FARR

Firewall Access Rules Reviewer

Know exactly what your firewalls allow — and prove every rule is justified.
FARR ingests the running configuration from every firewall in the estate — twelve vendors, auto-detected on upload or pulled live over SSH — and turns thousands of rules into an operating picture a security team can govern. It flags risky access, grades each device against a hardening baseline, maps how segments actually reach one another, re-reviews the moment a firewall changes, and proves every rule is still justified — every finding evidenced and exportable.

What you get

The outcomes that matter

Twelve vendors, one model

Upload any supported config and get the same rule findings, hardening checks and segment map.

Risky rules, flagged

Any-to-any, overly permissive, stale, expired, ownerless and unjustified rules — surfaced and ranked.

Critical paths, mapped

See how segments truly reach one another and which paths bypass a security control.

Inside FARR

Every module, end to end

FARR is organised into the work your team actually does — build the picture, govern it, and prove it. Each module below is part of one integrated platform.

Capture every configuration

Multi-Vendor Review
Auto-detects the vendor from any configuration and reviews it against a built-in criteria engine — twelve firewall families, one normalised model.
Offline Upload or Live Retrieval
Review an exported config file, or have FARR fetch the live config directly over SSH — host keys are pinned on first contact so that a man-in-the-middle attempt aborts the connection.
Change-Triggered Reviews
FARR watches each connected firewall and re-runs a full review the moment an administrator changes it — flagging drift from the last approved state.

Find the risk

Access-Rule Risk Findings
Flags overly-permissive any/any rules, insecure services and ports, and shadowed or redundant rules — each tied to the exact rule by name and number.
Device Hardening Review
Grades every device pass / warn / fail across its management plane, SNMP, NTP, banners and password policy.
Administrator & Access-Role Register
Extracts the administrative accounts and roles from each config and marks which are privileged — least-privilege evidenced, not assumed.

Map the network

Network-Segment Classification
Auto-detects address objects, subnets, VLANs and interface IPs, then classifies each as PCI, SWIFT, Servers, End-users, DMZ and more.
User-Terminal Mapping
Register the PAM, DAM, proxy, ZTNA, VPN and jump hosts that should front access into each segment, and map what each covers.
Critical Access Findings
Surfaces any rule that lets an end-user segment reach a sensitive zone directly — bypassing the terminal that should front it.

Govern & prove

Recertification Campaigns
Scheduled campaigns over the rule base that record a certify, modify or revoke decision per rule — a defensible recertification trail.
Live Dashboard
A clickable KPI for every register — firewalls, rules, reviews, critical and high findings, hardening fails, admins, segments and terminals.
Enterprise Access Control
Five role profiles with database-enforced row-level security, plus directory sign-on with an encrypted bind credential.
Branded CSV & PDF Reporting
Export any register or review to CSV or a print-ready PDF carrying your organization’s name, logo and export date.
Immutable Activity Log
Every change, sign-in, authorization failure and retrieval event recorded with who, what, when, from where and the outcome.

How it works

From raw estate to evidence

  1. Onboard

    Register each firewall with its owner, criticality and optional SSH access.
  2. Review

    Upload or retrieve the config; the engine flags risky rules, hardening gaps and admin accounts.
  3. Map

    Classify segments by business scope and the terminals that should front them.
  4. Certify

    Surface critical access paths and run recertification campaigns — all on an immutable log.

Coverage

Reads the running configuration from every major firewall vendor — auto-detected on upload

Enterprise
Palo Alto PAN-OS, Fortinet FortiGate, Cisco ASA, Check Point, Juniper SRX, Sophos XGS
Network & SMB
SonicWall, WatchGuard, MikroTik RouterOS
Open-source & software
VyOS, pfSense, OPNsense
Palo Alto in both XML and set-command form — twelve vendors in all, each yielding the same findings.

Deployment & security

Yours to run, built to defend

Every Televestigo platform deploys inside your environment and stays under your control — hardened, directory-integrated, and audit-ready from day one.

On-premise or sovereign cloud

Runs inside your own estate and is owned by you — firewall configs never leave your control, and raw configs are never stored alongside findings.

Five roles, row-level scoped

Administrator, Compliance Officer, Firewall Owner, Reviewer and Auditor — owners scoped to only their own firewalls, enforced in the database.

Hardened by default

Directory bind secrets encrypted at rest, SSH host-key pinning on first contact, and CA-signed TLS through an in-platform CSR.

Evidenced & exportable

An immutable activity log over every action, with CSV and print-ready PDF evidence carrying your organization branding.

See FARR in your environment

Tell us about your systems and obligations. We'll come back with a clear, practical view of where you stand — and what we'd do next.