Manage object change requests

This topic describes how to manage single-device, multi-device, and object removal change requests.

Manage single-device object change requests

This procedure describes how to manage a single-device object change request.

For more details, see Object change workflow.

Do the following:

User type: Any privileged user
Step: Do one of the following:

  • Submit an object removal request in AlgoSec Firewall Analyzer.
  • Create a change request using the 130: Object Change Request template.

Reference: Submit an object removal request from AFA; Request changes

User type: Information security user
Step: Search for rules that would be affected by the requested object change.
Reference: Find affected rules

User type: Information security user
Step: Do one of the following:

  • Approve the change request and send it on to the next stage.

    FireFlow creates a work order that consists of a list of recommendations for implementing the requested change.

  • Reject the change request.

    The change request returns to the Plan stage, and you can perform initial planning again.

  • Reject and close the change request.

    An email message is sent to the requestor, indicating that the request is denied. The change request's lifecycle is ended, and no further user action is required.

Reference: Approve planned changes

User type: Network operations user
Step: Edit the work order.
Reference: Edit work orders

User type: Network operations user
Step: Implement the requested changes on the security device according to the work order, using the relevant management system (for example, Check Point Dashboard or Juniper NSM).
Reference: Implement changes

User type: Network operations user
Step: FireFlow initiates validation of the implemented device policy changes against the change request.
Reference: Validate changes

User type: Network operations user
Step: If the implemented changes achieved the desired result specified in the change request, notify the requestor that the requested changes were implemented.

If the implemented changes did not achieve the desired result specified in the change request, re-initiate the Implement stage and repeat change validation until the change is successful.

Reference: Notify change requestors; Resolve or return change requests

User type: Network operations user
Step: Once the changes have been successfully validated, resolve the change request.
Reference: Resolve or return change requests


Manage multi-device object change requests

This procedure describes how to manage a multi-device object change request.

For more details, see Multi-device object change workflow.

Do the following:

User type: Any privileged user
Step: Do one of the following:

  • Submit a multi-device object change request from the FireFlow REST API.
  • Submit a multi-device object change request by editing an object in AppViz.

Note: Editing an object in AppViz only opens a multi-device object change request when AppChange is licensed and this behavior is configured.

Reference: Create a device object change request; Manage network / service objects

User type: Information security user
Step: Search for rules that would be affected by the requested object change.
Reference: Find affected rules

User type: Information security user
Step: Do one of the following:

  • Approve the change request and send it on to the next stage.

    FireFlow creates a work order that consists of a list of recommendations for implementing the requested change.

  • Reject the change request.

    The change request returns to the Plan stage, and you can perform initial planning again.

  • Reject and close the change request.

    An email message is sent to the requestor, indicating that the request is denied. The change request's lifecycle is ended, and no further user action is required.

Reference: Approve planned changes

User type: Network operations user
Step: Edit the work order.
Reference: Edit work orders

User type: Network operations user
Step: Implement the requested changes on the security device according to the work order, using the relevant management system (for example, Check Point Dashboard or Juniper NSM).
Reference: Implement changes

User type: Network operations user
Step: FireFlow initiates validation of the implemented device policy changes against the change request.
Reference: Validate changes

User type: Network operations user
Step: If the implemented changes achieved the desired result specified in the change request, notify the requestor that the requested changes were implemented.

If the implemented changes did not achieve the desired result specified in the change request, re-initiate the Implement stage and repeat change validation until the change is successful.

Reference: Notify change requestors; Resolve or return change requests

User type: Network operations user
Step: Once the changes have been successfully validated, resolve the change request.
Reference: Resolve or return change requests


Submit an object removal request from AFA

When viewing the Policy Optimization page of a device report in AFA, you can submit an Object Change request to remove unattached objects, empty objects, and unrouted objects within rules in the device's policy.

Do the following:

  1. If you're currently in FireFlow, switch to AFA. For details, see Logins and other basics.
  2. Browse to and view your device's device report. For details, see View AFA device data.
  3. Click the Policy Optimization tab.

    The Policy Optimization page is displayed.

    Click on one of the supported object categories (Unattached objects, Unattached global objects, Empty objects, and Unrouted object within rules).

    The objects in the selected category are displayed.

  4. Do one of the following:

    • In the first column, select the check boxes next to the objects you want to remove.
    • To select all objects, select the check box in the table heading.
  5. Click Remove Selected Objects.

    A confirmation message appears with a link to the change request.

    If desired, the change request's fields may be modified later on. For details, see Advanced change request edits.

    Note: When you remove more than one object, one change request is opened with multiple object lines.

  6. Click OK.
