Buying or setting up a security product, like a firewall, in a corporation is not the same as buying any other product. You can't simply call the project complete when it is working. Security is a process and your IT department needs to treat it as such. IT departments should be constantly testing, modifying, and looking for potential issues. If your company does not have good risk management procedures security products are just placebos. Too often companies purchase a product, install it, check it off a list, and move on to the next project. Every year the reseller calls the company up and asks if they want to renew the maintenance. The company says "Yes it is working great. We haven't heard anyone scream." and the away they go. Each year this is repeated until they decide to get a new higher end product that does more than the current unit. Truth is that doesn't really matter because they never were using the original product as they thought.
Just because it is working doesn't mean you are safer than before it was purchased. Companies should be working with partners who are actively engaged in the security and stability of their business.