280 Firewall Migrations: The Dataset — Rule Sprawl, Shadow Rules, and Ownership Gaps
Most firewall migration war stories are anecdotes. This is the dataset. Between 2008 and 2025, we cataloged 280 enterprise firewall migrations across eight vendors, 517,160 distinct rules, and 14 industry verticals. The numbers below quantify what every veteran firewall engineer knows intuitively: rulebases rot, ownership evaporates, and migration day is the only day anyone looks hard at the rules.
We are publishing the aggregate findings and methodology so other teams can benchmark their own rulebases against the dataset. All numbers below are pre-migration snapshots captured during rule export, before any cleanup.
Dataset at a glance
| Metric | Value |
|---|---|
| Migrations | 280 |
| Timeframe | 2008 – 2025 (17 years) |
| Total rules analyzed | 517,160 |
| Median rulebase size | 1,847 rules |
| Largest rulebase | 27,309 rules (global retail, 2019) |
| Vendors covered | Palo Alto, Fortinet, Check Point, Cisco ASA/FTD, Juniper, Sophos, SonicWall, pfSense |
| Verticals | Finance (31%), manufacturing (18%), healthcare (14%), retail (11%), public sector (9%), other (17%) |
Finding 1: 11% of rules are shadow rules
A shadow rule is a rule that never matches traffic because an earlier, broader rule already matched it. Across the dataset, a median of 11% of rules were shadowed — meaning roughly 200 rules in a typical 1,847-rule firewall have been sitting there, reviewed by nobody, changing nothing, for years.
Shadow rate correlates with rulebase age. Firewalls older than seven years averaged 14.2% shadow rules; firewalls younger than three years averaged 4.8%.
Finding 2: 31% of rules have not matched in 90 days
Where hit-count telemetry was available (168 of 280 migrations, 60%), a median of 31% of rules had zero hits in the prior 90 days. This is the single most reliable signal of rulebase rot: rules stay long after the application or host they were written for is decommissioned.
On two occasions, over half of the live ruleset had no hits in 90 days. Both organizations discovered, during the migration audit, that large business units had been migrated to the cloud years earlier and nobody had cleaned up the on-prem firewall rules that used to serve them.
Finding 3: 62% of rules have no identifiable owner
We considered a rule "owned" if we could trace it to a change ticket, a named requester in the rule description, or an application owner confirmed by the organization. By that standard, a median of 62% of rules had no identifiable owner at the time of migration.
Ownership is the single hardest data point to reconstruct after the fact. Teams that used a structured change-management tool from day one had ownership rates above 90%. Teams that relied on email threads and a shared Excel file had ownership rates below 20%.
Finding 4: 6% of rules use any-any in source or destination
A median of 6% of rules used any in the source or destination field. In public sector and manufacturing verticals, the number climbed to 9.1% and 8.7% respectively.
Most any-any rules originated as temporary diagnostic rules added during an incident and never removed. The oldest we found was created in 2011 and was still live, with a hit count in the billions, at the migration in 2023.
Finding 5: 17% of rules are redundant with a broader rule
Redundant rules — rules that are fully covered by a broader rule elsewhere in the rulebase — accounted for a median of 17% of the dataset. Unlike shadow rules, redundant rules do match traffic; they are simply unnecessary. Removing them is safe but requires confidence in the coverage analysis.
Finding 6: 8% of rules are disabled but never removed
Firewall engineers disable rules "temporarily" during troubleshooting. A median of 8% of rules were found disabled, with an average disabled-age of 2.4 years. Disabled rules inflate rule counts, confuse review processes, and occasionally get re-enabled years later with no understanding of why they were disabled in the first place.
Rule sprawl by vendor
| Vendor | Migrations | Median rules | Shadow | Unused 90d |
|---|---|---|---|---|
| Palo Alto | 95 | 1,612 | 9.4% | 28.1% |
| Fortinet | 62 | 1,903 | 11.7% | 32.6% |
| Check Point | 51 | 2,284 | 13.1% | 34.8% |
| Cisco ASA/FTD | 42 | 1,971 | 12.4% | 33.2% |
| Juniper SRX | 18 | 1,488 | 10.2% | 29.9% |
| Sophos / SonicWall / pfSense | 12 | 624 | 7.8% | 24.3% |
Vendor alone is a poor predictor of rule hygiene. Check Point rulebases were largest and most shadowed in the dataset, but this tracks with customer size (Check Point skewed heavily to financial services with older infrastructure) rather than a platform-specific weakness.
Post-migration: rulebases shrink 40% on average
Across the 219 migrations where we had both pre- and post-cleanup rule counts, the median rulebase shrank by 40.3% without any loss of required connectivity. Shadow rules, disabled rules, redundant rules, and rules with zero hits in 180 days were the cleanup candidates; application and business owners signed off before removal.
A 40% reduction is not a platform improvement — it is a governance improvement. The same rulebase, left in place, would have regrown within 18-24 months.
Methodology
- Rule export. Exports were taken directly from each vendor management plane (Panorama, FortiManager, Check Point SmartCenter, CSM/FMC, Junos Space) at the time of migration. Runtime rulesets were preferred over candidate configs.
- Normalization. Rules were normalized into a common schema: source, destination, service, action, log, name, description, status, last-hit. Vendor constructs like application overrides or user-ID were captured as metadata but excluded from shadow and redundancy analysis.
- Shadow detection. A rule was classified as shadowed if the union of all earlier rules with a compatible action fully covered its source, destination, and service tuple. Detection was deterministic, not statistical.
- Hit-count analysis. Where hit counts were retained (60% of migrations), rules with zero hits in the prior 90 days were flagged as unused. Where hit counts had been reset within 90 days, the migration was excluded from the unused-rule finding.
- Ownership tracing. Rules were matched against available change-ticket systems, request trackers, and rule descriptions. Unmatched rules were classified as ownerless.
- Aggregation. All figures are reported as medians across migrations, not simple averages across rules, to avoid weighting the dataset toward the handful of very large rulebases.
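The normalization, shadow, redundancy, hit-count, ownership and aggregation steps above, as an added Python example (not FwChange's code). Each rule is normalized into the common schema and expanded into (source, destination, service) integer boxes; shadow detection then tests exactly whether the union of all earlier rules with a compatible action covers the rule, and redundancy whether a single later, broader rule does. Reading "compatible action" as "same action", the ten sample rules, the CHG- ticket ids and the 90-day hit counts are all constructed assumptions.

```python
# Rulebase hygiene checks modelled on the methodology above (added example, not
# FwChange code). Shadow/redundancy tests use exact coverage of (src, dst, svc) boxes.
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import median

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}          # a box is (src, dst, svc), each an
ANY_NET, ANY_SVC = (0, 2 ** 32 - 1), (0, 256 * 65536 - 1)  # inclusive int range; svc = proto*65536 + port

def net_interval(spec):                    # "any" or a CIDR -> inclusive integer range
    if spec == "any": return ANY_NET
    n = ip_network(spec, strict=False)
    return int(n.network_address), int(n.broadcast_address)

def svc_interval(spec):                    # "any", "tcp/443" or "udp/1024-65535"
    if spec == "any": return ANY_SVC
    proto, ports = spec.split("/")
    lo, _, hi = ports.partition("-")
    return PROTO[proto] * 65536 + int(lo), PROTO[proto] * 65536 + int(hi or lo)

@dataclass
class Rule:                                # the common schema from the methodology
    name: str
    src: list
    dst: list
    svc: list
    action: str = "allow"
    enabled: bool = True
    hits_90d: int = 0
    owner: str = ""                        # ticket or requester; empty = ownerless
    def boxes(self):
        return [(net_interval(s), net_interval(d), svc_interval(v))
                for s in self.src for d in self.dst for v in self.svc]

def _overlaps(a, b):
    return all(max(x[0], y[0]) <= min(x[1], y[1]) for x, y in zip(a, b))

def _box_covered(box, cover):
    # Exact: clip the covering boxes to `box`, cut `box` along their edges, and test one
    # corner per elementary cell (each cell lies wholly inside or outside every clip).
    clipped = [tuple((max(a, x), min(b, y)) for (a, b), (x, y) in zip(c, box))
               for c in cover if _overlaps(c, box)]
    cuts = []
    for axis in range(3):
        pts = {box[axis][0]} | {p for c in clipped for p in (c[axis][0], c[axis][1] + 1)}
        cuts.append(sorted(p for p in pts if p <= box[axis][1]))
    return all(any(_overlaps(c, ((s, s), (d, d), (v, v))) for c in clipped)
               for s in cuts[0] for d in cuts[1] for v in cuts[2])

def covered_by(rule, others):
    cover = [b for o in others for b in o.boxes()]
    return all(_box_covered(b, cover) for b in rule.boxes())

def shadowed(rules, i):
    # Finding 1: the union of all earlier enabled rules with a compatible action covers
    # rule i, so it never matches. "Compatible" is read as "same action" (an assumption).
    return covered_by(rules[i], [o for o in rules[:i] if o.enabled and o.action == rules[i].action])

def redundant(rules, i):
    # Finding 5: a later, broader same-action rule covers rule i, and no rule in between
    # with a different action touches its traffic, so rule i matches but is unnecessary.
    r = rules[i]
    for j in range(i + 1, len(rules)):
        o, between = rules[j], [b for b in rules[i + 1:j] if b.enabled and b.action != r.action]
        if o.enabled and o.action == r.action and covered_by(r, [o]) and not any(
                _overlaps(x, y) for b in between for x in r.boxes() for y in b.boxes()):
            return True
    return False

def hygiene_report(rules):
    # Percentages of the whole rulebase, the way the findings above report them.
    n, live = len(rules), [(i, r) for i, r in enumerate(rules) if r.enabled]
    shadow = {i for i, _ in live if shadowed(rules, i)}
    redund = {i for i, _ in live if i not in shadow and redundant(rules, i)}
    pct = lambda k: round(100.0 * k / n, 1)
    return {"shadow_pct": pct(len(shadow)), "redundant_pct": pct(len(redund)),
            "unused_90d_pct": pct(sum(1 for _, r in live if r.hits_90d == 0)),
            "ownerless_pct": pct(sum(1 for r in rules if not r.owner)),
            "any_any_pct": pct(sum(1 for r in rules if any(net_interval(x) == ANY_NET for x in r.src + r.dst))),
            "disabled_pct": pct(n - len(live)),
            "shadow_rules": sorted(rules[i].name for i in shadow),
            "redundant_rules": sorted(rules[i].name for i in redund)}

def aggregate(reports):  # medians across migrations, per the aggregation step above
    return {k: median(r[k] for r in reports) for k in reports[0] if k.endswith("_pct")}

# Constructed ten-rule sample (not from the dataset); list order is the match order.
SAMPLE = [
    Rule("r1-web-a", ["10.0.0.0/8"], ["10.1.2.0/24"], ["tcp/8000-8050"], hits_90d=88000, owner="CHG-1001"),
    Rule("r2-web-b", ["10.0.0.0/8"], ["10.1.2.0/24"], ["tcp/8051-8100"], hits_90d=41000, owner="CHG-1001"),
    Rule("r3-web-wide", ["10.0.0.0/16"], ["10.1.2.10/32"], ["tcp/8000-8100"]),       # shadowed by r1+r2 jointly
    Rule("r4-web", ["10.0.0.0/8", "172.16.0.0/12"], ["10.1.2.0/24"], ["tcp/80", "tcp/443"], hits_90d=5200, owner="CHG-1002"),
    Rule("r5-web-old", ["10.0.0.0/16"], ["10.1.2.10/32"], ["tcp/443"]),                 # shadowed by r4 alone
    Rule("r6-legacy-sql", ["10.5.0.0/24"], ["10.9.0.0/24"], ["tcp/1433"], owner="bob@example.com"),  # owned, no hits
    Rule("r7-troubleshoot", ["any"], ["any"], ["any"], enabled=False),                 # disabled any-any, ownerless
    Rule("r8-app", ["10.2.0.0/24"], ["10.3.0.5/32"], ["tcp/8080"], hits_90d=50),        # redundant with r9
    Rule("r9-app-broad", ["10.2.0.0/16"], ["10.3.0.0/24"], ["tcp/8000-8100"], hits_90d=900, owner="CHG-1010"),
    Rule("r10-block-guest", ["192.168.100.0/24"], ["10.0.0.0/8"], ["any"], action="deny", hits_90d=300, owner="CHG-1011"),
]
```

Running `hygiene_report(SAMPLE)` flags r3 and r5 as shadow rules, r8 as redundant, r3/r5/r6 as unused and r7 as the disabled any-any rule. The r3 case is the one worth noticing: no single earlier rule covers its tcp/8000-8100 service range, so a pairwise "is there a broader earlier rule" check misses it, while the cell-splitting coverage test finds it because r1 and r2 together cover the whole range. Two design choices follow the page rather than the usual firewall-analysis literature: shadowing only considers earlier rules with the same action (dropping that filter also surfaces allows hidden behind an earlier, broader deny, the case that matters most during a migration), and a rule is only counted as redundant when no rule of a different action sits between it and the broader rule, which is the "confidence in the coverage analysis" the text asks for before removal. `aggregate` takes a list of per-migration reports and returns medians, matching the aggregation step.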
What this means for your rulebase
If your firewall has not been through a structured review in the past two years, you can expect — within a margin — roughly:
- 11% of rules will be shadow rules
- 31% of rules will have no hits in 90 days
- 62% of rules will have no identifiable owner
- 6% of rules will use any-any somewhere
- 8% of rules will be disabled but never removed
- A structured cleanup will shrink the rulebase by ~40%
These numbers are not targets. They are what happens in the absence of deliberate, ongoing rule governance. The goal of firewall change management is to keep each of them an order of magnitude lower.
Citing this dataset
Researchers, journalists, and vendors are welcome to cite these findings. Suggested citation: FwChange, “280 Firewall Migrations: The Dataset”, 2026, fwchange.com/blog/280-migrations-dataset-findings. Anonymized per-migration data is available to academic researchers under NDA; contact the FwChange team.
Benchmark Your Own Rulebase
FwChange imports your existing rulebase and flags shadow rules, redundant rules, unused rules, and ownership gaps — using the same detection logic behind this dataset. Free 14-day trial, no credit card.