Customize change request wizards

When defining traffic in a change request, FireFlow provides suggested sources, destinations, and services. FireFlow allows you to customize which objects appear as options.

Configure the suggested sources / destinations list

When defining traffic in a change request, the Source and Destination fields provide wizards which help you select network objects. By default, the suggested list of objects appears when the wizard opens. You can configure objects to appear in this list, for example "email server" or "my computer", enabling the user to specify a common source or destination without knowing its IP address.

Note: If desired, you can change the default list of objects for the choose source/destination wizard. For details, see Configuring the Default Network Object Category in the Choose Source/Destination Wizard.

Do the following:

  1. Log in to the FireFlow server using the username "root" and the related password.

  2. Under the directory /usr/share/fireflow/local/etc/, locate the file SuggestedAddressObjects_Config.xml.

    Note: This is the original suggested sources/destinations list file, and it can be used to revert to defaults, as needed. Do not modify this file.

  3. Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original file into an override file that is also called SuggestedAddressObjects_Config.xml.

  4. Open the override file.

  5. To add a suggested source/destination to the list, add a new object tag inside the objects tag.

    <object name="objectName" [ipversion="ipVersion"]>

        <value>objectValue</value>

    </object>

    Where:

    • objectName is the source/destination name that should appear in the suggested list.
    • objectValue is the value to which FireFlow should resolve the source/destination name. This can be a single IP address, an IP address range, or a network(CIDR).
    • ipVersion is ipv4 or ipv6.

      The default value is ipv4.

    Note: All optional elements of the tag appear in square brackets [ ].

    Note: The object "my computer" is a built-in suggested object. FireFlow resolves it to the IP address of the user's computer (the local host).

  6. To remove an object from the list, delete the relevant tags.

  7. Save the override file.

  8. Restart FireFlow. For details, see Restart FireFlow.
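To catch a mistyped value, or an ipversion that does not match the address it is paired with, before restarting FireFlow, the following Python check (an added example, not part of the FireFlow product or this guide) parses an override file written with the object/value tags above. The sample file and its addresses are constructed; the objects root element is assumed from the step that places object tags inside it.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample override file. The object/value tags and the ipversion
# attribute follow the procedure; the <objects> root element is an assumption.
SAMPLE_XML = """<?xml version="1.0"?>
<objects>
  <object name="email server"><value>10.1.2.25</value></object>
  <object name="dmz web tier"><value>192.0.2.0/24</value></object>
  <object name="backup range"><value>10.9.0.10-10.9.0.20</value></object>
  <object name="ipv6 dns" ipversion="ipv6"><value>2001:db8::53</value></object>
  <object name="bad version" ipversion="ipv6"><value>10.0.0.1</value></object>
</objects>
"""

def parse_value(text):
    """Return (ip_version, kind) for a single IP, a 'start-end' range, or a CIDR network."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {text}")
        return lo.version, "range"
    if "/" in text:
        return ipaddress.ip_network(text, strict=False).version, "network"
    return ipaddress.ip_address(text).version, "address"

def check_override(xml_text):
    """Return a list of problems found; an empty list means the file is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    seen = set()
    for obj in root.iter("object"):
        name = obj.get("name")
        version = obj.get("ipversion", "ipv4")   # ipv4 is the documented default
        if name in seen:
            problems.append(f"duplicate name {name!r}")
        seen.add(name)
        value = obj.findtext("value") or ""
        try:
            family, _ = parse_value(value)
        except ValueError as exc:
            problems.append(f"{name!r}: unparsable value {value!r} ({exc})")
            continue
        # The address family of the value must agree with the declared ipversion.
        if version not in ("ipv4", "ipv6") or f"ipv{family}" != version:
            problems.append(f"{name!r}: value {value!r} does not match ipversion={version!r}")
    return problems
```

Run check_override on the override file in /usr/share/fireflow/local/etc/site/ and fix every reported entry before restarting FireFlow.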

Configuring the Default Network Object Category in the Choose Source/Destination Wizard

The default network object category in the source/destination wizard is the list of suggested objects. If desired, you can configure a different category of network objects to be the default list.

Using the generic procedure for overriding system defaults, set the following configuration parameter. For details, see Override FireFlow system defaults.

Configuration Parameter Name: RequestedObjectsRepository

Value: The desired default object repository. Possible values are the following:

  • all firewalls. All network objects defined on all existing devices.
  • The name of any group defined in AFA. All network objects defined on all devices in the group.

Define protocols

When defining traffic in a change request, the Service field provides a wizard which helps you select service objects. The common list of objects appears when the wizard opens. If desired, you can define additional services which will appear in this list.

Defining new protocols in this manner additionally enables you to manually add support for any layer 3 protocol. By default, FireFlow supports all standard services (TCP, UDP, and ICMP), as well as many layer 3 protocols. For more details, see Supported layer 3 protocols.

Do the following:

  1. Log in to the AlgoSec server using the username "root" and the related password.

  2. Create a new file /home/afa/.fa/user_def.srv, and add the following to the file:

    ## User defined services declarations.
    #
    SERVICES {

    }

    If the above file already exists, go to the next step.

  3. Under the Services line (inside the brackets), add the service using the following syntax:

    xxx = { ##[*] }

    where xxx is the name of the service and ## is the protocol number.

    You can define groups using the following syntax:

    xxx = { #1[*] }

    yyy = { #2[*] }

    zzz = {xxx,yyy}

    where zzz is a service object containing xxx and yyy.

    Note: When defining groups, you must first define the content protocols of the group with names, and use the names of the content protocols when defining the group.

  4. Save the file.

  5. Restart FireFlow. For details, see Restart FireFlow.
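As an added example that is not part of the FireFlow product or this guide, the following Python parser reads a user_def.srv file in the syntax above and reports entries that break the rule in the note (a group naming a protocol that has not been defined first) or that use a protocol number outside 0 to 255. The sample file is constructed; its entries use the IANA protocol numbers 47, 50 and 51 (GRE, ESP and AH).

```python
import re
# Constructed sample in the documented syntax: xxx = { ##[*] } defines a layer 3
# protocol by number, zzz = {xxx,yyy} defines a group of previously named services.
SAMPLE_SRV = """## User defined services declarations.
#
SERVICES {
    gre   = { 47[*] }
    esp   = { 50[*] }
    ah    = { 51[*] }
    ipsec = {esp,ah}
    vpn   = {gre,ipsec}
    bogus = {ospf,gre}
}
"""

ENTRY = re.compile(r"^\s*(\w+)\s*=\s*\{(.*)\}\s*$")

def parse_services(text):
    """Return ({name: protocol_number}, {name: [members]}, [problems])."""
    protocols, groups, problems = {}, {}, []
    inside = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        if stripped.startswith("SERVICES"):
            inside = True                 # opening of the SERVICES block
            continue
        if stripped == "}":
            inside = False                # closing of the SERVICES block
            continue
        m = ENTRY.match(line)
        if not inside or not m:
            problems.append(f"line {lineno}: unrecognised syntax {stripped!r}")
            continue
        name, body = m.group(1), m.group(2).strip()
        proto = re.fullmatch(r"(\d+)\[\*\]", body)
        if proto:                         # single protocol: ##[*]
            number = int(proto.group(1))
            if not 0 <= number <= 255:    # IP protocol numbers are 8-bit
                problems.append(f"line {lineno}: protocol number {number} out of range")
            protocols[name] = number
            continue
        members = [p.strip() for p in body.split(",") if p.strip()]
        # Per the note: every member must already be defined by name above the group.
        for member in members:
            if member not in protocols and member not in groups:
                problems.append(f"line {lineno}: group {name!r} uses undefined {member!r}")
        groups[name] = members
    return protocols, groups, problems
```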

Customize tabs for selecting objects

When defining traffic in a change request, the Source, Destination, and Service fields provide wizards which help you select network objects. By default, all tabs appear for authenticated users, and only the common tab appears for users using the No-Login Web Form.

For more details, see Customize tabs for selecting objects per role and Customize tabs for selecting objects for anonymous users.

Note: All permissions granted to anonymous users are automatically granted to authenticated users. Granting permissions to anonymous users overrides any permissions denied per role.

Customize tabs for selecting objects per role

Note: Global configurations for anonymous users will override specific role permissions. For more details, see Customize tabs for selecting objects for anonymous users.

Do the following:

  1. Log in to FireFlow for configuration purposes. For details, see Log in for configuration purposes.

  2. In the main menu, click Configuration.

    The FireFlow Configuration page appears.

  3. Click Roles.

    The Select a role page appears.

  4. Click the FireFlow Roles tab.

    The FireFlow Roles tab appears.

  5. (Optional) To display disabled roles, click the Show disabled link.

    To revert to a list which only displays enabled roles, click the Hide disabled link.

  6. (Optional) To search for the desired role, type your search in the Type to filter your results field.

    The roles which match your search appear in the Functional roles area.

  7. In the row of the relevant role, click .

    The Manage Permissions window for the role you desire appears.

    Note: For requestors, the relevant role is Unprivileged.

  8. Click next to Basic.

    The Basic sub-permissions appear.

  9. To allow users with this user role to view tabs, select any of the following permissions:

    • To allow users with this role to view the suggested tab when choosing sources or destinations, select the check box next to SeeSuggestedAddressObjects.
    • To allow users with this role to view device objects when choosing sources, destinations, or services, select the check box next to SeeFirewallAddressObjects.
    • To allow users with this role to view the common tab when choosing services, select the check box next to SeeCommonServiceObjects.
  10. Click Save.

Customize tabs for selecting objects for anonymous users

Note: These parameters configure both authenticated requests and requests from the No-Login Web Form. They override permissions for specific roles. For more details, see Customize tabs for selecting objects per role.

Do the following:

Using the generic procedure for overriding system defaults, set the following configuration parameter. For details, see Override FireFlow system defaults.

Configuration Parameter Name: AllowAnonymousUserSeeSuggestedAddressObjects

  Description: Controls whether the Suggested tab appears when choosing a source or destination.

  Value: 1 to display the tab; 0 to not display the tab (default).

Configuration Parameter Name: AllowAnonymousUserSeeFirewallAddressObjects

  Description: Controls whether device objects appear when choosing a source, destination, or service.

  Value: 1 to display the tab; 0 to not display the tab (default).

Configuration Parameter Name: AllowAnonymousUserSeeCommonServiceObjects

  Description: Controls whether the Common tab appears when choosing a service.

  Value: 1 to display the tab (default); 0 to not display the tab.

Configuration Parameter Name: AllowAnonymousUserSeeApplicationsObjects

  Description: Controls whether device objects appear when choosing applications.

  Value: 1 to display the tab; 0 to not display the tab (default).

Note: After setting these parameters you must restart FireFlow for the changes to take effect. For details, see Restart FireFlow.

Configure object names to appear with device names

By default, the object names that appear as options do not specify which device they are defined on. If desired, you can configure FireFlow to display the device name for each object in the following format:

object_name:device_name

Do the following:

Using the generic procedure for overriding system defaults, set the following configuration parameter. For details, see Override FireFlow system defaults.

Configuration Parameter Name: StoreFirewallSuffixInHostGroup

  Value: 0 to specify that network objects should not appear with their device name (default); 1 to specify that network objects should appear with their device name.

Configuration Parameter Name: StoreFirewallSuffixInServiceGroup

  Value: 0 to specify that service objects should not appear with their device name (default); 1 to specify that service objects should appear with their device name.

Note: After setting these parameters you must restart FireFlow for the changes to take effect. For details, see Restart FireFlow.