Fast answer
The five most common firewall problems we find on assessments: hardware undersized for full inspection throughput, SSL inspection breaking specific applications, years of accumulated rules nobody dares delete, misconfigured SD-WAN or failover that flaps connections, and firmware so old it misses both security fixes and performance improvements. Every one is diagnosable with data.
1. The throughput number on the datasheet isn\'t real
\nFirewall vendors quote raw throughput, but turn on the features you actually bought it for — intrusion prevention, antivirus, web filtering, SSL inspection — and effective throughput can drop by 80–90%. A firewall sold for a 100 Mbps office connection quietly becomes the bottleneck when the office upgrades to gigabit fibre.
\nThe check: compare your ISP speed with inspection features on versus off. If the gap is dramatic, the box is undersized for the way you use it. Sizing correctly is a core part of our firewall engineering work.
\n\n2. SSL inspection breaking apps in ways nobody connects to the firewall
\nModern traffic is encrypted, so serious inspection means the firewall decrypts and re-encrypts sessions. Done properly, it\'s invisible. Done carelessly, it breaks applications that use certificate pinning — banking tools, some Microsoft 365 features, EMR clients, payment terminals — with error messages that look nothing like a firewall problem.
\nThe fix: a maintained exemption list for pinned applications, a properly deployed inspection certificate on every managed device, and change control so inspection policy updates are tested, not YOLO\'d on a Friday.
\n\n3. Rule sprawl: the config nobody dares touch
\nEvery firewall we inherit tells the same story: temporary rules made permanent, vendor access opened for a project that ended in 2021, an "allow any" placed during an outage and never removed. Sprawl hurts twice — the permissive rules are security holes, and the sheer rule count slows evaluation and makes every change riskier.
\nThe fix: a rule audit with hit counters (rules with zero hits in 90 days are candidates for removal), documentation of what each surviving rule is for, and a naming convention so the next engineer isn\'t archaeology-ing your security policy.
\n\n4. Failover and SD-WAN that make things worse
\nDual internet connections are only as good as the failover logic. Misconfigured link monitors flap between connections on transient blips, dropping every VoIP call and VPN tunnel each time. Some setups fail over correctly but never fail back, leaving the office on the slow backup line for weeks without anyone realizing.
\nThe fix: tuned health checks with realistic thresholds, session-aware failover so calls survive a switch, and monitoring that alerts when you\'re running on backup — because silent degradation is still degradation.
\n\n5. Firmware from two years ago
\nFirewalls are the most attacked device category on the internet — exploitable firewall vulnerabilities are how several of the ransomware incidents in BC we\'ve been called into began. But updates also fix performance and stability bugs, so stale firmware means you\'re slower and exposed.
\nThe fix: a maintenance schedule with tested updates during defined windows, and configuration backups before every change so rollback is minutes, not hours. Our engineers hold Fortinet NSE 7 expert-level certification — this is the discipline that certification actually represents.
\n\n