Match changes to requests

Relevant for: Information security users

This section describes how to manually match change requests to the actual changes made.

In most cases, once a change request has been resolved, the change is automatically matched to the relevant request, and no further action is required.

However, some workflows do not support auto-matching, and FireFlow may not be successful in finding a match for all changes.

We recommend checking weekly or monthly to verify that FireFlow matches the changes and change requests correctly.

Note: Auto Matching is not supported for the IPv6 traffic workflow. You must resolve change requests and changes for this workflow manually.


Note: To determine a change request's stage, view the change request. The stage is indicated by the Change Request Lifecycle Status Bar. For details, see View change requests.

Auto-matching flow

FireFlow periodically checks for changes in device policy rules and tries to match them to FireFlow change requests.

If FireFlow detects that a device rule was added or modified, it checks the rule's comment to look for a change request ID, and then handles it as follows:

Change request ID found

If the comment contains a change request ID, FireFlow does the following:

  1. Associates the change with the relevant change request. This is called an ID match.

  2. Verifies that the added or modified rule allows the traffic that is approved in the change request, and nothing more or less.

  3. Defines the matching state of the change and the change request as either a Perfect Match or an item with Action Required.

    Both types appear in their respective lists on the Auto Matching page in FireFlow.

    other perfectly.

Note: For change requests with multiple traffic lines, FireFlow performs ID matches only.

No change request ID found

If the comment does not contain a change request ID, the change appears in the Auto Matching page's Action Required > Changes Without Request sub-list.

This list also includes changes where FireFlow detects that a device rule was deleted.

Rule comment requirements

Change request IDs in the rule's comment must match the Change Request ID format configured in the workflow options.

The default format is as follows:

    Before:             FireFlow #
    Change Request Id:  \d+
    After:              (nothing)

This format requires that the rule comment for change request #375 include the following text:

"FireFlow #375"

Note: If the system is configured to use a 3rd party change management system, the change request ID must match the 3rd party system requirements.
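The following added example (not FireFlow code) shows how rule comments can be checked against the default format above before a policy is pushed, so that changes do not land in Changes Without Request because of a malformed ID. It assumes the Before and After values are literal text and that matching is case-sensitive; the near-miss pattern, function names and sample rules are constructed for illustration.

```python
import re

# Default format from the page: Before "FireFlow #", ID "\d+", After (nothing).
# Assumption: Before/After are literal text and matching is case-sensitive.
BEFORE, ID_PATTERN, AFTER = "FireFlow #", r"\d+", ""

def build_matcher(before=BEFORE, id_pattern=ID_PATTERN, after=AFTER):
    """Compile a regex that captures the change request ID from a comment."""
    return re.compile(re.escape(before) + "(" + id_pattern + ")" + re.escape(after))

# Hypothetical loose pattern: comments that look like an attempted reference
# but deviate from the configured format (wrong case, extra spacing, no '#').
NEAR_MISS = re.compile(r"fire\s*flow\s*#?\s*\d+", re.IGNORECASE)

def classify(comment, matcher=None):
    """Return (status, id) where status is 'id_found', 'near_miss' or 'no_id'."""
    matcher = matcher or build_matcher()
    text = comment or ""          # rules with no comment at all count as no_id
    m = matcher.search(text)
    if m:
        return "id_found", m.group(1)
    if NEAR_MISS.search(text):
        return "near_miss", None
    return "no_id", None

def audit(rules):
    """Group (rule name, extracted ID) pairs by comment classification."""
    matcher = build_matcher()
    report = {"id_found": [], "near_miss": [], "no_id": []}
    for name, comment in rules:
        status, cr_id = classify(comment, matcher)
        report[status].append((name, cr_id))
    return report

# Constructed sample rules (name, comment); not taken from a real device.
SAMPLE_RULES = [
    ("rule-10", "Allow web to app, FireFlow #375"),
    ("rule-11", "fireflow #375 temp access"),   # wrong case
    ("rule-12", "FireFlow # 412"),              # space before the number
    ("rule-13", "requested by ops"),
    ("rule-14", None),
]

if __name__ == "__main__":
    for status, items in audit(SAMPLE_RULES).items():
        print(status, items)
```

Rules reported as near_miss are the ones worth correcting before the change is implemented, since under the stated assumptions their comments contain no ID in the configured format.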
