This is part 3 of a series on the hidden costs of poorly written firewall requests. Start with the overview if you haven’t read it.
Does your form help or hinder?
Pull up your organization’s firewall change request form. Take a look at it from the perspective of someone outside the security team. If your form looks something like this, keep reading:
- Source IP/Subnet (required)
- Destination IP/Subnet (required)
- Protocol (dropdown: TCP, UDP, ICMP, Any)
- Port or Port Range (required)
- Business Justification (text field)
- Change Window (required)
- Approver (required)
On paper, this covers everything the firewall team needs. But if there’s no guidance, no examples, and no validation, it’s asking for precise technical details from people who often don’t have them. If your form looks like this and your tickets are frequently incomplete, the form might be a big part of the problem.
Signs your form is working against you
It assumes the requester already knows the answer. “Source IP/Subnet” is a perfectly clear field if you’re a network engineer. If you’re an application developer, you might not know whether your app runs on 10.12.4.15 or 10.12.4.16, or whether you should enter a /32 or the whole /24. The form doesn’t tell you. There’s no tooltip, no link to a lookup tool, no example showing what a valid entry looks like.
Drop-downs that don’t help. Protocol: TCP, UDP, ICMP, Any. Most requesters will pick TCP because that’s what they’ve heard of, or Any because they’re not sure. “Any” is the most dangerous option on the form and it’s right there, one click away, with no warning about what it means. There’s no “I don’t know, here’s what I’m trying to do” option. There’s no contextual help explaining when you’d pick UDP over TCP.
“Business Justification” is a blank canvas. Some people write a paragraph. Some write “needed for project.” Some leave it empty. The field gives no structure, no prompting questions, no minimum expectations. It’s the form equivalent of asking someone “tell me about yourself” in a job interview. You get wildly inconsistent answers because the question is too open-ended.
No validation until a human looks at it. You can type “server1” in the Source IP field and submit the form. You can enter port 999999. You can request access between two IPs that are already in the same subnet and don’t need a firewall rule at all. The form accepts everything, and the firewall team discovers the problems when they open the ticket. Every bad entry that makes it through the form is a future round-trip.
What a form like this costs
If any of the above sounds familiar, here’s what it adds up to.
A security team processing 80 requests a week, where 60% need at least one round of clarification, is spending roughly 20 hours a week just on back-and-forth. Not on security review. Not on implementation. On asking “what did you mean by this?” That’s half a full-time employee’s week, gone. And on the requester side, each clarification request takes them 15 to 30 minutes to deal with: context switching back to the project, tracking down the information, replying. For 48 incomplete tickets, that’s another 12 to 24 hours of wasted time across the requesting teams.
Add it up over a year and you’re looking at somewhere between 1,500 and 2,000 hours of lost productivity, spread across two departments, caused by a form that could have been better.
What a good form looks like
A good form doesn’t just collect information. It helps the requester succeed. Here are the differences:
Contextual help on every field. Next to “Source IP,” a small note: “This is the IP address of the server initiating the connection. You can find this in [your CMDB link] under the server’s network tab. Example: 10.12.4.15/32 for a single host.” This costs nothing to add and saves hundreds of clarification emails.
Smart defaults and guardrails. If someone selects “Any” for protocol, surface a warning: “Selecting ‘Any’ will allow all traffic types between these hosts. Are you sure you don’t need a specific protocol? Most web applications use TCP.” Don’t block the selection, just make sure it’s a deliberate choice, not a confused one.
Structured business justification. Instead of a blank text box, ask three specific questions: What application is this for? What is the connection used for? Is this permanent or temporary? Three simple prompts produce consistently useful answers where a blank field produces noise.
Inline validation. Check the IP format before submission. Flag port numbers outside common ranges. If the source and destination are in the same subnet, ask if a firewall rule is really needed. If the destination IP doesn’t exist in any known network zone, say so. Every error caught at submission time is a round-trip that never happens.
Examples right on the form. Show a completed example, both a good one and a bad one, right at the top of the form or in a collapsible section. “Here’s what a complete request looks like” followed by a filled-in example with all fields populated correctly. Most people will pattern-match against the example, and that’s exactly what you want.
The pre-validation layer
Even the best form can’t catch everything. People make typos. They copy the wrong IP from a spreadsheet. They request access to a host that was decommissioned last month.
This is exactly the kind of problem I built netbobr to address. You enter your source, destination, protocol, and port, and it tells you immediately if something is wrong: invalid IP format, zone policy conflict, ports that don’t match common services, compliance flags against PCI, CIS, or NIST frameworks. The requester gets feedback in seconds instead of waiting days for a human review.
The difference is like the difference between a word processor that underlines spelling errors as you type versus one that waits until you print the document and then sends it back with red ink.
Fixing the form is the cheapest win
Of all the problems in the firewall request process, the form is the easiest to fix. It doesn’t require cultural change or new tooling infrastructure. It requires sitting down with five or six people who regularly submit requests, watching them fill out the current form, noting where they hesitate or guess, and then redesigning the form to address those gaps.
If your security team has never done this, it’s worth the exercise. A form built based on what the security team needs as output, without considering what requesters need as input, will always produce incomplete tickets.
You won’t get every ticket to 100% completeness on first submission. But getting from 40% first-pass success to 75% would cut your clarification workload in half. That’s hundreds of hours back, every year, from changing a form.
Next in this series: Part 4: Nobody Reads the Docs (and Your Firewall Pays the Price)