Why clean up firewall rules
Over time, every rule base accumulates clutter: temporary rules that became permanent, duplicates, shadowed rules that never match, overly broad rules, and objects pointing to systems that no longer exist. This sprawl expands your attack surface, slows performance and makes every change riskier.
Cleanup reverses that. It shrinks the attack surface, simplifies the rule base so changes are safer, and makes the firewall comprehensible again. The challenge is doing it without disrupting legitimate traffic.
Step 1: Understand the effective policy
Before removing anything, understand how the rules actually combine. Export the configuration and reconstruct the effective policy — what access is genuinely granted, and which rules contribute to it. This prevents you from deleting a rule that looks redundant but is actually carrying traffic.
Step 2: Identify cleanup candidates
- Unused rules that match no traffic
- Shadowed rules that can never match because a broader rule precedes them
- Redundant rules duplicated elsewhere
- Overly permissive any/any rules that should be scoped down
- Objects referencing decommissioned systems
- Expired temporary rules that were never removed
Step 3: Validate before removing
For each candidate, confirm it is genuinely safe to remove or tighten. Cross-reference against the effective policy and, where available, traffic logs. Removing a rule that quietly carries needed traffic is the fastest way to cause an outage.
Where you cannot be certain, tighten rather than delete first — narrow the scope, monitor, and remove only once you are confident.
Step 4: Change carefully and document
- Back up the configuration before making changes
- Make changes in controlled batches, not all at once
- Document each change and its justification
- Monitor for impact after each batch
- Re-scan to confirm the cleanup and catch regressions
Make cleanup repeatable
A one-time cleanup helps, but sprawl returns if nothing changes. The durable fix is regular review that catches new clutter before it accumulates.
FirewallScan identifies unused, shadowed, redundant and overly permissive rules automatically for FortiGate, and lets you re-check after every change — so cleanup becomes an ongoing discipline rather than a periodic crisis.