Policy analysis automatically scans your access control policies to identify invalid, redundant, risky, and misconfigured rules—before they become security incidents. Security administrators managing hundreds or thousands of policies can use this feature to detect problems systematically rather than through manual review.
Supported editions
Policy analysis is free for all Cloud Firewall editions. The following table shows the policy limit and covered borders per edition.
| Edition | Policy limit | Covered borders |
|---|---|---|
| Pay-As-You-Go | 2,000 | Internet Border, VPC Border, NAT Border, address books |
| Premium | 3,000 | Internet Border, NAT Border, address books |
| Enterprise | 5,000 | Internet Border, VPC Border, NAT Border, address books |
| Ultimate | 10,000 | Internet Border, VPC Border, NAT Border, address books |
The Premium Edition does not include VPC Border analysis.
What policy analysis detects
Each check item identifies a specific class of policy problem and the security risk it introduces if left unresolved.
| Check item | What it finds | Security risk if unresolved |
|---|---|---|
| Policies with no traffic hits | Rules that have never matched any traffic | Unused rules consume your specification quota and add noise to the policy list, obscuring real coverage gaps |
| Invalid policies (same source and destination) | Rules where source and destination are identical | These rules can never match real traffic and silently waste quota |
| Duplicate or redundant policies | Rules that fully overlap with higher-priority rules | Shadowed rules are never evaluated, creating a false sense of coverage |
| Business conflict policies | Rules that contradict each other | Conflicting rules produce unpredictable allow/deny decisions |
| Default policies not set to deny-all | Default rules that permit traffic instead of blocking it | Any traffic not matched by an explicit rule is allowed, expanding your attack surface |
| Risky policies allowing traffic on high-risk ports | Rules that permit inbound or outbound access on ports commonly targeted by attackers | Open high-risk ports increase exposure to known attack vectors and lateral movement |
| Control policies that are too loose | Overly broad rules that allow more traffic than necessary | Over-provisioned rules increase the blast radius of a compromise |
How specification usage is calculated
The number of specifications consumed by a policy analysis run is:
(Number of access control policies + Number of address books) × Number of check items
The Duplicate, Overlap, or Disperse IP Address Book check item does not support ECS tag-based address books, so those books are not counted. For example, if you have 10 IP address books and 5 ECS tag-based address books for IPv4, this check item consumes 10 × 1 = 10 specifications, because only the 10 IP address books are counted.
View specification usage
The Policy Analysis page shows your total policies checked, remaining quota, risks pending action, and a breakdown of risk types by border.

Run a policy analysis check
Cloud Firewall checks access control policies for the Internet Border, NAT Border, VPC Border, and address books.
Log on to the Cloud Firewall console.
In the left navigation pane, choose Prevention Configuration > Policy Optimizer.
On the Policy Analysis page, find the check item you want to run and click Check in the Operation column.

In the confirmation dialog box, click OK.
After the check completes, results appear on the Check Item Details page.
Review and resolve check results
Find a completed check item and click Details in the Operation column.
On the Check Item Details page, review the list of non-compliant policies.

For each non-compliant policy, decide whether it is intentional or needs correction:
If the policy is intentional, click Ignore. The policy will not be checked again.
If the policy needs correction, update it based on the suggestions, then click Handle to mark it as resolved.