{{ result.summary.heading }}
{{ result.summary.primary }}
{{ result.summary.line }}
{{ badge.label }}
Use recent firewall, cloud security group, or policy exports when possible so the review queue includes owner, use, expiry, and scope evidence.
{{ params.rules.length.toLocaleString() }} chars
{{ sourceStatus }}
{{ fileError }}
Use the evidence cutoff date from the recertification or change window.
Choose the policy surface closest to the reviewed firewall, security group, or host policy.
Use your policy recertification window; 180 days is a common conservative cleanup threshold.
days
Optional review title for handoff evidence.
Set to 0 if the export does not include temporary-rule expiry dates.
days
Keep at 0 for strict unused-rule review, or raise it for policy cleanup sprints.
hits
Use /16 for conservative internet-facing reviews; internal reviews can use a lower-sensitivity threshold.
/
Use commas or spaces. Service aliases such as ssh, rdp, smb, mysql, postgres, and mssql are accepted.
{{ result.reportMarkdown }}
{{ header }} Copy
{{ cell }}
No rows for the current input.
Tags: Networking, Security
Export to PDF Fullscreen
Customize
Advanced
:

Firewall rule reviews decide whether existing access still has a current business reason. A rule that was correct during a migration, incident response window, or partner setup can become risky after traffic stops, ownership changes, or the temporary exception expires. The review is strongest when it looks at the rule path and the evidence behind it together: action, protocol, source, destination, service, owner, justification, last use, hit count, expiry, and the proposed review decision.

Firewall policy is meant to express allowed traffic, not merely collect historical exceptions. Broad sources such as 0.0.0.0/0, wide internal CIDRs, and administrative ports such as SSH, RDP, SMB, and database services deserve close attention because they can expose sensitive paths even when the row has a familiar label. A low-use or unused rule is not automatically wrong, but it needs stronger evidence than an actively used, tightly scoped rule with a named owner.

Periodic review also protects change teams from deleting the wrong row. A stale date may reflect a quiet disaster-recovery path, an application that only runs monthly, or a logging gap rather than unused access. That is why a useful review queue should point to the reason for follow-up and the next action, not just rank rows by age.

Compliance and audit programs often ask for recertification evidence, but the practical job is simpler: prove that each allow rule still has a narrow path, a responsible owner, a current reason, and a review outcome that matches the access. The result should help a reviewer decide which rules to keep, remove, tighten, archive, or send back for owner confirmation.

A rule review report is not a firewall simulation. It does not replace vendor policy testing, object-group expansion, NAT checks, zone logic, identity-aware policy checks, or live traffic verification. It helps turn an inventory export into a focused cleanup queue that a network, security, or audit team can inspect before making policy changes.

Technical Details:

Firewall recertification starts with a policy row and its evidence. The technical fields describe traffic scope: action, protocol, source, destination, and service. The governance fields explain why the row exists: owner, justification, last-used date, recent hit count, expiry date, review decision, and any note or ticket reference. Risk rises when a permissive traffic scope and weak governance evidence appear in the same row.

Deny-by-default policy makes allow rules the main cleanup target. A deny row can still be useful, especially for baseline blocks such as SMB, but a broad allow with a privileged service should receive stronger review pressure than a protective deny with the same service. Review surface changes the pressure as well. Internet edge and administrative access reviews treat broad allow paths more severely than host-firewall or internal segmentation reviews.

The review model turns each parsed row into a score from 0 to 100. It adds points for stale or missing evidence, broad address scope, privileged services, expiry issues, missing ownership, missing justification, and explicit review decisions. A deny action reduces the final score slightly because deny rows usually reduce access rather than grant it.

Rule Core:

The score is a prioritization aid. It is strongest when the inventory has current dates, accurate hit counts, and expanded address or service values.

Signal Points When it applies
Missing owner 22 The owner is blank or uses a placeholder such as unknown, unassigned, tbd, or -.
Missing justification 10 The business reason field is empty after parsing.
Missing last-used evidence 18 The last-used value cannot be parsed as a date.
Stale last use 18 The parsed last-used date is older than Stale threshold. The default threshold is 180 days.
Low or zero recent hits 12 The row has a 30-day hit count at or below Low-use hit threshold.
Expired rule 24 The expiry date is before the selected Review date.
Near expiry 12 The expiry date falls within Expiry warning window.
Broad allow source 16 or 24 An allow row uses any, all, *, 0.0.0.0/0, ::/0, or an IPv4 prefix at or shorter than Broad IPv4 prefix. Internet edge and administrative access reviews use the higher score.
Broad allow destination 8 An allow row has a broad destination and the review surface is not Endpoint or host firewall.
Privileged service exposure 14 or 22 An allow row includes a service in Privileged services. Administrative access review uses the higher score.
Review decision pressure 14 to 32 review adds 14, tighten adds 20, and remove adds 32.

The final label comes from the bounded score. The recommendation then applies ordered cleanup rules, so an explicit removal decision can outrank a lower numeric trigger.

Result area Rule Practical reading
Critical Score is 75 or higher. Start review here, especially when the row combines broad access, stale evidence, expiry, or privileged services.
High Score is 50 to 74. The rule needs review before normal recertification is accepted.
Medium Score is 25 to 49. The row enters the queue when the recommendation is not already Keep.
Low Score is below 25. The row may still need owner review if evidence is incomplete, but it is not the first cleanup priority.
Recommendation Remove, Tighten scope, Owner review, Recertify, Archive disabled row, or Keep. The recommendation explains the action path behind the score.

CSV parsing is header-aware. A full export can use headers such as rule_id, action, protocol, source, destination, service, owner, justification, last_used, hits_30d, expires, decision, and note. A compact legacy row can also use rule, owner, last_used, decision, note when no action column is present.

Area Accepted or returned values Why it matters
Firewall rule inventory Pasted CSV text, TXT, LOG, CONF, or CSV file input up to the file-size guard shown by the page. This is the evidence source for every queue, table, chart, and report value.
Action Allow-style words such as allow, accept, pass, and permit; deny-style words such as deny, drop, block, and reject. Allow rows can create exposure findings; deny rows are scored with less pressure.
Service Named services, numeric ports, port ranges, comma-separated services, whitespace-separated services, or any. Common aliases such as ssh, rdp, smb, mysql, postgres, and mssql map to watched port numbers.
Review surface Internet edge or cloud ingress, Internal segmentation policy, Administrative access policy, or Endpoint or host firewall. The surface changes broad-source, broad-destination, and privileged-service pressure.
Rule Queue Rule, recommendation, risk, owner, age, exposure, reason, and next action. This is the main cleanup queue for review work.
Rule Evidence Normalized action, protocol/service, source, destination, owner, last used, hits, expiry, decision, and evidence text. This table lets reviewers confirm why a row was or was not queued.
Rule Risk Mix Stacked counts of Low, Medium, High, and Critical rows by recommendation. The chart shows whether the review is mostly cleanup, recertification, scope tightening, or keep decisions.

The model cannot infer live business need, firewall rule order, vendor object membership, application identity, schedule objects, NAT translations, routing paths, or whether logging is complete. Treat the score as a review triage signal and use firewall-native evidence before changing enforcement.

Everyday Use & Decision Guide:

Start with a recent export from the firewall, cloud security group, host firewall, or policy system being recertified. Keep the row slice focused on one review surface so the summary badges and Rule Risk Mix describe the same policy question.

Flow diagram showing rule rows normalized, checked for review signals, and summarized into a queue, evidence table, risk mix, and report outputs.

Use Internet edge or cloud ingress when a source can reach from outside a controlled network boundary, and use Administrative access policy when SSH, RDP, VNC, database, or file-sharing access is the review focus. Internal segmentation policy and Endpoint or host firewall are better fits when the review is about internal application paths or local host rules.

  • Use Sample to see the preferred header shape before pasting a vendor export.
  • Use Normalize after copying rows from a ticket, spreadsheet, or terminal output with blank gaps.
  • Set Review date to the recertification cutoff, not necessarily today's date.
  • Keep Stale threshold at 180 days for a conservative first pass, then adjust it to match your policy window.
  • Set Expiry warning window to 0 when the export has no temporary-rule expiry dates.
  • Raise Low-use hit threshold above 0 only when low traffic should be reviewed, not just unused traffic.
  • Set Broad IPv4 prefix to the prefix your team treats as broad. A shorter prefix catches wider address ranges.

Do not treat Keep as proof that the rule is approved. It means the current row did not cross the configured review triggers strongly enough to enter the queue. Named objects, schedules, identity rules, NAT behavior, and incomplete logs can still change the real access path.

The best handoff starts with Rule Queue, then checks Rule Evidence for rows that were kept. Copy the Markdown report only after the queued recommendations and evidence text match the review story you are willing to defend.

Step-by-Step Guide:

Work from one policy export or review slice at a time so the queue and report stay coherent.

  1. Paste rows into Firewall rule inventory, drop a CSV or text file, or choose Browse. If the status line reports a loaded file, the textarea should contain the source rows before results are trusted.
  2. Include a header row when possible. Columns such as rule_id, action, protocol, source, destination, service, owner, justification, last_used, hits_30d, expires, and decision give the parser the strongest match.
  3. If the warning area says no usable rows were found, no rows remained after header detection, or a compact row shape is wrong, fix the inventory before reading Rule Queue.
  4. Set Review date. The Age values in Rule Queue and stale-use reasons are measured against this date.
  5. Choose Review surface. Watch the summary badge because it should show Internet edge, Internal segmentation, Admin access, or Host firewall for the selected surface.
  6. Set Stale threshold. Rows older than this threshold can show reasons such as 246 days since last use.
  7. Open Advanced to set Report name, Expiry warning window, Low-use hit threshold, Broad IPv4 prefix, and Privileged services. The summary queue count should update as those settings change.
  8. Review the top summary. Rule review queue shows the queued count, percentage of rules needing follow-up, high-risk count, stale count, owner gaps, expiry items, and selected surface.
  9. Open Rule Queue. Start with Critical and High rows, then read Recommendation, Reason, and Next action together.
  10. Open Rule Evidence for kept rows and edge cases. Confirm that a row with No cleanup triggers found really has the owner, use, expiry, and scope evidence you expect.
  11. Use Rule Risk Mix when the queue is large. The stacked bars show whether the review is dominated by removal, scope tightening, owner review, recertification, archive, or keep outcomes.
  12. Use Review Report and JSON after the tables make sense. The Markdown report summarizes the review focus, priority queue, and evidence thresholds for handoff.

A complete pass has no parsing warnings, a review date that matches the evidence cutoff, and a queue whose recommendations agree with the firewall owner or change reviewer.

Interpreting Results:

The first result to read is Rule Queue. A row appears there when its recommendation is not Keep or when its risk score reaches at least 25. That queue is intentionally conservative: it is meant to focus human review on rows with stale evidence, broad exposure, expiry pressure, ownership gaps, privileged services, or explicit cleanup decisions.

Use the score and recommendation together. Critical (100) with Remove means the evidence strongly supports a removal workflow, but the final action still needs rollback and owner checks. Tighten scope points to broad source, broad destination, or privileged service exposure. Owner review means the row cannot be recertified cleanly until accountability and business reason are confirmed.

Output cue What it means Useful follow-up
3 queued in the summary Three parsed rows need follow-up under the current thresholds. Start with the highest Risk value in Rule Queue.
Owner gaps At least one row has a missing or placeholder owner. Confirm ownership before keeping or recertifying the row.
Expiry items One or more rows are expired or inside the warning window. Remove, extend, or recertify temporary access with a current reason.
Broad source or Privileged service in Exposure The row grants access from a wide range or to watched services such as SSH, RDP, SMB, or database ports. Tighten the source, destination, or service before accepting the row.
No cleanup triggers found in Rule Evidence The row did not hit the configured review checks. Still verify object groups, policy order, logging completeness, and owner approval.

A high score does not prove that traffic is unsafe, and a low score does not prove that access is right. The result is a triage signal based on the fields in the supplied inventory. Confirm the live rule, expanded objects, and owner approval before deleting, narrowing, or recertifying policy.

Security Handling Note:

Firewall inventories can reveal internal IP ranges, hostnames, partner networks, privileged ports, owner names, and change references. Paste only the rows needed for the review and remove unrelated sensitive values when a smaller slice will answer the question.

The pasted inventory and selected file are processed in the browser. The reviewed rows are not submitted to a server by this tool; copied reports, downloaded tables, chart images, and JSON exports are created from the current page state. Handle those outputs with the same controls used for firewall audit evidence.

Worked Examples:

Internet-facing SSH exception:

A row such as FW-1001, allow, tcp, 0.0.0.0/0, 10.20.4.15, 22, Platform Ops, Emergency break-glass access, 2025-09-02, 0, 2026-05-20, review produces a Critical (94) queue item when the review date is 2026-05-06, the stale threshold is 180 days, and the surface is Internet edge or cloud ingress. Reason includes 246 days since last use, zero 30-day hits, expires in 14 days, internet-wide or any source, and privileged service exposure. Next action recommends replacing the broad path with a narrow approved path.

Expired database migration rule:

A row such as DB-1433, allow, tcp, 10.10.8.0/24, 10.60.9.12, 1433, , ETL migration, 2025-09-10, 2, 2026-05-01, remove has a missing owner, stale use, an expired date, privileged service exposure, and a review decision that requests removal. Rule Queue shows Remove with Critical (100), and Next action tells the reviewer to open a removal change or mark the rule for deletion after rollback checks.

Current partner HTTPS flow:

A row such as WEB-443, allow, tcp, 203.0.113.64/27, 10.70.3.11, 443, Partner API, Current partner traffic, 2026-04-20, 300, 2026-12-31, keep stays out of the queue under the default privileged services because HTTPS is not in that watched set and the row has a recent last-used date, owner, justification, and future expiry. Rule Evidence shows No cleanup triggers found, which means the row is a lower review priority, not an automatic approval.

Bad source shape:

If a pasted file contains only a heading or rows that do not match the compact legacy format, the warning area can report that no usable rows were found or that rows without a header should use the expected compact or full export format. In that case, Rule Queue should not be used yet. Add a recognizable header row or convert the source to the accepted column order, then check whether the summary count matches the inventory slice.

FAQ:

What columns should my export include?

Use a header row with rule ID, action, protocol, source, destination, service, owner, justification, last-used date, 30-day hits, expiry, decision, and note when possible. The parser accepts several common header aliases, and a compact row shape of rule, owner, last-used, decision, and note is also supported.

Why did an allow rule become Critical?

A Critical label appears at 75 points or more. Broad sources, stale last-use dates, zero hits, expiry pressure, privileged services, missing ownership, missing justification, and removal or review decisions can combine quickly.

Does a Keep recommendation mean the rule is approved?

No. Keep means the supplied row did not trigger the configured cleanup checks strongly enough. Review owner approval, object expansion, policy order, NAT, schedule, identity, and logging evidence before accepting the rule.

How are disabled rows handled?

Rows with disabled-style values are marked as disabled and can receive the Archive disabled row recommendation. If a header is named disabled, the value is interpreted in the opposite direction so a true disabled flag is not treated as enabled access.

Why does a deny rule sometimes score lower?

A deny action subtracts from the score because deny rows normally reduce access. A deny row can still appear in evidence, but broad allow rows with privileged services and weak governance evidence carry more cleanup pressure.

Does the tool send my firewall inventory to a server?

No server submission path is used for the pasted rows or selected file. The review runs in the browser, and report, CSV, chart, and JSON outputs are created from the current page state.

Glossary:

Firewall rule inventory
The exported rows being reviewed, including traffic fields and governance evidence.
Review surface
The policy context selected for scoring, such as internet edge, internal segmentation, administrative access, or host firewall.
Stale threshold
The number of days after last use when a row becomes stale for this review.
Broad IPv4 prefix
The CIDR prefix length at or below which an IPv4 source or destination is treated as broad.
Privileged services
Ports or service aliases that deserve higher review pressure, such as SSH, RDP, SMB, MSSQL, MySQL, PostgreSQL, and VNC.
Rule Risk Mix
The chart that groups Low, Medium, High, and Critical row counts by recommendation.

References: