Change Control Workflow Overview

The Change Control workflow allows you to request an approval for changes to a firewall or a NAT policy. Currently, when a policy is published and/or updated, all the changes to the policy are published. You cannot select a subset of changes to publish. For example, suppose two rules, R1 and R2, are added to a policy. When the policy is published, both the rules are published. R1 and R2 rule additions cannot be published separately.

The Change Control workflow represents a set of changes made to a policy to achieve a logical goal (usually a request in an IT ticketing system). For example, a new finance user in a company requests access to the server that hosts the payroll management system. The user files a ticket requesting access. At this point, the requester creates a Change Request (CR). The approver can either approve or deny the CR, individually or as part of a batch. The Change Management workspace allows the requester (in this case, the firewall administrator) to create and update CRs and the approver to approve or deny CRs.

Table 232 describes the roles for the Change Control workflow.

Table 232: Predefined Roles in the Change Control Workflow

Role	Description
Security Director Change Control Requester	A user with access permission needed to make changes to designated policies; submit them for approval; and, once approved, update them to the network. For example, an administrator, who provides the required information about the change to the firewall or NAT policy.
Security Director Change Control Approver	A user with access permission needed to approve CRs from a requester. For example, a senior administrator or manager can act as an approver, after which a firewall administrator, acting as the requester, can update the changes to the appropriate firewall or NAT policy.

Role

Description

Security Director Change Control Requester

A user with access permission needed to make changes to designated policies; submit them for approval; and, once approved, update them to the network.

For example, an administrator, who provides the required information about the change to the firewall or NAT policy.

Security Director Change Control Approver

A user with access permission needed to approve CRs from a requester. For example, a senior administrator or manager can act as an approver, after which a firewall administrator, acting as the requester, can update the changes to the appropriate firewall or NAT policy.

The following sections provide more information about the change control workflow:

Benefits of a Change Control Workflow

The change control workflow provides the following benefits:

Provides a direct correlation to a change ticket ID and the details of the change to a firewall or NAT policy.
The policies that are modified within an activity (or configuration session) are locked from being modified within other activities. This prevents conflicting changes that could make a policy unstable. Additionally, the changes you make within an activity are visible only within the activity.
All activities are tracked within the workflow. You can use this information to determine what changes were made and by whom.
Allows you to approve and update the change requests to the network irrespective of the order in which they are created.

High-level Workflow of Change Control Workflow

Procedure

An administrator performs the following change control workflow tasks:

Opens a new session to modify the security and/or network environment using Security Director.
Configures security policy and application settings in Security Director.
Submits the completed session for approval.
A manager reviews the proposed modifications and either approves, denies the session, or returns it to the administrator with a request to make the proposed changes.
The administrator makes the requested changes and resubmits the session for approval, if the manager has denied the request initially and requested modifications.
The manager approves the request.
The administrator installs the policy for all approved sessions.

Note:

All sessions must be approved, before you can install a policy.
For legacy publish, there is a special capability in change request mode. If an user publishes any policy, all the CRs created for that policy are deleted and all the current changes on the policy are pushed to the device.

Setting Up Change Control Workflow

Procedure

To set up the change control flow:

Select Network Management Platform > Administration > Applications.
A page appears listing the available Network Management Platform applications.
Right-click Security Director and select Modify Application Settings.

Click Change-Control-Workflow and provide the information, as described in Table 233.

Table 233: Fields on the Change Control Workflow Setting Page

Option	Description
Enable Change Control Workflow	Enable this option to approve all firewall and NAT policy changes before updateing the policy changes. All Security Director users will be logged out after this option is selected.
Default approval days	Enter the number of days within which the request must be approved or denied. The default number of days is 7.
Default ticket field name	Enter the ticket field name for creating the change request. The default field name is Ticket Number.
Enable e-mail notifications	Enable this option to receive e-mail notifications when the CR is created, approved, or denied. The notification is sent to both the requester and the approver.
Maximum requests per policy	Enter the maximum number of outstanding CRs per policy. The default value is 10.

Note: If you disable the change control workflow, all the CRs created for firewall and NAT policies are deleted.

Change Control Workflow Overview

Benefits of a Change Control Workflow

High-level Workflow of Change Control Workflow

Procedure

Setting Up Change Control Workflow

Procedure

Related Documentation

Help us to improve. Rate this article.