Request templates and workflows
The lifecycle of a FireFlow change request differs, depending on the request template used, and the workflow configured for that template.
This topic describes the lifecycles provided by the default request templates and workflows.
FireFlow administrators can also configure changes and create custom request templates and workflows.
Default request templates
FireFlow provides the following request templates out-of-the box, each configured for one or more default workflows. The links in this section reference descriptions of the default stages included in each of these workflows.
For details about how to perform related procedures for each stage, see Default lifecycle stages.
Tip: Custom workflows can aso be configured for default templates as relevant.
Requestor change requests
The following change request templates are open to all FireFlow users.
Name | Description |
---|---|
Traffic change requests |
Used to request changes in network traffic. By default, related to the following workflows:
For details, see Traffic change workflow. |
IPv6 traffic change requests |
Used to create traffic change requests for IPv6 traffic, for Cisco devices only. By default, related to the Traffic Change Request (IPv6) workflow. For details, see IPv6 traffic change workflow. |
Multicast traffic change requests |
Used to create multicast traffic change requests, for Cisco devices only. By default, related to the Traffic Change Request (Multicast) workflow. For details, see Multicast traffic change workflow. |
Web filter change requests |
Used to request changes in web filtering. By default, related to the Web-Filter workflow. For details, see Web filtering change workflow. |
New device configuration change requests |
Used to create requests for new device configurations. By default, related to the New Device Configuration workflow. For details, see Manage verbatim requests. |
Generic change requests |
Used to create generic change requests, unrelated to traffic changes, device/object changes, enabling or disabling device rules, or web filtering. By default related to the Generic workflow. For details, see Generic change workflow. |
Privileged change request templates
The following change request templates are open to privileged users only.
Name |
Description |
---|---|
Object Change (single device) requests |
Used to create change requests for object changes on a single device. By default, related to the Object Change workflow. For details, see Object change workflow. |
Object Change (multiple devices) requests |
Used to create change requests for object changes on a multiple devices. By default, related to the Object Change Multi Device workflow. Supported only via API. For details, see Multi-device object change workflow. |
Rule Removal requests |
Used to create change requests to remove a network policy rule. By default, related to the Rule Removal workflow. For details, see Rule removal workflow. |
Rule Modification requests |
Used to create change requests to modify a network policy rule. By default, related to the Rule Modification workflow. For details, see Rule modification workflow. |
Recertification requests |
Used to create requests to recertify Allow traffic added as the result of a traffic request. Available only to network operations users only. By default, related to the Request-Recertification workflow. For details, see Re-certification workflow. |
Default workflows
When a FireFlow user opens a new change request, FireFlow uses the workflow assigned to the request's configured template. If a request template has no workflow configured, FireFlow uses a set of rules to determine the workflow to use.
If these rules still cannot find the required workflow, FireFlow uses the Basic workflow by default.
The following tables describe FireFlow's built-in workflows, as they are configured out-of-the-box.
For more details, see Default templates and workflows.
Traffic change workflows
The following workflows are relevant for changes requested in traffic.
Workflow |
Description |
---|---|
Standard |
Default workflow, suitable for all traffic requests. Default stages include: Request, Plan, Approve, Implement, Validate, Match, Resolved, and Audit. |
Multi-Approval |
Used for traffic change requests that require sequential approval from multiple users, and includes the extra Review approval stage, performed by a controller user. For more details, see Manage FireFlow users and roles. Default stages include: Request, Plan, Approve, Review, Implement, Validate, Resolved, and Audit. |
Parallel-Approval |
Used for traffic change requests that require parallel approval from multiple users, and includes the extra Review approval stage, performed by a controller user. For more details, see Manage FireFlow users and roles. Default stages include: Request, Plan, Approve, Review, Implement, Validate, Resolved, and Audit. |
IPv6-Traffic |
Used for requests involving IPv6 traffic, for Cisco devices only. Default stages include: Request, Plan, Approve, Implement, Validate, Resolved, and Audit. |
Request-Recertification |
Used to determine whether Allow traffic added to a device policy as the result of an expired traffic change request is still relevant. If the rule is no longer relevant, a Rule Removal change request is created to remove it. Default stages include: Request, Certify, Implement, Validate, Resolved, and Audit. |
Multicast-Traffic |
Used for requests for Multicast traffic changes, for Cisco devices only. Default stages include: Request, Plan, Approve, Implement, Validate, Resolved, and Audit. |
Automatic-Traffic-Change |
Used for traffic requests with Allow traffic only. Lifecycle changes proceed automatically. Default stages include: Request, Plan, Approve, Implement, Validate, Match, Resolved, and Audit. |
Device and rule change workflows
The following workflows are used for changes requested on devices or device rules.
Workflow |
Description |
---|---|
Change-Object |
Used for requests to add, remove, or modify device objects. Default stages include: Request, Approve, Implement, validate, Resolved, and Audit. |
Object-Change-Multi-Device |
Used for requests to change device objects on multiple devices. Available only for change requests opened via API. Default stages include: Request, Plan, Approve, Implement, Validate, Resolved, and Audit. |
Rule-Removal |
Used for requests to remove or disable device rules. Default stages include: Request, Approve, Implement, Validate, Resolved, and Audit. |
Rule-Modification |
Used for requests to modify a rule's fields, such as source, destination, or service. Default stages include: Request, Approve, Implement, Validate, Match, Resolved, and Audit. |
Bulk-Rules-Addition |
Used for requests to add many rules to a device. Default stages include: Request, Plan, Implement, Resolved, Match, and Audit. |
Other workflows
The following workflows are used on changes requested for anything other than traffic, device, or rules.
Workflow |
Description |
---|---|
Generic |
Used for requests not related to traffic. No device change planning or matching device changes to the request are required. Default stages include: Request, Approve, Implement, Validate, Resolved, and Audit. |
Web-Filter |
Used for requests to filter Web connections. Relevant for Symantec Blue Coat devices only. Default stages include: Request, Plan, Approve, Implement, Validate, Resolved, and Audit. |
Default lifecycle stages
The following table lists each default lifecycle stage with action items for users, and the types of FireFlow users who perform that stage.
Stage | Description |
---|---|
Request |
Performed by all FireFlow users. For details, see Request changes. |
Plan |
Performed by network operators. For details, see Initial planning. |
Approve |
Performed by network operators or information security officers. For details, see Approve planned changes. |
Review | Performed by controllers only. |
Implement | Performed by network operators only. |
Validate | Performed by network operators only. |
Match | Performed by information security officers. |
Resolved | Performed by network operators only. |
Tip: FireFlow also enables you to perform more advanced operations, and also view data in reports and dashboards.
For details, see