Change request field references

Relevant for: All FireFlow users

This topic describes the fields available in FireFlow change requests.

Generic change request fields

Name

Description

Owner

When creating the change request, the owner is the requestor.

As the change request moves through the stages of the workflow, the owner changes. For details, see Generic change workflow.

cc

List of email addresses to be informed of the change request's progress.

Subject

Type a title for your request and for the change request that will be generated.

Note: This field is optional.

Due

Specify the date by which this change request should be resolved, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. You can use most relative and absolute formats, for example yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, “next week”, and “now + 3 days”.

Note: This field is optional.

Priority

Type a number indicating the change request's priority, where 0 indicates lowest priority.

Describe the issue

Type a free text description of the issue.

This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

Note: This field is optional.

Refers to

Type the ID numbers of change requests to which the selected change requests refer, separated by spaces.

Referred to by

Type the ID numbers of change requests that refer to the selected change requests, separated by spaces.

Attach File

To attach a file to your request, do one of the following:

  • Type the path to the file in the field provided.

  • Click Browse, browse to the desired file, and click Open.

    If you are using the 120: Generic Request template or any custom template that allows creating change requests from files, FireFlow will create a change request from an attached spreadsheet file. For more information on creating change requests from file, see Change request creation from an attached file.

Note: If the Create Change Requests from File field has the value "Yes", the attached file will be used for creating change requests. If it is set to "No", you cannot create change requests from the attached file.

Expires

Specify the date on which this change request will expire, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided.

    FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

Note: This field is optional.

Requestor

In the Requestor's Web Interface, this field displays the requestor's email address and is read-only.

Note: In the No-Login Web Form, you must type your email address.

Create Change Requests from File

The value of this field is "Yes" or "No" and it cannot be changed while you are editing the request.
It determines whether the attached file can be used to create change requests.

External change request ID

If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

The FireFlow change request generated for your request will be linked to the external system change request.

Note: This field is optional.

Workflow

The change request's workflow - (Generic)

Note: This field is read-only.

From Template

The change request's template. - (120: Generic request)

Note: This field is read-only.

Traffic-based change request fields

Name

Description

Requestor

In the Requestor's Web Interface, this field displays your email address and is read-only.

Note: In the No-Login Web Form, you must type your email address.

Subject

Type a title for your request and for the change request that will be generated.

Note: This field is optional.

Due

Specify the date by which this change request should be resolved, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided.

    FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

Note: This field is optional.

Expires

Specify the date on which this change request will expire, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

Note: This field is optional.

Request

Due to system customizations, this area may include fields that are not described below. Some possible additional fields are described below. For additional information, consult with your FireFlow administrator.

Source

Specify the traffic source(s). For details, see Change request wizards.

Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.

User

Enter one or more (comma separated) user names and/or group names. The default value is any.

This field is only relevant for Check Point, Fortinet, and Panorama devices.

Notes:

  1. Only use existing users/groups. AFF doesn't support creating new ones (with ActiveChange): If a change request is submitted with a user or group name that doesn't exist on the target firewall, ActiveChange will implement the rule without a user/group configuration. No failure indication for this will be provided.

  2. The user/group names that you specify must exactly match the user/group names as configured on the target device.

Destination

Specify the traffic destination(s). For details, see Change request wizards.

Tip: For Panorama devices, in the destination field you can enter URL Categories or select them from the dropdown. See Working with Panorama URL Categories.

Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.

Service

Specify the traffic service(s). For details, see Change request wizards.

Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.

Note: For traffic that affects Check Point devices, you must specify a service that is supported by the authentication method. For information on supported services for each method, refer to Check Point documentation.

Application

Specify the application(s). For details, see Change request wizards.

The default value is Any.

This field is only relevant for Palo Alto and Cisco Firepower devices.

Action

Choose the device action to perform for the connection. This can be either of the following:

  • Allow: Allow the connection.
  • Drop: Block the connection.

Note: When using the Traffic Change Request (IPv6) workflow, only traffic with "Allow" actions is supported.

Show NAT

Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic.

The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear.

Hide NAT

Click this option to hide the NAT and PAT fields.

Source NAT

Type the source NAT value, if the connection’s source should be translated.

Destination NAT

Type the destination NAT value, if the connection’s destination should be translated.

Port Translation

Type the port value, if the connection’s port should be translated.

NAT Type

Specify the type of NAT (Static or Dynamic).

Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.

Add More Traffic

To add more traffic to the request, click this option and complete the fields.

Set traffic values

Click this button to set traffic values for variables you have put in the source, destination or service fields.

For details, see Variables in traffic fields.

Import traffic from csv

Click this link to import a CSV file of traffic lines. Select the CSV file from your computer.

Required Headers:
  • Source
  • Destination
  • Service
Optional Headers:
  • User. If this header is not present, the value defaults to "any".
  • Application. If this header is not present, the value defaults to "any".
  • Action. If this header is not present, the value defaults to "allow".

Any other headers included in the CSV file are ignored.

Note: All headers are not case sensitive.

Multiple entries (such as IP addresses, ranges, or networks) that appear in a single cell must be separated by commas within the cell.

To replicate a traffic line (add a new traffic line with the same traffic as in the current traffic line), click this option and modify the fields as desired.

To remove additional traffic from the request, click this option next to the desired traffic.

More

External change request id

If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

The FireFlow change request generated for your request will be linked to the external system change request.

Note: This field is optional.
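
The "Import traffic from csv" header rules and the User field notes above can be checked before a file is imported. The following pre-check is an added example, not FireFlow code: the function names, the sample CSV, and the known_users set (user/group names taken from the target device) are all assumptions made for illustration.

```python
import csv
import io

REQUIRED = ("source", "destination", "service")
OPTIONAL_DEFAULTS = {"user": "any", "application": "any", "action": "allow"}
ACTIONS = {"allow", "drop"}

# Constructed sample: mixed-case headers, a multi-value cell, an extra
# "Ticket" column, and no Application or Action header.
SAMPLE_CSV = '''SOURCE,Destination,service,User,Ticket
"10.1.1.0/24,10.1.2.5",192.0.2.10,tcp/443,"finance_users,Contractors",CHG-1
10.9.9.9,192.0.2.20,ssh,any,CHG-2
'''


def split_cell(cell):
    """Split a cell holding several comma-separated entries."""
    return [part.strip() for part in (cell or "").split(",") if part.strip()]


def check_traffic_csv(text, known_users):
    """Return (rows, problems) for a traffic CSV.

    known_users is a caller-supplied set of user/group names exactly as
    configured on the target device (hypothetical input, e.g. an export).
    """
    reader = csv.DictReader(io.StringIO(text))
    # Headers are not case sensitive; any other header is ignored.
    columns = {}
    for header in reader.fieldnames or []:
        key = header.strip().lower()
        if key in REQUIRED or key in OPTIONAL_DEFAULTS:
            columns[key] = header
    problems = [f"missing required header: {h}" for h in REQUIRED if h not in columns]
    if problems:
        return [], problems

    rows = []
    for raw in reader:
        line_no = reader.line_num
        row = {}
        for key in REQUIRED:
            row[key] = split_cell(raw[columns[key]])
            if not row[key]:
                # This script's own policy, not a documented FireFlow rule.
                problems.append(f"line {line_no}: empty {key} cell")
        for key, default in OPTIONAL_DEFAULTS.items():
            # Absent header -> documented default. An empty cell under a
            # present header is treated the same way here (assumption).
            cell = raw[columns[key]] if key in columns else ""
            row[key] = split_cell(cell) or [default]
        row["action"] = row["action"][0].lower()
        if row["action"] not in ACTIONS:
            problems.append(f"line {line_no}: action {row['action']!r} is not allow or drop")
        for name in row["user"]:
            # Names must match the device exactly; a name the device does not
            # have yields a rule with no user/group and no failure indication.
            if name.lower() != "any" and name not in known_users:
                problems.append(f"line {line_no}: user/group {name!r} not on target device")
        rows.append(row)
    return rows, problems


if __name__ == "__main__":
    rows, problems = check_traffic_csv(SAMPLE_CSV, {"finance_users", "contractors"})
    for row in rows:
        print(row)
    for problem in problems:
        print("PROBLEM:", problem)
```

In the sample, "Contractors" is reported because it differs in case from the device's "contractors", which is the mismatch that would otherwise produce a rule with no user/group restriction.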

IPv6 traffic change request fields

Name

Description

Requestor

In the Requestor's Web Interface, this field displays your email address and is read-only.

Note: In the No-Login Web Form, you must type your email address.

Subject

Type a title for your request and for the change request that will be generated.

Note: This field is optional.

Due

Specify the date by which this change request should be resolved, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

Note: This field is optional.

Expires

Specify the date on which this change request will expire, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

Note: This field is optional.

Request

Use this area to specify the traffic changes you would like.

By default, when submitting a traffic change request, this area includes the following fields for defining traffic: Source, Destination, Service, Action, Show NAT, Hide NAT, Source NAT, Destination NAT, Port Translation, NAT Type, Add More Traffic, and .

Due to system customizations, this area may differ in the following ways:

  • NAT fields may not appear.
  • The following additional NAT fields may appear: Source after NAT.
  • The Source, Destination, and/or Service fields may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.
  • Each row of traffic may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.

Source

Do one of the following:

  • Type the IP address, IP range, network, or device object.
  • Use the Choose Source Wizard. For details, see Change request wizards.

Note: Only IPv6 addresses are supported. You cannot mix IPv6 and IPv4 addresses in the same workflow.

Destination

Do one of the following:

  • Type the IP address, IP range, network, or device object.
  • Use the Choose Destination Wizard. For details, see Change request wizards.

Note: Only IPv6 addresses are supported. You cannot mix IPv6 and IPv4 addresses in the same workflow.

Service

Do one of the following:

Action

Choose the device action to perform for the connection. This can be either of the following:

  • Allow: Allow the connection.
  • Drop: Block the connection.

Show NAT

Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic.

The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear.

Note: Depending on system customizations, the Source after NAT field may appear as well.

Hide NAT

Click this option to hide the NAT and PAT fields.

Source NAT

Type the source NAT value, if the connection’s source should be translated.

Source after NAT

Type the source NAT value after translation, if the connection’s source should be translated.

Destination NAT

Type the destination NAT value, if the connection’s destination should be translated.

Port Translation

Type the port value, if the connection’s port should be translated.

NAT Type

Specify the type of NAT (Static or Dynamic).

Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.

Add More Traffic

To add more traffic to the request, click this option and complete the fields.

To remove additional traffic from the request, click this option next to the desired traffic.

From Template

The change request's template.

Note: This field is read-only.

Workflow

The change request's workflow.

Note: This field is read-only.

External change request id

If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

The FireFlow change request generated for your request will be linked to the external system change request.

Note: This field is optional.

Describe the issue

Type a free text description of the issue.

This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

This field is optional.

Attach file

To attach a file to your request, do one of the following:

  • Type the path to the file in the field provided.
  • Click Browse, browse to the desired file, and click Open.

To add more files, click Add More Files.

Note: This field is optional.

Multicast Traffic change request fields

Name

Description

General

To close the General section, click in the heading. To reopen, click again.

Owner

Owner of the request.

Requestor

In the Requestor's Web Interface, this field displays your email address and is read-only.

In the No-Login Web Form, you must type your email address.

Subject

Type a title for your request and for the change request that will be generated.

This field is optional.

Due

Specify the date by which this change request should be resolved, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

This field is optional.

Expires

Specify the date on which this change request will expire, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

This field is optional.

Traffic

To close the Traffic section, click in the heading. To reopen, click again.

Request

Use this area to specify the traffic changes you would like.

By default, when submitting a traffic change request, this area includes the following fields for defining traffic: Source, Destination, Service, Action, Show NAT, Hide NAT, Source NAT, Destination NAT, Port Translation, NAT Type, Add More Traffic, and .

Due to system customizations, this area may differ in the following ways:

  • NAT fields may not appear.
  • The Source, Destination, and/or Service fields may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.
  • Each row of traffic may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.

Source

Do one of the following:

  • Type the IP address, IP range, network, device object, or DNS name of the connection source.
  • Use the Choose Source Wizard, as described in Using the Choose Source/Destination Wizard (see Change request wizards).

To enter multiple values, press Enter. A new field appears for this source.

Note: You cannot mix regular traffic and multicast in the same workflow.

When specifying Check Point traffic for which the User Authentication method is used, you can include the user group as part of the source, in the following format:

usergroup@host

Where:

  • usergroup is the user group's name. You may use the Choose Source Wizard's Device Object tab to select the user group if desired.

    Note: LDAP user groups are only supported for devices configured to use OPSEC data collection.

  • host is the IP address, IP range, network, device object, or DNS name of the connection source.

For example: [email protected], group1@RNDNetwork, or group1@Any.

Note: Specifying the user group is only supported if the FireFlow default authentication method is User Authentication. Ask your FireFlow administrator for further information.

Destination

Do one of the following:

  • Type the IP address, IP range, network, device object, or DNS name of the connection destination.
  • Use the Choose Destination Wizard, as described in Using the Choose Source/Destination Wizard (see Change request wizards).

To enter multiple values, press Enter. A new field appears for this destination.

Note: You cannot mix regular traffic and multicast in the same workflow.

Service/Application

Do one of the following:

  • Type the device service or port for the connection (for example "http" or "tcp/123"). For details, see Supported layer 3 protocols.
  • Type the name of an application as defined in your Palo Alto or Check Point device.
  • Use the Choose Service Wizard. For details, see Change request wizards.

To enter multiple values, press Enter. A new field appears for this service.

Note: When configuring a change request for Check Point traffic, you must specify a service that is supported by the authentication method. For information on supported services for each method, refer to Check Point documentation.

Action

Choose the device action to perform for the connection. This can be either of the following:

  • Allow: Allow the connection.
  • Drop: Block the connection.

NAT settings

Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic.

The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear.

Click NAT settings again to hide the settings.

Source NAT

Type the source NAT value, if the connection’s source should be translated.

Destination NAT

Type the destination NAT value, if the connection’s destination should be translated.

Port Translation

Type the port value, if the connection’s port should be translated.

NAT Type

Specify the type of NAT (Static or Dynamic).

Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.

Add More Traffic

To add more traffic to the request, click this option and complete the fields.

To remove additional traffic from the request, click this option next to the desired traffic.

More

To close the More section, click in the heading. To reopen, click again.

External change request id

If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

The FireFlow change request generated for your request will be linked to the external system change request.

This field is optional.

Device Name

Click in the Device Name box. The device selection dialog is displayed with a list of available Cisco devices.

  • To filter, in the Filter By list, select Brand, Device, Policy, Device and Policy, or Selected.
  • To select all devices for a brand, select the Brand check box.
  • To select, click a device. The device will appear at the top of the box. Click another device to select it. There is no need to hold the CTRL key for multiple selections.
  • To move forward and backward in the device list, click the forward and backward icons.

Selected devices appear in the Device Name box.

Click the up arrow to close the dialog box.

Change request justification

Type a free text description of the issue.

This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

This field is optional.

Attachments

To add attachments, click Add files. The Choose File to Upload dialog box opens.

Browse to the desired file, and click Open. To select multiple files, press CTRL while selecting.

This field is optional.

Web-filter change request fields

Name

Description

Requestor

In the Requestor's Web Interface, this field displays your email address and is read-only.

In the No-Login Web Form, you must type your email address.

Subject

Type a title for your request and for the change request that will be generated.

This field is optional.

Due

Specify the date by which this change request should be resolved, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

This field is optional.

Expires

Specify the date on which this change request will expire, by doing one of the following:

  • Click the calendar icon, and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next.
  • Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days.

This field is optional.

Request

Use this area to specify the connection you would like to filter.

User Group

Do one of the following:

  • Type the name of the user or user group that should be allowed/denied access to a URL.
  • Use the Choose User Group Wizard. For details, see Change request wizards.

URL

Type the URL to which to allow/deny access.

Category

Do one of the following:

Action

Select the device action to perform for the connection. This can be any of the following:

  • Allow: Allow the connection.
  • Block: Block the connection.

Add More Web Filtering

To add more connections to the request, click this option and complete the fields.

To remove additional connections from the request, click this option next to the desired traffic.

From Template

The change request's template.

This field is read-only.

Workflow

The change request's workflow.

This field is read-only.

External change request id

If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number.

The FireFlow change request generated for your request will be linked to the external system change request.

This field is optional.

Describe the issue

Type a free text description of the issue.

This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history.

This field is optional.

Attach file

To attach a file to your request, do one of the following:

  • Type the path to the file in the field provided.
  • Click Browse, browse to the desired file, and click Open.

To add more files, click Add More Files.

This field is optional.

Supported layer 3 protocols

This topic lists the non-TCP/UDP/ICMP protocols that FireFlow supports by default.

Protocol              FireFlow Defined Service Name    Protocol Number
IPsec (ESP)           ipsec_50                         50
IPsec (AH)            ipsec_51                         51
IPsec (ESP and AH)    ipsec                            50 and 51
GRE                   gre                              47
IPv6-ICMP             icmp6                            58
SKIP                  skip                             57
ETHERIP               etherip                          97
PIM                   pim                              103

Note: When using layer 3 protocols in FireFlow, you must use the FireFlow defined service name, not the protocol number. In addition, you may use service objects which contain these protocols.

Tip: FireFlow enables administrators to define additional layer 3 protocols for FireFlow support. For more details, see Define protocols.

Variables in traffic fields

This procedure describes how to use variables when entering traffic details in a traffic change request.

Variables are supported in any of the traffic lines for the change request.

Do the following:

  1. In the Source, Destination, Service, and/or Application field, enter one or more variables using the following syntax:

    #{VariableName}

    where VariableName is the name you give the variable.

    In the Traffic area, the Set traffic values button is enabled.

  2. Click Set traffic values.

    The Set traffic values dialog is displayed with all of the variables you have used listed under Traffic Parameter.

  3. Enter the values for each variable you want to use, and click Set Values.

When you submit the change request, each variable will be replaced with its designated value.