After writing about the hidden cost of network complexity, I want to offer a solution — one that, based on my experience, fits consistently well in real enterprise environments.

Firewall rule cleanup sounds straightforward until you try to do it in a real enterprise environment. Rules have history. Systems have dependencies. Ownership is unclear. And nobody wants to be responsible for breaking production.

"The goal isn't to delete rules aggressively. The goal is to reduce risk while increasing understanding."

Below is the process that has worked consistently in complex environments across projects I have previously worked on:

  • Ownership and System Context
  • Map Internal Knowledge — Honestly
  • Bring in External Context Where Needed
  • Build a Baseline of Assets and Communication Flows
  • Create a Delta Against Existing Firewall Rules
  • Challenge Insecure Patterns (Carefully)
  • Document Decisions and Changes
  • Build Continuous Improvement Into the Process

1 Start With Ownership and System Context

Before touching a single firewall rule, establish clear context around the systems involved. At a minimum, identify who owns the application or system, who operates the underlying infrastructure, what business function the system supports, and which environments are in scope — production, staging, IT, OT, and so on.

Equally important is having an accurate and up-to-date asset inventory. Every server, service, and endpoint consuming firewall access should be mapped to a system or application, a responsible owner, and a defined environment.

Without this baseline, firewall rules quickly become detached from the systems they were created to support. In many environments, rules exist that no one can confidently explain. When ownership is unclear, the default response is to keep everything "just in case." Many rules are introduced during migration projects and never revisited afterward — left behind with the intention of being cleaned up later, a cleanup that often never happens.

Another common challenge is that application owners are often hesitant to approve changes to firewall rules affecting their systems. This reluctance is usually not due to resistance, but to limited visibility into how their application actually communicates and what dependencies exist. Without that understanding, any change feels risky.

This is why cleanup must start with reconnecting rules to real systems and real owners, supported by a reliable asset inventory and open dialogue. When owners understand what their application does, what traffic it requires, and why, they are far more willing to participate in rationalising access and improving security.

2 Map Internal Knowledge — Honestly

Most organisations assume they know their environment well. In reality, knowledge is usually partial, fragmented, and distributed across teams and locations. Some applications have changed hands multiple times, were implemented years ago, or have undocumented dependencies. As a result, the true understanding of how systems communicate is rarely held by one team or one site.

At this stage, identify what the team genuinely understands, where knowledge gaps exist, and which systems are considered "untouchable" due to uncertainty. This is not about assigning blame — it is about understanding where decisions can be made safely and where further discovery is required.

It is also important to treat this as a global exercise, not a local one. In larger organisations, valuable knowledge often sits with teams in other sites, regions, or legacy project groups. Bringing these people together in a shared forum — even temporarily — can significantly accelerate clarity. A coordinated cleanup effort benefits from participation across infrastructure, security, application, and regional teams working toward a common objective.

Approached this way, the exercise does more than enable firewall cleanup. It strengthens collective understanding of the environment, improves supportability of applications, and creates the conditions needed to simplify both firewall policy and overall network design.

3 Bring in External Context Where Needed

When internal knowledge is limited, external support can accelerate clarity and reduce uncertainty. This may include vendors who know the application deeply, integrators involved in the original deployment, or security and network specialists who can map and validate traffic patterns.

Existing vendors can be engaged in two practical ways: by allocating a knowledgeable resource to participate directly in the cleanup effort, or by providing existing documentation and architecture references that the cleanup team can review, validate, and adjust based on current requirements.

The goal is not to outsource responsibility, but to close knowledge gaps so decisions can be made confidently. Engaging external parties in a structured way often helps teams validate what is truly required, retire outdated assumptions, and move forward with changes that are both safer and better understood.

4 Build a Baseline of Assets and Communication Flows

You cannot clean what you cannot see.

Once ownership and asset inventories are established, the next step is to build a baseline of real communication flows. At a minimum, this baseline should answer: which assets exist, which systems communicate, over which ports and protocols, and for what purpose. This creates a shared reference point for IT, security, and application teams, and turns firewall discussions into fact-based conversations rather than assumptions.

Common approaches include extracting firewall logs associated with those assets and performing packet captures to understand the flows being generated both to and from the subnet or VLAN where the systems reside. Packet captures are particularly useful when working toward microsegmentation, while firewall log analysis provides the visibility needed for perimeter or inter-zone cleanup.

From this initial dataset, the team should remove obvious noise traffic — for example broadcast traffic such as ARP requests — and compare observed flows against expected communication patterns derived from internal knowledge and vendor input. The objective is to separate legitimate application communication from historical or incidental traffic that no longer serves a purpose.

Once the expected baseline communication for each asset has been identified, cleaned, and validated with application owners, infrastructure teams, and where necessary vendors, the organisation has a reliable view of how systems actually interact. With that validated baseline in place, the cleanup effort can move forward to analysing the existing rule set.

5 Create a Delta Against Existing Rules — The Actual Cleanup

With a validated communication baseline in place, the next step is to compare what exists today against what is actually required. This delta analysis typically highlights obsolete rules, overly permissive access, duplicate entries, and temporary rules that quietly became permanent.

At this stage, the objective is understanding before action. The goal is to build confidence in what can be changed safely, not to remove rules aggressively. Using the expected baseline communication, the team can begin the actual firewall cleanup by identifying which rules can be removed, tightened, consolidated, or confirmed as still required.

This phase should be approached incrementally. Cleanup is best done in controlled stages to minimise operational risk. Even rules that appear unnecessary may still support edge cases, legacy integrations, or vendor-managed components. Vendors and internal teams can both make incorrect assumptions, so changes should be validated carefully.

A phased approach allows teams to test changes safely, monitor impact, roll back if needed, and build trust with application owners. By progressing in measured steps, organisations reduce the likelihood of disruption while steadily improving rule quality and reducing overall network exposure.

6 Challenge Insecure Patterns (Carefully)

Once firewall rules have been aligned to the validated baseline communication, the next step is to review the quality of that communication from a security perspective. Many legacy rules persist because applications were originally built with weaker assumptions around encryption, authentication, or network exposure.

At this stage, focus shifts from which traffic is needed to how that traffic is secured. For example:

  • Can HTTP be replaced with HTTPS?
  • Can legacy or unencrypted protocols be retired or upgraded?
  • Can broad access be reduced to specific hosts or service endpoints?
  • Can stronger authentication or certificate-based trust be introduced?

Often, the right improvement is not purely a firewall change but an application or system configuration update that enables tighter and more secure rules. Moving from unencrypted to encrypted protocols, or from wide network access to targeted communication, can significantly improve overall posture without disrupting functionality. This step requires close collaboration with system and application owners — with the baseline now clearly defined, conversations are grounded in facts rather than assumptions.

7 Document Decisions and Changes

Every removed, modified, or retained rule should have a clear justification, an identified owner, and a review timestamp. Documentation is what transforms a one-time cleanup effort into sustainable governance. Without it, complexity slowly reappears as institutional memory fades and decisions lose context.

Properly recorded changes ensure that when teams evolve — whether through growth, restructuring, or turnover — new members are not forced to rediscover historical decisions from scratch. Instead, they inherit structured knowledge that allows them to operate confidently and make informed changes.

Comprehensive documentation is also invaluable during audits. When rules are clearly mapped to business purpose, ownership, and review history, audit conversations shift from reactive justification to structured evidence of control and oversight.

8 Build Continuous Improvement Into the Process

Firewall cleanup is not a one-time project. It is an operational discipline.

Without ongoing governance, complexity will slowly return — new systems are introduced, migrations happen, temporary exceptions are granted, and over time the rule base begins to expand again. To prevent this, organisations should introduce structured rule lifecycle reviews including a formal decommissioning process, continuously track rule ownership, validate new rules against defined security standards before approval, and schedule periodic rationalisation exercises.

As a practical guideline, the rule base should be revalidated at least every six months to confirm that the defined communication is still relevant, ownership remains accurate, and access levels remain appropriate.

Equally important is a proper decommissioning process. When assets are added, migrated, or retired, those changes must be reflected in the firewall policy. If systems are removed but their rules remain, complexity accumulates silently. Small, continuous adjustments — aligned with asset lifecycle management — prevent the need for large, disruptive cleanups later.

"Over time, this approach shifts firewall management from reactive correction to controlled, predictable governance."

Final Thought

Effective firewall cleanup is not about deleting rules. It is about reconnecting network policy to real systems, real ownership, and real risk.

When organisations combine visibility, collaboration, and phased remediation, complexity begins to reduce naturally. Security improves, change becomes safer, and teams regain confidence in the network they operate.

The real success of a cleanup effort isn't measured by how many rules are removed. It's measured by how well the organisation understands — and can safely manage — the communication that remains.