Clean up policies

Note: In our technical documentation, we use the term "Azure Firewall" to refer to Azure Firewall (Policy-based) devices, distinguishing it from Azure Firewall (Classic).

Cloud security groups are constantly adjusted, and can bloat rapidly. This makes cloud security groups difficult to maintain, and increases potential risk.

This topic describes how to avoid policy bloat by identifying and then editing or deleting unused rules in your AWS SGs, Azure NSGs, Azure Firewalls (except Azure Firewall (Classic)), and Google Cloud Firewalls.

We recommend removing unused rules from your policy set to keep your network policies clean of irrelevant or outdated rules and avoid risk.

About AppViz unused rules

AppViz considers a rule to be unused when these criteria are met:

  • Flow logs / logs are enabled:

    • For AWS: VPC Flow Logs are enabled for the VPC that contains the rule. For more details, see Enable AWS VPC flow logging.

    • For Azure: Flow Logs are enabled for the Azure Firewall / NSG that contains the rule. For more details see Enable Azure flow logs.

    • For Google Cloud: Firewall logs are enabled for the project (Hierarchical) or the individual (firewall) rules. For more details see Enable Google Cloud logs.

  • AppViz did not find a single hit for the rule during the configured inactivity period.

    Note: For more details on how AppViz determines what rules are considered inactive, see Set the inactivity period for calculating unused rules.

Note: The Unused rules list may be empty for any of the following reasons:

  • None of the target NSGs / Azure Firewalls / SGs have flow logs enabled.
  • There's a log collection failure.
  • Flow logs were properly enabled and collected, but no rule matches the unused rule criteria.
  • Some rules match the unused rule criteria, but are filtered out based on the search box filter.

View policy sets with unused rules only

By default, AppViz displays all rules in the device policy. Filter the list to show only inactive rules, so you can focus on potentially risky rules and modify or delete them as needed.

Note: For more details on how AppViz determines what rules are considered inactive, see Set the inactivity period for calculating unused rules.

Do the following:

  1. Click NETWORK POLICIES in the left navigation. Select AWS SG Policies, Azure Policies, or GCP Firewall Policies.

    • For Azure Policies: Select the Azure NSG tab or the Azure Firewall tab.

    • For GCP Firewall Policies: Select the Firewall Policies tab or the Hierarchical Policies tab.

  2. Select Unused rules from the Cleanup view filter at the top of the page.

    Only policy sets with unused rules are displayed.

Edit or delete unused rules

Examine each unused rule and consider editing or deleting it to keep your policy free of noise that complicates maintenance. For more details, see Edit network policy rules.

Set the inactivity period for calculating unused rules

AppViz defines an unused rule as a rule that has not had any traffic for the configured inactivity period. You can modify the length of this inactivity period.

Note: We recommend setting a minimum of 30 days to confirm a rule doesn’t have hits before deleting it.

Note (for Google Cloud): The same inactivity period is used for both Firewall Policies and Hierarchical Policies. Setting the inactivity for one policy type updates both policy types.

Do the following:

  1. Click NETWORK POLICIES in the left navigation. Select AWS SG Policies, Azure Policies, or GCP Firewall Policies.

    • For Azure Policies: Select the Azure NSG tab or the Azure Firewall tab.

    • For GCP Firewall Policies: Select the Firewall Policies tab or the Hierarchical Policies tab.

  2. Set the Cleanup view to Unused rules.

    The current length (in days) of the configurable inactivity period and an Edit button are displayed on the right of the screen.

  3. Click Edit. The Set Unused Rules Period dialog appears.

  4. Enter the length (in days) of the inactivity period.

  5. Click OK.
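The two criteria listed under About AppViz unused rules (flow logging enabled for the containing group, and no hit within the inactivity period) and the effect of changing the inactivity period set above can be modelled in a few lines. The following is an added example for illustration; it is not AppViz code and does not reproduce the AppViz matching logic or any cloud provider's real flow-log schema. The rule and flow record shapes, group names, addresses and timestamps are all constructed.

```python
"""Model of the unused-rule criteria described on this page.

Added example, not AppViz code. Rule and flow-log record shapes are
constructed; real AWS VPC Flow Logs, Azure NSG/Firewall flow logs and
Google Cloud firewall logs each have their own schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One ingress rule in a security group / NSG / firewall (constructed shape)."""
    rule_id: str
    group: str            # SG / NSG / firewall that contains the rule
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any destination port
    src_cidr: str

    def matches(self, proto: str, dst_port: int, src_ip: str) -> bool:
        return (self.proto in ("any", proto)
                and (self.port is None or self.port == dst_port)
                and ip_address(src_ip) in ip_network(self.src_cidr))


@dataclass(frozen=True)
class FlowRecord:
    """One accepted flow taken from a flow log (constructed shape)."""
    group: str
    ts: datetime
    proto: str
    dst_port: int
    src_ip: str


def unused_rules(rules: Iterable[Rule], flows: Iterable[FlowRecord],
                 groups_with_logging: Set[str], inactivity_days: int,
                 now: datetime) -> List[str]:
    """Return ids of rules that satisfy both criteria on the page.

    1. Flow logging is enabled for the rule's group. Rules in groups
       without logs are skipped entirely: with no log, "no hits" cannot
       be told apart from "not observed", which is why the Unused rules
       list is empty when no target group has flow logs enabled.
    2. No logged flow inside the inactivity window matched the rule.
    """
    window_start = now - timedelta(days=inactivity_days)
    recent = [f for f in flows if f.ts >= window_start]
    unused = []
    for rule in rules:
        if rule.group not in groups_with_logging:
            continue
        hit = any(f.group == rule.group
                  and rule.matches(f.proto, f.dst_port, f.src_ip)
                  for f in recent)
        if not hit:
            unused.append(rule.rule_id)
    return unused


# Constructed sample data: one web group with flow logs, one DB group without.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

RULES = [
    Rule("sg-web-443", "sg-web", "tcp", 443, "0.0.0.0/0"),
    Rule("sg-web-22", "sg-web", "tcp", 22, "10.0.0.0/8"),
    Rule("sg-web-8080", "sg-web", "tcp", 8080, "0.0.0.0/0"),
    Rule("sg-db-3306", "sg-db", "tcp", 3306, "10.0.1.0/24"),
]

FLOWS = [
    FlowRecord("sg-web", NOW - timedelta(days=2), "tcp", 443, "203.0.113.7"),
    # SSH hit, but 45 days old: outside a 30-day window, inside a 60-day one.
    FlowRecord("sg-web", NOW - timedelta(days=45), "tcp", 22, "10.0.5.9"),
    # Recent SSH flow whose source is not in 10.0.0.0/8, so it is not a hit.
    FlowRecord("sg-web", NOW - timedelta(days=10), "tcp", 22, "192.168.1.1"),
]

LOGGED = {"sg-web"}  # sg-db has no flow logs enabled


def demo(inactivity_days: int, logged: Set[str] = LOGGED) -> List[str]:
    """Run the model with a given inactivity period (in days)."""
    return unused_rules(RULES, FLOWS, logged, inactivity_days, NOW)


if __name__ == "__main__":
    for days in (30, 60):
        print(f"{days}-day inactivity period: unused = {demo(days)}")
    print("no groups with logging:", demo(30, logged=set()))
```

Running the model with a 30-day period reports the SSH and port 8080 rules as unused; widening it to 60 days brings the 45-day-old SSH hit into the window and only the 8080 rule remains, which is the reason the page recommends at least 30 days before treating an absence of hits as evidence that a rule can be deleted. The DB rule never appears because its group has no flow logs, matching the first reason listed for an empty Unused rules list.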