Firewall Optimization

The Challenge

Maintaining Clean, Reliable and Secure Firewall Policies

As the security team processes thousands of change requests, the underlying policy configurations (firewall rulebases, router and switch ACLs) grow large and complex, and over time they often hide unnecessary connectivity that can be exploited during a security breach. In fact, many of the rules and objects in a typical firewall or router policy are obsolete. These unused rules represent a potential security risk and should be eliminated, yet it is nearly impossible for managers to locate and remove them without risking business continuity.

A poorly managed policy is difficult to maintain and requires the attention of senior administrators with a great deal of expert, undocumented knowledge. Since a mistake can result in application or network downtime, it isn't feasible to assign policy management to less-experienced or outsourced staff. The potential cost of an error is even higher for security service providers.

In addition to security risks, a poorly maintained policy can have a major impact on performance. The entire rule base is evaluated from top to bottom for every new network connection, so as it grows, hardware requirements increase with it. Security teams need automation in order to maintain secure, efficient policies on all of their firewalls and routers.

The Solution

Tufin Orchestration Suite for Firewall Optimization and Cleanup

Tufin Orchestration Suite offers a comprehensive firewall optimization management solution that gives organizations the ability to keep security policies airtight and lean at all times.

Tufin's automated firewall optimization solution enables organizations to:

  • Analyze actual rule and object usage across multiple time periods
  • Identify unused rules, ACLs, network objects and group members for cleanup
  • Identify rules and objects that need to be optimized or removed, such as shadowed rules, unattached objects, duplicate objects and services, empty groups, and redundant and disabled rules and ACLs
  • Identify overly permissive rules that need to be replaced
  • Enforce compliance for industry regulations and enterprise policy best practices such as proper rule documentation, naming conventions, rule base structure, rule recertification policies etc.
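The checks in the list above (unused, shadowed, redundant, disabled and overly permissive rules; duplicate and unattached objects; empty groups) can all be expressed as set-containment tests over a first-match rule base, which also shows why the top-to-bottom evaluation described under The Challenge is what makes a rule "shadowed". The following Python script is an added example written for this page; it is not Tufin code and not SecureTrack output. The rule base, object table, group table and hit counts are constructed, and the Rule model is a deliberate simplification (one source and one destination network per rule, no zones, NAT or IPv6 mixing).

```python
"""Rule-base hygiene checks over a simplified first-match rulebase.

Added example, not product code: the Rule model, the sample rules and
the hit counts below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_SVC = frozenset({"any"})


@dataclass
class Rule:
    name: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    services: frozenset    # e.g. {"tcp/443"}, or {"any"}
    action: str            # "accept" or "drop"
    hits: int              # hit count over the analysed period
    enabled: bool = True


def net(spec):
    """Map the 'any' keyword to 0.0.0.0/0, otherwise parse the CIDR."""
    return ANY_NET if spec == "any" else ip_network(spec)


def net_covers(outer, inner):
    """True if every address in inner is also in outer (same IP version only)."""
    o, i = net(outer), net(inner)
    return o.version == i.version and i.subnet_of(o)


def svc_covers(outer, inner):
    """True if every service in inner is also matched by outer."""
    return outer == ANY_SVC or inner <= outer


def covers(outer, inner):
    """True if every packet that matches `inner` would already match `outer`."""
    return (net_covers(outer.src, inner.src)
            and net_covers(outer.dst, inner.dst)
            and svc_covers(outer.services, inner.services))


def analyse(rules):
    """Return (rule name, finding) pairs in rule-base order.

    A rule fully covered by an earlier enabled rule can never be hit:
    same action -> redundant (safe to remove), different action ->
    shadowed (a conflict that ordering must resolve).
    """
    findings = []
    for i, rule in enumerate(rules):
        if not rule.enabled:
            findings.append((rule.name, "disabled"))
            continue
        if rule.hits == 0:
            findings.append((rule.name, "unused"))
        if (rule.action == "accept" and rule.src == "any"
                and rule.dst == "any" and rule.services == ANY_SVC):
            findings.append((rule.name, "overly permissive"))
        for earlier in rules[:i]:
            if earlier.enabled and covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, f"{kind} by {earlier.name}"))
                break  # the first covering rule is the one that wins at match time
    return findings


def duplicate_objects(objects):
    """Group object names that share an identical definition."""
    by_definition = {}
    for name, definition in objects.items():
        by_definition.setdefault(definition, []).append(name)
    return [names for names in by_definition.values() if len(names) > 1]


def empty_groups(groups):
    """Names of groups with no members."""
    return [name for name, members in groups.items() if not members]


def unattached_objects(objects, groups, rules):
    """Objects referenced by no group and by no rule's source or destination."""
    in_groups = {m for members in groups.values() for m in members}
    in_rules = {r.src for r in rules} | {r.dst for r in rules}
    return [n for n, d in objects.items() if n not in in_groups and d not in in_rules]


# Constructed sample data (hypothetical networks and hit counts).
RULES = [
    Rule("r1", "10.0.0.0/8", "192.168.1.10/32", frozenset({"tcp/443"}), "accept", 5120),
    Rule("r2", "10.1.0.0/16", "192.168.1.10/32", frozenset({"tcp/443"}), "accept", 0),
    Rule("r4", "172.16.0.0/12", "any", frozenset({"tcp/22"}), "drop", 42),
    Rule("r5", "10.2.0.0/16", "192.168.2.0/24", frozenset({"udp/53"}), "accept", 0),
    Rule("r3", "any", "any", ANY_SVC, "accept", 880000),
    Rule("r6", "10.0.0.0/8", "any", frozenset({"tcp/22"}), "drop", 0),
    Rule("r7", "10.3.0.0/16", "any", frozenset({"tcp/80"}), "accept", 0, enabled=False),
]
OBJECTS = {"web-dmz": "192.168.1.0/24", "dmz-web-old": "192.168.1.0/24", "db": "10.5.0.0/16"}
GROUPS = {"legacy-apps": [], "web-tier": ["web-dmz"]}

if __name__ == "__main__":
    for name, finding in analyse(RULES):
        print(f"{name}: {finding}")
    print("duplicate objects:", duplicate_objects(OBJECTS))
    print("empty groups:", empty_groups(GROUPS))
    print("unattached objects:", unattached_objects(OBJECTS, GROUPS, RULES))
```

Two design points matter in practice. First, "unused" on its own only says the rule had no hits in the analysed period, which is why usage should be compared across several periods before a rule is decommissioned; "redundant" and "shadowed" findings are structural and hold regardless of traffic. Second, the script returns findings rather than deleting anything, so the results can feed a change workflow that decommissions rules under review rather than editing the policy in place.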

In summary, the solution lets security teams:

  • Analyze actual rule and object usage
  • Identify and clean up unused rules, ACLs, network objects and group members
  • Identify rules and objects that need to be optimized or removed
  • Change rule order to resolve rule base conflicts
  • Enforce industry best practices
  • Automatically identify and replace overly permissive rules

Rule decommissioning workflow

  • Identify rules that should be removed in the SecureTrack Policy Browser
  • Initiate a configurable process for decommissioning the rules
  • A ticket is created in SecureChange for decommissioning the selected rules
  • Automate the design and provisioning of removing the selected rules
  • Verify that the selected rules were successfully removed
  • Change monitoring shows the new revision with the ticket number for full documentation and audit