Implement changes with ActiveChange

Use FireFlow's ActiveChange functionality to implement changes directly from FireFlow on any relevant devices.

Implement changes from FireFlow

Implementing changes on your devices directly from FireFlow is supported when all of the following conditions are met:

  • ActiveChange is supported for the device.

  • ActiveChange is enabled for the device in AFA.

  • The change request's workflow is supported for the device brand.

    All devices that support ActiveChange are supported for traffic and rule removal requests.

    Additionally, some device types support multi-device object change requests.

For more details, see the Support Matrix on the AlgoSec portal.

Do one of the following:

Implement changes across all devices and policies

This procedure describes how to use ActiveChange to implement changes for all relevant devices and policies simultaneously.

Tip: Alternatively, see Implement changes on a single device.

Do the following:

  1. Click Implement On All Devices.

    The View Status link appears.

  2. To view the implementation status, click View Status.

    The Implementation Status dialog is displayed.

    Each device will have one of the following statuses:

    • In progress: The implementation is in progress.
    • Completed: The implementation successfully completed.
    • Failed: The implementation failed.
    • Not supported: The device brand is not supported in the Implementation Status page.
    • Inapplicable CLI command: There is a problem with the CLI commands that were used to implement the changes on the device.

    Do any of the following:

    • Click Rollback procedure to display instructions for how to reverse the changes done to the device.
    • Click Details to display the device's response.
    • Click Error details to display a description of the error.
    • Filter the devices in the list by status by selecting a status in the Show only drop-down menu.

    Note: The Implementation Status dialog box is relevant only for devices that ActiveChange supports. Other devices will appear, but their status will always be Not supported.

    Note: If implementation fails on a Juniper SRX or Netscreen, the changes are automatically rolled back, and a note in the status states the device has not been changed.

  3. If devices that are not supported for automatic implementation are included in the change request, implement changes on these devices manually. For details, see Implement changes.
  4. If you implemented changes manually on any devices, click Mark All As Implemented.
  5. Click OK.

    The change is implemented on the device policy, and the change request proceeds to the Validate stage.

Implement changes on a single device

This procedure describes how to use ActiveChange to implement changes on a single device at a time.

Do the following:

  1. If you are working with a request with multiple devices or policies, click next to a device.

    The device's or policy's action buttons appear below the device or policy panel.

  2. Click Implement On Device.

    The View Status link appears. See above for more information.

  3. If the change request includes multiple devices or policies, repeat the previous step for each device.

    If devices that are not supported for automatic implementation are included in the change request, implement changes on these devices manually. See Implement changes.

  4. If you implemented changes manually on any devices, click Mark All As Implemented.
  5. Click OK.

    The change is implemented on the device policy, and the change request proceeds to the Validate stage.

Implement changes via CLI

If you don't want FireFlow to implement the work orders automatically on the device, you can implement them manually by copying the recommended CLI commands to the device's command line.

FireFlow provides the recommended CLI commands for implementing work orders when the following conditions are met:

  • The device is a Cisco or Juniper device that supports ActiveChange.

    For Juniper SRX and Netscreen devices, the device must be managed locally, and not by NSM or Space. This is true even if the device is defined directly in AFA, without the NSM or Space.

  • ActiveChange is enabled for the device in AFA.

  • The change request is a traffic request or rule removal request.

  • For work orders with IPv6 traffic, you must attach the IPv6 ACL to an interface (access group syntax) before ASMS can generate the CLI commands.

Note: Do not make changes on the device policy after FireFlow generates the CLI commands but before implementing the recommended changes.

If changes may have been made, click Recalculate to recalculate the work order before implementing the recommended commands.

The CLI Recommendation area shows the series of CLI commands that represent the changes to make on your device.

Note: If ActiveChange is not enabled on the specific device, you will not get CLI commands with the work order recommendation.

Do the following:

(Optional) Edit the CLI commands:

  1. Click Modify in the Implementation Recommendation area.

    The Modify Implementation Recommendation window appears.

  2. In the Implementation Recommendation field, edit the CLI commands for your specific requirements.
  3. Click OK.

    The CLI commands are saved, and the work order is grayed out (because the work order does not reflect the CLI commands). In this case, the work order will be ignored during the Validate stage.

  4. To discard edits you have made and return to the CLI commands which reflect the work order, click Regenerate CLI.

Implement the CLI commands

  1. Copy the list of recommended CLI commands that appear in the Implementation Recommendation section of the work order, and then paste them to the device's command line.
  2. When you have completed implementation, do one of the following:

    Requests with multiple devices or policies

    Confirm implementation has been completed for every device/policy as follows:

    1. Click Mark All Sub Requests As Implemented.

      A confirmation message appears.

    2. Click OK.

    Requests with a single device or policy

    Confirm that implementation is completed as follows:

    1. Display the device's change request information by clicking next to the device.

      The device's action buttons, and the Work Order Recommendations area appear below the device panel.

    2. Click Implementation Done.

    Requests with no devices or policies

    Click Implementation Done.
