Capability · Security Operations

Firewall policy automation on Cortex XSOAR.

We automate the full firewall policy lifecycle inside Cortex XSOAR — discovery, multi-hop path analysis, rule suggestion, vendor-native command generation, and validation. Across PAN-OS and FortiGate. In air-gapped estates. Without sending a single live packet.

1,500+
Firewalls analysed
2
Vendors, one pipeline
0
Live probes required
The problem

“Open 10.20.30.9 on 443.” Now find every firewall in the way.

In a small estate that is a five-minute question. In a multi-vendor, multi-VRF MPLS estate of a thousand-plus enforcement points, it is a week of engineering — and the answer is a guess.

The traditional answer is to log into devices and probe. Run a path trace here, read a routing table there, ask the team who built the WAN. It does not scale, it needs credentials on production kit, and in an air-gapped or change-frozen environment it is often simply not allowed.

So rules get written defensively. Engineers open a flow on four firewalls because they are not certain which two it actually crosses. The estate accumulates rules nobody can justify and nobody dares remove.

خوارزم A rule you cannot justify is a rule you cannot remove. Permissiveness is what uncertainty looks like six months later.

The question underneath is a routing question, not a policy question. Which devices does this flow traverse? Which interface does it leave by? Which zone does that put it in? Only then: does policy admit it?

Answer the routing question offline — correctly, including NAT, policy-based forwarding, equal-cost paths, and VRF boundaries — and the policy question answers itself. That is the whole idea.

Which is also why most tooling struggles here. Enterprise topologies are well handled. Carrier-style estates, where the MPLS provider edge decides ingress and the firewall sees seven equal-cost routes of which six do not forward, are not.

What we build

An XSOAR content pack that answers the question end to end.

Six stages, each producing something an engineer can inspect before the next one runs. Integrations and automations, a playbook that orchestrates them, and an approval gate before anything reaches a device.

STAGE 01

Discover

Collectors pull a structured snapshot from Panorama and FortiManager: routing tables, hardware FIB, zones, VRFs, interfaces and link state, NAT and PBF rules, address and service objects.

STAGE 02

Trace

An offline engine replays the vendor forwarding pipeline against that snapshot — destination NAT, policy-based forwarding, FIB-over-RIB longest-prefix match, link state, ECMP resolution, VRF-aware egress, HA-peer collapse — and returns every firewall the flow actually crosses.

STAGE 03

Resolve zones

Each hop yields an ingress and egress interface, and therefore a source and destination zone. Interface-based FortiGate policy is handled: an unzoned interface is its own boundary, exactly as the device treats it.

STAGE 04

Suggest

For each transit firewall, the minimum rule that admits the flow — with the existing rule base checked first, so a request already covered produces no change at all.

STAGE 05

Generate

Vendor-native artefacts: address objects, service objects, security rules, and correct rule placement — Panorama rulebase position, FortiManager policy ordering — ready for review.

STAGE 06

Validate

The trace is re-run against the intended post-change state. If the flow still does not pass, the pack says so before an engineer opens a change window.

Platform
Cortex XSOAR 6.10+ content pack — custom integrations, automations, playbooks, and layouts. Deployable into an air-gapped tenant.
Vendors
Palo Alto Networks PAN-OS & Panorama. Fortinet FortiGate & FortiManager. One analysis engine, two forwarding models.
Analysis mode
Fully offline. Devices are read at discovery time only. The engine itself never logs in, never sends traffic, never needs a window.
The hard parts

Where the difficulty actually lives.

None of this is in a datasheet. Each of these is a bug that produced a confidently wrong answer until it was found, understood, and pinned with a regression test.

ECMP that is not load balancing

A WAN hub firewall in an RT-mesh sees seven equal-cost routes to a prefix. Six of them do not forward — they are a routing artefact of the mesh. We resolve the real egress with a two-pass walk that matches next-hops against the ingress addresses of devices proven to be on the path.

MPLS L3VPNRT-meshTwo-pass resolution

VRF-aware egress

A packet arriving on a VRF-bound interface is routed only within that VRF. Miss this and the trace silently exits through a different customer's VRF and suggests a rule on the wrong firewall. Getting it right means normalising VRF identifiers that arrive as integers on one route and strings on the next.

VRFSame-VRF egressType normalisation

Zones that are not where you look

On SD-WAN-enabled FortiGate, zone membership does not live in the zone table at all — it lives in the SD-WAN member list. Read the obvious place and every zone lookup returns empty, quietly, with no error, on every device.

FortiOSSD-WANZone binding

NAT, before routing

A destination NAT rewrites the address the forwarding table is consulted with. Trace the pre-NAT address and you follow the default route into the internet; trace the post-NAT address and you miss the firewall that performed the translation. Both segments of the path have to be modelled, and joined.

DNATSource NATPBF

HA pairs are one hop

Two firewalls sharing a segment are parallel paths, not sequential ones. For any single flow exactly one is active. Reporting both doubles the rule count and confuses the reviewer. We collapse them into a single logical hop and say which peers were folded.

HAPeer collapseUnion-find

Boundaries only a human knows

Some questions have no answer in the routing table. Whether an undiscovered next-hop is a transit device or the edge of your world is an operator decision. We surface it explicitly as a flag rather than guessing — and the tool tells you when it is guessing.

Edge discoveryExplicit uncertainty
How we know it is right

A firewall rule is a security control. It gets tested like one.

Automation that is confidently wrong is worse than no automation, because a human would have hesitated.

01 / PINNED

Every bug becomes a test

The engine runs outside the platform, against synthetic topologies built to reproduce each failure exactly. A fixture that passes for the wrong reason is treated as a broken fixture.

02 / PORTABLE

Validated on a second estate

Logic tuned to one network is a liability. We run the same engine against a deliberately different topology — other naming, other schema, other VRF conventions — and treat whatever breaks as the backlog.

03 / GATED

Nothing ships un-gated

Byte-level artefact parity, compile and execute checks, and a regression suite run before any change is packaged. Superseded builds are pruned, not archived.

It says when it does not know

Every hop carries a confidence: whether the route to the source or destination is directly connected, a specific prefix, an aggregate, or only the default route. A path that rests on a default route is reported as such, not laundered into a certainty.

It reads, before it writes

Analysis and generation are separate from enforcement. The pack produces reviewed artefacts and an approval gate stands between them and any device. Read-only deployment is a supported end state, not a limitation.

How we engage

Four ways in.

Most clients start with the first and decide about the rest once they have seen a path traced across their own estate.

Path analysis proof of concept

We ingest a topology snapshot from your Panorama and FortiManager and trace a handful of flows your team already knows the answer to. You check our work.

Fixed scopeRead-onlyYour estate

XSOAR content pack delivery

The full lifecycle, built for your topology and your change process, deployed into your tenant — air-gapped if that is where you live.

IntegrationsAutomationsPlaybooks

Policy cleanup & rationalisation

Once you can prove which firewalls a flow crosses, you can prove which rules were never needed. Discovery first, deletion second.

Rule hygieneShadowingJustification

Integration & automation engineering

Bespoke XSOAR integrations, third-party connectors, and the unglamorous plumbing that decides whether a playbook survives production.

XSOARXSIAMCustom connectors

Bring us a flow you cannot explain.

If you have a firewall path your team argues about, that is the conversation we want to have. We will tell you what we can determine offline — and what we cannot.