Change request field references

Relevant for: All FireFlow users

This topic describes the fields available in FireFlowchange requests.

Generic change request fields

Name	Description
Subject	Type a title for your request and for the change request that will be generated. Note: This field is optional.
Due	Specify the date by which this change request should be resolved, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. You can use most relative and absolute formats, for example yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, “next week”, and “now + 3 days”. Note: This field is optional.
Describe the issue	Type a free text description of the issue. This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history. Note: This field is optional.
Attach File	To attach a file to your request, do one of the following: Type the path to the file in the field provided. Click Browse, browse to the desired file, and click Open. If you are using the 120: Generic Request template or any custom template that allows creating change requests from files, FireFlow will create a change request from an attached spreadsheet file. For more information on creating change requests from file, see Creating Change Requests from File. To add more files, click Add More Files. Note: This field is optional.
Requestor	In the Requestors Web Interface, this field displays your email address and is read-only. Note: In the No-Login Web Form, you must type your email address.
Expires	Specify the date on which this change request will expire, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. Note: This field is optional.
External change request id	If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number. The FireFlow change request generated for your request will be linked to the external system change request. Note: This field is optional.
Workflow	The change request's workflow. Note: This field is read-only.
From Template	The change request's template. Note: This field is read-only.

Traffic-based change request fields

Name	Description
Requestor	In the Requestors Web Interface, this field displays your email address and is read-only. Note: In the No-Login Web Form, you must type your email address.
Subject	Type a title for your request and for the change request that will be generated. Note: This field is optional.
Due	Specify the date by which this change request should be resolved, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. Note: This field is optional.
Expires	Specify the date on which this change request will expire, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. Note: This field is optional.
Request	Due to system customizations, this area may include fields that are not described below. Some possible additional fields are described below. For additional information, consult with your FireFlow administrator.
Source	Specify the traffic source(s). For details, see Change request wizards. Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.
User	Enter one or more (comma separated) user names and/or group names. The default value is Any. This field is only relevant for Check Point and Palo Alto devices. Notes: Only use existing users/groups. AFF doesn't support creating new ones (with ActiveChange): If a change request is submitted with a user or group name that doesn't exist on the target firewall, ActiveChange will implement the rule without a user/group configuration. No failure indication for this will be provided. The user/group names that you specify must exactly match the user/group names as configured on the target device.
Destination	Specify the traffic destination(s). For details, see Change request wizards. Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields.
Service	Specify the traffic service(s). For details, see Change request wizards. Note: You can optionally input variables into traffic fields, and these variables will be set to the desired value once you submit the change request. For details, see Variables in traffic fields. Note: For traffic that affects Check Point devices, you must specify a service that is supported by the authentication method. For information on supported services for each method, refer to Check Point documentation.
Application	Specify the application(s). For details, see Change request wizards. The default value is Any. This field is only relevant for Palo Alto devices.
Action	Choose the device action to perform for the connection. This can be either of the following: Allow: Allow the connection. Drop: Block the connection. Note: When using the Traffic Change Request (IPv6) workflow, only traffic with "Allow" actions is supported.
Show NAT	Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic. The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear.
Hide NAT	Click this option to hide the NAT and PAT fields.
Source NAT	Type the source NAT value, if the connection’s source should be translated.
Destination NAT	Type the destination NAT value, if the connection’s destination should be translated.
Port Translation	Type the port value, if the connection’s port should be translated. Note: If the Port after Translation field appears below this field, then you must type the port value before translation.
NAT Type	Specify the type of NAT (Static or Dynamic). Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.
Add More Traffic	To add more traffic to the request, click this option and complete the fields.
Set traffic values	Click this button to set traffic values for variables you have put in the source, destination or service fields. For details, see Variables in traffic fields.
Import traffic from csv	Click this link to import a CSV file of traffic lines. Select the CSV file from your computer. Required Headers: Source Destination Service Optional Headers: User. If this header is not present, the value defaults to "any". Application. If this value is not present, the value defaults to "any". Action. If this header is not present, the value defaults to "allow". Any other headers included in the CSV file are ignored. Note: All headers are not case sensitive. Multiple entries (such as IP addressees, ranges, or networks) that appear in a single cell must be separated by commas within the cell.
	To replicate a traffic line (add a new traffic line with the same traffic as in the current traffic line), click this option and modify the fields as desired.
	To remove additional traffic from the request, click this option next to the desired traffic.
More
External change request id	If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number. The FireFlow change request generated for your request will be linked to the external system change request. Note: This field is optional.

IPv6 traffic change request fields

Name	Description
Requestor	In the Requestors Web Interface, this field displays your email address and is read-only. Note: In the No-Login Web Form, you must type your email address.
Subject	Type a title for your request and for the change request that will be generated. Note: This field is optional.
Due	Specify the date by which this change request should be resolved, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. Note: This field is optional.
Expires	Specify the date on which this change request will expire, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. Note: This field is optional.
Request	Use this area to specify the traffic changes you would like. By default, when submitting a traffic change request, this area includes the following fields for defining traffic: Source, Destination, Service, Action, Show NAT, Hide NAT, Source NAT, Destination NAT, Port Translation, NAT Type, Add More Traffic, and . Due to system customizations, this area may differ in the following ways: NAT fields may not appear. The following additional NAT fields may appear: Source after NAT, Destination after NAT, Port after Translation. The Source, Destination, and/or Service fields may be followed by a custom field. For information about these fields, consult with your FireFlow administrator. Each row of traffic may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.
Source	Do one of the following: Type the IP address, IP range, network, or device object. Use the Choose Source Wizard. For details, see Change request wizards. Note: Only IPv6 addresses are supported. You cannot mix IPv6 and IPv4 addresses in the same workflow.
Destination	Do one of the following: Type the IP address, IP range, network, device object. Use the Choose Destination Wizard. For details, see Change request wizards. Note: Only IPv6 addresses are supported. You cannot mix IPv6 and IPv4 addresses in the same workflow.
Service	Do one of the following: Type the device service or port for the connection (for example "http" or "tcp/123"). For more details, see Traffic-based change request fields. For information on how to use non-TCP/UDP/ICMP protocols, Supported layer 3 protocols. Use the Choose Service Wizard. For details, see Change request wizards.
Action	Choose the device action to perform for the connection. This can be either of the following: Allow: Allow the connection. Drop: Block the connection.
Show NAT	Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic. The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear. Note: Depending on system customizations, the Source after NAT, Destination after NAT, and Port after Translation fields may appear as well.
Hide NAT	Click this option to hide the NAT and PAT fields.
Source NAT	Type the source NAT value, if the connection’s source should be translated. Note: If the Source after NAT field appears below this field, then you must type the source NAT value before translation.
Source after NAT	Type the source NAT value after translation, if the connection’s source should be translated.
Destination NAT	Type the destination NAT value, if the connection’s destination should be translated. Note: If the Destination after NAT field appears below this field, then you must type the destination NAT value before translation.
Destination after NAT	Type the destination NAT value after translation, if the connection’s destination should be translated.
Port Translation	Type the port value, if the connection’s port should be translated. Note: If the Port after Translation field appears below this field, then you must type the port value before translation.
Port after Translation	Type the port value after translation, if the connection’s port should be translated.
NAT Type	Specify the type of NAT (Static or Dynamic). Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.
Add More Traffic	To add more traffic to the request, click this option and complete the fields.
	To remove additional traffic from the request, click this option next to the desired traffic.
From Template	The change request's template. Note: This field is read-only.
Workflow	The change request's workflow. Note: This field is read-only.
External change request id	If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number. The FireFlow change request generated for your request will be linked to the external system change request. Note: This field is optional.
Describe the issue	Type a free text description of the issue. This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history. This field is optional.
Attach file	To attach a file to your request, do one of the following: Type the path to the file in the field provided. Click Browse, browse to the desired file, and click Open. To add more files, click Add More Files. Note: This field is optional.

MulticastTraffic change request fields

Name	Description
General	To close General section, click in the heading. To reopen, click again.
Owner	Owner of the request.
Requestor	In the Requestors Web Interface, this field displays your email address and is read-only. In the No-Login Web Form, you must type your email address.
Subject	Type a title for your request and for the change request that will be generated. This field is optional.
Due	Specify the date by which this change request should be resolved, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. This field is optional.
Expires	Specify the date on which this change request will expire, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. This field is optional.
Traffic	To close Traffic section, click in the heading. To reopen, click again.
Request	Use this area to specify the traffic changes you would like. By default, when submitting a traffic change request, this area includes the following fields for defining traffic: Source, Destination, Service, Action, Show NAT, Hide NAT, Source NAT, Destination NAT, Port Translation, NAT Type, Add More Traffic, and . Due to system customizations, this area may differ in the following ways: NAT fields may not appear. The Source, Destination, and/or Service fields may be followed by a custom field. For information about these fields, consult with your FireFlow administrator. Each row of traffic may be followed by a custom field. For information about these fields, consult with your FireFlow administrator.
Source	Do one of the following: Type the IP address, IP range, network, device object, or DNS name of the connection source. Use the Choose Source Wizard, as described in Using the Choose Source/Destination Wizard (see Change request wizards). To enter multiple values, press Enter. A new field appears for this source. Note: You cannot mix regular traffic and multicast in the same workflow. When specifying Check Point traffic for which the User Authentication method is used, you can include the user group as part of the source, in the following format: `usergroup@host` Where: usergroup is the user group's name. You may use the Choose Source Wizard's Device Object tab to select the user group if desired. Note: LDAP user groups are only supported for devices configured to use OPSEC data collection. host is the IP address, IP range, network, device object, or DNS name of the connection source. For example: [email protected], group1@RNDNetwork, or group1@Any. Note: Specifying the user group is only supported if the FireFlow default authentication method is User Authentication. Ask your FireFlow administrator for further information.
Destination	Do one of the following: Type the IP address, IP range, network, device object, or DNS name of the connection destination. Use the Choose Destination Wizard, as described in Using the Choose Source/Destination Wizard (see Change request wizards). To enter multiple values, press Enter. A new field appears for this destination. Note: You cannot mix regular traffic and multicast in the same workflow.
Service/Application	Do one of the following: Type the device service or port for the connection (for example "http" or "tcp/123"). For details, see Supported layer 3 protocols. Type the name of an application as defined in your Palo Alto or Check Point device. Use the Choose Service Wizard. For details, see Change request wizards. To enter multiple values, press Enter. A new field appears for this service. Note: When configuring a change request for Check Point traffic, you must specify a service that is supported by the authentication method. For information on supported services for each method, refer to Check Point documentation.
Action	Choose the device action to perform for the connection. This can be either of the following: Allow: Allow the connection. Drop: Block the connection.
NAT settings	Click this option to display Network Address Translation (NAT) and Port Address Translation (PAT) for the defined traffic. The Source NAT, Destination NAT, Port Translation, and NAT Type fields appear. Click NAT settings again to hide the settings.
Source NAT	Type the source NAT value, if the connection’s source should be translated.
Destination NAT	Type the destination NAT value, if the connection’s destination should be translated.
Port Translation	Type the port value, if the connection’s port should be translated.
NAT Type	Specify the type of NAT (Static or Dynamic). Note: If you filled in the Source NAT, Destination NAT, and/or Port Translation fields, then you must specify the NAT type.
Add More Traffic	To add more traffic to the request, click this option and complete the fields.
	To remove additional traffic from the request, click this option next to the desired traffic.
More	To close the More section, click in the heading. To reopen, click again.
External change request id	If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number. The FireFlow change request generated for your request will be linked to the external system change request. This field is optional.
Device Name	Click in the Device Name box. The device selection dialog is displayed with a list of available Cisco devices. To filter, in the Filter By list, select Brand, Device, Policy, Device and Policy, or Selected. To select all devices for a brand, select the Brand check box. To select, click a device. The device will appear at the top of the box. Click another device to select it. There is no need to hold the CTRL key for multiple selections. To move forward and backward in the device list, click the and icons. Selected devices appear in the Device Name box. Click the up arrow to close the dialog box.
Change request justification	Type a free text description of the issue. This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history. This field is optional.
Attachments	To add attachments, click Add files. The Choose File to Upload dialog box opens. Browse to the desired file, and click Open. To select multiple files, press CTRL while selecting. This field is optional.

Web-filter change request fields

Name	Description
Requestor	In the Requestors Web Interface, this field displays your email address and is read-only. In the No-Login Web Form, you must type your email address.
Subject	Type a title for your request and for the change request that will be generated. This field is optional.
Due	Specify the date by which this change request should be resolved, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. This field is optional.
Expires	Specify the date on which this change request will expire, by doing one of the following: Click , and select the desired date in the calendar that appears. To navigate to different months in the calendar, click Prev and Next. Type the desired date in the field provided. FireFlow supports most relative and absolute formats, such as yyyy-mm-dd, mm/dd/yyyy, Mon dd yyyy, next week, or now + 3 days. This field is optional.
Request	Use this area to specify the connection you would like to filter.
User Group	Do one of the following: Type the name of the user or user group that should be allowed/denied access to a URL. Use the Choose User Group Wizard. For details, see Change request wizards.
URL	Type the URL to which to allow/deny access.
Category	Do one of the following: Type URL's Web filtering category. Use the Choose Category Wizard. For details, see Change request wizards. Note: When creating a change request via the Blue Coat Blocked page, this field is automatically filled in.
Action	Select the device action to perform for the connection. This can be any of the following: Allow: Allow the connection. Block: Block the connection.
Add More Web Filtering	To add more connections to the request, click this option and complete the fields.
	To remove additional connections from the request, click this option next to the desired traffic.
From Template	The change request's template. This field is read-only.
Workflow	The change request's workflow. This field is read-only.
External change request id	If you have already opened a change request for this request in an external change management system that is integrated with FireFlow, type the change request's ID number. The FireFlow change request generated for your request will be linked to the external system change request. This field is optional.
Describe the issue	Type a free text description of the issue. This description will be reviewed by the network operations and information security users who handle your change request. It will also be added to the change request history. This field is optional.
Attach file	To attach a file to your request, do one of the following: Type the path to the file in the field provided. Click Browse, browse to the desired file, and click Open. To add more files, click Add More Files. This field is optional.

Supported layer 3 protocols

This topic lists the non-TCP/UDP/ICMP protocols that FireFlow supports by default.

Protocol	FireFlow Defined Service Name	Protocol Number
IPsec (ESP)	ipsec_50	50
IPsec (AH)	ipsec_51	51
IPsec (ESP and AH)	ipsec	50 and 51
GRE	gre	47
IPv6-ICMP	icmp6	58
SKIP	skip	57
ETHERIP	etherip	97
PIM	pim	103

Note: When using layer 3 protocols in FireFlow, you must use the FireFlow defined service name, not the protocol number. In addition, you may use service objects which contain these protocols.

Tip: FireFlow enables administrators to define additional layer 3 protocols for FireFlow support. For more details, see Define protocols.

Variables in traffic fields

This procedure describes how to use variables when entering traffic details in a traffic change request.

Variables are supported in any of the traffic lines for the change request.

Do the following:

In the Source, Destination, Service, and/or Application field, enter one or more variables using the following syntax:

#{VariableName}

where, VariableName is the name you give the variable.

In the Traffic area, the Set traffic values button is enabled.
Click Set traffic values.

The Set traffic values dialog is displayed with all of the variables you have used listed under Traffic Parameter. For example:
Enter the values for each variable you want to use, and click Set Values.

When you submit the change request, each variable will be replaced with its designated value.

Change request field references

Generic change request fields

Traffic-based change request fields

IPv6 traffic change request fields

MulticastTraffic change request fields

Web-filter change request fields

Supported layer 3 protocols

Variables in traffic fields

Sorry about that

Great!