Recommending a security policy to a firewall, includes receiving a request from a firewall for a recommendation as to whether the firewall should allow or block a detected present communication for which the firewall does not have an existing security policy. Information about past blocked and allowed communications at other firewalls on a network is searched to identify past communications that are similar to the present communication. The identified past communications are assigned a respective positive or negative vote. A positive vote indicates a past communication was allowed and a negative vote indicates a past communication was not allowed. A positive recommendation is sent to the requesting firewall to allow the present communication if the positive votes outnumber the negative votes, and a negative recommendation is sent to the requesting firewall to block the present communication if the negative votes outnumber the positive votes.