View change requests
This topic describes the various procedures available to view change requests in FireFlow.
View open change requests
The Current Status of Open Change Requests list displays all of your change requests that have not yet been resolved, and allows you to track these change requests' statuses.
Click on the small arrow to the left of the text Current Status of Open Change Requests on the Home page of FireFlow to view a graphic representation of the number of open change requests in the each stage (status) of the change request workflow.
Click on the text Current Status of Open Change Requests on the Home page of FireFlow, to view a list of the open change requests to view the list of open change requests.
Note: Click a change request ID or subject to open the change request.
By default, statuses include the following:
plan |
The change request has been assigned an owner and is in the Plan stage. |
approve |
The change request is in the Approve stage and being checked for security risks. An information security user will decide whether to approve the change request, based on the check results. |
create work order |
The change request is now in the Implement stage, and the work order is being planned. |
implement |
The change request is now in the Implement stage, and the required change is being implemented. |
validate |
The change request is now in the Validate stage. |
user accept |
The change request is now in the Validate stage, and the requestor has been asked to verify implementation success. |
user disapproved |
The change request is now in the Validate stage, and the requestor has marked the change as not working, using the Change Doesn't Work button. |
These statuses can be changed / customized by FireFlow administrators.
View change requests awaiting various actions
From the FireFlow Home page you can open lists of requests waiting for various types of actions.
Change requests to :
-
Approve
-
Plan
-
Review (Operational Review)
-
Create Work Order
-
Implement
-
Validate, etc.
For example:
Note: Click a change request ID or subject to open the change request.
By default, statuses include the following:
plan |
The change request has been assigned an owner and is in the Plan stage. |
approve |
The change request is in the Approve stage and being checked for security risks. An information security user will decide whether to approve the change request, based on the check results. |
create work order |
The change request is now in the Implement stage, and the work order is being planned. |
implement |
The change request is now in the Implement stage, and the required change is being implemented. |
validate |
The change request is now in the Validate stage. |
user accept |
The change request is now in the Validate stage, and the requestor has been asked to verify implementation success. |
user disapproved |
The change request is now in the Validate stage, and the requestor has marked the change as not working, using the Change Doesn't Work button. |
For more details, see:
View change requests on your FireFlow home page
Your FireFlow Home page displays all of the recently updated change requests in the system, divided into lists according to their current lifecycle stage.
Note: By default, only lists that are relevant to your user role will appear in your Home page.
Tip: Customize this page
Do the following:
-
In the main menu, click Home.
The FireFlow Home Page is displayed.
-
Click a change request list to expand it and display the list of items.
Note: If the number of items in the list exceeds the configured maximum number of change requests to display per list, not all change requests in the change request list will be displayed.
In such cases, click the heading to view all items. A page listing the relevant change requests is displayed.
-
To sort the list according to a column, click the column heading.
To reverse the sort order, click the column heading again.
By default, the following change requests lists are displayed on your home page:
New Change Requests |
A list of change requests in the system that are new and still in the Request stage, and for which initial change planning has been completed. Note: Upon change request creation, FireFlow checks the traffic specified in the change request against devices. New change requests will not appear in this list until FireFlow has completed this task. This may take a few minutes. This list only appears for users with network operations or administrator role. |
Change Requests to Plan |
A list of change requests in the system that are currently in the Plan stage. This list only appears for users with network operations or administrator role. |
Change Requests to Approve |
A list of change requests in the system that are currently in the Check stage. This list only appears for users with information security or administrator role. |
Change Requests to Send Removal Notification to Rule Requestors |
A list of change requests in the system that are currently in the Approve stage, and for which a rule removal notification will be sent to the rule's traffic requestors. This list only appears for users with network operations user or administrator role. |
Change Requests Waiting for Removal Response from Rule Requestors |
A list of change requests in the system that are currently in the Approve stage and awaiting confirmation from the rule’s traffic requestors that the requested rule removals are approved. This list only appears for users with network operations user or administrator role. |
Change Requests to Create Work Order |
A list of change requests in the system that are currently in the Implement stage and awaiting a work order to be created. This list only appears for users with network operations or administrator role. |
Change Requests to Implement |
A list of change requests in the system that are currently in the Implement stage and awaiting implementation. This list only appears for users with network operations or administrator role. |
Change Requests to Validate |
A list of change requests in the system that are currently in the Validate stage. This list only appears for users with network operations or administrator role. |
Change Requests Waiting for Requestor's Response |
A list of change requests in the system that are currently in the Validate stage and awaiting the requestor's confirmation that the requested change was implemented successfully. This list only appears for users with network operations or administrator role. |
Change Requests that Received Requestor's Response |
A list of change requests in the system that are currently in the Validate stage, for which the requestor has confirmed that the requested change was implemented successfully. This list only appears for users with network operations or administrator role. |
Change Requests that Flagged by Requestor as "Change Does Not Work" |
A list of change requests in the system that have been flagged by the requestor as "Change Does Not Work". This list only appears for users with network operations or administrator role. |
Requests Pending Implementation |
A list of requests in the system that are currently in the Implement stage and awaiting implementation of their devices and policies. This list only appears for users with network operations or administrator role. |
Change Requests that are due to be recertified |
A list of traffic change requests in the system that expired, and which should be recertified. |
Change Requests to Expire in the Next 30 days |
A list of change requests in the system that will expire between today and 30 days from today. This list only appears for users with network operations or administrator role. |
Total New Change Requests |
A list of all change requests in the system that are new and still in the Request stage, including change requests whose traffic has not yet been checked against devices. |
Change Requests to Review |
A list of change requests in the system that use the Multi-Approval or Parallel-Approval workflow, and which are currently waiting for your review. This list only appears for users with controller role. |
Change Requests I own |
A list of change requests in the system that are owned by you. |
Change Requests Relevant to My Roles |
A list of change requests in the system that are relevant to the user roles you are assigned. |
Bookmarked Change Requests |
A list of change requests you bookmarked. |
View individual change requests
View a change request's details, including the change request's current lifecycle stage and basic information about the change request, such as the requestor, owner, original request details, and internal and external links. Additional information is provided depending on the change request's current lifecycle stage.
Do the following:
-
Browse to or search for a change request, and click the ID or subject to open it.
For details, see View change requests on your FireFlow home page and Search for change requests.
The change request is displayed.
This page displays the following details:
Change request title and ID View these at the top of the page. Change request lifecycle status bar View this status bar just under the title and ID.
The status bar maps the stages in the lifecylce from left to right.
- The current stage appears in blue, completed stages appear in green, and future stages appear in grey.
-
An empty flag indicates that the request is new; a checkered flag indicates that the request is resolved.
- Click a previous stage to display a read-only view of the request data for that stage.
For more details, see Change request statuses.
Relevant device or policy The device policy is displayed with the request's status, owner, and ID.
For Palo Alto and Check Point policies, the View Policy link appears.
For change requests that affect multiple devices or policies, each device appears in its own panel, and each panel contains all the information for the sub request. Clicking the panel reveals additional device information:
- IP. The device's IP address.
- Latest Report. The date of the device's latest AFA report, and a link to the report.
-
To view change request information for a device, click next to the desired device.
The change request information relevant to the device's stage is displayed below the device panel.
-
To view detailed information about the change request, click Details.
The Details area is displayed.
For information about fields, see Details Fields (see Details Fields).
Note: Click again on the Details button to close the Details section.
-
To view specific change request information relevant to the change request type, click the button to the right of the Details button.
For a traffic change request, this will be the Traffic button, for an object change request, this will be the Object button, for rule removal or modification request this will be the Rules button, and for a web filtering request, this will be the Web Filtering button.
The relevant information is displayed.
-
To view information about an AppViz application that is related to the change request, click Business Application Information. This includes the application diagram and the changes to the application flows which are being implemented with the change request. For details, see View business application details.
Note: The Business Application Information button only appears for traffic change requests which were opened for the sake of an application in AppViz. The Business Application Information button is disabled for users who do not have the AppViz permissions required to view this information about this application.
-
To view previously calculated information, do one of the following:
View work order, risk check results, or validation results To view the work order, risk check results and/or validation results for a device, do the following:
-
Click next to the desired device to display the device's change request information.
Immediately below the device panel, a set of buttons appears that is relevant to the device's calculated information. These buttons may include Work Order, Risk Check Results and/or Validation Results.
If the information has not been calculated, the button will be disabled.
-
Click the desired button.
A window appears with the calculated information for the desired device.
View initial planning results To view a change request's initial planning results in PDF format, do the following:
-
In the Change Request Lifecycle Status Bar, click Plan.
The read-only view of the Plan tab appears.
-
Click Initial Plan results.
The initial plan PDF appears.
Note: The Initial Plan results PDF will only appear for a change request once the Plan stage has been completed. The PDF file does not include the network map generated during Initial Planning.
The Initial Plan results PDF may not appear, depending on your FireFlow configuration.
-
-
To view information about the SLA, hover over .
The SLA information appears. For more details, see SLA Information Fields.
Note: If the SLA icon is orange, an active SLO is expired.
Individual change requests might have any of the following statuses:
plan |
The change request has been assigned an owner and is in the Plan stage. |
already works |
The requested change already exists, and there is therefore no need to implement the change request. |
approve |
The change request is in the Approve stage and being checked for security risks. An information security user will decide whether to approve the change request, based on the check results. |
approved |
The change request is in the Approve stage has been approved by an information security user. |
create work order |
The change request is now in the Implement stage, and the work order is being planned. |
implement |
The change request is now in the Implement stage, and the required change is being implemented. |
validate |
The change request is now in the Validate stage. |
user accept |
The change request is now in the Validate stage, and the requestor has been asked to verify implementation success. |
user confirmed |
The change request is now in the Validate stage, and the requestor has marked the change as working, using the Change Works button. Note: By default, the user confirmed status is not used, and when the requestor clicks the Change Works button, the change request automatically transitions to the pending match status. If desired, you can modify the workflow configuration to use this status. |
user disapproved |
The change request is now in the Validate stage, and the requestor has marked the change as not working, using the Change Doesn't Work button. |
requestor response |
The change request is in the Validate stage, and the requestor has reported the change implementation results via email. |
review |
The change request is in a second approval stage called “Review”. |
notify requestors |
The rule removal request is in the Approve stage, and a rule removal notification will be sent to the rule's traffic requestors. |
pending response |
The rule removal request is in the Approve stage and awaiting the requestor's confirmation (and possibly the confirmation of other users) that the requested rule removal is approved. |
pending match |
The change request has been resolved and is now in the Match stage. |
matched |
During auto matching, a device change was matched to the change request; however, matching is not yet complete. |
resolved |
Auto matching is complete. |
rejected |
The change request was rejected. |
certified |
The change request was certified. |
deleted |
The change request was deleted. |
Details Fields
Each change request includes the following details. The items displayed for you may differ, depending on your user permissions.
This area displays basic information about the change request.
Owner |
The change request owner's username and email address, in the format username <email>. For example, "bobsnetops<[email protected]>". If the change request has not yet been assigned an owner, this field displays "Not assigned yet". |
Status |
The change request's status. For details, see Change request statuses. |
Created |
The date and time when the change request was created. |
Requestor |
The usernames and email addresses of the requestors, in the format "username" <email>. For example, "johns" <[email protected]>. To view more information about the requestor, and links to other related change requests, click the More link. For information on the displayed areas and fields, see More Fields |
Updated |
The date and time when the change request was last updated, followed by the username of the person who last updated it. |
Due |
The date by which this change request should be resolved. This can be one of the following:
|
Priority |
A number indicating this request's priority, where 0 indicates lowest priority. |
CC |
Email addresses to which the FireFlow system will send copies of all email messages regarding this request. |
This area lists all devices relevant to the change requests and a link to all devices with the same policy.
For AWS and Azure, all containers and instances/VMs relevant to the security group in the change request are listed.
This area displays general information about the change request.
Expires |
The date on which the change request will expire. |
Owning Role |
The role to which the change request is currently attributed. |
All Responsible Roles |
All roles responsible for the change request in its current lifecycle stage. This field appears only for Parallel-Approval change requests, and only when there is more than one responsible role in the current lifecycle stage. |
Pending Responsible Roles |
The roles responsible for handling the change request in its current lifecycle stage, but which have not yet approved the change request. This field appears only for Parallel-Approval change requests, and only when there is more than one responsible role in the current lifecycle stage. |
If the change request is a recertification request, this area appears displaying related change requests.
Each change request is represented by its ID number, followed by its owner, relevant device, and current status. For details, see Change request statuses.
To view a change request, click on its ID number.
This area displays additional information about the change request.
From Template |
The template used for the request on which this change request is based. This field only appears if the Standard request template was not used. |
Change Request Template ID |
The ID of the change request's template. |
Workflow |
The workflow used for this change request. |
External change request id |
The ID number of a related change request in an external change management system that is integrated with FireFlow. |
Already Works Devices |
The devices on which the requested change is already implemented. For example, if the change request is to allow a certain type of traffic, this field will list the devices on which that traffic is already allowed. |
This area displays links between this change request and other change requests.
Refers to |
The ID numbers of change requests to which this change request refers, separated by spaces. This field is optional. |
Referred to by |
The ID numbers of change requests that refer to the change request, separated by spaces. This field is optional. |
This area displays the values specified in the original request.
These fields are read-only.
Source |
The IP address, IP range, network, or device object. |
Destination |
The IP address, IP range, network, or device object. |
Service |
The device service or port for the connection. |
User |
The user for the connection. This is only relevant for Check Point and Palo Alto devices. For all other devices, the field's value will always be Any. |
Application |
The network application for the connection. This is only relevant for Palo Alto Devices. For all other devices, the field's value will always be Any. |
Action |
The device action to perform for the connection. This can be either of the following:
|
Source NAT |
The source NAT value to which the connection's source should be translated. Note: If the Source after NAT field appears below this field, then this field displays the source NAT value before translation. |
Source after NAT |
The source NAT value after translation. |
Destination NAT |
The destination NAT value to which the connection's destination should be translated. Note: If the Destination after NAT field appears below this field, then this field displays the destination NAT value before translation. |
Destination after NAT |
The destination NAT value after translation. |
Port Translation |
The port value to which the connection's port should be translated. Note: If the Port after Translation field appears below this field, then this field displays the port value before translation. |
Port after Translation |
The port value after translation. |
NAT Type |
The type of NAT (Static or Dynamic). |
Requested action |
The requested action in a Rule Removal request (Disable Rule or Remove Rule). |
This area displays more details, such as about the requestor:
Full Name |
The requestor's full name. |
Mobile Phone |
The requestor's mobile telephone number. |
Home Phone |
The requestor's home telephone number. |
Work Phone |
The requestor's work telephone number. |
Pager Phone |
The requestor's pager telephone number. |
Email Address |
The requestor's email address. |
Comments about this user |
Comments about this requestor. |
This user's 10 highest priority change requests |
A list of the 10 highest priority change requests that this requestor created. Each change request is represented by its ID number, followed by its current status. For details, see Change request statuses. To view a change request, click on its number. |
View host vulnerabilities data
AlgoSec integrates with different industry leading vulnerabilities scanners. Admin users can take advantage of vulnerabilities and implications as part of the risk check in the traffic workflow approval stage.
For each host in the change request, a vulnerability score is displayed with a detailed breakdown of the risk statistics which make up the score.
If your vulnerabilities assessment scanner is not configured, see Manage vulnerability assessment scanners
View business application details
The Business Application Information button appears for traffic change requests which were opened for the sake of an application in AppViz.
Note: This button is disabled for users who do not have the AppViz permissions required to view this information about this application.
The application name is also a link to the application in AppViz. The Diagram tab displays the fully interactive application diagram.
Selecting the Changed Flow tab displays the changes to the application's flows which are being implemented with the change request.
Active SLA |
A list of currently active SLAs, including their names, due dates, and the amount of time elapsed so far. |
Completed SLA |
A list of completed SLAs, including their names, the amount of time it took to complete them, and their current status. |
Devices SLA |
Click any of the devices to display its SLA information. This field only appears for change requests that affect multiple devices. |
View change request histories
You can view a change request's history, including all comments and replies associated with the change request.
Do the following:
- View the change request. For details, see View individual change requests.
-
Do one of the following:
- Click to expand the History area. The history is displayed.
-
In the main menu on the left, click History under the change request number.
The Change Request History appears displaying all comments and replies associated with this change request.
For each comment/reply, the following information is displayed:
-
Brief header information, including the date and time at which the comment/reply was created, the name of the user who created it, and its subject line.
-
The full text of the comment/reply.
Note: The full text will not appear if you limited the length of displayed messages. For information on configuring this setting, see Customizing General FireFlow Settings.
- The size of the comment/reply in bytes.
- Click Full headers to display full header information for each comment/reply, at the top of the History area.
- Click Brief headers to display brief header information for each comment/reply, at the top of the History area.
- Click Download to view a comment/reply in plain text, next to the desired comment/reply.
- To view an automatically generated email sent by the FireFlow system, next to the desired "FireFlow_System - Outgoing email recorded" history item, click Show.
The email and its full header information appear in a new window.
Bookmark change requests
If you would like to keep track of a change request, you can bookmark it. The bookmarked change request will appear in your Home page's Bookmarked Change Requests list.
Do the following:
- View the change request. For details, see View individual change requests.
-
In the top-right corner of the workspace, click the icon.
The icon changes to .
You can now view the bookmarked change request in your Home page's Bookmarked Change Requests list. For details, see View change requests on your FireFlow home page.