Firewall Rule Splitter

Remove selected flows from SRC x DST x SERVICE and generate minimal resulting rules.

Privacy mode: Local. Inputs stay in your browser and are not sent to the server.

How data is handled now

  • The split calculation is performed in your browser in Offline mode.
  • Inputs are not sent to the server in Offline mode.
  • A local share link stores your inputs in the URL hash (#...). The hash is not sent to the server, but anyone holding the link can read it, so keep the link private.
  • If you switch to Server mode, inputs are sent to the server for processing and session handling.


A professional tool for safely splitting firewall rules and removing a specific network interaction without breaking other allowed traffic.

What This Tool Does

  • Expands a rule into Sources × Destinations × Services
  • Subtracts selected network flows mathematically
  • Rebuilds a minimal and safe set of new rules
  • Generates structured JSON for automation

Why It Matters

A single firewall rule may represent dozens of real network permissions. Editing it manually often leads to accidental over-permission or broken production traffic.

Why Editing One Firewall Rule Is Risky

In most NGFW systems, a single rule effectively equals:

Sources × Destinations × Services

For example: 2 sources × 2 destinations × 3 services = 12 allowed flows.

Common manual mistakes:
  • Removing a service globally instead of selectively
  • Adding deny rules that create policy conflicts
  • Creating unintended new permissions
  • Overcomplicating rule sets

How the Firewall Rule Splitter Works

The algorithm performs safe set subtraction:

ALLOW  = S × D × V
RESULT = ALLOW − REMOVE

Security Guarantee: The resulting rules are always a subset of the original rule. No new permissions are introduced.

Real-World Example

Original Rule

Sources: Office_LAN, IT_Admins

Destinations: App_Server, DB_Server

Services: tcp/80, tcp/443, tcp/3389

Remove: Office_LAN → DB_Server : tcp/3389

Result

  • Office_LAN → App_Server : 80,443,3389
  • Office_LAN → DB_Server : 80,443
  • IT_Admins → App_Server : 80,443,3389
  • IT_Admins → DB_Server : 80,443,3389

Smart Rule Optimization

The tool automatically selects the optimal grouping strategy:

  • Service-first grouping (group by service + destination)
  • Source-destination grouping (merge services per pair)

The strategy that produces fewer rules without compromising security is automatically chosen.
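The set subtraction, the worked example above and the two grouping strategies, carried through in code. This is an added example, not the tool's own engine: the rule model, function names and the merge step inside the service-first strategy (services that share a destination and an identical source set are folded into one rule) are assumptions. With that merge, the page's example rebuilds into 3 rules rather than the 4 shown in the Result list, and the check at the end confirms that either grouping covers exactly ALLOW − REMOVE.

```python
"""Set-subtraction rule splitter: an added, stand-alone example (not the tool's code).

A rule is modelled as (sources, destinations, services). Its meaning is the
Cartesian product S x D x V of individual flows; the splitter removes flows from
that product and rebuilds rules from what remains, so the result can never
permit a flow the original rule did not.
"""
from itertools import product


def expand(rule):
    """ALLOW = S x D x V: every individual (src, dst, svc) flow the rule permits."""
    sources, destinations, services = rule
    return set(product(sources, destinations, services))


def subtract(rule, remove):
    """RESULT = ALLOW - REMOVE. Flows not present in ALLOW are simply ignored."""
    return expand(rule) - set(remove)


def group_src_dst(flows):
    """Source-destination grouping: one rule per (src, dst) pair, services merged."""
    by_pair = {}
    for src, dst, svc in flows:
        by_pair.setdefault((src, dst), set()).add(svc)
    return [(frozenset([s]), frozenset([d]), frozenset(v))
            for (s, d), v in sorted(by_pair.items())]


def group_service_first(flows):
    """Service-first grouping: collect the source set per (dst, svc), then merge
    services that share a destination and an identical source set into one rule.
    (The merge step is an assumption about the tool; it keeps the product exact.)"""
    by_dst_svc = {}
    for src, dst, svc in flows:
        by_dst_svc.setdefault((dst, svc), set()).add(src)
    merged = {}
    for (dst, svc), srcs in by_dst_svc.items():
        merged.setdefault((dst, frozenset(srcs)), set()).add(svc)
    ordered = sorted(merged.items(), key=lambda kv: (kv[0][0], sorted(kv[0][1])))
    return [(srcs, frozenset([dst]), frozenset(svcs)) for (dst, srcs), svcs in ordered]


def rules_cover_exactly(rules, wanted):
    """Security guarantee check: the union of the rebuilt rules must equal
    ALLOW - REMOVE exactly (no new permissions, no lost ones)."""
    covered = set()
    for r in rules:
        covered |= expand(r)
    return covered == wanted


def split(rule, remove):
    """Remove the flows and return whichever grouping yields fewer rules
    (ties go to source-destination grouping)."""
    wanted = subtract(rule, remove)
    best = min((group_src_dst(wanted), group_service_first(wanted)), key=len)
    if not rules_cover_exactly(best, wanted):
        raise AssertionError("rebuilt rules do not equal ALLOW - REMOVE")
    return best


# The page's worked example: 2 sources x 2 destinations x 3 services = 12 flows.
ORIGINAL = (frozenset({"Office_LAN", "IT_Admins"}),
            frozenset({"App_Server", "DB_Server"}),
            frozenset({"tcp/80", "tcp/443", "tcp/3389"}))
REMOVE = [("Office_LAN", "DB_Server", "tcp/3389")]

if __name__ == "__main__":
    for srcs, dsts, svcs in split(ORIGINAL, REMOVE):
        print(",".join(sorted(srcs)), "->", ",".join(sorted(dsts)),
              ":", ",".join(sorted(svcs)))
```

Because every rebuilt rule is itself a Cartesian product, the only way a grouping can be wrong is by covering a flow outside ALLOW − REMOVE or by dropping one; `rules_cover_exactly` catches both, which is the check worth keeping in any pipeline that pushes the generated rules to a firewall.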

Supported Input Formats

  • IPv4 addresses
  • CIDR networks
  • any
  • tcp/443, udp/53
  • Port ranges (tcp/1000-2000)
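A normaliser for exactly the input forms listed above, added here as an example and not the tool's own parser. The regular expression, the rejection of port 0 and the choice to map `any` to 0.0.0.0/32-style network objects (here `0.0.0.0/0`) are assumptions. Set subtraction over tokens requires a removed flow to name the service exactly as the rule does, so normalising first prevents mismatches caused by case or whitespace, and strict CIDR parsing rejects host bits inside a prefix, the typo that would otherwise silently widen a rule.

```python
"""Input-token normaliser for the splitter's supported formats: an added example,
not the tool's own parser. It accepts exactly the listed forms (IPv4 host, CIDR,
'any', proto/port, proto/port-range) and rejects anything else with a reason."""
import ipaddress
import re

# proto/port or proto/low-high, matched after lower-casing and stripping whitespace.
SERVICE_RE = re.compile(r"^(tcp|udp)/(\d{1,5})(?:-(\d{1,5}))?$")


def parse_address(token):
    """'any', an IPv4 host or an IPv4 CIDR -> ipaddress.IPv4Network ('any' -> 0.0.0.0/0)."""
    token = token.strip()
    if token.lower() == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    # strict=True rejects host bits set inside a prefix (e.g. 10.0.0.5/24),
    # the usual sign of a typo that would silently widen the rule.
    net = ipaddress.ip_network(token, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"IPv4 only: {token}")
    return net


def parse_service(token):
    """'tcp/443', 'udp/53' or 'tcp/1000-2000' -> (proto, low, high), ports inclusive."""
    m = SERVICE_RE.match(token.strip().lower())
    if not m:
        raise ValueError(f"unsupported service token: {token}")
    proto, low = m.group(1), int(m.group(2))
    high = int(m.group(3)) if m.group(3) else low
    # Port 0 is rejected here as an assumption; adjust if your vendor permits it.
    if not 0 < low <= high <= 65535:
        raise ValueError(f"port out of range or inverted range: {token}")
    return proto, low, high


def normalise_rule(sources, destinations, services):
    """Normalise all three token lists, collecting every error rather than stopping
    at the first. Returns ((sources, destinations, services), errors)."""
    plan = ((sources, parse_address), (destinations, parse_address), (services, parse_service))
    out, errors = ([], [], []), []
    for column, (tokens, parse) in zip(out, plan):
        for tok in tokens:
            try:
                column.append(parse(tok))
            except ValueError as exc:
                errors.append(str(exc))
    return out, errors


if __name__ == "__main__":
    # Constructed sample input: one valid rule and one with three distinct mistakes.
    print(normalise_rule(["Office_LAN" if False else "10.10.0.0/24"], ["any"], ["tcp/443"]))
    print(normalise_rule(["10.0.0.5/24"], ["10.1.2.3"], ["tcp/2000-1000", "icmp"])[1])
```

Collecting all errors instead of failing on the first one matters in practice: a rule pasted from a vendor export often has several malformed tokens, and an operator fixing them one reload at a time tends to stop checking carefully.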

JSON Output for Automation

{
  "schema_version": "1.0",
  "engine_version": "1.0",
  "rules": [...],
  "removed_flows": [...]
}

This enables:

  • Integration with Ansible and Python
  • Git version control for firewall changes
  • Future export to UserGate and ViPNet
  • CI/CD policy management

Who Should Use This Tool?

  • Network engineers
  • Security administrators
  • DevOps teams
  • NGFW integrators
  • UserGate and ViPNet administrators

Safely modify your firewall policies

Use Firewall Rule Splitter to eliminate manual risk and prepare your infrastructure for future automation and SaaS integration.