Updating firewalls can be difficult if many devices need to be manually reconfigured. To assist, vendors provide management tools. If the tool requires manual adding/deleting known firewalls, this is problematic in networks with many devices. If devices are hosted within a virtual private cloud, the tool may adopt a centralized “star” configuration and maintain live contact with all firewalls. This exposes firewalls to risk if the central tool is compromised. An alternative to a central tool is to implement a tool local to an environment, secure the tool with multi-level authentication, and provide automatic active firewall discovery, e.g., automate adding/deleting firewalls in an environment defined with respect to criteria that may be used to define a collection of active firewalls. Configuration changes may be pushed to the collection. Authentication credentials to access the firewalls are ephemerally cached and flushed after use so the tool cannot be compromised.