
Change Control Workflow Overview

The Change Control workflow allows you to request an approval for changes to a firewall or a NAT policy. Currently, when a policy is published and/or updated, all the changes to the policy are published. You cannot select a subset of changes to publish. For example, suppose two rules, R1 and R2, are added to a policy. When the policy is published, both the rules are published. R1 and R2 rule additions cannot be published separately.

The Change Control workflow represents a set of changes made to a policy to achieve a logical goal (usually a request in an IT ticketing system). For example, a new finance user in a company requests access to the server that hosts the payroll management system. The user files a ticket requesting access. At this point, the requester creates a Change Request (CR). The approver can either approve or deny the CR, individually or as part of a batch. The Change Management workspace allows the requester (in this case, the firewall administrator) to create and update CRs and the approver to approve or deny CRs.

Table 232 describes the roles for the Change Control workflow.

Table 232: Predefined Roles in the Change Control Workflow



Security Director Change Control Requester

A user with access permission needed to make changes to designated policies; submit them for approval; and, once approved, update them to the network.

For example, an administrator who provides the required information about the change to the firewall or NAT policy.

Security Director Change Control Approver

A user with access permission needed to approve CRs from a requester. For example, a senior administrator or manager can act as an approver, after which a firewall administrator, acting as the requester, can update the changes to the appropriate firewall or NAT policy.

The following sections provide more information about the change control workflow:

Benefits of a Change Control Workflow

The change control workflow provides the following benefits:

High-level Workflow of Change Control Workflow


An administrator performs the following change control workflow tasks:

  1. Opens a new session to modify the security and/or network environment using Security Director.
  2. Configures security policy and application settings in Security Director.
  3. Submits the completed session for approval.
  4. A manager reviews the proposed modifications and approves the session, denies it, or returns it to the administrator with a request to make changes.
  5. If the manager initially denied the request and requested modifications, the administrator makes the requested changes and resubmits the session for approval.
  6. The manager approves the request.
  7. The administrator installs the policy for all approved sessions.


  • All sessions must be approved before you can install a policy.
  • For legacy publish, there is a special capability in change request mode. If a user publishes any policy, all the CRs created for that policy are deleted and all the current changes on the policy are pushed to the device.
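
The workflow steps and the two notes above, modelled as a small state machine. This is an added illustration, not Security Director code or an API: the class, state and action names are hypothetical, and "denied" and "returned for changes" are folded into one state.

```python
from enum import Enum

class State(Enum):
    OPEN = "open"            # steps 1-2: requester is still editing
    SUBMITTED = "submitted"  # step 3: waiting for the approver
    DENIED = "denied"        # step 4: denied or returned for changes
    APPROVED = "approved"    # step 6

# (current state, action) -> (role allowed to act, next state)
TRANSITIONS = {
    (State.OPEN, "submit"): ("requester", State.SUBMITTED),
    (State.SUBMITTED, "approve"): ("approver", State.APPROVED),
    (State.SUBMITTED, "deny"): ("approver", State.DENIED),
    (State.DENIED, "resubmit"): ("requester", State.SUBMITTED),
}

class Policy:
    """Hypothetical model of one firewall or NAT policy and its CRs."""

    def __init__(self, name):
        self.name = name
        self.requests = {}  # ticket number -> State

    def open_session(self, ticket):
        self.requests[ticket] = State.OPEN

    def act(self, ticket, role, action):
        state = self.requests[ticket]
        allowed_role, next_state = TRANSITIONS.get((state, action), (None, None))
        if role != allowed_role:
            raise PermissionError(f"{role} cannot {action} a {state.value} CR")
        self.requests[ticket] = next_state

    def install(self):
        """Step 7: refused unless every session on the policy is approved."""
        blocked = sorted(t for t, s in self.requests.items() if s is not State.APPROVED)
        if blocked:
            raise RuntimeError(f"unapproved sessions: {blocked}")
        return sorted(self.requests)

    def legacy_publish(self):
        """Deletes every CR; returns the ones that had not been approved."""
        skipped = {t: s.value for t, s in self.requests.items() if s is not State.APPROVED}
        self.requests.clear()  # all current changes go to the device
        return skipped
```

A non-empty result from `legacy_publish()` marks changes that reached the device without completing approval, which is the case to look for when reviewing publishes made in change request mode.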

Setting Up Change Control Workflow


To set up the change control flow:

  1. Select Network Management Platform > Administration > Applications.

    A page appears listing the available Network Management Platform applications.

  2. Right-click Security Director and select Modify Application Settings.
  3. Click Change-Control-Workflow and provide the information, as described in Table 233.

    Table 233: Fields on the Change Control Workflow Setting Page



    Enable Change Control Workflow

    Enable this option to approve all firewall and NAT policy changes before updating the policy changes. All Security Director users will be logged out after this option is selected.

    Default approval days

    Enter the number of days within which the request must be approved or denied. The default number of days is 7.

    Default ticket field name

    Enter the ticket field name for creating the change request. The default field name is Ticket Number.

    Enable e-mail notifications

    Enable this option to receive e-mail notifications when the CR is created, approved, or denied. The notification is sent to both the requester and the approver.

    Maximum requests per policy

    Enter the maximum number of outstanding CRs per policy. The default value is 10.

Note: If you disable the change control workflow, all the CRs created for firewall and NAT policies are deleted.
