A PCI-focused firewall review should not be treated as a paperwork exercise. The reviewer will want confidence that cardholder-data environments are properly segmented, access is justified, administrative paths are controlled, and changes are not drifting away from the approved design.
Useful questions include: which rules permit access into sensitive zones, which services are exposed, whether broad source or destination groups are justified, whether logging exists for important flows, and whether temporary exceptions have been removed or formally accepted.
For teams managing FortiGate environments, automated configuration analysis can reduce the pain of gathering this evidence. It gives engineers a current view of the rulebase and helps identify the gaps that should be fixed before the review becomes urgent.
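As an added illustration (not taken from any particular product), the sketch below applies the review questions above to a FortiGate policy export: it parses `config firewall policy` blocks and flags accept rules into a cardholder-data zone that use a broad source, allow all services, disable logging, or carry a temporary-exception comment. The interface name `cde`, the sample policies, the "temp" comment convention and the function names are assumptions made for the example.

```python
import re
import shlex

# Constructed, trimmed sample in FortiOS policy syntax; zone names are hypothetical.
SAMPLE = '''config firewall policy
    edit 10
        set dstintf "cde"
        set srcaddr "web-servers"
        set action accept
        set service "MYSQL"
        set logtraffic all
    next
    edit 11
        set dstintf "cde"
        set srcaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
        set comments "TEMP until migration"
    next
end'''

def parse_policies(text):
    """Return {policy_id: {key: [values]}} from edit/set/next blocks."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["edit"]:
            current = policies.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and current is not None:
            current[tok[1]] = tok[2:]
        elif tok[:1] == ["next"]:
            current = None
    return policies

def review(policies, cde_intfs):
    """Flag accept rules whose destination interface is in the CDE (assumed names)."""
    findings = []
    for pid, p in policies.items():
        # A policy with no explicit 'set action accept' is treated as not permitting traffic.
        if p.get("action") != ["accept"] or not set(p.get("dstintf", [])) & cde_intfs:
            continue
        checks = {
            "broad source": "all" in p.get("srcaddr", []),
            "all services": "ALL" in p.get("service", []),
            "logging disabled": p.get("logtraffic") == ["disable"],
            "temporary exception": bool(re.search(r"\btemp", " ".join(p.get("comments", [])), re.I)),
        }
        findings += [(pid, name) for name, hit in checks.items() if hit]
    return findings
```

Each finding is a starting point for the justification the reviewer will ask for, not a verdict; a flagged rule may still be acceptable if it is documented and formally approved.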