When analysis completes, select an access control policy to review the right-pane summary and click View analysis details and optimize.

Overall summary—provides insights on how many rules are healthy, disabled, expired, and contain anomalies, using a pie chart for the selected access control policy. You can also hover over the part of the pie to view the percentage of rules.

Rule usage history—shows how recently rules were used, with time periods.

Rules with Anomalies—provides insights on how many rules have anomalies.

Hits rules & dead rules—provides insights on hitcount of expired rules, for rule types including allow, block, monitor, and trust.

In remediation tabs such as Duplicate rules, Expired rules, Mergeable rules, Overlapping objects, and Policy insights you can select the check box next to a category to stage all observations in that category, or expand the category and select specific observations or rules. Available actions depend on the anomaly type.

The Duplicate Rules tab lists shadowed and redundant rules with anomalies:

• A Fully Shadowed rules is one that will never evaluate network traffic because another rule that precedes it over shadows this rule.

  

• A Fully Redundant rules is one that is just a part of another larger rule, such that removing this redundant rule does not have an impact on the network traffic, because the traffic evaluation that this rule must perform is already performed by another rule.

  

You can remediate all duplicate-rule observations in a category, selected fully shadowed or fully redundant observations, or individual rules within an expanded observation. For selected duplicate rules, choose Move to disabled state or Move to delete state. Disable rules first when you want to measure the impact before deleting them.

Note	Expand each observation to review the affected rules before you stage a remediation. Each rule in the list is displayed with a set of attributes; click the settings button on the top right to select which rule attributes you want to display along with the rule.

When duplicate-rule remediation removes shadowed or redundant rules and retains a base rule, Policy Analyzer and Optimizer adds a standardized comment to the retained rule. The comment identifies the retained rule and the removed rules, which helps you audit the cleanup.

After you stage the selected duplicate-rule remediations, you can still Undo them before clicking Apply Remediation. It is recommended that you disable rules first to measure the impact and delete them later, because deleting them permanently removes them.

You can enable the disabled rules any time by navigating to the Cloud-Delivered Firewall Management Center or the On-Premises Firewall Management Center on which the rules are present.

The Expired Rules tab lists rules that were configured with a time range and the time range has expired. You can also see rule information such as the date on which the rule expired, hit count, last hit time, and the time range.

You can remediate all expired-rule observations in the category, selected expired-rule observations, or selected expired rules. For selected expired rules, choose Move to disabled state or Move to delete state. Only selected rules are changed when you apply remediation.

The Mergeable Rules tab lists the rules that have similar allow and block settings and can be merged into a single rule.

Review the mergeable-rule observations and stage remediation for the entire category, selected observations, or individual rules within an expanded observation. Click Merge Selected to merge only the staged items. Unselected mergeable-rule observations remain unchanged until you stage and apply remediation for them.

Note

When you select individual rules to merge, select only consecutive rules. The first selected rule in the sequence is updated with the merged rule criteria, and the remaining selected rules are removed. You can start the merge from any rule in a consecutive set. The first rule in the observation does not need to be selected.

The Overlapping Objects tab lists objects that are either fully overlapping (the IP addresses or port numbers are either the same or a complete subset) or partially overlapping (some subset of IP addresses are repeated, but not all).

For example, if a rule contains an object for 192.168.1.1 and another for 192.168.1.0/24, the 192.168.1.1 object is fully overlapped by the other object and is not needed in the rule. For fully overlapped objects, you can remediate all fully overlapped observations in the category, selected observations, or selected rules. Click Remove All Fully Overlapped Objects from Rules to remove fully overlapped objects only from the staged items. For partial overlaps, evaluate each occurrence and edit the objects directly.

For partial overlaps, you need to evaluate each occurrence, determine if any changes can be made, and implement those changes directly by editing the objects.

The Policy Insights tab has a Hit Count section that initially lists any rules that have never been triggered (Never Hit Rules). The hit count information is from all devices that are assigned to the policy. You can change criteria and see other hit count information, for example, Not Hit Rules for the past six months, or Hit Rules over a selected time period. You can filter the rules using the actions set in the rules, hit information, and time period:

• Never Hit Rules—Rules that have never been hit from the time they were created.

• Hit Rules—Rules that have been hit in the selected time period.

• Not Hit Rules—Rules that have not been hit in the selected time period.

Select the rules that you want to disable or delete, and select Disable Rules or Delete Rules. These changes are staged until you select Apply Remediation. First, disable the rules when you want to measure their impact before deleting them.

The access control analysis report is a PDF summary of completed remediations for a selected policy. It includes only the remediation categories that apply to the changes you selected and applied. Each section lists the rule name, remediation action, and related comments. For example, if no duplicate rules were remediated, the report excludes the duplicate-rule remediation section.

The report includes only the remediation sections and rule details for remediations that you selected and applied. Unselected anomalies are not included in the report.

1. In the Policy Analyzer and Optimizer page, click Access control.

2. Select an access control policy, and in the right pane, click Download analysis report.

The report can include these sections:

• Remediation Summary

• Hit Count Remediation

• Expired Rules Remediation

• Duplicate Rules Remediation

• Mergeable Rules Remediation

Note

To determine whether a policy is remediated by the Policy Analyzer and Optimizer, navigate to Policies > Access Policies and edit a policy to view the rules in the Policy Editor. When a policy is remediated, a comment is added to the rules that are optimized. You can also filter all the optimized rules using "updated by Policy Analyzer and Optimizer" to view all the remediated rules. During duplicate rule remediation, the retained rule is updated with a comment specifying which rule was preserved and which were removed.