System, method and program product for managing a security policy of a firewall. The firewall receives a message packet addressed to a specified port of a destination IP address and determines that the firewall does not have a message flow rule which permits passing of the message packet to the port. The port is tested to determine if the port is open. If so, an administrator is queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. If not, an administrator is not queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. There may be first and second firewalls located between the source IP address and destination IP address. Before the port is tested, a central database is checked to learn if the central database has a record of whether the first firewall should have a message flow rule which permits passing of the message packet to the port. If not, and the port is found to be open, the central database is updated to indicate that both the first and second firewalls should have a message flow rule which permits passing of the message packet to the port. Also, the security policy of the first firewall is updated with a message flow rule which permits passing of the message packet to the port. The second firewall is not updated until it encounters a message packet addressed to the port.