Network Security7 min read

The firewall mistakes that quietly leave Israeli SMBs exposed

A capable firewall does nothing on its own. These are the configuration and maintenance gaps we see most often on small-business FortiGate and Check Point boxes, and simple ways to tell whether yours has them.

#Firewalls#FortiGate#Check Point#SMB

A firewall is the one piece of security kit almost every business has, and also the one most likely to be quietly misconfigured. The box gets installed on the day the office opens, it works, the internet flows, and then nobody touches it again for years. The problem is that a firewall is not a set-and-forget appliance. A FortiGate or a Check Point that is well specified but badly configured, or configured once and never maintained, can give a false sense of safety while leaving gaps wide open. These are the mistakes we run into most often when we review small-business firewalls, and simple ways to tell whether yours has them. None of them are exotic. They are the ordinary oversights that add up.

The Management Interface Reachable From the Internet

The single most dangerous mistake is leaving the firewall's own admin interface open to the whole internet. It is convenient, because an engineer can log in from anywhere to make a change. It is also an open invitation. Attackers continuously scan the internet for exposed firewall login pages, and when a vulnerability in a vendor's management interface is discovered, those exposed devices are the first to be attacked, often within days. Fortinet's own hardening guidance is blunt about this: administrative access should not be reachable from the WAN. The right setup restricts management to the internal network or to an authenticated VPN, and never over plain HTTP or Telnet, only encrypted HTTPS and SSH. If you can reach your firewall's login screen from a coffee shop, so can everyone else.

Firmware That Never Gets Updated

Firewall firmware is software, and like all software it has vulnerabilities that are found and patched over time. Both Fortinet and Check Point release updates regularly, many of them fixing security flaws that are already being exploited. A firewall running firmware from three years ago is carrying every known vulnerability discovered since. This is one of the most common ways small businesses get breached through a device they thought was protecting them: the firewall itself becomes the way in. Updating firmware needs a little care, because you want to be on a stable release and you want a way to roll back, but skipping it entirely is far more dangerous than doing it. If you cannot remember the last time your firewall's firmware was updated, that is the answer.

Default or Weak Admin Credentials

Default login credentials for firewalls are publicly documented, and a device still using them is trivially accessible to anyone who finds it. It sounds obvious, yet weak or unchanged admin passwords remain common, especially on devices that were set up quickly. Every firewall should have its default password changed immediately to something strong, admin access should be limited to named accounts rather than one shared login, and multi-factor authentication should protect administrative access wherever the platform supports it. The admin account on your firewall controls your entire network boundary. It deserves at least the same protection as your email.

The Permissive Rule Nobody Cleaned Up

Firewall rules accumulate. Someone opens a port to get a new application working, a temporary rule is added to troubleshoot a problem, an allow-everything rule is put in place to prove something is not the firewall's fault, and then it is never removed. Over a few years the rule set becomes a layered mess where nobody is quite sure what each line does or whether it is still needed, and overly broad rules leave openings no one intended. A firewall should follow the principle of least privilege: allow exactly what the business needs and deny the rest by default. Rules should be reviewed periodically and the ones that no longer serve a purpose removed. A tidy, understood rule set is a security control in itself.

Paying for Protection and Leaving It Switched Off

A modern firewall is only a next-generation firewall when its security subscriptions are active and configured. Threat prevention, intrusion prevention, web filtering, and sandboxing are what separate a real security device from an expensive router, and on both FortiGate and Check Point many of these features ship in a permissive or disabled default state. We regularly find businesses paying every year for subscriptions that were never actually turned on, or left in a monitor-only mode that logs threats without blocking them. It is worth confirming, in plain terms, that the protection you are paying for is switched on and set to actually stop things, not just watch them go past.

Logging Turned Off, or Logs Nobody Reads

A firewall generates a record of what it sees: connection attempts, blocked traffic, configuration changes, and administrator logins. Two failures are common. The first is that logging is never properly enabled, so when something goes wrong there is no trail to follow and no way to understand what happened. The second, more subtle, is that logs are collected but nobody ever looks at them, which means an attack in progress produces alerts that sit unread. Logging should be switched on for system changes, login attempts, and denied traffic, and, crucially, someone should be responsible for reviewing it or feeding it into a monitoring service. A log nobody reads is just disk usage.

A Flat Network Behind the Firewall

Many small offices run a flat network, where the guest Wi-Fi, the security cameras, the staff laptops, and the server holding client files all sit on the same segment and can all talk to each other. The firewall guards the boundary with the internet but does nothing inside. The weakness shows the moment one device is compromised: an infected laptop, or a cheap smart device with a known flaw, can reach straight to the server. Segmentation uses the firewall to divide the internal network so that, for instance, guest and camera traffic cannot touch the systems that hold sensitive data. It is one of the highest-value things a firewall can do beyond its basic job, and it is one of the most commonly skipped.

Remote Access Bolted On in a Hurry

Remote access is where a lot of firewall risk now lives. When staff suddenly needed to work from home, plenty of businesses opened access in whatever way was fastest, sometimes exposing internal systems or remote desktop directly to the internet, which is one of the most reliably exploited mistakes there is. A firewall can do this properly: a VPN with multi-factor authentication, or a Zero Trust approach that grants access to specific applications rather than the whole network. Both FortiGate and Check Point support these models well. The mistake is not enabling remote access, it is enabling it carelessly and never revisiting the shortcut that was meant to be temporary.

Nobody Actually Owns the Device

Underneath all of these is a single root cause: no one is responsible for the firewall. It was installed by whoever set up the office, or by an engineer who has since moved on, and now it belongs to nobody. Firmware goes stale, rules pile up, subscriptions lapse, logs go unread, and the device slowly drifts from an asset into a liability, all without anyone deciding that should happen. The brand on the front makes very little difference to this. A well-maintained FortiGate and a well-maintained Check Point both protect a small office well; a neglected example of either is a risk dressed up as a defence. The question worth asking is not which firewall you have, but who is looking after it.

Finding out where your firewall really stands

Most of these mistakes are invisible from the outside. The internet still works, the firewall light is still green, and nothing looks wrong until the day it matters. A firewall review checks the things that do not show up in daily use: whether the management interface is exposed, whether the firmware is current, whether the protection you pay for is actually running, and whether the rules still make sense. NetFortress manages firewalls for Israeli SMBs on both FortiGate and Check Point, and we are happy to review an existing setup regardless of who installed it. If you are not sure whether your firewall is genuinely protecting your business or just sitting there, ask us for a review and we will give you a clear, practical answer.

Frequently asked questions

How often should a business firewall be updated?

Firmware should be kept current, because both Fortinet and Check Point regularly release updates that fix security flaws already being exploited. A firewall running firmware from years ago carries every known vulnerability found since. Update with care, on a stable release and with a way to roll back, but do not skip it. If you cannot remember the last time your firewall's firmware was updated, it is overdue.

Is a FortiGate or Check Point firewall secure straight out of the box?

Not by itself. Both are capable platforms, but many security features ship in a permissive or disabled state, default passwords need changing, and rules have to be built for your specific network. A firewall that is bought, plugged in, and never touched again drifts from an asset into a liability. How it is configured and maintained matters far more than the brand on the front.

Should I be able to log into my firewall from home?

Not directly over the internet. Leaving the firewall's admin interface exposed to the whole internet is the single most dangerous mistake, because attackers scan for these login pages and target them the moment a vulnerability appears. Management should be restricted to the internal network or reached through an authenticated VPN, and only over encrypted HTTPS and SSH, never plain HTTP or Telnet.

What is the difference between a firewall and a managed firewall?

The hardware is the same; the management is what changes. A managed firewall means someone keeps the firmware patched, tunes and switches on the threat-prevention features you pay for, cleans up accumulated rules, reviews the logs, and adjusts the configuration as the business changes. An unmanaged firewall quietly falls out of date. The ongoing attention, not the box, is what actually protects you.

We are a small office. Do we really need network segmentation?

It is one of the highest-value things a firewall can do. On a flat network, one compromised device, an infected laptop or a cheap smart device with a known flaw, can reach straight to the server holding your client files. Segmentation uses the firewall to separate guest, camera, and payment traffic from your sensitive systems, so a single infection cannot become a whole-office incident.

Ready to secure your business without building an internal IT team?

Book a free consultation and get a practical first look at your IT and Microsoft 365 security posture.