vendor accounts, include the access scope and scheduled review date.
- Firmware history: A log of firmware versions applied, dates, and who performed the upgrade. This is useful both for troubleshooting regressions and for demonstrating due diligence during any security review.
- Emergency access procedure: What happens if the firewall admin account credentials are lost, or the firewall fails and needs factory reset? This procedure should be documented and stored offline (not on the firewall itself).
FortiGate-Specific Checks for Dubai Offices
FortiGate is by far the most common firewall platform in Dubai's SME and mid-market segment. Several checks are specific to FortiOS that are worth calling out separately:
- Check FortiGuard subscription status. IPS, antivirus, application control, and web filtering all depend on active FortiGuard subscriptions. Navigate to System > FortiGuard in the GUI and verify all required licences are active and not within 60 days of expiry. Lapsed subscriptions silently degrade protection without obvious error messages in normal operation.
- Review SSL Inspection profiles. If SSL inspection is enabled, verify the certificate used for inspection is deployed to all endpoint devices. Uninspected HTTPS traffic is a common blind spot — attackers use HTTPS for C2 communication precisely because many firewalls do not inspect it.
- Check HA (High Availability) sync status if running an HA pair. Log into both units and verify synchronisation is current. An out-of-sync HA pair will fail to fail-over correctly, turning your redundant configuration into a single point of failure.
- Review VDOM configuration if VDOMs are in use. Each VDOM is functionally a separate firewall instance — the audit process must cover each VDOM individually, not just the root VDOM.
- Verify NTP sync. Log correlation during incident response depends on accurate timestamps. Check that all FortiGate units are syncing to a reliable NTP source and that the timezone is set correctly — UAE is UTC+4.
How Often to Run This Audit
A full rule base and configuration audit should happen twice per year at minimum. Firmware reviews should happen quarterly, aligned with vendor security advisory schedules. VPN user account reviews should happen monthly or be automated through Active Directory integration. Any major infrastructure change — new office, new server segment, new application requiring external access — should trigger a targeted review of the affected rules before the change goes live.
For businesses that do not have internal staff capable of conducting this audit objectively, engaging an external reviewer annually is good practice. An engineer who built the original configuration is not well-positioned to critically evaluate their own work — the same cognitive biases that created the problem will tend to rationalise it during self-review. The firewall audit and managed security services we provide in Dubai include a formal written finding report with prioritised remediation steps, not just a verbal walk-through.
A well-managed firewall is one part of a broader security posture. Without complementary controls — endpoint protection, email security, user awareness training, and incident response planning — even a perfectly configured firewall cannot protect a business from all threat vectors. If you are running a formal audit, use it as an opportunity to assess the full security stack, not just the perimeter device.