Automated Firewall
Configuration Audit
Posture score + CLI fixes in 60 seconds.
Upload your FortiGate, Palo Alto, Sophos, Check Point, or Cisco ASA config and get prioritized attack paths and ready-to-paste CLI fixes. No agent. No install.
2 free scans · no credit card · results in ~60s · see pricing
WAN → LAN policy allows any/any without IPS
SSL/TLS inspection disabled on internet-facing policies
Management interface reachable from WAN
What every firewall configuration review checks
Security Checks
Policy hygiene, zone segmentation, management exposure, crypto audit, firmware CVEs.
Real Threat Intel
Cross-references your exact firmware against CISA KEV, NVD, and vendor PSIRT feeds.
Configs Stored
Raw configs parsed in memory, never stored. Architecture-level guarantee, not a policy.
Ready-to-Paste Fixes
Every finding includes vendor-specific commands you can paste into your firewall.
What you get
Your firewall security assessment report — not promises
Every scan produces a full posture score, prioritized findings with paste-ready CLI fixes, an attack-path chain map, and compliance coverage. Here is what that looks like.
WAN → LAN any/any policy without security profile
Policy ID 42 permits all traffic from the WAN interface to internal LAN with no Intrusion Prevention, Application Control, or Antivirus profile attached. This is a direct path for exploitation.
# FortiGate CLI — paste into your terminal
config firewall policy
edit 42
set ips-sensor "default"
set av-profile "default"
set application-list "default"
set ssl-ssh-profile "certificate-inspection"
next
endHow misconfigurations chain into an exploitable route
Every finding maps to the frameworks that matter to your auditors
Clean config? You still get a verified pass — with the evidence to prove it to your auditors.
Compliance
Mapped to CIS Benchmarks, PCI DSS, and NIST 800-41
Every finding cites the controls your auditors check. CRWLR maps results to the CIS Benchmarks for your vendor, PCI DSS Requirement 1 (network security controls), and NIST 800-41 firewall policy guidelines — so a scan doubles as audit-ready evidence for your next firewall rule review.
Architecture
Your config never touches our storage
This is not a policy — it is a structural constraint. There is no storage path for raw configuration data, only for the normalized findings your scan produces.
Free one-file script strips every password, PSK, and private key locally — before anything leaves your machine. Audit results stay identical.
Full transparency on sub-processors, data flows, and retention policy at /security. SOC 2 Type II certification is on our roadmap.
Data processed in the EU. Sub-processor table published. Right to erasure supported.
It's not policy, it's structure. There is no write path for raw configs in the codebase.
Multi-tenant firewall audit for MSPs & security teams
Audit every client. Prove every fix.
Built for teams that manage multiple firewalls across multiple clients. Fleet visibility, recurring scans, and auditor-grade evidence exports — all in one place.
Fleet dashboard
All your client firewalls in one view. Composite risk score, firmware alerts, and configuration drift across your entire managed estate.
Scheduled rescans
Set monthly or quarterly automated rescans. Catch configuration drift before it becomes a compliance gap or a breach path.
Audit evidence packages
Export a client's full scan history, findings, and remediation status as a structured evidence package — ready for compliance reviews and audits.
Per-client posture scoring
Each client gets their own posture score, severity breakdown, and findings list. Demonstrate measurable security improvement over time.
Team access with RBAC
Add team members with role-based access control. Keep client data siloed by tenant — engineers see only what they should.
Bulk import
Upload a ZIP of multiple client configs in one pass. All parsed in memory simultaneously — no one's config ever reaches another tenant.
PCI DSS v4.0 Req 1.2.7 requires firewall rule reviews every 6 months. Many frameworks and cyber-insurers expect more frequent reviews.
CRWLR's scheduled rescans run automatically and flag drift — so your next audit isn't a scramble.
Firewall audit by vendor
Frequently Asked Questions
What is a firewall configuration audit?
A firewall configuration audit is a systematic review of your firewall rules, policies, and system settings to find security gaps, misconfigurations, and compliance violations. CRWLR automates this process — upload your config file and get a security posture score with prioritized findings in under 60 seconds.
Which firewall vendors does CRWLR support?
CRWLR supports Fortinet FortiGate (.conf), Palo Alto Networks (XML), Sophos XG/XGS (XML or PostgreSQL dump), Check Point R80+ (JSON from mgmt_cli), and Cisco ASA (show running-config). Each vendor gets tailored remediation commands you can paste directly into your firewall CLI.
How does attack path analysis work?
Attack path analysis maps how multiple individual misconfigurations can chain together into an exploitable route through your network. For example, an overly permissive WAN rule combined with missing SSL inspection and no IPS profile creates a path for data exfiltration that no single finding would reveal on its own.
Is my firewall configuration stored?
No. Your raw config file is parsed entirely in memory and never written to disk or database. This is an architecture-level guarantee, not just a policy. Only the normalized analysis results (findings, scores, remediation) are stored — never the original configuration.
How often should firewall rules be reviewed?
PCI DSS v4.0 Req 1.2.7 requires firewall rule reviews every 6 months. Many frameworks and cyber-insurers also expect more frequent reviews. For organizations with frequent changes, monthly automated scans catch configuration drift before it becomes a compliance gap or security risk.
What compliance frameworks does CRWLR map to?
CRWLR maps findings to CIS Benchmarks (FortiGate, Palo Alto, Sophos), PCI DSS Requirement 1 (network security controls), and NIST 800-41 (firewall policy guidelines). Each finding shows which compliance controls it affects.
Can MSPs use CRWLR for multiple clients?
Yes. CRWLR supports multi-tenant fleet management — manage all your client firewalls from one dashboard with per-client scoring, bulk import via ZIP, and exportable audit evidence packages for compliance reporting.
How does CVE cross-referencing work?
CRWLR detects your exact firmware version and cross-references it against CISA Known Exploited Vulnerabilities (KEV), NVD, and vendor-specific PSIRT feeds. It only alerts on CVEs for features actually enabled on your firewall — no noise from vulnerabilities in disabled modules.
How do you audit a firewall configuration?
Export your firewall configuration (FortiGate .conf, Palo Alto or Sophos XML, Check Point JSON or Gaia clish, or Cisco ASA show running-config) and analyze it for overly permissive rules, missing security profiles, exposed management interfaces, weak VPN crypto, zone-segmentation gaps, and firmware CVE exposure. CRWLR automates the entire firewall configuration audit — upload the file and get a prioritized findings list with vendor-specific CLI remediation in under 60 seconds.
What is a firewall security assessment?
A firewall security assessment evaluates how well your firewall enforces your intended security policy — rule hygiene, segmentation, inspection coverage, administrative hardening, and known-vulnerability exposure — then scores the overall posture. CRWLR produces a 0-100 posture score with severity-ranked findings and an attack-path map, so you see not just individual issues but how they chain into real exposure.
What is the best firewall audit tool for MSPs?
MSPs need multi-tenant firewall audit: per-client scoring, bulk import, scheduled rescans, and exportable audit evidence — without deploying an agent on each client device. CRWLR is agentless (upload a config, nothing to install), supports unlimited firewalls per client tenant with role-based team access, and exports auditor-ready evidence packages. Contact us for per-tenant pricing and white-label reports.
See what your firewall is actually allowing
Upload a config and get a posture score, prioritized attack paths, and paste-ready CLI fixes in 60 seconds. No agent, no install, config never stored.
Start Free Scan2 free scans · no credit card · results in ~60s