https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69029#M40130 <P>Company called Firemon has a product that assists with this.</P> <P>&nbsp;</P> <P><A href="https://www.firemon.com/" target="_blank">https://www.firemon.com/</A></P> Fri, 04 Dec 2015 14:48:27 GMT googol 2015-12-04T14:48:27Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69027#M40129 <P>Anyone know of any good firewall optimization software for PA. One that can review the rules and make good suggestion to improve the rule order, removal etc?</P> Fri, 04 Dec 2015 14:40:51 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69027#M40129 jdprovine 2015-12-04T14:40:51Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69029#M40130 <P>Company called Firemon has a product that assists with this.</P> <P>&nbsp;</P> <P><A href="https://www.firemon.com/" target="_blank">https://www.firemon.com/</A></P> Fri, 04 Dec 2015 14:48:27 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69029#M40130 googol 2015-12-04T14:48:27Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69032#M40132 <P>I assume firemon has a price, anyone know of an open source version as well to look at?</P> Fri, 04 Dec 2015 16:28:09 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69032#M40132 jdprovine 2015-12-04T16:28:09Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69107#M40170 <P>I was in the same boat as you are; inherited about 850 lines of sec policies being migrated from other vendor's solution. My apporach to clean/optimize was to enable "Hightlight unused rules" and after a month i started disabling unused rules. Waited another month, documented disabled rules and scheduled rule removeal. And four more weekends like that. It took me about 2 months to reduce number of rules from 850 to 200. In the same time this excersise allowed me to get better understanding of the infrastructure. Out of all those disabled rules, i had 10 rules thate were&nbsp;required&nbsp;to put back; some legacy traffic users were not aware of.</P> <P>You might be able to use PAN migration tool to upload firewall config and see if any duplication is showing.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 07 Dec 2015 22:01:30 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69107#M40170 Kalemegdan 2015-12-07T22:01:30Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69189#M40192 <P>Well the migration was complete a couple of months ago and I have been using the method that you mentioned but I was also told there is software out there that would be able to do some of that work for me. So I just thought I would see waht people are using and how they like it. So far the only suggestion I have had is firemon, I am probably going to download a trial of that and see what it does, but would love more suggestions&nbsp;</P> Tue, 08 Dec 2015 15:40:02 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69189#M40192 jdprovine 2015-12-08T15:40:02Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69218#M40208 <P>If you dont mind, once you downlaod and test software could you post your findings?&nbsp;</P> Tue, 08 Dec 2015 21:20:37 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69218#M40208 Kalemegdan 2015-12-08T21:20:37Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69226#M40215 <P>I can try it may not be something that can easlily be posted verbatim and it may take quite some time to complete the testing</P> Tue, 08 Dec 2015 22:08:30 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rule-optimization/m-p/69226#M40215 jdprovine 2015-12-08T22:08:30Z