Firewall Logs as an Important Component of Zero Trust
Sanjay Seth, P J Networks Pvt Ltd
Here I am—on my third coffee, buzzing because I just got back from DefCon’s hardware hacking village, and thinking about something that has been bubbling in the back of my brain: firewall logs, and their unsung role in Zero Trust security. The very stuff I was wrestling with in ’93—my network admin days, wrestling with muxes for voice and data over PSTN—is ironically still relevant to what I do today.
Zero Trust. You all know the buzzword, but it is not just fancy policies and AI-powered magic. It is trust no one, verify everything. And firewall logs? They are the quiet, dogged workhorses that keep those verifications honest.
So pull up a chair. Allow me to explain why firewall logs matter, and why they are not just bits and bytes lying around in some storage silo. They sit at the center of any working Zero Trust framework, particularly if you want to spot the bad actors before they make your bank, or your enterprise, toast. (Yes, I literally assisted with three bank overhauls of their Zero Trust architecture; the stakes are real.)
Zero Trust & Firewall Logs
Zero Trust security is often pitched as a panacea, a silver bullet. In reality it is a mindset and a practice, and logs are your eyes and ears.
Fact: a firewall, in its essence, permits or denies traffic based on rules. But that is not the entire story. The logs it produces tell you what actually occurred: every attempted connection, every packet that was blocked, every strange path someone tried to take is all right there.
Remember the Slammer worm in 2003? It spread in minutes because it exploited a buffer overflow in unpatched Microsoft SQL Server resolution services over UDP port 1434, with no user interaction needed. Real-time parsing and monitoring of firewall logs would have shown a sudden flood of UDP/1434 traffic from infected hosts and could have minimized a great deal of the damage. You would have seen anomalous traffic take off the way a vintage muscle car gets on the gas on an empty highway. It is obvious if you are paying attention.
Why does this matter today? Because Zero Trust demands continual verification, not a one-and-done gatekeeper. Firewall logs are that feedback loop.
Monitoring Access Control Violations
Zero Trust is mostly about access control. But perfecting policies is only part of the puzzle. People make mistakes. Systems get misconfigured. Malicious insiders or compromised accounts attempt, "just this once", to sneak where they should not.
Firewall logs show you those access control violations in their raw form:
- Blocked attempts: when someone tries to reach a restricted server or sensitive application, the firewall says no and logs it.
- Unusual access patterns: a user reaching the HR database at 3 AM? That pattern is in the logs, with source, destination, port and timestamp.
- Repeat offenders: the source IPs behind bursts of denies or failed authentications (VPN, management interfaces). Little attention is paid here, but it is how brute-force attempts and account takeover get spotted early.
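To make the three kinds of violation above concrete, here is an added Python example (not code from the article or from P J Networks) that parses a handful of constructed firewall log lines and runs one detector for each. The key=value log format, the sensitive subnet 10.10.1.0/24, the business-hours window and the alert thresholds are all assumptions; adapt them to your vendor's format and your environment.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic key=value firewall log format (an
# assumption: real vendors use their own field names and ordering).
SAMPLE_LOGS = """\
2024-03-04T02:58:10Z action=deny src=10.20.5.44 dst=10.10.1.15 dport=443 proto=tcp rule=deny-restricted
2024-03-04T02:58:11Z action=deny src=10.20.5.44 dst=10.10.1.15 dport=443 proto=tcp rule=deny-restricted
2024-03-04T02:58:12Z action=deny src=10.20.5.44 dst=10.10.1.16 dport=22 proto=tcp rule=deny-restricted
2024-03-04T02:58:13Z action=deny src=10.20.5.44 dst=10.10.1.17 dport=3389 proto=tcp rule=deny-restricted
2024-03-04T02:58:14Z action=deny src=10.20.5.44 dst=10.10.1.18 dport=445 proto=tcp rule=deny-restricted
2024-03-04T03:02:30Z action=allow src=10.20.7.9 dst=10.10.1.15 dport=443 proto=tcp rule=allow-hr-app
2024-03-04T09:15:02Z action=allow src=10.20.7.9 dst=10.10.1.15 dport=443 proto=tcp rule=allow-hr-app
2024-03-04T09:16:40Z action=deny src=203.0.113.7 dst=198.51.100.2 dport=443 proto=tcp rule=default-deny
2024-03-04T09:16:41Z action=deny src=203.0.113.7 dst=198.51.100.2 dport=443 proto=tcp rule=default-deny
"""

# Assumed address plan: RFC 1918 space is "internal", 10.10.1.0/24 is the HR/finance segment.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SENSITIVE = ip_network("10.10.1.0/24")
BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59 UTC

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m or "=" not in m.group("kv"):
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["dport"] = int(fields["dport"])
    return fields


def parse_logs(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def repeated_denies(events, threshold=3):
    """Sources with at least `threshold` denied connections into the sensitive segment."""
    hits = Counter(ev["src"] for ev in events
                   if ev["action"] == "deny" and ip_address(ev["dst"]) in SENSITIVE)
    return {src: n for src, n in hits.items() if n >= threshold}


def off_hours_access(events):
    """Allowed (not denied!) connections into the sensitive segment outside business hours."""
    return [(ev["ts"].isoformat(), ev["src"], ev["dst"]) for ev in events
            if ev["action"] == "allow" and ip_address(ev["dst"]) in SENSITIVE
            and ev["ts"].hour not in BUSINESS_HOURS]


def external_repeat_offenders(events, threshold=2):
    """External sources repeatedly hitting deny rules: brute-force or scan candidates."""
    hits = Counter(ev["src"] for ev in events
                   if ev["action"] == "deny" and not is_internal(ev["src"]))
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("repeated denies into sensitive segment:", repeated_denies(evs))
    print("off-hours access:", off_hours_access(evs))
    print("external repeat offenders:", external_repeat_offenders(evs))
```

Note that the off-hours detector looks at allowed traffic. A deny tells you the policy worked; an allow at 3 AM into the HR segment tells you the policy may be too broad, or a credential has walked. Both belong in the same pipeline.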
Here’s a little bit of truth — I used to dismiss how critical those “denied” logs were until one incident at one of my financial clients proved otherwise and I learned the hard way. A device with a compromised user account was attempting to hop across systems. Our firewall logs flagged hundreds of denied attempts that, if we’d clicked through them, would have been a full-blown breach.
The key? Don’t just store logs. Monitor them actively.
Identify Illicit Lateral Movement
Why does Zero Trust make an attacker's life a nightmare? Because once inside your network they cannot move laterally unhindered. But acting as if they will never get inside is fantasy. They will. The difference is that they shouldn't get far.
Firewall logs are the breadcrumbs that expose lateral movement. And this is where I’ve seen the majority of organizations stumble.
- September 28 2023: a rogue device starts talking to internal IPs it never spoke to before.
- Odd port usage between internal segments (SMB, RDP or WinRM between workstations, for example).
- Traffic that crosses normal segmentation boundaries.
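The three breadcrumbs above can be turned into detectors. What follows is an added Python example written for this article (not the author's or P J Networks' code) that runs over constructed, already-parsed firewall events: it flags a source fanning out to many internal hosts in a short window, flows that cross segment boundaries the policy does not permit, and admin protocols used between peer workstations. The segment CIDRs, the allowed-flow matrix and the window and fan-out thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed segmentation model (not from the article): segment name -> CIDR.
SEGMENTS = {
    "workstations": ip_network("10.20.0.0/16"),
    "servers": ip_network("10.10.0.0/16"),
    "mgmt": ip_network("10.0.0.0/24"),
}
# Assumed permitted segment-to-segment flows: (src, dst) -> allowed ports (None = any port).
ALLOWED_FLOWS = {
    ("workstations", "servers"): {443},
    ("mgmt", "servers"): None,
    ("mgmt", "workstations"): None,
}
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}  # SSH, SMB, RDP, WinRM


def segment_of(ip):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


# Constructed events: (timestamp, src, dst, dport, action). Assumed data.
T0 = datetime(2024, 3, 4, 10, 0, 0)
EVENTS = [
    (T0 + timedelta(seconds=0), "10.20.5.44", "10.20.5.10", 445, "allow"),
    (T0 + timedelta(seconds=5), "10.20.5.44", "10.20.5.11", 445, "allow"),
    (T0 + timedelta(seconds=9), "10.20.5.44", "10.20.5.12", 3389, "allow"),
    (T0 + timedelta(seconds=14), "10.20.5.44", "10.10.3.7", 22, "deny"),
    (T0 + timedelta(seconds=20), "10.20.5.44", "10.10.3.8", 445, "deny"),
    (T0 + timedelta(seconds=30), "10.20.7.9", "10.10.1.15", 443, "allow"),
    (T0 + timedelta(minutes=30), "10.0.0.5", "10.10.3.7", 22, "allow"),
]


def fan_out(events, window=timedelta(minutes=5), min_targets=4):
    """Sources that touch >= min_targets distinct internal hosts within a sliding window.
    Denies count too: an attacker probing blocked paths is still fanning out."""
    per_src = defaultdict(list)
    for ts, src, dst, _, _ in events:
        if segment_of(dst) != "external":
            per_src[src].append((ts, dst))
    alerts = {}
    for src, contacts in per_src.items():
        contacts.sort()
        for i, (start, _) in enumerate(contacts):
            targets = {d for t, d in contacts[i:] if t - start <= window}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


def segmentation_violations(events):
    """Flows crossing segments the policy does not permit. Allowed ones are the
    serious finding (the firewall let them through); denied ones show intent."""
    findings = []
    for _, src, dst, dport, action in events:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue
        ports = ALLOWED_FLOWS.get((s, d), set())
        if not (ports is None or dport in ports):
            findings.append((action, src, dst, dport, f"{s}->{d}"))
    return findings


def peer_admin_traffic(events):
    """Admin-protocol connections between hosts in the same workstation segment:
    workstations have no business speaking SMB/RDP/WinRM to each other."""
    return [(src, dst, dport) for _, src, dst, dport, action in events
            if action == "allow" and dport in ADMIN_PORTS
            and segment_of(src) == segment_of(dst) == "workstations"]


if __name__ == "__main__":
    print("fan-out:", fan_out(EVENTS))
    print("segmentation violations:", segmentation_violations(EVENTS))
    print("peer admin traffic:", peer_admin_traffic(EVENTS))
```

In the constructed data the workstation 10.20.5.44 trips all three detectors, but note which one would have been silent without intra-segment logging: the SMB and RDP hops to its neighbours were all allowed, and only show up because the internal firewall logs permitted flows as well as denied ones.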
For example, I recently worked on upgrading three banks’ Zero Trust models, and the low-hanging fruit was certainly in correlating firewall logs with endpoint data. When one machine began “chatting” unexpectedly with a number of internal assets, the firewall logs screamed a silent alarm.
Here’s a pro tip:
If internal firewall segmentation is possible, enable it and log as granularly as possible, permitted flows included, not only denies. No more blind spots. Lateral movement is the stealth mode of the attacker's playbook, and it is the one place where the allow logs matter as much as the denies.
If you treat firewall logs as a daily report card rather than a dusty archive, catching this early isn't just possible, it's necessary.
Automating Log Analysis
This is where the industry starts waving the AI-powered banner, and to be frank, I’m dubious. Don’t misunderstand: automation and machine learning have their uses. But if you let an AI do your thinking while you have no idea what’s happening under the hood, you’re handing attackers a blindfolded map.
After years of this, I came to understand: automation should supplement humans, not substitute for them.
Here’s how automation should be used around firewall logs in Zero Trust deployments:
- Threshold alerting: rules that fire on unusual spikes, such as an abnormal number of access denials from one source or a sudden change in traffic volume.
- Correlation engines: combine firewall logs with authentication logs, endpoint telemetry and vulnerability scan results to build a fuller picture.
- Baseline learning: learn what “normal” looks like for each host and segment over time, so deviations, however subtle, are prioritized.
At P J Networks we tailor log ingestion pipelines for every client, because context is king. An anomaly in a startup’s firewall logs may be the norm in a bank.
And yes, getting the right tooling takes time and investment, but that is nothing compared to the cost of a post-breach clean-up.
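The three automation items (thresholds, correlation, baselines) fit in one small pipeline, and the "context is king" point falls out of it naturally. The Python below is an added example for this article, not P J Networks tooling: each source gets its own baseline of hourly deny counts learned from a constructed 14-day history, an alert needs both a statistical excursion and an absolute floor, and a firing alert is escalated when a constructed auth log shows failures from the same host in the same hour. The history values, the k=3 sigma and floor of 10, and the auth-log join are all assumptions.

```python
from statistics import mean, pstdev

# Constructed per-source hourly deny counts over a 14-day learning window (one
# sample per day for the same hour) plus today's observation. Assumed data.
HISTORY = {
    "10.20.5.44": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 4],               # quiet workstation
    "10.30.0.12": [20, 25, 22, 24, 21, 26, 23, 22, 25, 24, 23, 21, 24, 22],  # noisy scanner appliance
}
TODAY = {"10.20.5.44": 40, "10.30.0.12": 27}

# Constructed auth-log summary for the same hour: src -> (user, failure count). Assumed data.
AUTH_FAILURES = {"10.20.5.44": ("svc_backup", 18)}


def baseline(samples):
    """Per-source learned 'normal': mean and population standard deviation."""
    return mean(samples), pstdev(samples)


def score(value, samples, k=3.0, floor=10):
    """Threshold check against the source's own baseline.

    An alert needs a statistical excursion (mean + k*sigma, with sigma clamped to
    at least 1 so flat baselines do not alert on +1) AND an absolute floor, so a
    near-silent host does not page anyone over three extra denies.
    Returns (is_anomalous, threshold_used)."""
    mu, sigma = baseline(samples)
    threshold = max(floor, mu + k * max(sigma, 1.0))
    return value >= threshold, threshold


def evaluate(history=HISTORY, today=TODAY, auth=AUTH_FAILURES):
    """Run thresholds per source, then correlate hits with authentication failures."""
    alerts = []
    for src, samples in history.items():
        hit, threshold = score(today[src], samples)
        if not hit:
            continue
        user, failures = auth.get(src, (None, 0))
        alerts.append({
            "src": src,
            "observed": today[src],
            "threshold": round(threshold, 1),
            # deny spike plus auth failures from the same host is a much stronger signal
            "severity": "high" if failures else "medium",
            "user": user,
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate():
        print(alert)
```

The scanner appliance reports 27 denies against a baseline around 23, which is normal for it; the workstation reports 40 against a baseline around 3.5, which is not. Same raw number range, opposite verdicts, which is exactly why a global threshold copied from another client is the wrong tool.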
Real-Time Security Audits
Here is where firewall logs really excel, and where many organizations fail spectacularly.
You can have the best Zero Trust policies on paper; without auditing them against what the firewalls actually do, you're driving blind.
By auditing your firewall logs consistently, you can:
- Ensure that policies are consistently enforced on every enforcement point.
- Detect policy misconfigurations (stale rules, rules that are never hit, allows that no written policy explains) before adversaries exploit them.
- Detect emerging attacks while they are still in the reconnaissance phase.
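One way to audit enforcement from the logs themselves is to diff the intended policy against what the firewalls actually allowed and denied. The Python below is an added example for this article (not P J Networks' audit tooling): the intended rule set, the two firewall names and the observed events are constructed assumptions. It reports allows no intended rule explains (a stale rule still live), denies of traffic the policy says to allow (inconsistent enforcement between devices), and intended rules that never matched anything (possibly never deployed).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One intended allow rule; an empty port set means any port."""
    name: str
    src: str
    dst: str
    ports: frozenset

    def matches(self, src, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.ports or dport in self.ports))


# Intended Zero Trust policy (assumed, not from the article): explicit allows, default deny.
INTENDED = [
    Rule("hr-app", "10.20.0.0/16", "10.10.1.15/32", frozenset({443})),
    Rule("mgmt-ssh", "10.0.0.0/24", "10.10.0.0/16", frozenset({22})),
]

# Constructed observed events from two firewalls on the same path:
# (firewall, action, rule that fired, src, dst, dport). Assumed data.
OBSERVED = [
    ("fw-core-1", "allow", "hr-app", "10.20.7.9", "10.10.1.15", 443),
    ("fw-core-2", "deny", "default-deny", "10.20.7.9", "10.10.1.15", 443),   # same flow denied elsewhere
    ("fw-core-1", "allow", "legacy-any", "10.20.5.44", "10.10.3.7", 445),    # no intended rule covers this
    ("fw-core-1", "deny", "default-deny", "10.20.5.44", "10.10.3.8", 3389),  # correct default deny
]


def audit(intended=INTENDED, observed=OBSERVED):
    """Compare observed firewall decisions with the intended policy."""
    unexpected_allows, inconsistent_denies, rules_hit = [], [], set()
    for fw, action, rule, src, dst, dport in observed:
        covering = [r.name for r in intended if r.matches(src, dst, dport)]
        if action == "allow":
            if covering:
                rules_hit.update(covering)
            else:
                # the firewall let through traffic no intended rule explains
                unexpected_allows.append((fw, rule, src, dst, dport))
        elif covering:
            # policy says allow, but this enforcement point said deny
            inconsistent_denies.append((fw, covering[0], src, dst, dport))
    rules_never_hit = sorted(r.name for r in intended if r.name not in rules_hit)
    return {
        "unexpected_allows": unexpected_allows,
        "inconsistent_denies": inconsistent_denies,
        "rules_never_hit": rules_never_hit,
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(finding, items)
```

Run on a schedule against the last hour of logs, this is a cheap continuous audit: an entry under "unexpected_allows" is the old rule still sitting on a critical path, and an entry under "inconsistent_denies" is two firewalls disagreeing about the same flow.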
Short version: a client retained P J Networks after experiencing what they called a “Zero Trust failure.” It turned out some firewall rules were not being applied consistently; the firewall logs showed old rules still live on a critical path. That was a gaping hole large enough for crooks to drive a tank through.
What I always tell teams is to think of your Zero Trust policy as a layered lasagna. Each layer contributes to the structure; if a single one melts away (misconfigured, ignored), the whole dish collapses. Firewall logs are your thermometer in the kitchen.
Quick Take
- Firewall logs provide the constant validation that Zero Trust requires
- Access control violations are not noise; they are your first clues
- Visibility into internal firewall logs is essential for lateral movement detection
- Automation goes a long way, but only in conjunction with expert tuning and context
- Real-time audits of logs surface weaknesses before attackers find them
Final Thoughts
After nearly 30 years working in networking and security — starting as a greenhorn who couldn’t find his way out of twisted pairs and PSTN muxes — I have become the consummate skeptic of hype. Firewall logs are old school, perhaps. But in a Zero Trust world, they’re more relevant now than ever.
I understand the lure of the sheen of new AI-powered security gadgets. But believe me, your best armor is knowing your own data. Logs show what’s really (and sometimes not really) happening on your network.
So if you actually want to implement Zero Trust—start looking in your firewall logs. Don’t just gather them—act on them.
Because the alternatives? They’re nightmarish.
If you want help making this happen (I’ve literally done it with banks recently), let me know. Though this year marks 20 years for me in the infosec world, every day is still like a brand new roller coaster ride—and I’m still learning, still excited, still need that third cup of coffee!
Be Brave, be Lensed—Sanjay Seth, P J Networks Pvt Ltd