Removable Rules Report

All rules listed in the Removable Rules Report should be analyzed further before removal to clean up policy inconsistencies.

Displays security rules that are inconsistent in the policy because they are redundant (matching traffic and action with a rule higher in the policy), shadowed (matching traffic but not action with a rule higher in the policy), or inoperative (no matching traffic due to an empty rule set). These rules should be analyzed further before removal to clean up policy inconsistencies.

  • A rule (or part of a rule) is considered shadowed when a rule higher in the policy matches the traffic (source/destination/service) but not the action of this rule. The shadowed rule (or the identified portion of the rule) should be reviewed before removal to ensure the correct action is enforced.
  • A rule (or part of a rule) is considered inoperative when there is no matching traffic to a previous rule due to an empty rule set; this is a misconfiguration. The inoperative rule (or the identified portion of the rule) could be removed from the policy as it serves no useful purpose in the policy. An example would be a source zone that does not intersect the source address on the rule.
  • A rule (or part of a rule) is considered redundant when a rule higher in the policy matches both the traffic (source/destination/service) and the action of this rule. The redundant rule (or the identified portion of the rule) could be removed from the policy as it serves no useful purpose in the policy.

    Additional types of redundancy exist but are simply flagged as redundant:

    • BACKWARD_REDUNDANCY: A rule having a subset of the address space of a subsequent rule with the same action. Any rule that matches a subset of a subsequent rule, or rules, with the same action is a misconfiguration (error) within the same firewall and can be removed.
    • CORRELATION: A rule that intersects the address space of a preceding rule but with the opposite action. Not necessarily removable, because it is often used as a technique to exclude certain ranges.
    • FORWARD_REDUNDANCY: A rule having a subset of the address space of a preceding rule with the same action. Any rule that matches a subset of the previous rules with the same action is a misconfiguration (error) within the same firewall and can be removed.
    • HIDDEN: A rule that specifies the same action as the matching preceding rule. Also known as a generalization.
    • REDUNDANCY_CORRELATION: A rule that is partially in the accept space and partially in the deny space.
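The shadowed, inoperative and redundant definitions above can be checked mechanically. The following is an added example, not FireMon's own analysis code: it walks an ordered, constructed rule set, compares each rule against the rules above it, and labels it by the report's three main categories. Matching is simplified to IPv4 CIDR blocks plus a service string, and `src_zone_nets` is an assumed field standing in for the networks behind a rule's source zone.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Rule:
    name: str
    src: str          # source address, CIDR
    dst: str          # destination address, CIDR
    service: str      # e.g. "tcp/443"
    action: str       # "accept" or "deny"
    src_zone_nets: tuple = ()  # assumed: networks reachable via the source zone

def covers(higher: Rule, rule: Rule) -> bool:
    """True when `higher` matches every flow that `rule` matches."""
    return (ip_network(rule.src).subnet_of(ip_network(higher.src))
            and ip_network(rule.dst).subnet_of(ip_network(higher.dst))
            and higher.service == rule.service)

def inoperative(rule: Rule) -> bool:
    """Empty match set: the source zone never intersects the source address."""
    if not rule.src_zone_nets:
        return False
    src = ip_network(rule.src)
    return not any(src.overlaps(ip_network(z)) for z in rule.src_zone_nets)

def classify(rules):
    """Map rule name -> REDUNDANT / SHADOWED / INOPERATIVE (unlisted = no finding)."""
    findings = {}
    for i, rule in enumerate(rules):
        if inoperative(rule):
            findings[rule.name] = "INOPERATIVE"
            continue
        for higher in rules[:i]:
            # an inoperative rule matches no traffic, so it cannot shadow anything
            if findings.get(higher.name) == "INOPERATIVE":
                continue
            if covers(higher, rule):
                same = higher.action == rule.action
                findings[rule.name] = "REDUNDANT" if same else "SHADOWED"
                break
    return findings

SAMPLE_RULES = [  # constructed sample policy, top to bottom
    Rule("r1", "10.0.0.0/8", "192.168.1.0/24", "tcp/443", "accept"),
    Rule("r2", "10.1.0.0/16", "192.168.1.0/24", "tcp/443", "accept"),   # subset of r1, same action
    Rule("r3", "10.2.0.0/16", "192.168.1.10/32", "tcp/443", "deny"),    # subset of r1, other action
    Rule("r4", "172.16.0.0/12", "0.0.0.0/0", "tcp/22", "accept",
         src_zone_nets=("10.0.0.0/8",)),                                 # zone never matches source
    Rule("r5", "172.16.5.0/24", "0.0.0.0/0", "tcp/22", "accept"),       # only r4 would cover it
]

if __name__ == "__main__":
    print(classify(SAMPLE_RULES))
```

Only full coverage is flagged here; a partial overlap (the "part of a rule" case in the definitions) needs an address-space difference rather than a subset test, and BACKWARD_REDUNDANCY additionally requires that no intervening rule with a different action intersects the candidate.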

The rules in the removable rules report are listed sequentially in the order that they appear in the policy; first by policy, then by rule order in that policy.

For some devices this report duplicates rule recommendations—listing them separately for IPv4 and IPv6 even though it is one rule on the device.

To create and schedule this report, complete the following steps.

  1. On the toolbar, click System > Reports.
  2. Click Create > Removable Rules Report.
  3. Complete the General section.
    1. The Name and Description fields are prepopulated, but can be changed.
    2. Select a Device Group, Cluster or Device to associate to the report.
  4. Select from the following in the Options section to include in the report. A blue key indicates inclusion.
    • Rules Causing Shadowing or Redundancy
    • Object Details
    • Group Members
    • Device Summary
  5. Complete the Scheduling Properties section.
    1. Select a Recurrence from the list, and then select the Enable check box.
    2. Enter a Description (or purpose) for the schedule.
    3. Depending on the Recurrence type selected, additional required fields appear.

    Repeat Interval is used to determine how often the report should run during the set Start/End Time. For example, a report set to run daily for a 30-day period with a repeat interval of 2 will run every two days during the set period.

    4. Set a Start Time and End Time. Click the calendar icon to set a day, and the clock icon to set a time.
  6. Complete the Email Notification Settings section.
    1. Select the Users to include. Enter the first few letters of the user's name to search the All Users list.
    2. Enter other recipients in the Additional Email Addresses field. Use a semicolon to separate multiple email addresses.
    3. Select a Report Format output of PDF or CSV.
    4. Optional. Click the Use .ZIP file for email attachment toggle key to enable this feature.
    5. Optional. Click the Sign and encrypt email toggle key to enable this feature.

    Email encryption must be set up before the Sign and encrypt email feature can be used.

  7. Click Save.