FireFlow hooks

You can streamline the change request lifecycle, by using hooks to control certain parameters, such as the name of the workflow to assign the change request in the Request stage, or the device group against which to check traffic. FireFlow will extract the desired parameters on the fly.

This section explains how to use hooks with FireFlow.

FireFlow hook reference

It is possible to configure FireFlow to extract certain parameters on the fly, by using hooks. This helps streamline the change request lifecycle and is particularly helpful for managed security service providers (MSSPs).

For example, during the Initial Plan stage of the change request lifecycle, FireFlow checks the requested traffic against the ALL_FIREWALLS group, by default. If you have several customers, each of which is a large organization with numerous devices, checking traffic against all of the devices of each organization is unnecessary and time consuming. By using hooks, it is possible to configure FireFlow to check traffic only against the devices of the organization that issued the change request.

FireFlow supports the following hooks:

AllowZoneName Use to allow zone names instead of the AFF recommendation in the work order. controls the Source Zone and Destination Zone Fields in Palo Alto (Panorama) Work Orders.
EditRuleSectionHeader

Select the header under which a new rule is recommended to be added.

Relevant for change requests for Check Point R80 and R77 devices.

ExcludeAcl Sets which, if any, ACLs to exclude from the work order.
FilterInitialPlanResults Filter initial planning results to remove devices.
GetAdditionalRealGroupNames Retrieve the names of the additional responsible user roles for the change request in a lifecycle stage with parallel actions.
GetExternalRisks

Return detected risks and their details.

GetFirewallGroupName Retrieve the device group against which traffic should be checked in the Initial Plan stage.
GetRealGroupName Retrieve the name of the user role responsible for the change request in each lifecycle stage.
GetRequestorSearches Retrieve searches in the Requestors Web Interface.
GetWorkFlowName Retrieve the name of the workflow to assign the change request in the Request stage.
LoadConfigHook Save pre-calculated data or configurations to the FireFlow server in-memory configuration and retrieve the data later.
SuggestCommentSuffix Add suffixes to add to suggested rule comments in the work order.
SuggestGroupName Suggest group names to match groups of IP addresses or services with no associated group name in a work order.
SuggestHostName Suggest host names to match IP addresses with no associated hostname in a work order.
SuggestPropertyValue

Suggest new values for the rule properties for Palo Alto and Fortimanager device work orders.

SuggestRuleName

Suggest a name for a new rule that does not yet have a name.

Note: The SuggestRuleName hook is applicable only to brands that support setting rules' name.

SuggestSectionName Suggest a value for a section of a new rule when the work order suggests adding a new rule.
SuggestServiceName Suggest names to match services with no associated name in the work order.
ValidateTicket Validate a new or modified change request.
ValidateWorkOrderEdit Validate host names, groups, and comments in a manually edited work order.

Back to top

Use hooks to control parameters

Do the following:

  1. Log in to the FireFlow server using the username "root" and the related password.

  2. Under the /usr/share/fireflow/local/etc/site/lib directory, create a Perl pm file.

    The file can have any name.

    For example, you can create the file /usr/share/fireflow/local/etc/site/lib/MyHooks.pm, and should begin with the line:

    package FireFlow::Hooks;

  3. In the file you created, implement the desired hooking functions.

  4. Use the generic procedure for overriding system defaults in the CLI to set the configuration parameter HooksFileNames to the name of the Perl pm file you created. For details, see Override FireFlow system defaults.

    In the example above, the value would be MyHooks.

  5. Restart FireFlow. See Restarting FireFlow (see Restart FireFlow).

Back to top

Hook usage examples

For a comprehensive example, refer to the following files on the FireFlow server:

  • A sample Perl module is located under /usr/share/fireflow/local/Hooks/ExampleHooks.pm
  • The related XML data is located under /usr/share/fireflow/local/etc/site/Hooks/Example_Config.xml

Back to top