Focus
Focus
Table of Contents
End-of-Life (EoL)

Remove Unused Rules

To reduce the attack surface, get rid of rules you don’t use.
The migrated rulebase often contains rules that aren’t in use because no application traffic matches those rules. Unused rules clutter the rulebase and offer avenues of attack to adversaries. Remove these rules to clean up the rulebase and reduce the attack surface, or modify them so they apply to application traffic and serve a legitimate purpose in the rulebase.
Unused rules may exist for a number of reasons. Rules governing services and applications that the business once used but replaced with other applications may be in the rulebase. A rule that precedes an unused rule may control the applications that would otherwise match the unused rule. In some cases, unused rules are old rules created by administrators who are no longer with the company and no current administrators know the rule’s intent.
View rules over any Timeframe you choose (PoliciesSecurityPolicy OptimizerRule Usage). Set the Usage to Unused to filter out rules that have seen application traffic.
  1. Identify unused rules.
    In PoliciesSecurityPolicy OptimizerRule Usage, set the Timeframe to All time, set the Usage to Unused (to display only rules with a Hit Count of zero), and Exclude rules reset during the last 30 days (to prevent displaying recently reset rules that may not have seen traffic over the last few days but that may see traffic over a longer time period). The result is a list of rules that have not seen application traffic over the selected Timeframe.
  2. Evaluate rules that have seen no traffic and determine if they are needed or if you can disable them.
    In this example, the business used Tsunami file transfer in the past, but investigation shows that the business no longer uses Tsunami, so there is no reason to allow Tsunami application traffic on the network.
  3. Disable or Delete the rule.
    In PoliciesSecurity, select the Tsunami file transfer rule and either Disable or Delete the rule.
    Disabling the rule is safer in case it turns out that your business needs the application, even though it hasn’t seen any traffic. (This may happen if you don’t take quarterly and annual events into account when investigating whether the business uses an application or if the application is required for a contractor or partner whose traffic only accesses the network periodically.) After a reasonable period of time, delete unused rules that you disabled earlier.