Implement changes with ActiveChange
Use FireFlow's ActiveChange functionality to implement changes directly from FireFlow on any relevant devices.
Implement changes from FireFlow
Implementing changes on your devices directly from FireFlow is supported when all of the following conditions are met:
- ActiveChange is supported for the device.
- ActiveChange is enabled for the device in AFA.
- The change request's workflow is supported for the device brand.
All devices that support ActiveChange are supported for traffic and rule removal requests.
Additionally, some device types support multi-device object change requests.
For more details, see the Support Matrix on the AlgoSec portal.
For Cisco and Juniper devices, ActiveChange generates CLI commands to implement the changes suggested in the work order.
The following is relevant only to Cisco and Juniper devices:
- You must ensure that no changes are made to the device between the time that ASMS generates the CLI commands and implements them on the device.
If you find that changes may have been made, click Recalculate to recalculate the work order before you implement the commands.
- ActiveChange CLI generation is only supported for Juniper SRX and Netscreen when the device is managed locally, not when the device is managed by NSM or Space. This is true even if the device is defined directly in AFA (without the NSM or Space).
- For work orders with IPv6 traffic, you must attach the IPv6 ACL to an interface (access group syntax) before ASMS can generate the CLI commands.
Note: By default, any new rules are created with logging enabled, and logging is set to the default log level.
Do one of the following:
Implement changes across all devices and policies
This procedure describes how to use ActiveChange to implement changes for all relevant devices and policies simultaneously.
Tip: Alternately, see Implement changes on a single device.
Do the following:
- Optional, Cisco / Juniper only: Edit the CLI commands
To edit your CLI commands, do the following:
- Click Modify in the Implementation Recommendation area.
The Modify Implementation Recommendation window appears.
- In the Implementation Recommendation field, edit the CLI commands for your specific requirements.
- Click OK.
The CLI commands are saved, and the work order is grayed out (because the work order does not reflect the CLI commands). In this case, the work order will be ignored during the Validate stage.
- To discard edits you have made and return to the CLI commands which reflect the work order, click Regenerate CLI.
For more details, see Additional details for Cisco and Juniper devices.
- Click Implement On All Devices.
The View Status link appears.
- To view the implementation status, click View Status.
The Implementation Status dialog is displayed.
Each device will have one of the following statuses:
- In progress: The implementation is in progress.
- Completed: The implementation successfully completed.
- Failed: The implementation failed.
- Not supported: The device brand is not supported in the Implementation Status page.
- Inapplicable CLI command: There is a problem with the CLI commands that were used to implement the changes on the device.
Do any of the following:
- Click Rollback procedure to display instructions for how to reverse the changes done to the device.
- Click Details to display the device's response.
- Click Error details to display a description of the error.
- Filter the devices in the list by status by selecting a status in the Show only drop-down menu.
Note: The Implementation Status dialog box is relevant only for devices which ActiveChange supports. Other devices will appear, but their status will always be Not supported.
Note: If implementation fails on a Juniper SRX or Netscreen, the changes are automatically rolled back, and a note in the status states the device has not been changed.
- If devices that are not supported for automatic implementation are included in the change request, implement changes on these devices manually. For details, see Implement changes.
- If you implemented changes manually on any devices, click Mark All As Implemented.
- Click OK.
The change is implemented on the device policy, and the change request proceeds to the Validate stage.
Implement changes on a single device
This procedure describes how to use ActiveChange to implement changes on a single device at a time.
Tip: Alternately, see Implement changes across all devices and policies.
Do the following:
- If you are working with a request with multiple devices or policies, click next to a device.
The device's or policy's action buttons appear below the device or policy panel.
- Click Implement On Device.
The View Status link appears. See above for more information.
- If the change request includes multiple devices or policies, repeat the previous step for each device.
- If devices that are not supported for automatic implementation are included in the change request, implement changes on these devices manually. See Implement changes.
- If you implemented changes manually on any devices, click Mark All As Implemented.
- Click OK.
The change is implemented on the device policy, and the change request proceeds to the Validate stage.
Implement changes via CLI
If you don't want to implement the orders automatically on the device in FireFlow, you can manually implement them by copying the CLI commands to the CLI.
FireFlow provides the recommended CLI commands for implementing work orders when Cisco or Juniper devices meet the following conditions:
- The device is a Cisco or Juniper device that supports ActiveChange.
For Juniper SRX and Netscreen devices, the device must be managed locally, and not by NSM or Space. This is true even if the device is defined directly in AFA, without the NSM or Space.
- ActiveChange is enabled for the device in AFA.
- The change request is a traffic request or rule removal request.
- For work orders with IPv6 traffic, you must attach the IPv6 ACL to an interface (access group syntax) before ASMS can generate the CLI commands.
Note: Do not make changes on the device policy after FireFlow generates the CLI commands but before implementing the recommended changes.
If changes may have been made, click Recalculate to recalculate the work order before implementing the recommended commands.
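A pre-implementation drift check for the manual CLI path, as an added example that is not part of the AlgoSec documentation or product: it compares a configuration snapshot saved when the CLI commands were generated with one taken just before the commands are pasted. The snapshot text, the hostname, the ACL name and the list of volatile Cisco IOS lines are constructed assumptions, and exporting the snapshots is left to you.

```python
import difflib
import hashlib
import re

# Constructed list of Cisco IOS "show running-config" lines that change without
# a policy edit (assumption; extend for your platform).
VOLATILE = re.compile(
    r"^(Building configuration|Current configuration :|ntp clock-period|"
    r"! (Last configuration change|NVRAM config last updated))"
)

def normalize(config_text):
    """Keep policy-relevant lines: drop volatile headers, blanks, trailing spaces."""
    lines = (line.rstrip() for line in config_text.splitlines())
    return [line for line in lines if line and not VOLATILE.match(line)]

def fingerprint(config_text):
    """SHA-256 of the normalized configuration, recorded at generation time."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()

def drift(at_generation, before_implementation):
    """List lines removed (-) or added (+) since generation; [] means no drift."""
    old, new = normalize(at_generation), normalize(before_implementation)
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            changes += ["- " + line.strip() for line in old[i1:i2]]
        if tag in ("insert", "replace"):
            changes += ["+ " + line.strip() for line in new[j1:j2]]
    return changes

# Constructed sample snapshots (not real device output).
AT_GENERATION = """\
Building configuration...
Current configuration : 1842 bytes
! Last configuration change at 09:14:02 UTC Mon Mar 3 2025 by admin
hostname fw-edge-01
ip access-list extended OUTSIDE_IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
"""
BEFORE_IMPLEMENTATION = AT_GENERATION.replace(
    " deny ip any any log", " permit tcp any host 192.0.2.20 eq 22\n deny ip any any log"
).replace("09:14:02", "11:40:57")

if __name__ == "__main__":
    for change in drift(AT_GENERATION, BEFORE_IMPLEMENTATION):
        print("drift since generation:", change)
```

Any line reported here means the generated commands were computed against a policy that no longer exists on the device, so recalculate the work order before implementing.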
The CLI Recommendation area shows the series of CLI commands that represent the changes to make on your device.
For example:
Note: If ActiveChange is not enabled on the specific device, you will not get CLI commands with the work order recommendation.
Do the following:
(Optional) Edit the CLI commands:
- Click Modify in the Implementation Recommendation area.
The Modify Implementation Recommendation window appears.
- In the Implementation Recommendation field, edit the CLI commands for your specific requirements.
- Click OK.
The CLI commands are saved, and the work order is grayed out (because the work order does not reflect the CLI commands). In this case, the work order will be ignored during the Validate stage.
- To discard edits you have made and return to the CLI commands which reflect the work order, click Regenerate CLI.
- Copy the list of recommended CLI commands that appear in the Implementation Recommendation section of the work order, and then paste them to the device's command line.
- When you have completed implementation, do one of the following:
Requests with multiple devices or policies: Confirm implementation has been completed for every device/policy as follows:
- Click Mark All Sub Requests As Implemented.
A confirmation message appears.
- Click OK.
Requests with a single device or policy: Confirm that implementation is completed as follows:
- Display the device's change request information by clicking next to the device.
The device's action buttons, and the Work Order Recommendations area appear below the device panel.
- Click Implementation Done.
Requests with no devices or policies: Click Implementation Done.