Rule ID,Rule Name,Source Zone,Source IP,Destination Zone,Destination IP,Service/Port,Protocol,Action,Hit Count (90 days),Last Hit Date,Priority,Created Date,Owner,Description
FW-001,Legacy VPN Full Access,External,any,DMZ,10.1.0.0/16,any,TCP/UDP,permit,142893,2026-03-28,10,2019-04-12,jmorris,Legacy VPN access for remote workforce
FW-002,SSH Management Access,External,any,Internal,10.10.50.0/24,TCP/22,TCP,permit,4721,2026-04-01,5,2021-06-15,admin,SSH access to management network
FW-003,Web Server Public Access,External,any,DMZ,10.1.5.10,TCP/443,TCP,permit,2847562,2026-04-02,3,2022-01-10,swalker,HTTPS to production web server
FW-004,Database Backup Transfer,Internal,10.10.20.15,Internal,10.10.30.50,TCP/5432,TCP,permit,720,2026-04-01,15,2023-03-22,dba-team,Nightly PostgreSQL replication
FW-005,Old Contractor VPN,External,203.0.113.0/24,Internal,10.10.0.0/8,any,TCP/UDP,permit,0,2025-06-14,20,2020-09-01,jmorris,Contractor network access - Project Orion
FW-006,SIEM Log Ingestion,Internal,10.10.0.0/16,Internal,10.10.40.20,TCP/514;TCP/6514,TCP,permit,9847210,2026-04-02,8,2022-05-19,soc-team,Syslog forwarding to Splunk HEC
FW-007,Temp Debug Access,Internal,10.10.10.50,DMZ,10.1.5.10,TCP/8080;TCP/9090;TCP/3000,TCP,permit,0,2025-01-03,50,2024-11-15,bchoe,Temporary debug ports for incident IR-2024-0892
FW-008,All Internal Traffic,Internal,10.10.0.0/8,Internal,10.10.0.0/8,any,TCP/UDP/ICMP,permit,48291044,2026-04-02,100,2018-02-03,admin,Allow all internal-to-internal communication
FW-009,DNS Resolution,Internal,10.10.0.0/16,External,any,UDP/53;TCP/53,UDP/TCP,permit,15738291,2026-04-02,2,2019-01-15,netops,Internal DNS forwarding to external resolvers
FW-010,RDP Jump Box,External,any,Internal,10.10.50.100,TCP/3389,TCP,permit,892,2026-03-30,7,2022-08-20,admin,RDP access to jump box from internet
FW-011,SMTP Outbound,Internal,10.10.25.10,External,any,TCP/25;TCP/587,TCP,permit,34210,2026-04-01,12,2020-03-08,mail-admin,Outbound email relay
FW-012,Vendor API Access,External,198.51.100.0/24,DMZ,10.1.5.20,TCP/443,TCP,permit,0,2025-09-22,18,2021-11-30,procurement,Vendor integration API - AcmeCorp contract
FW-013,Dev Environment Full Access,Internal,10.10.60.0/24,Internal,10.10.0.0/8,any,TCP/UDP,permit,287430,2026-04-01,30,2023-01-05,dev-lead,Development subnet unrestricted internal access
FW-014,CrowdStrike Sensor Comms,Internal,10.10.0.0/16,External,ts01-gyr-maverick.cloudsink.net,TCP/443,TCP,permit,7429103,2026-04-02,4,2022-04-14,security-ops,CrowdStrike Falcon sensor cloud communications
FW-015,Blocked Crypto Mining Pools,any,any,External,185.220.101.0/24;94.130.12.0/24,TCP/3333;TCP/8333;TCP/45560,TCP,deny,4218,2026-03-29,1,2023-06-01,soc-team,Block known cryptomining pool destinations
FW-016,Legacy App Server,Internal,10.10.70.15,DMZ,10.1.2.30,TCP/8443,TCP,permit,12,2026-01-15,25,2019-07-22,appdev,Legacy inventory application server access
FW-017,Okta SSO Traffic,Internal,10.10.0.0/16,External,*.okta.com,TCP/443,TCP,permit,1923847,2026-04-02,3,2021-09-10,identity-team,Okta authentication and SSO
FW-018,Guest WiFi Isolation,Guest,172.16.0.0/12,External,any,TCP/80;TCP/443,TCP,permit,892104,2026-04-02,6,2022-02-14,netops,Guest network internet-only access
FW-019,MySQL Admin Wide Open,External,any,Internal,10.10.30.0/24,TCP/3306,TCP,permit,37,2026-03-25,15,2020-12-01,dba-team,MySQL admin access - was supposed to be temporary
FW-020,Backup to Cloud Storage,Internal,10.10.35.0/24,External,*.blob.core.windows.net,TCP/443,TCP,permit,4892,2026-04-01,10,2023-08-15,infra-team,Azure Blob backup uploads
FW-021,Monitoring Stack,Internal,10.10.40.0/24,Internal,10.10.0.0/16,TCP/9090;TCP/9093;TCP/3000;TCP/9100,TCP,permit,28471093,2026-04-02,5,2022-06-30,sre-team,Prometheus/Alertmanager/Grafana/Node-exporter
FW-022,Old Pen Test Access,External,192.0.2.0/24,Internal,10.10.0.0/8,any,TCP/UDP,permit,0,2024-08-15,40,2024-08-10,security-ops,Penetration testing firm access - Assessment Q3-2024
FW-023,Splunk Forwarder to Indexer,Internal,10.10.0.0/16,Internal,10.10.40.20,TCP/9997,TCP,permit,8921847,2026-04-02,4,2022-05-19,soc-team,Splunk universal forwarder to indexer
FW-024,ServiceNow Integration,Internal,10.10.25.30,External,*.service-now.com,TCP/443,TCP,permit,52841,2026-04-02,8,2023-02-28,itsm-team,ServiceNow API and webhook integration
FW-025,Palo Alto Panorama Mgmt,Internal,10.10.50.5,Internal,10.10.50.1,TCP/3978;TCP/28443,TCP,permit,94021,2026-04-02,3,2021-03-20,netops,Panorama management connectivity to firewall
FW-026,Web Server HTTP Redirect,External,any,DMZ,10.1.5.10,TCP/80,TCP,permit,1247831,2026-04-02,3,2022-01-10,swalker,HTTP to HTTPS redirect for production web server
FW-027,All Outbound Permit,Internal,10.10.0.0/8,External,any,any,TCP/UDP,permit,92481037,2026-04-02,99,2018-02-03,admin,Allow all outbound internet traffic
FW-028,NTP Sync,Internal,10.10.0.0/16,External,pool.ntp.org,UDP/123,UDP,permit,482910,2026-04-02,2,2019-01-15,netops,Network time synchronization
FW-029,Deprecated WAF Bypass,External,any,DMZ,10.1.5.10,TCP/8080,TCP,permit,0,2025-03-12,35,2023-09-05,swalker,WAF bypass for legacy load testing - should have been removed
FW-030,Default Deny All,any,any,any,any,any,any,deny,7482910,2026-04-02,999,2018-02-03,admin,Implicit deny all unmatched traffic
FW-031,Jira Cloud Access,Internal,10.10.0.0/16,External,*.atlassian.net,TCP/443,TCP,permit,382910,2026-04-02,8,2021-07-12,dev-lead,Jira and Confluence cloud access
FW-032,Internal DNS Servers,Internal,10.10.0.0/16,Internal,10.10.1.10;10.10.1.11,UDP/53;TCP/53,UDP/TCP,permit,29481023,2026-04-02,1,2019-01-15,netops,DNS queries to internal resolvers
FW-033,FTP Legacy File Transfer,Internal,10.10.70.15,External,203.0.113.50,TCP/20;TCP/21,TCP,permit,0,2025-04-10,22,2019-11-18,appdev,FTP to vendor for EDI file exchange - migrated to SFTP
FW-034,ICMP Monitoring,Internal,10.10.40.0/24,Internal,10.10.0.0/16,ICMP,ICMP,permit,18492710,2026-04-02,5,2022-06-30,sre-team,ICMP ping for uptime monitoring
FW-035,Dev to Prod Database,Internal,10.10.60.0/24,Internal,10.10.30.0/24,TCP/5432;TCP/3306,TCP,permit,2847,2026-03-28,20,2023-07-14,dev-lead,Developer access to production databases
FW-036,VirusTotal API,Internal,10.10.40.25,External,www.virustotal.com,TCP/443,TCP,permit,12841,2026-04-02,6,2023-04-10,soc-team,VirusTotal threat intel API lookups
FW-037,Telnet Legacy Device Mgmt,Internal,10.10.50.5,Internal,10.10.80.0/24,TCP/23,TCP,permit,3,2026-02-10,30,2018-06-15,netops,Telnet management to legacy switches - SSH migration incomplete
FW-038,WiFi to Internal Servers,Guest,172.16.0.0/12,Internal,10.10.0.0/16,any,TCP/UDP,permit,0,1970-01-01,50,2023-04-22,netops,Guest WiFi to internal - created in error and never removed
FW-039,CDN Origin Pull,External,104.16.0.0/12,DMZ,10.1.5.10,TCP/443,TCP,permit,5829104,2026-04-02,3,2022-03-15,swalker,Cloudflare origin pull to web server
FW-040,Log Archive to S3,Internal,10.10.40.20,External,*.s3.amazonaws.com,TCP/443,TCP,permit,8291,2026-04-01,10,2023-09-01,soc-team,Splunk log archival to AWS S3