In any case, folks should be continuously profiling their networks integrated into monitoring/alerts. I find many firewalls that are doing different things than my clients expect they are -- or have just been left to diverge from reality in some form of config rot. Automated testing surfaces these differences.

Can you really put "simple" in the same sentence as firewall? Vendors prevent that. Folks don't have time to maintain them.