An any-any-any firewall rule permits traffic with very little meaningful control. In some environments it may have been added during troubleshooting, migration, or emergency access work, but leaving it in place can quietly undermine the rest of the firewall policy.
The risk is not only that too much traffic is allowed. The bigger problem is that broad rules make intent unclear. Engineers cannot easily tell which application, user group, network, or service the access was supposed to support, which makes safe removal harder later.
The better approach is to replace broad access with scoped source networks, specific destinations, required services, logging, ownership notes, and an expiry or review process where appropriate. ConfigSentry can help surface these rules so they are not missed during routine review.