Firewall Change Validation with AI Agents
Every firewall rule change simulated against real traffic patterns before it ships, using Batfish and your production flow logs.
The problem today
A change to a firewall rule looks harmless in isolation: 'remove this one allow rule, it's been there since 2019 and nobody remembers why'. You push it. At 03:17 a batch job fails because it was the only thing still using that path. The person who added the rule left the company. The runbook doesn't mention it. The rollback is easy; the trust lost with the finance team over the failed batch is not.
How AI agents solve it
The Network Validation Agent cross-references the proposed firewall change against your actual VPC flow logs from the last 30 days. If any real traffic matched the rule you're removing, the agent flags it with the source, destination, and last-seen time. The Security Agent then checks whether the traffic was legitimate or should have been blocked anyway, so you know if the rule was load-bearing or dead.
Who this is for: Network security engineers managing firewall rulesets across hybrid environments
Manual workflow vs. Network Validation Agent
Manual workflow
- Firewall rules changed based on comments and tribal knowledge
- Rules removed that 'nobody remembers why they exist'
- Breakage discovered when a batch job or cron fails hours later
- Original rule author has left the company
- Rollback is fast; trust with affected teams is slow to rebuild
With the Network Validation Agent
- Every rule change validated against 30 days of real flow logs
- Evidence-based decisions: real traffic, real timestamps
- Load-bearing rules protected even without their original author
- Dead rules confidently removed with supporting data
- Zero 'nobody remembers why' postmortems
How the Network Validation Agent runs this
1. Network Validation Agent intercepts every firewall rule PR
2. Load VPC flow logs / firewall audit logs from the last 30 days
3. Simulate the proposed change against the historical traffic
4. Flag any traffic that would now be blocked (source, destination, service)
5. Security Agent classifies each flagged flow as legitimate or shouldn't-have-matched
6. Generate a PR comment with the evidence: real traffic, real timestamps
7. Block merge if legitimate traffic would break; allow with rationale if not
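The core of steps 2 to 4 is a differential replay: every historical flow is evaluated against the current and the proposed ruleset, and any flow whose verdict flips from allow to deny is reported with its endpoints, service and last-seen time. The example below is added here to illustrate that logic; it is not Structura's code and does not use Batfish. It assumes a simplified first-match ruleset model and a constructed flow-log sample in which the "since 2019" rule (`legacy-batch-2019`) is the one the change proposes to delete.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range

def evaluate(rules, flow):
    """First-match evaluation (assumed semantics); unmatched flows hit the implicit deny."""
    for r in rules:
        if (ip_address(flow["src"]) in ip_network(r.src)
                and ip_address(flow["dst"]) in ip_network(r.dst)
                and r.proto in ("any", flow["proto"])
                and r.ports[0] <= flow["dport"] <= r.ports[1]):
            return r.action, r.name
    return "deny", "implicit-deny"

def newly_blocked(current, proposed, flows):
    """Flows allowed by `current` but denied by `proposed`: hit count, last seen, blocking rule."""
    flagged = {}
    for f in flows:
        before, _ = evaluate(current, f)
        after, hit = evaluate(proposed, f)
        if before == "allow" and after == "deny":
            key = (f["src"], f["dst"], f["proto"], f["dport"])
            rec = flagged.setdefault(key, {"count": 0, "last_seen": "", "blocked_by": hit})
            rec["count"] += 1
            rec["last_seen"] = max(rec["last_seen"], f["ts"])  # ISO-8601 strings sort lexically
    return flagged

# Constructed ruleset: the change under review deletes LEGACY_BATCH, exposing the later deny.
LEGACY_BATCH = Rule("legacy-batch-2019", "allow", "10.20.0.0/24", "10.30.5.10/32", "tcp", (1433, 1433))
CURRENT = [
    LEGACY_BATCH,
    Rule("web-to-app", "allow", "10.10.0.0/16", "10.30.0.0/16", "tcp", (443, 443)),
    Rule("deny-all-db", "deny", "0.0.0.0/0", "10.30.5.0/24", "any", (0, 65535)),
]
PROPOSED = [r for r in CURRENT if r is not LEGACY_BATCH]

# Constructed flow-log sample (the real input would be 30 days of VPC flow logs).
FLOWS = [
    {"ts": "2024-05-01T03:17:02Z", "src": "10.20.0.7", "dst": "10.30.5.10", "proto": "tcp", "dport": 1433},
    {"ts": "2024-05-08T03:17:05Z", "src": "10.20.0.7", "dst": "10.30.5.10", "proto": "tcp", "dport": 1433},
    {"ts": "2024-05-09T10:00:00Z", "src": "10.10.4.2", "dst": "10.30.9.9", "proto": "tcp", "dport": 443},
    {"ts": "2024-05-09T11:00:00Z", "src": "10.20.0.9", "dst": "10.30.5.10", "proto": "tcp", "dport": 22},
]
```

Running `newly_blocked(CURRENT, PROPOSED, FLOWS)` flags only the 1433 batch flow (two hits, last seen at the 03:17 run on 2024-05-08, now caught by `deny-all-db`); the 443 flow is still allowed and the port 22 flow was already denied, so neither is reported.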
Measurable impact
Eliminates firewall-change-caused outages from load-bearing dead rules
Reduces firewall rule bloat by confidently removing dead rules
Builds evidence-based change decisions that survive team turnover
Cuts firewall PR review time by replacing speculation with data
Governed by the AI Gateway
Every agent action in this use case is audited, policy-checked, and cost-tracked
Structura's AI Gateway sits between every agent and the underlying LLM providers. Every decision made during this use case, every plan review, every policy check and every fix PR, is routed through guardrails, logged to an immutable audit trail, and evaluated against NIST AI RMF and AIUC-1 controls.