Remove Unused Rules

To reduce the attack surface, get rid of rules you don’t use.
The migrated rulebase often contains rules that aren’t in use because no application traffic matches those rules. Unused rules clutter the rulebase and offer avenues of attack to adversaries. Remove these rules to clean up the rulebase and reduce the attack surface, or modify them so they apply to application traffic and serve a legitimate purpose in the rulebase.
Unused rules may exist for a number of reasons. Rules governing services and applications that the business once used but replaced with other applications may be in the rulebase. A rule that precedes an unused rule may control the applications that would otherwise match the unused rule. In some cases, unused rules are old rules created by administrators who are no longer with the company and no current administrators know the rule’s intent.
View rules over any Timeframe you choose (Policies > Security > Policy Optimizer > Rule Usage). Set the Usage to Unused to filter out rules that have seen application traffic.
  1. Identify unused rules.
    In Policies > Security > Policy Optimizer > Rule Usage, set the Timeframe to All time, set the Usage to Unused (to display only rules with a Hit Count of zero), and select Exclude rules reset during the last 30 days (to prevent displaying recently reset rules that may not have seen traffic over the last few days but that may see traffic over a longer time period). The result is a list of rules that have not seen application traffic over the selected Timeframe.
    [Image: remove-unused-rules-tsunami-example.png]
  2. Evaluate rules that have seen no traffic and determine if they are needed or if you can disable them.
    In this example, the business used Tsunami file transfer in the past, but investigation shows the business no longer uses Tsunami and replaced it with other file transfer applications, so there is no reason to allow Tsunami application traffic on the network.
  3. Disable (or Delete) the rule.
    In Policies > Security, select the Tsunami file transfer rule. Either Disable or Delete the rule.
    Disabling the rule is safer in case it turns out that your business needs the application, even though it hasn’t seen any traffic. (This may happen if you don’t take quarterly and annual events into account when investigating whether the business uses an application, or if the application is required for a contractor or partner whose traffic only accesses the network periodically.) After a reasonable period of time, you can delete unused rules that you disabled earlier.
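The three steps above can be modelled as a small review script. The following is an added example, not PAN-OS code or part of the original page: it works over a constructed, in-memory copy of a rulebase (rule names, hit counts and reset dates are made up), applies the same filter the Rule Usage view applies (zero hits, with rules whose counters were reset in the last 30 days excluded), disables rather than deletes the selected rules, and only deletes disabled rules after a grace period. The 365-day grace period is an assumption chosen to cover quarterly and annual business events; the page itself only says "a reasonable period of time".

```python
"""Added example: review a security rulebase for unused rules the way the
Policy Optimizer Rule Usage filter does, then disable first and delete later.
All rule data here is constructed; this is not PAN-OS code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class SecurityRule:
    name: str
    hit_count: int                   # hits since the counter was last reset
    last_reset: Optional[datetime]   # None if the counter was never reset
    disabled: bool = False
    disabled_at: Optional[datetime] = None


def find_unused_rules(rules: List[SecurityRule], now: datetime,
                      exclude_reset_days: int = 30) -> List[SecurityRule]:
    """Rules with a Hit Count of zero whose counters were NOT reset within the
    last `exclude_reset_days` days. A freshly reset counter proves nothing, so
    those rules are left out, matching 'Exclude rules reset during the last 30 days'."""
    cutoff = now - timedelta(days=exclude_reset_days)
    candidates = []
    for rule in rules:
        if rule.hit_count != 0:
            continue                 # rule has matched traffic: keep it
        if rule.last_reset is not None and rule.last_reset > cutoff:
            continue                 # counter too young to judge
        candidates.append(rule)
    return candidates


def disable_rules(rules: List[SecurityRule], names: List[str],
                  now: datetime) -> List[SecurityRule]:
    """Disable (never delete) the named rules and record when that happened.
    Disabling is reversible if a quarterly job or partner turns up later."""
    wanted = set(names)
    for rule in rules:
        if rule.name in wanted and not rule.disabled:
            rule.disabled = True
            rule.disabled_at = now
    return [r for r in rules if r.disabled]


def prune_disabled_rules(rules: List[SecurityRule], now: datetime,
                         grace_days: int = 365) -> List[SecurityRule]:
    """Return the rulebase with rules removed that have been disabled for at
    least `grace_days`. 365 is an assumed value long enough to cover annual events."""
    cutoff = now - timedelta(days=grace_days)
    return [r for r in rules
            if not (r.disabled and r.disabled_at is not None
                    and r.disabled_at <= cutoff)]


def days_later(when: datetime, days: int) -> datetime:
    """Small helper so callers can advance the clock without importing timedelta."""
    return when + timedelta(days=days)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "today"


def build_sample_rulebase() -> List[SecurityRule]:
    """Constructed rulebase; every value is made up for illustration."""
    return [
        SecurityRule("allow-tsunami-ft", 0, None),                      # never hit, never reset
        SecurityRule("allow-web", 12_450, None),                        # busy rule
        SecurityRule("allow-partner-sftp", 0, days_later(NOW, -10)),    # counter reset 10 days ago
        SecurityRule("allow-legacy-ftp", 0, days_later(NOW, -90)),      # counter reset 90 days ago
    ]


if __name__ == "__main__":
    rules = build_sample_rulebase()
    unused = find_unused_rules(rules, NOW)
    print("Unused candidates:", [r.name for r in unused])
    disable_rules(rules, ["allow-tsunami-ft"], NOW)
    print("After 400 days:",
          [r.name for r in prune_disabled_rules(rules, days_later(NOW, 400))])
```

Note that allow-partner-sftp is not reported as unused with the default 30-day exclusion, even though its hit count is zero, because its counter was reset only ten days ago; lowering `exclude_reset_days` brings it back into the list, which is exactly the kind of false positive the exclusion checkbox exists to prevent.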
