Legacy firewall rule bases reveal a lot about a network, but rarely reflect a clean zone model. In hybrid IT/OT environments, simply deleting rules is not enough: rules must be understood, prioritised and reconciled against real communication requirements, DMZ boundaries and operational constraints.
Firewall rule cleanup in an IT/OT environment is not a cosmetic exercise. Legacy permits, any-rules, management exceptions, DMZ shortcuts and unclear object groups are direct indicators of where segmentation has eroded in practice. Simply deleting them risks outages. Tracing rules back to zones, legitimate flows and operational ownership creates maintainable boundaries that last.
The first step is to read the existing setup: interfaces, zones, policies, objects and obvious gaps. The result is not yet a target design, but a reliable fact base that brings IT, OT and security onto the same page.
Not every legacy issue is equally critical. In step 2, any-rules, broad management permits, missing inspection and hard IT/OT exceptions are ranked by risk and feasibility. Below you can see a parser output from a sample FortiGate configuration.
Cleanup without a target design ends in new exceptions. In step 3, a reduced target rule set emerges from the zone model and communication matrix. Conduits document the permitted boundaries between IT, DMZ and OT.
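As an added example (not the page's own parser output, which is not reproduced here), the three steps carried out in Python on a constructed FortiGate policy block: step 1 parses the `config firewall policy` section, step 2 scores each accept rule against the criteria named above (any-rules, broad management permits, missing inspection, direct IT/OT exceptions, no logging), and step 3 reconciles each rule with a zone model and conduit matrix. The sample configuration, the interface-to-zone mapping `ZONE_OF`, the matrix `CONDUITS`, the management-service list `MGMT` and the weights are all assumptions for illustration; in a real project they come from the step-1 fact base and the agreed communication matrix.

```python
import shlex

# Constructed sample in FortiOS CLI syntax, not a real customer configuration.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set srcintf "it_clients"
        set dstintf "ot_cell1"
        set srcaddr "IT_Clients"
        set dstaddr "all"
        set action accept
        set service "RDP" "SSH"
    next
    edit 3
        set srcintf "dmz"
        set dstintf "ot_cell1"
        set srcaddr "Historian_DMZ"
        set dstaddr "PLC_Cell1"
        set action accept
        set service "OPC-UA"
        set utm-status enable
    next
    edit 4
        set srcintf "it_clients"
        set dstintf "dmz"
        set srcaddr "IT_Clients"
        set dstaddr "Historian_DMZ"
        set action accept
        set service "HTTPS" "RDP"
    next
end
"""

# Assumed step-1 result: which zone each interface belongs to (unknown interfaces become "unknown").
ZONE_OF = {"port1": "it", "it_clients": "it", "dmz": "dmz", "port2": "ot", "ot_cell1": "ot"}
# Assumed step-3 communication matrix: permitted conduits and the services allowed through them.
CONDUITS = {("it", "dmz"): {"HTTPS"}, ("dmz", "ot"): {"OPC-UA"}, ("ot", "dmz"): {"OPC-UA", "SYSLOG"}}
MGMT = {"SSH", "HTTPS", "HTTP", "RDP", "TELNET", "SNMP"}  # assumed list of management services

def parse_policies(text):
    """Step 1: the 'config firewall policy' block as {policy_id: {key: [values]}}."""
    policies, cur, inside = {}, None, False
    for tok in map(shlex.split, text.splitlines()):  # shlex handles the quoted, space-separated values
        if tok[:3] == ["config", "firewall", "policy"]:
            inside = True
        elif inside and tok and tok[0] == "edit":
            cur = policies.setdefault(int(tok[1]), {})
        elif inside and tok and tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif inside and tok == ["end"]:
            break
    return policies

def assess(p):
    """Step 2: weighted findings; a higher total puts the rule into an earlier cleanup wave."""
    sz, dz = (ZONE_OF.get(p[k][0], "unknown") for k in ("srcintf", "dstintf"))
    svc, src_all, dst_all = set(p.get("service", [])), "all" in p.get("srcaddr", []), "all" in p.get("dstaddr", [])
    any_rule = svc == {"ALL"} and src_all and dst_all
    checks = [  # (finding, weight, hit)
        ("any-rule", 40, any_rule),
        ("service ALL", 20, svc == {"ALL"} and not any_rule),
        ("source any", 10, src_all and not any_rule),
        ("destination any", 10, dst_all and not any_rule),
        ("broad management permit", 20, bool(svc == {"ALL"} or svc & MGMT) and (src_all or dst_all)),
        ("direct IT->OT exception bypassing the DMZ", 25, (sz, dz) == ("it", "ot")),
        ("no inspection into OT", 10, dz == "ot" and p.get("utm-status") != ["enable"]),
        ("no logging", 10, p.get("logtraffic") == ["disable"]),  # absent = FortiOS default "utm"
    ]
    return [(name, w) for name, w, hit in checks if hit]

def reconcile(p):
    """Step 3: does the rule fit a documented conduit of the target design?"""
    sz, dz = (ZONE_OF.get(p[k][0], "unknown") for k in ("srcintf", "dstintf"))
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return f"no conduit {sz}->{dz}: remove, or re-route via the DMZ"
    extra = sorted(set(p.get("service", [])) - allowed)
    return f"services {extra} outside conduit {sz}->{dz}" if extra else f"matches conduit {sz}->{dz}"

def rank(text):
    """Accept rules only (deny rules need no cleanup wave), highest score first."""
    rows = []
    for pid, p in parse_policies(text).items():
        if p.get("action", ["deny"]) == ["accept"]:
            f = assess(p)
            rows.append({"id": pid, "score": sum(w for _, w in f),
                         "findings": [n for n, _ in f], "conduit": reconcile(p)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in rank(SAMPLE_CONFIG):
        print(f"{r['score']:>4}  policy {r['id']}: {', '.join(r['findings']) or 'no findings'} | {r['conduit']}")
```

Policy 4 is the case worth noticing: it collects no step-2 findings at all, yet step 3 flags RDP as outside the IT-to-DMZ conduit. A risk score alone does not tell you whether a rule belongs in the target rule set; only the matrix does.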
The analysis delivers the fact base and prioritisation. Four implementation building blocks then bring target design, piloting and operating model together.
The analysis is turned into an approvable target design with zones, conduits and documented target flows for IT, DMZ, admin and OT.
Instead of a risky big bang, high-impact rules are bundled into pilot packages — with maintenance windows and fallback paths.
Legacy exceptions, broad objects and unresolved permits are not blindly deleted but cleanly migrated or deliberately removed.
Logging, responsibilities and recurring reviews ensure the new rule set does not erode again immediately after cleanup.
We show you which rules in your environment are critical, how a clean target rule set is derived and how cleanup across IT, DMZ and OT can be prioritised without flying blind.
No: in IT and OT networks, rules often represent real operational needs, workarounds or missing zones. Without communication and zone context, a seemingly unnecessary entry can be business- or production-critical.
The example shown uses the existing FortiGate configuration analysis. The method applies to other vendors as well: understand the rule base, derive zones, document communication requirements and develop the target rule set from there.
Through prioritisation and waves: critical any-rules first, accompanied by logging, piloting, maintenance windows and sign-off by IT, OT and service owners. Cleanup is not a one-off sprint but a managed transformation.
Cleanup reduces and organises the existing rule base. Redesign defines the target system. In brownfield projects you usually need both: first understand and untangle the existing rules, then establish a target rule set with zones and conduits.
IEC 62443 provides the principle: zones and conduits instead of uncontrolled lateral communication. The DMZ is a central boundary. Firewall rule cleanup is the operational step to make this architecture enforceable in a hybrid IT/OT environment.
Firewall rules control traffic between zones. VLANs and switch ACLs define which devices belong to a zone and what is permitted at Layer 2. Both go together: the firewall analysis reveals which zones actually exist. From there it becomes clear where VLANs are missing, poorly scoped or where ACLs on the switch need to follow.
NIS2 Art. 21(2) requires documented network security measures and regular assessment of their effectiveness. A firewall rule base with hundreds of undocumented legacy entries meets neither requirement. Of the ten-measure catalogue (Section 30(2) BSIG), a cleanup contributes directly to four items: risk analysis (no. 1), effectiveness assessment (no. 6), cryptography (no. 8) and access control (no. 9). Cleanup provides the auditable foundation: documented zones, justified rules and a review process an auditor can verify.
Through a defined rule lifecycle: every new rule needs a request path, a responsible owner, a documented justification and an expiry date or review schedule. Regular audits verify whether rules still correspond to an active communication requirement. Especially for exceptions, the network or security team alone cannot decide whether a rule is still needed, because that requires process knowledge from operations. Without ownership and process, every rule base grows back to the same state within a few years.