Summary
The firewall-review skill asks reviewers to identify unused rules with zero hit counts, but it does not require enough evidence to prove that the counter window is reliable.
This can create false positives: hit counters may reset after policy install, device reboot, HA failover, or firewall reload. A zero-hit rule might be genuinely stale, or it might simply have a one-day counter baseline in a 90-day review.
Proposed improvement
Add unused-rule evidence gates that require reviewers to capture:
- hit count and last-hit timestamp
- counter baseline timestamp, firewall uptime, policy install time, and failover/reload history
- SIEM or flow-log cross-checks for seasonal, disaster recovery, failover, or batch traffic
- owner, change ticket, expiry date, and rollback plan before recommending production rule removal
- output table fields that classify evidence quality as reliable, weak, or not evaluable
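As an added illustration of the evidence gates above (example code written for this issue, not part of the firewall-review skill itself), the following script builds the proposed output table. It treats the most recent counter-resetting event (counter baseline, policy install, reboot, or HA failover) as the effective baseline, measures what fraction of the review window that baseline actually covers, and only then classifies the evidence as reliable, weak, or not evaluable. The field names, the 90% coverage threshold, and the sample rules are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass
class RuleEvidence:
    """Evidence a reviewer captures for one rule before calling it unused (field names are assumed)."""
    rule_id: str
    hit_count: int
    last_hit: Optional[datetime]
    counter_baseline: datetime            # when the hit counter last started from zero
    policy_install: datetime              # last policy push; may reset counters
    device_boot: datetime                 # last reboot/reload; resets counters
    failover_events: List[datetime] = field(default_factory=list)  # HA failovers; reset counters
    flow_log_hits: Optional[int] = None   # SIEM/flow-log matches in the window; None = not checked
    owner: Optional[str] = None
    change_ticket: Optional[str] = None


def effective_baseline(ev: RuleEvidence) -> datetime:
    """Counters are only meaningful since the most recent resetting event."""
    return max([ev.counter_baseline, ev.policy_install, ev.device_boot, *ev.failover_events])


def counter_coverage(ev: RuleEvidence, review_start: datetime, review_end: datetime) -> float:
    """Fraction of the review window covered by a continuous, unreset counter (0.0 to 1.0)."""
    window = (review_end - review_start).total_seconds()
    if window <= 0:
        raise ValueError("review window must be non-empty")
    start = max(effective_baseline(ev), review_start)
    covered = max(0.0, (review_end - start).total_seconds())
    return min(1.0, covered / window)


def classify_rule(ev: RuleEvidence, review_start: datetime, review_end: datetime,
                  min_coverage: float = 0.9) -> dict:
    """Produce one output-table row with an evidence-quality classification."""
    coverage = counter_coverage(ev, review_start, review_end)
    row = {
        "rule_id": ev.rule_id,
        "hit_count": ev.hit_count,
        "last_hit": ev.last_hit.isoformat() if ev.last_hit else None,
        "counter_baseline": effective_baseline(ev).isoformat(),
        "counter_coverage": round(coverage, 2),
        "flow_log_checked": ev.flow_log_hits is not None,
    }
    if ev.hit_count > 0 or (ev.flow_log_hits or 0) > 0:
        # Any observed traffic, on the device or in logs, rules out "unused".
        row.update(evidence_quality="reliable", finding="in use", recommendation="keep")
    elif coverage < min_coverage:
        # Counter baseline is too fresh to say anything about the review window.
        row.update(evidence_quality="not evaluable", finding="counter window too short",
                   recommendation="re-baseline counters and review again after the full window")
    elif ev.flow_log_hits is None:
        # Zero on-device hits but nobody checked logs for seasonal, DR, failover or batch traffic.
        row.update(evidence_quality="weak", finding="zero hits, no log cross-check",
                   recommendation="cross-check SIEM/flow logs before recommending removal")
    elif not (ev.owner and ev.change_ticket):
        row.update(evidence_quality="reliable", finding="unused",
                   recommendation="blocked: record owner, change ticket, expiry date and rollback plan")
    else:
        row.update(evidence_quality="reliable", finding="unused",
                   recommendation="candidate for removal with expiry date and rollback plan")
    return row


# Constructed sample data: a 90-day review window and four rules that exercise each branch.
REVIEW_START = datetime(2024, 1, 1, tzinfo=UTC)
REVIEW_END = datetime(2024, 3, 31, tzinfo=UTC)
_old = datetime(2023, 9, 1, tzinfo=UTC)
_install = datetime(2023, 12, 15, tzinfo=UTC)
SAMPLE_RULES = [
    RuleEvidence("R-A", 0, None, _old, _install, _old, [], flow_log_hits=0,
                 owner="netops", change_ticket="CHG-EXAMPLE-1"),          # clean zero, fully covered
    RuleEvidence("R-B", 0, None, _old, _install, _old,
                 failover_events=[datetime(2024, 3, 30, tzinfo=UTC)], flow_log_hits=0,
                 owner="netops", change_ticket="CHG-EXAMPLE-2"),          # failover reset counters yesterday
    RuleEvidence("R-C", 0, None, _old, _install, _old, []),               # zero hits, logs never checked
    RuleEvidence("R-D", 0, None, _old, _install, _old, [], flow_log_hits=3),  # quarterly batch seen in SIEM
]


def review_table() -> List[dict]:
    """Classify every sample rule against the sample review window."""
    return [classify_rule(ev, REVIEW_START, REVIEW_END) for ev in SAMPLE_RULES]


if __name__ == "__main__":
    for row in review_table():
        print(row["rule_id"], row["evidence_quality"], row["counter_coverage"], "->", row["recommendation"])
```

Rule R-B is the case the issue describes: its counters are technically zero, but the HA failover on 30 March means only one day of the 90-day window is covered, so the table marks it "not evaluable" instead of flagging it for removal.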
Why this matters
Firewall cleanup based only on zero counters can remove valid low-frequency access or miss stale orphaned access when counters are too fresh. A small evidence matrix makes unused-rule findings more defensible and reduces noisy remediation advice.