The change control workflow allows you to request an approval for changes to a firewall or a NAT policy. Traditionally, when a policy is published and/or updated, all the changes to the policy are published. You cannot select a subset of changes to publish. For example, suppose two rules, R1 and R2, are added to a policy. When the policy is published, both the rules are published. R1 and R2 rule additions cannot be published separately.
The change control workflow represents a set of changes made to a policy to achieve a logical goal (usually a request in an IT ticketing system). For example, a new finance user in a company requests access to the server that hosts the payroll management system. The user files a ticket requesting access. At this point, the requester creates a change request. The approver can either approve or deny the change request, individually or as part of a batch. The Change Management workspace allows the requester (in this case, the firewall administrator) to create and update change requests and the approver to approve or deny change requests.
Table 278 describes the roles for the change control workflow.
Table 278: Predefined Roles in the Change Control Workflow
Role | Description |
---|---|
Security Director Change Control Requester | A user with access permission needed to make changes to designated policies; submit them for approval; and, once approved, update them to the network. For example, an administrator can provide the required information about the change to the firewall or NAT policy. |
Security Director Change Control Approver | A user with access permission needed to approve change requests from a requester. For example, a senior administrator or manager can act as an approver, after which a firewall administrator, acting as the requester, can update the changes to the appropriate firewall or NAT policy. |
At a high level, the following change control workflow tasks, and who performs them, are described:
Note:
Before you can install a policy, all sessions must be approved.
If a user publishes a policy, all change requests created for that policy are deleted and all current changes on the policy are pushed to the device.
The following sections provide more information about the change control workflow:
The request resembles a request in an IT ticketing system. The approver can either approve changes to a firewall or NAT policy or deny the change request, individually or as part of a batch.
The policies that are modified within an activity (or configuration session) are locked and thereby prevented from being modified within other activities. This prevents conflicting changes from being made.
To set up the change control workflow:
A page appears listing the available Network Management Platform applications.
Table 279: Fields on the Change Control Workflow Setting Page
Option | Description |
---|---|
Enable Change Control Workflow | Approve all firewall and NAT policy changes before updating the policy changes. All Security Director users will be logged out after this option is selected. |
Default approval days | Number of days within which the request must be approved or denied. The default number of days is 7. |
Default ticket field name | Ticket field name for creating the change request. The default field name is Ticket Number. |
Enable e-mail notifications | Receive e-mail notifications when the change request is created, approved, or denied. The notification is sent to both the requester and the approver. |
Maximum requests per policy | Maximum number of outstanding change requests per policy. The default value is 10. |
Note: If you disable the change control workflow, all the change requests created for firewall and NAT policies are deleted.
© 2018 Juniper Networks, Inc. All rights reserved