Paste your firewall rules and get an instant NIS2 compliance gap analysis. Detect shadow rules, redundant policies, overlaps, and security issues in seconds.
Your rules are analyzed in memory only. We never store your configuration data.
Shadow rules: find rules that never match traffic because earlier rules already handle it.
Redundant rules: identify duplicate or near-identical rules that can be consolidated.
Overlapping rules: detect rules with partially overlapping criteria that may cause unexpected behavior.
Conflicting rules: find rules with matching criteria but different actions (allow vs deny).
Supports Palo Alto, Fortinet, Check Point, Cisco ASA, and OPNsense.
Firewall rulebases grow over time as networks evolve, applications change, and team members come and go. Without regular auditing, rule bloat introduces security risks, performance degradation, and compliance gaps. Here is what our scanner detects and why each issue matters.
A shadow rule is a firewall rule that never matches any traffic because a broader rule earlier in the policy, with the same action, already handles every packet it would match. Shadow detection assumes top-down, first-match evaluation; on pf-based firewalls such as OPNsense that holds only for rules with the quick flag set (the default in the GUI), since plain pf applies the last matching rule. A rule can also be shadowed by the combined coverage of several earlier rules rather than by any single one, which a purely pairwise comparison will not catch. Shadow rules are the most common issue in enterprise firewall rulebases, often accounting for 10-30% of all rules in environments that have not been audited in the past year.
Example: Rule 50 allows TCP/443 from 10.0.0.0/8 to any. Rule 200 allows TCP/443 from 10.1.0.0/16 to any. Rule 200 is shadowed: it will never match, because 10.1.0.0/16 lies entirely inside 10.0.0.0/8 and Rule 50 already permits that traffic. If Rule 200 denied the same traffic instead, it would still never match, but the finding would be a conflict rather than a shadow (see below).
Redundant rules are duplicates or near-duplicates that perform the same function. While not a direct security risk, they increase rulebase complexity, slow down firewall processing, and make change management harder. Every redundant rule is a rule that must be reviewed during compliance audits, maintained during migrations, and tested after changes.
Impact: On firewalls that walk the rulebase linearly, large rulebases with redundant rules can slow packet processing by 5-15%; on platforms that precompile the policy the cost shows up mainly as longer commit times and a larger review burden rather than per-packet latency. Consolidating redundant rules reduces audit scope and simplifies troubleshooting.
Overlapping rules have partially intersecting criteria: they match some of the same traffic but not all of it. The firewall resolves the intersection deterministically by order, but the intent is ambiguous to whoever reads or edits the policy, and reordering or inserting a rule can silently change what is allowed. Overlaps are particularly dangerous when one rule permits traffic and the other denies it, because the effective policy for the shared traffic depends entirely on rule ordering.
Compliance note: PCI DSS requires that every permitted service, protocol and port have a documented business justification (Requirement 1.2.5 in v4.0, 1.1.6 in v3.2.1) and that rulesets be reviewed at least every six months (1.2.7 in v4.0, 1.1.7 in v3.2.1). Overlapping rules often indicate undocumented exceptions that auditors will flag.
Conflicting rules have identical or near-identical matching criteria but different actions: one allows the traffic while the other denies it. The firewall applies whichever rule it evaluates first, so the later rule is dead and states the opposite of what is enforced; the policy as written no longer describes the policy in effect. Conflicts are the highest-severity finding because they indicate a clear policy error rather than a housekeeping problem.
How we detect them: Our scanner compares source, destination, service, and action across all rule pairs, checking for both exact matches and partial overlaps with opposing actions.
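The four findings described above can be reproduced with a pairwise classifier. The following Python is an added example written for this page, not FwChange's own scanner code. It assumes a simplified rule model (IPv4 CIDR source and destination, one protocol, an inclusive destination port range, allow/deny) and top-down first-match evaluation, and it refines the page's four categories slightly: a later rule that is a strict superset of an earlier rule with the opposite action is reported as an "exception" (the usual deny-host-then-allow-subnet pattern) rather than a conflict, and partial overlaps are split by whether the two actions agree. The sample rulebase is constructed for the example and reuses Rule 50 and Rule 200 from the shadow-rule section.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule (constructed model, not a vendor export format)."""
    num: int          # position in the rulebase; lower numbers are evaluated first
    action: str       # "allow" or "deny"
    src: str          # IPv4 CIDR or "any"
    dst: str          # IPv4 CIDR or "any"
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # inclusive (low, high) destination port range


def _net(cidr: str) -> ipaddress.IPv4Network:
    # "any" is modelled as 0.0.0.0/0, so this example is IPv4-only
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _subset(a: Rule, b: Rule) -> bool:
    """True if every packet matched by a is also matched by b."""
    return (_net(a.src).subnet_of(_net(b.src))
            and _net(a.dst).subnet_of(_net(b.dst))
            and (b.proto == "any" or a.proto == b.proto)
            and b.ports[0] <= a.ports[0] and a.ports[1] <= b.ports[1])


def _intersects(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both a and b."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and (a.proto == "any" or b.proto == "any" or a.proto == b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def classify(earlier: Rule, later: Rule) -> Optional[str]:
    """Relationship of `later` to `earlier` under top-down, first-match evaluation."""
    if not _intersects(earlier, later):
        return None
    same_action = earlier.action == later.action
    later_in_earlier = _subset(later, earlier)
    earlier_in_later = _subset(earlier, later)
    if later_in_earlier and earlier_in_later:        # identical match criteria
        return "redundant" if same_action else "conflict"
    if later_in_earlier:                             # later rule can never match
        return "shadowed" if same_action else "conflict"
    if earlier_in_later:                             # earlier rule is the narrower one
        return "redundant" if same_action else "exception"
    return "overlap" if same_action else "overlap-opposing"


def analyze(rules):
    """Pairwise scan. Returns (kind, later_rule, earlier_rule) tuples in rulebase order.
    A pairwise check cannot see a rule shadowed only by the union of several earlier rules."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            kind = classify(earlier, later)
            if kind:
                findings.append((kind, later.num, earlier.num))
    return findings


# Constructed sample rulebase; Rules 50 and 200 are the example from the text.
SAMPLE_RULES = [
    Rule(50,  "allow", "10.0.0.0/8",    "any",             "tcp", (443, 443)),
    Rule(100, "deny",  "10.1.5.7/32",   "192.168.10.0/24", "tcp", (22, 22)),
    Rule(150, "allow", "10.1.0.0/16",   "192.168.10.0/24", "tcp", (22, 22)),
    Rule(200, "allow", "10.1.0.0/16",   "any",             "tcp", (443, 443)),
    Rule(250, "deny",  "10.2.0.0/16",   "any",             "tcp", (443, 443)),
    Rule(300, "allow", "10.0.0.0/8",    "any",             "tcp", (443, 443)),
    Rule(350, "deny",  "172.16.0.0/12", "192.168.0.0/16",  "udp", (53, 53)),
    Rule(400, "allow", "172.16.8.0/24", "192.168.0.0/16",  "any", ANY_PORTS),
]

if __name__ == "__main__":
    for kind, later, earlier in analyze(SAMPLE_RULES):
        print(f"{kind:17} rule {later} vs earlier rule {earlier}")
```

Running it reports Rule 200 as shadowed by Rule 50, Rule 250 as a conflict with Rule 50 (a dead deny under a broader allow), Rule 300 as redundant with Rule 50, Rule 150 as a broader allow carving an exception around the host-specific deny in Rule 100, and Rule 400 as an opposing-action partial overlap with Rule 350, where only the order decides whether UDP/53 from 172.16.8.0/24 is dropped or passed. The subset and intersection tests are the whole engine; a production scanner adds address objects, service groups, zones and negated fields to the same two predicates.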
Upload your firewall rule export (JSON, CSV, or text format) and our analysis engine processes it entirely in memory. We support Palo Alto, Fortinet, Check Point, Cisco ASA, and OPNsense rule formats. No account required, no data stored.
FwChange provides continuous firewall monitoring, change management, compliance reporting, and JIRA integration.