The basic idea of firewall conflict detection

The basic idea of firewall conflict detection is to first detect all pairs of rules that conflict, and then have the firewall designer manually examine every pair of conflicting rules to decide whether the two rules need to be swapped or a new rule needs to be added. Similar to conflict detection, six types of so-called “anomalies” were defined in [Al-Shaer and Hamed (2003a,b, 2004)]. Examining each conflict or anomaly is helpful in reducing errors; however, the number of conflicts in a firewall is usually large, and manually checking each conflict or anomaly is unreliable because the meaning of each rule depends on the current order of the rules in the firewall, which may itself be incorrect.
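As an added illustration (not code from the original text or from the cited work), the following Python implements the pairwise conflict detection described above over a small constructed rule set and shows that, for a packet in the overlap of two conflicting rules, the decision depends only on rule order; the field names and the integer-abbreviated addresses are assumptions made for readability.

```python
# Added example: pairwise conflict detection over a constructed firewall.
# A rule maps each packet field to a closed integer range and carries a decision.
# Two rules conflict when their ranges overlap in every field but their decisions
# differ; which decision applies to that overlap is then fixed only by rule order
# (first-match semantics), which is why each conflict must be examined in context.
from itertools import combinations

FIELDS = ("src_ip", "dst_ip", "dst_port", "proto")  # assumed field names


def overlap(r1, r2):
    """Per-field intersection of two rules' ranges, or None if they are disjoint."""
    inter = {}
    for f in FIELDS:
        lo = max(r1[f][0], r2[f][0])
        hi = min(r1[f][1], r2[f][1])
        if lo > hi:
            return None
        inter[f] = (lo, hi)
    return inter


def find_conflicts(rules):
    """All index pairs (i, j), i < j, whose predicates overlap but decisions differ."""
    conflicts = []
    for (i, r1), (j, r2) in combinations(enumerate(rules), 2):
        if r1["decision"] != r2["decision"] and overlap(r1, r2) is not None:
            conflicts.append((i, j))
    return conflicts


def decide(rules, packet):
    """First-match semantics: the decision of the first rule the packet satisfies."""
    for r in rules:
        if all(r[f][0] <= packet[f] <= r[f][1] for f in FIELDS):
            return r["decision"]
    return "discard"  # constructed default for packets matching no rule


# Constructed rules; addresses are abbreviated to small integers, proto 6 = TCP.
ANY = (0, 2**32 - 1)
RULES = [
    {"src_ip": (10, 10), "dst_ip": ANY, "dst_port": (25, 25), "proto": (6, 6), "decision": "accept"},
    {"src_ip": (10, 20), "dst_ip": ANY, "dst_port": (0, 65535), "proto": (6, 6), "decision": "discard"},
    {"src_ip": ANY, "dst_ip": (99, 99), "dst_port": (80, 80), "proto": (6, 6), "decision": "accept"},
]

if __name__ == "__main__":
    print(find_conflicts(RULES))  # rule 1 conflicts with both rule 0 and rule 2
    pkt = {"src_ip": 10, "dst_ip": 99, "dst_port": 80, "proto": 6}
    print(decide(RULES, pkt), decide([RULES[2], RULES[0], RULES[1]], pkt))
```

Moving the web rule ahead of the discard rule flips the outcome for the same packet, which is exactly the order dependence that makes manual review of each conflict unreliable.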