Firewall Rule Audit: How to Clean Up 10 Years of Accumulated Rules Without Breaking Production

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Firewall rulesets have a one-way growth characteristic. Rules get added for specific projects, network changes, vendor requirements, and troubleshooting workarounds. They almost never get removed because removing a rule risks breaking something that nobody has documented. An engineer creates a rule in 2014 to allow a legacy application through the perimeter. The application is decommissioned in 2017. Nobody removes the rule because the engineer who created it has left, there is no documentation of what the rule was for, and removing it might break something. This process repeats several hundred times over a decade and produces the archetypal enterprise firewall problem: thousands of rules, many of which are unused or shadowed, with no documentation and no clear ownership. The security risk is significant: any-any rules that were created as temporary workarounds and never removed, overly permissive rules that expanded a narrow exception into a broad allow, and rules that permit access to systems that no longer exist in the same IP range because of re-addressing. This guide provides the systematic approach to auditing and cleaning a large, undocumented ruleset without causing production outages.
The Rule Accumulation Problem and Why It Persists
Firewall rules accumulate because the organizational incentive structure around rule changes is asymmetric. Adding a rule has a known, immediate benefit (the traffic that was blocked now flows) and a diffuse, delayed cost (the attack surface is slightly larger). Removing a rule has a known, immediate cost (the traffic that was allowed might break) and a diffuse, delayed benefit (the attack surface is slightly smaller). Given that asymmetry, engineers and administrators will always find it safer to add than to remove, and they are rationally responding to organizational reality: they will be blamed for the outage caused by a removed rule, but not for the breach enabled by a rule that should have been removed.
The accumulation problem is also driven by firewall change management processes that gate rule additions but have no systematic removal trigger. Most organizations have a process for requesting new firewall rules: submit a ticket, get a network or security review, implement with a change window. Most organizations have no equivalent process for rule retirement: when a system is decommissioned, the decommission workflow does not include a firewall rule review step. Rules for decommissioned systems just sit in the ruleset indefinitely, allowing traffic to IP addresses that may now be assigned to different systems.
Over time, a large undocumented ruleset creates compounding security risks beyond simple attack surface expansion. Auditors and security assessors cannot effectively evaluate a firewall that has no documentation; the time required to understand what each rule does exceeds what any assessment budget allows. Incident response is slowed when investigators cannot determine whether anomalous traffic is permitted by a legitimate rule or is a sign of a misconfiguration or compromise. Change management becomes paralyzed because engineers are afraid to modify anything without understanding the full dependency chain of existing rules.
The solution is a systematic audit and cleanup process that handles the technical problem (identifying unused and shadow rules) and the organizational problem (creating a rule lifecycle process that prevents re-accumulation). This guide addresses both.
Phase 1: Inventory and Categorization
Before touching any rules, export the complete ruleset from every firewall in scope. For Palo Alto Networks firewalls, use the CLI command 'show running security-policy all' or export via Panorama if you have centralized management. For Fortinet FortiGate, use 'get firewall policy' or export the full configuration via the management interface. For Cisco ASA, use 'show access-list' with the full expanded output. Export in a machine-readable format if available (XML for Palo Alto, CSV-compatible formats where supported) to enable spreadsheet analysis.
Categorize every rule across four dimensions: direction (inbound, outbound, internal), action (permit, deny, inspect), specificity (any source, any destination, specific source, specific destination), and function (perimeter access, internal segmentation, management, VPN, legacy application). The any-source or any-destination rules are your immediate priority; these are the rules with the broadest potential impact and the highest likelihood of including unintended scope. Flag every rule that uses 'any' in either the source or destination field for dedicated review.
Create a rule inventory spreadsheet with columns for: rule number, rule name, source zone, source address, destination zone, destination address, application or service, action, hit count (pulled from the firewall logs), last hit date, and a notes column for your categorization work. This spreadsheet is both your audit workbook and the beginning of your ongoing documentation. Build it once and maintain it; do not treat it as a one-time project artifact.
During categorization, identify rules that appear to be temporary workarounds based on naming patterns (rules named 'TEMP,' 'TEST,' 'BYPASS,' 'FIX' are common in poorly managed rulesets), rules with no name at all (a common sign of CLI-created rules without documentation discipline), and rules with overlapping or duplicate scope (multiple rules that match the same traffic). Duplicates may indicate conflicting changes from different engineers over time and should be resolved during cleanup.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Shadow Rules: Rules That Are Never Reached
Shadow rules are rules that are logically unreachable because a more general rule earlier in the evaluation order matches the same traffic first. Firewall policy evaluation is typically top-down and first-match-wins; once a packet matches a rule, evaluation stops. A specific rule below a general rule that covers the same traffic can never be reached. Shadow rules are a security risk when the earlier, more general rule is a permit and the shadowed rule is a deny (intended blocking behavior is silently overridden), and they are operational clutter that makes the ruleset harder to reason about.
Identifying shadow rules manually in a large ruleset is tedious; most enterprise firewall management platforms provide automated analysis. Palo Alto Panorama's Security Policy Optimizer includes a redundancy analysis that identifies shadowed rules. Firewall management platforms like Tufin Orchestration Suite, AlgoSec, and FireMon provide shadow rule analysis as a core feature and can visualize the covering relationship between rules. If you lack these tools, the manual approach is to sort rules by specificity and compare each rule's source, destination, port, and protocol combination against all more-general rules that precede it in the evaluation order.
When you find shadowed rules, do not immediately delete the shadow rule. First understand why it exists. Some shadow rules are intentional: a general permit rule covers most traffic, and the shadowed specific deny was placed there as documentation of an explicit decision to block specific sub-traffic even though the general permit makes it unreachable. In this case, the fix is to reorder the rules (move the deny above the permit) rather than delete the deny. Other shadow rules are genuine accidents: a later engineer added a specific rule without realizing a general rule above it already covered the same traffic. In this case, the shadow rule is deletable, but verify by checking hit counts: a rule that has never been hit may be shadowed, while a rule with hits may have been reachable at some point before the general rule above it was added.
Usage Log Analysis: Identifying Zero-Hit Rules
Hit count analysis is the most objective basis for identifying candidate deletion rules: if a rule has had zero traffic in 90 days, it is either no longer needed (the systems it was built for were decommissioned), shadowed by another rule, or a rule for traffic that occurs less frequently than your monitoring window. None of these represent an active security requirement, and all of them are candidates for investigation.
On Palo Alto Networks firewalls, hit counts are visible in the Security Policy view in the management GUI; each rule shows a hit count and a timestamp for last hit. The CLI command 'show running security-policy' includes hit count data, and you can filter for rules with specific hit count ranges. Importantly, hit counts reset when the firewall restarts or the policy is committed after a change, so interpret zero-hit rules in the context of when the firewall last restarted. If the firewall has been running continuously for 18 months and a rule shows zero hits, that is strong evidence the rule is unused. If the firewall restarted two weeks ago, zero hits means less.
On Fortinet FortiGate, the built-in policy hit counter is visible in the GUI (Policy & Objects > Firewall Policy). Enable the hit counter if it is not already enabled (it is off by default on some firmware versions). The CLI command 'diagnose firewall iprope show 00010000' shows detailed per-policy statistics. FortiGate also provides a 'hitless' policy list showing rules that have seen no traffic since the last policy counter reset. Export this list and cross-reference with your inventory spreadsheet.
For Cisco ASA, the 'show access-list [acl-name] detail' command shows per-ACE hit counts. ASA does not have a native zero-hit filter; export the access-list output and process it programmatically. A simple Python script or spreadsheet formula can identify ACEs with hitcnt=0. Note that ASA access-lists are structured differently from zone-based firewall policies; a single access-list entry (ACE) with zero hits does not necessarily mean the ACL itself is unused, only that that specific line has not matched traffic.
The Safe Deletion Sequence: Disable, Monitor, Then Delete
The critical discipline in firewall rule cleanup is never deleting a rule directly without first disabling it and monitoring for impact. The disable-first approach allows you to observe the effect of removing a rule's traffic processing while preserving the ability to re-enable it immediately if something breaks. A deleted rule requires re-creation from scratch if you discover it was needed; a disabled rule can be re-enabled in seconds.
The safe sequence is: disable the candidate rule during a maintenance window, document the disable in your change management system with the date and the justification (unused per 90-day hit count analysis), monitor traffic logs and application teams for one full business cycle (typically two to four weeks, including any periodic processes like month-end batch jobs or quarterly reports that may use the permitted traffic infrequently), then delete after the monitoring period shows no disruption. Schedule the deletion as a separate change management ticket from the disable, which creates two review gates and two opportunities to catch errors.
Batch the disable actions by category rather than by individual rule. Disable all zero-hit rules from a specific source zone in one change window, rather than disabling individual rules one at a time. This batching makes the monitoring phase more manageable (you are watching one category of changes rather than a hundred individual changes) and makes the rollback simpler (re-enable the batch if something breaks rather than identifying which of many individual changes caused the issue).
For any-any rules specifically, do not simply disable and delete without first understanding the traffic they carry. Any-any rules may be carrying significant legitimate traffic precisely because they are the catch-all that permits everything their more-specific predecessors do not explicitly permit or deny. Before disabling an any-any rule, run a traffic log query for the rule to understand what traffic it is actually matching, segment that traffic into categories, and create specific replacement rules for the legitimate traffic before disabling the any-any. This replace-then-disable sequence prevents the outage that would result from disabling a broadly-used any-any rule.
Any-Any Rules: Why They Exist and How to Scope Them Down
Any-any permit rules in firewall rulesets are almost always the product of one of three scenarios: a temporary workaround during a migration or troubleshooting exercise that was never removed, a catch-all rule created at initial firewall deployment before specific rules were built, or a rule created under time pressure during an outage with the intention of replacing it with something specific once the immediate problem was resolved. In all three cases, the rule was created with the understanding that it would be temporary. In practice, it has been there for years.
Quantifying the traffic scope of an any-any rule is the first step toward replacing it. Run a traffic log query on the firewall for traffic matching the rule, aggregated by source-to-destination pair, over a 30-day window. This gives you the list of actual flows being permitted: Source A to Destination B on Port C, Source D to Destination E on Port F, and so on. Sort by traffic volume and frequency. The top flows by frequency are the ones most likely to represent genuine application requirements. The flows with very low frequency and small data volumes may be legitimate-but-infrequent, scanning noise, or truly orphaned connections.
For each significant flow identified, work backward to find the application owner: which system is at the source address, which application runs on the destination, and what port does it use. This detective work is where the real investment is in any-any rule replacement. Some flows will have obvious owners (web traffic to a specific internal server). Others will require conversation with application teams who may not even know their application has been using a firewall any-any rule instead of a specific one.
Create specific replacement rules for each identified legitimate flow before disabling the any-any. Implement the replacement rules above the any-any in the evaluation order, test that the specific flows still work, then disable the any-any. After the monitoring period confirms no regressions, delete it. This process for a single any-any rule in a large enterprise environment can take two to four weeks of investigative work and change management processing, which is why any-any rule cleanup is a project, not a maintenance task.
Change Window Discipline and Change Management
Firewall changes are among the highest-risk changes in most enterprise environments because an error can affect an entire network segment or deny access to critical business systems instantaneously. Change window discipline is not bureaucratic overhead; it is the operational practice that limits the blast radius of errors and ensures that relevant stakeholders have visibility into changes before they are made.
Every firewall rule change, including disables and deletes during a cleanup project, should go through your change management process. The change request should document: the specific rules being modified, the business justification for the change, the expected impact (none, since you are disabling unused rules, but document that expectation), the rollback procedure (re-enable the specific rules), and the monitoring plan for the post-change period. A change management ticket creates an audit trail that satisfies compliance requirements, provides the rollback documentation you will need if something breaks, and creates organizational visibility that prevents the scenario where the network team disables rules that the application team did not know they were using.
Plan firewall changes for early in a maintenance window, with enough time remaining in the window to observe and rollback if needed. A firewall change at the end of a four-hour maintenance window, with no time remaining to monitor and rollback, is a high-risk change regardless of how confident you are in the analysis. Build in a 30-minute observation period immediately after any firewall rule change before closing the maintenance window.
For large cleanup projects with hundreds of rule changes, create a phased project plan with multiple change windows rather than attempting all changes in a single window. Implement changes in logical groups (all rules in a specific zone, all rules for a specific application, all zero-hit rules from a specific time period), with monitoring periods between groups. This phasing limits the scope of any single change and makes root-cause analysis easier if a change causes an issue.
Palo Alto Networks: Security Policy Optimizer
Palo Alto Networks provides a native tool for firewall policy analysis called Security Policy Optimizer, accessible in Panorama and in the local PAN-OS management interface. Security Policy Optimizer analyzes the existing security policy against actual traffic logs and generates actionable recommendations for policy improvement. For a rule cleanup project, the most useful features are the unused rules identification (rules with zero traffic in the configured timeframe), the overly permissive rules analysis (rules using application 'any' where specific application identification data is available from traffic logs), and the redundant rule analysis (rules that are fully covered by other, more permissive rules).
The application identification capability in Security Policy Optimizer deserves specific attention for organizations running Palo Alto firewalls. PAN-OS performs Layer 7 application identification using App-ID, and traffic logs contain the identified application for each connection. Security Policy Optimizer uses this application data to suggest replacing broad port-based rules with specific application-based rules. For example, a rule permitting TCP 80 and TCP 443 from a source zone to a destination server could be replaced with a rule specifically permitting 'web-browsing' and 'ssl' to that server, blocking other TCP 80/443 uses (which might include tunneling applications or unknown applications that happen to use those ports). This application-based refinement provides security benefit beyond simple rule count reduction.
To use Security Policy Optimizer effectively, the firewall must have been logging traffic with enhanced logging enabled for a minimum of 30 days before the analysis (90 days preferred). Run the analysis from Panorama rather than individual firewall management interfaces if you have Panorama deployed; Panorama aggregates data across all managed firewalls and provides a fleet-wide view of policy optimization opportunities. Export the optimization recommendations as a report before making any changes, and review each recommendation against your change management process rather than accepting all recommendations automatically.
Fortinet FortiGate: Policy Hit Count and Address Object Hygiene
FortiGate's policy analysis tools are less sophisticated than Palo Alto's Security Policy Optimizer but still provide the core functionality needed for a rule cleanup project. The hit count feature, when enabled, provides the basic usage data required for unused rule identification. FortiGate also surfaces unused address objects, a category of technical debt that accumulates in parallel with unused rules and should be cleaned up simultaneously.
Enable policy hit count logging on FortiGate if it is not already enabled: in the GUI under Policy & Objects > Firewall Policy, verify that the 'Hit Count' column is visible. On some firmware versions, hit count tracking requires explicit enablement in the CLI with 'config system settings > set policy-hit-counter enable.' After enabling, allow 90 days before using hit counts as deletion criteria, since counters start from zero after enabling.
Address objects in FortiGate accumulate in the same way as rules: objects are created for specific purposes and never deleted when the purpose ends. Unused address objects (objects not referenced in any current rule or other configuration object) are identifiable in the GUI under Policy & Objects > Addresses; objects that are not referenced anywhere in the policy turn gray in the interface. FortiGate also provides a CLI command 'diagnose firewall iplist unused' that lists address objects with no rule references. Clean up unused address objects after completing the rule cleanup, not before; if you delete an address object that is referenced in a rule you have not yet deleted, you will break the rule configuration.
FortiGate does not have a native shadow rule detection tool equivalent to Palo Alto's redundancy analysis. For shadow rule analysis on FortiGate, use a third-party firewall management platform (Tufin, AlgoSec, FireMon, Skybox) that supports FortiGate integration, or perform manual analysis using the policy export and a spreadsheet. The manual approach is tedious for large rulesets but feasible for rulesets under a few hundred rules.
Documentation Standard and Ongoing Hygiene
The documentation standard that prevents re-accumulation is simple but must be enforced at the process level, not the policy level. Every firewall rule must have: a rule name that describes its purpose in human-readable form (not 'Rule_1243' or 'TEMP_test'), an owner field containing the name or team responsible for the traffic, a business justification comment explaining what application or business process requires this rule, and a last-reviewed date that is updated when the rule is explicitly reviewed and confirmed still needed. This metadata should be required fields in your change management process for rule addition requests.
For Palo Alto Networks firewalls, rule description fields and tags support this documentation approach natively. Use the description field for the business justification and the tag system to label rules with owner team, business system, and review status. In Panorama, you can filter the rule view by tag to see all rules owned by a specific team or associated with a specific business system, making periodic review far more efficient. For FortiGate, the comment field in each policy object serves the same purpose.
The ongoing hygiene process that prevents future accumulation requires two procedural changes. First, integrate firewall rule review into the system decommission workflow: when an IT system is decommissioned, the decommission checklist must include a step to identify and disable all firewall rules that were created for that system. This step should be assigned to the network or security team with a required sign-off before the decommission ticket is closed. Second, establish a quarterly rule review cadence: on a quarterly basis, export the hit count report, identify rules that hit zero traffic in the past 90 days that were not already in the disable-and-monitor process, and initiate the disable-first sequence for each new zero-hit rule. A quarterly review that consistently processes 20-40 rules prevents the accumulation of the backlog that requires a multi-month cleanup project in the first place.
The bottom line
Start with a hit-count report on your entire ruleset and identify every rule with zero hits in 90 days. Disable those rules in a test window, monitor for one full business cycle, and delete only after confirming no impact. Document every rule you keep with a business owner, purpose, and review date. Build the decommission workflow into your system offboarding process so that firewall rules are cleaned up automatically when servers are retired, preventing the next decade of accumulation.
Frequently asked questions
Is it safe to delete a firewall rule that has had zero hits for 90 days?
Zero hits in 90 days makes a rule a strong candidate for deletion, but delete it directly only after first disabling it and monitoring for one full business cycle (two to four weeks). Some legitimate traffic is infrequent enough that 90 days does not capture it: quarterly batch jobs, annual compliance reporting processes, or seasonal business applications. The disable-first approach lets you observe the effect of removing the rule before making the change permanent, with immediate rollback available if something breaks.
What is a shadow rule and why does it matter?
A shadow rule is a rule that is never evaluated because a more general rule earlier in the firewall's evaluation order matches the same traffic first. Shadow rules matter most when the earlier general rule is a permit and the shadowed rule is a deny: the intended blocking behavior is silently bypassed because the permit rule above it matches first. Shadow rules should be fixed by reordering (move the deny above the permit) rather than deleted, unless the shadow rule is a genuine duplicate with no distinct security intent.
How do I handle an any-any permit rule without causing an outage?
Run a traffic log query against the rule for 30 days to identify all actual flows it is permitting, categorized by source-destination-port combination. Work with application owners to identify legitimate flows. Create specific replacement rules for each legitimate flow and implement them above the any-any in the evaluation order. Verify the specific flows still work with the replacement rules in place, then disable the any-any (not delete) and monitor for one business cycle before deleting. Never disable an any-any rule without specific replacement rules already in place and verified.
What documentation should every firewall rule have?
At minimum: a human-readable name describing the rule's purpose, an owner field with the responsible team or individual, a business justification comment explaining what application or business process requires the traffic, and a last-reviewed date. For Palo Alto firewalls, use the description field and the tag system to maintain this metadata. For FortiGate, use the policy comment field. Enforce these fields as required in your change management request form for new rule additions so the documentation standard applies from day one of a rule's existence.
How do I prevent the rule accumulation problem from happening again after cleanup?
Two procedural changes are required. First, add a firewall rule review step to every system decommission checklist, assigned to the network or security team with required sign-off before the decommission ticket closes. Second, establish a quarterly review cadence: export zero-hit rule reports each quarter and initiate the disable-and-monitor process for each new zero-hit rule. Consistent quarterly processing of 20-40 rules prevents the multi-year accumulation that creates the need for a major cleanup project.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
