firewall analyzer

The Challenge

Optimizing Firewall Policies for Improved Security and Business Agility

As network and security teams manually process thousands of change requests, the underlying policy configurations (firewall rules, router and switch ACLs) grow very large and complex, increasing the risk of misconfigurations that an attacker can exploit during a breach.

Over time, rules become outdated, obsolete or shadowed. These unused rules increase security risk, waste administrator time and make it difficult to prove compliance. Yet identifying, locating and removing risky rules by hand without impacting business continuity is nearly impossible. Maintaining a clean rule base across multi-vendor, hybrid network environments addresses:

  • Misalignment of resources: senior administrators spend valuable time making routine changes when their expertise could be better applied elsewhere.
  • Breach and network downtime: manual errors and a lack of visibility into the security policy and its rules lead to misconfigurations that can result in a security breach, or in application and network downtime.
  • Performance: a poorly maintained, bloated policy can have a major impact on device performance.

To optimize the firewall, network and security teams must turn to automation to maintain secure and efficient security policies across heterogeneous network and hybrid cloud environments.

The Solution

Tufin Orchestration Suite for Firewall Optimization and Cleanup

Tufin Orchestration Suite includes comprehensive firewall optimization as part of the platform, giving organizations the ability to automatically clean up and maintain an optimal rule base for greater efficiency and security.

Organizations use Tufin Orchestration Suite's automated firewall rule cleanup to:

  • Analyze rule and object usage across multiple vendors, routers, devices and cloud workloads
  • Identify and remove unused rules, ACLs, network objects and group members
  • Identify and remove shadowed rules, unattached objects, duplicate objects and services, empty groups, and redundant and disabled rules
  • Identify overly permissive rules
  • Enforce compliance with internal policies and external industry regulations that mandate proper rule documentation, naming conventions, rule base structure, rule recertification and so on
  • Automate rule decommissioning
  • Automate server decommissioning
  • Automate the rule recertification process
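The cleanup categories above are defined precisely enough to be checked mechanically. The following Python is an added illustration, not Tufin code and not how SecureTrack implements its analysis: it models a small constructed rule base (first-match semantics, an explicit cleanup rule at the end) and applies four of the checks named above: shadowed rules, redundant rules, unused rules (zero hits in the observation window) and overly permissive rules. The rule format, the hit counters and the /12 breadth threshold are assumptions chosen for the example.

```python
"""Rule-base hygiene checks over a constructed firewall policy (added example, not Tufin code).

Assumptions: first-match evaluation, CIDR source/destination, "proto/port" services,
hit counters taken from device logs, and a /12 threshold for "too broad".
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple[str, ...]   # CIDRs, or ("any",)
    dst: tuple[str, ...]
    svc: tuple[str, ...]   # "tcp/443", "udp/53", ... or ("any",)
    action: str            # "accept" or "drop"
    hits: int = 0          # hit counter over the observation window (assumed)
    enabled: bool = True


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _covers_addr(outer, inner):
    """Every address matched by `inner` is also matched by `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    o = _nets(outer)
    return all(any(n.version == m.version and n.subnet_of(m) for m in o) for n in _nets(inner))


def _overlaps_addr(a, b):
    if ANY in a or ANY in b:
        return True
    return any(n.version == m.version and n.overlaps(m) for n in _nets(a) for m in _nets(b))


def covers(outer: Rule, inner: Rule) -> bool:
    """`outer` matches every packet `inner` would match (action is ignored)."""
    return (_covers_addr(outer.src, inner.src) and _covers_addr(outer.dst, inner.dst)
            and (ANY in outer.svc or (ANY not in inner.svc and set(inner.svc) <= set(outer.svc))))


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet is matched by both rules."""
    return (_overlaps_addr(a.src, b.src) and _overlaps_addr(a.dst, b.dst)
            and (ANY in a.svc or ANY in b.svc or bool(set(a.svc) & set(b.svc))))


def find_shadowed(rules):
    """Shadowed: an earlier enabled rule covers it, so it can never be hit, whatever either
    action is. Only single-rule shadowing is checked, not coverage by a union of earlier rules."""
    active = [r for r in rules if r.enabled]
    out = []
    for i, r in enumerate(active):
        earlier = next((e.name for e in active[:i] if covers(e, r)), None)
        if earlier:
            out.append((r.name, earlier))
    return out


def find_redundant(rules):
    """Redundant: a later rule with the same action covers it and no rule in between could
    intercept that traffic with a different action, so removing it leaves the policy unchanged."""
    active = [r for r in rules if r.enabled]
    out = []
    for i, r in enumerate(active):
        for j in range(i + 1, len(active)):
            later = active[j]
            if later.action != r.action or not covers(later, r):
                continue
            if not any(b.action != r.action and overlaps(b, r) for b in active[i + 1:j]):
                out.append((r.name, later.name))
            break  # a conflicting rule before `later` also precedes any later candidate
    return out


def find_unused(rules, min_hits=1):
    """Enabled rules with fewer than `min_hits` hits in the observation window."""
    return [r.name for r in rules if r.enabled and r.hits < min_hits]


def find_overly_permissive(rules, min_prefixlen=12):
    """Accept rules with 'any' source, destination or service, or an IPv4 source/destination
    wider than /min_prefixlen. Returns {rule name: [reasons]}. The threshold is an assumption."""
    findings = {}
    for r in rules:
        if not r.enabled or r.action != "accept":
            continue
        reasons = []
        for label, spec in (("src", r.src), ("dst", r.dst)):
            if ANY in spec:
                reasons.append(f"{label} is any")
            else:
                reasons += [f"{label} {n} is wider than /{min_prefixlen}"
                            for n in _nets(spec) if n.version == 4 and n.prefixlen < min_prefixlen]
        if ANY in r.svc:
            reasons.append("service is any")
        if reasons:
            findings[r.name] = reasons
    return findings


# Constructed sample rule base (not from any real device).
RULES = [
    Rule("r1", ("10.0.0.0/8",), ("192.168.10.5/32",), ("tcp/443",), "accept", hits=1200),
    Rule("r2", ("10.1.2.0/24",), ("192.168.10.5/32",), ("tcp/443",), "accept", hits=0),
    Rule("r3", ("10.5.0.0/16",), ("172.16.0.0/12",), ("tcp/22",), "accept", hits=30),
    Rule("r4", (ANY,), ("172.16.0.0/12",), ("tcp/22",), "drop", hits=5),
    Rule("r5", ("10.7.0.0/24",), ("192.168.0.0/16",), ("udp/53",), "accept", hits=0),
    Rule("r6", ("10.7.0.0/16",), ("192.168.0.0/16",), ("udp/53", "tcp/53"), "accept", hits=88),
    Rule("r7", (ANY,), ("192.168.100.0/24",), (ANY,), "accept", hits=40000),
    Rule("r8", ("10.9.0.0/24",), ("192.168.1.0/24",), ("tcp/80",), "accept", hits=3, enabled=False),
    Rule("r9", (ANY,), (ANY,), (ANY,), "drop", hits=9000),  # cleanup rule
]


def report(rules):
    return {
        "shadowed": find_shadowed(rules),
        "redundant": find_redundant(rules),
        "unused": find_unused(rules),
        "disabled": [r.name for r in rules if not r.enabled],
        "overly_permissive": find_overly_permissive(rules),
    }


if __name__ == "__main__":
    for category, findings in report(RULES).items():
        print(f"{category}: {findings}")
```

On this sample, r2 is shadowed by r1 (a /24 inside a /8 to the same destination and service), r5 is redundant with r6, r2 and r5 have no hits, and r1 and r7 are flagged as overly permissive. Note that the explicit drop r4 is also reported as redundant with the cleanup rule r9: that is correct for the policy's behaviour, but teams often keep such drops for logging, which is exactly why findings feed a recertification decision rather than an automatic delete. Two limits to keep in mind when reading such output: a rule covered only by the union of several earlier rules is not caught by the single-rule shadowing check, and "unused" is only as trustworthy as the observation window the hit counters cover.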

With automated cleanup in place, organizations can:

  • Increase the efficiency of security and network teams by automating repetitive administration tasks
  • Reduce cybersecurity risk by tightening access policies across the hybrid network
  • Enforce compliance with internal and industry regulations and reduce audit preparation effort
  • Optimize the performance of network firewalls and routers by eliminating redundancies and resolving conflicts

The automated rule decommissioning workflow runs through SecureTrack and SecureChange in order:

  • Identify rules that should be removed in the SecureTrack Policy Browser
  • Initiate a configurable process for decommissioning the rules
  • A ticket is created in SecureChange for decommissioning the selected rules
  • The design and provisioning of the removal of the selected rules is automated
  • Verify that the selected rules were successfully removed
  • Change monitoring shows the new revision with the ticket number for full documentation and audit