Use of artificial intelligence techniques to identify possible inadvertent data disclosures in emails
US-2024422114-A1 · Dec 19, 2024 · US
US11516182B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11516182-B2 |
| Application number | US-202016845771-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 10, 2020 |
| Priority date | Apr 10, 2019 |
| Publication date | Nov 29, 2022 |
| Grant date | Nov 29, 2022 |
Official abstract text for this publication.
A firewall intelligence system, includes a data storage storing a set of firewall rules for a network; a recommendation engine that receives, from a log service, traffic logs detailing traffic for the network and firewall logs detailing the usage of firewall rules in response to the traffic for the network, accesses, from the data storage, the set of firewall rules for the network; processes the set of firewall rules to evaluate the firewall rules against a set of quantitative evaluation rules to determine one or more firewall rule recommendations, wherein each firewall rule recommendation is a recommendation to change at least one of the firewall rules in the set of firewall rules; and a front end API that provides data describing the one or more firewall rule recommendations to a user device.
Opening claim text (preview).
What is claimed is:

1. A system, comprising: a data storage storing a set of firewall rules for a network; a recommendation engine that: receives, from a log service, traffic logs detailing traffic for the network and firewall logs detailing usage of the set of firewall rules in response to the traffic for the network; accesses, from the data storage, the set of firewall rules for the network; processes the set of firewall rules to evaluate the firewall rules against a set of quantitative evaluation rules to determine one or more firewall rule recommendations, wherein each firewall rule recommendation is a recommendation to change at least one of the firewall rules in the set of firewall rules; and a front end API that provides data describing the one or more firewall rule recommendations to a user device, wherein the recommendation engine comprises a machine learned recommendation engine that: predicts a likelihood of at least one firewall rule of the set of firewall rules being hit during a future time period; and generates, in response to the likelihood, at least one of the one or more firewall rule recommendations.

2. The system of claim 1, further comprising a network modeling engine and wherein the recommendation engine determines, based on the network modeling engine, whether the set of firewall rules preclude traffic flow from at least a pair of endpoints.

3. The system of claim 1, further comprising a network modeling engine that performs a static analysis of endpoints in the network, the static analysis comprising: determining endpoints within the network based on network data; generating synthetic traffic for each endpoint; for each endpoint, determining firewall rules that apply to the endpoint and that are hit in response to the synthetic traffic; and logging each hit of a firewall rule in response to the synthetic traffic.

4. The system of claim 3, wherein generating synthetic traffic for each endpoint includes generating synthetic traffic between endpoint pairs in the network.

5. The system of claim 1, further comprising a network modeling engine that performs a dynamic analysis of endpoints in the network, the dynamic analysis comprising: determining endpoints within the network based on network data; access a network traffic log that logs historical network traffic for the network and replaying the historical network traffic against the firewall rules; for each endpoint, determining firewall rules that apply to the endpoint and that are hit in response to the replay of the historical network traffic; and logging each hit of a firewall rule in response to the reply of the historical network traffic.

6. The system of claim 1, wherein determining the one or more firewall rule recommendations comprises: identifying a first firewall rule shadowing a second firewall rule; and recommending to adjust the first firewall rule that shadows the second firewall rule so that the second firewall rule is not shadowed by the first firewall rule.

7. The system of claim 1, wherein determining the one or more firewall rule recommendations comprises: identifying a first firewall rule shadowing a second firewall rule; and recommending to delete the second firewall rule.

8. The system of claim 1, wherein: each firewall rule is expressed as a combination of sub-rules; and for each sub-rule for a firewall rule, the recommendation engine predicts a likelihood of the sub-rule of the firewall rule being hit during a future time period; and generates for the firewall rule, in response to the likelihoods of each sub-rule, a recommendation for the firewall rule.

9. The system of claim 1, wherein determining the one or more firewall rule recommendations comprises: identifying unused firewall rule; and recommending to adjust or delete the unused firewall rule.

10. A computer-implemented method, comprising: receiving, from a log service, traffic logs detailing traffic for a network and firewall logs detailing usage of a set of firewall rules in response to the traffic for the network; accessing the set of firewall rules for the network; processing the set of firewall rules to evaluate the firewall rules against a set of quantitative evaluation rules to determine one or more firewall rule recommendations by: predicting a likelihood of a firewall rule being hit during a future time period; and generating, in response to the likelihood, at least one of the one or more firewall rule recommendations, wherein each firewall rule recommendation is a recommendation to change at least one of the firewall rules in the set of firewall rules; and providing data describing the one or more firewall rule recommendations to a user device.

11. The computer-implemented method of claim 10, further comprising performing a static analysis of endpoints in the network, the static analysis comprising: determining endpoints within the network based on network data; generating synthetic traffic for each endpoint; for each endpoint, determining firewall rules that apply to the endpoint and that are hit in response to the synthetic traffic; and logging each hit of a firewall rule in response to the synthetic traffic.

12. The computer-implemented method of claim 11, wherein generating synthetic traffic for each endpoint includes generating synthetic traffic between endpoint pairs in the network.

13. The computer-implemented method of claim 10, further comprising performing a dynamic analysis of endpoints in the network, the dynamic analysis comprising: determining endpoints within the network based on network data; access a network traffic log that logs historical network traffic for the network and replaying the historical network traffic against the firewall rules; for each endpoint, determining firewall rules that apply to the endpoint and that are hit in response to the replay of the historical network traffic; and logging each hit of a firewall rule in response to the reply of the historical network traffic.

14. The computer-implemented method of claim 10, wherein determining the one or more firewall rule recommendations comprises: identifying a first firewall rule shadowing a second firewall rule; and recommending to adjust the first firewall rule that shadows the second firewall rule so that the second firewall rule is not shadowed by the first firewall rule.

15. The computer-implemented method of claim 10, wherein determining the one or more firewall rule recommendations comprises: identifying a first firewall rule shadowing a second firewall rule; and recommending to delete the second firewall rule.

16. The computer-implemented method of claim 10, wherein determining the one or more firewall rule recommendations comprises: expressing each firewall rule as a combination of sub-rules; for each sub-rule for a firewall rule, predicting a likelihood of the sub-rule of the firewall rule being hit during a future time period; and generating for the firewall rule, in response to the likelihoods of each sub-rule, a recommendation for the firewall rule.

17. A non-transitory computer readable medium storing instructions executable by a data processing apparatus and that cause the data processing apparatus to perform operations comprising: receiving traffic logs detailing traffic for a network and firewall logs detailing usage of a set of firewall rules in response to the traffic for the network; accessing the set of firewall rules for the network; processing the set of firewall rules to evaluate the firewall rules against a set
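The shadowed-rule and unused-rule recommendations recited in claims 6, 7 and 9, sketched as an added example (not code from the patent). The rule model (first match by priority, source CIDR, protocol, destination port range), the `Rule` and `recommend` names, and the choice to recommend "delete" when both rules share an action and "adjust" when they differ are assumptions made for illustration; the rules and hit log are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first (assumed first-match model)
    action: str     # "allow" or "deny"
    src: str        # source CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    net_a, net_b = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    return (net_b.subnet_of(net_a)
            and a.proto in ("any", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def recommend(rules, hit_log):
    """Return (rule to change, recommendation, reason) tuples."""
    hits = Counter(hit_log)                      # firewall log: one rule name per hit
    ordered = sorted(rules, key=lambda r: r.priority)
    recs = []
    for i, rule in enumerate(ordered):
        shadow = next((e for e in ordered[:i] if covers(e, rule)), None)
        if shadow and shadow.action == rule.action:   # later rule changes nothing
            recs.append((rule.name, "delete", f"redundant: shadowed by {shadow.name}"))
        elif shadow:                                  # later rule's intent is overridden
            recs.append((shadow.name, "adjust", f"shadows {rule.name} with opposite action"))
        elif hits[rule.name] == 0:                    # reachable but never hit
            recs.append((rule.name, "adjust-or-delete", "no hits in log window"))
    return recs

# Constructed sample rule set and firewall hit log.
RULES = [
    Rule("allow-corp-tcp", 100, "allow", "10.0.0.0/8", "tcp", (0, 65535)),
    Rule("deny-lab-ssh", 200, "deny", "10.20.0.0/16", "tcp", (22, 22)),
    Rule("allow-lab-https", 300, "allow", "10.20.0.0/16", "tcp", (443, 443)),
    Rule("allow-dns", 400, "allow", "192.168.0.0/16", "udp", (53, 53)),
    Rule("allow-legacy-ftp", 500, "allow", "172.16.0.0/12", "tcp", (21, 21)),
]
HIT_LOG = ["allow-corp-tcp", "allow-corp-tcp", "allow-dns"]

if __name__ == "__main__":
    for rec in recommend(RULES, HIT_LOG):
        print(rec)
```

This check only finds a rule fully covered by a single earlier rule; a rule covered by the union of several earlier rules needs set arithmetic over the match space and is not detected here.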
using machine learning or artificial intelligence · CPC title
Remote procedure calls [RPC]; Web services · CPC title
Rule management · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Forward inferencing; Production systems · CPC title