Firewall Rule Base Cleanup: Policy Examples & Best Practices

A firewall rule base is a set of rules that determine what is and what is not allowed through the firewall.

Over time, firewall rule bases tend to become large and complicated. They often include rules that are either partially or completely unused, expired or shadowed. The problem gets worse if there have been multiple administrators making changes or if there are many firewalls in your organization.

When the rule base gets big and tangled, it starts to affect firewall performance. It is difficult to maintain, and it can conceal genuine security risks. And standards such as PCI-DSS, NERC-CIP and ISO 27001 require clean-up of unused rules and objects.

With some help from our customers, I’ve put together a list of best practices for cleaning up a firewall (or router) rule base. You can do all of these checks on your own, but if you have Tufin SecureTrack+ you can run most of them automatically.

Delete fully shadowed rules that are effectively useless. If you have SecureTrack+, these are detected by the Rule and Object Usage report.
Delete expired and unused rules and objects. All of these are detected by the Rule and Object Usage and the Expired Rules reports.
Remove unused connections – specific source/destination/service routes that are not in use. You can detect those using the Automatic Policy Generator to analyze traffic patterns.
Enforce object naming conventions that make the rule base easy to understand. For example, use a consistent format such as host_name_IP for hosts. This is an option in the Best Practices report.
Delete old and unused policies. Check Point and some other vendors allow you to keep multiple rule bases. This is another test in the Best Practices report.
Remove duplicate objects, for example, a service or network host that is defined twice with different names. The Best Practices Report can identify these.
Reduce shadowing as much as possible. You can detect partially shadowed rules with Policy Analysis.
Break up long rule sections into readable chunks of no more than 20 rules. This too can be checked with the Best Practices report.
Document rules, objects and policy revisions – for future reference. You can do this with some vendor tools. In SecureTrack+, you can document revisions, for instance, to indicate when an audit was performed. You can also link policy changes to tickets from your help desk to store additional information about the requestor, approver, etc. You can enforce a standard for rule documentation with the Rule Comments Format test in the Best Practices report.

Last but not least, some of your most important security checks also help you maintain a clean, compact rule base. If you use SecureTrack+, try these:

Tighten up permissive rules: Run the Automatic Policy Generator (APG) to detect rules that are too open.
Define a zone-based compliance policy and check it by running an audit report.
Identify and reduce insecure rules using the Best Practices report.
Optimize performance. See my previous posts: Tufin Firewall Expert Tip #4: Vendor and model-specific tips for optimizing firewall performance and Tufin Firewall Expert Tip #3: Best practices for optimizing firewall performance.