Clean up policies

Note: In our technical documentation, we use the term "Azure Firewall" to refer to Azure Firewall (Policy-based) devices, distinguishing it from Azure Firewall (Classic).

Cloud security groups are constantly adjusted, and can bloat rapidly. This makes cloud security groups difficult to maintain, and increases potential risk.

This topic describes how to avoid policy bloat by identifying and then editing or deleting unused rules in your AWS SGs, Azure NSGs, Azure Firewalls, and Google Cloud Firewalls.

We recommend removing unused rules from your policy set to keep your network policies clean of irrelevant or outdated rules and avoid risk.

About CloudFlow unused rules

CloudFlow considers a rule to be unused when these criteria are met:

  • Flow logs / logs are enabled:

    • For AWS: VPC Flow Logs are enabled for the VPC that contains the rule. For more details, see Enable VPC flow logging.

    • For Azure: Flow Logs are enabled for the Azure Firewall / NSG that contains the rule. For more details see Enable Azure flow logs.

    • For Google Cloud: Firewall logs are enabled for the project (Inherited) or the individual (firewall) rules. For more details see Enable Google Cloud logs.

  • CloudFlow did not find a single hit for the rule during the configured inactivity period.

    Note: For more details on how CloudFlow determines what rules are considered inactive, see Set the inactivity period for calculating unused rules.

Note: The Unused rules list may be empty for any of the following reasons:

  • None of the target NSGs / Azure Firewalls / SGs have flow logs enabled.
  • There's a log collection failure.
  • Flow logs were properly enabled and collected, but no rule matches the unused rule criteria.
  • Some rules match the unused rule criteria, but are filtered out based on the search box filter.
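The classification above (logging enabled AND no hits within the inactivity period), together with the 30-day minimum recommended under "Set the inactivity period for calculating unused rules", as an added Python example that is not CloudFlow's own code. The `Rule` fields, rule names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed representation of a cloud rule; the field names are assumptions
# for this example, not CloudFlow's data model.
@dataclass
class Rule:
    name: str
    policy_set: str            # containing AWS SG, Azure NSG/Firewall or GCP firewall
    logging_enabled: bool      # VPC Flow Logs / Azure flow logs / GCP firewall logs on
    last_hit: Optional[datetime]  # most recent hit seen in collected logs, None if never

def classify(rule: Rule, now: datetime, inactivity_days: int) -> str:
    """Return 'unused', 'active' or 'unknown' for one rule.

    'unknown' is the important caveat: without logs for the policy set, the
    absence of hits proves nothing, so the rule must not be reported as unused.
    """
    if not rule.logging_enabled:
        return "unknown"
    cutoff = now - timedelta(days=inactivity_days)
    if rule.last_hit is not None and rule.last_hit >= cutoff:
        return "active"
    return "unused"   # logging on, and not a single hit inside the period

def unused_rules(rules: List[Rule], now: datetime, inactivity_days: int,
                 min_days: int = 30) -> List[str]:
    """Names of unused rules, enforcing the recommended 30-day floor."""
    if inactivity_days < min_days:
        raise ValueError(f"inactivity period {inactivity_days}d is below the "
                         f"{min_days}d minimum recommended before deleting rules")
    return [r.name for r in rules if classify(r, now, inactivity_days) == "unused"]

# Constructed sample: four rules observed at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RULES = [
    Rule("allow-ssh-from-office", "sg-web", True, NOW - timedelta(days=2)),
    Rule("allow-legacy-ftp", "sg-web", True, NOW - timedelta(days=120)),
    Rule("allow-rdp-any", "sg-db", True, None),
    Rule("allow-http", "sg-nologs", False, None),  # logs off: cannot be judged
]

if __name__ == "__main__":
    print(unused_rules(SAMPLE_RULES, NOW, 30))
```

Lengthening the period to 180 days moves `allow-legacy-ftp` back to active, which is why the page recommends confirming a long enough window before deleting anything.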

View policy sets with unused rules only

By default, CloudFlow displays all rules in the device policy. Filter rules to identify inactive rules, allowing you to focus on potentially risky rules for modification or deletion as needed.

Note: For more details on how CloudFlow determines what rules are considered inactive, see Set the inactivity period for calculating unused rules.

Do the following:

  1. Click NETWORK POLICIES in the left navigation. Select AWS SG Policies, Azure Policies, or GCP Firewall Policies.

    • For Azure Policies: Select the Azure NSG tab or the Azure Firewall tab.

    • For GCP Firewall Policies: Select the Firewall Policies tab or the Inherited Policies tab.

  2. Select Unused rules from the Cleanup view filter at the top of the page.

    Only policy sets with unused rules are displayed.

    Tips:

    • If you do not see any unused rules, see Clean up policies.
    • Use the search box to filter the items further.
    • While the Cleanup view is set to Unused rules, you can change the length of the inactivity period by clicking Modify at the right of the page. For more details, see Clean up policies.

Edit or delete unused rules

Examine each unused rule and consider editing or deleting it to keep your policy free of clutter. For more details, see Edit network policy rules.

Set the inactivity period for calculating unused rules

CloudFlow defines an unused rule as a rule that has not had any traffic for the configured inactivity period. You can modify the length of this inactivity period.

Note: We recommend setting a minimum of 30 days to confirm a rule doesn’t have hits before deleting it.

Note (for GCP): The same inactivity period is used for both Firewall Policies and Inherited Policies. Setting the inactivity period for one policy type updates both policy types.

Do the following:

  1. Click NETWORK POLICIES in the left navigation. Select AWS SG Policies, Azure Policies, or GCP Firewall Policies.

    • For Azure Policies: Select the Azure NSG tab or the Azure Firewall tab.

    • For GCP Firewall Policies: Select the Firewall Policies tab or the Inherited Policies tab.

  2. Set the Cleanup view to Unused rules.

    The current length (in days) of the configurable inactivity period and an Edit button are displayed on the right of the screen.

  3. Click Edit. The Set Unused Rules Period dialog appears.

  4. Enter the length (in days) of the inactivity period.

  5. Click OK.

Export Unused Rules Report to a CSV file

You can export a list of unused rules to a CSV file according to selected entities in the tree and filters (Vendor, Account, VNet/VPC, etc.).

About the exported CSV file:

  • The first line of the CSV report shows metadata, including information about any filters set when exporting the CSV.

  • The second line is the table column headers.

  • The pipe character (|) is used as the field delimiter instead of a comma.

  • If you open the CSV in MS Excel, AWS account numbers need one adjustment to be human readable: format the account number cells and set the number of decimal places to 0.
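A parser for the export layout described above (metadata line, header line, pipe-delimited rows), as an added Python example that is not CloudFlow's own code. The column names and row values in `SAMPLE_EXPORT` are constructed for illustration, not taken from a real report; the helper that singles out unused rules open to any source is likewise an assumption about how a practitioner would triage the list.

```python
import csv
import io

# Constructed sample in the layout the page describes; column names are assumptions.
SAMPLE_EXPORT = """\
Unused Rules Report|Vendor=AWS|Inactivity period=30 days|Filters=Account:012345678901
Vendor|Account|VPC|Policy set|Rule|Direction|Protocol|Port range|Source|Last hit
AWS|012345678901|vpc-0abc|sg-web|allow-legacy-ftp|inbound|tcp|21|0.0.0.0/0|
AWS|012345678901|vpc-0abc|sg-db|allow-rdp-any|inbound|tcp|3389|0.0.0.0/0|
AWS|012345678901|vpc-0abc|sg-app|allow-app-from-lb|inbound|tcp|8080|10.0.1.0/24|
"""

def parse_unused_rules_csv(text: str):
    """Return (metadata, rows) from a pipe-delimited unused-rules export.

    Line 1 is metadata (title then key=value items), line 2 the headers.
    Account IDs stay strings: Excel parses a 12-digit AWS account number as a
    number, dropping leading zeros and showing it in scientific notation unless
    the cell is formatted with 0 decimal places, which is the adjustment the
    page mentions.
    """
    lines = text.splitlines()
    first = lines[0].split("|")
    metadata = {"title": first[0]}
    metadata.update(item.split("=", 1) for item in first[1:] if "=" in item)
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])), delimiter="|")
    rows = list(reader)
    for row in rows:
        if row["Vendor"] == "AWS":
            # restore leading zeros if an earlier tool already stripped them
            row["Account"] = row["Account"].zfill(12)
    return metadata, rows

def unused_rules_open_to_any_source(rows):
    """Unused rules that also allow any source: the first candidates to remove."""
    return [r["Rule"] for r in rows if r["Source"] in ("0.0.0.0/0", "::/0")]

if __name__ == "__main__":
    meta, rows = parse_unused_rules_csv(SAMPLE_EXPORT)
    print(meta, unused_rules_open_to_any_source(rows))
```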

Do the following:

  1. Click NETWORK POLICIES in the left navigation. Select AWS SG Policies, Azure Policies, or GCP Firewall Policies.

    • For Azure Policies: Select the Azure NSG tab or the Azure Firewall tab.

    • For GCP Firewall Policies: Select the Firewall Policies tab or the Inherited Policies tab.

  2. Set the Cleanup view filter to Unused rules.

  3. Filter the list of unused rules as required.

  4. Click .

  5. Give the exported report a Report Name.

  6. Click Export. The Unused Rules Report is downloaded to your local drive.