https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219818#M36624 <P>Depends on the audit. Both ways are good in my opinion.</P> <P>Clean them up makes the rulebase more clean and better overview.&nbsp;</P> <P>Also it is in general recommended to remove 0 hit or disabled rules and clean them up.</P> <P>But on the other side if traffic has been allowed in the past and you have to show the rule that allowed the traffic you need to still have it.&nbsp;</P> <P>You can put the expired time rules within a special section title. Then at least you have them in one spot and with one click you can hide them.&nbsp;</P> <P>Some audits require you to keep data for years so it all depends in the audit.&nbsp;</P> <P>Btw audits go hand in hand with the compliance blade. With this blade you can select certain ISO etc's you want to reflect and it will check the firewall setup. Most of them show that you have to clean disabled and 0 hit rules.&nbsp;</P> Fri, 05 Jul 2024 21:05:58 GMT Lesley 2024-07-05T21:05:58Z https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219695#M36604 <P>Hi All,</P><P>I'm interested in learning best practices for handling time-based firewall rules. In a scenario where a rule is set to automatically expire after a specific timeframe (e.g., 3 days), what's the recommended approach: deleting the rule or keeping it for audit purposes?</P><P>Thanks</P> Thu, 04 Jul 2024 11:23:15 GMT https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219695#M36604 Ihenock1011 2024-07-04T11:23:15Z https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219698#M36605 <P>I always advise people to disable it for the time being and push policy, so that way if audit happens, at least its there, but not active. Then, you can delete it afterwards.</P> <P>Andy</P> Thu, 04 Jul 2024 11:57:09 GMT https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219698#M36605 the_rock 2024-07-04T11:57:09Z https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219818#M36624 <P>Depends on the audit. Both ways are good in my opinion.</P> <P>Clean them up makes the rulebase more clean and better overview.&nbsp;</P> <P>Also it is in general recommended to remove 0 hit or disabled rules and clean them up.</P> <P>But on the other side if traffic has been allowed in the past and you have to show the rule that allowed the traffic you need to still have it.&nbsp;</P> <P>You can put the expired time rules within a special section title. Then at least you have them in one spot and with one click you can hide them.&nbsp;</P> <P>Some audits require you to keep data for years so it all depends in the audit.&nbsp;</P> <P>Btw audits go hand in hand with the compliance blade. With this blade you can select certain ISO etc's you want to reflect and it will check the firewall setup. Most of them show that you have to clean disabled and 0 hit rules.&nbsp;</P> Fri, 05 Jul 2024 21:05:58 GMT https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219818#M36624 Lesley 2024-07-05T21:05:58Z https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219839#M36625 <P>All valid points.</P> Sat, 06 Jul 2024 12:28:17 GMT https://community.checkpoint.com/t5/General-Topics/Best-Practice-for-Expired-rule/m-p/219839#M36625 the_rock 2024-07-06T12:28:17Z