To reduce the attack surface, get rid of rules you don’t
The migrated rulebase often contains rules
that aren’t in use because no application traffic matches those
rules. Unused rules clutter the rulebase and offer avenues of attack
to adversaries. Remove these rules to clean up the rulebase and
reduce the attack surface, or modify them so they apply to application traffic
and serve a legitimate purpose in the rulebase.
may exist for a number of reasons. Rules governing services and applications
that the business once used but replaced with other applications
may be in the rulebase. A rule that precedes an unused rule may
control the applications that would otherwise match the unused rule.
In some cases, unused rules are old rules created by administrators
who are no longer with the company and no current administrators
know the rule’s intent.
View rules over any
filter out rules that have seen application traffic.
Identify unused rules.
display only rules with a Hit Count of zero), and
rules reset during the last 30 days
(to prevent displaying
recently reset rules that may not have seen traffic over the last
few days but that may see traffic over a longer time period). The
result is a list of rules that have not seen application traffic
over the selected
Evaluate rules that have seen no traffic and determine
if they are needed or if you can disable them.
In this example, the business used Tsunami file transfer
in the past, but investigation shows the business no longer uses
Tsunami and replaced it with other file transfer applications, so
there is no reason to allow Tsunami application traffic on the network.
select the Tsunami file transfer rule. Either
Disabling the rule is safer in case it turns out that
your business needs the application, even though it hasn’t seen
any traffic. (This may happen if you don’t take quarterly and annual
events into account when investigating whether the business uses
an application or if the application is required for a contractor
or partner whose traffic only accesses the network periodically.)
After a reasonable period of time, you can delete unused rules that
you disabled earlier.