Security Policy Cleanup

Overview

Improve security and performance by cleaning up shadowed, redundant, and unused rules based on in-depth policy usage insights across hybrid environments.

Security Policy Cleanup guides you through using SecureTrack and SecureChange to:

  • Define the cleanup scope and review cleanup recommendations across devices.

  • Use dashboards and reports to analyze and validate redundant, unused, and obsolete rules.

  • Use SecureChange workflows to execute rule and object decommission actions.

Why this matters
  • Ensure that security policies remain optimized, lean, and well governed.

  • Reduce operational overhead by minimizing redundant and unnecessary rules.

  • Support compliance and performance objectives through controlled, auditable cleanup activities.

Who this is for
  • Platform administrators responsible for onboarding devices, validating data collection for devices, and maintaining visibility

  • Network and firewall engineers using Rule Viewer and Tufin Query Language (TQL) for rule validation and troubleshooting

  • Compliance analysts responsible for generating and reviewing policy reports for audits

Key capabilities

Security Policy Cleanup leverages key features in SecureTrack and SecureChange for rule and device cleanup:

Prerequisites

Step 1: Identify candidates for cleanup

Start by identifying security policy rules and objects that are candidates for cleanup. SecureTrack provides several UI-based options to help you quickly surface unused, risky, or inefficient rules, and to control how cleanup data is calculated and presented.

Use SecureTrack's:

  • Dashboard for high-level cleanup analysis

  • Cleanup Browser to view cleanup candidates by device

Use Dashboard for cleanup recommendations

The SecureTrack Dashboard is the primary, centralized view for identifying cleanup candidates at a high level. It provides immediate insight into where cleanup is needed and how it evolves over time.

The following widgets are especially useful for cleanup analysis:

  • General: Number of rules that require cleanup, rules relevant for audits, and rules with critical violations.

  • Cleanup Trends: Shows rule candidates for cleanup over time, allowing you to identify patterns and track changes across a selected time period.

  • Cleanup - Optimization: Shows rules that are candidates for optimization; review and manage them in the Rule Viewer.

See SecureTrack Dashboard.

View cleanup suggestions by device

While the Dashboard provides a high-level overview, the Cleanup Browser lets you drill down into specific devices to see exactly where cleanup candidates exist.

You can:

  • Review cleanup instances by device or device groups

  • Export cleanup instances for the selected device to a CSV file, saved in the Report Repository.

See Cleanup Browser.

Configure cleanup types

SecureTrack includes a predefined set of cleanup types, each with an associated severity level. The Cleanup Browser displays the security score and cleanup instances based on the cleanups selected in the cleanup configuration.

You can:

  • Exclude cleanup types from optimization scores or cleanup calculations.

  • Edit the name, description, and severity of existing cleanups.

See Cleanup Configuration.

Find cleanup candidates in Rule Viewer

Use the Rule Viewer to identify cleanup candidates at the rule level. Search for rules that are disabled, unused, overly permissive, or violating access control policies.

Use:

  • TQL to run precise, query-based searches.

  • AI Assistant Search to quickly surface relevant rule issues using natural language.

See Rule search.
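The classes of rule the Cleanup Browser and Rule Viewer surface (disabled, unused, overly permissive, shadowed) are easier to reason about with a small working classifier. The following is an added example written for this page, not SecureTrack code or its TQL; the rule fields, the 90-day usage threshold, the "any" match model and the sample policy are all assumptions constructed for the illustration. It goes slightly beyond the text by showing why a shadowed rule is unreachable regardless of its own action.

```python
"""Rule cleanup-candidate classifier: an added illustration, not SecureTrack code.

Flags the classes of rules the page discusses (disabled, unused, overly
permissive, shadowed) over a constructed, simplified rule set. Field names,
the 90-day usage threshold and the match model are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: FrozenSet[str]            # object names, or {"any"}
    dst: FrozenSet[str]
    svc: FrozenSet[str]            # service names such as "tcp/3306", or {"any"}
    action: str                    # "accept" or "drop"
    enabled: bool = True
    days_since_last_hit: Optional[int] = None   # None = never matched traffic


def covers(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    """True when every match of `inner` is also a match of `outer`.
    "any" covers everything; a concrete set only covers its own subsets."""
    return ANY in outer or (ANY not in inner and inner <= outer)


def shadowed_by(rule: Rule, earlier: List[Rule]) -> Optional[str]:
    """Return the id of the first earlier *enabled* rule that fully covers
    `rule` on source, destination and service, else None. Such a rule can
    never be hit, whatever its own action, because the earlier rule always
    matches first."""
    for prev in earlier:
        if prev.enabled and all(
            covers(getattr(prev, f), getattr(rule, f)) for f in ("src", "dst", "svc")
        ):
            return prev.rule_id
    return None


def classify(rules: List[Rule], unused_after_days: int = 90) -> Dict[str, List[str]]:
    """Map each rule id to the list of cleanup findings raised for it."""
    findings: Dict[str, List[str]] = {}
    for idx, rule in enumerate(rules):
        tags: List[str] = []
        if not rule.enabled:
            tags.append("disabled")
        if rule.days_since_last_hit is None or rule.days_since_last_hit > unused_after_days:
            tags.append("unused")
        if rule.action == "accept" and all(ANY in f for f in (rule.src, rule.dst, rule.svc)):
            tags.append("overly_permissive")
        shadow = shadowed_by(rule, rules[:idx])
        if shadow:
            tags.append("shadowed_by:" + shadow)
        if tags:
            findings[rule.rule_id] = tags
    return findings


# Constructed sample policy, evaluated top-down as a firewall would.
SAMPLE_RULES = [
    Rule("r1", frozenset({"web"}), frozenset({"db"}), frozenset({"tcp/3306"}), "accept", days_since_last_hit=3),
    Rule("r2", frozenset({"web"}), frozenset({"db"}), frozenset({"tcp/3306"}), "drop"),   # never reachable
    Rule("r3", frozenset({ANY}), frozenset({ANY}), frozenset({ANY}), "accept", days_since_last_hit=1),
    Rule("r4", frozenset({"hr"}), frozenset({"mail"}), frozenset({"tcp/25"}), "accept",
         enabled=False, days_since_last_hit=200),
    Rule("r5", frozenset({ANY}), frozenset({"mail"}), frozenset({"tcp/25"}), "accept", days_since_last_hit=10),
]

if __name__ == "__main__":
    for rule_id, tags in classify(SAMPLE_RULES).items():
        print(rule_id, ", ".join(tags))
```

Running it over the sample policy reports r2 as unused and shadowed by r1, r3 as overly permissive, r4 as disabled, unused and shadowed by r3, and r5 as shadowed by r3; r1 raises nothing. Note that a finding is only a candidate: the shadowing rule r3 is itself the any/any/any rule that should be reviewed first, which is why the page routes candidates through reports and approval workflows rather than deleting on sight.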

Step 2: Generate reports for cleanup insights

In addition to UI-based options, you can generate reports to analyze cleanup candidates in depth and share findings with stakeholders.
SecureTrack reporting helps you review cleanup data offline, track trends, and support data-driven cleanup decisions.

STRE Rule Analytics report

The Rule Analytics report is useful for cleanup analysis. It uses the same search logic as the Rule Viewer, allowing you to scale your analysis beyond the UI.

You can generate a Rule Analytics report using the same search criteria you use in the Rule Viewer:

  • Copy a TQL query—for example, to find disabled or highly permissive rules—and paste it into the report’s Search field.

  • Select the device for which to display rules and rule KPIs.

Go to SecureTrack > Reports > Reporting Essentials.

See STRE Rule Analytics report.

SecureTrack Rule and Object Usage report

To gain deeper visibility into unused objects and inactive rules before taking cleanup actions, generate the Rule and Object Usage report.

See:

Rule and Object Usage report

Creating/Generating a Rule and Object Usage Report

STRE Security Compliance and Security Violation reports

Use STRE Compliance and Violation reports to prioritize cleanup efforts and rule remediation based on policy risk.

  • Security Compliance

    The Security Compliance report lists all the security requests required to comply with SecureTrack Unified Security Policies (USPs) and indicates whether device rules meet those requirements.

    You can:

    • Identify rules that are in violation of your USPs

    • Prioritize remediation efforts

  • Security Violations

    The Security Violations report provides a detailed summary of security policy violations across the selected domain, devices, and USPs.

    You can:

    • Identify security gaps

    • Prioritize rules for remediation, removal, or exception review

    • Ensure consistent awareness of violations by the relevant team

See:

STRE Security Compliance report

STRE Security Violations report

Step 3: Automate Cleanup with SecureChange workflows

Use SecureChange workflows to automate and govern the removal of unused objects and obsolete rules. This step moves cleanup from analysis to execution, ensuring that all changes follow controlled, auditable processes.

Create Network Object Decommission workflow

Configure the Network Object Decommission workflow in SecureChange to safely remove unused network objects. The Decommission network object field in one or more workflow steps lets you manage the process of removing the network objects from the firewalls.

This workflow allows you to:

  • Submit decommission requests for unused or obsolete objects.

  • Validate dependencies before removal.

  • Ensure object cleanup follows an approved and auditable process.

See Decommission Network Object Field.

Submit object decommission requests

After configuring the Network Object Decommission workflow, submit decommission requests for unused objects identified during cleanup analysis.

This step ensures that:

  • Cleanup actions rely on verified usage data.

  • Object removal is tracked and approved through SecureChange.
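The "validate dependencies before removal" step above is the part of object decommissioning that most often goes wrong by hand, because an object can be referenced indirectly through nested groups. The following is an added example written for this page, not SecureChange code: it resolves every rule reference to a candidate object, direct or via group membership, and marks only unreferenced objects as safe to remove. The group and rule structures are constructed for the illustration and do not reflect SecureTrack's data model.

```python
"""Object decommission dependency check: an added illustration, not SecureChange code.

Before a network object is removed, confirm nothing still references it,
either directly in a rule or through (possibly nested) group membership.
The group and rule structures below are constructed for this example.
"""
from typing import Dict, List, Optional, Set

# Constructed data: group name -> members (members may themselves be groups)
GROUPS: Dict[str, Set[str]] = {
    "grp_web": {"web01", "web02"},
    "grp_app": {"grp_web", "app01"},   # nested group
}

# Constructed rules; "enabled" is kept because a disabled rule still references the object
RULES = [
    {"id": "r1", "src": {"grp_app"}, "dst": {"db01"}, "enabled": True},
    {"id": "r2", "src": {"any"}, "dst": {"legacy01"}, "enabled": False},
    {"id": "r3", "src": {"jump01"}, "dst": {"db01"}, "enabled": True},
]


def containment_paths(container: str, target: str, groups: Dict[str, Set[str]],
                      trail: Optional[List[str]] = None) -> List[List[str]]:
    """All membership chains from `container` down to `target` (empty if none).
    A chain of length 1 means a direct reference. The trail guards against
    cyclic group definitions, which would otherwise recurse forever."""
    trail = (trail or []) + [container]
    if container == target:
        return [trail]
    paths: List[List[str]] = []
    for member in sorted(groups.get(container, ())):
        if member in trail:
            continue
        paths.extend(containment_paths(member, target, groups, trail))
    return paths


def find_references(obj: str, rules: List[dict], groups: Dict[str, Set[str]]) -> List[dict]:
    """Every rule field that resolves to `obj`, with the membership chain that leads there."""
    refs: List[dict] = []
    for rule in rules:
        for fld in ("src", "dst"):
            for name in sorted(rule[fld]):
                for path in containment_paths(name, obj, groups):
                    refs.append({"rule": rule["id"], "field": fld,
                                 "path": ">".join(path), "rule_enabled": rule["enabled"]})
    return refs


def decommission_plan(candidates: List[str], rules: List[dict],
                      groups: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Only objects with zero references are marked safe; everything else is
    returned with the evidence a reviewer needs before approving the ticket."""
    plan: Dict[str, dict] = {}
    for obj in candidates:
        refs = find_references(obj, rules, groups)
        plan[obj] = {"safe_to_remove": not refs, "references": refs}
    return plan


if __name__ == "__main__":
    for obj, verdict in decommission_plan(["web02", "legacy01", "orphan01"], RULES, GROUPS).items():
        status = "SAFE" if verdict["safe_to_remove"] else "BLOCKED"
        print(obj, status, [r["rule"] + ":" + r["field"] + " via " + r["path"] for r in verdict["references"]])
```

For the sample data, web02 is blocked because rule r1 reaches it through grp_app > grp_web, legacy01 is blocked by the disabled rule r2 (a disabled rule is still a reference, and removing its object would change what re-enabling it does), and orphan01 is the only candidate marked safe. Attaching the resolved reference chain to the decommission ticket is what makes the approval step auditable rather than a rubber stamp.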

Create Rule Decommission workflow

Configure a Rule Decommission workflow to support the structured removal of obsolete, unused, or policy-violating rules. The Rule decommission field in a workflow step manages the removal of selected rules from supported devices.

This workflow allows you to:

  • Enforce approval and validation steps before removing a rule.

  • Standardize how rule cleanup requests are reviewed and executed.

  • Reduce risk associated with manual rule deletions.

See Rule Decommission field.

Submit Rule Decommission requests

Initiate Rule Decommission tickets directly from the Rule Viewer.

Submitting requests from the Rule Viewer:

  • Links analysis directly to action.

  • Reduces manual effort and context switching.

  • Accelerates rule cleanup while maintaining governance and auditability.