Implement changes with ActiveChange

Use FireFlow's ActiveChange functionality to implement changes directly from FireFlow on any relevant devices.

Implement changes from FireFlow

You can implement changes related to your device directly from FireFlow when these conditions are met:

  • FireFlow supports ActiveChange for the device

  • You have enabled ActiveChange in AFA Devices Setup

  • The device brand supports the change type’s workflow

All devices with ActiveChange support traffic change requests and rule removal requests.

Some device types support multi-device object change requests.

For more details, see the Support Matrix on the AlgoSec portal.

Do one of the following:

Implement changes across all devices and policies

This procedure describes how to use ActiveChange to implement changes for all relevant devices and policies simultaneously.

Do the following:

  1. Click Implement On All Devices.

    The View Status link is displayed.

  2. To view the implementation status, click View Status.

    The Implementation Status dialog is displayed.

    Each device will have one of the following statuses:

    In progress: The implementation is in progress.
    Completed: The implementation successfully completed.
    Failed: The implementation failed.
    Not supported: The device brand is not supported in the Implementation Status page.
    Inapplicable CLI command: There is a problem with the CLI commands that were used to implement the changes on the device.

    Do any of the following:

    • Click Rollback procedure to display instructions for how to reverse the changes done to the device.
    • Click Details to display the device's response.
    • Click Error details to display a description of the error.
    • Filter the devices in the list by status by selecting a status in the Show only drop-down menu.

    Note: The Implementation Status dialog is relevant only for devices with ActiveChange support. Other devices will be displayed, but their status will always be Not supported.

    Note: If implementation fails on a Juniper SRX or Juniper Netscreen device, the changes are automatically rolled back, and a note in the status states the device has not been changed.

  3. If devices that are not supported for automatic implementation are included in the change request, implement changes on these devices manually. For details, see Implement changes.
  4. If you implemented changes manually on any devices, click Mark All As Implemented.
  5. Click OK.

    The change is implemented on the device policy, and the change request proceeds to the Validate stage.

Implement changes on a single device or multiple single devices

This procedure describes how to use ActiveChange to implement changes on a single device. Typically, you will implement changes on devices in a loop (refer to steps 2 and 3 below) when the change request includes multiple devices or policies.

Do the following:

  1. If you are working with a request with multiple devices or policies, click next to a device.

    The device's or policy's action buttons are displayed below the device or policy panel.

  2. Click Implement On Device.

    The View Status link is displayed. See above for more information.
    Important: If the change request includes multiple devices or policies, repeat the previous step for each device, before continuing to the next step.

  3. If devices that are not supported for automatic implementation are included in the change request, implement changes on these devices manually, following the guidelines in the topic Implement changes.
  4. If you implemented changes manually on any devices, click Mark All As Implemented.
  5. Click OK.

    The change is implemented on the device policy, and the change request proceeds to the Validate stage.


Implement changes via CLI

When certain conditions are met, you can implement changes for your Cisco or Juniper device via the CLI, using CLI commands that FireFlow recommends and provides based on the relevant work orders.

The relevant Cisco and Juniper devices must meet these conditions:

  • The device is a Cisco or Juniper device that supports ActiveChange.

  • In the case of Juniper SRX and Netscreen devices, the device must be managed locally, and not by NSM or Space. This is true even if the device is defined directly in AFA, without the NSM or Space.

  • ActiveChange must be enabled for the device in AFA.

  • The change request must be a traffic change request or a rule removal request.

  • For work orders with IPv6 traffic, you must attach the IPv6 ACL to an interface (access group syntax) before ASMS can generate the CLI commands.

Note: Do not make changes on the device policy after FireFlow generates the CLI commands but before implementing the recommended changes.

If changes may have been made, click Recalculate to recalculate the work order before implementing the recommended commands.
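An added example, not part of FireFlow or AlgoSec's documentation: one way to check whether the device policy changed in that window is to compare a configuration snapshot saved when the CLI commands were generated against the configuration just before implementation. It assumes Cisco ASA-style configuration text; the sample configurations and all function names are constructed for illustration.

```python
import difflib

# Top-level keywords treated as policy-relevant (assumption: Cisco ASA-style syntax).
POLICY_PREFIXES = ("access-list ", "access-group ", "object ", "object-group ")

# Constructed sample: configuration saved when the CLI commands were generated.
SNAPSHOT = """\
: Saved
hostname fw-lab-01
object network WEB_SRV
 host 192.0.2.10
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
Cryptochecksum:aaaa
"""
# Constructed sample: only a non-policy line differs from the snapshot.
CURRENT_SAME = SNAPSHOT.replace("Cryptochecksum:aaaa", "Cryptochecksum:bbbb")
# Constructed sample: an ACE was added above the final deny after generation.
NEW_ACE = "access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 22"
CURRENT_DRIFT = SNAPSHOT.replace("access-list OUTSIDE_IN extended deny",
                                 NEW_ACE + "\naccess-list OUTSIDE_IN extended deny")

def policy_lines(config):
    """Return policy statements in order, keeping indented children of object blocks."""
    kept, in_block = [], False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line[0].isspace():          # child of the previous top-level statement
            if in_block:
                kept.append(line)
            continue
        in_block = line.startswith(POLICY_PREFIXES)
        if in_block:
            kept.append(line)
    return kept

def policy_drift(snapshot, current):
    """Ordered diff of policy statements; ACE order matters, so this is not a set compare."""
    diff = difflib.unified_diff(policy_lines(snapshot), policy_lines(current),
                                "at-generation", "before-implementation", lineterm="", n=0)
    return [d for d in diff if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]

def needs_recalculate(snapshot, current):
    """True when any policy statement was added, removed, or reordered."""
    return bool(policy_drift(snapshot, current))
```

A non-empty result from `policy_drift` is the cue to click Recalculate before pasting the recommended commands.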

The CLI Recommendation area shows the series of CLI commands that can be used to make the requested changes on your device.

For example:

Note: ActiveChange must be enabled on the device for the CLI commands to be produced for the work order recommendation.

Do the following:

(Optional) Edit the CLI commands:

  1. Click Modify in the Implementation Recommendation area.

    The Modify Implementation Recommendation window is displayed.

  2. In the Implementation Recommendation field, edit the CLI commands according to your requirements.
  3. Click OK.

    The CLI commands are saved, and the work order, which no longer reflects the original list of CLI commands, is grayed out. The work order will be ignored during the Validate stage.

  4. To discard edits you have made and return to the CLI commands which reflect the work order, click Regenerate CLI.

Implement the CLI commands

  1. Copy the list of recommended CLI commands that appear in the Implementation Recommendation section of the work order, and then paste them to the device's command line.
  2. When you have completed implementation, do one of the following:

    Requests with multiple devices or policies

    Confirm implementation has been completed for every device/policy as follows:

    1. Click Mark All Sub Requests As Implemented.

      A confirmation message is displayed.

    2. Click OK.

    Requests with a single device or policy

    Confirm that implementation is completed as follows:

    1. Display the device's change request information by clicking next to the device.

      The device's action buttons, and the Work Order Recommendations area appear below the device panel.

    2. Click Implementation Done.

    Requests with no devices or policies

    Click Implementation Done.
