Security Policy Optimization

Overview

Reduce your attack surface by optimizing firewall and cloud security policies with intelligent, usage-based analysis that drives automated suggestions and continuous policy refinement.

Security policy optimization typically begins by tightening rules with high permissiveness, where the source, destination, or service is broadly defined (for example, set to Any). Such rules increase risk exposure and are prime candidates for refinement.

Permissiveness evaluation

To support consistent evaluation across tools, each rule is assigned a permissiveness score from 1 to 100:

  • 1 represents the least permissive rule (for example, one source host, one destination host, and one service)

  • 100 represents the most permissive rule (source, destination, and service/protocol set to ANY)

This scoring model helps you understand how broad a rule is and where optimization will have the greatest impact.

Optimization approach

Once highly permissive rules are identified, select the appropriate optimization approach based on your objective:

  • Automatic Policy Generation (APG): Use to replace overly broad rules with a new, least-privilege rule set derived from observed traffic.

  • Rule Optimizer: Use to refine existing rules, in place, by tightening objects and scope while preserving the rule structure.

Together, these tools provide a structured approach to security policy optimization, allowing you to reduce risk exposure while maintaining required business access.

Why this matters

  • Ensure that security policies remain optimized, lean, and well governed.

  • Reduce operational overhead by minimizing redundant and unnecessary rules.

  • Support compliance and performance objectives through controlled, auditable cleanup activities.

Who this is for

  • Network engineers responsible for creating and analyzing APG jobs.

  • Policy owners responsible for reviewing optimized rules and approving the changes.

  • Platform owners responsible for validating rule impact on application availability.

Step 1: Analyze permissive rules in SecureTrack Dashboard

The Home Dashboard is the default entry point when you log in to TOS. It provides a high-level view of the rules and devices monitored by SecureTrack and surfaces areas that require attention.

In this step, you use the Dashboard as a starting point for security policy optimization. The goal is to quickly identify overly permissive rules and determine where deeper analysis and remediation are needed.

Use SecureTrack's Dashboard to:

  • Identify rules with high permissiveness that increase attack surface.

  • Prioritize optimization efforts based on visibility into policy risk.

  • Navigate directly to detailed rule analysis in Rule Viewer.

Identify highly permissive rules

The General widget in the Dashboard shows the number of Highly Permissive Rules.

Highly permissive rules surfaced here are those with Source, Destination, or Service values set to Any. These rules allow broad access and are common starting points for optimization initiatives.

To view these rules: 

  • In the General widget, click the Highly permissive rules link.

or

  • In Predefined Queries, click Which rules have a high permissiveness level?

Both options open the results in Rule Viewer.

See SecureTrack Dashboard.

Analyze rules in Rule Viewer

From the Dashboard, clicking a highly permissive rule link opens Rule Viewer, where you can analyze the rules in detail across devices.

In Rule Viewer, you can:

  • Review the exact rule definitions contributing to high permissiveness.

  • Assess scope, usage, and context before making optimization decisions.

  • Determine if a rule should be refined, replaced, or further optimized using automated tools.

This analysis helps you decide how to optimize each rule and which optimization method is most appropriate before taking action.

See Rule Viewer.

Step 2: Use Automatic Policy Generation

APG helps optimize overly permissive rules by analyzing actual firewall traffic and generating a more precise, least-privilege rule set. Instead of allowing all possible traffic defined by a broad rule, APG limits access to traffic that is actually used in the environment.

In this step, you use APG to replace highly permissive rules with optimized rules based on observed business traffic.

Use SecureTrack's APG to:

  • Create APG analysis jobs.

  • Review and refine optimized rule suggestions.

  • Export optimized rule sets for further review or implementation.

Create a new APG job

Create an APG job to analyze the rule set of a specific device and identify opportunities to reduce rule permissiveness. Running the job allows APG to analyze traffic logs and generate optimization suggestions based on actual usage.

APG derives its analysis and recommendations from logs collected from the device:

  • To analyze historical traffic, manually upload a log file for the monitored device.

  • To analyze future traffic, configure the APG job to collect logs sent from the device to the TOS servers. Verify that the device is configured for real-time monitoring.

See:

Creating an APG job

Getting logs for APG

Review and refine APG job results

Once the job completes, review the results to understand how different optimization choices affect rule permissiveness and rule count, and refine the suggestions.

Review APG job results

APG provides two complementary views of the results:

  • Balance Graph

    When you run an APG job for the first time, the results display the Balance Graph. This graph shows how the total number of rules changes as you adjust the maximum allowed permissiveness across the rule set.

    It helps you choose a balance between:

    • Fewer, broader rules

    • More, tighter, least-privilege rules

  • Rule expansion interface

    Subsequent APG job runs populate the rule expansion interface, which displays the actual proposed rule sets.

    From this view, you can:

    • Expand broad rules into multiple, tighter rules

    • Collapse rules into fewer, more permissive rules if required for operational reasons

Use these views together to evaluate the tradeoff between security and manageability.

Refine and save optimized rule set

After reviewing the results, refine the suggested rules to align with your organization’s security posture and operational requirements. Saving the rule set ensures the optimized results are available for export and further processing.

  • Use the Balance Graph to select a starting point that reflects the desired level of permissiveness.

  • Save the selected balance to automatically update the rule expansion interface.

  • Fine-tune the suggested rules by expanding or collapsing rules as needed.

  • Save the optimized rule set to preserve your changes.

See Reviewing APG job results.
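To make the permissiveness scale from the Permissiveness evaluation section and the Balance Graph trade-off concrete, here is an added Python example. It is not Tufin's code and not the scoring formula SecureTrack actually uses: it assigns an illustrative 1..100 score to a rule from the address space and service range the rule covers, so that one host to one host on one service scores 1 and ANY/ANY/ANY scores 100, then derives candidate rule sets from constructed flow records at several aggregation levels, the way APG replaces a broad rule with rules built from observed traffic, and reports the rule count against the worst permissiveness at each level. The flows, the aggregation levels and the score formula are assumptions made for the example.

```python
"""Illustrative permissiveness score plus usage-based rule generation.

Added example, not Tufin's own code. The score formula and the aggregation
levels are assumptions chosen to match the documented endpoints:
1 = one source host, one destination host, one service; 100 = ANY/ANY/ANY.
"""
import ipaddress
import math
from collections import defaultdict

IPV4_BITS = 32
SERVICE_BITS = math.log2(2 * 65536)       # tcp and udp over all ports, 17 bits
MAX_BITS = 2 * IPV4_BITS + SERVICE_BITS   # source + destination + service
AGGREGATION_LEVELS = (32, 24, 16, 0)      # host, /24, /16, any (assumed steps)


def _address_bits(field):
    """log2 of the number of IPv4 addresses a source/destination field covers."""
    if field == "any":
        return IPV4_BITS
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(cidr, strict=False) for cidr in field)
    return math.log2(sum(n.num_addresses for n in nets))


def _service_bits(field):
    """log2 of the number of protocol/port pairs a service field covers."""
    if field == "any":
        return SERVICE_BITS
    return math.log2(len(set(field)))


def permissiveness_score(rule):
    """Map a rule to the 1..100 scale: share of the total rule space it covers."""
    bits = (_address_bits(rule["src"]) + _address_bits(rule["dst"])
            + _service_bits(rule["service"]))
    return 1 + round(99 * bits / MAX_BITS)


def generate_rules(flows, prefix):
    """Build replacement rules from observed flows, grouped at one prefix length.

    prefix=32 gives one rule per observed host pair (tightest); prefix=0
    collapses every flow into a single rule. Each rule's service list is the
    union of services observed for that group, never "any".
    """
    groups = defaultdict(set)
    for src, dst, service in flows:
        key = (str(ipaddress.ip_network(f"{src}/{prefix}", strict=False)),
               str(ipaddress.ip_network(f"{dst}/{prefix}", strict=False)))
        groups[key].add(service)
    return [{"src": [s], "dst": [d], "service": sorted(svcs)}
            for (s, d), svcs in sorted(groups.items())]


def balance_graph(flows):
    """Rule count against the most permissive rule, one point per level."""
    points = []
    for prefix in AGGREGATION_LEVELS:
        rules = generate_rules(flows, prefix)
        points.append({"prefix": prefix, "rules": len(rules),
                       "max_permissiveness": max(map(permissiveness_score, rules))})
    return points


def choose_rule_set(flows, max_permissiveness):
    """Fewest rules whose worst member stays at or under the chosen ceiling.

    Falls back to the host-level set when no level satisfies the ceiling.
    """
    candidates = [generate_rules(flows, p) for p in AGGREGATION_LEVELS]
    allowed = [r for r in candidates
               if max(map(permissiveness_score, r)) <= max_permissiveness]
    return min(allowed, key=len) if allowed else candidates[0]


# Constructed sample: flows that matched a rule allowing ANY -> ANY on ANY service.
SAMPLE_FLOWS = [
    ("10.1.0.11", "10.2.0.5", "tcp/443"),
    ("10.1.0.12", "10.2.0.5", "tcp/443"),
    ("10.1.0.11", "10.2.0.6", "tcp/443"),
    ("10.1.0.40", "10.2.0.20", "tcp/5432"),
    ("10.1.5.9", "10.3.1.1", "udp/53"),
]

if __name__ == "__main__":
    print("ANY/ANY/ANY scores", permissiveness_score(
        {"src": "any", "dst": "any", "service": "any"}))
    for point in balance_graph(SAMPLE_FLOWS):
        print(point)
    for rule in choose_rule_set(SAMPLE_FLOWS, max_permissiveness=25):
        print(rule)
```

The `choose_rule_set` call plays the role of picking a starting point on the Balance Graph: the fewest rules whose most permissive member stays under the chosen ceiling. Regenerating one group at a finer prefix corresponds to expanding a rule; regenerating it at a coarser prefix corresponds to collapsing it.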

Export APG-optimized rule set

Export the final optimized rule set in CSV format for documentation, review, or change control purposes.

Important considerations:

  • Exported results are intended as replacement rules for the selected rule.

  • If the logs are from an uploaded file, and the logs were not filtered by a specific rule, the results apply to the entire uploaded log set, not a single rule.

See Viewing and exporting APG job results.

Step 3: Use Rule Optimizer

Rule Optimizer helps reduce risk by refining existing rules based on real network traffic, without replacing the rule structure. It analyzes traffic logs and recommends narrower source, destination, and service objects that still allow required access.

Use the Rule Viewer's Rule Optimizer when you want to:

  • Reduce the permissiveness of existing rules incrementally.

  • Preserve the original rule intent and structure.

  • Apply usage-based tightening without generating a new rule set.

This approach is especially useful when broad rules must remain in place for operational or organizational reasons, but can be safely restricted based on observed usage.

Supported devices and rule requirements

The Rule Optimizer is supported only for specific devices and rule types.

Supported devices

  • AWS

  • Azure

  • Zscaler

  • (From R25-2 PHF2.0.0) VMware NSX

Rule requirements

  • Rule state: Enabled

  • Action: Allow

  • Protocol: IPv4 rule

See Prerequisites for Rule Optimizer.

Enable Rule Optimizer

For each device you want to optimize using Rule Optimizer, verify that the required settings are enabled (they are enabled by default).

Enable the following usage analysis options:

  • Collect traffic logs for rule usage analysis.

  • Collect traffic logs for object usage analysis.

  • (Azure subscriptions only) Enable Rule Optimizer recommendations.

Save and deploy the configuration. Once enabled, SecureTrack begins collecting flow data from the device. This data collection is required to generate usage-based optimization recommendations.

Configure Rule Optimizer data collection window

Define the time period used to collect traffic data before generating optimization recommendations. The collection window is always a rolling window calculated backwards from today.

  • Default data collection window

    Previous 30 days from today.

  • Custom data collection window

    Minimum of 30 days to a maximum of 180 days back from today. A longer data collection window helps ensure recommendations reflect consistent usage patterns rather than short-term or anomalous traffic.
    Configure using GraphQL mutations, either globally for all Rule Optimizer recommendations, or per device.

    See Custom data collection window for Rule Optimizer.

Configure Rule Optimizer for Special Objects

Special Objects are dynamic objects that change frequently, such as:

  • FQDN

  • Azure ASG

  • VM, Network Tags, Security Groups

  • Zscaler Internet

By default, when Rule Optimizer detects Special Objects in the Source or Destination fields, it retains them in the optimization recommendations.

IP-based recommendations

To receive IP-based recommendations for rules with Special Objects, use GraphQL mutations, either globally or per device.

Switching to IP-based recommendations allows Rule Optimizer to generate more restrictive, least-privilege rules by resolving dynamic objects to the IP addresses actually observed in traffic during the data collection window.
This approach helps maximize rule tightening when the goal is to reduce rule scope as much as possible based on real usage, rather than preserving dynamic object abstraction for future changes.

Rule Optimizer treats unsupported objects that do not resolve to IP addresses as Special Objects.

See Special Object mode for Rule Optimizer.

Review Rule Optimizer recommendations

Review Rule Optimizer recommendations in Rule Viewer. Reviewing and refining recommendations allows you to balance security and operability by validating usage-based suggestions and adjusting rule scope before finalizing optimization.

To find rules eligible for optimization, use predefined TQL queries such as readyForOptimization = true (rules flagged for optimization) or ruleOptimizerRecommendations = exists (rules that already have recommendations), or use Search with AI and enter a free-text query.

  • All rules eligible for optimization display the Rule Optimizer icon. Select a rule and open the Rule Optimizer tab to view and adjust the recommendations.

  • Rule Optimizer’s initial recommendation is the most permissive optimized option, which is still more restrictive than the original rule.

  • You can further restrict the rule by:

    • Manually adjusting the recommendation using the + and – controls.

    • Optionally regenerating recommendations for a custom date range within the configured data collection window.

See:

Rule Optimizer recommendations

Regenerate recommendations

Export Rule Optimizer recommendations

The final step is to export the recommendations from the Rule Optimizer to a CSV file for further analysis.

You can export:

  • Adjusted: Manually modified recommendations

  • Expanded: Detailed recommendations with /32-level granularity

See Export recommendations to CSV.
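The Step 3 workflow end to end, as an added Python example that is not Tufin's code: an eligibility check matching the rule requirements above, a rolling collection window validated against the 30 to 180 day range, Special Object handling in the default retain mode and in IP-based mode, and recommendations at three granularities, from the single covering prefix that plays the role of the most permissive optimized option down to the /32 list that corresponds to the Expanded export. The rule, the flow records, the "fqdn:"/"asg:"/"tag:" object notation and the granularity steps are constructed assumptions for the example, not SecureTrack's data model.

```python
"""In-place, usage-based tightening of one allow rule (Rule Optimizer style).

Added example, not Tufin's own code. The "fqdn:"/"asg:"/"tag:" object
notation, the three granularity steps and the sample data are assumptions
made to illustrate the behaviour described in the text.
"""
import ipaddress
from datetime import date, timedelta

MIN_WINDOW_DAYS, MAX_WINDOW_DAYS, DEFAULT_WINDOW_DAYS = 30, 180, 30
SPECIAL_PREFIXES = ("fqdn:", "asg:", "tag:", "sg:", "vm:")   # assumed notation


def validate_window(days):
    """Enforce the documented 30..180 day range for the rolling window."""
    if not MIN_WINDOW_DAYS <= days <= MAX_WINDOW_DAYS:
        raise ValueError(f"window must be {MIN_WINDOW_DAYS}..{MAX_WINDOW_DAYS} days")
    return days


def is_eligible(rule):
    """Only enabled IPv4 allow rules are candidates (rule requirements above)."""
    return rule["enabled"] and rule["action"] == "allow" and rule["ip_version"] == 4


def flows_in_window(flows, today, days):
    """Keep flows inside the rolling window calculated backwards from today."""
    cutoff = today - timedelta(days=validate_window(days))
    return [f for f in flows if cutoff <= f["date"] <= today]


def observed_networks(ips, granularity):
    """Observed addresses at one of three granularities.

    "hosts"      one /32 per address (the "Expanded" export)
    "summarized" contiguous hosts merged into the fewest exact prefixes
    "supernet"   one prefix covering everything observed: the most permissive
                 optimized option, where the initial recommendation starts
    """
    hosts = sorted({ipaddress.ip_network(f"{ip}/32") for ip in ips})
    if granularity == "hosts":
        return hosts
    summarized = list(ipaddress.collapse_addresses(hosts))
    if granularity == "summarized":
        return summarized
    net = summarized[0]
    while not all(n.subnet_of(net) for n in summarized):
        net = net.supernet()
    # 0.0.0.0/0 would not be narrower than "any"; fall back to exact prefixes
    return [net] if net.prefixlen > 0 else summarized


def tighten_field(original, observed_ips, granularity, special_mode):
    """Narrow a source/destination field, honouring Special Objects."""
    has_special = any(o.startswith(SPECIAL_PREFIXES) for o in original)
    if has_special and special_mode == "retain":
        return list(original)            # default mode keeps dynamic objects as-is
    # "ip" mode (or no special objects): recommend what was actually seen
    return [str(n) for n in observed_networks(observed_ips, granularity)]


def recommend(rule, flows, today, window_days=DEFAULT_WINDOW_DAYS,
              special_mode="retain", granularity="supernet"):
    """Return a narrower copy of `rule`, or None when nothing can be said."""
    if not is_eligible(rule):
        return None
    used = [f for f in flows_in_window(flows, today, window_days)
            if f["rule"] == rule["name"]]
    if not used:
        return None                      # no traffic observed: do not guess
    return {
        "name": rule["name"],
        "src": tighten_field(rule["src"], [f["src"] for f in used], granularity, special_mode),
        "dst": tighten_field(rule["dst"], [f["dst"] for f in used], granularity, special_mode),
        "service": sorted({f["service"] for f in used}),
    }


TODAY = date(2025, 6, 30)   # pinned so the rolling window is reproducible

# Constructed: an enabled IPv4 allow rule with an ANY source and an FQDN destination.
RULE = {"name": "app-to-api", "enabled": True, "action": "allow", "ip_version": 4,
        "src": ["any"], "dst": ["fqdn:api.internal.example"], "service": ["any"]}


def _flow(y, m, d, src, dst, service, rule="app-to-api"):
    return {"date": date(y, m, d), "rule": rule, "src": src, "dst": dst, "service": service}


# Constructed flow records attributed to that rule; the last one is 89 days old.
FLOWS = [
    _flow(2025, 6, 28, "10.20.1.10", "10.99.0.7", "tcp/443"),
    _flow(2025, 6, 25, "10.20.1.11", "10.99.0.7", "tcp/443"),
    _flow(2025, 6, 12, "10.20.1.12", "10.99.0.8", "tcp/443"),
    _flow(2025, 4, 2, "192.168.77.5", "10.99.0.7", "tcp/8443"),
]

if __name__ == "__main__":
    print(recommend(RULE, FLOWS, TODAY))                         # 30 days, FQDN kept
    print(recommend(RULE, FLOWS, TODAY, special_mode="ip"))     # FQDN resolved to IPs
    print(recommend(RULE, FLOWS, TODAY, window_days=180, granularity="hosts"))
```

With the default 30-day window the old 192.168.77.5 flow falls outside the cutoff, so the source narrows from ANY to a single /29 while the FQDN destination is kept; switching to IP-based mode resolves the destination to the /28 actually observed. Widening the window to 180 days pulls the anomalous host back in, which is the trade-off the text describes when choosing a longer collection window.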