Over time, firewall rulesets become bloated with shadowed, redundant, and overly permissive rules. In this capstone lab, you will analyze a simulated firewall policy, identify security gaps, remove shadowed rules, and optimize the ruleset for performance and security.
A shadowed rule is one that can never be hit because a broader rule above it catches the traffic first. Use policy analysis tools or manual review to find rules that are logically impossible to trigger.
💡 Pro-tip: Look for 'ANY' in the destination or service fields. A rule allowing 'Source: ANY, Dest: ANY, Service: HTTP' effectively negates all segmentation for web traffic and must be restricted.
Rules with zero hit counts over a long period are candidates for removal. Rules with extremely low counts might be partially shadowed by a broader rule higher in the list that takes most of their traffic.
Replace individual IP addresses with Object Groups to simplify management. Ensure the final rule in the policy is an explicit 'Deny All' with logging enabled to capture dropped traffic for threat hunting.
⚠️ Never delete a rule without verifying its purpose. A rule with zero hits might be a critical 'break-glass' rule used only during emergency failover scenarios. Always consult the change management history.
| Issue | Indicator | Action |
|---|---|---|
| Shadowed | Never hits, broader rule above | Delete or reorder |
| Over-permissive | Uses 'ANY' extensively | Restrict to specific objects |
| Unused | Zero hits for 6+ months | Archive and remove |
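As an added example (not part of the lab material), the following Python script applies the three indicators from the table, plus the logged 'Deny All' check, to a small constructed policy. It assumes rules carry source, destination, service, action, hit count and a logging flag, that ANY is the wildcard value, and that networks are written as CIDRs; these conventions are assumptions, not a specific vendor's format.

```python
from collections import namedtuple
from ipaddress import ip_network
from typing import Dict, List, Optional

ANY = "ANY"  # wildcard value used in the simulated policy
# src/dst are CIDRs or ANY; service is e.g. "tcp/443" or ANY; hits spans the review window
Rule = namedtuple("Rule", "name src dst service action hits log", defaults=(False,))

def covers(broad: str, narrow: str, network: bool) -> bool:
    """True if everything matched by `narrow` is also matched by `broad`."""
    if ANY in (broad, narrow):
        return broad == ANY
    return ip_network(narrow).subnet_of(ip_network(broad)) if network else broad == narrow

def shadowed_by(rules: List[Rule], idx: int) -> Optional[str]:
    """Name of the first earlier rule that fully contains rule `idx`, else None."""
    r = rules[idx]
    for e in rules[:idx]:
        if (covers(e.src, r.src, True) and covers(e.dst, r.dst, True)
                and covers(e.service, r.service, False)):
            return e.name
    return None

def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Classify each rule using the indicators from the table above."""
    findings: Dict[str, List[str]] = {}
    for i, r in enumerate(rules):
        s = shadowed_by(rules, i)
        issues = [f"shadowed by {s}"] if s else []
        if r.action == "allow" and ANY in (r.dst, r.service):
            issues.append("over-permissive")
        if r.hits == 0 and not s:  # candidate only: verify its purpose first
            issues.append("unused")
        if issues:
            findings[r.name] = issues
    last = rules[-1]
    if not (last.action == "deny" and last.log
            and (last.src, last.dst, last.service) == (ANY, ANY, ANY)):
        findings["policy"] = ["final rule is not a logged explicit deny-all"]
    return findings

# Constructed sample policy for the exercise; not from the original lab.
POLICY = [
    Rule("R1", "10.0.0.0/8", ANY, "tcp/80", "allow", 120000),
    Rule("R2", "10.1.0.0/16", "192.0.2.10/32", "tcp/80", "allow", 0),  # shadowed by R1
    Rule("R3", "10.2.0.0/16", "192.0.2.20/32", "tcp/443", "allow", 4500),
    Rule("R4", "10.9.9.0/24", "192.0.2.0/24", "tcp/22", "allow", 0),  # zero hits: break-glass?
    Rule("R5", ANY, ANY, ANY, "deny", 800, log=True),
]
```

Running `audit(POLICY)` flags R1 as over-permissive, R2 as shadowed by R1 and R4 as unused; R4 is reported as a candidate only, which is where the change management history check from above comes in.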