analyze_firewall_rule_overlap
Analyze a candidate firewall rule against an existing ruleset to detect overlaps including duplicates, shadowed rules, and conflicts. Supports vendor-native configs or pre-normalized JSON input.
Instructions
Analyze whether a candidate firewall rule overlaps with an existing ruleset. Detects exact duplicates, shadowed rules, action conflicts, and partial overlaps. Two input modes: (1) vendor-native configs via vendor + ruleset_payload + candidate_rule_payload, or (2) pre-normalized JSON via existing_rules + candidate_rule. Use parse_policy first to inspect parser output before analysis.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| vendor | No | Vendor identifier. One of: "panos", "asa", "ftd", "ios", "iosxr", "checkpoint", "juniper", "junos", "sros", "fortios". Required for Mode 1 (vendor-native). | |
| os_version | No | Optional OS version string for parser selection. | |
| candidate_rule | No | Single normalized rule object (same schema as existing_rules elements). Example: {"id": "candidate", "position": 1, "action": "permit", "source_addresses": ["10.20.35.76/32"], "destination_addresses": ["172.16.20.0/24"], "services": [{"protocol": "tcp", "ports": "6379"}]}. Required for Mode 2. | |
| existing_rules | No | Array of normalized rule objects from parse_policy output. Each object: {"id": "rule_1", "position": 1, "action": "permit"|"deny", "source_addresses": ["10.0.0.0/8"], "destination_addresses": ["any"], "services": [{"protocol": "tcp", "ports": "443"}], "source_zones": ["any"], "destination_zones": ["any"], "applications": ["any"]}. Required for Mode 2. | |
| context_objects | No | Optional JSON string with supplemental object definitions (address groups, service objects). | |
| ruleset_payload | No | Complete firewall config in vendor-native text format (e.g. full 'show access-lists' output for IOS). Required for Mode 1. | |
| candidate_position | No | Optional 1-based intended insertion position of the candidate rule. | |
| candidate_rule_payload | No | Single candidate rule in vendor-native text format (e.g. one ACL line for IOS). Required for Mode 1. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||