Request templates and workflows

The lifecycle of a FireFlow change request differs, depending on the request template used, and the workflow configured for that template.

This topic describes the lifecycles provided by the default request templates and workflows.

FireFlow administrators can also configure changes and create custom request templates and workflows. For more details, see Other workflow options and Manage request templates.

Default request templates

FireFlow provides the following request templates out-of-the box, each configured for one or more default workflows. The links in this section reference descriptions of the default stages included in each of these workflows.

For details about how to perform related procedures for each stage, see Default lifecycle stages.

Tip: Custom workflows can aso be configured for default templates as relevant. For details, see Other workflow options.

Requestor change requests

The following change request templates are open to all FireFlow users.

Name Description
Traffic change requests

Used to request changes in network traffic. By default, related to the following workflows:

  • Basic
  • Standard
  • Multi-Approval
  • Parallel-Approval
  • Automatic Traffic Change (Zero Touch)

See: 
a brief description of each of these workflows, at Traffic change workflows, below.
or
a detailed description of the Traffic change workflow stages.

IPv6 traffic change requests

Used to create traffic change requests for IPv6 traffic, for Cisco devices only.

By default, related to the Traffic Change Request (IPv6) workflow.

For details, see IPv6 traffic change workflow.

Multicast traffic change requests

Used to create multicast traffic change requests, for Cisco devices only.

By default, related to the Traffic Change Request (Multicast) workflow.

For details, see Multicast traffic change workflow.

Web filter change requests

Used to request changes in web filtering.

By default, related to the Web-Filter workflow.

For details, see Web filtering change workflow.

New device configuration change requests

Used to create requests for new device configurations.

By default, related to the New Device Configuration workflow.

For details, see Manage verbatim requests.

Generic change requests

Used to create generic change requests, unrelated to traffic changes, device/object changes, enabling or disabling device rules, or web filtering.

By default related to the Generic workflow.

For details, see Generic change workflow.

Privileged change request templates

The following change request templates are open to privileged users only.

Name

Description
Object Change (single device) requests

Used to create change requests for object changes on a single device.

By default, related to the Object Change workflow.

For details, see Object change workflow.

Object Change (multiple devices) requests

Used to create change requests for object changes on a multiple devices.

By default, related to the Object Change Multi Device workflow.

Supported only via API.

For details, see Multi-device object change workflow.

Rule Removal requests

Used to create change requests to remove a network policy rule.

By default, related to the Rule Removal workflow.

For details, see Rule removal workflow.

Rule Modification requests

Used to create change requests to modify a network policy rule.

By default, related to the Rule Modification workflow.

For details, see Rule modification workflow.

Recertification requests

Used to create requests to recertify Allow traffic added as the result of a traffic request.

Available only to network operations users only.

By default, related to the Request-Recertification workflow.

For details, see Re-certification workflow.

Default workflows

When a FireFlow user opens a new change request, FireFlow uses the workflow assigned to the request's configured template. If a request template has no workflow configured, FireFlow uses a set of rules to determine the workflow to use.

If these rules still cannot find the required workflow, FireFlow uses the Basic workflow by default.

The following tables describe FireFlow's built-in workflows, as they are configured out-of-the-box.

For more details, see Default templates and workflows.

Traffic change workflows

The following workflows are relevant for changes requested in traffic.

Workflow

Description

Basic

Based on the Basic Traffic Change template, this workflow is suitable for all traffic requests.

Default stages include: Request, Plan, Approve, Implement, Validate, Match, Resolved, and Audit.

This workflow varies slightly from the Standard Workflow in the transition between the validate and match stages.

Consult Visual Flow charts.

Standard

Default workflow, suitable for all traffic requests.

Default stages include: Request, Plan, Approve, Implement, Validate, Match, Resolved, and Audit.

This workflow varies slightly from the Basic Workflow in the transition between the validate and match stages.

Consult Visual Flow charts.

Multi-Approval

Used for traffic change requests that require sequential approval from multiple users, and includes the extra Review approval stage, performed by a controller user.

For more details, see Manage FireFlow users and roles.

Default stages include: Request, Plan, Approve, Review, Implement, Validate, Resolved, and Audit.

Parallel-Approval

Used for traffic change requests that require parallel approval from multiple users, and includes the extra Review approval stage, performed by a controller user.

For more details, see Manage FireFlow users and roles.

Default stages include: Request, Plan, Approve, Review, Implement, Validate, Resolved, and Audit.

IPv6-Traffic

Used for requests involving IPv6 traffic, for Cisco devices only.

Default stages include: Request, Plan, Approve, Implement, Validate, Resolved, and Audit.

Request-Recertification

Used to determine whether Allow traffic added to a device policy as the result of an expired traffic change request is still relevant.

If the rule is no longer relevant, a Rule Removal change request is created to remove it.

Default stages include: Request, Certify, Implement, Validate, Resolved, and Audit.

Multicast-Traffic

Used for requests for Multicast traffic changes, for Cisco devices only.

Default stages include: Request, Plan, Approve, Implement, Validate, Resolved, and Audit.

Automatic-Traffic-Change

Used for traffic requests with Allow traffic only. This change request type proceeds through its stages automatically.

Default stages include: Request, Plan, Approve, Implement, Validate, Match, Resolved, and Audit.

Device and rule change workflows

The following workflows are used for changes requested on devices or device rules.

Workflow

Description

Change-Object

Used for requests to add, remove, or modify device objects.

Default stages include: Request, Approve, Implement, validate, Resolved, and Audit.

Object-Change-Multi-Device

Used for requests to change device objects on multiple devices.

Available only for change requests opened via API.

Default stages include: Request, Plan, Approve*, Implement*, Validate, Resolved, and Audit.

 

*zero touch capabilities available

Rule-Removal

Used for requests to remove or disable device rules.

Default stages include: Request, Approve, Implement, Validate, Resolved, and Audit.

Rule-Modification

Used for requests to modify a rule's fields, such as source, destination, or service.

Default stages include: Request, Approve, Implement, Validate, Match, Resolved, and Audit.

Bulk-Rules-Addition

Used for requests to add many rules to a device.

Default stages include: Request, Plan, Implement, Resolved, Match, and Audit.

Other workflows

The following workflows are used on changes requested for anything other than traffic, device, or rules.

Workflow

Description

Generic

Used for requests not related to traffic.

No device change planning or matching device changes to the request are required.

Default stages include: Request, Approve, Implement, Validate, Resolved, and Audit.

Web-Filter

Used for requests to filter Web connections. Relevant for Symantec Blue CoatClosed As of A32.20 AlgoSec will no longer support adding new Symantec Blue Coat devices. Existing deployed Blue Coat devices will still be functional. devices only.

Default stages include: Request, Plan, Approve, Implement, Validate, Resolved, and Audit.

Default lifecycle stages

The following table lists each default life-cycle stage with action items for users, and the types of FireFlow users who perform that stage.

Stage Description
Request

Performed by all FireFlow users.

For details, see Request changes.

Plan

Performed by network operators.

For details, see Initial planning.

Approve

Performed by network operators or information security officers.

For details, see Approve planned changes.

Review Performed by controllers only. For details, see Review change requests.
Implement Performed by network operators only. For details, see Implement changes.
Validate Performed by network operators only. For details, see Validate changes.
Match Performed by information security officers. For details, see Match changes to requests.
Resolved Performed by network operators only. For details, see Re-certify traffic.

Tip: FireFlow also enables you to perform more advanced operations, and also view data in reports and dashboards.

For details, see Advanced change request edits andReports, charts, and dashboards.