Implement changes

Relevant for: Network operation users

This section explains how to implement changes specified by change requests.

Note: To determine a change request's stage, view the change request. The stage is indicated by the Change Request Lifecycle Status Bar. For details, see View change requests.

Implementation process per request type

The following table describes how to implement changes, depending on the type of request you're working with.

Request type Description

Traffic change requests

  1. In the Implement stage of a traffic change request or rule removal request, FireFlow creates a work order consisting of a list of recommendations for implementing the requested change, and you can then edit the work order as needed.
  2. You then implement the suggested changes on the device according to the plan, either manually, or with ActiveChange.

Note: If the change request has multiple devices or policies, you must perform these steps separately for each device or policy.

Rule removal requests

Recertification requests

  1. In the Implement stage of an object change request or recertification request, FireFlow creates a work order consisting of a list of recommendations for implementing the requested change, and you can then edit the work order as needed.
  2. Next, you implement the requested changes on the security device according to plan.

Note: ActiveChange is supported on some device types for multi-device object change requests. For more details, see Implement changes with ActiveChange and the AlgoSec support matrix.

Object change requests (including multi device)
Rule modification requests
  1. When working with a rule modification request, FireFlow creates a work order consisting of a list of recommendations for implementing the requested change.
  2. If the rule has changed while the change request was being processed, re-plan the change request.
  3. You can then edit the work order as needed.
  4. Next, you implement the requested changes on the security device according to plan.
Web filtering change requests
  1. When working with a Web filtering change request, you must first choose an organizational methodology to use for implementing the requested change.
  2. FireFlow then creates a work order consisting of a list of recommendations for implementing the requested change, and you can then edit the work order as needed.

    For details, see Select an organization method and edit work orders for web filtering change requests.

  3. Finally, you implement the requested changes on the security device according to selected methodology and the work order.
Generic change requests

When working with a generic change request lifecycle, no work order is generated.

Instead, you immediately implement the requested changes on the security device according to plan.explain what plan - is it in the request?

Re-plan a rule modification request

If the rule has changed while the change request was being processed, re-plan the change request. Re-planning updates the current rule values in FireFlow.

Do the following:

  1. View the change request. For details, see View change requests.

  1. Click Re-Plan.

    You are prompted to compose an email, notifying the requestor that the change request needs to be re-planned.

  2. Complete the fields as needed. For details, see Respond to change requests.
  3. Click Next.

    The change request's status goes back to "Plan".

  4. Modify the change request as necessary. For details, see Manage rule modification requests.

Edit work orders for rule removal and object change requests

You can edit a work order by adding notes to the work order. For Amazon Web Services and Microsoft Azure, only removing rules (not disabling rules) is supported.

Note: In addition, you can change a rule removal request's action (disable or remove), by editing the change request's Device change > Rules Details area. For details, see The Advanced Editing wizard .

Do the following:

  1. View the change request. For details, see View change requests.

  2. At the top of the workspace, click Create Work Order.

    The Work Order appears.

    The Work Order area displays FireFlow's recommendations for implementing the change specified in the change request.

  3. In the Implementation Notes area, type your comments for implementing the change specified in the change request.

    This field is optional.

  4. Click Next.

The work order is saved.

The change request appears with the work order and notes.

Edit work orders for rule modification requests

You can edit a work order by adding notes to the work order.

Do the following:

  1. View the change request. For details, see View change requests.

  2. If the work order is not available, or the device policies have changed since the work order was created, refresh the work order by clicking Recalculate.

    FireFlow examines the relevant devices' saved policies, and the work order appears in the Work Order Recommendations area.

    The Work Order Recommendations area displays FireFlow's recommendations for implementing the change specified in the change request. Values to add to the rule are highlighted in yellow, and values to remove are crossed out.

    Note: For layer 3 protocols (non-TCP/UDP/ICMP), the work order only will recommend using services that are already defined on the device. FireFlow will not recommend adding a new service for these protocols. If the layer 3 protocol that was used in the change request is not found on the device, FireFlow issues a warning. For more details, see Change request field references.

  3. To add a comment regarding implementing the change specified in the change request, do the following:

    1. Click Edit in the Implementation Notes area. The Edit Implementation Notes window is displayed.
    2. In the Implementation Notes field, Type a comment regarding implementing the change specified in the change request.
    3. Click OK.

The work order is saved.

The change request appears with the work order and notes.

Edit work orders for recertification requests

You can edit a work order by adding notes to the work order.

Note: In order to implement changes for a request, you must perform this procedure for all of its devices and policies.

Do the following:

  1. View the change request. For details, see View change requests.

  2. If the change request has multiple devices or policies, click next to a device.

    The device's action buttons, and the Work Order Recommendations area appear below the device panel.

  3. If the work order is not available, or the device policies have changed since the work order was created, refresh the work order by clicking Recalculate.

    FireFlow examines the relevant devices' saved policies, and the work order appears in the Work Order Recommendations area.

    The Work Order Recommendations area displays FireFlow's recommendations for implementing the change specified in the change request. If the change request contains multiple requests, FireFlow provides a recommendation for each request. Note that the recommendation may be "No action required", if the requested traffic is already allowed by the device.

    For a “Modify rule” recommendation, values that should be added are highlighted in yellow, and values that should be deleted are highlighted in pink.

    Note: If FireFlow was configured to allow the user to choose to add a new rule instead of modifying an existing one, the New Rule button appears next to Recalculate. To manually force "Add rule" recommendations, click New Rule. Selecting Recalculate will prefer a "Modify rule" recommendation. If FireFlow was configured to always recommend adding a rule, the New Rule button will not appear, and FireFlow will always recommend adding a new rule.

  4. To view the query on which the recommendation is based, click .

    A new window opens displaying the query.

  5. In the Implementation Notes area, type your comments for implementing the change specified in the change request.

    This field is optional.

  6. Click Next.

The work order is saved.

The change request is displayed with the work order and notes.

Select an organization method and edit work orders for web filtering change requests

Do the following:

  1. View the change request. For details, see View change requests.

  2. At the top of the page, click Organize.

    The Organize Change Request page appears displaying the Web filtering change request.

  3. In the Organization Methodology list, specify the method to use for implementing the Web filtering change request, by doing one of the following:

    • Add a rule to the device's Web filtering policy. Select Add a Policy URL Rule.
    • Add a Web filtering category to the device. Select Add a Policy Category.

    For more details, see Change request wizards.

  4. Click Next.

    FireFlow examines the relevant devices' saved policies, and creates a work order that consists of a list of recommendations for implementing the requested change.

    The work order appears.

  5. In the Implementation Notes area, type your comments for implementing the change specified in the change request.

    This field is optional.

  6. Click Next.

The work order is saved.

The change request appears with the work order and notes.

The Advanced Editing wizard

The Advanced Editing wizard provides the ability to edit the source, destination, or service fields of a work order. By default, the Advanced Editing wizard provides the ability to replace these fields' content with the following options:

  • A new or existing object with the same definition as the field's current content.
  • An existing object with a wider definition as the field's current content.

Note: Replacing a field's content with an object with a wider definition can be disabled. For more details, see Edit work orders.

Do the following:

  1. In the source, destination or service field, click .

    The Advanced Editing wizard appears displaying the Exact Match tab.

  2. To select an object for the field that is an exact match for the content in the field, select an object from the list, and click Save.

    The selected object appears as the definition for the field in the work order.

  3. To create a new object for the field whose definition matches the content in the field, do the following:

    1. Click the New Object tab.

      The New Object tab appears.

    2. In the Name field, enter the object's new name, and click Save.

    The new object is created and appears as the definition for the field in the work order.

  4. To select an object for the field with a wider definition than the content currently in the field, do the following:

    1. Click the Wider Object tab.

      The Wider Object tab appears.

    2. To view an object's definition, click Show.

      The Object Content window appears, displaying the object's definition.

      Click OK to close the dialog.

    3. Select an object from the list.

      All of the objects listed in the Wider Object tab contain the field's current content.

    4. Click Save.

    Note: Choosing a wider object may introduce risks which were not assessed during the risk check.

    The Wider Object tab is only available for the source and destination fields.

The wider object appears as the definition for the field in the work order. Any objects in the work order that are wider than initially requested are indicated as such with the icon.

Implement changes manually

Note: In order to implement changes for a change request, you must perform this procedure for all of its devices and policies.

Do the following:

  1. Implement changes via the device's relevant management system (for example, Check Point Dashboard or Juniper NSM).

    Note: If you implement the changes even slightly different than the work order, Validation will fail.

    For example, if the work order specified one rule with multiple sources, and you added multiple rules (with one source each), Validation will fail.

    This is particularly relevant for Amazon Web Services because rules can only include one object per field.

  2. When you have completed implementation, do one of the following:
    • For a change request with no devices or policies, click Implementation Done.
    • For each device or policy:

      1. Display the device's change request information by clicking next to the device.

        The device's action buttons, and the Work Order Recommendations area appear below the device panel.

      2. Click Implementation Done.

    • For a request with multiple devices or policies, click Mark All Sub Requests As Implemented.

      In the confirmation message, click OK.

The change request proceeds to the Validate stage.

 

â See also: