Change request parameters for policy-based devices

In this topic:

Configuring Device-Based Change Requests for Policy-Based Devices

Configuring Policy-Based Work Orders to Recommend Installing Rules Only on Relevant Devices

By default, FireFlow uses policy-based change requests for Palo Alto Networks Panorama, Check Point, and Fortinet FortiManager. These change requests suggest modifying the policies installed on the devices that are relevant to the change from the perspective of the policy (not the individual devices).

If desired, you can configure FireFlow to create device-based change requests for these devices. The change request will modify the policy from the perspective of each relevant device, where each rule added to the policy will only be installed on a single device. Note that this behavior may cause the same rule to be added to a policy multiple times (once per relevant device).

Note: Policy-based change requests are not supported for Palo Alto Firewalls or Fortinet FortiGate devices defined in AFA directly (not via Panorama or FortiManager).

Note: When using policy-based change requests, you do have the option to specify that the change should only be installed on the specific devices relevant to the change (and not every device with the policy). See Configuring Policy-Based Work Orders to Recommend Installing Rules Only on Relevant Devices.

Configuration Parameter Name     Value
PolicyBasedRequestFMGR           Policy. All change requests will be policy-based. (Default)
                                 None. All change requests will be device-based.
PolicyBasedRequestForCheckPoint  Policy. All change requests will be policy-based. (Default)
                                 None. All change requests will be device-based.
PolicyBasedRequestForPanorama    DeviceGroup. All change requests will be policy-based. (Default)
                                 None. All change requests will be device-based.


Configuring Policy-Based Work Orders to Recommend Installing Rules Only on Relevant Devices

By default, FireFlow policy-based change requests will always recommend installing new rules for a policy on every device with the policy. FireFlow identifies the devices relevant to the requested change in Initial Planning, and the work order will suggest installing the new rules on every device with the same policy as the devices that were identified as relevant. This behavior is true for all policy-based change requests.

If desired, you can configure FireFlow to suggest changing only the devices relevant to the change request. When a policy-based change request work order suggests adding a new rule to a policy, the suggested rule's "install on" field will include only the devices Initial Planning identified as relevant to the change request. This will be the behavior for all policy-based devices.

By default, if more than 5 specific devices are identified as relevant, FireFlow will suggest installing the rule on every device with the policy. If desired, you can customize this threshold.

Note: This configuration option is only relevant when FireFlow manages Palo Alto Networks Panorama, Check Point, and Fortinet FortiManager devices with policy-based change requests (the default behavior). It is not relevant if FireFlow is configured to manage policy-based devices with device-based change requests. For more information, see Configuring Device-Based Change Requests for Policy-Based Devices.

Configuration Parameter Name   Value
ApplyPolicyOnSuggestedDevices  1. FireFlow suggests installing new rules only on the devices identified as relevant.
                               0. FireFlow suggests installing new rules on all devices with the policy. (Default)
MaxTargetThreshold             The maximum number of specific devices on which a rule can be installed before FireFlow falls back to suggesting every device with the policy. (Only relevant when ApplyPolicyOnSuggestedDevices is set to 1.) The default value is 5.
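The following added example models how the three settings described in both sections above (the PolicyBasedRequest* mode, ApplyPolicyOnSuggestedDevices, and MaxTargetThreshold) combine to decide which rules a work order suggests and what their "install on" field contains. It is illustrative code, not FireFlow's own implementation, and the device inventory and policy names are constructed.

```python
from dataclasses import dataclass

# Constructed inventory for the example: device name -> policy installed on it.
DEVICE_POLICY = {
    "fw-nyc-1": "corp-policy",
    "fw-nyc-2": "corp-policy",
    "fw-lon-1": "corp-policy",
    "fw-dc-1": "dc-policy",
    "fw-dc-2": "dc-policy",
}


@dataclass
class Settings:
    # True models PolicyBasedRequest* = Policy/DeviceGroup, False models None.
    policy_based: bool = True
    # ApplyPolicyOnSuggestedDevices (0 = all devices with the policy, 1 = relevant only).
    apply_on_suggested_devices: int = 0
    # MaxTargetThreshold: above this many relevant devices, fall back to the whole policy.
    max_target_threshold: int = 5


def devices_with_policy(policy, inventory):
    """All devices that have the given policy installed."""
    return sorted(d for d, p in inventory.items() if p == policy)


def plan_rule_targets(relevant, settings, inventory=DEVICE_POLICY):
    """Return one (policy, install_on) tuple per rule the work order would suggest.

    'relevant' is the set of devices Initial Planning identified for the change.
    Hypothetical model of the documented behaviour, not FireFlow code.
    """
    if not settings.policy_based:
        # Device-based mode: the same rule is added once per relevant device,
        # each copy installed on that single device only.
        return [(inventory[d], [d]) for d in sorted(relevant)]

    plan = []
    # Policy-based mode: one rule per policy that has a relevant device.
    for policy in sorted({inventory[d] for d in relevant}):
        relevant_here = sorted(d for d in relevant if inventory[d] == policy)
        if (settings.apply_on_suggested_devices == 1
                and len(relevant_here) <= settings.max_target_threshold):
            install_on = relevant_here          # only the relevant devices
        else:
            install_on = devices_with_policy(policy, inventory)  # every device with the policy
        plan.append((policy, install_on))
    return plan
```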
