Why Do I Need to Optimize Security Policies?
Live-network services are complex, and a large number of security policies are deployed on a firewall, so security policy anomalies and redundant security policies are likely to exist. These not only affect the normal running of services but also pose security risks and reduce firewall performance.
Security Policy Anomaly
The order of security policies matters. A Huawei firewall checks packets by matching them against security policies from top to bottom. Once a match is found, the firewall stops the check and processes the packet according to the action specified in the matching security policy. If the matching conditions of two security policies do not overlap, their relative order does not matter. In practice, however, matching conditions usually overlap between security policies, and in such cases an inappropriate order leads to anomalies. Impacts and handling suggestions vary according to the type of security policy anomaly. For details, see Appendix: What Are Security Policy Anomalies?
Outdated Security Policy
With service development and changing networks, security policies may be outdated. Such security policies are no longer used and will not be matched by any packet. These outdated security policies lengthen the matching process, deteriorate firewall performance, and increase management complexity.
Inaccurate Security Policy
Security policies must comply with the principle of least privilege and permit only legitimate traffic. When configuring a security policy, set the matching conditions as accurately as possible and exercise caution when using the "any" matching condition. Inaccurate security policies pose security risks.
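The three problems above (an ordering anomaly, an outdated policy, and an inaccurate policy) can all be found by examining a rule base offline. The following Python script is an added example, not Huawei code and not the firewall's own matching engine: it models top-down, first-match evaluation over a constructed rule base and sample traffic, then reports policies that are shadowed by an earlier policy, policies that no traffic hits, and permit policies that rely on "any". The policy names, zones, addresses and services are constructed for the illustration.

```python
"""Added example (not Huawei's code): offline checks for the three policy
problems discussed in the text, on top of a model of first-match evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "any"  # wildcard matching condition, as on the firewall CLI


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src: str       # CIDR such as "10.2.0.0/16", or "any"
    dst: str       # CIDR or "any"
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


def _cond_matches(cond: str, value: str) -> bool:
    return cond == ANY or cond == value


def _addr_matches(cond: str, ip: str) -> bool:
    return cond == ANY or ip_address(ip) in ip_network(cond, strict=False)


def matches(p: Policy, pkt: Packet) -> bool:
    """Every matching condition of the policy must hold for the packet."""
    return (_cond_matches(p.src_zone, pkt.src_zone)
            and _cond_matches(p.dst_zone, pkt.dst_zone)
            and _addr_matches(p.src, pkt.src_ip)
            and _addr_matches(p.dst, pkt.dst_ip)
            and _cond_matches(p.service, pkt.service))


def first_match(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Top-down, first-match evaluation: the first matching policy decides.
    None means nothing matched and the firewall's default action applies."""
    for p in policies:
        if matches(p, pkt):
            return p
    return None


def _cond_covers(outer: str, inner: str) -> bool:
    """True if every value matched by `inner` is also matched by `outer`."""
    return outer == ANY or outer == inner


def _addr_covers(outer: str, inner: str) -> bool:
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Ordering anomaly: a policy is shadowed when an earlier policy matches
    every packet it would match, so it can never be hit."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_cond_covers(earlier.src_zone, later.src_zone)
                    and _cond_covers(earlier.dst_zone, later.dst_zone)
                    and _addr_covers(earlier.src, later.src)
                    and _addr_covers(earlier.dst, later.dst)
                    and _cond_covers(earlier.service, later.service)):
                shadowed.append(later.name)
                break
    return shadowed


def unmatched_policies(policies: List[Policy], traffic: List[Packet]) -> List[str]:
    """Policies no observed packet hit: candidates for being outdated. A shadowed
    policy also shows zero hits, so resolve ordering anomalies before deleting."""
    hits = {p.name: 0 for p in policies}
    for pkt in traffic:
        p = first_match(policies, pkt)
        if p is not None:
            hits[p.name] += 1
    return [name for name, n in hits.items() if n == 0]


def wildcard_fields(policies: List[Policy]) -> Dict[str, List[str]]:
    """Permit policies using "any" for source, destination or service, with the
    wildcarded fields, so each can be reviewed against least privilege (a
    public web server may legitimately accept any source, but rarely any service)."""
    result: Dict[str, List[str]] = {}
    for p in policies:
        if p.action == "permit":
            fields = [f for f in ("src", "dst", "service") if getattr(p, f) == ANY]
            if fields:
                result[p.name] = fields
    return result


# Constructed sample rule base; names, zones and addresses are illustrative.
POLICIES = [
    Policy("web_in",    "untrust", "dmz",     ANY,              "10.1.1.10/32", "tcp/443", "permit"),
    Policy("block_all", "untrust", "dmz",     ANY,              ANY,            ANY,       "deny"),
    Policy("mgmt_ssh",  "untrust", "dmz",     "203.0.113.0/24", "10.1.1.10/32", "tcp/22",  "permit"),
    Policy("old_ftp",   "trust",   "dmz",     "10.2.0.0/16",    "10.1.1.20/32", "tcp/21",  "permit"),
    Policy("lan_out",   "trust",   "untrust", ANY,              ANY,            ANY,       "permit"),
]
# The same rule base with mgmt_ssh moved above block_all (the ordering fix).
FIXED_POLICIES = [POLICIES[0], POLICIES[2], POLICIES[1], POLICIES[3], POLICIES[4]]
# Constructed sample flows, standing in for the firewall's per-policy hit counts.
TRAFFIC = [
    Packet("untrust", "dmz",     "198.51.100.7", "10.1.1.10", "tcp/443"),
    Packet("untrust", "dmz",     "203.0.113.5",  "10.1.1.10", "tcp/22"),
    Packet("trust",   "untrust", "10.2.3.4",     "192.0.2.1", "tcp/80"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_policies(POLICIES))              # ['mgmt_ssh']
    print("never hit:", unmatched_policies(POLICIES, TRAFFIC))   # ['mgmt_ssh', 'old_ftp']
    print("wildcards:", wildcard_fields(POLICIES))
    print("shadowed after reorder:", shadowed_policies(FIXED_POLICIES))  # []
```

In the sample, mgmt_ssh sits below the catch-all deny and is therefore shadowed: the SSH flow from 203.0.113.5 is dropped by block_all, and mgmt_ssh also shows zero hits, which is why a zero hit count alone does not tell you whether a policy is outdated or merely mis-ordered. Moving mgmt_ssh above block_all clears the anomaly. old_ftp still has no hits after the reorder and is the real candidate for removal, while lan_out is flagged because a permit with "any" for source, destination and service is the kind of inaccurate policy the text warns about.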