Reuse of groups in security policy

We claim: 1. A method for modifying a firewall rule of a security policy implemented in a network, the method comprising: identifying a set of compute machines to be added to a match condition for the firewall rule, wherein the match condition is expressed using one or more groups of compute machines; selecting a set of groups for the identified set of compute machines from a plurality of existing groups of compute machines based on a user-specified threshold indicating tolerance for inclusion of compute machines that are not in the identified set of compute machines in the selected groups; and using the selected set of groups for the match condition of the firewall rule; wherein the user-specified threshold balances use of existing groups against inclusion in the match condition of compute machines that are not in the identified set of compute machines. 2. The method of claim 1 , wherein the identified set of compute machines are based on observed flows in a network that do not match the firewall rule. 3. The method of claim 1 , wherein a higher threshold excludes groups with fewer compute machines that are not in the identified set of compute machines. 4. The method of claim 1 , wherein the set of compute machines is a set of network addresses and each group is a different collection of network addresses. 5. The method of claim 1 , wherein using the selected set of groups comprises presenting the selected set of groups as a recommendation to a user for modifications to the match condition for the firewall rule. 6. The method of claim 1 , wherein the match condition is one of source addresses of flows and destination addresses of flows. 7. The method of claim 1 , wherein the user-specified threshold specifies a minimum percentage of the compute machines in a group that are required to be in the identified set of compute machines for the group to be included in the selected set of groups. 8. The method of claim 7 , wherein the selected set of groups comprises, for each compute machine in the identified set of compute machines, at least one group that includes the compute machine unless there are no groups in the plurality of existing groups that include the compute machine. 9. The method of claim 8 , wherein selecting the set of groups comprises creating a new group for any compute machines that are not included in any of the existing groups. 10. A non-transitory machine readable medium storing a program which when executed by at least one processing unit modifies a firewall rule of a security policy implemented in a network, the program comprising sets of instructions for: identifying a set of compute machines to be added to a match condition for the firewall rule, wherein the match condition is expressed using one or more groups of compute machines; selecting a set of groups for the identified set of compute machines from a plurality of existing groups of compute machines based on a user-specified threshold indicating tolerance for inclusion of compute machines that are not in the identified set of compute machines in the selected groups; and using the selected set of groups for the match condition of the firewall rule; wherein the user-specified threshold balances use of existing groups against inclusion in the match condition of compute machines that are not in the identified set of compute machines. 11. The non-transitory machine readable medium of claim 10 , wherein the identified set of compute machines are based on observed flows in a network that do not match the firewall rule. 12. The non-transitory machine readable medium of claim 1 , wherein a higher threshold excludes groups with fewer compute machines that are not in the identified set of compute machines. 13. The non-transitory machine readable medium of claim 10 , wherein the set of compute machines is a set of network addresses and each group is a different collection of network addresses. 14. The non-transitory machine readable medium of claim 10 , wherein the set of instructions for using the selected set of groups comprises a set of instructions for presenting the selected set of groups as a recommendation to a user for modifications to the match condition for the firewall rule. 15. The non-transitory machine readable medium of claim 10 , wherein the match condition is one of source addresses of flows and destination addresses of flows. 16. The non-transitory machine readable medium of claim 10 , wherein the user-specified threshold specifies a minimum percentage of the compute machines in a group that are required to be in the identified set of compute machines for the group to be included in the selected set of groups. 17. The non-transitory machine readable medium of claim 16 , wherein the selected set of groups comprises, for each compute machine in the identified set of compute machines, at least one group that includes the compute machine unless there are no groups in the plurality of existing groups that include the compute machine. 18. The non-transitory machine readable medium of claim 17 , wherein the set of instructions for selecting the set of groups comprises a set of instructions for creating a new group for any compute machines that are not included in any of the existing groups.