175 checks · 5 vendors · no install

Automated Firewall
Configuration Audit

Posture score + CLI fixes in 60 seconds.

Upload your FortiGate, Palo Alto, Sophos, Check Point, or Cisco ASA config and get prioritized attack paths and ready-to-paste CLI fixes. No agent. No install.

2 free scans · no credit card · results in ~60s · see pricing

No agent. No install.Config never stored.No credit card.
crwlr.io — FortiGate_HQ.conf · scan complete175 checks
Posture Score
43 / 100 · 7 critical · 12 high
Critical
7
High
12
Medium
19
Low
8
CRITICALFW-C-001

WAN → LAN policy allows any/any without IPS

HIGHFW-H-017

SSL/TLS inspection disabled on internet-facing policies

HIGHFW-H-031

Management interface reachable from WAN

Scan completed in 4.2s · Run the live demo — no login →

What every firewall configuration review checks

175

Security Checks

Policy hygiene, zone segmentation, management exposure, crypto audit, firmware CVEs.

CVE

Real Threat Intel

Cross-references your exact firmware against CISA KEV, NVD, and vendor PSIRT feeds.

0

Configs Stored

Raw configs parsed in memory, never stored. Architecture-level guarantee, not a policy.

CLI

Ready-to-Paste Fixes

Every finding includes vendor-specific commands you can paste into your firewall.

What you get

Every scan produces a full posture score, prioritized findings with paste-ready CLI fixes, an attack-path chain map, and compliance coverage. Here is what that looks like.

43/ 100AT RISK
Posture Score — FortiGate HQ
7 Critical12 High19 Medium8 Low
175 checks · 46 findings · scan completed in 4.2s
CRITICALFW-C-001CIS FortiGate 2.2 · PCI 1.3

WAN → LAN any/any policy without security profile

Policy ID 42 permits all traffic from the WAN interface to internal LAN with no Intrusion Prevention, Application Control, or Antivirus profile attached. This is a direct path for exploitation.

Paste-ready fix
# FortiGate CLI — paste into your terminal
config firewall policy
    edit 42
        set ips-sensor "default"
        set av-profile "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
Attack Path Analysis

How misconfigurations chain into an exploitable route

WANInternet
any/any rulePolicy #42
Mgmt port openCVE-2024-21762
Pivot to LANNo segmentation
Data exfiltrationUnchecked egress
Chain risk score: 91/100. 3 misconfigurations create a direct WAN-to-exfiltration path. Fixing policy #42 breaks the chain.
Compliance Mapping

Every finding maps to the frameworks that matter to your auditors

CIS77%
FortiGate Benchmark v2
61 pass18 fail
PCI DSS67%
Requirement 1 — Firewall
8 pass4 fail
NIST 800-4181%
Firewall policy
22 pass5 fail

Clean config? You still get a verified pass — with the evidence to prove it to your auditors.

Compliance

Mapped to CIS Benchmarks, PCI DSS, and NIST 800-41

Every finding cites the controls your auditors check. CRWLR maps results to the CIS Benchmarks for your vendor, PCI DSS Requirement 1 (network security controls), and NIST 800-41 firewall policy guidelines — so a scan doubles as audit-ready evidence for your next firewall rule review.

CIS BenchmarksPCI DSS Requirement 1NIST 800-41

Architecture

Your config never touches our storage

This is not a policy — it is a structural constraint. There is no storage path for raw configuration data, only for the normalized findings your scan produces.

Config uploaded
Your .conf or .xml file
Parsed in memory
Never written to disk
175 checks run
In-process analysis engine
Raw config DISCARDED
Architecture-level guarantee
Findings stored
Score · remediations · CVEs
Config parsed in-process, never serialized to disk
Worker thread discards the parsed tree after analysis
Only normalized findings + scores reach the database
Verified: grep the codebase — no config write path exists

Multi-tenant firewall audit for MSPs & security teams

Audit every client. Prove every fix.

Built for teams that manage multiple firewalls across multiple clients. Fleet visibility, recurring scans, and auditor-grade evidence exports — all in one place.

Fleet dashboard

All your client firewalls in one view. Composite risk score, firmware alerts, and configuration drift across your entire managed estate.

Scheduled rescans

Set monthly or quarterly automated rescans. Catch configuration drift before it becomes a compliance gap or a breach path.

Audit evidence packages

Export a client's full scan history, findings, and remediation status as a structured evidence package — ready for compliance reviews and audits.

Per-client posture scoring

Each client gets their own posture score, severity breakdown, and findings list. Demonstrate measurable security improvement over time.

Team access with RBAC

Add team members with role-based access control. Keep client data siloed by tenant — engineers see only what they should.

Bulk import

Upload a ZIP of multiple client configs in one pass. All parsed in memory simultaneously — no one's config ever reaches another tenant.

Unlimited
Firewalls per tenant
No seat or device cap
Full
Finding history
Ack, status & drift tracked
3
Compliance frameworks
CIS · PCI DSS · NIST
JSON / PDF
Export formats
Evidence packages

PCI DSS v4.0 Req 1.2.7 requires firewall rule reviews every 6 months. Many frameworks and cyber-insurers expect more frequent reviews.

CRWLR's scheduled rescans run automatically and flag drift — so your next audit isn't a scramble.

See plans

Firewall audit by vendor

Frequently Asked Questions

What is a firewall configuration audit?

A firewall configuration audit is a systematic review of your firewall rules, policies, and system settings to find security gaps, misconfigurations, and compliance violations. CRWLR automates this process — upload your config file and get a security posture score with prioritized findings in under 60 seconds.

Which firewall vendors does CRWLR support?

CRWLR supports Fortinet FortiGate (.conf), Palo Alto Networks (XML), Sophos XG/XGS (XML or PostgreSQL dump), Check Point R80+ (JSON from mgmt_cli), and Cisco ASA (show running-config). Each vendor gets tailored remediation commands you can paste directly into your firewall CLI.

How does attack path analysis work?

Attack path analysis maps how multiple individual misconfigurations can chain together into an exploitable route through your network. For example, an overly permissive WAN rule combined with missing SSL inspection and no IPS profile creates a path for data exfiltration that no single finding would reveal on its own.

Is my firewall configuration stored?

No. Your raw config file is parsed entirely in memory and never written to disk or database. This is an architecture-level guarantee, not just a policy. Only the normalized analysis results (findings, scores, remediation) are stored — never the original configuration.

How often should firewall rules be reviewed?

PCI DSS v4.0 Req 1.2.7 requires firewall rule reviews every 6 months. Many frameworks and cyber-insurers also expect more frequent reviews. For organizations with frequent changes, monthly automated scans catch configuration drift before it becomes a compliance gap or security risk.

What compliance frameworks does CRWLR map to?

CRWLR maps findings to CIS Benchmarks (FortiGate, Palo Alto, Sophos), PCI DSS Requirement 1 (network security controls), and NIST 800-41 (firewall policy guidelines). Each finding shows which compliance controls it affects.

Can MSPs use CRWLR for multiple clients?

Yes. CRWLR supports multi-tenant fleet management — manage all your client firewalls from one dashboard with per-client scoring, bulk import via ZIP, and exportable audit evidence packages for compliance reporting.

How does CVE cross-referencing work?

CRWLR detects your exact firmware version and cross-references it against CISA Known Exploited Vulnerabilities (KEV), NVD, and vendor-specific PSIRT feeds. It only alerts on CVEs for features actually enabled on your firewall — no noise from vulnerabilities in disabled modules.

How do you audit a firewall configuration?

Export your firewall configuration (FortiGate .conf, Palo Alto or Sophos XML, Check Point JSON or Gaia clish, or Cisco ASA show running-config) and analyze it for overly permissive rules, missing security profiles, exposed management interfaces, weak VPN crypto, zone-segmentation gaps, and firmware CVE exposure. CRWLR automates the entire firewall configuration audit — upload the file and get a prioritized findings list with vendor-specific CLI remediation in under 60 seconds.

What is a firewall security assessment?

A firewall security assessment evaluates how well your firewall enforces your intended security policy — rule hygiene, segmentation, inspection coverage, administrative hardening, and known-vulnerability exposure — then scores the overall posture. CRWLR produces a 0-100 posture score with severity-ranked findings and an attack-path map, so you see not just individual issues but how they chain into real exposure.

What is the best firewall audit tool for MSPs?

MSPs need multi-tenant firewall audit: per-client scoring, bulk import, scheduled rescans, and exportable audit evidence — without deploying an agent on each client device. CRWLR is agentless (upload a config, nothing to install), supports unlimited firewalls per client tenant with role-based team access, and exports auditor-ready evidence packages. Contact us for per-tenant pricing and white-label reports.

See what your firewall is actually allowing

Upload a config and get a posture score, prioritized attack paths, and paste-ready CLI fixes in 60 seconds. No agent, no install, config never stored.

Start Free Scan

2 free scans · no credit card · results in ~60s