Change request field references

Relevant for: All FireFlow users

This topic describes the fields available in FireFlow change requests.

Generic change request fields

Name

Description

Subject

Type a title for your request and for the change request that will be generated.

Note: This field is optional.

Due

Specify the date by which this change request should be resolved, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. You can use most relative and absolute formats, for example yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, “next week”, and “now + 3 days”.

Note: This field is optional.

Describe the issue

Type a free text description of the issue.

This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

Note: This field is optional.

Attach File

  • To attach a file to your request, do one of the following:

    • Type the path to the file in the field provided.

    • Click Browse, browse to the desired file, and click Open.

      If you are using the 120: Generic Request template or any custom template that allows creating change requests from files, FireFlow will create a change request from an attached spreadsheet file. For more information on creating change requests from file, see Creating Change Requests from File.

    • To add more files, click Add More Files.

    Note: This field is optional.

    Requestor

    In the Requestors Web Interface, this field displays your email address and is read-only.

    Note: In the No-Login Web Form, you must type your email address.

    Expires

    Specify the date on which this change request will expire, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided.

      FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    Note: This field is optional.

    External change request id

    If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

    The FireFlow change request generated for your request will be linked to the external system change request.

    Note: This field is optional.

    Workflow

    The change request's workflow.

    Note: This field is read-only.

    From Template

    The change request's template.

    Note: This field is read-only.


    Traffic-based change request fields

    Name

    Description

    Requestor

    In the Requestors Web Interface, this field displays your email address and is read-only.

    Note: In the No-Login Web Form, you must type your email address.

    Subject

    Type a title for your request and for the change request that will be generated.

    Note: This field is optional.

    Due

    Specify the date by which this change request should be resolved, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided.

      FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    Note: This field is optional.

    Expires

    Specify the date on which this change request will expire, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    Note: This field is optional.

    Request

    Due to system customizations, this area may include fields that are not described below. Some possible additional fields are described below. For additional information, consult with your FireFlow administrator.

    Source

    Specify the traffic source(s). For details, see Change request wizards.

    Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.

    User

    Enter one or more (comma separated) user names and/or group names. The default value is Any.

    This field is only relevant for Check Point and Palo Alto devices.

    Notes:

    1. Only use existing users/groups. AFF does not support creating new ones with ActiveChange. If a change request is submitted with a user or group name that doesn't exist on the target firewall, ActiveChange will implement the rule without a user/group configuration, and no failure indication will be provided.

    2. The user/group names that you specify must exactly match the user/group names as configured on the target device.

    Destination

    Specify the traffic destination(s). For details, see Change request wizards.

    Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.

    Service

    Specify the traffic service(s). For details, see Change request wizards.

    Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.

    Note: For traffic that affects Check Point devices, you must specify a service that is supported by the authentication method. For information on supported services for each method, refer to Check Point documentation.

    Application

    Specify the application(s). For details, see Change request wizards.

    The default value is Any.

    This field is only relevant for Palo Alto devices.

    Action

    Choose the device action to perform for the connection. This can be either of the following:

    • Allow: Allow the connection.
    • Drop: Block the connection.
    Note: When using the Traffic Change Request (IPv6) workflow, only traffic with "Allow" actions is supported.

    Show NAT

    Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic.

    The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear.

    Depending on system customizations, the Source after NAT, Destination after NAT, and Port after Translation fields may appear as well.

    Hide NAT

    Click this option to hide the NAT and PAT fields.

    Source NAT

    Type the source NAT value, if the connection’s source should be translated.

    Note: If the Source after NAT field appears below this field, then you must type the source NAT value before translation.

    Source after NAT

    Type the source NAT value after translation, if the connection’s source should be translated.

    Destination NAT

    Type the destination NAT value, if the connection’s destination should be translated.

    Note: If the Destination after NAT field appears below this field, then you must type the destination NAT value before translation.

    Destination after NAT

    Type the destination NAT value after translation, if the connection’s destination should be translated.

    Port Translation

    Type the port value, if the connection’s port should be translated.

    Note: If the Port after Translation field appears below this field, then you must type the port value before translation.

    Port after Translation

    Type the port value after translation, if the connection’s port should be translated.

    NAT Type

    Specify the type of NAT (Static or Dynamic).

    Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.

    Add More Traffic

    To add more traffic to the request, click this option and complete the fields.

    Set traffic values

    Click this button to set traffic values for variables you have put in the source, destination or service fields.

    For details, see Variables in traffic fields.

    Import traffic from csv

    Click this link to import a CSV file of traffic lines. Select the CSV file from your computer.

    Required Headers:
    • Source
    • Destination
    • Service
    Optional Headers:
    • User. If this header is not present, the value defaults to "any".
    • Application. If this value is not present, the value defaults to "any".
    • Action. If this header is not present, the value defaults to "allow".

    Any other headers included in the CSV file are ignored.

    Note: Headers are not case sensitive.

    Multiple entries (such as IP addresses, ranges, or networks) that appear in a single cell must be separated by commas within the cell.
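The CSV rules above, together with the User field notes and the layer 3 service names listed later on this page, can be checked before a file is imported. The following Python sketch is an added example, not AlgoSec code: the function names, the sample file and the `known_principals` set (user/group names exported from the target device) are assumptions, as is treating an empty optional cell like a missing header.

```python
import csv
import io

REQUIRED = ("source", "destination", "service")
DEFAULTS = {"user": "any", "application": "any", "action": "allow"}
ACTIONS = {"allow", "drop"}  # compared case-insensitively (assumption)
# Protocol number -> FireFlow defined service name, from this page's table.
L3_NAMES = {"50": "ipsec_50", "51": "ipsec_51", "47": "gre", "58": "icmp6",
            "57": "skip", "97": "etherip", "103": "pim"}


def split_cell(cell):
    """Multiple entries in a single cell are separated by commas."""
    return [part.strip() for part in cell.split(",") if part.strip()]


def lint_traffic_csv(text, known_principals=None):
    """Return (rows, findings) for the text of a traffic CSV file."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return [], ["file is empty"]
    # Headers are not case sensitive; any other headers are ignored.
    index = {}
    for pos, name in enumerate(header):
        index.setdefault(name.strip().lower(), pos)
    missing = [h for h in REQUIRED if h not in index]
    if missing:
        return [], ["missing required header(s): " + ", ".join(missing)]

    rows, findings = [], []
    for rec in reader:
        if not any(cell.strip() for cell in rec):
            continue  # skip blank lines
        n = reader.line_num
        row = {}
        for name in REQUIRED + tuple(DEFAULTS):
            pos = index.get(name)
            cell = rec[pos] if pos is not None and pos < len(rec) else ""
            values = split_cell(cell)
            if not values and name in DEFAULTS:
                values = [DEFAULTS[name]]
            row[name] = values
        for name in REQUIRED:
            if not row[name]:
                findings.append(f"line {n}: {name} is empty")
        # Layer 3 protocols must be given by service name, not number.
        for svc in row["service"]:
            if svc in L3_NAMES:
                findings.append(f"line {n}: service '{svc}' is a protocol "
                                f"number; use '{L3_NAMES[svc]}'")
        for act in row["action"]:
            if act.lower() not in ACTIONS:
                findings.append(f"line {n}: unknown action '{act}'")
        # A name that does not exactly match the device is dropped silently
        # by ActiveChange, leaving a rule with no user/group restriction.
        if known_principals is not None:
            for who in row["user"]:
                if who.lower() != "any" and who not in known_principals:
                    findings.append(f"line {n}: user/group '{who}' has no "
                                    f"exact match on the device")
        rows.append(row)
    return rows, findings


# Constructed sample: mixed-case headers, an ignored "Ticket" column,
# a bare protocol number and a user group whose case does not match.
SAMPLE_CSV = (
    "SOURCE,destination,Service,User,Ticket\n"
    '"10.1.1.0/24, 10.1.2.5",192.0.2.10,tcp/443,FinanceUsers,CHG-1\n'
    "10.3.0.7,192.0.2.20,50,finance-users,CHG-2\n"
    '10.4.0.0/16,192.0.2.30,"gre, http",,CHG-3\n'
)

if __name__ == "__main__":
    parsed, problems = lint_traffic_csv(SAMPLE_CSV, {"FinanceUsers"})
    for problem in problems:
        print(problem)
```

The user/group check matters most for review: a mismatch produces no error at implementation time, so the resulting rule is broader than the request intended.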

    To replicate a traffic line (add a new traffic line with the same traffic as in the current traffic line), click this option and modify the fields as desired.

    To remove additional traffic from the request, click this option next to the desired traffic.

    More

    External change request id

    If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

    The FireFlow change request generated for your request will be linked to the external system change request.

    Note: This field is optional.


    IPv6 traffic change request fields

    Name

    Description

    Requestor

    In the Requestors Web Interface, this field displays your email address and is read-only.

    Note: In the No-Login Web Form, you must type your email address.

    Subject

    Type a title for your request and for the change request that will be generated.

    Note: This field is optional.

    Due

    Specify the date by which this change request should be resolved, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    Note: This field is optional.

    Expires

    Specify the date on which this change request will expire, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    Note: This field is optional.

    Request

    Use this area to specify the traffic changes you would like.

    By default, when submitting a traffic change request, this area includes the following fields for defining traffic: Source, Destination, Service, Action, Show NAT, Hide NAT, Source NAT, Destination NAT, Port Translation, NAT Type, Add More Traffic, and .

    Due to system customizations, this area may differ in the following ways:

    • NAT fields may not appear.
    • The following additional NAT fields may appear: Source after NAT, Destination after NAT, Port after Translation.
    • The Source, Destination, and/or Service fields may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.
    • Each row of traffic may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.

    Source

    Do one of the following:

    • Type the IP address, IP range, network, or device object.
    • Use the Choose Source Wizard. For details, see Change request wizards.

    Note: Only IPv6 addresses are supported. You cannot mix IPv6 and IPv4 addresses in the same workflow.

    Destination

    Do one of the following:

    • Type the IP address, IP range, network, or device object.
    • Use the Choose Destination Wizard. For details, see Change request wizards.

    Note: Only IPv6 addresses are supported. You cannot mix IPv6 and IPv4 addresses in the same workflow.

    Service

    Do one of the following:

    Action

    Choose the device action to perform for the connection. This can be either of the following:

    • Allow: Allow the connection.
    • Drop: Block the connection.

    Show NAT

    Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic.

    The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear.

    Note: Depending on system customizations, the Source after NAT, Destination after NAT, and Port after Translation fields may appear as well.

    Hide NAT

    Click this option to hide the NAT and PAT fields.

    Source NAT

    Type the source NAT value, if the connection’s source should be translated.

    Note: If the Source after NAT field appears below this field, then you must type the source NAT value before translation.

    Source after NAT

    Type the source NAT value after translation, if the connection’s source should be translated.

    Destination NAT

    Type the destination NAT value, if the connection’s destination should be translated.

    Note: If the Destination after NAT field appears below this field, then you must type the destination NAT value before translation.

    Destination after NAT

    Type the destination NAT value after translation, if the connection’s destination should be translated.

    Port Translation

    Type the port value, if the connection’s port should be translated.

    Note: If the Port after Translation field appears below this field, then you must type the port value before translation.

    Port after Translation

    Type the port value after translation, if the connection’s port should be translated.

    NAT Type

    Specify the type of NAT (Static or Dynamic).

    Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.

    Add More Traffic

    To add more traffic to the request, click this option and complete the fields.

    To remove additional traffic from the request, click this option next to the desired traffic.

    From Template

    The change request's template.

    Note: This field is read-only.

    Workflow

    The change request's workflow.

    Note: This field is read-only.

    External change request id

    If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

    The FireFlow change request generated for your request will be linked to the external system change request.

    Note: This field is optional.

    Describe the issue

    Type a free text description of the issue.

    This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

    This field is optional.

    Attach file

    To attach a file to your request, do one of the following:

    • Type the path to the file in the field provided.
    • Click Browse, browse to the desired file, and click Open.

    To add more files, click Add More Files.

    Note: This field is optional.


    Multicast traffic change request fields

    Name

    Description

    General

    To close the General section, click in the heading. To reopen, click again.

    Owner

    Owner of the request.

    Requestor

    In the Requestors Web Interface, this field displays your email address and is read-only.

    In the No-Login Web Form, you must type your email address.

    Subject

    Type a title for your request and for the change request that will be generated.

    This field is optional.

    Due

    Specify the date by which this change request should be resolved, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    This field is optional.

    Expires

    Specify the date on which this change request will expire, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    This field is optional.

    Traffic

    To close the Traffic section, click in the heading. To reopen, click again.

    Request

    Use this area to specify the traffic changes you would like.

    By default, when submitting a traffic change request, this area includes the following fields for defining traffic: Source, Destination, Service, Action, Show NAT, Hide NAT, Source NAT, Destination NAT, Port Translation, NAT Type, Add More Traffic, and .

    Due to system customizations, this area may differ in the following ways:

    • NAT fields may not appear.
    • The following additional NAT fields may appear: Source after NAT, Destination after NAT, Port after Translation.
    • The Source, Destination, and/or Service fields may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.
    • Each row of traffic may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.

    Source

    Do one of the following:

    • Type the IP address, IP range, network, device object, or DNS name of the connection source.
    • Use the Choose Source Wizard, as described in Using the Choose Source/Destination Wizard (see Change request wizards).

    To enter multiple values, press Enter. A new field appears for this source.

    Note: You cannot mix regular traffic and multicast in the same workflow.

    When specifying Check Point traffic for which the User Authentication method is used, you can include the user group as part of the source, in the following format:

    usergroup@host

    Where:

    • usergroup is the user group's name. You may use the Choose Source Wizard's Device Object tab to select the user group if desired.

      Note: LDAP user groups are only supported for devices configured to use OPSEC data collection.

    • host is the IP address, IP range, network, device object, or DNS name of the connection source.

    For example: group1@RNDNetwork or group1@Any.

    Note: Specifying the user group is only supported if the FireFlow default authentication method is User Authentication. Ask your FireFlow administrator for further information.

    Destination

    Do one of the following:

    • Type the IP address, IP range, network, device object, or DNS name of the connection destination.
    • Use the Choose Destination Wizard, as described in Using the Choose Source/Destination Wizard (see Change request wizards).

    To enter multiple values, press Enter. A new field appears for this destination.

    Note: You cannot mix regular traffic and multicast in the same workflow.

    Service/Application

    Do one of the following:

    • Type the device service or port for the connection (for example "http" or "tcp/123"). For details, see Supported layer 3 protocols.
    • Type the name of an application as defined in your Palo Alto or Check Point device.
    • Use the Choose Service Wizard. For details, see Change request wizards.

    To enter multiple values, press Enter. A new field appears for this service.

    Note: When configuring a change request for Check Point traffic, you must specify a service that is supported by the authentication method. For information on supported services for each method, refer to Check Point documentation.

    Action

    Choose the device action to perform for the connection. This can be either of the following:

    • Allow: Allow the connection.
    • Drop: Block the connection.

    NAT settings

    Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic.

    The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear.

    Depending on system customizations, the Source after NAT, Destination after NAT, and Port after Translation fields may appear as well.

    Click NAT settings again to hide the settings.

    Source NAT

    Type the source NAT value, if the connection’s source should be translated.

    Note: If the Source after NAT field appears below this field, then you must type the source NAT value before translation.

    Source after NAT

    Type the source NAT value after translation, if the connection’s source should be translated.

    Destination NAT

    Type the destination NAT value, if the connection’s destination should be translated.

    Note: If the Destination after NAT field appears below this field, then you must type the destination NAT value before translation.

    Destination after NAT

    Type the destination NAT value after translation, if the connection’s destination should be translated.

    Port Translation

    Type the port value, if the connection’s port should be translated.

    Note: If the Port after Translation field appears below this field, then you must type the port value before translation.

    Port after Translation

    Type the port value after translation, if the connection’s port should be translated.

    NAT Type

    Specify the type of NAT (Static or Dynamic).

    Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.

    Add More Traffic

    To add more traffic to the request, click this option and complete the fields.

    To remove additional traffic from the request, click this option next to the desired traffic.

    More

    To close the More section, click in the heading. To reopen, click again.

    External change request id

    If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

    The FireFlow change request generated for your request will be linked to the external system change request.

    This field is optional.

    Device Name

    Click in the Device Name box. The device selection dialog box appears with a list of available Cisco devices.

    • To filter, in the Filter By list, select Brand, Device, Policy, Device and Policy, or Selected.
    • To select all devices for a brand, select the Brand check box.
    • To select, click a device. The device will appear at the top of the box. Click another device to select it. There is no need to hold the CTRL key for multiple selections.
    • To move forward and backward in the device list, click the and icons.

    Selected devices appear in the Device Name box.

    Click the up arrow to close the dialog box.

    Change request justification

    Type a free text description of the issue.

    This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

    This field is optional.

    Attachments

    To add attachments, click Add files. The Choose File to Upload dialog box opens.

    Browse to the desired file, and click Open. To select multiple files, press CTRL while selecting.

    This field is optional.


    Web-filter change request fields

    Name

    Description

    Requestor

    In the Requestors Web Interface, this field displays your email address and is read-only.

    In the No-Login Web Form, you must type your email address.

    Subject

    Type a title for your request and for the change request that will be generated.

    This field is optional.

    Due

    Specify the date by which this change request should be resolved, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    This field is optional.

    Expires

    Specify the date on which this change request will expire, by doing one of the following:

    • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
    • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

    This field is optional.

    Request

    Use this area to specify the connection you would like to filter.

    User Group

    Do one of the following:

    • Type the name of the user or user group that should be allowed/denied access to a URL.
    • Use the Choose User Group Wizard. For details, see Change request wizards.

    URL

    Type the URL to which to allow/deny access.

    Category

    Do one of the following:

    Note: When creating a change request via the Blue Coat Blocked page, this field is automatically filled in.

    Action

    Select the device action to perform for the connection. This can be any of the following:

    • Allow: Allow the connection.
    • Block: Block the connection.

    Add More Web Filtering

    To add more connections to the request, click this option and complete the fields.

    To remove additional connections from the request, click this option next to the desired traffic.

    From Template

    The change request's template.

    This field is read-only.

    Workflow

    The change request's workflow.

    This field is read-only.

    External change request id

    If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

    The FireFlow change request generated for your request will be linked to the external system change request.

    This field is optional.

    Describe the issue

    Type a free text description of the issue.

    This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

    This field is optional.

    Attach file

    To attach a file to your request, do one of the following:

    • Type the path to the file in the field provided.
    • Click Browse, browse to the desired file, and click Open.

    To add more files, click Add More Files.

    This field is optional.


    Supported layer 3 protocols

    This topic lists the non-TCP/UDP/ICMP protocols that FireFlow supports by default.

    Protocol              FireFlow Defined Service Name    Protocol Number
    IPsec (ESP)           ipsec_50                         50
    IPsec (AH)            ipsec_51                         51
    IPsec (ESP and AH)    ipsec                            50 and 51
    GRE                   gre                              47
    IPv6-ICMP             icmp6                            58
    SKIP                  skip                             57
    ETHERIP               etherip                          97
    PIM                   pim                              103

    Note: When using layer 3 protocols in FireFlow, you must use the FireFlow defined service name, not the protocol number. In addition, you may use service objects which contain these protocols.

    Tip: FireFlow enables administrators to define additional layer 3 protocols for FireFlow support. For more details, see Define protocols.


    Variables in traffic fields

    This procedure describes how to use variables when entering traffic details in a traffic change request.

    Variables are supported in any of the traffic lines for the change request.

    Do the following:

    1. In the Source, Destination, Service, and/or Application field, enter one or more variables using the following syntax:

      #{VariableName}

      where VariableName is the name you give the variable.

      In the Traffic area, the Set traffic values button is enabled.

    2. Click Set traffic values.

      The Set traffic values dialog box appears with all of the variables you have used listed under Traffic Parameter.

    3. Enter the values for each variable you want to use, and click Set Values.

    When you submit the change request, each variable will be replaced with its designated value.
