Change Control Workflow Overview
The change control workflow allows you to request an approval for changes to a firewall or a NAT policy. Traditionally, when a policy is published and/or updated, all the changes to the policy are published. You cannot select a subset of changes to publish. For example, suppose two rules, R1 and R2, are added to a policy. When the policy is published, both the rules are published. R1 and R2 rule additions cannot be published separately.
The change control workflow represents a set of changes made to a policy to achieve a logical goal (usually a request in an IT ticketing system). For example, a new finance user in a company requests access to the server that hosts the payroll management system. The user files a ticket requesting access. At this point, the requester creates a change request. The approver can either approve or deny the change request, individually or as part of a batch. The Change Management workspace allows the requester (in this case, the firewall administrator) to create and update change requests and the approver to approve or deny change requests.
Table 1 describes the roles for the change control workflow.
Table 1: Predefined Roles in the Change Control Workflow
- Security Director Change Control Requester: A user with access permission needed to make changes to designated policies; submit them for approval; and, once approved, update them to the network. For example, an administrator can provide the required information about the change to the firewall or NAT policy.
- Security Director Change Control Approver: A user with access permission needed to approve change requests from a requester. For example, a senior administrator or manager can act as an approver, after which a firewall administrator, acting as the requester, can update the changes to the appropriate firewall or NAT policy.
At a high level, the change control workflow consists of the following tasks, listed with the role that performs each:
- The administrator opens a new session to modify the security or network environment, or both, by using Security Director.
- The administrator configures the security policy and application settings in Security Director.
- The administrator submits the completed session for approval.
- The manager reviews the proposed modifications and either approves or denies the request, or returns it to the administrator with a request to make the proposed changes.
- The administrator makes the requested changes and resubmits the session for approval, if the manager initially denied the request and requested modifications.
- The manager approves the request.
- The administrator installs the policy for all approved sessions.
Before you can install a policy, all sessions must be approved.
If a user publishes a policy, all change requests created for that policy are deleted and all current changes on the policy are pushed to the device.
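The task list and the two rules above can be read as a small state machine. The following Python model is an added illustration, not Security Director code or its API; the class, method, and ticket names are hypothetical, and only the transitions and roles stated on this page are encoded.

```python
from enum import Enum


class State(Enum):
    OPEN = "open"            # administrator is still editing the session
    SUBMITTED = "submitted"  # waiting for the approver's decision
    APPROVED = "approved"
    DENIED = "denied"        # returned to the administrator for changes


# (current state, action) -> (role that may perform it, resulting state)
TRANSITIONS = {
    (State.OPEN, "submit"): ("requester", State.SUBMITTED),
    (State.SUBMITTED, "approve"): ("approver", State.APPROVED),
    (State.SUBMITTED, "deny"): ("approver", State.DENIED),
    (State.DENIED, "submit"): ("requester", State.SUBMITTED),  # resubmit
}


class Policy:
    """Hypothetical in-memory model of one firewall or NAT policy."""

    def __init__(self):
        self.requests = {}  # ticket id -> State

    def open_request(self, ticket):
        self.requests[ticket] = State.OPEN

    def act(self, ticket, action, role):
        state = self.requests[ticket]
        if (state, action) not in TRANSITIONS:
            raise ValueError(f"{action!r} is not allowed in state {state.value}")
        needed_role, new_state = TRANSITIONS[(state, action)]
        if role != needed_role:
            raise PermissionError(f"{action!r} requires the {needed_role} role")
        self.requests[ticket] = new_state

    def install(self):
        """Refuse to install while any session on the policy is unapproved."""
        pending = [t for t, s in self.requests.items() if s is not State.APPROVED]
        if pending:
            raise RuntimeError(f"unapproved sessions: {sorted(pending)}")
        return sorted(self.requests)

    def publish(self):
        """Publishing deletes every change request, whatever its state."""
        dropped = sorted(self.requests)
        self.requests.clear()
        return dropped
```

The model makes the publish edge case visible: `publish()` discards requests that are still open, submitted, or denied, so the approval record for those changes is lost even though the changes reach the device.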
The following sections provide more information about the change control workflow:
Benefits of the Change Control Workflow
The request resembles a request in an IT ticketing system. The approver can either approve changes to a firewall or NAT policy or deny the change request, individually or as part of a batch.
The policies that are modified within an activity (or configuration session) are locked and thereby prevented from being modified within other activities. This prevents conflicting changes from being made.
Setting Up the Change Control Workflow
To set up the change control workflow:
- Select Network Management Platform > Administration > Applications.
A page appears listing the available Network Management Platform applications.
- Right-click Security Director and select Modify Application Settings.
- Click Change-Control-Workflow and provide the information, as described in Table 2.
Table 2: Fields on the Change Control Workflow Setting Page
- Enable Change Control Workflow: Approve all firewall and NAT policy changes before updating the policy changes. All Security Director users will be logged out after this option is selected.
- Default approval days: Number of days within which the request must be approved or denied. The default number of days is 7.
- Default ticket field name: Ticket field name for creating the change request. The default field name is Ticket Number.
- Enable e-mail notifications: Receive e-mail notifications when the change request is created, approved, or denied. The notification is sent to both the requester and the approver.
- Maximum requests per policy: Maximum number of outstanding change requests per policy. The default value is 10.
If you disable the change control workflow, all the change requests created for firewall and NAT policies are deleted.