Initial planning parameters

Configuring Initial Planning

By default, FireFlow performs initial planning in the following manner:

Immediately upon creation of a change request, FireFlow performs initial planning by comparing the traffic specified in the change request to the policies of relevant devices, using the most recent device configuration available on the AlgoSec server (made available via the real-time monitoring mechanism). If the traffic already works (meaning traffic is allowed for all routing devices in case of an 'allow' request, and possibly is not routed at all), then FireFlow automatically closes the change request and sends the requestor an email indicating that the change request was closed.

You can change this behavior in the following ways:

  • Configure FireFlow to perform initial planning at the end of the Plan stage, instead of at the end of the Request stage.
  • Configure FireFlow to use the periodic AFA device reports when performing initial planning, instead of using the real-time monitoring data.
  • Disable automatic closing of change requests whose traffic already works.
  • Configure FireFlow to calculate the initial plan phase in AFF on a Device Group rather than on All Firewalls.

Note: New change requests appear in the Home page's New Change Requests list once initial planning is complete or when ten minutes have elapsed since the change request's creation, whichever occurs first. Therefore, when initial planning occurs at the end of the Request stage, new change requests appear in the Home page as soon as traffic checking is done; however, when traffic checking occurs at the end of the Plan stage, ten minutes will pass before new change requests appear in the Home page.

Note: In order to cause new change requests to appear in the Home page immediately, regardless of when traffic checking occurs, customize the Network Operations role's Home page as follows: Remove the "N" New Change Requests element, and add the "N" Total New Change Requests element. New change requests will appear in the Home page's Total New Change Requests list immediately upon change request creation.

Note: For more details, see Customize the FireFlow Home page.

| Configuration Parameter Name | Value |
| --- | --- |
| CallInitialPlanAsync | 0. To configure FireFlow to perform initial planning at the end of the Plan stage. |
| | 1. To configure FireFlow to perform initial planning at the end of the Request stage. (Default) |
| AutomaticCheckAlreadyWorks | 0. To disable automatic closing of change requests that are already allowed. |
| | 1. To enable automatic closing of change requests allowed on the firewall that are not routed. (Default) |
| | 2. To enable automatic closing of change requests allowed on the firewall that are routed. |
| FAQueryDefaultGroup | Name of AFA group for Planning Assistant group query. Must be defined in AFA with an updated report. |
| | Default value "ALL_FIREWALLS" |


Enabling/Disabling Displaying the Policy Name in Initial Planning

By default, the policy name is displayed in the initial planning results table and in the initial planning table of all devices (for manually adding additional relevant devices). If desired, you can disable this.

| Configuration Parameter Name | Value |
| --- | --- |
| DisplayFirewallPolicyInInitialPlan | 0. To disable displaying the policy name in initial planning. |
| | 1. To enable displaying the policy name in initial planning. (Default) |


Configuring the Initial Plan Expiration Period

By default, an initial plan will expire 2 days after it was calculated. If desired, you can change the expiration period. If you increase the expiration period, you additionally need to increase the expiration period for the data.

| Configuration Parameter Name | Value |
| --- | --- |
| InitialPlanResultValidityPeriod | The desired expiration period for initial plan results, in seconds. |
| | The default value is 172800 (2 days). |
| Work_Expiration_Hours_Time | The same time period as the value for InitialPlanResultValidityPeriod, but set in hours. |
| | For example, if you set InitialPlanResultValidityPeriod to 259200 (3 days in seconds), set Work_Expiration_Hours_Time to 72 (3 days in hours). |
| | Only set this parameter if you configured the expiration period (InitialPlanResultValidityPeriod) to a value greater than 172800 seconds. |


Enabling/Disabling the Initial Plan PDF

By default, FireFlow creates a PDF with initial plan results that is accessible from the Web Interface. If desired, you can disable this.

| Configuration Parameter Name | Value |
| --- | --- |
| CreateInitialPlanPDF | 0. To disable creation of the initial plan PDF. |
| | 1. To enable creation of the initial plan PDF. (Default) |


Enabling/Disabling Inclusion of Initial Plan Information in Flat Tickets

By default, FireFlow does not include initial plan information in the XML of a change request (a flat ticket). If desired, you can change this.

| Configuration Parameter Name | Value |
| --- | --- |
| IncludeInitialPlanResultInXML | 0. To disable inclusion of initial plan information in flat tickets. (Default) |
| | 1. To enable inclusion of initial plan information in flat tickets. |


Enabling/Disabling Storing Allowing Rules from the Initial Plan Query

By default, FireFlow does not store the allowing rules that AFA finds in the initial plan query. If desired, you can change this. FireFlow will store the allowing rules in the Initial Plan Results custom field.

| Configuration Parameter Name | Value |
| --- | --- |
| ReturnAllowingRulesInQuery | 0. To disable storing allowing rules from the initial plan query. (Default) |
| | 1. To enable storing allowing rules from the initial plan query. |


Configuring Automatic Device Selection for Initial Plan Results

During initial planning, FireFlow automatically selects devices that are relevant to the request. By default, FireFlow automatically selects only Analysis and Monitoring supported devices. If desired, you can configure FireFlow to also select Monitoring only devices. Optionally, you can disable automatic device selection completely.

| Configuration Parameter Name | Value |
| --- | --- |
| AutoCheckAEFInInitialPlan | 0. To allow automatic selection of only Analysis and Monitoring supported devices during initial planning. (Default) |
| | 1. To allow automatic selection of Monitoring only devices during initial planning. |
| UncheckDevicesAfterInitialPlanning | 0. To enable automatic device selection during initial planning. (Default) |
| | 1. To disable automatic device selection during initial planning. |


Configuring Initial Plan Results for F5 BIG-IP

Note: This parameter is only relevant for F5 Big-IP devices defined in AFA as "F5 Big-IP LTM only" devices. This certainly includes all Analysis and Monitoring supported F5 devices which were defined in AFA before version 2018.2. This parameter is irrelevant to F5 Big-IP devices defined in AFA from version 2018.2 as "F5 Big-IP LTM and AFM".

For F5 BIG-IP devices that were defined in AFA as "F5 Big-IP LTM only" but are in fact using AFM, you must set the following configuration parameter. When such devices use AFM, AFA traffic simulation query results are inconclusive because AFM may either allow or block the traffic. This affects Initial Plan, Work Order, and Change Validation results because they are all based on the AFA traffic simulation query.

When this parameter indicates that the devices are using AFM, this tells FireFlow that the AFA traffic simulation results may not be accurate. Consequently, FireFlow will provide relevant notifications and recommendations.

| Configuration Parameter Name | Value |
| --- | --- |
| IsF5AfmExist | 0. If using F5 BIG-IP LTM Only (Default) |
| | 1. If using F5 BIG-IP LTM with AFM |
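
A pre-change check for the parameters on this page, as an added example that is not AlgoSec code: it verifies each flag against the values listed in the tables above and enforces the pairing between InitialPlanResultValidityPeriod and Work_Expiration_Hours_Time described under "Configuring the Initial Plan Expiration Period". The `{name: value}` mapping, the function names and the sample values are assumptions made for illustration.

```python
# Added example: lint proposed FireFlow initial-planning parameter values.
# The {name: value} mapping is an assumed input format, not a FireFlow file.
DEFAULT_VALIDITY_SECONDS = 172800  # documented default (2 days)

# Allowed values, copied from the parameter tables on this page.
ALLOWED = {
    "CallInitialPlanAsync": {0, 1},
    "AutomaticCheckAlreadyWorks": {0, 1, 2},
    "DisplayFirewallPolicyInInitialPlan": {0, 1},
    "CreateInitialPlanPDF": {0, 1},
    "IncludeInitialPlanResultInXML": {0, 1},
    "ReturnAllowingRulesInQuery": {0, 1},
    "AutoCheckAEFInInitialPlan": {0, 1},
    "UncheckDevicesAfterInitialPlanning": {0, 1},
    "IsF5AfmExist": {0, 1},
}

def _as_int(value):
    """Return value as a non-negative int, or None if it is not one."""
    text = str(value).strip()
    return int(text) if text.isascii() and text.isdigit() else None

def lint_initial_plan_params(params):
    """Return a list of findings; an empty list means no conflict found."""
    findings = []
    for name, allowed in ALLOWED.items():
        if name in params and _as_int(params[name]) not in allowed:
            findings.append(f"{name}: {params[name]!r} not in {sorted(allowed)}")
    seconds = DEFAULT_VALIDITY_SECONDS
    if "InitialPlanResultValidityPeriod" in params:
        seconds = _as_int(params["InitialPlanResultValidityPeriod"])
        if seconds is None:
            findings.append("InitialPlanResultValidityPeriod: not a number of seconds")
            return findings
    hours_set = "Work_Expiration_Hours_Time" in params
    hours = _as_int(params["Work_Expiration_Hours_Time"]) if hours_set else None
    if seconds > DEFAULT_VALIDITY_SECONDS:
        # Data expiration must cover the same period, expressed in hours.
        if hours is None or hours * 3600 != seconds:
            findings.append(f"Work_Expiration_Hours_Time: expected {seconds / 3600:g}")
    elif hours_set:
        findings.append("Work_Expiration_Hours_Time: set only when "
                        "InitialPlanResultValidityPeriod > 172800")
    return findings

# Constructed sample: 3-day validity with the hours value left at 2 days.
SAMPLE = {"InitialPlanResultValidityPeriod": "259200",
          "Work_Expiration_Hours_Time": "48", "IsF5AfmExist": "1"}
if __name__ == "__main__":
    print(lint_initial_plan_params(SAMPLE))
```
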
