Approve planned changes

Relevant for: Privileged users

This topic describes the procedures you may perform during a change request's Approve stage.

Note: At several points, you may need to notify requestors about updates made.

For details, see Manage requestor notifications.

Find affected rules

This procedure explains how information security users can find device rules that are affected by a change request.

This may be performed as part of the Plan or Approve stage, depending on whether the change request is for single or multiple devices.

Note: To determine a change request's stage, view the change request. The stage is indicated by the Change Request Lifecycle Status Bar. For details, see View change requests.

Do the following:

  1. View the change request. For details, see View change requests.

  2. Do one of the following:

    • For single device object change requests, at the top of the page, click Find Affected Rules.
    • For multi-device object change requests, click Find Affected Rules for every sub request.

    The Affected Rules page appears displaying the number of device rules affected, as well as the affected rules per object.

    Note: For Check Point devices, FireFlow finds affected rules on all devices where the object exists. Specifically, object change requests for objects defined on the CMA show affected rules on all policies of devices below that CMA, and object change requests for objects defined on the MDSM show affected rules on all policies of devices below any of the CMAs.

    For Multi Device Object Change requests, the Affected Rules area displays full details about the rules.

  3. To view the affected rules' details when using the single device object change workflow, in the Affected Rules area, click the Details link.

    A window opens displaying the rules' details.

    • Yellow highlighting indicates which objects contain the object(s) relevant to the change request.
    • Light-blue highlighting indicates where an object slated to be deleted will be replaced by "Any". Examine rules with objects highlighted in light-blue to prevent security holes.

    Note: Light-blue highlighting is only relevant when deleting objects from Check Point devices.

  4. In the Affected Rules page, click Next.

To continue with the change request, see Approve, reject, or return to planning.

Certify or plan traffic removal

Once you have received responses from the related change requestors, you must decide whether to certify the Allow traffic or plan its removal.

This topic describes how network operation users can certify or plan traffic removal for recertification requests in the Approve stage.

Note: To determine a change request's stage, view the change request. The stage is indicated by the Change Request Lifecycle Status Bar. For details, see View change requests.

Do one of the following:

Perform a manual risk check

This section explains how information security users can perform a manual risk check for generic change requests in the Approve stage.

Note: To determine a change request's stage, view the change request. The stage is indicated by the Change Request Lifecycle Status Bar. For details, see View change requests.

After a generic change request has been created, it starts the Approve stage of the FireFlow change request lifecycle. In this stage, you perform a manual check for risks entailed in implementing the requested change.

You must then decide whether to return the change request to the Plan stage for further planning, reject and close the change request, or approve it.

Do the following:

  1. View the change request. For details, see View change requests.

  2. At the top of the page, click Manual Check.

    A confirmation message appears.

  3. Click OK.
  4. Examine the change request, and determine whether implementing it would involve risks.

Approve, reject, or return to planning

This topic explains how network operation or information security users can approve, reject, or return a change request to the Plan stage.

Note: To determine a change request's stage, view the change request. The stage is indicated by the Change Request Lifecycle Status Bar. For details, see View change requests.

Request handling per request type

The following table describes how you might want to handle requests of different types at the Approve stage in your workflow.

Change request type Description

Object change requests, including multi-device

Traffic change requests with drop actions only

When working with an object change request or a traffic change request with only "Drop" action(s), once you have examined the affected rules results or notified requestors of related change requests, you must decide whether to:

  • Return the change request to the Plan stage for further planning
  • Reject and close the change request
  • Approve the change request

Traffic change requests with an allow action

When working with a traffic change request with an "Allow" action (with the exception of IPv6 traffic), you must examine the risk check results before you approve the change request.

Examining the risk check will:

  • Follow initial planning if the change request you are working with has only "Allow" actions
  • Follow notifying requestors of related change requests if the change request you are working with also has "Drop" action(s)

After you have examined the risks, you must decide whether to:

  • Return the change request to the Plan stage for further planning
  • Reject and close the change request
  • Approve the change request

IPv6 traffic change requests

When working with IPv6 traffic change requests you must decide whether to:

  • Reject and close the change request
  • Approve the change request

Rule removal requests

When working with a rule removal request, once you have received responses from the related change requestors, you must decide whether to:

  • Reject and close the change request
  • Approve the change request

Rule modification requests

When working with a rule modification request, you must first decide whether to modify the change request. If you decide to do so, you must examine the risk check results.

You must then decide whether to:

  • Reject and close the change request
  • Approve the change request

Web filtering change request

When working with a Web filtering change request, you must decide whether to:

  • Return the change request to the Plan stage
  • Approve the change request

Do any of the following:

 
