// POLICY ANALYZER

See what your firewalls actually allow.

The SAMURAI Policy Analyzer is a self-hosted firewall policy analysis tool that resolves the effective permitted space across your rule base: not what a rule says, but what traffic really gets through once objects, groups, and NAT are resolved. It flags shadowed, redundant, and overly broad rules, scores every rule by exposure, and does it in one canonical model across Palo Alto, Cisco FTD, FortiGate, Juniper SRX, and Cisco ACI. Configuration analysis on real device data, not traffic logs.

Updated July 2026

What the Policy Analyzer computes

Effective access

End-to-end permitted space computed across the whole rule set, with address and service objects expanded recursively and NAT resolved, so you see what is really reachable.

Shadowed rule detection

Rules that can never match because an earlier rule already covers their traffic. Dead weight that hides intent and fails audits, surfaced automatically.

Redundant rule detection

Rules whose effect is already delivered by another rule. Removing them shrinks the rule base without changing what the firewall permits.

Overly broad rule detection

Any-any sources, wide CIDR ranges, and service "any" entries flagged so the widest-open rules are visible before an auditor finds them.

Per-rule risk scoring

Every rule ranked by exposure, so a 2,000-rule cleanup starts with the ten rules that matter instead of row one.

One model across vendors

Palo Alto, Cisco FTD, FortiGate, Juniper SRX, and ACI contracts normalized into a canonical policy view, analyzed with the same logic.

Policy analysis vs policy management

AlgoSec, Tufin, and FireMon are policy-management suites: recertification campaigns, approval workflows, change orchestration. The SAMURAI Policy Analyzer matches them on the analysis itself and lives inside a platform that also covers the routers, switches, fabrics, and hypervisors around your firewalls.

Analysis

SAMURAI Policy Analyzer

Effective access, shadowed/redundant/overly-broad detection, per-rule risk scoring

Policy management suites

Comparable analysis, plus usage-based cleanup from traffic hit counts

Workflows

SAMURAI Policy Analyzer

Not our focus: no recertification campaigns or approval orchestration

Policy management suites

Their core strength: rule lifecycle, approvals, provisioning

Scope

SAMURAI Policy Analyzer

Firewalls plus routers, switches, ACI fabrics, ISE, and vCenter in one view

Policy management suites

Firewall-centric

Deployment

SAMURAI Policy Analyzer

Single self-hosted Docker container, air-gap friendly, serving data in about five minutes

Policy management suites

Enterprise appliance or SaaS rollout

We'd rather be honest: if you need recertification campaigns and approval workflows, the policy suites earn their price. If you need to know what your firewalls actually allow, which rules are dead weight, and which are dangerously wide, self-hosted and across every vendor, that is what the Policy Analyzer is built for.

Frequently asked questions

What is a firewall policy analyzer?

A firewall policy analyzer reads firewall configuration (rules, objects, NAT) and computes what the rule base actually permits, then flags problems: shadowed rules that can never match, redundant rules that duplicate others, and overly broad rules that expose more than intended. It works from configuration state, unlike log analyzers, which work from traffic records.

What is a shadowed firewall rule?

A shadowed rule is one that can never match traffic because an earlier rule in the evaluation order already matches everything the shadowed rule would. Shadowed rules are dead configuration: they hide intent, confuse audits, and accumulate silently as rule bases grow. SAMURAI detects them automatically across the whole rule set.

What is a redundant firewall rule?

A redundant rule duplicates the effect of another rule: removing it would not change what the firewall permits or denies. Redundant rules bloat the rule base and make every audit slower. SAMURAI flags them so cleanup is a review task, not an archaeology project.

What does "effective access" mean?

Effective access is the set of traffic a rule base really permits end to end, computed with address and service objects expanded recursively and NAT resolved. A rule that says "web-servers to db-group" tells you nothing until the objects resolve; effective access tells you the actual IPs, protocols, and ports that get through.

Which firewalls does the Policy Analyzer support?

Palo Alto Networks (PAN-OS), Cisco Secure Firewall (FTD), Fortinet FortiGate (FortiOS), Juniper SRX (Junos OS), and Cisco ACI contracts, all normalized into one canonical policy model and analyzed with the same logic.

Does it use traffic logs or hit counts?

No. The Policy Analyzer works entirely from configuration state read over native APIs and SSH. That means it finds structural problems (shadowing, redundancy, over-breadth, risk) without needing log retention. What it does not do is usage-based cleanup ("this rule had zero hits in 90 days"), which requires traffic hit counts; dedicated policy suites cover that.

Does SAMURAI do firewall rule recertification?

No. Recertification campaigns, rule-owner attestation, and approval workflows are the domain of policy-management suites like AlgoSec, Tufin, and FireMon. SAMURAI gives you the analysis those workflows consume: effective access, hygiene findings, risk ranking, and a change timeline with admin attribution.

Can I try it on my own firewalls for free?

Yes. A free test license ships with the SAMURAI Docker image on Docker Hub, no email required. One docker run on a VM that can reach your firewalls, and the Policy Analyzer runs against your real rule base.

Find out what your rule base really permits.

Request a demoExplore the platform