Re: Advice on an organized ruleset

What business are you in, and if you're in the US, are you a public company? Regulatory constraints can tell you just how particular you have to be.

Scan the rulebase and eliminate as many uses of "any" in the source, destination and service cells as you can, and forbid people from using it. It's one of the biggest places to make a serious mistake.

Rules *should* be organized by usage, with higher-usage rules at the top to assure maximum performance. I actually have methods other than this one, though:

Group rules by source when a source has access to a lot of destinations. That way you can tell who is going to what.

Group rules by destination when a destination has a lot of sources. That way you can tell what is getting hit a lot.

Group all DMZ rules for a particular DMZ together.

Group all "source Internet" rules together.

Use section titles to define what each grouping is for; it makes it a lot easier to keep track of them.

>> Are we being too granular by worrying about Client A accessing Server B when they might not have any actual need to do so?

No, you are not. Default deny is always the best approach, and you never know who is going to turn malicious.

250 is a lot of rules for only 150 servers. Try moving them around to group like sources or like destinations together and then look at them that way. You'll undoubtedly find there are a lot that you can combine. When you do combine them, disable the old ones but leave them in place for a couple of weeks, just in case.

HTH,
Ray
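The review Ray describes (hunt down "any" in allow rules, regroup by source or destination, spot rules that can be combined, then retire the originals as disabled rather than deleted) is mechanical enough to script against an exported rulebase. The following is an added example written for this page, not code from the original post or from any firewall vendor; the five-column rule tuple, the sample rulebase, and the group naming are constructed assumptions, and a real export would be parsed into the same shape first.

```python
"""Audit a flat firewall rulebase for "any" usage and consolidation candidates.

Added example, not part of the original post. Rule tuple layout is an assumption:
(name, source, destination, service, action).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str, str]

# Constructed sample rulebase. The trailing deny-all is the intentional
# default-deny cleanup rule, so "any" is only audited in allow rules.
RULES: List[Rule] = [
    ("r1", "10.1.0.0/24", "10.9.0.10", "tcp/443", "allow"),
    ("r2", "10.1.0.0/24", "10.9.0.11", "tcp/443", "allow"),
    ("r3", "any",         "10.9.0.10", "tcp/22",  "allow"),
    ("r4", "10.2.0.5",    "10.9.0.10", "any",     "allow"),
    ("r5", "Internet",    "10.9.0.20", "tcp/80",  "allow"),
    ("r6", "10.1.0.0/24", "10.9.0.12", "tcp/443", "allow"),
    ("r7", "any",         "any",       "any",     "deny"),
]

FIELDS = ("source", "destination", "service")


def find_any_usage(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, cell) for every 'any' in an allow rule's source, destination or service."""
    hits = []
    for name, src, dst, svc, action in rules:
        if action != "allow":
            continue
        for field, value in zip(FIELDS, (src, dst, svc)):
            if value.lower() == "any":
                hits.append((name, field))
    return hits


def group_by(rules: List[Rule], field: str) -> Dict[str, List[str]]:
    """Group rule names by one cell so the rulebase can be read 'by source' or 'by destination'."""
    idx = FIELDS.index(field) + 1  # +1 skips the name column
    groups: Dict[str, List[str]] = defaultdict(list)
    for rule in rules:
        groups[rule[idx]].append(rule[0])
    return dict(groups)


def merge_candidates(rules: List[Rule], shared: str) -> Dict[Tuple[str, str, str], List[str]]:
    """Allow rules that agree on `shared` ('source' or 'destination') plus service and action.

    Each group differs only in the other endpoint cell, so it can collapse to one rule
    whose varying cell is a group object.
    """
    if shared not in ("source", "destination"):
        raise ValueError("shared must be 'source' or 'destination'")
    groups: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for name, src, dst, svc, action in rules:
        if action != "allow":
            continue
        key = (src if shared == "source" else dst, svc, action)
        groups[key].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def consolidate(rules: List[Rule], shared: str) -> Tuple[List[Rule], Set[str]]:
    """Build one merged rule per candidate group and name the originals to disable.

    The originals are returned as a set to *disable*, not delete, matching the advice
    to leave them in place for a while. 'grp_' names and '+'-joined members are
    constructed placeholders for a real group object.
    """
    merged: List[Rule] = []
    disabled: Set[str] = set()
    for (anchor, svc, action), names in merge_candidates(rules, shared).items():
        members = [r for r in rules if r[0] in names]
        varying = sorted({r[2] if shared == "source" else r[1] for r in members})
        grp = "grp_" + "_".join(names)
        if shared == "source":
            merged.append((grp, anchor, "+".join(varying), svc, action))
        else:
            merged.append((grp, "+".join(varying), anchor, svc, action))
        disabled.update(names)
    return merged, disabled


if __name__ == "__main__":
    for name, field in find_any_usage(RULES):
        print(f"'any' in {field}: {name}")
    for key, names in merge_candidates(RULES, "source").items():
        print(f"combine by source {key[0]} / {key[1]}: {', '.join(names)}")
    new_rules, to_disable = consolidate(RULES, "source")
    print("add:", new_rules)
    print("disable (keep in place):", sorted(to_disable))
```

On the sample rulebase this flags r3 (source any) and r4 (service any), and finds that r1, r2 and r6 share a source and service and can become one rule with a three-member destination group, with the three originals marked disabled rather than removed. Running `group_by(RULES, "destination")` gives the "what is getting hit a lot" view: 10.9.0.10 appears in three rules.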