Manage requestors

Relevant for: Administrators

This topic describes how to manage FireFlow requestors.

FireFlow requestors can be managed by FireFlow administrators from the FireFlow Configuration area and the requestors database, and by AFA administrators from the AFA Administration area. Requestors can also be created in LDAP.

Manage Requester Object Views: Watch to learn how to prevent requestors from seeing the list of suggested firewall objects.

Manage requestors from AFA

AFA administrators who are not FireFlow administrators can manage requestors via the AFA Web Interface. The procedure begins in AFA and you are transferred to FireFlow.

Do the following:

  1. In the AFA Administration area, click the Users / Roles tab.

    The User and Role Management page appears.

  2. Click Manage FireFlow requestors.

    The Select a user page appears, displaying the Requestors tab.

  3. Click + New.

    The Create Requestor dialog is displayed.

  4. Complete the fields as needed. For details, see Requestor field reference.

  5. Click OK.

Perform any of the following additional requestor management procedures, as needed:

Do the following:

  1. In the AFA Administration area, click the Users / Roles tab.

    The User and Role Management page appears.

  2. Click Manage FireFlow requestors.

    FireFlow opens displaying the Requestors tab of the Select a user page.

  3. To display disabled requestors, click the Show disabled link.

    To revert to a list which only displays enabled requestors, click the Hide disabled link.

  4. In the Type to filter your results field, type your search.

    The requestors which match your search appear in the Requestors area.

  5. In the Requestors area, click on the desired requestor's username.

    The Edit User dialog is displayed.

    Note: If the system is configured to import user information from an LDAP server upon each login, changes to these settings may be overridden the next time the user logs in. In this case, changes to user settings must be made in the LDAP server instead of in FireFlow.

  6. Complete the fields as needed. For details, see Requestor field reference.

  7. Click Save.

Disabled requestors remain configured in FireFlow.

Note: All requestor usernames and email addresses must be unique, including disabled users.

If you only disable a requestor instead of deleting it, you will not be able to use that email address or username again in FireFlow.

Do the following:

  1. In the AFA Administration area, click the Users / Roles tab.

    The User and Role Management page appears.

  2. Click Manage FireFlow requestors.

    FireFlow opens displaying the Requestors tab of the Select a user page.

  3. To display disabled requestors, click the Show disabled link.

    To revert to a list which only displays enabled requestors, click the Hide disabled link.

  4. In the Type to filter your results field, type your search.

    The requestors which match your search appear in the Requestors area.

  5. In the Requestors area, click on the desired requestor's username.

    The Edit User dialog is displayed.

  6. Clear the enabled check box.

  7. Click Ok.

The requestor is disabled.

Back to top

Manage requestors from FireFlow

This procedure describes how to manage requestor users from the FireFlow administration area.

Do the following:

  1. Log in to FireFlow for configuration purposes. For details, see Log in for configuration purposes.

  2. In the main menu, click Configuration.

    The FireFlow Configuration page appears.

  3. Click Users.

    The Select a user page appears, displaying the Requestors tab.

  4. Click + New.

    The Create Requestor dialog is displayed.

  5. Complete the fields as needed. For details, see Requestor field reference.

  6. Click OK.

Back to top

Requestor field reference

The following fields are available in either the AFAAdministration area or the FireFlowConfiguration area.

General fields

Username

Type the requestor's username.

Usernames can contain any alpha-numeric character and the following special characters: "@", "_", ".", or "-".

This field is required.

Email

Type the requestor's email address.

Full Name

Type the requestor's full name.

Language

Select the desired FireFlow interface language.

All fields will be displayed in the selected language.

Extra info

Type additional information about the requestor.

Enabled

Select this option to enable the requestor to access the Requestors Web Interface.

Access Control fields

Authentication

Select the type of authentication to use for this requestor:

  • Local: Authenticate the requestor against the local AFA user database.
  • Radius: Authenticate the requestor against a RADIUS server.
  • LDAP: Select this option to enable requestor authentication against an LDAP server.

New Password

Type a password for the requestor.

Passwords can contain any alpha-numeric character or any special character, excluding back ticks (`).

Retype Password

Re-type the same password you entered in the New Password field.

Location fields

Organization

Type the name of the requestor's organization.

Address 1

Type the requestor's primary mailing address.

Address 2

Type the requestor's secondary mailing address.

City

Type the requestor's city.

State

Type the requestor's state.

Zip

Type the requestor's zip code.

Country

Type the requestor's country.

Phone number fields

Home

Type the requestor's home telephone number.

Work

Type the requestor's work telephone number.

Mobile

Type the requestor's mobile telephone number.

Pager

Type the requestor's pager number.

Comment fields

Enter any additional comments about this requestor user.

Additional fields

If custom user fields are defined, this area displays the fields.

Complete the fields with the required information.

Back to top

Manage FireFlow requestors from the requestor database

FireFlow provides a requestor management tool that enables you to add new requestors and edit existing requestors directly in the Requestor Database. The tool uses a REST API to access the Requestor Database. This same tool can be used to export a list of requestors.

Tip: FireFlow administrators can also export the current data into a CSV file. For details, see Exporting the Requestors Database.

Do the following:

  1. Create a CSV file with which to update the Requestor Database.

    For each requestor, the file should include the fields specified in CSV File Fields (see CSV File Fields).

    Note: The fields are case-sensitive.

    Note: You can save the file anywhere on the server.

  2. Open a terminal, and log in using the username "root" and the related password.

  3. Enter the following command:

    /usr/share/fireflow/local/extras/update_requestors.pl  {-fCSVFile -uUsername-pPassword  [-t Timeout] [-sServerURL] | -iParametersFile}

    For information on the command's flags, see Requestor Database Script Flags (see Requestor Database Script Flags).

In this field...

Specify this...

UserName

The user's username.

Usernames can contain any alpha-numeric character and the following special characters: "@", "_", ".", or "-".

This field is required.

NewUserName

A new username for the user.

This field is only relevant when updating the Requestors Database.

Email

The user's email address.

Password

A password for the user.

Passwords can contain any alpha-numeric character or any special character, excluding back ticks (`).

FullName

The user's full name.

HomePhone

The user's home telephone number.

Comments

Comments about this user.

If the comments include a comma, line break, or quotation marks, you must enclose the comments in quotation marks.

Signature

A signature that should appear at the end of this user's messages.

Organization

The name of the user's organization.

Language

The desired FireFlow interface language.

All fields will be displayed in the selected language.

ExtraInfo

Additional information about the user.

WorkPhone

The user's work telephone number.

PagerPhone

The user's pager number.

Address1

The user's primary mailing address.

Address2

The user's secondary mailing address.

City

The user's city.

State

The user's state.

Zip

The user's zip code.

Country

The user's country.

Authentication

The type of authentication to use for this user. This can have the following values:

  • Local. Authenticate the user against the local AFA user database. If you select this option, you must include the Password field.
  • Radius. Authenticate the user against a RADIUS server.
  • LDAP. Authenticate the user against Microsoft Active Directory via LDAP.

MobilePhone

The user's mobile telephone number.

Disabled

Whether to enable the user to access the Requestors Web Interface. This can have the following values:

  • 0. Enable access to the Requestors Web Interface.
  • 1. Disable access to the Requestors Web Interface.

The default value is 0.

Flag

Description

-fCSVFile

The full path and name of the CSV input file.

This flag is relevant only when updating the Requestors Database.

-lCSVFile

The full path and name of the CSV output file.

This flag is relevant only when exporting the Requestors Database.

-uUsername

The user name of an AlgoSec administrator with permissions to manage requestors.

-pPassword

The password of an AlgoSec administrator with permissions to manage requestors.
-a

Display all users, including disabled ones, in the CSV output file.

This flag is relevant only when exporting the Requestors Database.

-t Timeout

The timeout in seconds for each HTTP request that the tool issues against the FireFlow server.

The default value is 90.

-s ServerURL

The FireFlow server URL.

The default value is https://localhost.

-iParametersFile

The parameters input file.

When this flag is used, the requestors management tool will refer to a parameters input file for all flags. This is useful if you want to avoid typing a password in the command line.

The parameters input file must be a text file, with each flag appearing on a different line.

You can use the requestor management tool to export a list of requestors from the Requestor Database into a CSV file.

Do the following:

  1. Open a terminal, and log in using the username "root" and the related password.

  2. Enter the following command:

    /usr/share/fireflow/local/extras/update_requestors.pl  {-lCSVFile -uUsername-pPassword  [-a] [-t Timeout] [-sServerURL] | -iParametersFile}

For information on the command's flags, see Requestor Database Script Flags (see Requestor Database Script Flags).

The CSV file is exported. For each requestor, the file includes the fields specified in CSV File Fields (see CSV File Fields).

Back to top

Manage FireFlow requestors from LDAP

This procedure describes how to manage FireFlow requestor users from LDAP. Only users who are not defined in AlgoSec Firewall Analyzer can be considered requestors by FireFlow.

Do the following:

  1. In AlgoSec Firewall Analyzer, go to the Administration page.
  2. Click the Options tab, then click the Authentication tab.
  3. Select LDAP as the Authentication Server.
  4. In the Permitted Users area, add the DN of the users in the Users Under Base DN field.

The LDAP field MemberOf associates the user with an AlgoSec Firewall Analyzer role. Any user for which the LDAP field MemberOf is empty is automatically considered a requestor by FireFlow.

Back to top