Six steps to optimize firewalls to improve cyber hygiene and reduce risk

Learn how to analyze firewall rule sets and automate change management workflows to improve cyber hygiene, ensure compliance, and reduce risk.

With rapid technology adoption, it’s more important than ever for organizations to secure their networks. One of the best ways to do this is to ensure their firewall rules are up to date, compliant, and running optimally. However, for many organizations, firewall rule changes are time-intensive to implement, often due to firewall rule bloat and complexity. Firewall rulesets become unwieldy and unmanageable over time with superfluous, overly permissive, obsolete, or orphaned rules, expanding an organization’s attack surface and enabling easy access for threat actors.

Removing unnecessary rules and objects reduces firewall policy complexity, increases manageability, eliminates risky rules, and reduces misconfigurations, service disruptions, and rollbacks. A straightforward, intelligible ruleset combined with effective rule lifecycle management processes enables organizations to continuously comply with internal policies and external regulatory frameworks, ensuring you are audit-ready and continuously compliant. Rule optimization is particularly beneficial in industries where periodic rule recertification is mandatory.

However, rule optimization can be daunting even for seasoned administrators when managing complex mixed-vendor environments – this is where firewall management software can help. Automating operational workflows allows administrators to combine rule optimization with automated ticketing and change orchestration processes for seamless provisioning of optimized rulesets.

Firewall Assurance

Improve cyber hygiene and risk management with centralized, optimized firewall management.

Firewall security policy best practices

It’s best to start with the basics when determining the optimal way to review firewall rules. Ideally, IT teams should optimize firewall rulesets regularly to provide a continuous cycle of cyber hygiene. At a minimum, firewall security policy best practices suggest you review rules every 1-2 years. While this is a daunting project without firewall management software, keeping your firewalls running at optimum levels is critical to keeping your organization secure. Additionally, teams should undertake the exercise before firewall migration or rule recertification projects.

Here are six ways you can better optimize your firewall rules:

Best practice #1: Identify shadowed, redundant, expired, or disabled rules

A simpler ruleset facilitates easier documentation of business justification and ownership for each rule. However, you often find redundant rules that have their scope entirely covered by other rules with the same action below it in the rule chain. Eliminating these redundant rules helps create a more manageable firewall ruleset. A firewall management software can help you analyze the rule base to identify shadowed, redundant, administratively disabled, or expired rules to help find redundancies that can be cleaned up.

Best practice #2: Identify duplicate or orphaned objects

Duplicate objects have the same scope but different unique names. Orphaned objects exist within the firewall configuration but are unutilized in any firewall rule. These objects may be pre-existing or newly created due to eliminating duplicate objects, but both bloat your firewall ruleset. Administrators can eliminate the inconsistency of firewall rules that use duplicate objects by reconfiguring all rules to use one object and deleting the extra objects.

Best practice #3: Identify unused rules/objects

Analyze firewall hit counters and traffic logs to identify unused rules and objects that can be safely removed from the firewall. Administrators should conduct the analysis over a sufficiently long period before altering firewall rules. During the analysis period, determine what unutilized rules should be flagged for either deletion or disabling.

Best practice #4: Identify partially used rules/objects, evaluate flows

A detailed, granular view of the partial usage of rules and objects can be obtained by delineating the exact utilization of sources, destinations, and services within a rule or object. Once discovered, you should be able to identify overly permissive rules and objects and map individual flows documenting communication between source, destination, and service tuples.

Best practice #5: Create tickets for rule/object deletion/modification

Once the necessary rule and object changes have been identified, tickets should be created for each deletion, deactivation, or modification. Ideally, your firewall management software should simplify this by integrating with your ITSM or ticketing systems. It is also important to run a risk assessment to ensure that proposed changes do not inadvertently expose vulnerabilities or violate compliance requirements.

Best practice #6: Automated provisioning of rule/object changes on firewalls

The most efficient way to manage firewall rules is to have firewall rule management software that fully automates workflows. This greatly improves business agility through faster firewall rule provisioning, freeing personnel time and allowing for continuous network security, availability, and compliance. Tickets should only be closed after the changes are successfully implemented and verified. It may also be beneficial to recertify the firewall rule set following automated de-provisioning of rules/objects and provisioning of modified rules/objects.

Change Manager

Automate change management workflows for comprehensive risk assessments.


For many organizations, it’s overwhelming to think about reviewing all the firewall rulesets in place – let alone knowing where to begin. However, taking steps to clean and optimize firewall rules helps not only reduce risk but also increases network resiliency. With the right tools in place, IT teams can take steps to optimize their firewall rules to protect their organization better.

See how Skybox can help you better manage your firewalls: