
AlgoSec FireFlow v6.3 Advanced Configuration Guide

Jan 05, 2016


Printed on 2 September, 2012

AlgoSec FireFlow

Advanced Configuration Guide
Release 6.3

Copyright © 2003-2012 AlgoSec Systems Ltd. All rights reserved

AlgoSec and FireFlow are registered trademarks of AlgoSec Systems Ltd. and/or its affiliates in the U.S. and certain other countries.

Check Point, the Check Point logo, ClusterXL, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, INSPECT, INSPECT XL, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, UserAuthority, VPN-1, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.

Cisco, the Cisco Logo, Cisco IOS, IOS, PIX, are trademarks or registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc.

All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

Specifications subject to change without notice.

Limited Liability Statement

In no event will AlgoSec Systems Ltd be liable for any loss of data; lost opportunity for profits; cost of cover; or special, incidental, consequential or indirect damages arising from the use of this software.

Proprietary & Confidential Information

This document contains proprietary information. Neither this document nor said proprietary information shall be published, reproduced, copied, disclosed, or used for any purpose other than the review and consideration of this material without written approval from AlgoSec Systems Ltd., 1900 Campus Commons Drive, Suite 100, Reston, VA 20191.

The software contains proprietary information of AlgoSec Systems Ltd; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between AlgoSec Systems Ltd. and the client and remains the exclusive property of AlgoSec Systems Ltd. If you find any problems in the documentation, please report them to us in writing. AlgoSec Systems Ltd. does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of AlgoSec Systems Ltd.

AlgoSec Systems Ltd.
1900 Campus Commons Drive, Suite 100
Reston, VA 20191

Contents

Introduction
  FireFlow Advanced Configuration
  Configuration Options
  Advanced Configuration Options
  Advanced Configuration Tools
  Consulting Log Files
  Contacting Technical Support
Logging in for Advanced Configuration Purposes
Restarting FireFlow
Customizing the FireFlow Home Page
  Overview
  Customizing the Home Page Globally
  Customizing the Home Page per Group
  Customizing Pre-defined Search Results
    Customizing the Appearance of Pre-defined Search Results
    Adding the "Certify Change Requests" Button to Pre-Defined Search Results
Working with Users
  Disabling Privileged Users
  Enabling Privileged Users
Working with User Groups
  Adding User Groups
  Editing User Groups
  Managing Group Members
  Assigning Global and Queue Rights to User Groups
    Configuring a Group's Global and Queue Rights
  Configuring Group Rights for Custom Fields
    Configuring Group Rights for User-Defined Custom Fields
    Configuring Group Rights for FireFlow Fields
  Disabling User Groups
  Enabling User Groups
Working with Custom Fields
  Overview
  Adding User-Defined Custom Fields
  Editing User-Defined Custom Fields
  Editing FireFlow Fields
  Disabling User-Defined Custom Fields
  Enabling User-Defined Custom Fields

  Configuring the Order of User-Defined Custom Fields
Customizing the Source, Destination, and Service Wizards
  Customizing the Suggested Sources/Destinations List
  Customizing the Common Services List
  Controlling Whether Wizard Tabs Appear
    Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors
    Controlling Whether Wizard Tabs Appear in the No-Login Form
Configuring Change Request Creation from File
  Overview
  Configuring Change Request Creation from File
  Disabling Change Request Creation from File
Modifying FireFlow Email Templates
  Overview
  Modifying Email Templates
Working with Workflows in VisualFlow
  Overview
  About VisualFlow
  Getting Started with VisualFlow
    Accessing VisualFlow
    The VisualFlow User Interface
    Viewing Workflow Layouts
    Accessing Online Help
    Exiting VisualFlow
  Adding Workflows
  Workflow Condition Syntax
    Supported Fields
    Supported Boolean Operators
    Comprehensive Example
  Editing Workflows
  Working with Statuses
    Adding Statuses
    Editing Statuses
    Reordering Statuses
    Deleting Statuses
  Working with Actions
    Adding Actions
    Action Condition Syntax
    Adding Parallel Action Logic
    Editing Actions
    Reordering Actions
    Deleting Actions
  Working with SLAs
    Adding SLOs
    Editing SLOs
    Deleting SLOs
  Reordering Workflows

  Setting the Default Workflow
  Deleting Workflows
  Viewing the Workflow XML
    Viewing Individual Workflows' XML Files
    Viewing the Workflow Configuration File
  Installing Workflows
  Discarding Workflow Changes
  Examples
    Example: Removing the Notify Requestor Stage
    Example: Allowing the Network Group to Approve Change Requests
    Example: Adding Another Approve Stage
Working with Workflows via XML
  Editing the Workflow Configuration File
    Workflow Configuration File Structure
    Workflow Tag Attributes
    Condition Tag Syntax
    Comprehensive Example
  Adding Workflows
    Workflow File Structure
    Action Tag Attributes
    Status Tag Attributes
    Condition Tag Attributes and Syntax
  Modifying Workflows
  Disabling Workflows
  Deleting Workflows
  Reverting to the System Default Workflow via XML
Using Hooks
  Overview
  Using Hooks to Control Parameters
  Hook Functions
    GetExternalRisks
    GetFirewallGroupName
    GetRealGroupName
    GetRequestorSearches
    GetWorkFlowName
    SuggestCommentSuffix
    SuggestHostName
    ValidateTicket
    ValidateWorkOrderEdit
  Comprehensive Example
Working with Rights
  Overview
  Configuring Global Rights for Groups
    Configuring Global Built-in Rights for Groups
    Configuring Global User-Defined Rights for Groups
  Configuring Global Rights for Users
    Configuring Global Built-in Rights for Users
    Configuring Global User-Defined Rights for Users

  Configuring Queue Rights for Groups
    Configuring Queue Built-in Rights for Groups
  Configuring Queue Rights for Users
    Configuring Queue Built-in Rights for Users
Working with SLA Notifications
  Overview
  Adding SLA Notifications
  Editing SLA Notifications
  Managing Email Subscriptions to SLA Notifications
  Deleting SLA Notifications
Overriding FireFlow System Defaults
  Overriding System Default Settings
  Overriding Specific System Default Settings
    Configuring the Maximum Rows Displayed in Home Page Lists
    Configuring the Change Request History Order
    Configuring the Maximum Rows Displayed in Auto Matching Page Sub-Lists
    Configuring the Time Frame for Items Displayed in Auto Matching Page Lists
    Enabling/Disabling Multiple Traffic Rows in Change Requests
    Hiding Change Request Fields
    Enabling/Disabling Sub-Request Traffic Modification
    Configuring Whether Traffic Fields Are Mandatory
    Enabling/Disabling Traffic Field Validation
    Configuring Work Order Creation for "No Action Required" Change Requests
    Enabling/Disabling Translation of Object IP Addresses and Ports in Work Orders
    Configuring Automatic Initial Planning
    Configuring the Risk Check Method for Change Requests with Multiple Devices
    Configuring the Date Format
    Configuring Whether the Standard Template Appears in the Request Templates Page
    Enabling/Disabling Automatic Creation of Requestors upon Authentication
    Configuring the No-Login Web Form's Requestor Field as Read-Only
    Configuring Automatic Approval of Minor Rule Changes
    Configuring the "From" Address in Dashboard Emails
    Configuring the Default Due Date for Rule Removal Requests
    Configuring How Long the Device Objects List Is Stored in Cache
    Configuring Whether Emails to Related Change Requestors Include the Rule to be Removed
    Configuring the Default Due Date for Change Requests Marked for Future Recertification
    Configuring the Default Due Date for Recertification Requests
    Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets
    Configuring the List of User Properties

Replacing the Logo.......................................................................................................................................................... 218 

Configuring FireFlow's Default Interface Language ........................................................................................................ 220 

Modifying FireFlow Interface Text ................................................................................................................................... 222

Adding/Removing Standard NAT Fields in Change Requests ........................................................................................ 223

Adding/Removing Optional NAT Fields in Change Requests ......................................................................................... 226

Configuring the Default Authentication Action ................................................................................................................. 226 

Enabling/Disabling User Group Authentication during Initial Planning ............................................................................ 227 

Configuring the Handling of NAT-Only Traffic Changes .................................................................................................. 227 

 Automatically Sending Work Orders to an Implementation Team ................................................................................... 228 

Reverting to System Defaults ................................................................................................................................................. 231 


Importing User Data from an LDAP Server ............................................................................................. 233

Integrating FireFlow with External Change Management Systems ...................................................... 235 

Overview ................................................................................................................................................................................. 235 

Integrating FireFlow via the REST Interface ........................................................................................................................... 235 

REST Interface Integration Steps .................................................................................................................................... 236 

Configuring Authentication to FireFlow ............................................................................................................................ 236 

Creating Change Requests via the REST Interface ........................................................................................................ 237 

Integrating FireFlow via a CMS's Web Service ....................................................................................................................... 239 

Web Service Integration Steps ........................................................................................................................................ 239 

Configuring FireFlow to Use a Web Service .................................................................................................................... 240 

Integrating FireFlow via Email ................................................................................................................................................. 244 

Email Integration Steps ................................................................................................................................................... 244 

Preparation ...................................................................................................................................................................... 245 

Configuring FireFlow for Use with Remedy ..................................................................................................................... 245 

Configuring the Remedy Incoming Mailbox ..................................................................................................................... 246 

Configuring the Remedy Outgoing Mailbox ..................................................................................................................... 247 

Configuring Remedy Email Security ................................................................................................................................ 248 

Configuring the Remedy Filter ......................................................................................................................................... 249 

Remedy Filter Text .......................................................................................................................................................... 252 

Configuring the FireFlow Web Service ................................................................................................... 255

Overview ................................................................................................................................................................................. 255 

FireFlow Services ................................................................................................................................................................... 255 

FireFlowAuthenticateRequest ......................................................................................................................................... 255 

FireFlowCreateTicketRequest ......................................................................................................................................... 256 

FireFlowTerminateSessionRequest ................................................................................................................................ 257 

FireFlowAuthenticationResponse .................................................................................................................................... 257 

FireFlowCreateTicketResponse ...................................................................................................................................... 258 

FireFlowTerminateSessionResponse.............................................................................................................................. 258 

Data Types .............................................................................................................................................................................. 259 

Ticket ............................................................................................................................................................................... 259 TrafficLine ........................................................................................................................................................................ 260 

TrafficAddress ................................................................................................................................................................. 260 

TrafficService................................................................................................................................................................... 261 

TrafficNAT ....................................................................................................................................................................... 261 

CustomField .................................................................................................................................................................... 261 

Using the AlgoSec FireFlow Copy Customization Utility ...................................................................... 263 

Overview ................................................................................................................................................................................. 263 

Database Entities ............................................................................................................................................................ 263 

Configuration Files........................................................................................................................................................... 265 

Translation Files .............................................................................................................................................................. 266 

Upload Change Requests from File Scripts .................................................................................................................... 266 

Hook Files........................................................................................................................................................................ 266 

Web Service Clients ........................................................................................................................................................ 266 

Creating a Customizations File ............................................................................................................................................... 266 

Loading a Customizations File to the Target Site ................................................................................................................... 267 


Index........................................................................................................................................................... 269 

CHAPTER 1

Introduction

This section introduces the AlgoSec® FireFlow™ advanced configuration options and tools, as well as this guide.

In This Chapter

FireFlow Advanced Configuration ........................... 1
Configuration Options ...................................... 1
Advanced Configuration Options ............................. 2
Advanced Configuration Tools ............................... 3
Consulting Log Files ....................................... 4
Contacting Technical Support ............................... 5

FireFlow Advanced Configuration

FireFlow comes with several built-in advanced configuration options. For example, it is possible to customize FireFlow's look and feel or integrate FireFlow with other change management systems.

This guide discusses the various advanced configuration options available and the tools used to implement them. It is intended for professional integrators and other technical users.

Configuration Options

You can perform the following customizations of FireFlow:

Adding, editing, and deleting requestors

Refer to the AlgoSec FireFlow User Guide, Managing Requestors in the Web Interface and Managing Requestors in the Requestor Database.

Adding, editing, and deleting users

Refer to the AlgoSec FireFlow User Guide, Managing Privileged Users.

Adding, editing, and deleting user groups

See Working with User Groups (on page 29).

Adding, editing, and deleting custom fields

See Working with Custom Fields (on page 43).

Adding, editing, and deleting SLA notifications

See Working with SLA Notifications (on page 189).

Advanced Configuration Options

You can perform the following advanced customizations of FireFlow:

 

Customizing the FireFlow Home page 

See Customizing the FireFlow Home Page (on page 13).

  Customizing the Source, Destination, and Services wizards  

See Customizing the Source, Destination, and Service Wizards (on page 55).

  Configuring change request creation from spreadsheet files attached to change requests 

See Configuring Change Request Creation from File (on page 61).

  Modifying existing email templates

See Modifying FireFlow Email Templates (on page 65).

Adding, editing, and deleting workflows

A change request's workflow determines which lifecycle stages it will pass through. You can customize change request lifecycles, by creating new workflows, and by disabling or deleting the built-in workflows. Furthermore, you can modify the set of conditions determining when each workflow should be assigned.

You can modify workflows via the VisualFlow interface or via XML files. See Working with Workflows in VisualFlow (on page 71) and Working with Workflows via XML (on page 143).

 

Customizing the FireFlow risk check

The FireFlow default traffic change request lifecycle includes the Approve stage, in which a risk check is performed to determine whether implementing the change specified in a change request would introduce risks. The risk check is based on device analyses produced by AlgoSec Firewall Analyzer (AFA), a comprehensive device analysis solution that is a companion product of FireFlow.

It is possible to customize the FireFlow risk check, by configuring AFA to treat certain types of traffic as non-threatening trusted traffic when it produces the device analyses. This enables you to eliminate false alarms triggered by traffic that is necessary for the organization. In addition, you can create Risk Profiles that specify the severity level of individual risks. The FireFlow risk check will then use your custom Risk Profiles to detect risks of your preferred risk level classification.

For information on configuring trusted traffic and Risk Profiles in AFA, refer to the AlgoSec Firewall Analyzer User Guide.

Using hooks to control FireFlow parameters

You can streamline the change request lifecycle, by using hooks to control certain parameters, such as the name of the workflow to assign the change request in the Request stage, or the device group against which to check traffic. FireFlow will extract the desired parameters on the fly.

See Using Hooks (on page 167). 

Configuring rights

See Working with Rights (on page 177).

  Overriding FireFlow system defaults 

See Overriding FireFlow System Defaults (on page 199).

  Replacing the logo and/or texts in the FireFlow user interface 

You can replace the logo in the FireFlow user interface with the organization's logo. See Replacing the Logo (on page 218).


In addition, you can replace the texts that appear throughout the FireFlow user interface, either with custom texts, or with translations into any language. See Modifying FireFlow Interface Text (on page 222).

 

Integrating FireFlow with a third-party Change Management System  

See Integrating FireFlow with External Change Management Systems (on page 235).

  Using the FireFlow Web service 

See Configuring the FireFlow Web Service (on page 255).

  Configuring the import of user data from an LDAP server into FireFlow

See Importing User Data from an LDAP Server (on page 233).

  Performing change request migration 

AlgoSec provides an API for performing a one-time migration of historic change requests from an existing Change Management System to FireFlow. For further information, contact AlgoSec.

 

Customizing the incoming email parsing format

In organizations where submitting requests to FireFlow via email is supported, all request emails must conform to the following format by default:

Source: <source>
Destination: <destination>
Service: <service>
Action: <action>

where:

<source> is the IP address, IP range, network, device object, or DNS name of the connection source.

<destination> is the IP address, IP range, network, device object, or DNS name of the connection destination.

<service> is the device service or port for the connection.

<action> is the device action to perform for the connection. This can be either of the following:

  allow - Allow the connection.

  drop - Block the connection.

If desired, you can change the required format for request emails. For further information, contact AlgoSec.
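A request email in the default format above can be checked before it is sent. The following Python sketch is an added example, not AlgoSec code: it parses a message body in the four-field layout and rejects anything malformed. The a.b.c.d-e.f.g.h range syntax, case-insensitive field names, the name pattern and the rejection of extra lines are assumptions, since the guide does not specify them.

```python
import ipaddress
import re

REQUIRED_FIELDS = ("source", "destination", "service", "action")
ALLOWED_ACTIONS = {"allow", "drop"}  # the two actions listed in the guide

# Constructed sample body, for illustration only.
SAMPLE_BODY = """Source: 10.0.0.5
Destination: 192.168.1.0/24
Service: 443
Action: allow
"""


class RequestFormatError(ValueError):
    """Raised when a body does not match the default four-field format."""


def classify_endpoint(value):
    """Return 'ip', 'range', 'network' or 'name' for a Source/Destination value."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "/" in value:
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            raise RequestFormatError(f"malformed network: {value!r}") from None
        return "network"
    low, sep, high = value.partition("-")
    if sep:
        try:
            lo = ipaddress.ip_address(low.strip())
            hi = ipaddress.ip_address(high.strip())
        except ValueError:
            lo = hi = None  # not two addresses; may still be a hyphenated name
        if lo is not None:
            if lo.version != hi.version or lo > hi:
                raise RequestFormatError(f"invalid IP range: {value!r}")
            return "range"
    if re.fullmatch(r"[0-9.]+", value):
        # Digits and dots only, yet not a valid address (e.g. 10.0.0.300).
        raise RequestFormatError(f"malformed IP address: {value!r}")
    if re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", value):
        return "name"  # device object or DNS name (assumed character set)
    raise RequestFormatError(f"unrecognized endpoint: {value!r}")


def parse_request(body):
    """Parse a request body and return a dict of validated fields."""
    fields = {}
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only, so IPv6 values stay intact.
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or key not in REQUIRED_FIELDS:
            raise RequestFormatError(f"line {lineno}: unexpected content")
        if key in fields:
            raise RequestFormatError(f"line {lineno}: duplicate field {key!r}")
        if not value:
            raise RequestFormatError(f"line {lineno}: empty value for {key!r}")
        fields[key] = value
    missing = [name for name in REQUIRED_FIELDS if name not in fields]
    if missing:
        raise RequestFormatError("missing field(s): " + ", ".join(missing))
    action = fields["action"].lower()
    if action not in ALLOWED_ACTIONS:
        raise RequestFormatError(f"action must be allow or drop, got {action!r}")
    return {
        "source": fields["source"],
        "source_kind": classify_endpoint(fields["source"]),
        "destination": fields["destination"],
        "destination_kind": classify_endpoint(fields["destination"]),
        "service": fields["service"],
        "action": action,
    }


if __name__ == "__main__":
    print(parse_request(SAMPLE_BODY))
```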

Advanced Configuration Tools

Advanced FireFlow customization is performed using the following tools:

FireFlow user interface

In order to perform advanced configurations via the FireFlow user interface, you must log in as a FireFlow configuration administrator. See Logging in for Advanced Configuration Purposes (on page 7).

 

Original and override configuration files 


FireFlow includes a set of original configuration files that contain various FireFlow default settings. In order to modify the default settings in a particular file, you create an override configuration file whose content is copied from the original file and modified to suit your needs. If the override file exists, FireFlow ignores the original file and refers only to the override file.

In order to access original and override files, you must log in to the FireFlow server via SSH with the username "root". The default password for this user on an AlgoSec Hardware Appliance or a VM is "algosec".

 

FireFlow restart utility  

FireFlow includes a utility for restarting it after certain configuration changes are made. In order to use this utility, you must log in to the FireFlow server via SSH with the username "root". The default password for this user on an AlgoSec Hardware Appliance or a VM is "algosec". For further information, see Restarting FireFlow (on page 11).

 

AlgoSec Firewall Analyzer user interface

In order to perform advanced configurations via the AlgoSec Firewall Analyzer user interface, you must log in as an AFA administrator. For information on logging in to AlgoSec Firewall Analyzer, refer to the AlgoSec FireFlow User Guide, Logging into the AlgoSec Firewall Analyzer Web Interface, or the AlgoSec Firewall Analyzer User Guide.

Consulting Log Files

You can download a ZIP containing all FireFlow log files.

If desired, you can also access the following log files directly:

 

/usr/share/fireflow/var/log/fireflow.log. The main FireFlow log file.

/usr/share/fireflow/local/VisualFlow/log/production.log. The VisualFlow log file.

/var/log/httpd/error_log. The Apache error log file.

Note: In order to access these log files directly, you must log in to the FireFlow server via SSH with the username "root". The default password for this user on an AlgoSec Hardware Appliance or a VM is "algosec".

 

To download FireFlow logs

1 Log in to FireFlow.

2 In the toolbar, click Info. 

The Info dialog box opens.


3 Click Download Support Zip.

A ZIP file called FireFlow_support.zip is downloaded to your computer.

4 Click OK.

Contacting Technical Support

  To contact AlgoSec Technical Support

1 Open any Web browser, and navigate to:

http://www.algosec.com/en/support/submit_service_request.php

2 Open a ticket.

3 Attach relevant logs to the ticket:

  AFA or FireFlow logs, if the ticket concerns these products

 

HA logs, if the ticket concerns HA-related issues. For information on collecting these logs, refer to the AlgoSec Hardware Appliance User Guide.

CHAPTER 2

Logging in for Advanced Configuration Purposes

You can perform advanced configurations via the FireFlow user interface, when logged in as a FireFlow configuration administrator. A FireFlow configuration administrator is a privileged user with FireFlow Administrator - Allow FireFlow Advanced Configuration permissions. These permissions are granted in AlgoSec Firewall Analyzer. For information, refer to the AlgoSec FireFlow User Guide, Adding and Editing Users.

Note: After completing initial configuration, it is recommended to revoke FireFlow Administrator - Allow FireFlow Advanced Configuration permissions for all users, in order to avoid accidental changes to the configuration.

To log into FireFlow for advanced configuration purposes

1 In your browser's Address field, type https://<algosec_server>/algosec/ where <algosec_server> is the AlgoSec server URL.

The AlgoSec Security Suite page appears.

2 Click FireFlow.

The FireFlow Login page appears.

3 Enter your username and password in the fields provided.

4 If the Domain field appears, type the name of the domain.

This field only appears when domains are enabled.

To log in as management, do not enter a domain name.

5 Click Login.


The FireFlow Home Page appears.

Advanced configuration settings can be accessed by clicking the Configuration and Advanced Configuration main menu items. When domains are enabled, domain level administrators will not see the Advanced Configuration option in the main menu.

CHAPTER 3

Restarting FireFlow

After making certain FireFlow configuration changes, it is necessary to restart all FireFlow workers that are running background tasks, as well as restart Apache. The FireFlow restart utility enables you to perform all the necessary restart actions with a single command.

Note: The procedures that require restarting FireFlow are marked as such in this guide.

To restart FireFlow

1 Log in to the FireFlow server using the username "root" and the related password.

2 Enter the following command:

restart_fireflow

All FireFlow workers that are currently running background tasks are restarted.

Apache is restarted.

CHAPTER 4

Customizing the FireFlow Home Page

This section explains how to customize the FireFlow Home page.

In This Chapter

Overview ................................................... 13
Customizing the Home Page Globally ......................... 14
Customizing the Home Page per Group ........................ 18
Customizing Pre-defined Search Results ..................... 22

Overview

If desired, you can customize the Home page on any of the following levels:

Globally

Global customization affects the Home page of all users. It enables adding or removing any screen element.

See Customizing the Home Page Globally (on page 14).

Per group

Per-group customization affects the Home page of all users belonging to a specific user group. It enables adding screen elements to the Home page, but not removing those that were added via global customization.

See Customizing the Home Page per Group (on page 18).

Per user

Per-user customization affects the Home page of a specific user only. It enables adding screen elements to the Home page, but not removing those that were added via global or per-group customization.

Refer to the AlgoSec FireFlow User Guide, Customizing the FireFlow Home Page.

Elements that can be added to the Home page include the following:

Pre-defined search results

FireFlow includes a set of pre-defined search results that you can include on the Home page. If desired, you can customize them as described in Customizing Pre-defined Search Results (on page 22).

Custom search results

In order to include custom search results, you must save them under "FireFlow's saved searches". For information on saving search results, refer to the AlgoSec FireFlow User Guide, Saving Searches.

Charts

In order to include a chart, you must save it under "FireFlow's saved searches". For information on saving charts, refer to the AlgoSec FireFlow User Guide, Saving Charts.

Refresh fields

Customizing the Home Page Globally

By default, the Home page is globally configured to include the Change Request I own pre-defined search results and a Refresh field. If desired, you can add or remove elements.

Note: Elements that are added to the Home page via global customization cannot be removed via per-group or per-user customization.

Note: When domains are enabled, domain level administrators will not see the Advanced Configuration option in the main menu. To log in as management, do not enter a domain name.

  To customize the Home page globally

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

3 Click Global.


The Admin/Global configuration page appears.

4 Click FireFlow Home Page.

The FireFlow Home Page appears.

5 For each element you want to add to the Home page, do the following:

a) In the Available list box, select the element you want to add.


For information on each element, see the following table.

 b)  Click .

The selected element moves to the right list box. The order that the elements appear in the box represents the order in which they will appear in the Home page.

c)  To move the element up or down in the box, select the element and click the or buttons.

d) To delete the element, select it and click Delete.

Your changes are saved.

Home Page Elements

Select this element...

To add this to the Home page...

"N" Soon to be due change requests

Pre-defined search results consisting of a list of open change requests in the system that have a due date that has passed, that is the current date, or that is the day after the current date.

"N" Change Requests owned by Controllers group

Pre-defined search results consisting of a list of change requests in the system that are owned by the Controllers group.

"N" Change Requests owned by Network group

Pre-defined search results consisting of a list of change requests in the system that are owned by the Network group.

"N" Change Requests owned by Security group

Pre-defined search results consisting of a list of change requests in the system that are owned by the Security group.

"N" Change Requests Relevant to My Groups

Pre-defined search results consisting of a list of change requests in the system that are relevant to the user groups to which you belong.

"N" Change Requests that are due to be recertified

Pre-defined search results consisting of a list of traffic change requests in the system that expired, and which should be recertified.

"N" Change Requests Flagged by Requestor as "Change Does Not Work"

Pre-defined search results consisting of a list of change requests in the system that have been flagged by the requestor as "Change Does Not Work".

"N" Change Requests that Received Requestor's Response

Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage and received the requestor's confirmation that the requested change was implemented successfully.

"N" Change Requests to Approve

Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage.

"N" Change Requests to Create Work Order

Pre-defined search results consisting of a list of change requests in the system that are currently in the Implement stage and awaiting a work order to be created.

"N" Change Requests to Expire in the Next 30 days

Pre-defined search results consisting of a list of change requests in the system that will expire within the next 30 days.

"N" Change Requests to Implement

Pre-defined search results consisting of a list of change requests in the system that are currently in the Implement stage and awaiting implementation.

"N" Change Requests to Plan

Pre-defined search results consisting of all change requests in the system that are currently in the Plan stage.

"N" Change Requests to Review

Pre-defined search results consisting of a list of change requests in the system that are currently in the Review stage and awaiting a controller's review.


"N" Change Requests to Send Removal Notification to Rule Requestors

Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage, and for which a rule removal notification will be sent to the rule's traffic requestors.

"N" Change Requests to Validate

Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage.

"N" Change Requests Waiting for Removal Response from Rule Requestors

Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage and awaiting confirmation from the rule's traffic requestors that the requested rule removal is approved.

"N" Change Requests Waiting for Requestor's Response

Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage and awaiting the requestor's confirmation that the requested change was implemented successfully.

"N" New Change Requests

Pre-defined search results consisting of a list of change requests in the system that are new and still in the Request stage, and whose traffic has already been checked against devices.

"N" New Recertification Requests

Pre-defined search results consisting of a list of recertification requests in the system that are new and still in the Request stage.

"N" Open Change Requests

Pre-defined search results consisting of a list of change requests in the system that are currently open.

"N" Parent Recertification Requests Pending Sub Requests Implementation

Pre-defined search results consisting of a list of parent recertification requests in the system that are currently in the Implement stage and awaiting implementation of the relevant sub-requests.

"N" Parent Requests Pending Sub Request Implementation

Pre-defined search results consisting of a list of parent requests in the system that are currently in the Implement stage and awaiting implementation of the relevant sub-requests.

"N" Recertification Requests to Create Work Order

Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Implement stage and awaiting a work order to be created.

"N" Recertification Requests to Implement

Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Implement stage and awaiting implementation.

"N" Recertification Requests to Plan

Pre-defined search results consisting of all recertification requests in the system that are currently in the Plan stage.

"N" Recertification Requests to Send Recertify Notification to Traffic Requestors

Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Approve stage, and for which a recertification notification will be sent to the traffic requestors.

"N" Recertification Requests to Validate

Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Validate stage.

"N" Recertification Requests Waiting for Recertify Response from Traffic Requestors

Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Approve stage and awaiting confirmation from the traffic requestors that the requested recertification is approved.

"N" Rejected Change Requests

Pre-defined search results consisting of a list of change requests in the system that were rejected.

"N" Resolved Change Requests

Pre-defined search results consisting of a list of change requests in the system that have been resolved.

"N" Total New Change Requests

Pre-defined search results consisting of a list of all change requests in the system that are new and still in the Request stage, including change requests whose traffic has not yet been checked against devices.


Bookmarked Change Requests

A list of change requests that the user bookmarked.

My Change Requests

Pre-defined search results consisting of a list of change requests in the system that are owned by you.

RefreshHomepage

Controls for refreshing the page.

Unowned Change Requests

Pre-defined search results consisting of a list of change requests in the system that currently have no owner.

Saved Search Name

A custom search that was saved under "FireFlow's saved searches", and which is available to your user role.

For information on saving searches, see Saving Searches.

Chart Name

A chart that was saved under "FireFlow's saved searches", and which is available to your user role.

For information on saving charts, see Saving Charts.

Search for chart Chart Name

A custom search on which a certain chart is based.

Customizing the Home Page per Group

By default, the Home page for a user group is configured to include certain pre-defined search results, as well as the globally configured elements. If desired, you can add or remove elements.

Note: Elements that were added to the Home page via global customization cannot be removed via per-group customization. Likewise, elements that are added to the Home page via per-group customization cannot be removed via per-user customization.

  To customize the Home page for a specific user group

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.


The FireFlow Configuration page appears.

3 Click Groups.

The Select a group page appears.

4 (Optional) To search for the desired group, do the following:


a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

b) To include disabled groups in the search, select the Include disabled groups in listing check box.

c) Click Go.

The groups matching the search criteria are displayed.

5 Click the desired group's name.

The Editing membership for group page appears.

6 In the main menu, click FireFlow Home Page.


The FireFlow Home Page for the selected group appears.

7 For each element you want to add to the Home page, do the following:

a) In the Available list box, select the element you want to add.

For information on each element, see Home Page Elements (page 16).

 b)  Click .

The selected element moves to the right list box. The order that the elements appear in the box represents the order in which they will appear in the Home page.

Note: All custom elements will appear above the globally added pre-defined search results in the Home page.

c) To move the element up or down in the box, select the element and click the or buttons.

d) To delete the element, select it and click Delete.

Your changes are saved.

8 To reset the page's fields to their default values, click Reset to default.


Customizing Pre-defined Search Results

The pre-defined search results described in Home Page Elements (page 16) represent specific saved searches. For example, "N" New Change Requests represents an advanced search for all change requests with the status "New", and it displays search results in descending order sorted according to the LastUpdated column.

If desired, you can customize the pre-defined search results' appearance, so as to include different columns, sort order, number of results rows, and so on. See Customizing the Appearance of Pre-defined Search Results (on page 22).

You can also add the Certify Change Requests button to pre-defined search results that consist of resolved traffic change requests, so as to enable users to create recertification requests. See Adding the "Certify Change Requests" Button to Pre-Defined Search Results (on page 23).

Customizing the Appearance of Pre-defined Search Results

 

To customize pre-defined search results' appearance

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Search.

The Query Builder  page appears.

3 In the Load saved search drop-down list, under FireFlow's saved searches, select the relevant pre-defined search.


4 Click Load.

The search is loaded.

5 In the Display Columns area, modify the search results' appearance as desired.

For information, refer to the AlgoSec FireFlow User Guide, Column Format Fields.

6 Click Save.

The pre-defined search's definition is modified.

Adding the "Certify Change Requests" Button to Pre-Defined Search Results

  To customize pre-defined search results' appearance

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Search.

The Query Builder page appears.

3 In the Load saved search drop-down list, under FireFlow's saved searches, select the relevant pre-defined search.

4 Click Load.

The search is loaded.

5 In the main menu, click  Edit Search - Advanced.

6 In the Format field, add:

/ALLOW_RECERTIFICATION

7 Click Apply.

The Query Builder  page reappears with your changes.

8 Click Save.

The pre-defined search's definition is modified.


CHAPTER 5

Working with Users

This section explains how to enable and disable privileged users in FireFlow. For information on adding, editing, and deleting privileged users, refer to the AlgoSec FireFlow User Guide, Managing Privileged Users.

In This Chapter

Disabling Privileged Users
Enabling Privileged Users

Disabling Privileged Users

If desired, you can disable a privileged user, so that they no longer appear in the FireFlow interface.

Note: Values that were entered for a user before they were disabled are retained in the FireFlow database.

Note: Users that are deleted from AlgoSec Firewall Analyzer and FireFlow are demoted to requestors and disabled. Refer to the AlgoSec FireFlow User Guide, Deleting Users.

To disable a privileged user

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.


The FireFlow Configuration page appears.

3 Click Users.

The Select a user page appears.

4 (Optional) To search for the desired user, do the following:


a) In the Find all users whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

b) Click Go.

The users matching the search criteria are displayed.

5 Click on the desired user's name.

The Modify the user page appears.

6 Clear the User enabled check box.

7 Click Save.

The user is disabled.

Enabling Privileged Users

You can re-enable a disabled user.

To enable a privileged user

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.


3 Click Users.

The Select a user page appears.

4 Search for the desired user, by doing the following:

a) In the Find all users whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

b) Select the Include disabled users in search check box.

c) Click Go.

The users matching the search criteria are displayed.

5 Click on the desired user's name.

The Modify the user  page appears.

6 Select the User enabled check box.

7 Click Save.

The user is enabled.


CHAPTER 6

Working with User Groups

This section explains how to add user groups to FireFlow. It also describes how to edit and disable user groups.

In This Chapter

Adding User Groups
Editing User Groups
Managing Group Members
Assigning Global and Queue Rights to User Groups
Configuring Group Rights for Custom Fields
Disabling User Groups
Enabling User Groups

Adding User Groups

To add a user group

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.


The FireFlow Configuration page appears.

3 Click Groups.

The Select a group page appears.

4 In the main menu, click Create.


The Create a new group page appears.

5 Complete the fields using the information in Group Fields (page 31).

6 Click Save.

7 Specify which users and groups should be members in the new user group.

See Managing Group Members (on page 33).

Note: If desired, this step can be skipped and performed later on, as described in the AlgoSec FireFlow User Guide, Adding Users to FireFlow User Groups.

8 If you did not copy settings from another group, or if you copied settings and would like to modify them, do the following:

a) Customize the group's Home page.

See Customizing the Home Page per Group (on page 18).

b) Assign global and queue rights to the user group.

See Assigning Global and Queue Rights to User Groups (on page 35).

c) Configure the group's rights for each custom field.

See Configuring Group Rights for Custom Fields (on page 36).

Group Fields

In this field...

Do this...

Name

Type a name for the group.

Description

Type a description of the group.

Group LDAP DN

Type the DN of the group in the LDAP server.

For example: "cn=network_users,ou=organization,o=mycompany,c=us"


Enabled

Select this option.

Copy Group Rights and Home Page Settings from group

To assign this group the same settings as another group, select the group from which to copy settings.

The following settings will be copied from the selected group:

  Group rights

  Global permissions

  Queue permissions

  Rights for custom fields

  Home page settings

Note: It is recommended to select this option when creating a new group, as it significantly shortens the group creation process.

Revoke rights which were not granted to this group

To revoke any group rights that were assigned to this group, but which are not assigned to the group in the Copy Group Rights and Home Page Settings from group field, select this option.

This field only appears when editing a user group.

Editing User Groups

Note: Do not change any of the pre-defined Admin user group's settings. This group consists of the AlgoSec administrators and is only used by FireFlow internally.

Note: If you change the name of a pre-defined user group (Network, Security, Controllers, or Read-Only), you must also change the group's name in all workflows. For information, see Working with Workflows in VisualFlow (on page 71).

 

To edit a user group

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 To edit the group's name, description, and whether it should inherit its settings from another group, do the following:

a) In the main menu, click Configuration.

The FireFlow Configuration page appears.

b) Click Groups.

The Select a group page appears.

c) (Optional) To search for the desired group, do the following:

1. In the Find groups whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

2. To include disabled groups in the search, select the Include disabled groups in listing check box.

3. Click Go.

The groups matching the search criteria are displayed.

d) Click the desired group's name.

The Editing membership for group page appears.

e) In the main menu, click Basics.


The Modify the group page appears.

f) Complete the fields using the information in Group Fields (page 31).

g) Click Save.

3 To edit the group's members, see Managing Group Members (on page 33).

4 To customize the group's Home page, see Customizing the Home Page per Group (on page 18).

5 To assign global and queue rights to the group, see Assigning Global and Queue Rights to User Groups (on page 35).

6 To configure the group's rights for custom fields, see Configuring Group Rights for Custom Fields (on page 36).

Managing Group Members

  To manage a group's members

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click Groups.

The Select a group page appears.

4 (Optional) To search for the desired group, do the following:

a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

b) To include disabled groups in the search, select the Include disabled groups in listing check box.

c) Click Go.

The groups matching the search criteria are displayed.

5 Click the desired group's name.


The Editing membership for group page appears.

6 To add users and/or groups:

a) In the Add members area, select the desired users and groups.

b) Click Save.

The users and/or groups are added to the user group and appear in the Current members area.

Note: Members of this user group will see the Home page elements configured for this user group.

7 To remove users and/or groups:

a) In the Current members list, select the check boxes next to the desired users and/or groups.

b) Click Save.

The users and/or groups are removed from the new user group and appear in the Add members area.

8 To specify the group member to which change requests should automatically be assigned, when they are sent to this user group:

a) In the Group Default Assignee area, click Change.

The Select Default Assignee window opens.

b) Select the desired group member.

c) Click OK.


Note: If you do not specify a user, then the first member of the group will become the default assignee.

9 Click Save.

Assigning Global and Queue Rights to User Groups

A user group can be assigned global rights, which are rights for actions that can be performed on all change requests or actions that are not related to change requests, and queue rights, which are rights for actions that can only be performed on change requests belonging to a certain queue.

FireFlow allows you to assign these rights to a user group in the following ways:

  By viewing a single user group and then assigning it the desired global and queue rights

  See Configuring a Group's Global and Queue Rights (on page 35).

  By viewing all global rights and then assigning them to the desired user group

  See Configuring Global Rights for Groups (on page 178).

  By viewing all queue rights and then assigning them to the desired user group

  See Configuring Queue Rights for Groups (on page 183).

Configuring a Group's Global and Queue Rights

 

To configure a user group's global and queue rights

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click Groups.

The Select a group page appears.

4 (Optional) To search for the desired group, do the following:

a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

b) To include disabled groups in the search, select the Include disabled groups in listing check box.

c) Click Go.

The groups matching the search criteria are displayed.

5 Click the desired group's name.

The Editing membership for group page appears.

6 In the main menu, click  Rights.


The Editing rights for group page appears.

The Editing Rights on Global actions area enables you to grant rights for global actions, and the Editing Rights on Queue actions area enables you to grant rights for queue rights.

7 To assign rights, do the following in the relevant area:

a) In the New rights list box, select the rights you want to assign this group.

To select multiple rights, press Ctrl while you click on the desired rights.

b) Click Modify Rights.

The selected rights appear in the Current rights area.

8 To revoke rights, do the following in the relevant area:

a) In the Current rights area, select the check boxes next to the rights you want to revoke.

b) Click Modify Rights.

The selected rights are removed from the Current rights area.

Configuring Group Rights for Custom Fields

You can configure group rights for the following types of custom fields:

  User-defined custom fields

  See Configuring Group Rights for User-Defined Custom Fields (on page 37).

  FireFlow fields

  See Configuring Group Rights for FireFlow Fields (on page 39).


For information on both types of custom fields, see Working with Custom Fields (on page 43).

Configuring Group Rights for User-Defined Custom Fields

 

To configure a group's rights for a user-defined custom field

1 In the main menu, click Configuration.

The FireFlow Configuration page appears.

2 Click User Defined Custom Fields.

The Select a Custom Field page appears.

3 Click on the desired custom field's name.


The Editing Custom Field page appears.

4 In the main menu, click Group Rights.

The Modify group rights for custom field page appears.


5 Complete the fields using the information in Modify Group Rights Fields (page 39).

6 Click Submit.

Modify Group Rights Fields

In this field...

Do this...

System groups

In this area, select the level of rights that each system (built-in) group should have for this field.

The system groups are:

  Everyone. Represents all users, including both privileged and unprivileged users.

  Privileged. Represents all information security and network operations users, as well as any user-defined user groups.

  Unprivileged. Represents requestors.

The available levels of rights are:

  AdminCustomField. Users in this group can view and modify the field's definition (for example, they can modify the field's name, disable it, and so on).

  ModifyCustomField. Users in this group can modify the field's value, but cannot view the field.

  SeeCustomField. Users in this group can view the field, but cannot modify its value.

  (no value). Users in this group cannot view or modify the field.

User defined groups

In this area, select the level of rights that each user-defined user group should have for the field.

The available levels of rights are:

  AdminCustomField. Users in this group can view and modify the field's definition (for example, they can modify the field's name, disable it, and so on).

  ModifyCustomField. Users in this group can modify the field's value, but cannot view the field.

  SeeCustomField. Users in this group can view the field, but cannot modify its value.

  (no value). Users in this group cannot view or modify the field.

Reset

Click this button to remove all your unsaved modifications to the fields on this page.

Configuring Group Rights for FireFlow Fields

 

To configure a group's rights for a FireFlow field

1 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.

2 Click FireFlow Fields.

The Select a FireFlow Field page appears.

3 Click on the desired FireFlow field's name.


The Editing Custom Field page appears.

4 In the main menu, click Group Rights.

The Modify group rights for custom field page appears.

5 Complete the fields using the information in Modify Group Rights Fields (page 39).

6 Click Submit.

Disabling User Groups

If desired, you can disable a user group, so that it no longer appears in the FireFlow interface.

Note: Values that were entered for the user group before it was disabled are retained in the FireFlow database.

  To disable a user group

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click Groups.

The Select a group page appears.

4 (Optional) To search for the desired group, do the following:

a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

b) Click Go.

The groups matching the search criteria are displayed.

5 Click the desired group's name.

The Editing membership for group page appears.

6 In the main menu, click Basics.

The Modify the group page appears.

7 Clear the Enabled check box.

8 Click Save.

Enabling User Groups

You can re-enable a disabled user group.

  To enable a user group

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click Groups.


The Select a group page appears.

4 Search for the desired group, by doing the following:

a)  In the Find groups whose area, select the desired options in the drop-down lists, and type the search string in the field provided.

b)  Select the Include disabled groups in listing check box.

c)  Click Go.

The groups matching the search criteria are displayed.

5 Click the desired group's name.

The Editing membership for group page appears.

6 In the main menu, click Basics.

The Modify the group page appears.

7 Select the Enabled check box.

8 Click Save.

CHAPTER 7

Working with Custom Fields

This section explains how to work with custom fields.

In This Chapter

Overview
Adding User-Defined Custom Fields
Editing User-Defined Custom Fields
Editing FireFlow Fields
Disabling User-Defined Custom Fields
Enabling User-Defined Custom Fields
Configuring the Order of User-Defined Custom Fields

Overview

FireFlow includes two types of custom fields:

  User-defined custom fields

You can define custom fields and add them to change requests, users, or user groups throughout the FireFlow user interface. For example, you can add a budget number field in change requests or an extension number field for users. In addition, it is possible to add custom fields to a change request's traffic fields.

Custom fields can also be added to object changes in a change request.

You can edit, disable, configure the order of, and configure group rights for custom fields. For information on configuring a custom field's group rights, see Configuring Group Rights for User-Defined Custom Fields (on page 37).

  FireFlow fields

FireFlow comes with a set of built-in custom fields called FireFlow fields. You can modify the display name and description of such fields. In addition, you can configure group rights for them, as described in Configuring Group Rights for FireFlow Fields (on page 39).

Adding User-Defined Custom Fields

Note: You cannot add user-defined custom fields that have the same name as a built-in FireFlow field. To view a list of built-in FireFlow fields, click Advanced Configuration > FireFlow Fields.

  To add a user-defined custom field

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click User Defined Custom Fields.


The Select a Custom Field page appears.

4 In the main menu, click Create.

The Create a Custom Field page appears.

5 Complete the fields using the relevant information in Custom Field Page Fields (page 46).

6 Click Create.

Additional fields appear.


7 Complete the fields using the relevant information in Custom Field Page Fields (page 46).

8 Click Save.

If the new field is a list (that is, you chose one of the "Select" options in the Type field), and you chose to specify which values should be included in the list in the Values area of this page (that is, you chose Provide list of values below in the Field values source field), additional fields appear in the Value area.

Do any of the following:

  To add more values to the list, do the following for each value you want to add:

1. Complete the new fields using the relevant information in Create a Custom Field Page Fields (page 46).

2. Click Save.

The value is added, and additional fields appear in the Value area.

  To delete existing values from the list, do the following:

1. Select the check box next to each value you want to delete.

2. Click Save.

The specified values are deleted.

The new field appears throughout the FireFlow user interface.

Note: By default, all user groups (including the Unprivileged group) are granted SeeCustomField and ModifyCustomField rights for the new custom field, except for the Read-Only group, which is granted only SeeCustomField rights. The Admin group is also granted AdminCustomField rights for the new custom field. If you would like to modify group rights for the new custom field, see Configuring Group Rights for User-Defined Custom Fields (on page 37).

Custom Field Page Fields

In this field... Do this ...

Name Type a name to represent the field internally.

This field is mandatory and must be filled in with a unique value containing any of the following: letters, digits, hyphen, underscore, dots, and spaces.

Note that this is not the name that users will see in the FireFlow interface.

Description Type a description of the field.

This description will appear as a tooltip, when you mouse-over the custom field's name in the Create Change Request page.

Display Name Type the name that should represent the field in the FireFlow interface.

Category Select the field's category. This can be any of the following:

  additional. Allows creating a custom field for change requests, users, or user groups.

  additional for object. Allows creating a custom field for each object change in an object change request. For example, select this category if you want to add a comment field to each object change in a change request.

  additional for traffic. Allows creating a custom field for each traffic change in a traffic change request. For example, select this category if you want to add a comment field to each line of traffic in a change request.

  additional for source. Allows creating a custom field that appears below a traffic change request's Source field. For example, select this category if you want to add a comment field next to a traffic source.


  additional for destination. Allows creating a custom field that appears below a traffic change request's Destination field. For example, select this category if you want to add a comment field next to a traffic destination.

  additional for service. Allows creating a custom field that appears below a traffic change request's Service field. For example, select this category if you want to add a comment field next to a traffic service.

Type Select the field's type. This can be any of the following:

  Fill in one wikitext area. Allows entering multi-line blocks of wikitext

  Upload one image. Allows uploading one image file

  Upload multiple images. Allows uploading multiple image files

  Select date. Allows selecting a date

  Upload one file. Allows uploading one file 

  Upload multiple files. Allows uploading multiple files

  Text-1. Allows entering a large block of text

  Select one value. Allows selecting one value from a list

  Enter one value. Allows entering one line of text in the field

  Enter multiple values (one per line). Allows entering multiple values in the field, each one on a separate line

  Select or enter one value. Allows selecting one value from a list or entering one value

  Select one value from drop down. Allows selecting one value from a drop-down list

  Select multiple values using control key. Allows selecting multiple values from a list, by pressing Ctrl while clicking on the desired values

  Enter one value with autocompletion. Allows entering one value that is automatically completed

  Enter multiple values with autocompletion. Allows entering multiple values that are automatically completed

Field values source If the new field is a list (that is, you chose one of the "Select" options in the Type field), select the source of the values that should appear in the list. This can be any of the following:

  Provide list of values below. The list of values specified in the Value area at the bottom of this page

  Firewall names

  Firewall hostgroup names

  Firewall service group names

  Available Workflows

Applies To Select one of the following:

  Change Requests. The custom field should appear in change requests.

  Users. The custom field should appear for users.

  Groups. The custom field should appear for user groups.


Link values to If you want the field's value to link to a Web page, enter the URL that should open upon clicking the link.

The URL can include parameters, which FireFlow will replace as follows:

FireFlow will replace this parameter... With this...

__id__ The record ID

__CustomField__ The custom field's value

For example, if you specify the URL https://Third-party_system/show_ticket?id=__CustomField__, then the field's value will be a link. If the field's value for a specific change request is “123”, then clicking on the link will open a browser displaying the Web page https://3rd_party_system/show_ticket?id=123.

Include page If you want the field to display a Web page, enter the URL of the desired Web page.

The URL can include the same parameters as Link values to.

For example, if you specify the URL https://Third-party_system/show_ticket?id=__CustomField__, and the field's value for a specific change request is “123”, then the field will display the Web page https://3rd_party_system/show_ticket?id=123.

Default Value Type a default value for the field.

Note: FireFlow does not check whether the specified default value is valid for the field.

Validation Select the form of validation to perform for this field. This can be any of the following:

  (?#Mandatory). The field is mandatory. FireFlow will require this field to be filled in.

  (?#Digits).^[d\.]+$. The field's value must be a number.

  (?#Year).^[12]\d{3}$. The field's value must be a year.

  None. To specify that FireFlow should not perform validation for the field, do not select a value.

Hide custom field if it has empty value Select this option to indicate that the custom field should only appear in the FireFlow interface if it has a value.

Enabled Select this check box to enable the field.

If you do not enable the field, it will not appear in the FireFlow user interface.

Values If the new field is a list (that is, you chose one of the "Select" options in the Type field), and you chose to specify which values should be included in the list in the Values area of this page (that is, you chose Provide list of values below in the Field values source field), then specify the desired values using the fields in this area.

Sort Type a whole number indicating the value's position in the list. For example, if the value should appear first in the list, type 1.

Name Type the name of the value.

Description Type a description of the value.


Editing User-Defined Custom Fields

  To edit an existing user-defined custom field

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click User Defined Custom Fields.

The Select a Custom Field page appears.

4 Click on the desired field's name.

The Editing Custom Field page appears.

5 Modify the fields as desired, using the information in Custom Field Page Fields (page 46).

6 Click Save.

Editing FireFlow Fields

For the FireFlow fields, you may change only the display name and description. Any other change will cause FireFlow to behave unpredictably.

  To edit a FireFlow field

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).


2 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

3 Click FireFlow Fields.

The Select a FireFlow Field page appears.


4 Click on the desired custom field's name.

The Editing Custom Field page appears.

5 In the Description field, type a description of the custom field.

This description will appear as a tooltip, when you mouse-over the custom field's name in the Create Change Request page.

6 In the Display Name field, type the name that should represent the field in the FireFlow interface.

7 Click Save.

Disabling User-Defined Custom Fields

If desired, you can disable a user-defined custom field, so that it no longer appears in the FireFlow interface.

Note: Values that were entered for a custom field before it was disabled are retained in the FireFlow database.

 

To disable an existing user-defined custom field

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click User Defined Custom Fields.

The Select a Custom Field page appears.

4 (Optional) To filter the displayed fields, do the following:

a)  In the Only show custom fields for area, select the desired option in the drop-down list.

b)  Click Go.

The fields matching the filter criteria are displayed.

5 Click on the desired field's name.

The Editing Custom Field page appears.

6 Clear the Enabled check box.

7 Click Save.

Enabling User-Defined Custom Fields

You can re-enable a disabled user-defined custom field.

  To enable a user-defined custom field

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click User Defined Custom Fields.

The Select a Custom Field page appears.


4 Select the Include disabled custom fields in listing check box.

5 (Optional) To filter the displayed fields, in the Only show custom fields for area, select the desired option in the drop-down list.

6 Click Go.

7 Click on the desired field's name.

The Editing Custom Field page appears.

8 Select the Enabled check box.

9 Click Save.

Configuring the Order of User-Defined Custom Fields

When multiple user-defined custom fields are defined for change requests, you can configure the order in which they should appear in change requests.

  To configure the order of user-defined custom fields in change requests

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click User Defined Custom Fields.

The Select a Custom Field page appears.

4 In the main menu, click Order.

The Order Custom Fields page appears with all user-defined custom fields, divided according to category: custom fields for change requests, services, traffic requests, object requests, users, and groups.


Within each category, the fields are listed in the order that they will appear in the FireFlow Web interface.

5 In each category, do one or more of the following:

  To move a change request up in the list, click Move up next to it.

  To move a change request down in the list, click Move down next to it.

Note: These links only appear when there is more than one custom field in the category.

The fields will appear in the specified order.

CHAPTER 8

Customizing the Source, Destination, and Service Wizards

When defining traffic in a request or change request, users can select objects in the Source Wizard, Destination Wizard, and Service Wizard. This section explains how to customize these wizards in the following ways:

  Customize the list of suggested sources/destinations in the Source Wizard/Destination Wizard's Suggested tab

  Customize the list of common services in the Service Wizard's Common tab

  Control whether the Source Wizard/Destination Wizard's Suggested and Firewall Object tabs and the Services Wizard's Common tab appear for different types of users

In This Chapter

Customizing the Suggested Sources/Destinations List
Customizing the Common Services List
Controlling Whether Wizard Tabs Appear

Customizing the Suggested Sources/Destinations List

When defining traffic in a request or change request, double-clicking in the Source or Destination field opens the Choose Source Wizard or Choose Destination Wizard. The Suggested tab of these wizards displays a list of suggested sources/destinations, for example "email server" or "my computer", enabling the user to specify a source/destination without knowing its IP address.

You can customize this list as desired, and even remove the Suggested tab entirely.

  To customize the suggested sources/destinations list

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/, locate the file SuggestedAddressObjects_Config.xml.

Note: This is the original suggested sources/destinations list file, and it can be used to revert to defaults, as needed. Do not modify this file.

3 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original file into an override file that is also called SuggestedAddressObjects_Config.xml.

4 Open the override file.

5 To add a suggested source/destination to the list, add the following tags, anywhere between <objects> and </objects>:

<object name="objectName">
  <value>objectValue</value>
</object>

Where:

  objectName is the source/destination name that should appear in the Suggested list.

  objectValue is the value to which FireFlow should resolve the source/destination name.

For example, to add the source/destination "lab", which FireFlow should resolve to IP address 192.168.2.0/24, add the following:

<object name="lab">
  <value>192.168.2.0/24</value>
</object>

Note: The source/destination "my computer" is built-in. FireFlow resolves it to the IP address of the user's computer, which FireFlow automatically detects from the browser.

6 To remove a suggested source/destination from the list, delete the relevant tags.

7 To remove the Suggested tab from the wizards, delete the contents of this file.

8 Save the override file.

9 Restart FireFlow.

See Restarting FireFlow (on page 11).
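A check that can be run on the override file before restarting FireFlow, given here as an added example rather than AlgoSec code. It assumes the `<objects>` root and `<object>`/`<value>` layout shown above, and assumes that every value should be an IP address or CIDR network (the guide shows only the "lab" case); the sample file content, the function name and the `MIN_PREFIX` threshold are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample override file content (not shipped with FireFlow).
SAMPLE_OVERRIDE = """<objects>
  <object name="lab">
    <value>192.168.2.0/24</value>
  </object>
  <object name="email server">
    <value>10.1.1.25</value>
  </object>
  <object name="everything">
    <value>0.0.0.0/0</value>
  </object>
  <object name="lab">
    <value>192.168.3.0/24</value>
  </object>
  <object name="typo">
    <value>192.168.2.0/33</value>
  </object>
</objects>"""

# Assumption: a site policy threshold. Suggested objects broader than this
# prefix length are flagged so a reviewer can confirm they are intended.
MIN_PREFIX = 16


def check_suggested_objects(xml_text, min_prefix=MIN_PREFIX):
    """Return a list of (object name, problem) tuples; an empty list means clean."""
    # Per the procedure, an empty override file is legitimate: it removes
    # the Suggested tab from the wizards.
    if not xml_text.strip():
        return []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<file>", f"not well-formed XML: {exc}")]
    if root.tag != "objects":
        return [("<file>", f"root element is <{root.tag}>, expected <objects>")]

    problems = []
    seen = set()
    for obj in root.findall("object"):
        name = (obj.get("name") or "").strip()
        if not name:
            problems.append(("<unnamed>", "missing name attribute"))
            continue
        if name.lower() in seen:
            problems.append((name, "duplicate name"))
        seen.add(name.lower())

        value = (obj.findtext("value") or "").strip()
        if not value:
            problems.append((name, "missing <value>"))
            continue
        try:
            # strict=False accepts a host address written with a prefix length.
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            problems.append((name, f"not an IP address or CIDR network: {value!r}"))
            continue
        if network.prefixlen < min_prefix:
            problems.append((name, f"very broad network {network}"))
    return problems


if __name__ == "__main__":
    for name, problem in check_suggested_objects(SAMPLE_OVERRIDE):
        print(f"{name}: {problem}")
```
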

Customizing the Common Services List

When defining traffic in a request or change request, double-clicking in the Choose Service field opens the Service Wizard. The Common tab of this wizard displays a list of common services, for example "http" or "all_tcp_ports", enabling the user to specify a service without knowing its protocol or port.


You can customize this list as desired, by adding, editing, and deleting custom services in AlgoSec Firewall Analyzer. For instructions, refer to the AlgoSec Firewall Analyzer User Guide.

Controlling Whether Wizard Tabs Appear

You can control whether the Source Wizard/Destination Wizard's Suggested and Firewall Object tabs and the Services Wizard's Common tab appear for various types of users, including:

  Privileged users

See Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors  (on page 57).

  Requestors

See Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors  (on page 57).

 

Anonymous users using the No-Login Web form

See Controlling Whether Wizard Tabs Appear in the No-Login Form (on page 60).

By default, these tabs appear for all types of users.

Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors

  To control whether tabs appear for privileged users and requestors

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.

3 Click Global.

The Admin/Global configuration page appears.

4 Click Group Rights.


The Modify global group rights page appears.

5 Locate the desired user group.

Note: For requestors, the relevant group is Unprivileged.

6 To allow users in this user group to view tabs, do any of the following in the New rights list box next to the group:

  To allow users in this group to view the Source/Destination Wizard's Suggested tab, select SeeSuggestedAddressObjects.

  To allow users in this group to view the Source/Destination Wizard's Firewall Object tab, select SeeFirewallAddressObjects.

  To allow users in this group to view the Services Wizard's Common tab, select SeeCommonServiceObjects.

To select multiple rights, press Ctrl while you click on the desired rights.

7 To prevent users in this user group from viewing tabs, do any of the following in the Current rights area under the group:

  To prevent users in this group from viewing the Source/Destination Wizard's Suggested tab, select the SeeSuggestedAddressObjects check box.

  To prevent users in this group from viewing the Source/Destination Wizard's Firewall Object tab, select the SeeFirewallAddressObjects check box.

  To prevent users in this group from viewing the Services Wizard's Common tab, select the SeeCommonServiceObjects check box.

8 Click Modify Group Rights.


Controlling Whether Wizard Tabs Appear in the No-Login Form

 

To control whether wizard tabs appear in the No-Login Web form

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/, open the file FireFlow_Config.pm.

Note: This is the original system settings file, and it is required for reverting to system default settings. Do not modify this file.

3 Under the directory /usr/share/fireflow/local/etc/site/, open the FireFlow_SiteConfig.pm override file.

Note: If this file does not exist, create it as described in Overriding System Default Settings (on page 199).

4 Copy the following configuration items from the FireFlow_Config.pm file into the FireFlow_SiteConfig.pm file:

  To control whether the Source/Destination Wizard's Suggested tab appears, copy the configuration item AllowAnonymousUserSeeSuggestedAddressObjects.

  To control whether the Source/Destination Wizard's Firewall Object tab appears, copy the configuration item AllowAnonymousUserSeeFirewallAddressObjects.

  To control whether the Services Wizard's Common tab appears, copy the configuration item AllowAnonymousUserSeeCommonServiceObjects.

5 In the FireFlow_SiteConfig.pm file, set these configuration items' values to one of the following:

1 - Display this tab. This is the default.

0 - Do not display this tab.

For example, to remove the Common tab, set the configuration item as follows:

Set($AllowAnonymousUserSeeCommonServiceObjects, 0);

6 Close the file FireFlow_Config.pm.

Note: Do not save changes to this file.

7 Save the file FireFlow_SiteConfig.pm.

8 Restart FireFlow.

See Restarting FireFlow (on page 11).
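An audit of the override file for the three No-Login settings named above, given as an added example rather than AlgoSec code. It reports which wizard tabs anonymous users would still see, applying the documented default of 1 to any item that is not set. The sample file content is constructed, and the rule that the last Set() for an item takes effect is an assumption.

```python
import re

# Configuration items named in the procedure above, mapped to the tab each controls.
ANON_ITEMS = {
    "AllowAnonymousUserSeeSuggestedAddressObjects": "Suggested tab",
    "AllowAnonymousUserSeeFirewallAddressObjects": "Firewall Object tab",
    "AllowAnonymousUserSeeCommonServiceObjects": "Common tab",
}
DEFAULT_VALUE = 1  # the guide states that 1 (display the tab) is the default

# Matches lines such as:  Set($Name, 0);   or   Set( $Name , '1' );
SET_RE = re.compile(r"""^\s*Set\s*\(\s*\$(\w+)\s*,\s*['"]?([01])['"]?\s*\)\s*;""")

# Constructed sample FireFlow_SiteConfig.pm content showing two easy mistakes:
# a setting left commented out, and a later duplicate that undoes an earlier one.
SAMPLE_SITECONFIG = """\
Set($AllowAnonymousUserSeeCommonServiceObjects, 0);
# Set($AllowAnonymousUserSeeFirewallAddressObjects, 0);
Set( $AllowAnonymousUserSeeSuggestedAddressObjects , 0 );
Set($AllowAnonymousUserSeeCommonServiceObjects, 1);
"""

# Constructed sample in which all three tabs are hidden from the No-Login form.
SAMPLE_HIDDEN = """\
Set($AllowAnonymousUserSeeSuggestedAddressObjects, 0);
Set($AllowAnonymousUserSeeFirewallAddressObjects, 0);
Set($AllowAnonymousUserSeeCommonServiceObjects, 0);
"""


def audit_anonymous_tabs(config_text):
    """Return {item: (effective value, 'override' or 'default')} for the three items."""
    result = {name: (DEFAULT_VALUE, "default") for name in ANON_ITEMS}
    for line in config_text.splitlines():
        # A commented-out line starts with '#', so it never matches.
        match = SET_RE.match(line)
        if match and match.group(1) in ANON_ITEMS:
            # Assumption: when an item is set more than once, the last Set() wins.
            result[match.group(1)] = (int(match.group(2)), "override")
    return result


def tabs_shown_to_anonymous(config_text):
    """Names of the wizard tabs the No-Login form would still display."""
    audit = audit_anonymous_tabs(config_text)
    return sorted(ANON_ITEMS[name] for name, (value, _) in audit.items() if value == 1)


if __name__ == "__main__":
    for name, (value, source) in audit_anonymous_tabs(SAMPLE_SITECONFIG).items():
        print(f"{name} = {value} ({source})")
    print("Shown to anonymous users:", tabs_shown_to_anonymous(SAMPLE_SITECONFIG))
```
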

CHAPTER 9

Configuring Change Request Creation from File

This section explains how to configure change request creation from file.

In This Chapter

Overview
Configuring Change Request Creation from File
Disabling Change Request Creation from File

Overview

Requestors can create new change requests from files attached to change requests. The process is as follows:

1 The requestor chooses a request template that supports creating change requests from file, such as FireFlow's built-in sample template "240: Sample - Upload change requests from Excel". The requestor then attaches a file specifying the desired change's details.

Note: In order to support creating change requests from file, a request template's Create change requests from file field must be set to "Yes", and the Request Type field must be set to "Traffic Change".

2 The requestor submits the change request.

3 FireFlow runs a parsing script that converts the attached file to XML format.

If the parsing script is configured for single change request creation, then all traffic lines in the file are interpreted as multiple traffic lines in a single change request. If the script is configured for multiple change request creation, then each traffic line in the file is interpreted as a separate change request (and the change requests will all be linked to each other via their Depends On field).

4 FireFlow converts the XML to one or more change requests.

By default, FireFlow uses an out-of-the-box parsing script, /usr/share/fireflow/local/bin/parse_excel_example.pl, which supports creating multiple change requests from file, where all of the change request data is on a single worksheet and the file format is one of the following:

  xls (Microsoft Excel up to 2003)

  xlsx (Microsoft Excel 2007 and up)

  sxc (OpenOffice 1.0 Spreadsheet)

  ods (OpenOffice Spreadsheet)

  csv (Comma-separated text values)

If desired, you can configure change request creation from file in the following ways:

  Enable the creation of change requests from files in additional formats

  Configure whether multiple or single change requests are created from each file

  Enable/disable file validity enforcement

By default, FireFlow automatically checks uploaded files for errors. If an error is detected in a file, FireFlow alerts the requestor and halts change request creation for this file, until the error has been fixed. If desired, you can disable validity enforcement, in which case change requests will be created only from valid lines in the file.

  Enable/disable automatic change request creation

By default, FireFlow automatically creates change requests from uploaded files. If desired, you can require change request creation to be triggered manually later in the change request workflow, when a certain button is clicked. For information on how to perform this customization, contact AlgoSec Support.

  Disable change request creation from file (both automatic and manual)

You can view a sample worksheet filled with data that is expected by the out-of-the-box parsing script under /usr/share/fireflow/local/extras/FirewallRulesRequestExample.xls.

Configuring Change Request Creation from FileNote: If you are using multiple parsing scripts, you must perform this procedure for each script.

 

To configure change request creation from fi le

1 To enable the creation of change requests from files in a format that is not supported by the default parsing script, obtain a custom parsing script from AlgoSec Professional Services.

2 Log in to the FireFlow server using the username "root" and the related password.

3 Do one of the following:

• To work with the default parsing script, copy parse_excel_example.pl from /usr/share/fireflow/local/bin/ to /usr/share/fireflow/local/etc/site/bin/.
• To work with a custom parsing script, save the custom script under /usr/share/fireflow/local/etc/site/bin.

4 Give the parsing script execute permissions, by running the following command:

chmod a+x [script-name] 

Where script-name is the name of the parsing script.

5 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

6 Locate the configuration item AttachmentParsingScripts, and set it to the path of the parsing script.

For example:

Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" => ["xls", "xlsx", "sxc", "ods", "csv"],
});

If you have multiple parsing scripts, add them as follows:

Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" => ["xls", "xlsx", "sxc", "ods", "csv"],
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script2.pl" => ["xml"],
});


7 To enable/disable automatic creation of change requests from files, do the following:

a) Add the configuration item AutoCreateTicketsFromAttachments.

b) Do one of the following:

• To enable automatic creation of change requests from uploaded files, set the configuration item's value to 1. This is the default value.
• To require manual triggering of change request creation from uploaded files, set the configuration item's value to 0.

For example, the following enables automatic creation of change requests from file:

Set($AutoCreateTicketsFromAttachments, '1');

8 To enable/disable validity enforcement for uploaded files, do the following:

a) Add the configuration item ForceValidAttachmentsBeforeCreateTickets.

b) Do one of the following:

• To enable validity enforcement of uploaded files, set the configuration item's value to 1. This is the default value.
• To disable validity enforcement of uploaded files, set the configuration item's value to 0.

For example, the following enables validity enforcement of uploaded files:

Set($ForceValidAttachmentsBeforeCreateTickets, '1');

9 Save the file.

10 To configure whether multiple change requests or a single change request is created from a file, do the following:

a) Under /usr/share/fireflow/local/etc/site/bin/, open the parsing script.

b) Locate the following lines:

# In this example: Multiple tickets mode
my $mode = $MULTIPLE_TICKETS_MODE;
# Set mode to $SINGLE_TICKETS_MODE if you wish to work in single ticket mode
# my $mode = $SINGLE_TICKETS_MODE;

c) Uncomment the my $mode line that reflects the mode you want to use, and comment the my $mode line that reflects the mode you do not want to use.

d) For example, to create a single change request from file, modify the lines as follows:

# In this example: Multiple tickets mode
# my $mode = $MULTIPLE_TICKETS_MODE;
# Set mode to $SINGLE_TICKETS_MODE if you wish to work in single ticket mode
my $mode = $SINGLE_TICKETS_MODE;

11 Save the script.

12 Restart FireFlow.

See Restarting FireFlow (on page 11).
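The procedure above, turned into a post-change check (an added example, not part of the guide or of FireFlow; the function names and the group/other-writable check are assumptions added here). It parses the text of FireFlow_SiteConfig.pm and flags registered parsing scripts that are missing, outside the site bin directory, or lacking the execute bits from step 4, and it reports when validity enforcement is switched off.

```python
import os
import re
import stat

SITE_BIN = "/usr/share/fireflow/local/etc/site/bin"  # directory named in step 3


def parse_site_config(text):
    """Extract the settings this chapter edits from FireFlow_SiteConfig.pm text."""
    # Ignore commented-out Perl lines so disabled entries are not reported.
    text = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    cfg = {"scripts": {}, "auto_create": "1", "force_valid": "1"}  # defaults per the guide
    block = re.search(
        r"Set\(\s*\$AttachmentParsingScripts\s*,\s*\{(.*?)\}\s*\)\s*;", text, re.S)
    if block:
        for path, exts in re.findall(r'"([^"]+)"\s*=>\s*\[([^\]]*)\]', block.group(1)):
            cfg["scripts"][path] = re.findall(r'"([^"]+)"', exts)
    for key, item in (("auto_create", "AutoCreateTicketsFromAttachments"),
                      ("force_valid", "ForceValidAttachmentsBeforeCreateTickets")):
        m = re.search(r"Set\(\s*\$" + item + r"\s*,\s*'?(\d)'?\s*\)\s*;", text)
        if m:
            cfg[key] = m.group(1)
    return cfg


def audit(config_text, site_bin=SITE_BIN):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_site_config(config_text)
    findings, owner_of_ext = [], {}
    if not cfg["scripts"]:
        findings.append("no parsing scripts configured: creation from file is disabled")
    if cfg["force_valid"] == "0":
        findings.append("validity enforcement is off: change requests are created "
                        "from the valid lines of files that contain errors")
    for path, exts in cfg["scripts"].items():
        if os.path.dirname(os.path.normpath(path)) != os.path.normpath(site_bin):
            findings.append(f"{path}: not under {site_bin}")
        for ext in exts:
            other = owner_of_ext.setdefault(ext, path)
            if other != path:
                findings.append(f"extension {ext!r} is claimed by {other} and {path}")
        try:
            mode = os.lstat(path).st_mode
        except OSError:
            findings.append(f"{path}: script is missing")
            continue
        if not stat.S_ISREG(mode):
            findings.append(f"{path}: not a regular file")
            continue
        if (mode & 0o111) != 0o111:
            findings.append(f"{path}: not executable by all users (step 4, chmod a+x)")
        if mode & 0o022:
            # Added hardening check (assumption, not from the guide): the script
            # processes uploaded attachments, so only its owner should edit it.
            findings.append(f"{path}: writable by group or others")
    return findings


if __name__ == "__main__":
    # Constructed sample: the two-script configuration shown in step 6.
    SAMPLE = '''
Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" => ["xls", "xlsx", "sxc", "ods", "csv"],
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script2.pl" => ["xml"],
});
Set($AutoCreateTicketsFromAttachments, '1');
Set($ForceValidAttachmentsBeforeCreateTickets, '1');
'''
    for finding in audit(SAMPLE):
        print(finding)
```
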


Disabling Change Request Creation from File

 

To disable change request creation from file

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Locate the configuration item AttachmentParsingScripts, and remove the parsing script(s) from it, as follows:

For example:

Set($AttachmentParsingScripts, {});

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).


This section explains how to modify the email templates on which FireFlow bases the emails it sends to users.

In This Chapter

Overview
Modifying Email Templates

Overview

FireFlow sends emails to users upon various events in the change request lifecycle. It uses the following set of templates to create the emails' content.

FireFlow Templates

| This template... | Is used to send emails to... | And is used when... |
|---|---|---|
| Transaction | Change request owners | A reply is written for an item in a change request's history. A comment is written for an item in a change request's history. A change request's owner is changed. |
| Correspondence | Requestors | A reply is written for an item in a change request's history. |
| Resolved | Requestors | A change request is resolved. |
| Autoreply | Requestors | A new change request is created. |
| Notify External System TicketClose | An external Change Management System (CMS) | A change request is resolved. |

If desired, you can modify these templates.

Note: Other templates appear in the FireFlow interface; however, they are not used for FireFlow emails and should therefore be ignored.

Note: It is possible to customize which events trigger email sending and to whom the emails are sent. For further information, contact AlgoSec.

CHAPTER 10

Modifying FireFlow Email Templates


Modifying Email Templates

 

To modify an email template

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

3 Click Global.


The Admin/Global configuration page appears.

4 Click Email Templates.


The Modify templates which apply to all queues page appears.

5 Click on the name of the desired template.


The Modify template page appears.

6 In the Content field, type the template's content.

You can use variables in the template. For a list of popular variables and their explanations, see Email Template Variables (page 69).

Note: Do not modify the Name and Description fields.

Note: The email template variables that include Perl code (appearing in curly braces {}) are subject to Perl syntax.

7 To reset the template to its default settings, click Reset.

8 Click Update.

Email Template Variables

| This variable... | Represents... | For example... |
|---|---|---|
| {$Ticket->id} | The change request ID number | 364 |
| {$Ticket->Subject} | The change request subject | Need to open device ports for project Armageddon |
| {$Ticket->Status} | The change request status | plan |
| {$Ticket->RequestorAddresses} | The requestor's email address | [email protected] |
| {$Ticket->OwnerObj->Name} | The change request owner's username | ned.netop |
| {$Ticket->getTicketAsXML()} | The change request in XML format (a flat ticket) | See Flat Ticket Example (on page 116). |
| {$RT::WebURL}Ticket/Display.html?id={$Ticket->id} | The URL at which the change request is displayed | https://fireflow-demo.algosec.com/FireFlow/Ticket/Display.html?id=136 |
| {$Transaction->CreatedAsString} | The date and time at which the email is sent | Mon Nov 17 16:58:44 2008 |


This section explains how to add, edit, and delete workflows in VisualFlow. It also explains how to modify the set of conditions determining when each workflow should be assigned.

VisualFlow is the new and recommended method of working with workflows.

In This Chapter

Overview
About VisualFlow
Getting Started with VisualFlow
Adding Workflows
Workflow Condition Syntax
Editing Workflows
Working with Statuses
Working with Actions
Working with SLAs
Reordering Workflows
Setting the Default Workflow
Deleting Workflows
Viewing the Workflow XML
Installing Workflows
Discarding Workflow Changes
Examples

Overview

FireFlow assigns each change request to a workflow that controls the change request's lifecycle, including the actions that can be performed on the change request, the behavior associated with each action, and the possible change request statuses. In order to determine which workflow to use for a change request, FireFlow performs the following steps:

1 FireFlow refers to the template that the requestor selected for the change request.

2 If the template specifies a workflow, FireFlow assigns the change request to that workflow.

3 If the template does not specify a workflow, then FireFlow refers to a set of conditions that determine which workflow should be assigned.

4 If FireFlow fails to assign a workflow based on the set of conditions, then FireFlow assigns the change request to the default workflow (which, by default, is the Standard workflow).

CHAPTER 11

Working with Workflows in VisualFlow


FireFlow comes with the following set of built-in workflows, located under /usr/share/fireflow/local/etc/Workflows/:

Built-In Workflows

| Workflow | File Name | Description | Lifecycle Stages |
|---|---|---|---|
| Standard | Standard_Config.xml | This is the default workflow, resulting in the default change request lifecycle. Used by traffic change requests. | Request, Plan, Approve, Implement, Validate, Match, Resolved, Audit |
| Generic | Generic_Config.xml | This workflow is used for change requests that are not related to traffic. As such, no device change planning or matching of device changes to the change request are required, and these stages (Plan and Match) are omitted. | Request, Approve, Implement, Validate, Resolved, Audit |
| Multi-Approval | Multi-Approval_Config.xml | This workflow is used for change requests that require approval from multiple users. It therefore includes an extra stage (Review) that is performed by a controller user. | Request, Plan, Approve, Review, Implement, Validate, Match, Resolved, Audit |
| Parallel-Approval | Parallel-Approval_Config.xml | This workflow is used for change requests that require approval from two users in parallel. It therefore includes an extra change request approval stage called Review that is performed by a controller. | Request, Plan, Approve, Review, Implement, Validate, Resolved, Audit |
| Change-Object | Change-Object_Config.xml | This workflow is used for change requests for modifying device objects. | Request, Approve, Implement, Validate, Resolved, Audit |
| Rule-Removal | Rule-Removal_Config.xml | This workflow is used for change requests that are for removing device rules. | Request, Approve, Implement, Validate, Resolved |
| Web-Filter | Web-Filter_Config.xml | This workflow is used for change requests that are for filtering Web connections. It is relevant for Blue Coat devices only. | Request, Plan, Approve, Implement, Validate, Match, Resolved, Audit |
| Request-Recertification | Request-Recertification_Config.xml | This workflow is used to determine whether an Allow rule that was added to a device policy as the result of an expired traffic change request is still relevant. If the rule is no longer relevant, a rule removal request is created to remove it. | Request, Approve, Implement, Validate, Resolved, Audit |

You cannot modify the built-in workflows; however, you can create new ones as desired. For your convenience, FireFlow allows you to create variations of existing workflows (both built-in and custom ones), by duplicating the relevant workflow and then modifying it.

Furthermore, you can modify the set of conditions determining which workflow should be assigned, when the template does not specify a workflow.

You can work with workflows in the following ways:

• By using VisualFlow, an interface that is accessible from FireFlow (highly recommended)
• By working directly with workflow XML files (not recommended, as manual changes may be overwritten by VisualFlow, if performed incorrectly)

This section explains how to work with workflows using VisualFlow. For information on working with workflows via XML, see Working with Workflows via XML (on page 143).

About VisualFlow

VisualFlow enables you to add, edit, and delete custom workflows in a Web interface, without any need to manually edit the workflow XML files.

All workflow changes are saved locally as drafts. In order for the changes to take effect, you must install the workflows on FireFlow. The changes are exported to the workflow XML files (overwriting the existing settings), which are then imported to FireFlow. See Installing Workflows (on page 134).

If you have not yet installed your changes, you can choose to discard them. VisualFlow will be refreshed from the existing workflow XML files. See Discarding Workflow Changes (on page 135).


Getting Started with VisualFlow

This section contains all the information you need in order to get started using VisualFlow.

Accessing VisualFlow

To access VisualFlow

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

3 Click VisualFlow.


VisualFlow opens in a new browser tab, displaying the List of Workflows page.

The VisualFlow User Interface

The VisualFlow user interface consists of the following major elements:

• Main menu. Used for navigating between the VisualFlow pages.
• Workspace. Displays the VisualFlow page selected in the main menu. When viewing a specific workflow, the workspace includes the workflow's layout. See Viewing Workflow Layouts (on page 76). When domains are enabled, there is a Domains column in the workflows list.


• Toolbar. Displays your username and a link to information about the VisualFlow version.

Viewing Workflow Layouts

A workflow's layout is a graph that includes all actions and statuses in the workflow, each of which can be clicked for further viewing and editing.

  To view a workflow layout

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

• Click on the desired workflow's name.
• Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details, and the Layout area displays the workflow's layout.


For information on the various layout elements, click Show legend or see the following table.

3 To zoom in, click the icon.

The workflow layout is magnified. Use the scroll bar to view the desired part of the layout.

4 To zoom out, click the icon.

The workflow layout returns to its regular size.

5 To print the workflow layout:

a)  Click .

The workflow layout opens in a new tab.

 b)  Use your browser's Print button to print the layout.

6 To view only the layout elements that are related to a specific action or status, click on the desiredaction/status.

The Edit Action or Edit Status page appears, and the Layout area displays only those elements that are directly related to the selected action/status.

Workflow Layout Elements

This element ... Represents...

A single workflow stage.

A status.

Click to edit the status's details.

A status that is currently being edited.

An action.

An action that is currently being edited.

Indicates that an action can be clicked for editing.

Indicates that an action cannot be clicked for editing.


A conditional action.

A parallel action.

Accessing Online Help

To access online help

• At the top of the workspace, click Help.

The online help opens.

Exiting VisualFlow

To exit VisualFlow

• Close the browser tab.

Adding Workflows

Adding new workflows is done by creating a copy of an existing workflow and then modifying the copy.

  To add a custom workflow

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears. When domains are enabled, there is a Domains column in the workflows list.

2 Next to an existing workflow on which you would like to base the new workflow, click Duplicate.

A confirmation message appears.

3 Click OK.

A new workflow appears at the bottom of the workflows list. Its name is OriginalWorkflow-Copy-Number, where:

• OriginalWorkflow is the name of the workflow you copied.
• Number is a number used to differentiate between copies of the duplicated workflow.


For example, if you duplicated the Standard workflow, and there is already a workflow called Standard-Copy-1, then the new workflow will be called Standard-Copy-2.

A message at the top of the screen informs you that changes have been made to the workflows.

4 Do one of the following:

 

• Next to the new workflow, click Edit.
• Click on the workflow's name.


The Edit Workflow page opens with the workflow's details.

5 In the Edit workflow details area, complete the fields using the information in Workflow Details Fields (page 80).

When domains are enabled, there is a Domains selection box in the Edit workflow details area.

6 Click Save Draft.

7 Add, edit, and delete workflow statuses as desired.

See Working with Statuses (on page 87).

8 Add, edit, and delete workflow actions as desired.

See Working with Actions (on page 95).

9 Add, edit, and delete SLOs in the workflow's SLA as desired.

See Working with SLAs (on page 129).

Workflow Details Fields

| In this field... | Do this... |
|---|---|
| Name | Type a name for the workflow. |
| Domains | Specify the domains in which the workflow should be available, by doing one of the following: to specify that the workflow should be available in all domains, select the All check box; to specify that the workflow should be available only in specific domains, clear the All check box, then hold down the Ctrl key while clicking on the desired domains' names. |
| Description | Type a description of the workflow. |
| Configuration File | Type a prefix for the workflow file name associated with this workflow. The workflow file is named Prefix_Config.xml, where Prefix is the string you enter in this field. By default, the prefix is the workflow's name. |
| Enabled | Specify whether this workflow should be enabled, by choosing one of the following: Yes (the workflow is enabled and will appear in the FireFlow interface) or No (the workflow is disabled; it will not appear in the FireFlow interface, and no change requests will have this workflow). The default value is Yes. |
| Condition | Type the condition under which a workflow should be assigned to change requests, when the change request's template does not specify a workflow. For information on the required syntax, see Workflow Condition Syntax (on page 81). |

Workflow Condition Syntax

A workflow's Condition field contains a query that specifies the condition under which the workflow should be assigned to change requests. The query is composed of pairs in the following format:

field = 'value'

Where field is a supported field in FireFlow, and value is the field's value. For information on supported fields, see Supported Fields (on page 81). For example, the following query specifies that the change request status must be "new":

Status = 'new'

You can use != to indicate "not". For example, the following query specifies that the change request status must not be "new":

Status != 'new'

It is possible to use Boolean operators between field-value pairs. For a list of supported operators, see Supported Boolean Operators (on page 86). For example, the following query specifies that the change request status must be "new", and the owner must be John Smith:

Status = 'new' AND Owner = 'John Smith'

For more intricate queries, you can use parentheses to group field-value pairs and operators. For example, the following query specifies that the change request status must be "new" or "plan", and the owner must be John Smith or Sue Michaels.

(Status = 'new' OR Status = 'plan') AND (Owner = 'John Smith' OR Owner = 'Sue Michaels')

Supported Fields

There are two types of supported fields:

• Standard fields

  These fields should be written as they appear in Standard Fields (page 82). For example:

  Subject = 'Allow Web Access'

• Custom fields

  These fields include those listed in Custom Fields (page 84), as well as any fields added by users. They should be used in the following format:

  'CF.{field}'

  Where field is the name of the custom field.

  For example:

  'CF.{Firewall Brand}' = 'Check Point'
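A linter for the Condition syntax described above, useful for catching a misspelled field or an unbalanced parenthesis before a workflow is installed (an added example, not FireFlow code; all function names are assumptions). It handles only what this section shows (=, !=, AND, OR, parentheses, standard fields and 'CF.{field}' custom fields), assumes exact string comparison, and rejects AND and OR mixed without parentheses because the page states no precedence.

```python
import re

class ConditionError(ValueError):
    """The Condition string does not follow the syntax shown in this section."""

_USER_ATTRS = ("EmailAddress Name RealName Nickname Organization Address1 Address2 "
               "WorkPhone HomePhone MobilePhone PagerPhone id").split()
# Field names as listed in this guide's Standard Fields table.
STANDARD_FIELDS = set("Id Subject Content Content-Type Filename Status Owner Creator "
                      "LastUpdatedBy Created Resolved Last.Updated Due Priority "
                      "RefersTo ReferredToBy".split())
STANDARD_FIELDS |= {f"{role}.{attr}" for role in ("Requestor", "Cc", "Owner")
                    for attr in _USER_ATTRS}
_TOKEN = re.compile(r"\s*(?:(?P<paren>[()])|(?P<op>!=|=)|'(?P<str>[^']*)'"
                    r"|(?P<word>[A-Za-z][\w.-]*))")
# Constructed sample change request used to try conditions out.
SAMPLE_TICKET = {"Status": "new", "Owner": "Sue Michaels",
                 "CF.{Firewall Brand}": "Check Point"}

def tokenize(query):
    """Split a Condition string into (kind, text) tokens."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        match = _TOKEN.match(query, pos)
        if not match:
            raise ConditionError(f"unexpected text at offset {pos}: {query[pos:pos + 15]!r}")
        tokens.append((match.lastgroup, match.group(match.lastgroup)))
        pos = match.end()
    return tokens

def parse(query, custom_fields=()):
    """Return a syntax tree, or raise ConditionError. custom_fields (optional) lists
    the custom field names that exist on the system (hypothetical parameter)."""
    tokens, pos, known_custom = tokenize(query), 0, set(custom_fields)

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else (None, None)

    def comparison():
        kind, field = take()
        if kind == "str" and re.fullmatch(r"CF\.\{[^{}]+\}", field):
            if known_custom and field[4:-1] not in known_custom:
                raise ConditionError(f"unknown custom field: {field}")
        elif not (kind == "word" and field in STANDARD_FIELDS):
            raise ConditionError(f"not a supported field: {field!r}")
        if (op := take())[0] != "op":
            raise ConditionError(f"expected = or != after {field}")
        if (value := take())[0] != "str":
            raise ConditionError(f"value for {field} must be in single quotes")
        return ("cmp", field, op[1], value[1])

    def term():
        if peek() != ("paren", "("):
            return comparison()
        take()
        node = expr()
        if take() != ("paren", ")"):
            raise ConditionError("missing closing parenthesis")
        return node

    def expr():
        nodes, joiner = [term()], None
        while peek() in (("word", "AND"), ("word", "OR")):
            op = take()[1]
            if joiner not in (None, op):
                # The page states no AND/OR precedence, so require parentheses.
                raise ConditionError("AND and OR mixed without parentheses")
            joiner = op
            nodes.append(term())
        return nodes[0] if joiner is None else (joiner, nodes)

    if not tokens:
        raise ConditionError("empty condition")
    tree = expr()
    if pos != len(tokens):
        raise ConditionError(f"unexpected token: {tokens[pos][1]!r}")
    return tree

def evaluate(tree, ticket):
    """Evaluate a parsed condition against a dict of field values (exact match assumed)."""
    if tree[0] == "cmp":
        _, field, op, value = tree
        equal = str(ticket.get(field, "")) == value
        return equal if op == "=" else not equal
    results = [evaluate(child, ticket) for child in tree[1]]
    return all(results) if tree[0] == "AND" else any(results)
```
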

Standard Fields

| Field | Description |
|---|---|
| Id | The change request ID number. |
| Subject | The change request subject. |
| Content | Text that appears in the original change request description or in a comment or reply added to the change request. |
| Content-Type | The file type of an attachment attached to the change request. |
| Filename | The filename of an attachment for the change request. |
| Status | The change request status. |
| Owner | The user who is the current change request owner. |
| Creator | The user who is the change request creator. |
| LastUpdatedBy | The user who last updated the change request. |
| Requestor.EmailAddress | The requestor's email address. |
| Requestor.Name | The requestor's username. |
| Requestor.RealName | The requestor's full name. |
| Requestor.Nickname | The requestor's nickname. |
| Requestor.Organization | The requestor's organization. |
| Requestor.Address1 | The requestor's primary mailing address. |
| Requestor.Address2 | The requestor's secondary mailing address. |
| Requestor.WorkPhone | The requestor's office telephone number. |
| Requestor.HomePhone | The requestor's home telephone number. |
| Requestor.MobilePhone | The requestor's mobile telephone number. |
| Requestor.PagerPhone | The requestor's pager telephone number. |
| Requestor.id | The requestor's ID. |
| Cc.EmailAddress | The email address of a user who receives copies of email messages for the change request. |
| Cc.Name | The username of a user who receives copies of email messages for the change request. |
| Cc.RealName | The full name of a user who receives copies of email messages for the change request. |
| Cc.Nickname | The nickname of a user who receives copies of email messages for the change request. |
| Cc.Organization | The organization of a user who receives copies of email messages for the change request. |
| Cc.Address1 | The primary mailing address of a user who receives copies of email messages for the change request. |
| Cc.Address2 | The secondary mailing address of a user who receives copies of email messages for the change request. |
| Cc.WorkPhone | The office telephone number of a user who receives copies of email messages for the change request. |
| Cc.HomePhone | The home telephone number of a user who receives copies of email messages for the change request. |
| Cc.MobilePhone | The mobile telephone number of a user who receives copies of email messages for the change request. |
| Cc.PagerPhone | The pager telephone number of a user who receives copies of email messages for the change request. |
| Cc.id | The ID of a user who receives copies of email messages for the change request. |
| Owner.EmailAddress | The owner's email address. |
| Owner.Name | The owner's username. |
| Owner.RealName | The owner's full name. |
| Owner.Nickname | The owner's nickname. |
| Owner.Organization | The owner's organization. |
| Owner.Address1 | The owner's primary mailing address. |
| Owner.Address2 | The owner's secondary mailing address. |
| Owner.WorkPhone | The owner's office telephone number. |
| Owner.HomePhone | The owner's home telephone number. |
| Owner.MobilePhone | The owner's mobile telephone number. |
| Owner.PagerPhone | The owner's pager telephone number. |
| Owner.id | The owner's ID. |
| Created | The date on which the change request was created. |
| Resolved | The date on which the change request was resolved. |
| Last.Updated | The date on which the change request was last updated. |
| Due | The change request's due date. |
| Priority | The change request's priority. |
| RefersTo | The ID numbers of change requests to which this change request refers, separated by spaces. |
| ReferredToBy | The ID numbers of change requests that refer to this change request, separated by spaces. |

Custom Fields

Field Description

Expires The date on which this change request will expire.

Requested Source The IP address, IP range, network, device object, or DNS name of the connectionsource, as specified in the original request.

Requested Destination The IP address, IP range, network, device object, or DNS name of the connectiondestination, as specified in the original request.

Requested Service The device service or port for the connection, as specified in the original request.

Requested Action The device action to perform for the connection, as specified in the original request.

Requested Source NAT The source NAT value to which the connection's source should be translated, asspecified in the original request.

Ticket Template Name The name of the change request's template.

Requested Destination NAT The destination NAT value to which the connection's destination should betranslated, as specified in the original request.

Requested Port Translation The port value to which the connection's port should be translated, as specified in theoriginal request.

Workflow The workflow assigned to the change request.

Owning Group The user group that currently owns the change request.

Requested NAT Type The type of NAT (Static or Dynamic), as specified in the original request.

CMS ticket id The ID number of a related change request in an external change managementsystem that is integrated with FireFlow.

Firewall Name The name of the device.

Firewall IP Address The IP address of the device.

Firewall Brand The device vendor.

Firewall Management Server The device management server name.

Firewall Policy The device security policy.

Firewall Last Report The last report generated for the device.

Firewall Last Report Date The date and time at which the last report for this device was generated.

Change Description The change description.

Change Source The IP address, IP range, network, device object, or DNS name of the connection source, as planned during the Plan stage.

Change Destination The IP address, IP range, network, device object, or DNS name of the connection destination, as planned during the Plan stage.

Change Service The device service or port for the connection, as planned during the Plan stage.

Change Action The device action to perform for the connection, as planned during the Plan stage.

Change Source NAT The source NAT value to which the connection's source should be translated, as planned during the Plan stage.

Change Destination NAT The destination NAT value to which the connection's destination should be translated, as planned during the Plan stage.

Change Port Translation The port value to which the connection's port should be translated, as planned during the Plan stage.

Change NAT Type The type of NAT (Static or Dynamic), as planned during the Plan stage.

Change Implementation Notes The words that appear in the change request's implementation notes, if the change request has completed the Implement stage.

Request Risk Check Result The number and/or severity of risks that implementation of the planned change would entail.

Initial Plan Result The results of initial planning.

Form Type The type of form used for the change request (Traffic Change, Object Change, or Generic Change).

Change Validation Result The results of change validation.

Risks Number The number of risks detected for the planned change, if the change request has completed the risk check in the Approve stage.

Risks Details Details about the risks detected for the planned change, if the change request has completed the risk check in the Approve stage.

Translated Source The change request's source, as translated to IP addresses.

Requested Object Action The requested action for an object change request (AddIPsToObject / RemoveIPsFromObject / NewObject / DeleteObject).

Translated Destination The change request's destination, as translated to IP addresses.

Change Object Action The action for an object change request, as specified during the Plan stage (AddIPsToObject / RemoveIPsFromObject / NewObject / DeleteObject).

Translated Service The change request's service, as translated to ports.

Requested Object Name An object's name, as specified in the original object change request.

Automatically Implemented An indication of whether the requested change should be automatically implemented.

Change Object Name An object's name, as specified for an object change request in the Plan stage.

Already Works Firewalls The devices on which the requested change already works.

Requested IPs To Add The IP addresses to add to an object, as specified in the original object change request.

Change IPs To Add The IP addresses to add to an object, as specified for an object change request in the Plan stage.

Requested IPs To Remove The IP addresses to remove from an object, as specified in the original object change request.

Change IPs To Remove The IP addresses to remove from an object, as specified for an object change request in the Plan stage.

Requested Object Scope The object scope, as specified in the original object change request.

Change Object Scope The object scope, as specified for an object change request in the Plan stage.

Is Work Order Editable An indication of whether the work order is editable.

Is Active Change Applicable An indication of whether ActiveChange can be used to implement the requested change.

Object Change Validation Result The results of object change validation.

Create tickets from attachment An indication of whether the change request was created from a file.

Affected Rules Result The device rules that are affected by a suggested object change request.

Firewall Provider-1 The name or IP address of the Provider-1 managing the device.

This field is relevant for Check Point devices only.

Supported Boolean Operators

Operator Description

AND Both of the field-value pairs joined by this operator must be true.

In the following example, the condition is only met for new change requests owned by John Smith:

Status = 'new' AND Owner = 'John Smith'

OR One or both of the field-value pairs joined by this operator must be true.

In the following example, the condition is met for change requests that are new, change requests that are owned by John Smith, and new change requests owned by John Smith:

Status = 'new' OR Owner = 'John Smith'

Comprehensive Example

In the following example, the workflow will be assigned when the change request's template does not specify a workflow, and one of the following conditions is met:

  The change request's priority is greater than 7.

  The requestor's email address includes the string "company.com".

  The value of the custom field called "Project" is "Infrastructure".

(Priority > 7) OR (Requestor.EmailAddress LIKE 'company.com') OR ('CF.{Project}' = 'Infrastructure')
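To check which change requests a condition like the one above would capture before attaching it to a workflow, the following added Python example (not FireFlow code and not part of the original guide) evaluates the constructs shown in this section (=, >, LIKE, AND, OR, parentheses, quoted field names) against constructed records. It assumes that AND binds tighter than OR and that LIKE is a case-insensitive substring match; the function names and the sample requests are hypothetical.

```python
import re
# Added illustration, not FireFlow code. Handles only the constructs shown in
# the guide's examples: =, >, LIKE, AND, OR, parentheses, quoted field names.
TOKEN_RE = re.compile(r"\s*(?:(\(|\))|'([^']*)'|(\d+)|(=|>)|([A-Za-z_][\w.]*))")

def tokenize(text):
    """Split a condition string into (kind, value) tokens."""
    text, pos, tokens = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        paren, quoted, number, op, word = m.groups()
        if paren:
            tokens.append(("PAREN", paren))
        elif quoted is not None:
            tokens.append(("STR", quoted))
        elif number:
            tokens.append(("NUM", int(number)))
        elif op or word.upper() == "LIKE":
            tokens.append(("OP", op or "LIKE"))
        elif word.upper() in ("AND", "OR"):
            tokens.append((word.upper(), word.upper()))
        else:
            tokens.append(("FIELD", word))
        pos = m.end()
    return tokens

def compare(actual, op, expected):
    """Apply one field-value comparison; a missing field never matches."""
    if actual is None:
        return False
    if op == "=":
        return str(actual) == str(expected)
    if op == ">":
        return float(actual) > float(expected)
    # LIKE: assumed case-insensitive substring match ("includes the string").
    return str(expected).lower() in str(actual).lower()

class Parser:
    """Recursive descent parser; assumes AND binds tighter than OR."""
    def __init__(self, tokens, record):
        self.tokens, self.pos, self.record = tokens, 0, record
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)
    def take(self, *kinds):
        tok = self.peek()
        if tok[0] is None or (kinds and tok[0] not in kinds):
            raise ValueError(f"expected {kinds or 'a token'}, got {tok}")
        self.pos += 1
        return tok
    def or_expr(self):
        value = self.and_expr()
        while self.peek()[0] == "OR":
            self.take()
            rhs = self.and_expr()  # parse the right side even if value is True
            value = value or rhs
        return value
    def and_expr(self):
        value = self.term()
        while self.peek()[0] == "AND":
            self.take()
            rhs = self.term()
            value = value and rhs
        return value
    def term(self):
        if self.peek() == ("PAREN", "("):
            self.take()
            value = self.or_expr()
            if self.take("PAREN")[1] != ")":
                raise ValueError("expected ')'")
            return value
        _, field = self.take("FIELD", "STR")  # 'CF.{Name}' is a quoted field name
        _, op = self.take("OP")
        _, expected = self.take("STR", "NUM")
        return compare(self.record.get(field), op, expected)

def matches(condition, record):
    parser = Parser(tokenize(condition), record)
    result = parser.or_expr()
    if parser.peek()[0] is not None:
        raise ValueError(f"trailing input: {parser.peek()}")
    return bool(result)

# Constructed change requests (not real data): id, priority, requestor, project.
FIELDS = ("id", "Priority", "Requestor.EmailAddress", "CF.{Project}")
ROWS = [
    (101, 9, "ops@partner.example", "Web"),
    (102, 3, "alice@company.com", "Web"),
    (103, 3, "bob@partner.example", "Infrastructure"),
    (104, 3, "carol@partner.example", "Web"),
    (105, 3, "dave@company.com.partner.example", "Web"),  # contains the string
]
SAMPLE_REQUESTS = [dict(zip(FIELDS, row)) for row in ROWS]
COMPREHENSIVE = "(Priority > 7) OR (Requestor.EmailAddress LIKE 'company.com') OR ('CF.{Project}' = 'Infrastructure')"

def matching_ids(condition, requests=SAMPLE_REQUESTS):
    return [r["id"] for r in requests if matches(condition, r)]
```

Under the substring assumption, request 105 is selected even though its address only contains "company.com", which is worth checking when a condition on the requestor's address decides which workflow a change request receives.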

Editing Workflows

Note: You can edit the workflow details of built-in workflows; however, you cannot change their statuses and actions.

  To edit an existing workflow

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

  Next to the new workflow, click Edit.

  Click on the workflow's name.

The Edit Workflow page opens with the workflow's details.

3 To edit the workflow's details, do the following:

a) In the Edit workflow details area, complete the fields using the information in Workflow Details Fields (page 80).

When domains are enabled, there is a Domains selection box in the Edit workflow details area.

b) Click Save Draft.

A message at the top of the screen informs you that changes have been made to the workflows.

4 To add, edit, and delete workflow statuses, see Working with Statuses (on page 87).

5 To add, edit, and delete workflow actions, see Working with Actions (on page 95).

6 To add, edit, and delete SLOs in the workflow's SLA, see Working with SLAs (on page 129).

Working with Statuses

You can add, edit, reorder, and delete statuses in a workflow.

Adding Statuses

To add a status

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 In the VisualFlow main menu, click Statuses.

The Available statuses page appears.

4 Click New Status.

The Edit Status page appears.

5 Complete the fields using the information in Status Fields (page 91).

If you expanded the Advanced area, additional fields appear.

6 Click Save Draft.

The status is added to the workflow's list of available statuses and to the workflow.

The Outbound Actions and Inbound Actions areas appear.

7 Add, edit, or delete actions for this status.

See Working with a Status's Actions.

8 Click Save Draft.

The status is added to the workflow's list of available statuses and to the workflow.

Status Fields

In this field... Do this ...

Name Type the name of the status as it appears in the FireFlow interface. This is also a unique key.

The name can include up to 50 characters of Latin character set. Spaces are allowed.

This field is mandatory.

Note: Some statuses cannot be renamed. When editing such a status, this field is read-only.

Stage The name of the image used in the lifecycle diagram at the top of the change request page.

This field is mandatory.

Responsible group Select the single user group responsible for change requests in this status.

Note: Usually, this group is configured to see these change requests in its Home page (see Customizing the Home Page per Group (on page 18)).

When an action is performed on the change request, and the action transitions the change request to a new status for which the change request owner is not responsible, the change request is re-assigned to the default assignee of the new status’s responsible group, and the current user is re-directed to their Home page.

If you want to designate a new responsible group for the status, first create the group in the FireFlow Configuration page, then access VisualFlow again. The new group will appear in this list, and you can select it.

This field is mandatory.

Additional responsible groups All user groups that are responsible for change requests in this status, other than the group specified in the Responsible group field.

DD - Needs further explanation for groups under domains

This field is read-only, and it only appears for statuses that are the source status of a parallel action.

Enabled Specify whether this status should be enabled, by choosing one of the following:

  Yes. The status is enabled and will appear in the FireFlow interface.

  No. The status is disabled. It will not appear in the FireFlow interface, and no change requests will have this status.

The default value is Yes.

Note: Some statuses cannot be disabled. When editing such a status, this field either does not appear or is read-only.

Advanced Expand this area to display the Advanced fields.

Allow editing traffic fields Specify whether it is possible to plan the change when a change request is in this status. Planning the change involves modifying any of the following fields:

  Source

  Destination

  Service

  Action

  NAT

Choose one of the following:

  Yes. These fields can be modified.

  No. These fields cannot be modified.

The default value is No.

Next status when mail or comment is received from requestor Select the next status to assign the change request, when incoming correspondence from the change request’s unprivileged requestor to the change request occurs.

If this field is not set, then the change request status will not change upon incoming correspondence.

This field only appears for statuses where an email response is possible.

Await Requestor's Response Specify whether a change request should appear in the Change Requests Awaiting Response page for unprivileged users.

The default value is No.

Mark change request as closed Specify whether a change request in this status is considered "closed", by choosing one of the following:

  Yes. Consider the change request "closed", and display it in the Closed Change Requests tab in the FireFlow requestor interface.

  No. Do not consider the change request "closed".

The default value is No.

This field does not appear for the "new" status.

Stage still incomplete Specify whether there are additional statuses that a change request must achieve before completing the stage, by choosing one of the following:

  Yes. There are additional statuses that a change request must achieve before completing this stage.

  No. This is the last status in the stage. The stage will be marked with a check mark.

The default value is No.

This field must be set to No for exactly one status per stage.

Status after new Select the status to which the change request should transition after it has been assigned an owner.

This field only appears for the "new" status.

Editing Statuses

 

To edit statuses

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

  Click on the desired workflow's name.

  Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 Do one of the following:

  To go directly to the desired status, click the status in the workflow layout.

  To select the status from a list of statuses:

1.  In the VisualFlow main menu, click Statuses.

The Available statuses page appears.

2.  Next to the desired status, click Edit.

The Edit Status page appears.

4 Complete the fields using the information in Status Fields (page 91).

If you expanded the Advanced area, additional fields appear.

5 Add, edit, or delete actions for this status.

See Working with a Status's Actions.

6 Click Save Draft.

Reordering Statuses

You can control the order in which statuses appear in a workflow's list of available statuses.

To reorder statuses

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

  Click on the desired workflow's name.

  Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 In the VisualFlow main menu, click Statuses.

The Available statuses page appears.

4 In the list of statuses, click next to a status you want to move, and drag it to the desired location in the list.

Deleting Statuses

To delete a status

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

  Click on the desired workflow's name.

  Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 In the VisualFlow main menu, click Statuses.

The Available statuses page appears.

4 Next to the desired status, click Delete.

Note: Some statuses cannot be deleted. These statuses do not have a Delete link next to them.

Note: If a status is the source or target of an action, or if the status is used in one or more SLOs, you must disassociate those actions/SLOs from the status before you can delete it. See Deleting Actions (on page 128) and Editing SLOs (on page 132).

A confirmation message appears.

5 Click OK.

The status is deleted from the workflow's list of available statuses and from the workflow.

Working with Actions

Adding Actions

To add an action

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

  Click on the desired workflow's name.

  Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 Do one of the following:

  In the VisualFlow main menu, click Actions.

The Available actions page appears with a list of actions used in the workflow.

  In the workflow layout, click on a status to which you want to add an action.

The Edit Status page appears with a list of inbound and outbound actions for the status.

4 Do one of the following:

  To add a new action from scratch, in the New Action drop-down list, select the new action's type.

An action's type describes what it does. For information on available action types, see Action Types (page 100).

  To add a new action that is based on an existing action:

1.  Next to the desired existing action, click Duplicate.

A confirmation message appears.

2.  Click OK.

The new action is named OriginalAction-Copy-Number, where:

  OriginalAction is the name of the action you copied.

  Number is a number used to differentiate between copies of the duplicated action.

For example, if you duplicated an action called Risk Check, and there is already an action called Risk Check-Copy-1, then the new action will be called Risk Check-Copy-2.

The Edit Action page appears.

5 Complete the fields using the information in Action Fields (page 101).

If you expanded the Advanced area, additional fields appear.

6 If you set the Parallel field to Yes, set the action's responsible groups by doing the following:

a) Click the Set responsible groups link.

The Responsible groups dialog box appears.

The Responsible group field displays the user group responsible for change requests in this status.

b) In the Additional responsible groups list, select the additional user groups responsible for change requests in this status.

To select multiple user groups, press Ctrl while you click on the desired user groups.

c) Click OK.

7 Click Save Draft.

The action is added to the list of actions.

 Action Type

This action type... Does this...

Change status Changes the status of the change request.

Internal comment Adds a comment to the change request that is hidden from the requestor.

Reply to user Adds a comment to the change request that is seen by the requestor. Includes sending an email to the requestor.

Modify custom field Allows a user to modify one or more custom fields.

Take ownership Assigns the user ownership of a change request.

Assign Allows a user to assign ownership of a change request to another user.

Initial plan Performs initial planning. Relevant only for traffic change requests.

It is recommended to consult with AlgoSec before using this action type.

Risk check Performs a risk check. Relevant only for traffic change requests.

It is recommended to consult with AlgoSec before using this action type.

Implementation plan Creates a work order.

It is recommended to consult with AlgoSec before using this action type.

Manual reconcile Opens a dialog box that allows a user to manually match the change request with a change record. Relevant only for traffic change requests.

It is recommended to consult with AlgoSec before using this action type.

No change record Opens a dialog box that allows a user to manually match the change request, while specifying that there is no associated change record. Relevant only for traffic change requests.

It is recommended to consult with AlgoSec before using this action type.

Change validation Performs validation of a traffic change request. Relevant only for traffic change requests.

It is recommended to consult with AlgoSec before using this action type.

Review work order Enables a user to view an existing work order and edit it. Relevant controls will appear in UI only for Check Point and Juniper devices. Relevant only for traffic change requests.

It is recommended to consult with AlgoSec before using this action type.

Active change Enables a user to implement planned changes via ActiveChange. Relevant controls will appear in UI only for Check Point devices using OPSEC. Relevant only for traffic change requests.

It is recommended to consult with AlgoSec before using this action type.

Object change validation Performs validation of an object change request. Relevant only for object change requests.

It is recommended to consult with AlgoSec before using this action type.

Affected rules Finds affected rules for an object change request. Relevant only for object change requests.

It is recommended to consult with AlgoSec before using this action type.

Related tickets Finds change requests that are related to a change request. Relevant only for rule removal requests.

It is recommended to consult with AlgoSec before using this action type.

Notify requestors Enables a user to notify other users regarding the impending removal/disablement of a device rule. Relevant only for rule removal requests.

It is recommended to consult with AlgoSec before using this action type.

View correspondence Allows a user to view correspondences with other users regarding the impending removal/disablement of a device rule. Relevant only for rule removal requests.

It is recommended to consult with AlgoSec before using this action type.

Rule removal validation Performs validation of a rule removal request. Relevant only for rule removal requests.

It is recommended to consult with AlgoSec before using this action type.

 Action Fields

In this field... Do this ...

Name A unique key value for the action. Used when the action's behavior is to be overridden for a specific status.

This field is mandatory. It is only available when working with a workflow's list of actions.

Type Select the action's type, which describes what it does. See Action Types (page 100).

This field is mandatory. It is only available when working with a workflow's list of actions.

Category Type the action's category.

You can create categories and assign similar actions to them. When editing an action, the Edit action details area will display links to other actions belonging to the same category.

Source status Use the fields in this area to specify the status or statuses from which the change request must transition, before this action can be performed.

Target status Use the fields in this area to specify the status or statuses to which the change request will transition when the action is performed.

Required action right Specify whether the user must be granted a specific right, in order for the action to appear in the Other drop-down list, by selecting the relevant right.

Note: This is a cosmetic issue only. Actions that require the user to have a specific right will not succeed if the user does not have the right.

Return to homepage Specify whether the user should be re-directed to the Home page after executing the action, by choosing one of the following:

  Yes. Redirect the user to the Home page.

  No. The user should remain on the current page.

The default value is No.

Enabled Specify whether this action should be enabled, by choosing one of the following:

  Yes. The action is enabled and will appear in the FireFlow interface.

 

  No. The action is disabled and will not appear in the FireFlow interface.

The default value is Yes.

Display action button Specify whether the action should be available via an explicit button next to the Other drop-down list, by choosing one of the following:

  Yes. Make the action available via a button. The button will always be visible, unless the Display action button when field is empty field is set to a field name.

  No. Do not make the action available via a button.

The default value is No.

Advanced Expand this area to display the Advanced fields.

Conditional target status Use the fields in this area to specify a set of conditional target statuses that the change request can transition to.

FireFlow will check the conditions in the order listed; therefore, if the first condition is met, FireFlow will not check the second condition, and so on.

If none of the conditions are met, the change request will transition to the status specified in the Edit action details area's Target status field, by default.

Target status Select a new status that the change request should transition to when the action is performed, if the condition(s) in the Condition field are met.

Condition Type an XQL query specifying the conditions under which the change request will transition to the status specified in the Target Status field.

For example, to specify the condition that the number of risks must be zero, type:

Ticket[RisksNumber = "0"]

For information on the required query syntax, see Action Condition Syntax (on page 105).

Message to user Type a message that should appear onscreen when transitioning to the new status.

+ Click this button to add another conditional target status.

Parallel Specify whether the action will be performed in parallel to a second, identical action. Choose one of the following:

  Yes. The action will be performed in parallel to a second, identical action.

  No. The action will be performed sequentially to all other actions.

The default value is No.

It is possible to add more parallel action logic. See Adding Parallel Action Logic (on page 126).

This field is enabled only for statuses of the following types: Change status, Internal comment, and Reply to user.

action completed when The strategy used to determine whether the parallel action has been completed.

To specify that the action should be considered completed only when all responsible groups have performed it, select all.

If desired, you can configure other strategies. For example, you can configure a strategy specifying that if a specific group performs the action, then the action should be considered completed; otherwise, FireFlow should wait for all other groups to perform the action. For information on configuring additional strategies, contact AlgoSec.

Display action button when field is empty Specify whether the action should be available via an explicit button next to the Other drop-down list only if a specific change request field is empty, by selecting the relevant change request field.

Display action button when current user is not the owner Specify whether the action should be available via an explicit button next to the Other drop-down list only if the current user is not the change request's owner. Choose one of the following:

  Yes. Display the action button if the current user is not the change request's owner.

  No. Do not make displaying the action button dependent on whether the current user is the change request's owner.

The default value is No.

Display action button when change request is unassigned Specify whether the action should be available via an explicit button next to the Other drop-down list only if the change request is not assigned to a user. Choose one of the following:

  Yes. Display the action button if the change request is not assigned to a user.

  No. Do not make displaying the action button dependent on whether the change request is assigned to a user.

The default value is No.

Display action button when field value is true Specify whether the action should be available via an explicit button next to the Other drop-down list only if a specific change request field's value is "true", by selecting the relevant change request field.

This is useful for actions that are restricted to certain device types. For example, editing a work order can only be done for Check Point devices; therefore, this action should only be available if a custom field called "Check Point" is set to "true".

Modify Field Title Type the message that should appear when this action is performed, instructing the user to complete the field specified in the Field Name field.

This field is only relevant if the Type field's value is Modify custom field.

Field Name If the action requires a field's value as input, select the field's name.

To select multiple fields, hold down the CTRL key while clicking on the desired fields.

This field is only relevant if the Type field's value is Modify custom field.

Display in workflow layout Specify whether the action should be displayed in the workflow layout when viewing a workflow, by choosing one of the following:

  Yes. Display the action in the workflow layout.

  No. Do not display the action in the workflow layout.

The default value is No.

Note: When viewing a status for which this action is an outbound action, the action will be displayed in the workflow layout, regardless of this attribute's value.

Applies to change requests of type Select the check boxes next to the types of change requests for which the action is relevant, and for which the action should appear.

This can be one or more of the following:

  Regular. The action is relevant to regular change requests. A regular change request is relevant to only one device.

  Parent. The action is relevant to parent requests. A parent request is relevant to multiple devices and has a sub-request for each device.

  Sub request. The action is relevant to sub-requests. A sub-request is relevant to one device, out of the multiple devices that are relevant to its parent request.

If you do not select any of the check boxes, the action will be relevant to all change request types.

User confirmation needed Specify whether a confirmation message should appear when a user performs the action, by choosing one of the following:

  Yes. Display a message when the action is performed.

  No. Do not display a message when the action is performed.

The default value is No.

Mail content Type the default text that will appear in the main message box when commenting on achange request or replying to the user.

This field is relevant only for actions of the type Reply to user and Internal comment.

Set 'auto-matching status' Specify whether after the action is performed, the change request's "auto-matchingstatus" should be set to a specific value, and the change request should be displayed inthe Auto Matching  page, by selecting the relevant status.

The default value is No.

Traffic fields required Specify whether certain change request fields are mandatory, in which case if the fieldsare not filled in when the action is performed, a message will appear prompting the userthe fill them in. The fields in question are:

  Source

  Destination

  Service

  Action

 

FirewallChoose one of the following:

  Yes. These fields are mandatory.

  No. These fields are optional.

The default value is No.


Hide from 'Other' actions menu

Specify whether the action should not appear in the Other drop-down list, if it is not available via an explicit button next to the Other drop-down list. Choose one of the following:

  Yes. Hide this action in the Other drop-down list, if it does not appear via an explicit button.

  No. Display this action in the Other drop-down list, regardless of whether it appears via an explicit button.

The default value is No.

Allow this action for unprivileged users

Specify whether unprivileged users should be allowed to perform this action, by choosing one of the following:

  Yes. Allow unprivileged users to perform this action.

  No. Do not allow unprivileged users to perform this action.

The default value is No.

Return to homepage and display sub requests

Specify whether after the action is performed on a parent request, the user should be redirected to the Home page, which displays a list of the parent request's sub-requests. Choose one of the following:

  Yes. Redirect the user to the Home page with a list of the parent request's sub-requests.

  No. The user should remain on the current page.

The default value is No.

This field is relevant only for actions of the type Change status, Reply to user and Internal comment.

Return to parent request

Specify whether after the action is performed on a sub-request, the user should be redirected to the parent request, by choosing one of the following:

  Yes. Redirect the user to the parent request.

  No. The user should remain on the current page.

The default value is No.

Action Condition Syntax

In order to specify a condition under which a change request will transition to a new status when an action is performed, you must compose an XQL query. The XQL query can include the following:

  Elements

An element may be any node in the XML of a change request, called a flat ticket. A flat ticket's root node is <Ticket>, which is written in an XQL query as Ticket.

In order to specify a sub-node, use "/". For example, to specify a flat ticket's <Firewall> node, write:

    Ticket/Firewall

You can use an asterisk "*" to specify a wildcard. For example, to specify any sub-node of Firewall, write:

    Ticket/Firewall/*

For information about available flat ticket nodes, see Flat Ticket Nodes (on page 106). For an example of a flat ticket, see Flat Ticket Example (on page 116).

  Filters

In order to apply a condition to an element, use square brackets "[ ]" in the following format:

    Element[condition]


Where condition is a sub-query specifying the desired condition.

For example, to specify that the device brand must be Juniper Netscreen, write the following:

    Ticket/Firewall[Brand = "Juniper Netscreen"]

  Comparison operators

Elements in a sub-query may be compared via comparison operators in the following format:

    element operator "value"

Where operator is a supported comparison operator, and value is the element's desired value.

In the previous example, the sub-query used the = operator as follows:

    Brand = "Juniper Netscreen"

For a list of supported comparison operators, see Supported Comparison Operators (on page 125).

  Boolean operators

It is possible to use Boolean operators between sub-queries. For example, the following query specifies that the change request must be assigned to the Standard workflow, and the status must be "new":

    Ticket[Workflow = "Standard"] $and$ Ticket[Status = "new"]

For more intricate queries, you can use parentheses to group sub-queries. For example, the following query specifies that the change request must be assigned to the Standard workflow, and the change request status must be "new" or "plan":

    Ticket[Workflow = "Standard"] $and$ (Ticket[Status = 'new'] $or$ Ticket[Status = 'plan'])

For a list of supported Boolean operators, see Supported Boolean Operators (on page 126).
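A small offline checker for the condition syntax described above, added here as an example; it is not AlgoSec's code or FireFlow's XQL engine. It assumes only the = operator and the $and$ / $or$ operators shown in this section, treats a query as true when it selects at least one node, gives $and$ precedence over $or$, and runs against a constructed sample ticket. Anything else is rejected with an error so that an untested condition never silently passes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample flat ticket, trimmed to the nodes the queries below use.
SAMPLE_TICKET = """<Ticket>
  <Firewall>
    <Brand>Juniper Netscreen</Brand>
    <Name>fw-example</Name>
  </Firewall>
  <Status>new</Status>
  <Workflow>Standard</Workflow>
</Ticket>"""

# One token is $and$ / $or$, a parenthesis, or a path with an optional
# [field = "value"] filter. Only "=" is recognised (assumption of this example).
_TOKEN = re.compile(r"""\s*(?:
      (?P<op>\$and\$|\$or\$)
    | (?P<paren>[()])
    | (?P<path>[\w*]+(?:/[\w*]+)*)
      (?:\[\s*(?P<field>[\w/]+)\s*=\s*(?P<q>["'])(?P<value>.*?)(?P=q)\s*\])?
    )""", re.VERBOSE)


def tokenize(query):
    """Split a condition into ('op' | 'paren' | 'term', value) tokens."""
    query, tokens, pos = query.strip(), [], 0
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if m is None:
            # Unsupported operator or malformed filter: fail closed.
            raise ValueError(f"cannot parse condition at: {query[pos:]!r}")
        if m.group("op"):
            tokens.append(("op", m.group("op")))
        elif m.group("paren"):
            tokens.append(("paren", m.group("paren")))
        else:
            tokens.append(("term", (m.group("path"), m.group("field"), m.group("value"))))
        pos = m.end()
    return tokens


def _select(root, path, field, value):
    """Return the nodes matched by Path or Path[field = "value"]."""
    steps = path.split("/")
    if steps[0] not in (root.tag, "*"):
        return []
    nodes = [root] if len(steps) == 1 else root.findall("/".join(steps[1:]))
    if field is None:
        return nodes
    return [n for n in nodes
            if any((c.text or "").strip() == value for c in n.findall(field))]


def evaluate(query, ticket_xml):
    """True if the condition holds for the given flat ticket XML."""
    # Parse only tickets you exported yourself; ElementTree is not hardened
    # against hostile XML.
    root = ET.fromstring(ticket_xml)
    tokens, pos = tokenize(query), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def parse_or():
        nonlocal pos
        result = parse_and()
        while peek() == ("op", "$or$"):
            pos += 1
            rhs = parse_and()
            result = result or rhs
        return result

    def parse_and():
        nonlocal pos
        result = parse_atom()
        while peek() == ("op", "$and$"):
            pos += 1
            rhs = parse_atom()
            result = result and rhs
        return result

    def parse_atom():
        nonlocal pos
        kind, val = peek()
        if (kind, val) == ("paren", "("):
            pos += 1
            result = parse_or()
            if peek() != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            pos += 1
            return result
        if kind == "term":
            pos += 1
            return bool(_select(root, *val))
        raise ValueError("expected a query or '('")

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected text after end of condition")
    return result
```

Running a condition against a saved flat ticket before attaching it to a workflow action shows whether the transition would fire for that request.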

Flat Ticket Nodes

The following table lists the standard flat ticket nodes in alphabetical order.

Note: These nodes represent the various change request fields.

If you configured custom fields, there will also be a node for each custom field, and those nodes can be used as elements in XQL queries.

Flat Ticket Nodes

Node    Description    Sub-nodes

Node: Action
Description: The action to perform for the connection. Sub-node of PlannedTraffic and RequestedTraffic.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes:
  Value.
  A node for each custom field. Each such node will have its own Value sub-node.
See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).


Node: AffectedRulesResult
Description: The device rules that will be affected by the requested change. Sub-node of Ticket. Relevant for object change requests only.
Sub-nodes: None

Node: AlreadyWorksFirewalls
Description: The names of devices on which the requested change already works. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: AutomaticallyImplemented
Description: Indicates whether the requested change should be automatically implemented. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: Brand
Description: The device vendor. Sub-node of Firewall.
Sub-nodes: None

Node: Cc
Description: Email addresses to which the FireFlow system will send copies of all email messages regarding this request. Sub-node of Ticket.
Sub-nodes: None

Node: ChangeFullData
Description: The change description. Sub-node of Ticket.
Sub-nodes: None

Node: ChangeImplementationNotes
Description: The change request's implementation notes, if the change request has completed the Implement stage. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: City
Description: The city in which the change request owner or requestor is located, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: ClosedAt
Description: The date and time when the change request was closed. Sub-node of Ticket.
Sub-nodes: None

Node: CMSticketid
Description: The ID number of a related change request in an external change management system that is integrated with FireFlow. Sub-node of Ticket.
Sub-nodes: None

Node: code
Description: The code number of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: Country
Description: The country in which the change request owner or requestor is located, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None


Node: Created
Description: The date and time when the change request was created. Sub-node of Ticket.
Sub-nodes: None

Node: Createticketsfromattachment
Description: Indicates whether the change request was created from a file. Sub-node of Ticket.
Sub-nodes: None

Node: Description
Description: The description of the change request. Sub-node of Ticket.
Sub-nodes: None

Node: description
Description: The description of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: Destination
Description: The IP address, IP range, network, device object, or DNS name of the connection destination. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for traffic change requests only.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes:
  Value.
  A node for each custom field. Each such node will have its own Value sub-node.
See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).

Node: Due
Description: The date by which this change request should be resolved. Sub-node of Ticket.
Sub-nodes: None

Node: EmailAddress
Description: The email address of the change request owner or requestor, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Expires
Description: The date on which this change request will expire. Sub-node of Ticket.
Sub-nodes: None

Node: Firewall
Description: Information about the device on which the change will be implemented, if the change request has completed the Plan stage. Sub-node of Ticket.
Sub-nodes:
  Brand
  IPAddress
  LastReport
  LastReportDate
  ManagementServer
  Name
  Policy

Node: FormType
Description: The change request's form type (Traffic Change / Object Change / Generic Change). Sub-node of Ticket.
Sub-nodes: None


Node: HomePhone
Description: The home telephone number of the change request owner or requestor, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Id
Description: The ID number of the change request or the change request owner, depending on the parent node. Sub-node of Ticket and Owner.
Sub-nodes: None

Node: ImplementaionDate
Description: The date on which the change request was implemented. Sub-node of Ticket.
Sub-nodes: None

Node: InitialPlanStartTime
Description: The amount of time that has elapsed since initial planning, in UNIX time. Sub-node of Ticket.
Sub-nodes: None

Node: IPAddress
Description: The IP address of the device. Sub-node of Firewall.
Sub-nodes: None

Node: IPsToAdd
Description: The IP addresses to add to the device object. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: IPsToRemove
Description: The IP addresses to remove from the device object. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: IsActiveChangeApplicable
Description: Indicates whether ActiveChange can be used to automatically implement the requested change. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: IsWorkOrderEditable
Description: Indicates whether the work order is editable. Sub-node of Ticket.
Sub-nodes: None

Node: LastReport
Description: The last report generated for the device. Sub-node of Firewall.
Sub-nodes: None

Node: LastReportDate
Description: The date and time at which the last report for this device was generated. Sub-node of Firewall.
Sub-nodes: None

Node: LastUpdated
Description: The date and time when the change request was last updated. Sub-node of Ticket.
Sub-nodes: None

Node: LastUpdatedBy
Description: The username of the person who last updated the change request. Sub-node of Ticket.
Sub-nodes: None


Node: ManagementServer
Description: The name of the device's management server. Sub-node of Firewall.
Sub-nodes: None

Node: Name
Description: The name of the device. Sub-node of Firewall.
Sub-nodes: None

Node: name
Description: The name of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: New
Description: Indicates whether the change request is new. Sub-node of Ticket.
Sub-nodes: None

Node: ObjectChangeValidationResult
Description: The results of object change validation. Sub-node of Ticket. Relevant for object change requests only.
Sub-nodes: None

Node: ObjectName
Description: The name of the device object. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: Organization
Description: The organization to which the change request owner or requestor belongs, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Owner
Description: The change request owner's username and email address. Sub-node of Ticket.
Sub-nodes:
  City
  Country
  EmailAddress
  HomePhone
  Id
  Organization
  RealName

Node: OwningGroup
Description: The name of the user group that currently owns the change request. Sub-node of Ticket.
Sub-nodes: None


Node: PlannedTraffic
Description: The changes planned during the Plan stage. Sub-node of Ticket.
Sub-nodes:
  Action
  Destination
  IPsToRemove
  IPsToAdd
  ObjectName
  Requestedaction
  RuleDisplayId
  RuleId
  RuleRemovalRelatedTickets
  RuleRemovalRelatedTicketsRequestors
  RuleRemovalRuleAction
  RuleRemovalUserstoNotify
  Scope
  Service
  Source

Node: Policy
Description: The device security policy. Sub-node of Firewall.
Sub-nodes: None

Node: Priority
Description: A number indicating this request's priority, where 0 indicates lowest priority. Sub-node of Ticket.
Sub-nodes: None

Node: RealName
Description: The full names of the change request owner or requestor, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Requestedaction
Description: The action the user selected to perform on the rule (remove or disable). Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RequestedTraffic
Description: The changes requested during the Request stage. Sub-node of Ticket.
Sub-nodes:
  Action
  Destination
  IPsToRemove
  IPsToAdd
  ObjectName
  Requestedaction
  RuleDisplayId
  RuleId
  RuleRemovalRelatedTickets
  RuleRemovalRelatedTicketsRequestors
  RuleRemovalRuleAction
  RuleRemovalUserstoNotify
  Scope
  Service
  Source


Node: Requestor
Description: Information about the requestor. Sub-node of Ticket.
Sub-nodes:
  City
  Country
  EmailAddress
  HomePhone
  Organization
  RealName

Node: Risk
Description: A risk that implementation of the planned change would entail. Sub-node of RiskDetails. Relevant for traffic change requests only.
Sub-nodes:
  code
  description
  name
  severity

Node: RisksDetails
Description: The results of the risk check, if the change request has completed the Check stage. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes:
  Risk

Node: RisksNumber
Description: The total number of risks that implementation of the planned change would entail. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: RuleDisplayId
Description: The rule ID as displayed to users. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleId
Description: The rule ID as displayed in reports. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleRemovalRelatedTickets
Description: FireFlow change requests with traffic that intersects that of the rule slated to be removed/disabled. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleRemovalRelatedTicketsRequestors
Description: The requestors of FireFlow change requests with traffic that intersects that of the rule slated to be removed/disabled. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleRemovalRuleAction
Description: The action to perform on the rule in the device policy (for example, allow or drop). Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None


Node: RuleRemovalUserstoNotify
Description: FireFlow users to notify regarding the rule's upcoming removal/disablement. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: Scope
Description: The scope of the change (Local / Global). Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: Service
Description: The device service or port for the connection. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for traffic change requests only.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes:
  Value.
  A node for each custom field. Each such node will have its own Value sub-node.
See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).

Node: severity
Description: The severity of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: Source
Description: The IP address, IP range, network, device object, or DNS name of the connection source. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for traffic change requests only.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes:
  Value.
  A node for each custom field. Each such node will have its own Value sub-node.
See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).

Node: Status
Description: The change request's status. Sub-node of Ticket.
Sub-nodes: None

Node: Subject
Description: The change request's subject. Sub-node of Ticket.
Sub-nodes: None

Node: Ticket
Description: The root node of a flat ticket.
Sub-nodes:
  AffectedRulesResult
  AlreadyWorksFirewalls
  AutomaticallyImplemented
  Cc
  ChangeFullData
  ChangeImplementationNotes
  ClosedAt
  CMSticketid


  Createticketsfromattachment
  Description
  Due
  Expires
  Firewall
  FormType
  Id
  ImplementaionDate
  InitialPlanStartTime
  IsActiveChangeApplicable
  IsWorkOrderEditable
  LastUpdated
  LastUpdatedBy
  New
  ObjectChangeValidationResult
  Owner
  OwningGroup
  PlannedTraffic
  Priority
  RequestedTraffic
  Requestor
  RiskDetails
  RisksNumber
  Status
  Subject
  TicketTemplateName
  TrafficChangeTime
  TranslatedDestination
  TranslatedService
  TranslatedSource
  Workflow

Node: TicketTemplateName
Description: The name of the change request's template. Sub-node of Ticket.
Sub-nodes: None

Node: TrafficChangeTime
Description: The amount of time that has elapsed since the traffic was changed, in UNIX time. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: TranslatedDestination
Description: The change request's destination, as translated to IP addresses. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: TranslatedService
Description: The change request's destination, as translated to ports. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None


Node: TranslatedSource
Description: The change request's source, as translated to IP addresses. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: Value
Description: The value of this node's parent node. Sub-node of Action, Destination, Service, and Source. Relevant only when inclusion of user-defined custom traffic fields in flat tickets is enabled. See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).
Sub-nodes: None

Node: Workflow
Description: The change request's assigned workflow. Sub-node of Ticket.
Sub-nodes: None


Flat Ticket Example

A flat ticket is a change request in XML format.

Traffic Change Flat Ticket (Inclusion of User-Defined Custom Traffic Fields Enabled)  

<Ticket>
  <AdditionalResponsibleGroups></AdditionalResponsibleGroups>
  <AffectedRulesResult></AffectedRulesResult>
  <AlreadyWorksFirewalls></AlreadyWorksFirewalls>
  <ApplicationDefaultServices>tcp/21/*</ApplicationDefaultServices>
  <AutomaticallyImplemented>No</AutomaticallyImplemented>
  <CMSticketid></CMSticketid>
  <CategorytoUpdate></CategorytoUpdate>
  <Cc></Cc>
  <ChangeCategory></ChangeCategory>
  <ChangeFullData>{&quot;zoneSpanning&quot;:null,&quot;acl&quot;:null,&quot;fromZone&quot;:null,&quot;recommendation_new_format&quot;:1,&quot;report&quot;:&quot;eliezer-13656&quot;,&quot;origRuleScript&quot;:&quot;fwrules51&quot;,&quot;firewall&quot;:&quot;fw3&quot;,&quot;tuples&quot;:{&quot;tuple-1&quot;:{&quot;orig_rules&quot;:&quot;orig_rules.html&quot;,&quot;suggestions&quot;:{&quot;add&quot;:[{&quot;source&quot;:[&quot;192.168.3.186&quot;],&quot;sourceReq&quot;:&quot;192.168.3.186&quot;,&quot;data_time&quot;:&quot;saved-2012-04-01-133038&quot;,&quot;destination&quot;:[&quot;10.10.10.2-10.10.10.3&quot;],&quot;status&quot;:&quot;N/A&quot;,&quot;srvReq&quot;:&quot;ftp&quot;,&quot;service&quot;:[&quot;tcp/21&quot;],&quot;destReq&quot;:&quot;10.10.10.2,10.10.10.3&quot;,&quot;tuples&quot;:&quot;1&quot;}]},&quot;noActionRequired&quot;:1}},&quot;action&quot;:[&quot;Allow&quot;],&quot;queryURL&quot;:&quot;https://192.168.2.245:443/~eliezer/algosec/session-1802f5044ffe48d097279d515a6fa864/work/fw3-18947/query-18947/query.html&quot;,&quot;ticket&quot;:&quot;1320&quot;,&quot;toZone&quot;:null}</ChangeFullData>
  <ChangeImplementationNotes></ChangeImplementationNotes>
  <ChangeURL></ChangeURL>
  <ChangeUserGroup></ChangeUserGroup>
  <ChangeWebAction>Allow</ChangeWebAction>
  <ClosedAt></ClosedAt>
  <Created>Sun Apr 01 13:46:28 2012</Created>
  <Createticketsfromattachment>No</Createticketsfromattachment>
  <Customer>Example Customer</Customer>
  <Description></Description>
  <Due>Sun Apr 01 2012</Due>
  <Expires>Tue May 01 2012</Expires>
  <Firewall>


    <Brand>Check Point</Brand>
    <IPAddress>10.132.32.1</IPAddress>
    <LastReport>eliezer-13656</LastReport>
    <LastReportDate>2012-03-31 21:34:09</LastReportDate>
    <ManagementServer>m_10_132_31_1</ManagementServer>
    <Name>fw3</Name>
    <Policy>yaara_10.W</Policy>
  </Firewall>
  <FormType>Traffic Change</FormType>
  <Id>1320</Id>
  <InitialPlanStartTime>1333277359.81826</InitialPlanStartTime>
  <IsActiveChangeApplicable>1</IsActiveChangeApplicable>
  <IsWorkOrderEditable>true</IsWorkOrderEditable>
  <LastUpdated>Sun Apr 01 13:54:55 2012</LastUpdated>
  <LastUpdatedBy>eliezer.weiss+locadmin@algoseclabs.com</LastUpdatedBy>
  <Moshe></Moshe>
  <ObjectChangeValidationResult></ObjectChangeValidationResult>
  <OrganizationMethodology></OrganizationMethodology>
  <Owner>
    <City>tel aviv</City>
    <Country></Country>
    <EmailAddress>eliezer.weiss+locnet@algoseclabs.com</EmailAddress>
    <HomePhone></HomePhone>
    <Id>67</Id>
    <Organization>Algosec</Organization>
    <RealName>local network</RealName>
  </Owner>
  <OwningGroup>Network</OwningGroup>
  <PendingResponsibleGroups></PendingResponsibleGroups>
  <PlannedTraffic>
    <Action>
      <Value>Allow</Value>
    </Action>
    <Destination>
      <Value>10.10.10.2</Value>
    </Destination>
    <Destination>


      <Value>10.10.10.3</Value>
    </Destination>
    <DestinationNAT>165.13.12.11</DestinationNAT>
    <NATType>Static</NATType>
    <PortTranslation>tcp/8080</PortTranslation>
    <Service/Application>
      <Value>tcp/21</Value>
    </Service/Application>
    <Source>
      <Value>192.168.3.186</Value>
    </Source>
    <SourceNAT>178.16.1.18</SourceNAT>
    <application>mail server</application>
  </PlannedTraffic>
  <Priority>0</Priority>
  <RecertificationCandidateDevices></RecertificationCandidateDevices>
  <RecertificationRelatedTicketsCalculationDate></RecertificationRelatedTicketsCalculationDate>
  <RecertificationStatus>Stand by</RecertificationStatus>
  <RecertifiedTrafficTicket></RecertifiedTrafficTicket>
  <RecommendReimplement></RecommendReimplement>
  <RequestedCategory></RequestedCategory>
  <RequestedTraffic>
    <Action>
      <Value>Allow</Value>
    </Action>
    <Destination>
      <Value>10.10.10.2</Value>
    </Destination>
    <Destination>
      <Value>10.10.10.3</Value>
    </Destination>
    <DestinationNAT>165.13.12.11</DestinationNAT>
    <NATType>Static</NATType>
    <PortTranslation>tcp/8080</PortTranslation>
    <Service/Application>


      <Value>ftp</Value>
    </Service/Application>
    <Source>
      <Value>192.168.3.186</Value>
    </Source>
    <SourceNAT>178.16.1.18</SourceNAT>
    <application>mail server</application>
  </RequestedTraffic>
  <RequestedURL></RequestedURL>
  <RequestedUserGroup></RequestedUserGroup>
  <RequestedWebAction>Allow</RequestedWebAction>
  <Requestor>
    <City></City>
    <Country></Country>
    <EmailAddress>eliezer.weiss+locadmin@algoseclabs.com</EmailAddress>
    <HomePhone></HomePhone>
    <Id>65</Id>
    <Organization>Algosec</Organization>
    <RealName>Local FireFlow admin</RealName>
  </Requestor>
  <RiskLevel>No Risk</RiskLevel>
  <RisksDetails></RisksDetails>
  <RisksNumber>0</RisksNumber>
  <Status>validate</Status>
  <Subject>FTP access to mail servers</Subject>
  <TicketTemplateID></TicketTemplateID>
  <TicketTemplateName></TicketTemplateName>
  <TrafficChangeTime></TrafficChangeTime>
  <TranslatedDestination>10.10.10.2-10.10.10.3</TranslatedDestination>
  <TranslatedService>tcp/21</TranslatedService>
  <TranslatedSource>192.168.3.186</TranslatedSource>
  <Workflow>Standard-With-SLA</Workflow>
  <reportpdf>6208</reportpdf>
</Ticket>

 

Traffic Change Flat Ticket (Inclusion of User-Defined Custom Traffic Fields Disabled)  


<Ticket>
  <AddTraffic>Yes</AddTraffic>
  <Cc></Cc>
  <ClosedAt></ClosedAt>
  <Created>Mon Jun 28 07:21:13 2010</Created>
  <Description></Description>
  <Due></Due>
  <Firewall>
    <Brand>Juniper Netscreen</Brand>
    <IPAddress>100.0.0.1</IPAddress>
    <LastReport>michal-8247</LastReport>
    <LastReportDate>2010-06-27 19:32:18</LastReportDate>
    <Name>192_168_2_53_root</Name>
    <Policy>192_168_2_53_root.nsc</Policy>
  </Firewall>
  <Id>1567</Id>
  <InitialPlanStartTime>1277717369.39996</InitialPlanStartTime>
  <LastUpdated>Mon Jun 28 09:33:08 2010</LastUpdated>
  <LastUpdatedBy>a123@algosec.com</LastUpdatedBy>
  <Owner>
    <City></City>
    <Country></Country>
    <EmailAddress>a123@algosec.com</EmailAddress>
    <HomePhone></HomePhone>
    <Id>25</Id>
    <Organization></Organization>
    <RealName>JohnSmith</RealName>
  </Owner>
  <PlannedTraffic>
    <Action>Allow</Action>
    <Destination>*</Destination>
    <Service>*</Service>
    <Source>*</Source>
  </PlannedTraffic>
  <Priority>0</Priority>
  <RequestedTraffic>
    <Action>Allow</Action>


    <Destination>*</Destination>
    <Service>ssh</Service>
    <Source>*</Source>
  </RequestedTraffic>
  <Requestor>
    <City></City>
    <Country></Country>
    <EmailAddress>a123@algosec.com</EmailAddress>
    <HomePhone></HomePhone>
    <Organization></Organization>
    <RealName>JaneBrown</RealName>
  </Requestor>
  <RisksDetails>
    <Risk>
      <code>I01</code>
      <description>&quot;Any&quot; service can enter your network</description>
      <name>I01-inbound-any</name>
      <severity>high</severity>
    </Risk>
  </RisksDetails>
  <RisksNumber>3</RisksNumber>
  <Status>check</Status>
  <Subject></Subject>
  <TrafficChangeTime>1277717369.02893</TrafficChangeTime>
  <Workflow>Standard</Workflow>
  <CustomField1>1</CustomField1>
</Ticket>

 

Object Change Flat Ticket 

<Ticket>
  <AffectedRulesResult>The change will affect 1 rules: 12 in device Kartiv</AffectedRulesResult>
  <AlreadyWorksFirewalls></AlreadyWorksFirewalls>
  <AutomaticallyImplemented></AutomaticallyImplemented>
  <CMSticketid></CMSticketid>
  <Cc></Cc>


  <ChangeFullData></ChangeFullData>
  <ChangeImplementationNotes></ChangeImplementationNotes>
  <ClosedAt></ClosedAt>
  <Created>Mon Feb 14 08:22:13 2011</Created>
  <Createticketsfromattachment>No</Createticketsfromattachment>
  <Description></Description>
  <Due></Due>
  <Expires></Expires>
  <Firewall>
    <Brand>Check Point</Brand>
    <IPAddress>10.20.17.1</IPAddress>
    <LastReport>michal-12327</LastReport>
    <LastReportDate>2011-02-07 20:23:19</LastReportDate>
    <ManagementServer>m_10_20_16_1</ManagementServer>
    <Name>Kartiv</Name>
    <Policy>Standard.W</Policy>
  </Firewall>
  <FormType>Object Change</FormType>
  <Id>2128</Id>
  <ImplementaionDate></ImplementaionDate>
  <InitialPlanStartTime></InitialPlanStartTime>
  <IsActiveChangeApplicable>1</IsActiveChangeApplicable>
  <IsWorkOrderEditable>true</IsWorkOrderEditable>
  <LastUpdated>Mon Feb 14 08:22:52 2011</LastUpdated>
  <LastUpdatedBy></LastUpdatedBy>
  <New></New>
  <ObjectChangeValidationResult></ObjectChangeValidationResult>
  <Owner>
    <City></City>
    <Country></Country>
    <EmailAddress>a123@algosec.com</EmailAddress>
    <HomePhone></HomePhone>
    <Id>25</Id>
    <Organization></Organization>
    <RealName>m</RealName>
  </Owner>
  <OwningGroup>Network</OwningGroup>


  <PlannedTraffic>
    <Action>Remove IPs from Object</Action>
    <IPsToRemove>10.10.17.3</IPsToRemove>
    <ObjectName>a_10.10.17.2-3</ObjectName>
    <Scope>Local</Scope>
  </PlannedTraffic>
  <PlannedTraffic>
    <Action>Remove IPs from Object</Action>
    <IPsToRemove>10.40.17.0-10.40.17.255</IPsToRemove>
    <ObjectName>RemoteAccess</ObjectName>
    <Scope>Global</Scope>
  </PlannedTraffic>
  <Priority>0</Priority>
  <RequestedTraffic>
    <Action>Remove IPs from Object</Action>
    <IPsToRemove>10.10.17.3</IPsToRemove>
    <ObjectName>a_10.10.17.2-3</ObjectName>
    <Scope>Local</Scope>
  </RequestedTraffic>
  <RequestedTraffic>
    <Action>Remove IPs from Object</Action>
    <IPsToRemove>10.40.17.0-10.40.17.255</IPsToRemove>
    <ObjectName>RemoteAccess</ObjectName>
    <Scope>Global</Scope>
  </RequestedTraffic>
  <Requestor>
    <City></City>
    <Country></Country>
    <EmailAddress>a123@algosec.com</EmailAddress>
    <HomePhone></HomePhone>
    <Organization></Organization>
    <RealName>m</RealName>
  </Requestor>
  <RisksDetails></RisksDetails>
  <RisksNumber></RisksNumber>
  <Status>implement</Status>
  <Subject>For NZ</Subject>


  <TicketTemplateName>130: Object Change Request</TicketTemplateName>
  <TrafficChangeTime></TrafficChangeTime>
  <TranslatedDestination></TranslatedDestination>
  <TranslatedService></TranslatedService>
  <TranslatedSource></TranslatedSource>
  <Workflow>Change-Object</Workflow>
</Ticket>

 

Rule Removal Flat Ticket 

<Ticket>
  <Firewall>
    <Brand>Check Point</Brand>
    <IPAddress>10.20.17.1</IPAddress>
    <LastReport>michal-12327</LastReport>
    <LastReportDate>2011-02-07 20:23:19</LastReportDate>
    <ManagementServer>m_10_20_16_1</ManagementServer>
    <Name>Kartiv</Name>
    <Policy>Standard.W</Policy>
  </Firewall>
  <FormType>Rule Removal</FormType>
  <Id>2128</Id>
  <ImplementaionDate></ImplementaionDate>
  <InitialPlanStartTime></InitialPlanStartTime>
  <IsWorkOrderEditable>true</IsWorkOrderEditable>
  <LastUpdated>Mon Feb 14 08:22:52 2011</LastUpdated>
  <LastUpdatedBy></LastUpdatedBy>
  <New></New>
  <Owner>
    <City></City>
    <Country></Country>
    <EmailAddress>a123@algosec.com</EmailAddress>
    <HomePhone></HomePhone>
    <Id>25</Id>
    <Organization></Organization>
    <RealName>m</RealName>
  </Owner>
  <OwningGroup>Network</OwningGroup>


  <PlannedTraffic>
    <Requestedaction>Remove Rule</Requestedaction>
  </PlannedTraffic>
  <RequestedTraffic>
    <Requestedaction>Remove rule</Requestedaction>
    <RuleDisplayId>1</RuleDisplayId>
    <RuleId>57E7BF23-D6BD-498A-9DDA-9071ECC47E46</RuleId>
    <RuleRemovalRelatedTickets>748</RuleRemovalRelatedTickets>
    <RuleRemovalRelatedTickets>471</RuleRemovalRelatedTickets>
    <RuleRemovalRelatedTickets>323</RuleRemovalRelatedTickets>
    <RuleRemovalRelatedTickets>5</RuleRemovalRelatedTickets>
    <RuleRemovalRelatedTicketsRequesotrs>65</RuleRemovalRelatedTicketsRequesotrs>
    <RuleRemovalRelatedTicketsRequesotrs>37</RuleRemovalRelatedTicketsRequesotrs>
    <RuleRemovalRuleAction>accept</RuleRemovalRuleAction>
    <RuleRemovalUserstoNotify>65</RuleRemovalUserstoNotify>
    <RuleRemovalUserstoNotify>37</RuleRemovalUserstoNotify>
  </RequestedTraffic>
  <Workflow>Rule-Removal</Workflow>
</Ticket>

 

Supported Comparison Operators

Operator    Description

=           Equal
!=          Not equal
=~          Contains
!~          Does not contain
<           Less than
>           Greater than


Supported Boolean Operators

Operator    Description

$and$       Both of the sub-queries joined by this operator must be true.
            In the following example, the condition is only met for new change requests with the Standard workflow:
            Ticket[Workflow = "Standard"] $and$ Ticket[Status = "new"]

$or$        One or both of the sub-queries joined by this operator must be true.
            In the following example, the condition is met for change requests that are new, change requests owned by John Smith, and new change requests owned by John Smith:
            Ticket[Status = "new"] $or$ Ticket/Owner[RealName = "JohnSmith"]

Comprehensive Example

The following XQL query specifies that one of the following must be true, in order for the condition to be satisfied.

• The change request's priority is greater than 7.
• The requestor's email address includes the string "company.com".
• The value of the custom field called "Project" is "Infrastructure".

Ticket[(Priority > 7)] $or$ Ticket/Requestor[EmailAddress =~ "company.com"] $or$ Ticket[Project = "Infrastructure"]

Adding Parallel Action Logic

By default, FireFlow allows you to specify whether an action will be performed in parallel to a second, identical action.

If desired, you can add more logic for parallel actions. For example, you can add the following parallel action logic:

• 50% of the responsible groups must meet certain criteria, in order to trigger this action.
• The "Managers" user group must meet certain criteria in order to trigger this action.

To add parallel action logic

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory usr/share/fireflow/local/etc/site/lib/, open the file ParallelLogic.pm.

3 For each parallel logic you want to configure, add the following lines to the file:

sub parallel_logicName {
    my $additionalGroups = shift;
    my $pendingGroups = shift;
    # Your logic goes here: return 1 if the logic is satisfied, 0 if it is not.
    return 0;
}

Where logicName is the name of the parallel logic. This can be any string.

The function will receive the following parameters as input:

 

• $additionalGroups - The additional responsible groups field after update
• $pendingGroups - The pending responsible groups field after update

The function will return a Boolean value:

• 1 - The logic is satisfied, and the action will be triggered.
• 0 - The logic is not satisfied, and the action is still in parallel status.

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).
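The two parallel logics named above, written out as an added example for ParallelLogic.pm; this is not code from the guide or from AlgoSec. It assumes (the guide does not say) that each field arrives as a comma-separated string or an array reference of group names and that a group leaves the pending field once it has acted; halfOfGroups, managersRequired, _group_list and _progress are illustrative names. Malformed or empty input returns 0, so the action is never triggered by default.

```perl
# Added example for ParallelLogic.pm (not AlgoSec's code).
# ASSUMPTIONS, since the guide does not state them:
#   - each field arrives as a comma-separated string or an array reference
#     of group names;
#   - a group is removed from the pending field once it has acted.
# The logic names and helper names below are illustrative.
use strict;
use warnings;

# Normalise a field into a reference to a list of trimmed, non-empty,
# unique group names. Returns undef for undefined or unexpected input.
sub _group_list {
    my ($field) = @_;
    return unless defined $field;
    return if ref $field && ref $field ne 'ARRAY';
    my @raw = ref $field ? @$field : split /,/, $field;
    my (%seen, @names);
    for my $name (@raw) {
        next unless defined $name;
        $name =~ s/^\s+//;
        $name =~ s/\s+$//;
        next if $name eq '' || $seen{ lc $name }++;
        push @names, $name;
    }
    return \@names;
}

# Split the responsible groups into "all" and "already acted".
# Returns an empty list when either field is malformed or no group is listed,
# so that callers can fail closed.
sub _progress {
    my ($additionalGroups, $pendingGroups) = @_;
    my $all     = _group_list($additionalGroups);
    my $waiting = _group_list($pendingGroups);
    return unless $all && $waiting && @$all;
    my %pending;
    $pending{ lc $_ } = 1 for @$waiting;
    my @done = grep { !$pending{ lc $_ } } @$all;
    return ($all, \@done, \%pending);
}

# First logic named in the guide, read here as: at least 50% of the
# listed groups are no longer pending.
sub parallel_halfOfGroups {
    my $additionalGroups = shift;
    my $pendingGroups    = shift;
    my ($all, $done) = _progress($additionalGroups, $pendingGroups);
    return 0 unless $all;                       # fail closed
    return ( 2 * scalar(@$done) >= scalar(@$all) ) ? 1 : 0;
}

# Second logic named in the guide, read here as: the "Managers" group is
# listed and is no longer pending.
sub parallel_managersRequired {
    my $additionalGroups = shift;
    my $pendingGroups    = shift;
    my ($all, $done, $pending) = _progress($additionalGroups, $pendingGroups);
    return 0 unless $all;                       # fail closed
    my $listed = grep { lc($_) eq 'managers' } @$all;
    return 0 unless $listed;                    # Managers not responsible
    return $pending->{managers} ? 0 : 1;
}

# Constructed sample values; runs only when the file is executed directly.
unless (caller) {
    my @cases = (
        [ 'Network, Security, Managers', 'Security, Managers' ],
        [ 'Network, Security, Managers', 'Security' ],
        [ [ 'Network', 'Managers' ],     '' ],
        [ 'Network, Security',           undef ],
    );
    for my $case (@cases) {
        my ($additional, $pending) = @$case;
        printf "half=%d managers=%d\n",
            parallel_halfOfGroups($additional, $pending),
            parallel_managersRequired($additional, $pending);
    }
}

1;
```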

Editing Actions

Editing an action will modify the action's default settings throughout all statuses in the workflow.

  To edit an action

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

• Click on the desired workflow's name.

• Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 Do one of the following:

 

• In the VisualFlow main menu, click Actions.

The Available actions page appears with a list of actions used in the workflow.

• In the workflow layout, click on a status that uses the desired action as an inbound or outbound action.

The Edit Status page appears with a list of inbound and outbound actions for the status.

4 Click Edit next to the desired action.

The Edit Action page appears.

5 Complete the fields using the information in Action Fields (page 101).

If you expanded the Advanced  area, additional fields appear.

6 If you set the Parallel field to all, set the action's responsible groups by doing the following:

a) Click the Click here to set the action's responsible groups link.

The Responsible groups dialog box appears.

The Responsible group field displays the user group responsible for change requests in this status.

b) In the Additional responsible groups list, select the additional user groups responsible for change requests in this status.

To select multiple user groups, press Ctrl while you click on the desired user groups.

c) Click OK.


7 Click Save Draft.

Reordering Actions

You can control the order in which actions appear in a workflow's list of actions.

  To reorder actions

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

 

• Click on the desired workflow's name.

• Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 In the VisualFlow main menu, click Actions.

The Available actions page appears.

4 In the list of actions, click next to an action you want to move, and drag it to the desired location in the list.

Deleting Actions

To delete an action

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

• Click on the desired workflow's name.

• Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 Do one of the following:

• In the VisualFlow main menu, click Actions.

The Available actions page appears with a list of actions used in the workflow.

• In the workflow layout, click on a status that uses the desired action as an inbound or outbound action.

The Edit Status page appears with a list of inbound and outbound actions for the status.

4  Next to the desired action, click Delete.

A confirmation message appears.

5 Click OK.

The action is deleted from the list.


Working with SLAs

FireFlow enables you to configure a Service Level Agreement (SLA) per workflow. An SLA is a formal definition of the logical workflow stages that comprise a change request's lifecycle and, optionally, the amount of time allotted for completing each of these stages and the change request lifecycle as a whole. Hence, a separate SLA must be defined for each workflow.

In an SLA, each of the workflow stages is represented by a Service Level Objective (SLO). An SLO specifies the following:

• The stage's starting point, which is when the change request enters a certain status
• The stage's ending point, which is when the change request leaves a certain status
• The stage's name

FireFlow uses the information specified in an SLO to measure the amount of time spent on the relevant stage; and once the change request has completed its lifecycle, FireFlow can use all of the SLA's SLOs together to calculate the amount of time spent on the entire lifecycle.

FireFlow then uses the calculated SLA information to generate reports on change requests that meet certain criteria (for example, change requests that have spent more than a certain number of days in a particular stage), and display those reports in searches, charts, and dashboards. For information on configuring SLA notifications, see Working with SLA Notifications (on page 189).

Adding SLOs

To add an SLO to a workflow's SLA

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 In the VisualFlow main menu, click SLA.


The Available SLA page appears with all of the SLOs comprising the workflow's SLA.

4 Click New SLO.


The Edit SLO page appears. 

5 Complete the fields using the information in SLO Fields (page 131).

6 Click Save Draft.

The new SLO is added to the workflow's SLA.

SLO Fields

In this field...    Do this...

Name
    Type the name of the SLO.
    This field is mandatory.

Enabled
    Specify whether this SLO should be enabled, by choosing one of the following:
    • Yes. The SLO is enabled and will be used for SLA calculations.
    • No. The SLO is disabled. It will not be used for SLA calculations.
    The default value is Yes.

Statuses
    Select one or more statuses that represent the starting point for the workflow stage represented by this SLO. To select multiple statuses, hold down the Ctrl key while clicking on the desired statuses. The selected statuses are highlighted in the diagram at the top of the workspace.
    Alternatively, click Enable visual edit, and then click on the desired statuses in the diagram at the top of the workspace. The selected statuses appear in green. When finished, click Finish visual edit.

Time limit
    To configure a time limit for the workflow stage represented by this SLO, type in the number of time units in the field provided, and select the type of time unit in the drop-down list.

Expiration target status
    Select the status to which the change request should transition, when the specified time limit has been exceeded.
    This field is only enabled, if you configured a time limit for the SLO.

Clear on revisit
    Specify whether when re-visiting the SLO or one of its statuses, the time counter should be reset to zero, by choosing one of the following:
    • Yes. Reset the time counter, then begin timing from zero.
    • No. Resume timing, without resetting the time counter.
    The default value is No.

End trigger
    Specify what event should trigger the end of the SLO, by choosing one of the following:
    • Change request leaves the status. End the SLO, when the change request leaves the status.
    • Parallel action done by group. End the SLO, when a parallel action is performed by a certain responsible group. You must select the desired responsible group in the drop-down list provided.
    This field appears only for SLOs that contain a status with a parallel action.

Editing SLOs

To edit an SLO in a workflow's SLA

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 In the VisualFlow main menu, click SLA.

The Available SLA page appears with all of the SLOs comprising the workflow's SLA.

4 Next to the desired SLO, click Edit.

The Edit SLO page appears.

5 Complete the fields using the information in SLO Fields (page 131).

6 Click Save Draft.

Deleting SLOs

To delete an SLO from a workflow's SLA

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 In the VisualFlow main menu, click SLA.

The Available SLA page appears with all of the SLOs comprising the workflow's SLA.

4 Next to the desired SLO, click Delete.


A confirmation message appears.

5 Click OK.

The SLO is deleted.

Reordering Workflows

You can control the order in which workflows appear in VisualFlow.

To reorder workflows

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 In the list of workflows, click next to a workflow you want to move, and drag it to the desired location in the list.

Setting the Default Workflow

When FireFlow fails to assign a workflow based on a change request's template or workflow conditions, it automatically uses the default workflow.

Only one workflow can be set as the default workflow. By default, the Standard workflow is the default workflow.

 

To set the default workflow

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2  Next to the desired workflow, click Set as default. 

Click on the workflow's name.

The workflow is marked as the default workflow in the Default column.

Deleting Workflows

Note: You cannot delete built-in workflows. For a list of built-in workflows, see Overview (on page 71).

Important: If you delete a workflow, then any change requests that are assigned to that workflow will be re-assigned to the default workflow the next time they are accessed. Furthermore, if their current status does not exist in the default workflow, the change requests will transition to the "new" status.

  To delete an existing workflow

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2  Next to the desired workflow, click Delete.

A confirmation message appears.

3 Click OK.


The workflow is deleted.

A message at the top of the screen informs you that changes have been made to the workflows.

Viewing the Workflow XML

You can view changes to workflows, as they appear in the individual workflows' XML files and in the workflow configuration file, Workflows_Config.xml.

Viewing Individual Workflows' XML Files

To view an individual workflow's XML file

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Do one of the following:

 

• Click on the desired workflow's name.

• Next to the desired workflow, click Edit.

The Edit Workflow page opens with the workflow's details.

3 Click View XML.

The workflow's XML file opens in a new tab.

For information on the structure of workflows' XML files, see Workflow File Structure (on page 148).

Viewing the Workflow Configuration File

To view the workflow configuration file

1 In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

2 Click View XML.

The workflow configuration file opens in a new tab.

For information on the structure of the workflow configuration file, see Workflow Configuration File Structure (on page 144).

Installing Workflows

Installing workflows imports all workflow changes into FireFlow.

  To install workflows

1 Do one of the following:

• In the VisualFlow main menu, click Workflows.

The List of Workflows page appears.

• In the VisualFlow main menu, click Workflow Installation.

The Workflow Installation page appears.

2 Click Install All Workflows.

A confirmation message appears.

3 Click OK.

A backup of the previous workflows configuration is saved to /usr/share/fireflow/local/etc/site/backup/YYYY_MM_DD_hh-mm-ss, where YYYY_MM_DD_hh-mm-ss is a timestamp. For example: 2011_01_21_10-30-00

All workflow changes are imported into FireFlow.

The message informing you that changes have been made to the workflows disappears.

4 Restart FireFlow.

See Restarting FireFlow (on page 11).

Discarding Workflow Changes

You can discard all workflow changes that have not yet been installed. This will reload the XML workflow files that are currently in use by FireFlow into VisualFlow.

To discard workflow changes

1 In the VisualFlow main menu, click Workflow Installation.

The Workflow Installation page appears.

A confirmation message appears.

2 Click OK.

3 Click Refresh Workflows.

All workflow changes are discarded.


The message informing you that changes have been made to the workflows disappears.

Examples

Example: Removing the Notify Requestor Stage

The following comprehensive example describes how to modify a copy of the Standard workflow, so that FireFlow does not wait for user acceptance after implementing a change request.

Once implementation is complete, the Network user can simply resolve the change request (or re-implement it, if an error was detected). Notification is only sent to the user upon the resolve action.

  To configure this example

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 Access VisualFlow.

See Accessing VisualFlow (on page 74).

3 Add a new workflow based on the Standard workflow.

See Adding Workflows (on page 78).

The workflow "Standard-Copy-#" is created, where # represents the copy's number.

4 Edit the new workflow as follows:

• Set the Name field to the workflow's name. For example, "MyStandard".

• Set the Configuration File field to the workflow's configuration file. For example, "MyStandard".

• Set the Default field to yes.

See Editing Workflows (on page 87).

5 Delete the workflow's "Notify Requestor" action.

See Deleting Actions (on page 128).

6 Edit the workflow's "Resolve" action as follows:

• Set the Type field to Reply to user, so that mail can be sent to the requestor.

• Set the Mail content field to "Your request has been implemented. It will be closed now.".

See Editing Actions (on page 127).

7 Add a "resolve" outbound action to the workflow's "Validate" status as follows:

 

• Set the Display action button field to Yes, so that the "Resolve" button will appear for change requests in the "Validate" stage.

• Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

See Adding Actions (on page 95).

8 Install the workflow.

See Installing Workflows (on page 134).

9 Log in to the FireFlow server via SSH, using the username "root" and the related password.

10 Restart FireFlow.

See Restarting FireFlow (on page 11).


Example: Allowing the Network Group to Approve Change Requests

The following comprehensive example describes how to modify a copy of the Standard workflow, to allow Network users to approve change requests.

After initial planning, the change request achieves the new status "pre-check". Network users can then decide whether to approve the change request, not approve it, or send it to a Security user.

  To configure this example

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 Access VisualFlow.

See Accessing VisualFlow (on page 74).

3 Add a new workflow based on the Standard workflow.

See Adding Workflows (on page 78).

The workflow "Standard-Copy-#" is created, where # represents the copy's number.

4 Edit the new workflow as follows:

• Set the Name field to the workflow's name. For example, "MyStandard".

• Set the Configuration File field to the workflow's configuration file. For example, "MyStandard".

• Set the Default field to yes.

See Editing Workflows (on page 87).

5 Add a new status to the workflow as follows:

 

• Set the Name field to "pre-check".

• Set the Stage field to approve.

• Set the Responsible group field to Network.

• Set the Allow editing traffic fields field to yes.

• Set the Stage still incomplete field to yes.

See Adding Statuses (on page 87).

6 Reorder the statuses so that the new "pre-check" status appears immediately before the "approve" status.

See Reordering Statuses (on page 94).

7 Add a new action to the workflow as follows:

• Set the Name field to "send_to_security".

• Set the Type field to Change status.

• Set the Display Name field to "Send to Security".

• Set the Target status field to approve.

• Set the Required action right field to UserDefinedRight01.

• Set the Applies to change requests of type field to Parent and Regular.

• Set the Traffic fields required field to yes.

See Adding Actions (on page 95).

8 Reorder the actions so that the new "Send to Security" action appears immediately after the "Risk Check" action.

See Reordering Actions (on page 128).


9 Edit the "Initial Plan" action to transition the change request to the new "pre-check" status as follows:

 

• Set the Target status field to pre-check.

See Editing Actions (on page 127).

10 Edit the "Risk Check" action to transition the change request to the new "pre-check" status as follows:

• Set the Target status field to pre-check.

See Editing Actions (on page 127).

11 Add a "risk_check" outbound action to the "pre-check" status as follows:

• Set the Display action button when field is empty field to Request Risk Check Result, so that the "Risk Check" button will appear for change requests in the "pre-check" stage when this field is empty.

• Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

See Adding Actions (on page 95).

12 Add a "send_to_security" outbound action to the "pre-check" status as follows:

• Set the Display action button field to Yes, so that the "Send to Security" button will appear for change requests in the "pre-check" stage.

• Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

See Adding Actions (on page 95).

13 Add an "approve" outbound action to the "pre-check" status as follows:

• Set the Display action button field to Yes, so that the "Approve" button will appear for change requests in the "pre-check" stage.

• Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

See Adding Actions (on page 95).

14 Add a "re_plan" outbound action to the "pre-check" status as follows:

 

• Set the Display Name field to "Not Approve", so that this button's name will appear for change requests in the "pre-check" stage.

• Set the Display action button field to Yes, so that the "Not Approve" button will appear for change requests in the "pre-check" stage.

• Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

• Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?" pop-up for change requests in "pre-check" stage.

• Set the Mail content field to "Your request has not been approved and needs to be re-planned", so that this text will appear in emails sent to the requestor for change requests in "pre-check" stage.

See Adding Actions (on page 95).

15 Add a "re_implement" outbound action to the "pre-check" status as follows:

• Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?" pop-up for change requests in "pre-check" stage.

See Adding Actions (on page 95).

16 Delete the "Risk Check" outbound action from the "approve" status, so that the risk check button will not appear for change requests in the "Approve" stage.

See Deleting Actions (on page 128).


17 Assign the UserDefinedRight01 global right to the Network user group.

See Configuring a Group's Global and Queue Rights (on page 35).

Members of the Network group can now perform the "Send to Security" action.

18 Install the workflow.

See Installing Workflows (on page 134).

19 Log in to the FireFlow server via SSH, using the username "root" and the related password.

20 Restart FireFlow.

See Restarting FireFlow (on page 11).

Example: Adding Another Approve Stage

The following comprehensive example describes how to modify a copy of the Standard workflow, by adding a second Approve stage to the lifecycle.

A new status, "second check", is reached after the first approve action. The second approval must then be performed by the new "High Level Security" user group.

  To configure this example

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 Add a user group as follows:

 

Set the Name field to "High Level Security".

 

Set the Description field to "High Level Security".

  Set the Copy Group Rights and Home Page Settings from group field to Security.

See Adding User Groups (on page 29).

3 Access VisualFlow.

See Accessing VisualFlow (on page 74).

4 Add a new workflow based on the Standard workflow.

See Adding Workflows (on page 78).

The workflow "Standard-Copy-#" is created, where # represents the copy's number.

5 Edit the new workflow as follows:

  Set the Name field to the workflow's name. For example, "MyStandard".

  Set the Configuration File field to the workflow's configuration file. For example, "MyStandard".

  Set the Default field to yes.

See Editing Workflows (on page 87).

6 Add a new status for the workflow as follows:

 

Set the Name field to "second check".

 

Set the Stage field to approve.

  Set the Responsible group field to High Level Security.

  Set the Allow editing traffic fields field to yes.

  Set the Stage still incomplete field to yes.

See Adding Statuses (on page 87).


7 Reorder the statuses so that the new "second check" status appears immediately after the "approve" status.

See Reordering Statuses (on page 94).

8 Add an "approve" outbound action to the "second check" status as follows:

 

  Set the Display action button field to Yes, so that the "Approve" button will appear for change requests in the "second check" stage.

  Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

See Adding Actions (on page 95).

9 Add a "re-plan" outbound action to the "second check" status as follows:

  Set the Display Name field to "Reject", so that this button's name will appear for change requests in the "second check" stage.

  Set the Display action button field to Yes, so that the "Reject" button will appear for change requests in the "second check" stage.

  Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

  Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?" pop-up for change requests in the "second check" stage.

  Set the Mail content field to "Your request has been rejected and needs to be re-planned", so that this text will appear in emails sent to the requestor for change requests in the "second check" stage.

See Adding Actions (on page 95).

10 Add a "re-implement" outbound action to the "second check" status as follows:

  Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?" pop-up for change requests in "second check" stage.

See Adding Actions (on page 95).

11 Add a new action to the workflow as follows:

Set the Name field to "first_approve".

  Set the Type field to Internal comment.

  Set the Display Name field to "First Approve".

  Set the Target status field to second check.

  Set the Required action right field to UserDefinedRight02.

  Set the Applies to change requests of type field to Parent and Regular.

  Set the Traffic fields required field to yes.

See Adding Actions (on page 95).

12 Reorder the workflow's actions, so that the new "First Approve" action appears immediately after the "Risk Check" action.

See Reordering Actions (on page 128).

13 Edit the "Approve" action as follows:

 

Set the Display Name field to "Final Approve".

See Editing Actions (on page 127).

14 Add a "first_approve" outbound action to the "approve" status as follows:


  Set the Display action button field to Yes, so that the "First Approve" button will appear for change requests in the "approve" stage.

  Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in the workflow layout.

See Adding Actions (on page 95).

15 Delete the "Final Approve" outbound action from the approve status.

See Deleting Actions (on page 128).

16 Assign the UserDefinedRight02 global right to the Security user group.

See Configuring a Group's Global and Queue Rights (on page 35).

Members of the Security group can now perform the "First Approve" action.

17 Install the workflow.

See Installing Workflows (on page 134).

18 Log in to the FireFlow server via SSH, using the username "root" and the related password.

19 Restart FireFlow.

See Restarting FireFlow (on page 11).


CHAPTER 12

Working with Workflows via XML

This section explains how to add, edit, and delete workflows by working directly with the workflow XML files. It also explains how to modify the set of conditions determining when each workflow should be assigned.

Warning: Working directly with workflow XML files is not recommended, as manual changes to the files may be overwritten by VisualFlow if not performed correctly. VisualFlow is the recommended method of working with workflows. For information on using VisualFlow, see Working with Workflows in VisualFlow (on page 71).

For an overview of how FireFlow uses workflows and for information about built-in workflows, see Overview (on page 71).

In This Chapter

  Editing the Workflow Configuration File
  Adding Workflows
  Modifying Workflows
  Disabling Workflows
  Deleting Workflows
  Reverting to the System Default Workflow via XML

Editing the Workflow Configuration File

The workflow configuration file, Workflows_Config.xml, determines the following:

  Which workflow should be assigned by default, when FireFlow fails to assign a workflow based on the conditions

  Whether a given workflow is enabled in FireFlow

  The conditions in which a workflow should be assigned, when the change request's template does not specify a workflow

  To edit the workflow configuration file

1 Under the directory /usr/share/fireflow/local/etc/, locate the file Workflows_Config.xml.

Note: This is the original system settings file, and it is required for reverting to system default settings. Do not modify this file.

2 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original file into an override file that is also called Workflows_Config.xml.

3 Open the override file.

4 Modify the workflow tags as desired.

See Workflow Tag Attributes (on page 144) for information on the workflow tag attributes.

5 Add or modify condition tags to specify the conditions in which a workflow should be assigned, in the event that the change request's template does not specify a workflow.

See Condition Tag Syntax (on page 145) for information on the condition tag's syntax.

6 Save the override file.

7 Restart FireFlow.

See Restarting FireFlow (on page 11).

Workflow Configuration File Structure

The workflow configuration file has an XML structure that is defined by XML schema file Workflows_Config.xsd, located under /usr/share/fireflow/local/etc/. The main structure of the workflow configuration file is:

<WorkflowsConfig>
  <workflows>
    <!-- each workflow tag defines a workflow that can be assigned to change requests -->
    <workflow name="workflow_name_here">
      <!-- the condition tag defines the condition for assigning the workflow to change requests -->
      <condition><![CDATA[condition_here]]></condition>
    </workflow>
  </workflows>
</WorkflowsConfig>

 

Workflow Tag Attributes

Each workflow tag in the XML file defines a workflow that can be assigned to change requests. The following table explains each workflow tag attribute.

Workflow Tag Attributes

name
  Description: The name of the workflow as it should appear in the FireFlow interface. This attribute is mandatory.
  Possible values: Any short phrase
  Permitted change: Any

description
  Description: A description of the workflow. Appears in the FireFlow interface, in change requests that are assigned to this workflow. This attribute is mandatory.
  Possible values: Any short phrase
  Permitted change: Any

filename_prefix
  Description: The name of the workflow file associated with this workflow, without the file suffix. This attribute is mandatory.
  Possible values: The workflow file name, without the "_Config.xml" file suffix. For example, when working with the Standard workflow, the associated workflow file is Standard_Config.xml. Therefore, this attribute's value should be "Standard".
  Permitted change: There is no reason to change this attribute. If you do change it, then you must ensure consistency throughout the XML file.

default
  Description: Indicates whether the workflow should be assigned by default, when FireFlow fails to assign a workflow based on the conditions. This attribute must be used in exactly one workflow tag. By default, it is used in the Standard workflow's workflow tag.
  Possible values: This can be one of the following:
    1. This is the default workflow.
    0. This is not the default workflow.
  Permitted change: Any

enabled
  Description: Indicates whether the workflow is enabled. This attribute is optional.
  Possible values: This can be one of the following:
    1. The workflow is enabled.
    0. The workflow is disabled.
    The default value is 1.
  Permitted change: Any

Condition Tag Syntax

The condition tag in the XML file defines the condition under which the workflow specified in the parent workflow tag should be assigned to change requests. The condition tag's syntax is as follows:

<condition><![CDATA[condition]]></condition>

Where condition is a query specifying the desired condition. This query is composed of pairs in the following format:

field = 'value'

Where field is a supported field in FireFlow, and value is the field's value. For information on supported fields, see Supported Fields (on page 81). For example, the following query specifies that the change request status must be "new":

Status = 'new'

You can use != to indicate "not". For example, the following query specifies that the change request status must not be "new":

Status != 'new'

It is possible to use Boolean operators between field-value pairs. For a list of supported operators, see Supported Boolean Operators (on page 86). For example, the following query specifies that the change request status must be "new", and the owner must be John Smith:

Status = 'new' AND Owner = 'John Smith'


For more intricate queries, you can use parentheses to group field-value pairs and operators. For example, the following query specifies that the change request status must be "new" or "plan", and the owner must be John Smith or Sue Michaels.

(Status = 'new' OR Status = 'plan') AND (Owner = 'John Smith' OR Owner = 'Sue Michaels')

Comprehensive Example

In the following example, the Special workflow will be assigned when the change request's template does not specify a workflow, and one of the following conditions is met:

  The change request's priority is greater than 7.

  The requestor's email address includes the string "company.com".

  The value of the custom field called "Project" is "Infrastructure".

<workflow name="Special" description="Tickets requiring special treatment" filename_prefix="Special" enabled="1">
  <condition><![CDATA[(Priority > 7) OR (Requestor.EmailAddress LIKE 'company.com') OR ('CF.{Project}' = 'Infrastructure')]]></condition>
</workflow>
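The rules stated above for the override file (mandatory workflow attributes, exactly one default workflow, 0/1 flags, well-formed condition queries) can be checked before FireFlow is restarted. The following Python linter is an added example, not AlgoSec code; the sample XML is constructed, and the warning about a disabled default workflow is an extra sanity check rather than a documented rule.

```python
"""Lint a FireFlow Workflows_Config.xml override before restarting FireFlow.

Added example, not AlgoSec code. Checks encode rules stated in this chapter;
SAMPLE is constructed for illustration.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Workflow tag attributes the Workflow Tag Attributes table marks as mandatory.
MANDATORY = ("name", "description", "filename_prefix")

# Constructed sample: two defaults, a missing description, an unclosed parenthesis.
SAMPLE = """<WorkflowsConfig>
  <workflows>
    <workflow name="Standard" description="Standard workflow"
              filename_prefix="Standard" default="1"/>
    <workflow name="Special" filename_prefix="Special" default="1" enabled="1">
      <condition><![CDATA[(Priority > 7) OR (Requestor.EmailAddress LIKE 'company.com']]></condition>
    </workflow>
  </workflows>
</WorkflowsConfig>"""


def condition_problems(text):
    """Return syntax problems in a condition query (quotes and parentheses only)."""
    problems = []
    if text.count("'") % 2:
        problems.append("unterminated quoted value")
    # Drop quoted values so parentheses inside them are not counted.
    bare = re.sub(r"'[^']*'", "", text)
    depth = 0
    for ch in bare:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ")" appeared before its "("
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems


def lint_workflows_config(xml_text):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    root = ET.fromstring(xml_text)
    defaults = []
    for wf in root.findall("./workflows/workflow"):
        label = wf.get("name", "<unnamed>")
        for attr in MANDATORY:
            if not wf.get(attr):
                findings.append(f"{label}: mandatory attribute '{attr}' is missing")
        for flag in ("default", "enabled"):
            value = wf.get(flag)
            if value is not None and value not in ("0", "1"):
                findings.append(f"{label}: {flag}='{value}' must be 0 or 1")
        if wf.get("default") == "1":
            defaults.append(label)
            # Extra sanity check (not a documented rule): the fallback
            # workflow should not be switched off.
            if wf.get("enabled") == "0":
                findings.append(f"{label}: default workflow is disabled")
        for cond in wf.findall("condition"):
            for problem in condition_problems(cond.text or ""):
                findings.append(f"{label}: condition has {problem}")
    if len(defaults) != 1:
        findings.append(
            f"exactly one default workflow required, found {len(defaults)}: {defaults}")
    return findings


if __name__ == "__main__":
    # Pass the override file path as the first argument, or lint the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            source = handle.read()
    else:
        source = SAMPLE
    for finding in lint_workflows_config(source):
        print(finding)
```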

Adding Workflows

  To add a custom workflow

1 Log in to the FireFlow server using the username "root" and the related password.

2 Create the custom workflow, by doing the following:

a) Under the directory /usr/share/fireflow/local/etc/site/Workflows/, create a new XML file with the required structure.

See Workflow File Structure (on page 148).

b) Add actions and statuses to the change request lifecycle.

See Action Tag Attributes (on page 149) and Status Tag Attributes (on page 160) for information on the relevant tag attributes.

c) Save the file.

3 Add the custom workflow to the workflow configuration file, by doing the following:

a) Under the directory /usr/share/fireflow/local/etc/, locate the file Workflows_Config.xml.

Note: This is the original system settings file, and it is required for reverting to system default settings. Do not modify this file.

b) Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original file into an override file that is also called Workflows_Config.xml.

c) Open the override file.

d) Add a workflow tag for the new workflow.


See Workflow Tag Attributes (on page 144) for information on the relevant tag attributes.

e)  Save the override file.

4 Restart FireFlow.

See Restarting FireFlow (on page 11).

5 Specify when the custom workflow should be used, by doing one or more of the following:

  To assign change requests to the new workflow when a specific template is used, do one of the following:

    Modify an existing template to specify the new workflow.

    Add a new template that specifies the new workflow.

  For information on working with templates, refer to the AlgoSec FireFlow User Guide, Managing Request Templates.

  To assign change requests to the new workflow based on the workflow conditions, edit the workflow configuration file and specify the conditions in which the workflow should be used.

See Editing the Workflow Configuration File (on page 143).


Workflow File Structure

Workflow files have an XML structure that is defined by XML schema file TicketLifeCycle_Config.xsd located under /usr/share/fireflow/local/etc/Workflows/.

The main structure of workflow files is:

<TicketStatusConfig>
  <actions>
    <!-- each action tag defines a global action that can be performed on the change request -->
  </actions>
  <statuses>
    <status name="status_name_here">
      <actions>
        <!-- each action tag defines the way in which the global action's default behavior is overridden when the change request has this status -->
      </actions>
    </status>
    <!-- more status values -->
  </statuses>
  <conditions>
    <!-- each condition tag defines a condition for the change request to transition to a particular status, when an action is performed -->
    <condition conditionKey="unique_key_here" GoToStatus="target_status_here" msgToUser="message_to_user_here">
      <check><![CDATA[XQL_query]]></check>
    </condition>
    <!-- more conditions -->
  </conditions>
</TicketStatusConfig>
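A workflow file decides which right gates each status transition, so it is worth auditing before the workflow is installed. The following Python audit is an added example, not AlgoSec code: it checks the constraints listed in the Action Tag Attributes table (mandatory attributes, unique keys, transition targets defined under <statuses>, the five statuses that must not be removed) and reports enabled actions that have no require_ticket_right. The sample file is constructed, and the script assumes that a status-level override names its global action through the key attribute.

```python
"""Audit a FireFlow workflow file (<TicketStatusConfig>) before installing it.

Added example, not AlgoSec code. SAMPLE is a constructed workflow file.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Statuses the Action Tag Attributes table says must stay in the lifecycle.
PROTECTED_STATUSES = {"new", "open", "resolved", "rejected", "deleted"}
# Action attributes the table marks as mandatory.
ACTION_MANDATORY = ("title", "type", "key", "transition_to_status")

# Constructed sample with several deliberate mistakes.
SAMPLE = """<TicketStatusConfig>
  <actions>
    <action title="Risk Check" type="risk_check" key="risk_check"
            transition_to_status="pre-check" require_ticket_right="AllowRiskCheck"/>
    <action title="First Approve" type="internal_comment" key="first_approve"
            transition_to_status="second check" require_ticket_right="UserDefinedRight02"/>
    <action title="Final Approve" type="change_status" key="approve"
            transition_to_status="implement"/>
    <action title="Reject" type="change_status" key="approve"
            transition_to_status="rejected" require_ticket_right="AllowReject"/>
  </actions>
  <statuses>
    <status name="new"/>
    <status name="open"/>
    <status name="approve">
      <actions><action key="first_approve" recommend="true"/></actions>
    </status>
    <status name="second check">
      <actions><action key="final_approve" recommend="true"/></actions>
    </status>
    <status name="implement"/>
    <status name="resolved"/>
    <status name="rejected"/>
  </statuses>
</TicketStatusConfig>"""


def audit_workflow(xml_text):
    """Return (code, detail) findings for one workflow file."""
    root = ET.fromstring(xml_text)
    findings = []
    status_nodes = root.findall("./statuses/status")
    statuses = {s.get("name") for s in status_nodes}
    actions = root.findall("./actions/action")  # global actions only

    for name in sorted(PROTECTED_STATUSES - statuses):
        findings.append(("protected-status-missing", name))

    keys = Counter(a.get("key") for a in actions if a.get("key"))
    for key in sorted(k for k, n in keys.items() if n > 1):
        findings.append(("duplicate-key", key))

    for action in actions:
        label = action.get("title") or action.get("key") or "<untitled>"
        for attr in ACTION_MANDATORY:
            if not action.get(attr):
                findings.append(("missing-attribute", f"{label}: {attr}"))
        target = action.get("transition_to_status")
        if target and target not in statuses:
            findings.append(("undefined-target-status", f"{label} -> {target}"))
        # enabled defaults to true; flag enabled actions that no right gates.
        enabled = action.get("enabled", "true") in ("true", "1")
        if enabled and not action.get("require_ticket_right"):
            findings.append(("no-required-right", label))

    # Assumption: a status-level override refers to its global action by key.
    for status in status_nodes:
        for override in status.findall("./actions/action"):
            if override.get("key") not in keys:
                findings.append(("override-unknown-key",
                                 f"{status.get('name')}: {override.get('key')}"))
    return findings


def rights_by_target(xml_text):
    """Map each target status to the rights that gate the actions leading to it."""
    root = ET.fromstring(xml_text)
    table = {}
    for action in root.findall("./actions/action"):
        target = action.get("transition_to_status")
        right = action.get("require_ticket_right") or "(none)"
        table.setdefault(target, set()).add(right)
    return table


if __name__ == "__main__":
    for code, detail in audit_workflow(SAMPLE):
        print(f"{code}: {detail}")
    for target, rights in sorted(rights_by_target(SAMPLE).items()):
        print(f"{target}: {', '.join(sorted(rights))}")
```

The rights_by_target output is a quick separation-of-duties review: any status whose set contains "(none)" can be reached through an action that requires no specific right.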

 


Action Tag Attributes

Each action tag in the XML file configures an action's behavior. The following table explains each action tag attribute.

Action Tag Attributes

title
  Description: The name of the action as it appears in the FireFlow interface. This attribute is mandatory.
  Possible values: Any short phrase
  Permitted change: Any

type
  Description: The action's type, which describes what it does. This attribute is mandatory.
  Possible values: This can be one of the following:
    change_status. Changes the status of the change request
    internal_comment. Adds a comment to the change request that is hidden from the requestor.
    reply_to_user. Adds a comment to the change request that is seen by the requestor. Includes sending an email to the requestor.
    initial_plan. Performs initial planning. Relevant only for traffic change requests.
    risk_check. Performs a risk check. Relevant only for traffic change requests.
    implementation_plan. Creates a work order.
    manual_reconcile. Opens a dialog box that allows a user to manually match the change request with a change record. Relevant only for traffic change requests.
    no_change_record. Opens a dialog box that allows a user to manually match the change request, while specifying that there is no associated change record. Relevant only for traffic change requests.
    change_validation. Performs validation of a traffic change request. Relevant only for traffic change requests.
    object_change_validation. Performs validation of an object change request. Relevant only for object change requests.
    affected_rules. Finds affected rules for an object change request. Relevant only for object change requests.
    review_work_order. Enables a user to view an existing work order and edit it. Relevant controls will appear in UI only for Check Point devices. Relevant only for traffic change requests.
    active_change. Enables a user to implement planned changes via ActiveChange. Relevant controls will appear in UI only for Check Point devices using OPSEC. Relevant only for traffic change requests.
    modify_custom_field. Allows a user to modify a specific custom field.
    take_ownership. Assigns the user ownership of a change request.
    assign. Allows a user to assign ownership of a change request to another user.
    organize. Enables the user to choose an organization methodology. Relevant only for Blue Coat-related requests.
    related_tickets. Enables the user to search for change requests whose traffic intersects that of the rule selected for removal/disablement. Relevant only for rule removal and recertification requests.
    notify_requestors. Enables the user to notify the requestors of related change requests that the rule is slated for removal/disablement. Relevant only for rule removal and recertification requests.
    view_correspondence. Enables the user to view responses received from requestors. Relevant only for rule removal and recertification requests.
    rule_removal_validation. Enables the user to validate the implemented rule removal/disablement against the change request. Relevant only for rule removal requests.
    recertification_validation. Enables the user to Relevant only for recertification requests.
    plan_removal. Enables the user to plan the removal of Allow traffic. Relevant only for recertification requests.
    recertify. Enables the user to recertify a request. Relevant only for traffic requests.
  Permitted change: Actions of the internal_comment type can be changed to the reply_to_user or change_status type and vice versa. No other changes are permitted to pre-defined actions.

enabled
  Description: Indicates whether this action is enabled in the FireFlow interface.
  Possible values: This can be one of the following:
    true
    1
    false
    0
    The default value is true.
  Permitted change: Any

key
  Description: A unique key value for the action. Used when the action's behavior is to be overridden for a specific status. This attribute is mandatory.
  Possible values: A short alpha-numeric string that is unique to the XML file
  Permitted change: There is no reason to change this attribute. If you do change it, then you must ensure consistency throughout the XML file.

category
  Description: The action's category. You can create categories and assign similar actions to them.
  Possible values: Any string
  Permitted change: Any


transition_to_status
  Description: The new status that the change request will transition to when the action is performed. This attribute can be used to remove statuses from the lifecycle. It is also important when adding statuses in the middle of the lifecycle (see the example in Example: Adding Another Approve Stage). If the transition_to_condition attribute is set, then this attribute represents the status that the change request will transition to if all conditions in transition_to_condition are false. This attribute is mandatory.
  Possible values: Any status name as defined in the <statuses> node
  Permitted change: Change is permitted with the following limitations:
    Do not remove the following statuses from the lifecycle: new, open, resolved, rejected, deleted.
    Do not change this value so that the status order is switched. For example, the change request must not transition from "new" to "implement" to "check".

ticket_member_type
  Description: The types of change requests for which the action is relevant, and for which the action should appear. This attribute is optional.
  Possible values: This can be one or more of the following:
    Regular. The action is relevant to regular change requests. A regular change request is relevant to only one device.
    Parent. The action is relevant to parent requests. A parent request is relevant to multiple devices and has a sub-request for each device.
    SubTicket. The action is relevant to sub-requests. A sub-request is relevant to one device, out of the multiple devices that are relevant to its parent request.
    The default value is no value, in which case the action will be relevant to all change request types.
    Multiple values must be separated by commas.
    Relevant only for traffic change requests. (Object change requests do not have sub-requests.)
  Permitted change: There is no reason to change this attribute.

recommend
  Description: Indicates whether the action is "recommended". Recommended actions are available via an explicit button next to the Other drop-down list. This attribute is optional.
  Possible values: This can be one of the following:
    true
    1
    false
    0
    The default value is false.
  Permitted change: Any

recommend_if_custom_field_empty
  Description: Indicates that the action should be "recommended" (see recommend) only if a specific change request field is empty. This attribute is optional.
  Possible values: The name of a change request field. Popular fields that may be used are:
    Request Risk Check Result. The risk check's output
    Firewall Name. The name of the device assigned to the change request
    CMS ticket id. The ID of an external Change Management System (if applicable)
    Expires. The change request's expiration date
    For additional fields, contact AlgoSec.
    The default value is no value.
  Permitted change: Any

recommend_if_custom_field_true
  Description: Indicates that the action should be available via an explicit button next to the Other drop-down list, only if a specific custom field's value is true. This is useful for actions that are restricted to certain device types. For example, editing a work order can only be done for Check Point devices; therefore, this action should only be available if a custom field called Is Work Order Editable is set to "true". (FireFlow automatically sets it to "true" only for Check Point devices.) This attribute is optional.
  Possible values: The name of a custom field. Popular fields that may be used are:
    Is Work Order Editable. Indicates whether the work order can be edited.
    Is Active Change Applicable. Indicates whether ActiveChange is relevant
    The default value is no value.
  Permitted change: Any

recommend_if_current_user_is_not_owner
  Description: Indicates whether the action should be available via an explicit button next to the Other drop-down list, only if the current user is not the change request's owner.
  Possible values: This can be one of the following:
    true
    1
    false
    0
    The default value is false.
  Permitted change: Any


recommend_if_ticket_belongs_to_no_one
  Description: Indicates whether the action should be available via an explicit button next to the Other drop-down list only if the change request is not assigned to a user.
  Possible values: This can be one of the following:
    true
    1
    false
    0
    The default value is false.
  Permitted change: Any

hide_from_actions_menu_if_not_recommended
  Description: Indicates that the action should not appear in the Other drop-down list, if it is not available via an explicit button next to the Other drop-down list.
  Possible values: This can be one of the following:
    true
    1
    false
    0
    The default value is false.
  Permitted change: Any

need_user_confirm
  Description: Indicates whether a confirmation message should appear when a user performs the action. This attribute is optional.
  Possible values: This can be one of the following:
    true
    1
    false
    0
    The default value is false.
  Permitted change: Any

user_confirm_message
  Description: The confirmation message that should appear when the user performs the action, if the need_user_confirm attribute is set to true. This attribute is optional.
  Possible values: Any text. The default confirmation message is:
    Are you sure you want to <TITLE>?
    Where <TITLE> is the title of the action.
  Permitted change: Any


require_login_with_valid_license
  Description: Indicates whether a valid FireFlow license and a user that was defined in AlgoSec Firewall Analyzer is required, in order for the action to appear in the Other drop-down list. Note: This is a cosmetic issue only. Actions that involve FireFlow Analytics will not succeed if there is no valid license or if the user logged in was not defined in AlgoSec Firewall Analyzer. This attribute is optional.
  Possible values: This can be one of the following:
    true
    1
    false
    0
    The default value is false.
  Permitted change: There is no reason to change this attribute.

require_ticket_right
  Description: Indicates whether the user must be granted a specific right, in order for the action to appear in the Other drop-down list. Note: This is not just a cosmetic issue. Actions that require the user to have a specific right will not appear in the UI if the user does not have the right. Furthermore, even if they did appear, they would not succeed, unless the user had the right. This attribute is optional.
  Possible values: The name of a global right. Popular rights that may be used are:
    AllowActiveChange
    AllowAffectedRules
    AllowApprove
    AllowChangeValidation
    AllowDeleteTicket
    AllowImplementationDone
    AllowImplementationPlan
    AllowInitialPlan
    AllowManualCheck
    AllowNotifyRequestor
    AllowObjectChangeValidation
    AllowReImplement
    AllowRePlan
    AllowReject
    AllowRequestorResponse
    AllowResolve
    AllowReview
    AllowRiskCheck
    ModifyChanges
    ModifyReconciliation
    UserDefinedRight01
    UserDefinedRight02
    UserDefinedRight03
    UserDefinedRight04
    UserDefinedRight05
    UserDefinedRight06
    UserDefinedRight07
    UserDefinedRight08
    UserDefinedRight09
    UserDefinedRight10
    For additional rights, contact AlgoSec.
    The default value is no value.
  Permitted change: There is no reason to change this attribute.

goto_homepage

Indicates whether the user should be re-directed to the Home page after executing the action.

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

Any

goto_homepage_print_sub_tickets

Indicates whether after the action is performed on a parent request, the user should be redirected to the Home page, which displays a list of the parent request's sub-requests.

This attribute is relevant only for actions of the type change_status, reply_to_user and internal_comment.

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

There is no reason to change this attribute.

goto_parent

Indicates whether after the action is performed on a sub-request, the user should be redirected to the parent request.

This attribute is relevant only for actions of the type change_status, reply_to_user and internal_comment.

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

There is no reason to change this attribute.

mandatory_fields_required

Indicates whether certain change request fields are mandatory, in which case if the fields are not filled in when the action is performed, a message will appear prompting the user to fill them in.

The fields in question are:

  Source

  Destination

  Service

  Action

  Firewall

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

Any


mail_content

The default text that will appear in the main message box when commenting on a change request or replying to the user.

This attribute is relevant only for actions of the type reply_to_user and internal_comment.

This attribute is optional.

Any text

The default value is no value.

Any

transition_to_match_status

Indicates whether after the action is performed, the change request's "match status" should be set to a specific value, and the change request should be displayed in the Auto Matching page.

This attribute is relevant only for actions of the type change_status, reply_to_user and internal_comment.

This attribute is optional.

This can be set to the following values:

  new

  recheck

  perfect match

  id match

  change is wider than ticket

  partially implemented

  pending

  approved no change

  unable to match

  manually matched

  already works

The default value is no value.

There is no reason to change this attribute.

VisualFlow_visible

Indicates whether the action should be displayed in the workflow layout, when viewing a workflow.

Note: When viewing a status for which this action is an outbound action, the action will be displayed in the workflow layout, regardless of this attribute's value.

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

Any

modify_custom_field_title

The message that should appear when this action is performed, instructing the user to complete the custom field specified in the custom_field_name attribute.

This attribute is relevant only for actions of the type modify_custom_field.

Any string.

Any


custom_field_name

If the action requires a custom field's value as input, this attribute indicates the custom field's name.

This attribute is relevant only for actions of the type modify_custom_field.

Any custom field's name.

Any

allow_unprivileged_users

Indicates whether unprivileged users should be allowed to perform this action.

This attribute is relevant only for actions of the type change_status, reply_to_user, and internal_comment.

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

Any

transition_to_condition

The unique IDs of one or more conditions, under which change requests should transition to a particular status, when this action is performed.

When multiple condition IDs are specified, FireFlow will check the conditions in the order listed in this attribute. When FireFlow encounters a condition that is true, it will stop checking any additional conditions and transition the change request to the relevant status.

The conditionKey attributes of one or more conditions.

Multiple attributes must be separated by commas (,).

Any


In the following example, the action "Initial Plan" is of the type "initial_plan" (that is, it performs initial planning). This action will appear in the FireFlow interface only if a valid FireFlow license exists, only for regular and parent requests, and only for users that have been granted the right AllowInitialPlan. Executing this action changes the change request status to "check".

<action title="Initial Plan"
        type="initial_plan"
        key="initial_plan"
        transition_to_status="check"
        require_login_with_valid_license="true"
        require_ticket_right="AllowInitialPlan"
        ticket_member_type="Parent,Regular" />

In the following example, the action "Re-Plan" is of the type "reply_to_user" (that is, it comments on the change request and sends an email to the user). The default email text is "Your request needs to be re-planned". When this action is executed, a confirmation message will appear prompting the user to approve the change request before continuing. The change request's status changes to "open", which appears as "plan" in the FireFlow interface. This action will appear only for regular and parent requests, and only for users that have been granted the right AllowRePlan.

<action title="Re-Plan"
        type="reply_to_user"
        key="re_plan"
        transition_to_status="open"
        need_user_confirm="true"
        mail_content="Your request needs to be re-planned"
        require_ticket_right="AllowRePlan"
        ticket_member_type="Parent,Regular" />

Note: The following pre-defined actions are always available in the Other drop-down list and can always be performed on a change request, regardless of the changes made to the lifecycle:

  Comment, Reply - appear at the beginning of the list

  Duplicate, Save As Template - appear at the end of the list

Additional actions defined in the XML file appear between these two sets of actions in the Other drop-down list.


Status Tag Attributes

Each status tag in the XML file determines the change request's behavior when the change request is in the status. The following table explains each status tag attribute.

Status Tag Attributes

Name  Description  Possible Values  Permitted Change

name

The name of the status as it appears in the FireFlow interface. This is also a unique key.

Note: The status "open" appears in the UI as "plan".

The status "reconcile" appears in the UI as "pending match".

The status "reconciled" appears in the UI as "matched".

The status "check" appears in the UI as "approve".

The status "implementation plan" appears in the UI as "create work order".

This attribute is mandatory.

Up to 50 characters of Latin character set. Spaces are allowed.

Change is permitted with the following limitations:

  Do not rename the following statuses: new, open, resolved, rejected, deleted

  Renaming the following statuses requires additional configuration changes in the database and/or FireFlow_SiteConfig.pm file: approved, implementation plan, reconcile, reconciled. Contact AlgoSec for assistance.

enabled

Indicates whether this status is enabled in the FireFlow interface.

This can be one of the following:

  true

  1

  false

  0

The default value is true.

Any

responsible

The single user group responsible for change requests in this status.

Note: Usually, this group is configured to see these change requests in its Home page (see Customizing the Home Page per Group (on page 18)).

When an action is performed on the change request, and the action transitions the change request to a new status for which the change request owner is not responsible, the change request is re-assigned to the default assignee of the new status's responsible group, and the current user is re-directed to their Home page.

This attribute is mandatory.

Any user group name

Any


additional_responsibles

Additional user groups responsible for change requests in this status.

This attribute is optional.

A comma-separated list of responsible groups

Any

image

The name of the image used in the lifecycle diagram at the top of the change request page.

This attribute is mandatory.

This can be one of the following:

  new

  open

  check

  implement

  validate

  reconcile

  resolved

  rejected

  deleted

There is no reason to change this attribute.

image_not_considered_visited

The lifecycle diagram uses variations of each image to indicate whether the change request is currently in the status, has previously been there ("visited"), or neither.

This attribute controls whether a change request that has previously been to this status (and is currently not in this status), is considered to have "visited" this status or not.

Note: This attribute controls the lifecycle images only.

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

There is no reason to change this attribute.

allow_to_plan_change

Indicates whether it is possible to plan the change when a change request is in this status.

Planning the change involves modifying any of the following fields:

  Source

  Destination

  Service

  Action

  NAT

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

Any

Important: Initial planning will not succeed if the change request's current status is configured to have this attribute set to false.

incoming_correspondence_transition_to_status

Indicates whether to change the change request status to a specific status, when incoming correspondence from the change request's unprivileged requestor to the change request occurs.

If this attribute is not set, then the change request status will not change upon incoming correspondence.

This attribute is optional.

Any status name defined in the <statuses> node.

The default value is no value.

Any

final

Indicates whether a change request in this status is considered "closed".

This mainly affects the Open/Closed change request list in the FireFlow requestor interface.

This attribute is optional.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

There is no reason to change this attribute.

show_in_waiting_tab

Indicates whether a change request should appear in the Change Requests Awaiting Response page for unprivileged users.

This can be one of the following:

  true

  1

  false

  0

The default value is false.

Any

status_after_new

The status to which the change request should transition after it has been assigned an owner.

This attribute is relevant only for the "new" status.

Any status name defined in the <statuses> node.

The default value is open.

There is no reason to change this attribute.


In addition, a status can have a nested <actions> tag that overrides global action attributes, when the change request is in the status.

In the following example, the status "new" is assigned the "new" lifecycle image. The Network user group is responsible for this status. While the change request is in this status, modification of traffic fields is allowed.

Also note that there is an action override: When the change request is in this status, the initial planning action (identified using the key initial_plan which is equal to the key in the main <actions> node) is recommended.

<status name="new" image="new" responsible="Network" allow_to_plan_change="true">
  <actions>
    <action key="1348" recommend="true"/>
    <!-- more actions here -->
  </actions>
</status>

 

Note: Most illegal changes to the XML file will cause the whole file to not be read. In this case, only the default actions (comment, duplicate, etc.) will be available, and the FireFlow log file /usr/share/fireflow/var/log/fireflow.log will describe the problem. Also, logging in as a privileged user will cause the log snippet to be displayed onscreen in a warning message. Other local illegal changes are detected only upon executing the specific action that contains the illegal change. In this case, too, the FireFlow log file will explain the problem, once the action is attempted.

Note: Some changes that are listed in the preceding table as not permitted will not be detected by FireFlow. They will simply cause erratic undocumented behavior by the system.

Condition Tag Attributes and Syntax

If an action tag's transition_to_condition attribute is set, then change requests will transition to a particular status when the action is performed, provided certain conditions are met. The condition tag defines the required conditions, as well as the status to which change requests should transition.

The following table explains each condition tag attribute.

Condition Tag Attributes

Name  Description  Possible Values  Permitted Change

GoToStatus

The new status that the change request should transition to when the action is performed, if the condition(s) in the condition attribute are met.

Any existing status name

Any

conditionKey

The condition's unique ID.

Any string. Cannot contain a comma ","

Any


msgToUser

The message that should appear onscreen when transitioning to the new status.

Any string.

Any

In addition to these attributes, every condition tag must contain one check sub-tag. The sub-tag's syntax is as follows:

<check><![CDATA[query]]></check>

Where query is an XQL query specifying the desired condition's requirements. For information on the required query syntax, see Action Condition Syntax (on page 105).

In the following example, when the RiskCheck action is performed, FireFlow will check the noRisks condition first. If the number of risks equals zero, then FireFlow will transition the change request to the "create work order" status (called "implementation plan" in the XML). It will not check the priorityLessThan7 condition.

However, if the number of risks is different than zero, FireFlow will check the priorityLessThan7 condition. If the change request priority is less than 7, FireFlow will transition the change request to "review" status. If the change request priority is not less than 7, FireFlow will transition the change request to "approve" status (called "check" in the XML).

<action title="RiskCheck" ...
        transition_to_condition="noRisks,priorityLessThan7"
        transition_to_status="check"/>

<condition conditionKey="noRisks" GoToStatus="implementation plan" msgToUser="OK to implement">
  <check><![CDATA[Ticket[RisksNumber = "0"]]]></check>
</condition>

<condition conditionKey="priorityLessThan7" GoToStatus="review" msgToUser="Need to be reviewed">
  <check><![CDATA[Ticket[Priority < 7]]]></check>
</condition>

Modifying Workflows

FireFlow does not allow overriding the following built-in workflows, which are located in the directory /usr/share/fireflow/local/etc/Workflows/:

  Standard_Config.xml

  Change-Object_Config.xml

  Multi-Approval_Config.xml

  Non-Firewall_Config.xml

  Parallel-Approval_Config.xml

  Request-Recertification_Config.xml

  Rule-Removal_Config.xml

  Standard-With-SLA_Config.xml

  Web-Filter_Config.xml

These workflows can only be disabled. See Disabling Workflows (on page 165).

If you want to modify a built-in workflow, copy it under a different name, then modify the newly named workflow and disable the built-in one.

The following procedure can be used to modify custom workflows.

  To modify a workflow

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, open the desired workflow file.

3 Make the desired modifications to the change request lifecycle.

You can add new actions and new statuses to the change request lifecycle. See Action Tag Attributes (on page 149) and Status Tag Attributes (on page 160) for information on the relevant tag attributes.

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).
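Because most illegal changes cause the whole file to be ignored and some are not detected at all, it helps to check an edited workflow file before restarting. The following is an added example, not AlgoSec code: it applies the attribute rules from the tables above and flags actions that are not gated by a right or that are open to unprivileged users. The function name, the `<workflow>` and `<conditions>` wrapper elements, the action keys and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

BOOLS = {"true", "1", "false", "0"}
ACTION_BOOLS = ("require_login_with_valid_license", "goto_homepage", "goto_parent",
                "goto_homepage_print_sub_tickets", "mandatory_fields_required",
                "VisualFlow_visible", "allow_unprivileged_users")
STATUS_BOOLS = ("enabled", "image_not_considered_visited", "allow_to_plan_change",
                "final", "show_in_waiting_tab")
STATUS_REFS = ("transition_to_status", "GoToStatus", "status_after_new",
               "incoming_correspondence_transition_to_status")
IMAGES = {"new", "open", "check", "implement", "validate", "reconcile",
          "resolved", "rejected", "deleted"}
# Rights the guide lists as popular; others exist, so a miss is only a warning.
KNOWN_RIGHTS = set(
    "AllowActiveChange AllowAffectedRules AllowApprove AllowChangeValidation "
    "AllowDeleteTicket AllowImplementationDone AllowImplementationPlan "
    "AllowInitialPlan AllowManualCheck AllowNotifyRequestor AllowReImplement "
    "AllowObjectChangeValidation AllowRePlan AllowReject AllowRequestorResponse "
    "AllowResolve AllowReview AllowRiskCheck ModifyChanges ModifyReconciliation".split()
) | {"UserDefinedRight%02d" % n for n in range(1, 11)}


def lint_workflow(xml_text):
    """Return a list of (severity, message) findings for one workflow file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", "not well-formed, FireFlow would not read it: %s" % exc)]
    out = []
    statuses = list(root.iter("status"))
    # <action> tags nested in a <status> are per-status overrides, not definitions.
    overrides = [a for s in statuses for a in s.iter("action")]
    actions = [a for a in root.iter("action") if all(a is not o for o in overrides)]
    conditions = list(root.iter("condition"))
    status_names = {s.get("name") for s in statuses}
    condition_keys = {c.get("conditionKey") for c in conditions}
    def check(elem, label, attrs, allowed, why):
        for attr in attrs:
            value = elem.get(attr)
            if value is not None and value not in allowed:
                out.append(("error", "%s: %s=%r %s" % (label, attr, value, why)))
    for a in actions:
        label = "action %r" % a.get("key")
        check(a, label, ACTION_BOOLS, BOOLS, "is not true/1/false/0")
        check(a, label, STATUS_REFS, status_names, "is not a defined status")
        right = a.get("require_ticket_right")
        if right is None:
            out.append(("review", "%s: not gated by require_ticket_right" % label))
        elif right not in KNOWN_RIGHTS:
            out.append(("warn", "%s: right %r is not in the guide's list" % (label, right)))
        if a.get("allow_unprivileged_users") in ("true", "1"):
            out.append(("review", "%s: open to unprivileged users" % label))
        # Assumption: whitespace around the comma-separated keys is ignored.
        for key in a.get("transition_to_condition", "").split(","):
            if key.strip() and key.strip() not in condition_keys:
                out.append(("error", "%s: unknown condition %r" % (label, key.strip())))
    for c in conditions:
        label = "condition %r" % c.get("conditionKey")
        check(c, label, STATUS_REFS, status_names, "is not a defined status")
        if not c.get("conditionKey") or "," in c.get("conditionKey"):
            out.append(("error", "%s: conditionKey missing or contains a comma" % label))
        if len(c.findall("check")) != 1:
            out.append(("error", "%s: must contain one <check> sub-tag" % label))
    for s in statuses:
        label = "status %r" % s.get("name")
        check(s, label, STATUS_BOOLS, BOOLS, "is not true/1/false/0")
        check(s, label, STATUS_REFS, status_names, "is not a defined status")
        check(s, label, ("image",), IMAGES, "is not a lifecycle image")
        for attr in ("name", "responsible", "image"):
            if not s.get(attr):
                out.append(("error", "%s: %s is mandatory" % (label, attr)))
        if len(s.get("name") or "") > 50:
            out.append(("error", "%s: name exceeds 50 characters" % label))
    action_keys = {a.get("key") for a in actions}
    for o in overrides:
        if o.get("key") not in action_keys:
            out.append(("error", "override key %r matches no global action" % o.get("key")))
    return out


# Constructed sample; the <workflow> and <conditions> wrappers are assumptions.
SAMPLE = """<workflow><actions>
  <action title="Initial Plan" type="initial_plan" key="initial_plan"
          transition_to_status="check" require_ticket_right="AllowInitialPlan"/>
  <action title="RiskCheck" key="risk_check" transition_to_status="check"
          transition_to_condition="noRisks,priorityLessThan7"
          require_ticket_right="AllowRiskCheck"/>
  <action title="Escalate" type="change_status" key="escalate"
          transition_to_status="escalated" allow_unprivileged_users="yes"/>
</actions><statuses>
  <status name="new" image="new" responsible="Network" allow_to_plan_change="true">
    <actions><action key="initial_plan" recommend="true"/></actions></status>
  <status name="check" image="check" responsible="Security"/>
  <status name="implementation plan" image="implement" responsible="Network"/>
</statuses><conditions><condition conditionKey="noRisks" GoToStatus="implementation plan">
  <check><![CDATA[Ticket[RisksNumber = "0"]]]></check></condition></conditions></workflow>"""

if __name__ == "__main__":
    print("\n".join("%-6s %s" % f for f in lint_workflow(SAMPLE)))
```

Findings marked "review" are not errors: they list the actions whose access is not restricted by a right, so the change can be signed off deliberately.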

Disabling Workflows

You can disable both built-in and custom workflows.

  To disable a workflow

1 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, open the workflow configuration file Workflows_Config.xml.

2 Locate the desired workflow's line, and add the following to it:

enabled="false"

3 For example, to disable the Custom workflow, change:

<workflow name="Custom" description="This is a custom workflow" filename_prefix="Custom" />

to

<workflow name="Custom" enabled="false" description="This is a custom workflow" filename_prefix="Custom" />

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Deleting Workflows

Note: FireFlow allows deleting only custom workflows, not built-in workflows.

  To delete a workflow

1 Log in to the FireFlow server using the username "root" and the related password.


2 In the directory /usr/share/fireflow/local/etc/site/Workflows/, remove the desired workflow file.

3 In the directory /usr/share/fireflow/local/etc/site/Workflows/, open the file Workflows_Config.xml.

4 Remove the line of the workflow you want to delete.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Reverting to the System Default Workflow via XML

 

To revert to the system default workflow settings

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, remove all of the workflow files.

3 Under the directory /usr/share/fireflow/local/etc/site/, remove the file Workflows_Config.xml.

4 Restart FireFlow.

See Restarting FireFlow (on page 11).

CHAPTER 13

Using Hooks

This section explains how to use hooks with FireFlow.

In This Chapter

  Overview
  Using Hooks to Control Parameters
  Hook Functions
  Comprehensive Example

Overview

It is possible to configure FireFlow to extract certain parameters on the fly, by using hooks. This helps streamline the change request lifecycle and is particularly helpful for MSPs.

For example, during the Initial Plan stage of the change request lifecycle, FireFlow checks the requested traffic against the ALL_FIREWALLS group, by default. If you have several customers, each of which is a large organization with numerous devices, checking traffic against all of the devices of each organization is unnecessary and time consuming. By using hooks, it is possible to configure FireFlow to check traffic only against the devices of the organization that issued the change request.

You can use hooks to do the following:

  Retrieve the name of the workflow to assign the change request in the Request stage

  Retrieve the device group against which traffic should be checked in the Initial Plan stage

  Retrieve the name of the user group responsible for the change request in each lifecycle stage

  Retrieve searches appearing in the Requestors Web Interface

  Validate a change request before its creation

  Suggest host names to match IP addresses with no associated hostname in a work order

  Add suffixes to add to suggested rule comments in a work order

  Validate host names, groups, and comments in a manually edited work order

  Run additional risk checks on external systems

Using Hooks to Control Parameters

  To use hooks to control parameters

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the /usr/share/fireflow/local/Hooks directory, create a Perl pm file that implements the FireFlow::Hooks package.


The file can have any name. For example, you can create the file /usr/share/fireflow/local/Hooks/MyHooks.pm, which begins with the line:

package FireFlow::Hooks;

3 In the file you created, implement the desired hooking functions.

For information on the hooking functions, see Hook Functions (on page 169).

4 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

5 Add the configuration item HooksFileNames, and set its value to the name of the Perl pm file you created.

For example:

Set(@HooksFileNames, (
    "MyHooks"
));

6 Save the file.

7 Restart FireFlow.

See Restarting FireFlow (on page 11).


Hook Functions

GetExternalRisks

Syntax

sub GetExternalRisks

Description

This function is called for every change request, after FireFlow has finished running a risk check. It receives the change request as input, along with a list of devices on which a risk check should be run. The risk check is run on an external system, and the function then returns the risk check results. These results are displayed in FireFlow after the FireFlow risk check results, for example:

Input Parameters

$ticket  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

For an example of a flat ticket, see Flat Ticket Example (on page 116).


$firewall  A Perl array reference containing an array of device names on which a risk check should be run.

Note: These are the same devices on which the FireFlow risk check ran.

Return Values

A Perl hash reference containing the following keys:

  RiskList. An array of all the risks that were detected, sorted from high to low severity, where each risk is represented by a hash reference containing the risk's name, description, code, and severity.

  profile. The risk check's profile.

  high. The number of risks at the High severity level.

  low. The number of risks at the Low severity level.

  medium. The number of risks at the Medium severity level.

  suspected high. The number of risks at the Suspected High severity level.

Note: If there are no risks at a certain severity level, the relevant key will have no value defined.

GetFirewallGroupName

Syntax

sub GetFirewallGroupName 

Description

This function is called for every change request just before initial planning is executed on the change request. It receives the change request as input and returns the name of the device group against which FireFlow will check traffic in the Initial Plan stage.

Input Parameters

$context  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values

One of the following values:

The desired device group's name  This must be the group's real name, not its display name.

""  Use the default behavior: FireFlow will check traffic against the group configured as $FAQueryDefaultGroup in the configuration file. (The default is the ALL_FIREWALLS group.)


GetRealGroupName

Syntax

sub GetRealGroupName 

Description

This function is called for every change request, when the change request transitions from one status to another. It receives the change request as input, as well as the "meta group" name that the change request's workflow specifies as the responsible group for the change request's new status. It returns the name of the user group that is responsible for the change request in its current status.

Input Parameters

$context  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

For an example of a flat ticket, see Flat Ticket Example (on page 116).

$metaGroup  A user group name, as it appears in the workflow XML.

This may be a meta group's name. For example if the meta group's name is "security", the hook may then return the user group "securityA" for requestors of company A, and the user group "securityB" for requestors of company B, where "securityA" and "securityB" are real user groups (not meta groups) that exist in FireFlow.

Return Values

One of the following values:

The desired user group's name

""  Use the default behavior: The user group specified in the workflow configuration will be responsible for the change request.


GetRequestorSearches

Syntax

sub GetRequestorSearches 

Description

This function allows adding searches to the Requestors Web Interface. It receives the requestor's user properties as input, as well as the name of the page in the Requestors Web Interface on which the searchshould appear. It returns a search on the specified page.

Note: By default, requestors can only view change requests that they requested themselves. Therefore, if the hook returns a search query with change requests that other users requested, those change requests will not be displayed in the Requestor Web Interface. To enable the display of change requests requested by other users, it is necessary to grant requestors more permissive rights. See Working with Rights (on page 177).

Input Parameters

$requestor  A hash reference to the requestor's user properties.

For a list of user properties that are included in the hash, and for information on modifying the list of included properties, see Configuring the List of User Properties (on page 216).

$friendly_status  The Requestors Web Interface page that is currently being displayed. This can have the following values:

  Open

  Awaiting Response

  Closed

Return Values

An array, in the following format:

my $search = {Field1 => Value1, Field2 => Value2, ...};

Where each field in the array is a hash reference representing a search.

Supported fields are:


Title  The search's title. This will appear in the Requestors Web Interface.

This field is mandatory.

Format  A string containing a comma-separated list of columns that should be included in the search results.

For example:

my $Format = qq{
'<B><A HREF="}.RT->Config->Get('WebPath').qq{/SelfService/Display.html?id=__id__">__id__</a></B>/TITLE:Id',
'<B><A HREF="}.RT->Config->Get('WebPath').qq{/SelfService/Display.html?id=__id__">__Subject__</a></B>/TITLE:Subject',
'__CustomField.{Workflow}__',
Status,
OwnerName,
Priority,
CreatedRelative,
LastUpdatedRelative};

This field is mandatory.

Query  An SQL query. For example:

Queue = 'Firewalls' AND id > 100 AND Requestor.EmailAddress LIKE 'algosec.com'

Note: If a field is missing from the query, a warning will be written to the log and the search will not be displayed.

This field is mandatory.

OrderBy  An array of column names, indicating the column by which search results should be sorted by default.

The default value is ('LastUpdated'). This field is optional.

Order  An array indicating the default sort order of the search results. This can have the following values:

  ASC. Show the oldest search results first.

  DESC. Show the most recent search results first.

The default is ('DESC'). This field is optional.

Rows  The number of search result rows to display per page.

The default value is null. This field is optional.

For example:

my $search = {
    Title   => "The title of the search",
    Format  => $Format,
    Query   => $Query,
    Order   => @Order,
    OrderBy => @OrderBy,
    Rows    => $Rows,
};


GetWorkFlowName

Syntax

sub GetWorkFlowName 

Description

This function is called for every change request, when the change request is created and its workflow must be determined. It receives the change request as input and returns the name of the workflow that FireFlow should assign the change request.

Input Parameters

$context  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values

One of the following values:

The desired workflow's name

""  Use the default behavior: Assign a workflow based on the configured workflow conditions.

SuggestCommentSuffix

Syntax

sub SuggestCommentSuffix 

Description

This function is called for every change request, in which the work order contains a suggested rule comment. It receives the change request as input, as well as the original rule comment and the rule comment suggested by FireFlow. It returns a suffix to be added to the rule comment suggested by FireFlow.

Input Parameters

$ticket  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

For an example of a flat ticket, see Flat Ticket Example (on page 116).

$origComment  The original rule comment.

$commentValue  The rule comment suggested by FireFlow.

Return Values

A suffix to be added to the rule comment suggested by FireFlow.


SuggestHostName

Syntax

sub SuggestHostName 

Description

This function is called for every change request, in which the work order contains an IP address or subnet that is not associated with a hostname. It receives the change request as input, as well as the IP address/subnet and an indication of whether the IP address/subnet is a source or destination. It returns a suggested hostname for the IP address/subnet.

Input Parameters

$ticket  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

For an example of a flat ticket, see Flat Ticket Example (on page 116).

$ip  The IP address or subnet that does not have an associated hostname.

$field  The IP address or subnet's function. This can have the following values:

  Source

  Destination

Return Values

A suggested hostname for the IP address/subnet.
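One way to implement this hook so that the same network always gets the same object name, as an added example that is not AlgoSec's code. It assumes the arguments arrive positionally as ($ticket, $ip, $field), that $ip is IPv4 in dotted or CIDR notation, a hypothetical src_/dst_ naming convention, and that an empty string is returned when no name can be suggested.

```perl
use strict;
use warnings;

# Added example, not AlgoSec code. Assumptions: arguments arrive positionally
# as ($ticket, $ip, $field); $ip is IPv4 in dotted or CIDR notation; the
# src_/dst_ and h_/n_ naming scheme is a hypothetical site convention; an
# empty string is returned when no name can be suggested.

# Parse "a.b.c.d" or "a.b.c.d/len" into (32-bit address, prefix length).
# Returns an empty list for anything malformed.
sub parse_ipv4 {
    my ($text) = @_;
    return unless defined $text;
    my ($addr, $len) = $text =~ m{\A\s*(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\s*\z}
        or return;
    $len = 32 unless defined $len;
    return if $len > 32;
    my @octets = split /\./, $addr;
    return if grep { $_ > 255 } @octets;
    my $value = 0;
    $value = ($value << 8) + $_ for @octets;
    return ($value, $len);
}

sub SuggestHostName {
    my ($ticket, $ip, $field) = @_;

    # Anything that is not a well-formed IPv4 address or subnet gets no suggestion.
    my ($value, $len) = parse_ipv4($ip)
        or return "";

    # Clear the host bits so that 10.1.2.3/24 and 10.1.2.0/24 map to one name.
    my $mask    = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    my $network = $value & $mask;
    my $dotted  = join '.', map { ($network >> $_) & 0xFF } (24, 16, 8, 0);

    my $side = (defined $field && lc($field) eq 'destination') ? 'dst' : 'src';
    return $len == 32 ? "${side}_h_${dotted}" : "${side}_n_${dotted}_${len}";
}

# Constructed inputs; this part runs only when the file is executed directly.
unless (caller) {
    my $ticket = { flatTicket => {} };    # contents are not used by this hook
    for my $case (['10.1.2.3', 'Source'], ['10.1.2.77/24', 'Destination'],
                  ['192.168.0.1/33', 'Source'], ['fe80::1', 'Destination']) {
        my ($ip, $field) = @$case;
        my $name = SuggestHostName($ticket, $ip, $field);
        printf "%-16s %-12s -> %s\n", $ip, $field,
            length($name) ? $name : '(no suggestion)';
    }
}

1;
```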

ValidateTicket

Syntax

sub ValidateTicket 

Description

This function is called for every change request that is created via the Web interface. It receives the change request as input. It returns a return code and a list of error messages, so as to validate the change request.

Input Parameters

$ticket  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

Note: The hash will contain only data that was entered in the request form. The ID field will be set to "New".

For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values

A return code and a list of error messages.


ValidateWorkOrderEdit

Syntax

sub ValidateWorkOrderEdit 

Description

This function is called for every change request, in which the work order contains hostnames, host and service groups, and/or comments that were manually edited. It receives the change request as input, as well as the edited work order elements. It returns the elements that are invalid.

Input Parameters

$ticket  A Perl hash reference containing a single key called flatTicket, which points to the flat ticket representation of the change request.

For an example of a flat ticket, see Flat Ticket Example (on page 116).

$validationHash  A Perl hash reference containing the work order elements that were manually edited.

The hash contains the following elements:

  objects - The object names to be validated.

  groups - The host and service groups to be validated.

  comments - The comments to be validated.

Return Values

$invalidHash  A Perl hash reference containing the work order elements that were found to be invalid.
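One way to use this hook to keep manually edited names and comments within a site policy before they reach a device, as an added example that is not AlgoSec's code. It assumes the arguments arrive positionally as ($ticket, $validationHash), that objects, groups and comments each hold an array reference of strings, and that the returned hash uses the same three keys; the naming and comment rules are a hypothetical policy.

```perl
use strict;
use warnings;

# Added example, not AlgoSec code. Assumptions: arguments arrive positionally
# as ($ticket, $validationHash); each of objects, groups and comments holds an
# array reference of strings; the returned hash uses the same three keys. The
# naming and comment rules below are a hypothetical site policy.

# Each check returns a reason string for a bad element, or undef if it passes.
sub check_name {
    my ($name) = @_;
    return 'empty'                               unless defined($name) && length($name);
    return 'longer than 63 characters'           if length($name) > 63;
    return 'must start with a letter'            unless $name =~ /\A[A-Za-z]/;
    return 'character outside A-Z a-z 0-9 _ . -' if $name =~ /[^A-Za-z0-9_.-]/;
    return;
}

sub check_comment {
    my ($text) = @_;
    return 'undefined'                      unless defined $text;
    return 'longer than 255 characters'     if length($text) > 255;
    return 'control or non-ASCII character' if $text =~ /[^\x20-\x7E]/;
    return;
}

my %CHECK = (
    objects  => \&check_name,
    groups   => \&check_name,
    comments => \&check_comment,
);

# Returns a [kind, element, reason] triple for every failing element.
sub find_invalid {
    my ($validationHash) = @_;
    return unless ref($validationHash) eq 'HASH';
    my @failures;
    for my $kind (sort keys %CHECK) {
        my $items = $validationHash->{$kind};
        next unless ref($items) eq 'ARRAY';
        for my $item (@$items) {
            my $reason = $CHECK{$kind}->($item);
            push @failures, [$kind, $item, $reason] if defined $reason;
        }
    }
    return @failures;
}

sub ValidateWorkOrderEdit {
    my ($ticket, $validationHash) = @_;
    my %invalid;
    push @{ $invalid{ $_->[0] } }, $_->[1] for find_invalid($validationHash);
    return \%invalid;    # empty hash: every edited element passed
}

# Constructed sample of manually edited work order elements; this part runs
# only when the file is executed directly.
unless (caller) {
    my %edited = (
        objects  => ['web_srv_01', '10.0.0.5 host', 'db-prod'],
        groups   => ['DMZ_Servers', '_tmp'],
        comments => ['FF-1234 allow web to db', "approved\nby phone"],
    );
    for my $f (find_invalid(\%edited)) {
        (my $shown = $f->[1]) =~ s/[^\x20-\x7E]/?/g;    # keep the report on one line
        printf "%-8s %-24s %s\n", $f->[0], "'$shown'", $f->[2];
    }
    my $invalid = ValidateWorkOrderEdit({ flatTicket => {} }, \%edited);
    print "$_: ", scalar(@{ $invalid->{$_} }), " invalid\n" for sort keys %$invalid;
}

1;
```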

Comprehensive Example

For a comprehensive example, refer to the following files on the FireFlow server:

  A sample Perl module is located under /usr/share/fireflow/local/Hooks/ExampleHooks.pm

  The related XML data is located under /usr/share/fireflow/local/etc/site/Hooks/Example_Config.xml

CHAPTER 14

Working with Rights

This section explains how to configure rights.

In This Chapter

Overview (page 177)
Configuring Global Rights for Groups (page 178)
Configuring Global Rights for Users (page 181)
Configuring Queue Rights for Groups (page 183)
Configuring Queue Rights for Users (page 186)

Overview

FireFlow enables you to assign rights to users and user groups. Each right represents an action that the user or user group can perform.

There are two types of rights:

  Built-in rights

FireFlow includes a set of built-in rights that represent specific actions users can perform.

  User-defined rights

FireFlow includes a set of user-defined rights that are labeled UserDefinedRight01 through UserDefinedRight10. Unlike the built-in rights, which are tied to specific actions, user-defined rights can be used to represent any custom action, in order to restrict the performance of those actions to certain users.

For example, let's say you want to modify the Standard workflow so that it includes a custom action called "First Approve", and you want to restrict this action to users who have "First Approval" rights. As "First Approval" rights do not exist in the FireFlow system, you can decide that UserDefinedRight01 will represent "First Approval" rights, and assign these rights to the desired user groups.

Note: You cannot rename user-defined rights.

When assigning rights to a user group, all members of the group (both users and sub-groups) will automatically inherit the rights.

Note: It is recommended to assign rights to user groups, rather than to individual users. This approach enables you to quickly configure a new user's rights, by simply adding the user to the desired group.

You can assign rights to the following types of user groups:

  System groups

Includes Everyone, Privileged, and Unprivileged (requestors).

  User roles

Includes Cc, Requestor, and Owner.

Rights assigned to a user role are only relevant for users who are filling that role in relation to a specific change request. For example, if you assign "ShowTicket" rights to the Requestor role, then a user who is the requestor for a specific change request will be able to view that change request. The same user will not be able to view other change requests for which they are not the requestor, unless the user also belongs to a system or user-defined group with "ShowTicket" rights.

Note: The AdminCc user role is not in use and should be ignored.

  User-defined groups 

Includes Network, Security, and any other group defined by a user.

Rights can be assigned at either of the following levels:

  Global 

Assign rights at the global level for actions that should be performed on all change requests and for actions that are not related to change requests. You can assign both user-defined and built-in rights.

See Configuring Global Rights for Groups (on page 178) and Configuring Global Rights for Users (on page 181).

  Queue

Assign rights at the queue level for actions that should only be performed on change requests belonging to a certain queue.

Only built-in rights can be assigned at the queue level.

See Configuring Queue Rights for Groups (on page 183) and Configuring Queue Rights for Users (on page 186).
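The inheritance, role and level rules described in this overview, modeled in an added example (not FireFlow code) that computes a user's effective rights on one change request and flags user-defined rights granted at the queue level. The users, the SecReviewers sub-group, the grants, the ticket layout and every function name are constructed for illustration.

```perl
use strict;
use warnings;

# Added example: a model of the rules stated in this chapter, not FireFlow code.
# Users, the SecReviewers sub-group, all grants and both tickets are constructed.
my %MEMBERS = (                  # group => direct members (users or sub-groups)
    Security     => [qw(alice SecReviewers)],
    SecReviewers => [qw(bob)],
    Network      => [qw(carol)],
);
my %GLOBAL = (                   # principal => rights granted at the global level
    Security => [qw(ShowMatches ModifyMatches DeleteMatches UserDefinedRight01)],
    Network  => [qw(ShowMatches)],
);
my %QUEUE = (                    # queue => principal => rights granted at the queue level
    Firewalls => {
        Security  => [qw(AllowApprove AllowRiskCheck)],
        Network   => [qw(AllowImplementationPlan UserDefinedRight02)],  # misplaced on purpose
        Requestor => [qw(ShowTicket AllowRequestorResponse)],           # a user role
    },
);
my @ROLES = qw(Cc Requestor Owner);

sub is_user_defined { return $_[0] =~ /\AUserDefinedRight(?:0[1-9]|10)\z/ }

# Every group the user belongs to, directly or through sub-groups.
sub groups_of {
    my ($user) = @_;
    my %seen;
    my @todo = ($user);
    while (defined(my $member = shift @todo)) {
        for my $group (sort keys %MEMBERS) {
            next if $seen{$group} || !grep { $_ eq $member } @{ $MEMBERS{$group} };
            $seen{$group} = 1;
            push @todo, $group;    # a sub-group inherits from its parent groups too
        }
    }
    return sort keys %seen;
}

# Roles the user fills on this particular change request.
sub roles_on {
    my ($user, $ticket) = @_;
    my @filled;
    for my $role (@ROLES) {
        my $holders = $ticket->{$role};
        my @holders = ref($holders) eq 'ARRAY' ? @$holders : grep { defined $_ } ($holders);
        push @filled, $role if grep { $_ eq $user } @holders;
    }
    return @filled;
}

# right => how it was obtained, for one user on one change request.
sub effective_rights {
    my ($user, $ticket) = @_;
    my $queue = $QUEUE{ $ticket->{Queue} } || {};
    my %rights;
    for my $p ($user, 'Everyone', groups_of($user)) {
        $rights{$_} //= "global via $p" for @{ $GLOBAL{$p} || [] };
        $rights{$_} //= "queue via $p"
            for grep { !is_user_defined($_) } @{ $queue->{$p} || [] };
    }
    # Role rights count only on the change request where the user fills the role.
    for my $role (roles_on($user, $ticket)) {
        $rights{$_} //= "role $role on this request"
            for @{ $GLOBAL{$role} || [] },
                grep { !is_user_defined($_) } @{ $queue->{$role} || [] };
    }
    return \%rights;
}

# The chapter states that only built-in rights can be assigned at the queue level.
sub misplaced_grants {
    my @found;
    for my $queue (sort keys %QUEUE) {
        for my $p (sort keys %{ $QUEUE{$queue} }) {
            push @found, "queue $queue, $p: $_"
                for grep { is_user_defined($_) } @{ $QUEUE{$queue}{$p} };
        }
    }
    return @found;
}

unless (caller) {
    my %tickets = (
        101 => { Queue => 'Firewalls', Requestor => 'dave', Owner => 'alice' },
        102 => { Queue => 'Firewalls', Requestor => 'erin', Owner => 'carol' },
    );
    for my $id (sort keys %tickets) {
        for my $user (qw(alice bob carol dave)) {
            my $r = effective_rights($user, $tickets{$id});
            my @held = map { "$_ ($r->{$_})" } sort keys %$r;
            printf "request %s, %-5s: %s\n", $id, $user,
                @held ? join('; ', @held) : 'no rights';
        }
    }
    print "user-defined right at queue level: $_\n" for misplaced_grants();
}

1;
```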

Configuring Global Rights for Groups

Configuring Global Built-in Rights for Groups

Note: By default, both the Network and Security user groups can view matching output, but only the Security user group can perform manual matching. Furthermore, both these user groups can view change records in FireFlow and modify their summary or comment on the change records. If desired, you can change these settings for these user groups or any other user group.

  To configure global built-in rights for a group

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.

3 Click Global.

The Admin/Global configuration page appears.

4 Click Group Rights.


The Modify global group rights page appears.

5 Locate the desired group.

6 To assign rights, do the following:

a)  In the New rights list box next to the desired user group, select the rights you want to assign this group.

For information on some of the most commonly used global built-in rights, see Global Built-in Rights (page 180).

To select multiple rights, press Ctrl while you click on the desired rights.

Note: It is recommended to select rights similar to those of the pre-defined Security and/or Network groups.

b)  Click Modify Group Rights.

The selected rights appear in the Current rights area.

7 To revoke rights, do the following:

a)  In the Current rights area, select the check boxes next to the rights you want to revoke.

 b)  Click Modify Group Rights.

The selected rights are removed from the Current rights area.

Global Built-in Rights

Right          Description

DeleteMatches  Allows users in the group to delete matching output for all change requests. This right is required for manual matching.

ModifyChanges  Allows users in the group to modify or comment on change records.

ModifyMatches  Allows users in the group to modify matching output for all change requests. This right is required for manual matching.

ShowChanges    Allows users in the group to view change records for all change requests.

ShowMatches    Allows users in the group to view matching output for all change requests.

Configuring Global User-Defined Rights for Groups

  To configure global user-defined rights for a group

1 Choose an unused user-defined right (UserDefinedRight01 through UserDefinedRight10) to represent the right to perform a certain custom action.

For example, if you want to modify the Standard workflow so that it includes a custom action called "First Approve", and you want to restrict this action to users who have "First Approval" rights, you would choose UserDefinedRight01 to represent the right to perform the "First Approve" custom action.

2 Assign the user-defined right to the user groups that should be allowed to perform the custom action, by doing the following:

a)  Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

b)  In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

c)  Click Global.

The Admin/Global configuration page appears.

d)  Click Group Rights.

The Modify global group rights page appears.

e)  In the User defined groups area, for each group to which you want to assign the user-defined rights, select the relevant rights in the New rights list box.

f)  Click Modify Group Rights.

In our example, you would assign UserDefinedRight01 rights to the user groups that should be allowed to perform the "First Approve" action.

3 Modify the custom action to restrict its use to users with the selected user-defined right.

For information on modifying workflow actions, see Working with Workflows in VisualFlow (on page 71).

Configuring Global Rights for Users

Configuring Global Built-in Rights for Users

  To configure global built-in rights for a user

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

3 Click Global.


The Admin/Global configuration page appears.

4 Click User Rights.

The Modify global user rights page appears.

5 Locate the desired user.

6 To assign rights, do the following:

a)  In the New rights list box next to the desired user, select the rights you want to assign this user.

For information on some of the most commonly used global built-in rights, see Global Built-in Rights (page 180).

To select multiple rights, press Ctrl while you click on the desired rights.

b)  Click Modify User Rights.

The selected rights appear in the Current rights area.

7 To revoke rights, do the following:

a)  In the Current rights area, select the check boxes next to the rights you want to revoke.

b)  Click Modify User Rights.

The selected rights are removed from the Current rights area.

Configuring Global User-Defined Rights for Users

  To configure global user-defined rights for a user

1 Choose an unused user-defined right (UserDefinedRight01 through UserDefinedRight10) to represent the right to perform a certain custom action.


For example, if you want to modify the Standard workflow so that it includes a custom action called "First Approve", and you want to restrict this action to users who have "First Approval" rights, you would choose UserDefinedRight01 to represent the right to perform the "First Approve" custom action.

2 Assign the user-defined right to the user that should be allowed to perform the custom action, by doing the following:

a)  Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

b)  In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

c)  Click Global.

The Admin/Global configuration page appears.

d)  Click User Rights.

The Modify global user rights page appears.

e)  For each user to which you want to assign the user-defined rights, select the relevant rights in the New rights list box.

f)  Click Modify User Rights.

In our example, you would assign UserDefinedRight01 rights to the users that should be allowed to perform the "First Approve" action.

3 Modify the custom action to restrict its use to users with the selected user-defined right.

For information on modifying workflow actions, see Working with Workflows in VisualFlow (on page 71).

Configuring Queue Rights for Groups

Configuring Queue Built-in Rights for Groups

  To configure queue rights for a user group

1 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

2 Click Queues.


The Admin queues page appears.

3 Click  Firewalls.

The Editing Configuration for queue Firewalls page appears.

4 In the main menu, click Group Rights.


The Modify group rights for queue Firewalls page appears.

5 Locate the desired user group.

6 To assign rights, do the following:

a)  In the New rights list box next to the desired user group, select the rights you want to assign this group.

For information on some of the most commonly used queue built-in rights, see Queue Built-in Rights (page 186).

To select multiple rights, press Ctrl while you click on the desired rights.

Note: It is recommended to select rights similar to those of the pre-defined Security and/or Network groups.

Note: The list box includes rights for change request-related actions that can be performed via the FireFlow interface. If a change request-related right is selected, the relevant option will appear as an action button or in the Other drop-down list. For example, if you select the TakeTicket right for the Network group, then members of the Network group will see the Take option in the Other drop-down list. In contrast, if a change request-related right is not selected, the relevant action will not appear in the Other drop-down list.

 b)  Click Modify Group Rights.

The selected rights appear in the Current rights area.

7 To revoke rights, do the following:

a)  In the Current rights area, select the check boxes next to the rights you want to revoke.

b)  Click Modify Group Rights.

The selected rights are removed from the Current rights area.


Queue Built-in Rights

Right                        Description

AllowActiveChange            Allows users in the group to implement changes on Check Point devices for which ActiveChange is enabled, for change requests in the queue.

AllowAffectedRules           Allows users in the group to find affected rules of change object requests in the queue.

AllowApprove                 Allows users in the group to approve change requests in the queue.

AllowChangeValidation        Allows users in the group to perform change validation for change requests in the queue.

AllowDeleteTicket            Allows users in the group to delete change requests in the queue.

AllowImplementationDone      Allows users in the group to declare implementation as complete for change requests in the queue.

AllowImplementationPlan      Allows users in the group to create a work order for change requests in the queue.

AllowInitialPlan             Allows users in the group to perform initial planning for change requests in the queue.

AllowManualCheck             Allows users in the group to perform a manual check for change requests in the queue. Used by the built-in Generic workflow.

AllowNotifyRequestor         Allows users in the group to notify the requestor that change request validation is required for change requests in the queue.

AllowObjectChangeValidation  Allows users in the group to perform change validation for object change requests in the queue.

AllowReImplement             Allows users in the group to re-implement change requests in the queue.

AllowRePlan                  Allows users in the group to re-plan change requests in the queue.

AllowReject                  Allows users in the group to reject change requests in the queue.

AllowRequestorResponse       Allows users in the group to respond to change requests in the queue, specifying that the change works or does not work. This right is typically granted to the requestor role instead of to a system or user-defined group.

AllowResolve                 Allows users in the group to resolve change requests in the queue.

AllowReview                  Allows users in the group to review change requests in the queue. Used by the built-in Multi-Approval workflow.

AllowRiskCheck               Allows users in the group to perform risk checks for change requests in the queue.

Configuring Queue Rights for Users

Configuring Queue Built-in Rights for Users

 

  To configure queue rights for a user group

1 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

2 Click Queues.

The Admin queues page appears.


3 Click  Firewalls.

The Editing Configuration for queue Firewalls page appears.

4 In the main menu, click User Rights.

The Modify user rights for queue Firewalls page appears.

5 Locate the desired user.

6 To assign rights, do the following:

a)  In the New rights list box next to the desired user, select the rights you want to assign this user.

For information on some of the most commonly used queue built-in rights, see Queue Built-in Rights (page 186).

To select multiple rights, press Ctrl while you click on the desired rights.

Note: The list box includes rights for change request-related actions that can be performed via the FireFlow interface. If a change request-related right is selected, the relevant option will appear as an action button or in the Other drop-down list. For example, if you select the TakeTicket right for a user, then that user will see the Take option in the Other drop-down list. In contrast, if a change request-related right is not selected, the relevant action will not appear in the Other drop-down list.

b)  Click Modify User Rights.

The selected rights appear in the Current rights area.

7 To revoke rights, do the following:

a)  In the Current rights area, select the check boxes next to the rights you want to revoke.

b)  Click Modify User Rights.

The selected rights are removed from the Current rights area.

CHAPTER 15

Working with SLA Notifications

This section explains how to configure SLA notifications.

In This Chapter

Overview (page 189)
Adding SLA Notifications (page 189)
Editing SLA Notifications (page 194)
Managing Email Subscriptions to SLA Notifications (page 196)
Deleting SLA Notifications (page 197)

Overview

FireFlow enables you to create custom pages displaying a specific set of SLO data. These pages are called SLA notifications, and they can be made available to yourself only, certain user groups, or system-wide.

In addition, users can be subscribed to SLA notifications, so that they periodically receive the SLA notifications' content via email.

Adding SLA Notifications

  To add an SLA notification

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click SLA Notifications.

The SLA Notifications page appears.

4 In the main menu, click Create.


The Create a new SLA notification page appears.

5 In the Name field, type a name for the SLA notification.

6 Click Save.

7 In the main menu, under the SLA notification's name, click Content.

The Modify the content of SLA notification page appears.


8 For each element you want to add to the SLA notification, do the following:

a)  In the Available list box, select the element you want to add.

For information on each element, see SLA Notification Elements (page 192).

b)  Click .

The selected element moves to the right list box. The order that the elements appear in the box represents the order in which they will appear in the SLA notification.

c)  To move the element up or down in the box, select the element and click the or buttons.

d)  To delete the element, select it and click Delete.

Your changes are saved.

SLA Notification Elements

Select this element...  To add this to the SLA notification...

"N" Soon to be due change requests
Pre-defined search results consisting of a list of open change requests in the system that have a due date that has passed, that is the current date, or that is the day after the current date.

"N" New Recertification Requests
Pre-defined search results consisting of a list of recertification requests in the system that are new and still in the Request stage.

"N" New Change Requests
Pre-defined search results consisting of a list of change requests in the system that are new and still in the Request stage, and whose traffic has already been checked against devices.

"N" Open Change Requests
Pre-defined search results consisting of a list of change requests in the system that are currently open.

"N" Parent Recertification Requests Pending Sub Requests Implementation
Pre-defined search results consisting of a list of parent recertification requests in the system that are currently in the Implement stage and awaiting implementation of the relevant sub-requests.

"N" Parent Requests Pending Sub Request Implementation
Pre-defined search results consisting of a list of parent requests in the system that are currently in the Implement stage and awaiting implementation of the relevant sub-requests.

"N" Recertification Requests to Create Work Order
Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Implement stage and awaiting a work order to be created.

"N" Recertification Requests to Implement
Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Implement stage and awaiting implementation.

"N" Recertification Requests to Plan
Pre-defined search results consisting of all recertification requests in the system that are currently in the Plan stage.

"N" Recertification Requests to Send Recertify Notification to Traffic Requestors
Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Approve stage, and for which a recertification notification will be sent to the traffic requestors.

"N" Recertification Requests to Validate
Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Validate stage.

"N" Recertification Requests Waiting for Recertify Response from Traffic Requestors
Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Approve stage and awaiting confirmation from the traffic requestors that the requested recertification is approved.

"N" Rejected Change Requests
Pre-defined search results consisting of a list of change requests in the system that were rejected.

"N" Resolved Change Requests
Pre-defined search results consisting of a list of change requests in the system that have been resolved.

"N" Change Requests owned by Controllers group
Pre-defined search results consisting of a list of change requests in the system that are owned by the Controllers group.

"N" Change Requests owned by Network group
Pre-defined search results consisting of a list of change requests in the system that are owned by the Network group.

"N" Change Requests owned by Security group
Pre-defined search results consisting of a list of change requests in the system that are owned by the Security group.

"N" Change Requests Relevant to My Groups
Pre-defined search results consisting of a list of change requests in the system that are relevant to the user groups to which you belong.

"N" Change Requests that are due to be recertified
Pre-defined search results consisting of a list of traffic change requests in the system that expired, and which should be recertified.

"N" Change Requests Flagged by Requestor as "Change Does Not Work"
Pre-defined search results consisting of a list of change requests in the system that have been flagged by the requestor as "Change Does Not Work".

"N" Change Requests that Received Requestor's Response
Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage and received the requestor's confirmation that the requested change was implemented successfully.

"N" Change Requests to Approve
Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage.

"N" Change Requests to Create Work Order
Pre-defined search results consisting of a list of change requests in the system that are currently in the Implement stage and awaiting a work order to be created.

"N" Change Requests to Expire in the Next 30 days
Pre-defined search results consisting of a list of change requests in the system that will expire within the next 30 days.

"N" Change Requests to Implement
Pre-defined search results consisting of a list of change requests in the system that are currently in the Implement stage and awaiting implementation.

"N" Change Requests to Plan
Pre-defined search results consisting of all change requests in the system that are currently in the Plan stage.

"N" Change Requests to Review
Pre-defined search results consisting of a list of change requests in the system that are currently in the Review stage and awaiting a controller's review.

"N" Change Requests to Send Removal Notification to Rule Requestors
Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage, and for which a rule removal notification will be sent to the rule's traffic requestors.

"N" Change Requests to Validate
Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage.

"N" Change Requests Waiting for Removal Response from Rule Requestors
Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage and awaiting confirmation from the rule’s traffic requestors that the requested rule removal is approved.


"N" Change Requests Waitingfor Requestor's Response

Pre-defined search results consisting of a list of change requests in the system thatare currently in the Validate stage and awaiting the requestor's confirmation that therequested change was implemented successfully.

"N" Total New ChangeRequests

Pre-defined search results consisting of a list of all change requests in the system thatare new and still in the Request stage, including change requests whose traffic has

not yet been checked against devices.

Bookmarked Change Requests A list of change requests that the user bookmarked.

My Change Requests Pre-defined search results consisting of a list of change requests in the system thatare owned by you.

RefreshHomepage Controls for refreshing the page.

Unowned Change Requests Pre-defined search results consisting of a list of change requests in the system thatcurrently have no owner.

Saved Search Name  A custom search that was saved under "FireFlow's saved searches", and which isavailable to your user role.

For information on saving searches, see Saving Searches.

Chart Name  A chart that was saved under "FireFlow's saved searches", and which is available toyour user role.

For information on saving charts, see Saving Charts.

Search for chart Chart Name  A custom search on which a certain chart is based.

Editing SLA Notifications

  To edit an SLA notification

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click SLA Notifications.

The SLA Notifications page appears.

4 Click on the name of the desired notification.

The SLA notification appears.

5 To modify the SLA notification's name, do the following:

a) In the main menu, under the SLA notification's name, click Basics.


The Modify the SLA notification page appears.

b) In the Name field, type a name for the SLA notification.

c) Click Save.

6 To modify the SLA notification's content, do the following:

a) In the main menu, under the SLA notification's name, click Content.

The Modify the content of SLA notification page appears.

b) For each element you want to add to the SLA notification, do the following:

1. In the Available list box, select the element you want to add.

For information on each element, see SLA Notification Elements (page 192).

2. Click .

The selected element moves to the right list box. The order that the elements appear in the box represents the order in which they will appear in the SLA notification.

3. To move the element up or down in the box, select the element and click the or buttons.

4. To delete the element, select it and click Delete.

Your changes are saved.


Managing Email Subscriptions to SLA Notifications

By default, when you create an SLA notification, you are automatically subscribed to it, and emails containing the SLA notification's content will be sent to the email address associated with your account. If desired, you can configure FireFlow to send these emails to other recipients, and/or change the frequency and time at which these emails are sent.

  To manage a subscription to an SLA notification

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click SLA Notifications.

The SLA Notifications page appears.

4 Click on the name of the desired notification.

The SLA notification appears.

5 In the main menu, under the SLA notification's name, click Email Subscription.

The Subscribe to SLA notification page appears.

6 Complete the fields using the information in the following table.

7 Click Subscribe.


Email Subscription Fields

In this field... Do this...

Frequency

Specify how often emails containing SLA notification content should be sent. This can have the following values:

  hourly. Emails will be sent once an hour.

  daily. Emails will be sent once a day.

  weekly. Emails will be sent once every specified number of weeks on the specified day.

  monthly. Emails will be sent once a month on the specified day of the month.

  never. Emails will not be sent.

Hour

Select the hour, in the displayed timezone, at which emails containing SLA notification content should be sent.

Note: The timezone can be configured in your user settings. Refer to the AlgoSec FireFlow User Guide, Configuring User Settings.

Rows

Select the number of change requests in each saved search that should appear in emails containing dashboard content.

Recipient

Type a list of email addresses to which emails containing SLA notification contents should be sent. The email addresses must be separated by commas.

If this field is left empty, emails will be sent only to the email address associated with your FireFlow user account. However, if this field is filled in, emails will not be sent to the email address associated with your FireFlow user account, unless you include your email address in the list.

Deleting SLA Notifications

 

  To delete an SLA notification

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click SLA Notifications.

The SLA Notifications page appears.

4 Click on the name of the desired notification.

The SLA notification appears.

5 In the main menu, under the SLA notification's name, click Basics.

The Modify the SLA notification page appears.

6 Click Delete.

A confirmation message appears.

7 Click OK.

The SLA notification is deleted.


CHAPTER 16

Overriding FireFlow System Defaults

This section explains how to override the FireFlow system defaults.

In This Chapter

Overriding System Default Settings
Overriding Specific System Default Settings
Reverting to System Defaults

Overriding System Default Settings

You can override default system settings, including timeout settings, log file settings, the default columns displayed in search results, and more.

Note: The following is a general procedure that can be used to override the default settings of your choice. For information on specific settings you can override, see Overriding Specific System Default Settings (on page 200).

  To override system default settings

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/, locate the file FireFlow_Config.pm.

Note: This is the original system settings file, and it is required for reverting to system default settings. Do not modify this file.

3 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original file into an override file called FireFlow_SiteConfig.pm.

4 Open the override file.

5 For each setting you want to override, do the following:

a) Locate the relevant parameter in FireFlow_Config.pm.

The file includes detailed information about each parameter. For further information, contact AlgoSec.

b) Copy the relevant code for the parameter.

c) Paste the code into FireFlow_SiteConfig.pm.

d) Make the desired modifications to the code.

6 Close the file FireFlow_Config.pm.

Note: Do not save changes to this file.

7 Save the file FireFlow_SiteConfig.pm.

8 Restart FireFlow.

See Restarting FireFlow (on page 11).
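Because the override file starts as a full copy of FireFlow_Config.pm, the items that were actually changed are hard to spot by eye. The following added example (not AlgoSec code) lists the items in FireFlow_SiteConfig.pm that differ from the defaults and flags values outside the sets documented in this chapter. The single-line Set() parsing, the function names and the two embedded sample files are assumptions constructed for illustration.

```python
import re

# Single-line items only, e.g.  Set($ChangesMaxRows, '50');  (simplifying assumption)
SET_RE = re.compile(r"^\s*Set\s*\(\s*\$(\w+)\s*,\s*(.*?)\s*\)\s*;\s*(?:#.*)?$")


def parse_value(raw):
    """Turn a Perl literal into a Python str, or a list of str for an array."""
    raw = raw.strip()
    if raw.startswith("["):  # array, e.g. ["Priority", "Cc"]
        return re.findall(r"""["']([^"']*)["']""", raw)
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]  # quoted scalar: '5', "all", ''
    return raw  # bare scalar: 0, 1


def parse_config(text):
    """Return {item name: value}; in this parser a later Set() of an item wins."""
    items = {}
    for line in text.splitlines():
        match = SET_RE.match(line)
        if match:
            items[match.group(1)] = parse_value(match.group(2))
    return items


def is_flag(value):
    return value in ("0", "1")


def is_limit(value):
    """A row or day limit: digits, or '' for unlimited."""
    return isinstance(value, str) and (value == "" or value.isdigit())


def one_of(*allowed):
    return lambda value: isinstance(value, str) and value in allowed


def subset_of(*allowed):
    return lambda value: isinstance(value, list) and set(value) <= set(allowed)


# Allowed values as documented in this chapter.
RULES = {
    "DefaultSummaryRows": is_limit,
    "ChangesMaxRows": is_limit,
    "ReconciliationLastDays": is_limit,
    "RiskCheckOnParentTicket": one_of("one", "profile", "all"),
    "HideFieldsFromTicket": subset_of("Priority", "Due", "Describe the issue", "Cc"),
}
for _flag in (
    "OldestTransactionsFirst", "EnableMultipleTraffic", "ModifySubTicketChangeTraffic",
    "AllTrafficFieldsMandatory", "ValidateTrafficFields", "ForceCreateWorkOrderForNA",
    "ShowHostgroupsInWorkOrder", "CallInitialPlanAsync", "UseMonitorDataForFirewallQuery",
    "AutomaticCheckAlreadyWorks", "DateDayBeforeMonth",
):
    RULES[_flag] = is_flag


def audit(default_text, site_text):
    """Compare the override file with the defaults and validate documented items."""
    defaults, site = parse_config(default_text), parse_config(site_text)
    changed = {k: (defaults.get(k), v) for k, v in site.items() if defaults.get(k) != v}
    invalid = {k: v for k, v in site.items() if k in RULES and not RULES[k](v)}
    return {"changed": changed, "invalid": invalid}


# Constructed stand-ins for FireFlow_Config.pm and FireFlow_SiteConfig.pm.
DEFAULT_SAMPLE = r"""
Set($DefaultSummaryRows, '10');
Set($ChangesMaxRows, '100');
Set($ValidateTrafficFields, '1');
Set($RiskCheckOnParentTicket, "profile");
Set($HideFieldsFromTicket, []);
"""
SITE_SAMPLE = r"""
# copy of the defaults with four edits
Set($DefaultSummaryRows, '5');
Set($ChangesMaxRows, '100');
Set($ValidateTrafficFields, '0');           # validation switched off
Set($RiskCheckOnParentTicket, "profiles");  # not a documented value
Set($HideFieldsFromTicket, ["Priority", "Owner"]);  # "Owner" is not supported
"""

if __name__ == "__main__":
    report = audit(DEFAULT_SAMPLE, SITE_SAMPLE)
    for name, (old, new) in sorted(report["changed"].items()):
        print(f"changed  {name}: {old!r} -> {new!r}")
    for name, value in sorted(report["invalid"].items()):
        print(f"INVALID  {name}: {value!r} is outside the documented values")
```

To run it against a real installation, pass the contents of the two files to audit() instead of the samples; items not listed in RULES are still reported under "changed" but are not validated.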


Overriding Specific System Default Settings

Configuring the Maximum Rows Displayed in Home Page Lists

By default, FireFlow shows a maximum of 10 rows in each change request list in the Home page. You can modify this system default using the following procedure.

Note: This system default can also be overridden by individual users via the page Preferences > FireFlow Home Page.

  To configure the maximum rows displayed in Home page lists

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item DefaultSummaryRows, and set its value to the desired number of rows in each change request list in the Home page.

To specify an unlimited number of rows, set it to an empty string ''.

For example, to set the maximum number of rows to 5, add the following item:

Set($DefaultSummaryRows, '5');

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Change Request History Order

By default, FireFlow displays the change request history with the newest item appearing at the top, and change request creation appearing at the bottom. You can reverse the order using the following procedure.

Note: This system default can also be overridden by individual users via the page Preferences > Settings.

  To configure the change request history order

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item OldestTransactionsFirst, and set its value to one of the following:

1 - Display change request histories with the newest items appearing at the bottom.

0 - Display change request histories with the newest items appearing at the top. This is the default.

For example, to display change request histories with the newest items appearing at the bottom, add the following item:

Set($OldestTransactionsFirst, '1');

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).


Configuring the Maximum Rows Displayed in Auto Matching Page Sub-Lists

By default, FireFlow shows a maximum of 100 rows in each sub-list in the Auto Matching page. You can modify this system default using the following procedure.

Note: This system default can also be overridden by individual users via the page Preferences > Auto Matching.

  To configure the maximum rows displayed in Auto Matching page sub-lists

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ChangesMaxRows, and set its value to the desired number of rows in each sub-list in the Auto Matching page.

To specify an unlimited number of rows, set it to an empty string ''.

For example, to set the maximum number of rows to 50, add the following item:

Set($ChangesMaxRows, '50');

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Time Frame for Items Displayed in Auto Matching Page Lists

By default, FireFlow shows matches made in the last 30 days in each sub-list in the Auto Matching page. You can modify this system default using the following procedure.

Note: This system default can also be overridden by individual users via the page Preferences > Auto Matching.

  To configure the time frame for items displayed in Auto Matching page sub-lists

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ReconciliationLastDays, and set its value to the desired number of days for which to display matches in each sub-list in the Auto Matching page.

To specify an unlimited number of days, set it to an empty string ''.

For example, to set the number of days to 365, add the following item:

Set($ReconciliationLastDays, '365');

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).


Enabling/Disabling Multiple Traffic Rows in Change Requests

By default, FireFlow allows users to add more traffic rows to a change request, by clicking Add More Traffic. If desired, you can disable this option and remove the Add More Traffic button.

  To enable/disable multiple traffic rows in change requests

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item EnableMultipleTraffic.

4 Do one of the following:

  To disable multiple traffic rows, set the configuration item's value to 0.

  To enable multiple traffic rows, set the configuration item's value to 1.

For example, the following disables multiple traffic rows:

Set($EnableMultipleTraffic, '0');

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Hiding Change Request Fields

If desired, you can hide the following change request fields:

  Priority

  Due

  Describe the issue

  Cc

Hidden fields will not be displayed in the FireFlow Web interface.

Note: Hidden fields are not removed from change requests; they are just not displayed. A hidden field can still be assigned a value via the request template, and workflow conditions that rely upon a hidden field will still work.

  To hide change request fields

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item HideFieldsFromTicket.

4 Set the configuration item's value to an array of fields to hide.

Supported fields are: Priority, Due, Describe the issue, and Cc.

Fields must be enclosed in quotation marks and separated by commas.

For example, the following hides the Priority, Describe the issue, and Cc fields:

Set($HideFieldsFromTicket, ["Priority", "Describe the issue", "Cc"]);

The default value is an empty list, meaning that none of the fields are hidden.


5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Enabling/Disabling Sub-Request Traffic Modification

By default, FireFlow does not allow users to modify traffic specified in sub-requests. If desired, you can enable sub-request traffic modification.

  To enable/disable sub-request traffic modification

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ModifySubTicketChangeTraffic.

4 Do one of the following:

  To enable sub-request traffic modification, set the configuration item's value to 1.

  To disable sub-request traffic modification, set the configuration item's value to 0.

For example, the following enables modification:

Set($ModifySubTicketChangeTraffic, '1');

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring Whether Traffic Fields Are Mandatory

By default, all traffic fields in a change request (source, destination, service, and action fields) are mandatory, and FireFlow automatically validates these fields to ensure they are filled in. If desired, you can specify that traffic fields are optional.

Note: You can also disable automatic traffic field validation. See Enabling/Disabling Traffic Field Validation (on page 204).

  To configure whether traffic fields are mandatory

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item AllTrafficFieldsMandatory.

4 Do one of the following:

  To specify that traffic fields are optional, set the configuration item's value to 0.

  To specify that traffic fields are mandatory, set the configuration item's value to 1.

For example, the following specifies that traffic fields are optional:

Set($AllTrafficFieldsMandatory, '0');

5 Save the file.

6 Restart FireFlow.


See Restarting FireFlow (on page 11).

Enabling/Disabling Traffic Field Validation

By default, FireFlow automatically validates traffic fields in change requests, to determine whether all mandatory fields are filled in with appropriate values. If desired, you can disable validation of traffic fields.

  To enable/disable traffic field validation

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ValidateTrafficFields.

4 Do one of the following:

  To disable traffic field validation, set the configuration item's value to 0.

  To enable traffic field validation, set the configuration item's value to 1.

For example, the following disables traffic field validation:

Set($ValidateTrafficFields, '0');

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring Work Order Creation for "No Action Required" Change Requests

In the Implement stage of a traffic change request lifecycle, FireFlow creates a work order consisting of a list of recommendations for implementing the requested change. If FireFlow detects that traffic is not routed through the device, then the work order states that no action is required.

In some cases involving Layer-2 devices, routing information may be missing, causing FireFlow to erroneously state that no action is required. You may therefore prefer to force FireFlow to create work orders suggesting a rule to add to the device policy, even when it has determined that no action is required.

Note: Such work orders will include a disclaimer stating the following: "Routing information might be missing. Recommendation could be incomplete.".

  To configure work order creation for "No Action Required" change requests

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ForceCreateWorkOrderForNA.

4 Do one of the following:

  To specify that work orders should state "No Action Required" when FireFlow detects that traffic is not routed through the device, set the configuration item's value to 0.

This is the default value.

  To force FireFlow to create work orders suggesting a rule to add to the device policy, even when FireFlow has determined that no action is required, set the configuration item's value to 1.


For example, the following forces FireFlow to create work orders suggesting a rule to add to the device policy, even if FireFlow determines that no action is required:

Set($ForceCreateWorkOrderForNA, 1);

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Enabling/Disabling Translation of Object IP Addresses and Ports in Work Orders

In order to prepare a work order, FireFlow translates object IP addresses and ports into host names which are then displayed in a list of recommendations for implementing the requested change. As translating the IP address and ports may take several minutes in an environment containing many devices, you may prefer to disable translation, so that object IP addresses and ports are displayed instead of host names.

  To enable/disable translation of object IP addresses and ports in work orders

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ShowHostgroupsInWorkOrder.

4 Do one of the following:

  To enable translation on object IP addresses and ports to host names in work orders, set the configuration item's value to 1.

This is the default value.

  To disable translation on object IP addresses and ports to host names in work orders, set the configuration item's value to 0.

For example, the following disables translation on object IP addresses and ports to host names in work orders:

Set($ShowHostgroupsInWorkOrder, 0);

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring Automatic Initial Planning

By default, immediately upon creation of a change request, FireFlow performs automatic initial planning, in order to check the traffic specified in the change request against devices. If the traffic already works, then FireFlow automatically closes the change request and sends the requestor an email indicating that the change request was closed. Automatic initial planning is based on the most recent device configuration available on the AlgoSec server (made available via the real-time monitoring mechanism).

If desired, you can change this behavior in the following ways:

  Instruct FireFlow to check traffic at the end of the Plan stage, instead of at the end of the Request stage

  Instruct FireFlow to refer to periodic AlgoSec Firewall Analyzer device reports when checking traffic against devices, instead of referring to real-time monitoring data


  Disable automatic closing of change requests whose traffic already works

  To configure automatic initial planning

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 To configure when traffic checking is performed, do the following:

a) Add the configuration item CallInitialPlanAsync.

b) Do one of the following:

  To specify that FireFlow should perform traffic checking at the end of the Request stage, set the configuration item's value to 1.

  To specify that FireFlow should perform traffic checking at the end of the Plan stage, set the configuration item's value to 0.

For example, the following instructs FireFlow to perform traffic checking at the end of the Request stage:

Set($CallInitialPlanAsync, '1');

Note: New change requests appear in the Home page's New Change Requests list once traffic checking is complete or when ten minutes have elapsed since the change request's creation, whichever occurs first. Therefore, when traffic checking occurs at the end of the Request stage, new change requests appear in the Home page as soon as traffic checking is done; however, when traffic checking occurs at the end of the Plan stage, ten minutes will pass before new change requests appear in the Home page.

In order to cause new change requests to appear in the Home page immediately, regardless of when traffic checking occurs, customize the Network Operations group's Home page as follows: Remove the "N" New Change Requests element, and add the "N" Total New Change Requests element. New change requests will appear in the Home page's Total New Change Requests list immediately upon change request creation.

For information on customizing a group's Home page, see Customizing the Home Page per Group (on page 18).

4 To specify which data FireFlow should refer to when checking traffic against devices, do the following:

a) Add the configuration item UseMonitorDataForFirewallQuery.

b) Do one of the following:

  To specify that FireFlow should refer to real-time monitoring data, set the configuration item's value to 1.

  To specify that FireFlow should refer to AlgoSec Firewall Analyzer reports, set the configuration item's value to 0.

For example, the following instructs FireFlow to refer to AlgoSec Firewall Analyzer monitoring data:

Set($UseMonitorDataForFirewallQuery, '1');

5 To enable/disable automatic closing of change requests that already work, do the following:

a) Add the configuration item AutomaticCheckAlreadyWorks.

b) Do one of the following:

  To enable automatic closing of change requests that already work, set the configuration item's value to 1.


  To disable automatic closing of change requests that already work, set the configuration item's value to 0.

For example, the following enables automatic closing of change requests that already work:

Set($AutomaticCheckAlreadyWorks, '1');

6 Save the file.

7 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Risk Check Method for Change Requests with Multiple Devices

In the Approve stage of a traffic change request's lifecycle, FireFlow performs a risk check, to determine whether implementing the change specified in the change request would introduce risks. The risk check is run on the device specified in the change request, using the Risk Profile that the device was assigned when generating the last successful report in AlgoSec Firewall Analyzer.

When performing a risk check for a parent request with sub-requests, there are multiple devices and potentially multiple Risk Profiles involved. You can configure FireFlow to use any of the following risk check methods:

  One

FireFlow runs the risk check on one random device out of all the sub-request devices.

For example, let us assume that there are three sub-requests, as follows:

Sub-request   Device          Risk Profile
500           Check Point A   r1
501           Check Point B   r2
502           Cisco C         r1

FireFlow will select a device at random (such as Cisco C) and run the risk check on it (using Risk Profile r1).

Only risk check results for the selected device will be displayed.

  Profile

FireFlow runs the risk check on one random device per Risk Profile used by the sub-request devices.


In our example, there are two Risk Profiles, r1 and r2. FireFlow will select a device at random (either Check Point A or Cisco C) to run the risk check on using Risk Profile r1, and it will also run a risk check on Check Point B using Risk Profile r2.

Risk check results will be displayed per risk profile.

  All

FireFlow runs the risk check on each of the sub-request devices.

In our example, FireFlow will run a risk check on Check Point A, Check Point B, and Cisco C, using their respective Risk Profiles.

Note that the risk check may take a while, and the results for each device may be similar.


Risk check results will be displayed for each device.

 

  To set the default risk check method for change requests with multiple devices

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item RiskCheckOnParentTicket.

4 Do one of the following:

To use the One method, set the configuration item's value to "one".

To use the Profile method, set the configuration item's value to "profile".

This is the default value.

To use the All method, set the configuration item's value to "all".

For example, the following specifies that FireFlow should use the All method:

Set($RiskCheckOnParentTicket, "all");

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Date Format

When filling in a change request's due date or expiration date, and when searching for change requests according to these date fields, users can specify the desired date in a variety of formats (for example, "20 Oct 09", "Oct 20 2009", "2009-10-20", and more). By default, FireFlow interprets inputted dates in the format ##/##/## as "dd/mm/yy" (for example, 10/11/09 is interpreted as the 10th of November, 2009). This system default can be changed to "mm/dd/yy" (for example, 10/11/09 is interpreted as the 11th of October, 2009).

To configure the date format

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item DateDayBeforeMonth, and set its value to one of the following:

1 - Interpret inputted dates in the format ##/##/## as "dd/mm/yy". This is the default.

0 - Interpret inputted dates in the format ##/##/## as "mm/dd/yy".

For example, to accept free-text date input as “mm/dd/yy” format, add the following item:

Set($DateDayBeforeMonth, 0);

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring Whether the Standard Template Appears in the Request Templates Page

By default, FireFlow displays the Standard template as an option in the Request Templates page. If desired, you can specify that the Standard template should not appear in this page.

Note: By default, FireFlow includes a single queue called “Firewalls”. When there are multiple queues, and a user is allowed to create change requests in more than one queue, the Standard template does not appear. (This is because a change request's template must specify the queue in which the change request is created, and the Standard template does not include pre-filled fields.)

To configure whether the Standard template should appear

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ShowStandardTemplate.

4 Do one of the following:

To specify that the Standard template should not appear in the Request Templates page, set the configuration item's value to 0.

To specify that the Standard template should appear in the Request Templates page, set the configuration item's value to 1.

For example, the following specifies that the Standard template should not appear:

Set($ShowStandardTemplate, '0');

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Enabling/Disabling Automatic Creation of Requestors upon Authentication

If RADIUS and/or LDAP authentication is configured, and a requestor who does not exist in FireFlow attempts to log in to FireFlow, FireFlow will check the inputted user credentials against the RADIUS or LDAP server. If the username and password pair exists in either database, then by default the requestor will be automatically added to the FireFlow local user database and logged in.

Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow and assigned an AFA user role. In this case, the user will remain a requestor and not a privileged user, regardless of the AFA user role assigned. For information on importing user data from an LDAP server, see Importing User Data from an LDAP Server (on page 233).

If desired, you can disable the automatic creation of requestors in FireFlow. Authenticated requestors will be logged in, without being added to the local user database.

To enable/disable the automatic creation of requestors upon authentication

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item AutoCreateRequestors.

4 Do one of the following:

To disable automatic creation of requestors, set the configuration item's value to 0.

To enable automatic creation of requestors, set the configuration item's value to 1.

This is the default value.

For example, the following disables automatic creation of requestors:

Set($AutoCreateRequestors, 0);

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the No-Login Web Form's Requestor Field as Read-Only

FireFlow includes a No-Login Web form that allows users to submit requests without logging in to the system. By default, the No-Login Web form contains an editable Requestor field, in which the requestor fills in their email address. The requestor will then be notified by email of all changes made to the change request.

You can change this system default to make the Requestor field read-only. In this situation, the requestor accesses the No-Login Web form by clicking a link in another application at your organization which automatically appends the requestor's email address to the URL. For example, the URL of the No-Login Web form is https://<fireflow_server>/FireFlow/NewTicket; however, when the requestor's email address is appended the URL becomes https://<fireflow_server>/FireFlow/NewTicket?Requestors=some.requestor@some.organization.com.

To configure the No-Login Web form's Requestor field as read-only

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item EditableRequestorInNoAuthTickets, and set its value to one of the following:

1 - The Requestor field is read-write. This is the default.

0 - The Requestor field is read-only.

For example, to make the Requestor field read-only, add the following item:

Set($EditableRequestorInNoAuthTickets, 0);

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring Automatic Approval of Minor Rule Changes

By default, FireFlow displays any device policy rule changes in the Auto Matching page and attempts to match them to resolved change requests. This includes minor policy rule changes, such as enabling rule logging or updating a rule name. You can modify this system default so that FireFlow automatically approves minor policy rule changes. These minor changes will then appear in the Auto Matching page in the Changes Without Request - Approved sub-list, without referring to a specific change request.

To configure automatic approval of minor rule changes

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item IgnoreRuleFieldsInReconciliation, and set its value to a space-separated list of device policy rule fields, for which any changes should be automatically approved.

To specify that no changes should be automatically approved, set it to an empty list ().

The supported policy rule fields are: FirewallName, FirewallRuleNum, Name, Comment, Source, Destination, Service, SourceExpanded, DestinationExpanded, ServiceExpanded, Action, Enable, Track, Time, Install, Vpn, FromZone, ToZone, ACL, Interface, SourceNat, and DestinationNat.

Note: SourceExpanded, DestinationExpanded, and ServiceExpanded are the IP addresses (and protocol/ports) represented by the rule’s object names. Therefore, for example, when adding Source to IgnoreRuleFieldsInReconciliation, changes in a rule’s source object names will be approved automatically, while changes to the actual source IP addresses will not.

For example, to configure FireFlow to automatically approve changes to rules that involve logging and/or comments only, add the following item:

Set(@IgnoreRuleFieldsInReconciliation, qw(Track Comment));

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).
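The Source versus SourceExpanded distinction in the note above can be checked against a small model before changing the ignore list. The following is an added example, not code from the guide or from FireFlow: it assumes a change is automatically approved only when every changed rule field is in the ignore list, and the rule snapshots and function names are constructed for illustration.

```python
"""Illustrative model of the auto-approval decision (assumption, not FireFlow code)."""

# Rule fields the guide lists as supported in IgnoreRuleFieldsInReconciliation.
SUPPORTED_FIELDS = {
    "FirewallName", "FirewallRuleNum", "Name", "Comment", "Source",
    "Destination", "Service", "SourceExpanded", "DestinationExpanded",
    "ServiceExpanded", "Action", "Enable", "Track", "Time", "Install",
    "Vpn", "FromZone", "ToZone", "ACL", "Interface", "SourceNat",
    "DestinationNat",
}

# Constructed sample rule snapshot (not taken from a real device).
BASE_RULE = {
    "Name": "web-in",
    "Source": "WebServers",
    "SourceExpanded": "10.1.1.10 10.1.1.11",
    "Track": "None",
    "Comment": "",
}


def parse_ignore_list(value):
    """Split the space-separated list (what qw(...) yields); reject unknown names."""
    fields = value.split()
    unknown = [f for f in fields if f not in SUPPORTED_FIELDS]
    if unknown:
        raise ValueError("unsupported rule field(s): " + ", ".join(unknown))
    return set(fields)


def changed_fields(before, after):
    """Return the names of rule fields whose values differ between two snapshots."""
    return {f for f in before.keys() | after.keys() if before.get(f) != after.get(f)}


def classify_change(before, after, ignore):
    """Assumed rule: 'auto-approved' only if every changed field is ignored."""
    changed = changed_fields(before, after)
    if not changed:
        return "unchanged", changed
    if changed <= ignore:
        return "auto-approved", changed
    return "needs-matching", changed


def demo():
    """Run the constructed cases and return their classification by name."""
    logged = dict(BASE_RULE, Track="Log")
    renamed = dict(BASE_RULE, Source="Web_Servers")  # same addresses, new object name
    retargeted = dict(BASE_RULE, Source="AllServers", SourceExpanded="10.1.0.0/16")
    return {
        "logging, ignore Track Comment":
            classify_change(BASE_RULE, logged, parse_ignore_list("Track Comment"))[0],
        "object renamed, ignore Source":
            classify_change(BASE_RULE, renamed, parse_ignore_list("Source"))[0],
        "addresses changed, ignore Source":
            classify_change(BASE_RULE, retargeted, parse_ignore_list("Source"))[0],
        "logging, empty ignore list":
            classify_change(BASE_RULE, logged, parse_ignore_list(""))[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print("%-36s %s" % (case, status))
```

Under this model, listing Source alone still sends a change to the underlying addresses for matching, because SourceExpanded also differs and is not ignored.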

Configuring the "From" Address in Dashboard Emails

Users who are subscribed to dashboards periodically receive the dashboard's content via email. By default, the email's "From" field displays the FireFlow server's email address. If desired, you can change the email address displayed in the "From" field of dashboard emails.

To change the "From" address in dashboard emails

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item DashboardAddress, and set its value to the email address that should be displayed in dashboard emails.

For example, to set the address to "admin@mycompany.com", add the following item:

Set($DashboardAddress, 'admin@mycompany.com');

Leave the configuration item's value empty to specify that the FireFlow server's email address should be used.

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Rule Removal Requests

When submitting a Rule Removal request, you must complete the Due Date field with the date by which requestors of related change requests must respond to a notification regarding the rule's impending deletion. This field's default value is 14 days from the change request's creation. If desired, you can change the default value.

To change the default due date for rule removal requests

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item DefaultRuleRemovalDue, and set its value to the number of days after change request creation that the change request should be due.

For example, to specify that the default due date for rule removal requests should be seven days after change request creation, add the following item:

Set($DefaultRuleRemovalDue, 7);

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring How Long the Device Objects List Is Stored in Cache

By default, FireFlow stores a list of device objects in cache for three minutes. This list is displayed in the Source and Destination wizards.

If desired, you can change the amount of time that the device objects list is stored in cache, by using the following procedure.

To configure the amount of time the device objects list is stored in cache

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item FirewallObjectRefreshTime, and set its value to the desired number of seconds that the device objects list should be stored in cache.

For example, to set the time in cache to two minutes (120 seconds), add the following item:

Set($FirewallObjectRefreshTime, '120');

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring Whether Emails to Related Change Requestors Include the Rule to be Removed

In the Approve stage of a rule removal request's lifecycle, FireFlow sends an email to the requestors of change requests with traffic intersecting that of the rule slated for removal, informing them that the rule will be removed by a certain date. By default, the email includes a table displaying the rule in question. If desired, you can specify that this table should not be included in the email.

To change the default due date for rule removal requests

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ShowRuleInfoWhenNotifyRuleToRemove.

4 Do one of the following:

To specify that emails to related change requestors should include a table with the rule to be removed, set the configuration item's value to 1.

This is the default value.

To specify that emails to related change requestors should not include a table with the rule to be removed, set the configuration item's value to 0.

For example, the following specifies that a table with the rule to be removed should not be included in emails to related change requestors:

Set($ShowRuleInfoWhenNotifyRuleToRemove, 0);

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Change Requests Marked for Future Recertification

When marking change requests for future recertification, the due date for the change request(s) is deferred to 365 days from the original due date, by default. If desired, you can change this default value.

To change the default due date for change requests marked for future recertification

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item DefaultExpirationPeriod, and set its value to the number of days after the original due date that the change request should be due.

For example, to specify that the default due date for such requests should be 90 days after the original due date, add the following item:

Set($DefaultExpirationPeriod, 90);

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Recertification Requests

When recertifying a change request that is due for recertification, the due date for the recertification request is 14 days from the present date, by default. If desired, you can change this default value.

To change the default due date for recertification requests

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item RecertificationDaysToWaitForResponses, and set its value to the number of days after change request creation that the change request should be due.

For example, to specify that the default due date for recertification requests should be seven days after change request creation, add the following item:

Set($RecertificationDaysToWaitForResponses, 7);

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets

By default, FireFlow automatically includes all user-defined custom traffic fields (that is, custom fields belonging to the following categories: additional for traffic, additional for source, additional for destination, and additional for service) in the XML of a change request (a flat ticket). If desired, you can disable inclusion of such fields in flat tickets.

To enable/disable inclusion of user-defined custom traffic fields in flat tickets

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item IncludeUserDefinedTrafficCustomFieldsInXML.

4 Do one of the following:

To disable inclusion of user-defined custom traffic fields in flat tickets, set the configuration item's value to 0.

To enable inclusion of user-defined custom traffic fields in flat tickets, set the configuration item's value to 1.

For example, the following disables inclusion of user-defined custom traffic fields in flat tickets:

Set($IncludeUserDefinedTrafficCustomFieldsInXML, '0');

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the List of User Properties

In order to display searches in the Requestors Web Interface, the GetRequestorSearches hook is used to retrieve a list of the requestor's user properties as a hash. By default, the following properties are included in the list:

City

Country

EmailAddress

HomePhone

Id

Organization

RealName

Custom user fields. These fields will appear without spaces as hash keys. For example, a custom field named "Custom Field" will appear as: "CustomField".

For example, the user properties hash translated to XML format may appear as follows:

<User>
  <City></City>
  <Country></Country>
  <EmailAddress>requestor1@mycompany.com</EmailAddress>
  <HomePhone></HomePhone>
  <Id>6894</Id>
  <Organization></Organization>
  <RealName>Rachel Requestor</RealName>
  <CustomField></CustomField>
</User>

If desired, you can modify the list of user properties.

  To configure the list of user properties

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the following lines to the file:

# Set list of user columns that User::getUserAsHash should return (Relevant for Hooks).
Set(@UserFieldsForHooksSearch, ('Id', 'RealName', 'HomePhone', 'Organization', 'EmailAddress', 'City', 'Country'));

4 To add items to the user properties list, add the desired user properties to @UserFieldsForHooksSearch, in single quotation marks, separated by commas.

You can add any of the properties listed in the following table.

For example, to include the user's nickname as a property, write:

Set(@UserFieldsForHooksSearch, ('Id', 'RealName', 'HomePhone', 'Organization', 'EmailAddress', 'City', 'Country', 'Nickname'));

Note: You must use only supported properties. Otherwise, a warning will be written to the log and the search will not be displayed.

5 To remove items from the user properties list, delete the relevant user properties from @UserFieldsForHooksSearch.

6 Save the file.

7 Restart FireFlow.

See Restarting FireFlow (on page 11).

Supported User Properties

Property        Description
Address1        The requestor's primary mailing address.
Address2        The requestor's secondary mailing address.
AuthSystem      The type of authentication to use for the requestor.
City            The requestor's city.
Comments        Comments about the requestor.
Country         The requestor's country.
Created         The date on which the requestor was added to FireFlow.
Creator         The user who added the requestor to FireFlow.
EmailAddress    The requestor's email address.
HomePhone       The requestor's home telephone number.
Id              The requestor's ID number.
Lang            The requestor's desired FireFlow interface language.
LastUpdated     The date on which the requestor's properties were last updated in FireFlow.
LastUpdatedBy   The user who last updated the requestor's properties in FireFlow.
MobilePhone     The requestor's mobile telephone number.
Name            The requestor's username.
Nickname        The requestor's nickname.
Organization    The requestor's organization.
PagerPhone      The requestor's pager number.
Password        The requestor's password.
RealName        The requestor's full name.
Signature       The requestor's signature.
State           The requestor's state.
TimeZone        The requestor's time zone.
WorkPhone       The requestor's work telephone number.
Zip             The requestor's zip code.

Replacing the Logo

You can replace the logo that appears in the top-left corner of every FireFlow page.

Note: Replacing the logo by setting the FireFlow_SiteConfig.pm override file's LogoImageFileName configuration item—the method that was used until version 2.5—is no longer supported, as of version 6.0. If you used this method in the past, you must replace the logo once again, using the following method.

To replace the logo

1 Create a logo file.

The file must be in GIF, JPG, or PNG format, and it must be 115 pixels in width and 50 pixels in height. It is important to use these exact dimensions, so that the logo image is not distorted.

2 Log into AlgoSec Firewall Analyzer (AFA).

For instructions, refer to the AlgoSec Firewall Analyzer User Guide.

3 In the toolbar, click Administration.

The Administration page appears with the Options tab displayed.

4 Click the Display tab.

The Display tab appears.

5 Select the Enable Custom Logo check box.

6 Click Browse and browse to the custom logo file.

7 Click Open.

8 Click OK.

The custom logo is uploaded.

A success message appears.

9 Click OK.

  To remove a custom logo

1 In the toolbar, click Administration.

The Administration page appears with the Options tab displayed.

2 Click the Web GUI tab.

The Web GUI tab appears.

3 Clear the Enable Custom Logo check box.

4 Click OK.

The custom logo is removed, and the AlgoSec logo reappears in the Web interface.

Configuring FireFlow's Default Interface Language

FireFlow's default interface language is English. If desired, you can change the default language.

To configure FireFlow's default interface language

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item DefaultLang, and set its value to the code for the desired language.

See the following table for language codes.

For example, to configure French as the default language, add the following item:

Set($DefaultLang, 'fr');

4 Save the file.

5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Language Codes

Language                 Code
Chinese (PRC)            zh_CN
Chinese (Taiwan)         zh_TW
Croatian                 hr
Czech                    cs
Danish                   da
Dutch                    nl
English                  en
Finnish                  fi
French                   fr
German                   de
Hebrew                   he
Hungarian                hu
Indonesian               id
Italian                  it
Japanese                 ja
Norwegian Bokmal         nb
Polish                   pl
Portuguese               pt
Portuguese (Brazilian)   pt_BR
Russian                  ru
Spanish                  es
Swedish                  sv
Turkish                  tr

Modifying FireFlow Interface Text

You can modify the text appearing in the FireFlow interface in the following ways:

Change the language

For example, you can change the interface language to French, Spanish, or any other language.

Change the wording

For example, you can change the name of the "Change Requests Waiting for User Accept" list to "Change Requests Waiting to be Accepted".

To modify the FireFlow interface text

1 Under /usr/share/fireflow/local/po or /usr/share/fireflow/lib/RT/I18N, open the *.po file of the language whose texts you want to translate or change.

2 In any text editor, create a language file encoded in UTF-8.

3 Add the following lines at the start of the new language file you created:

msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

Note: These must be the first three lines of the file.

4 For each string you want to translate or change, copy the relevant msgid lines from the *.po file you opened into the language file you created.

The msgid lines represent the original text.

5 In the language file you created, after each msgid line, add a msgstr line specifying the desired text.

For example, to translate the text on the No Change Record button into French, the file should include the following lines:

msgid "No Change Record"
msgstr "Aucun enregistrement de modification"

To translate the Add More Files link to French, the file should include the following lines:

msgid "Add More Files"
msgstr "Ajouter d'autres fichiers"

You can also translate text that includes placeholders (in the format %x), by including the same placeholders in the translation. For example:

msgid "Owner changed from %1 to %2"
msgstr "Propriétaire changé de %1 en %2"

6 Close the original *.po file without saving changes.

7 Save the new file as XX.po, where XX is a two-letter abbreviation of the language used in the file or some other indication of the file's use.

8 Log in to the FireFlow server using the username "root" and the related password.

9 Place the language file on the FireFlow server, under the directory /usr/share/fireflow/local/etc/site/po/.

Note: You can use scp to copy the file from your own computer to the FireFlow server.

10 Restart FireFlow.

See Restarting FireFlow (on page 11).

FireFlow will refer to the new *.po file for strings. If a string does not appear in the file, FireFlow will refer to the original English-language *.po file for the missing string.
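A language file can be checked against the rules in this procedure before it is copied to the server. The following is an added example, not part of the guide or of FireFlow: it verifies UTF-8 encoding, the three required header lines, msgid/msgstr pairing and matching placeholders, assuming single-line entries and numeric placeholders such as %1 as in the guide's examples; the function name and sample data are constructed for illustration.

```python
"""Pre-deployment check for an override .po file (added example, not FireFlow code)."""
import re

# The three lines the procedure requires at the very start of the file.
REQUIRED_HEADER = [
    'msgid ""',
    'msgstr ""',
    r'"Content-Type: text/plain; charset=UTF-8\n"',
]
PLACEHOLDER = re.compile(r"%\d+")  # assumption: %x means %1, %2, ...
ENTRY_LINE = re.compile(r'^(msgid|msgstr)\s+"(.*)"\s*$')  # single-line entries only


def check_po_override(data):
    """Return a list of problems found in the raw bytes of a language file."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return ["file is not valid UTF-8: %s" % exc]

    lines = [ln.rstrip() for ln in text.splitlines()]
    problems = []
    if lines[:3] != REQUIRED_HEADER:
        problems.append("first three lines are not the required header")

    pending = None  # (line number, text) of a msgid still waiting for its msgstr
    for number, line in enumerate(lines[3:], start=4):
        if not line or line.startswith("#"):
            continue
        match = ENTRY_LINE.match(line)
        if not match:
            problems.append("line %d: not a msgid/msgstr line" % number)
            continue
        keyword, value = match.groups()
        if keyword == "msgid":
            if pending is not None:
                problems.append("line %d: msgid %r has no msgstr" % pending)
            pending = (number, value)
            continue
        if pending is None:
            problems.append("line %d: msgstr without a preceding msgid" % number)
            continue
        wanted = sorted(set(PLACEHOLDER.findall(pending[1])))
        found = sorted(set(PLACEHOLDER.findall(value)))
        if wanted != found:
            problems.append("line %d: placeholders %s do not match %s in msgid"
                            % (number, found, wanted))
        pending = None
    if pending is not None:
        problems.append("line %d: msgid %r has no msgstr" % pending)
    return problems


# Constructed sample files, built from the strings used in the procedure above.
GOOD_TEXT = "\n".join(REQUIRED_HEADER + [
    "",
    'msgid "No Change Record"',
    'msgstr "Aucun enregistrement de modification"',
    "",
    'msgid "Owner changed from %1 to %2"',
    'msgstr "Propriétaire changé de %1 en %2"',
]) + "\n"
DROPPED_PLACEHOLDER_TEXT = "\n".join(REQUIRED_HEADER + [
    'msgid "Owner changed from %1 to %2"',
    'msgstr "Propriétaire changé de %1"',
]) + "\n"

if __name__ == "__main__":
    for label, raw in [
        ("good file", GOOD_TEXT.encode("utf-8")),
        ("dropped placeholder", DROPPED_PLACEHOLDER_TEXT.encode("utf-8")),
        ("saved as Latin-1", GOOD_TEXT.encode("latin-1")),
    ]:
        print(label, "->", check_po_override(raw) or "OK")
```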

Adding/Removing Standard NAT Fields in Change Requests

You can remove all standard NAT fields from change requests. The standard NAT fields include:

Source NAT

Destination NAT

NAT Type

Port Translation

Note: The following procedure will remove the standard NAT fields for all users except FireFlow configuration administrators. If it is necessary to remove these fields for FireFlow configuration administrators as well, contact AlgoSec Professional Services.

To add/remove standard NAT fields in change requests

1 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

2 For each of the NAT-related FireFlow fields listed in the table below, do the following:

a) Click FireFlow Fields.

The Select a FireFlow Field page appears.

b) Click on the field's name.

The Editing Custom Field page appears.

c)  In the main menu, click Group Rights.

The Modify group rights for custom field page appears.

d)  In each user group's Current rights area, select the SeeCustomField and ModifyCustomField check boxes.

Note: These check boxes might not appear for all user groups.

e) Click Submit.

NAT-related FireFlow Fields

FireFlow Field                                          Description
Change Destination NAT: Change destination NAT          Displays the destination NAT value to which the connection's destination should be translated, as planned during the Plan stage.
Change NAT Type: Change NAT type                        Displays the type of NAT (Static or Dynamic), as planned during the Plan stage.
Change Port Translation: Change port translation        Displays the port value to which the connection's port should be translated, as planned during the Plan stage.
Change Source NAT: Change source NAT                    Displays the source NAT value to which the connection's source should be translated, as planned during the Plan stage.
Requested Destination NAT: Requested destination NAT    Displays the destination NAT value to which the connection's destination should be translated, as specified in the original request.
Requested NAT Type: Requested NAT type                  Displays the type of NAT (Static or Dynamic), as specified in the original request.
Requested Port Translation: Requested port translation  Displays the port value to which the connection's port should be translated, as specified in the original request.
Requested Source NAT: Requested source NAT              Displays the source NAT value to which the connection's source should be translated, as specified in the original request.

Adding/Removing Optional NAT Fields in Change Requests

You can configure FireFlow to display separate fields for source NAT, destination NAT, and port translation before and after translation. In this case, the existing Source NAT, Destination NAT, and Port Translation fields will display the values before translation, and the following new fields will display the values after translation:

• Source after NAT
• Destination after NAT
• Port after Translation

The new NAT fields will appear below the standard NAT fields throughout the FireFlow Web interface, for example in work orders or when editing a change request.

To add optional NAT fields

1 On the original site, open a terminal and log in using the username "root" and the related password.

2 Enter the following command:

/usr/share/fireflow/local/sbin/additional_NAT_fields.pl -e 

The optional NAT fields are added to the FireFlow Web interface.

  To remove optional NAT fields

1 On the original site, open a terminal and log in using the username "root" and the related password.

2 Enter the following command:

/usr/share/fireflow/local/sbin/additional_NAT_fields.pl -d 

The optional NAT fields are removed from the FireFlow Web interface.

Configuring the Default Authentication Action

FireFlow enables you to specify the default authentication action used for Check Point devices. FireFlow will display the configured authentication action in the Action field of work orders for Check Point-related change requests.

To configure the default authentication action

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item DefaultAuthAction, and set its value to one of the following:

• User Auth - User Authentication.
• Session Auth - Session Authentication.
• Client Auth - Client Authentication.

For example, to make the default User Authentication, add the following item:

Set($DefaultAuthAction, "User Auth");

4 Save the file.


5 Restart FireFlow.

See Restarting FireFlow (on page 11).

Enabling/Disabling User Group Authentication during Initial Planning

By default, when the default authentication action used for Check Point devices is set to User Authentication, FireFlow performs user group authentication during initial planning. If desired, you can disable this.

To enable/disable user group authentication during initial planning

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ValidateUserInSource.

4 Do one of the following:

• To enable user group authentication during initial planning, set the configuration item's value to 1.
• To disable user group authentication during initial planning, set the configuration item's value to 0.

For example, the following enables user group authentication during initial planning:

Set($ValidateUserInSource, '1');

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Configuring the Handling of NAT-Only Traffic Changes

By default, if a traffic change request already works, it is automatically closed during initial planning. If desired, you can configure FireFlow to keep the change request open, if it includes NAT fields. In addition, when handling of NAT-only traffic changes is enabled, you can configure FireFlow to display NAT information in work orders and to use NAT information in risk checks.

To configure handling of NAT-only traffic changes

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item handleNATChanges.

4 Do one of the following:

• To enable handling of NAT-only traffic changes, set the configuration item's value to 1.
• To disable handling of NAT-only traffic changes, set the configuration item's value to 0. This is the default value.

For example, the following enables handling of NAT-only traffic changes:

Set($handleNATChanges, '1');

5 If you enabled handling of NAT-only traffic changes, configure whether FireFlow should use NAT information in risk checks, by doing the following:

a)  Add the configuration item sendNATinformationInRiskCheck.

b)  Do one of the following:

• To enable using NAT information in risk checks, set the configuration item's value to 1.
• To disable using NAT information in risk checks, set the configuration item's value to 0. This is the default value.

For example, the following enables using NAT information in risk checks:

Set($sendNATinformationInRiskCheck, '1');

Note: When this feature is enabled, the Source NAT and Destination NAT fields will be used in risk checks. However, if the optional Source after NAT field is enabled, it will be used instead of the Source NAT field. Likewise, if the optional Destination after NAT field is enabled, it will be used instead of the Destination NAT field. For information on these optional fields, see Adding/Removing Optional NAT Fields in Change Requests (on page 226).

If you enabled handling of NAT-only traffic changes, configure whether FireFlow should display NAT information in work orders, by doing the following:

c)  Add the configuration item showAllNatTable.

d)  Do one of the following:

• To enable displaying NAT information in work orders, set the configuration item's value to 1.
• To disable displaying NAT information in work orders, set the configuration item's value to 0. This is the default value.

For example, the following enables displaying NAT information in work orders:

Set($showAllNatTable, '1');

6 Save the file.

7 Restart FireFlow.

See Restarting FireFlow (on page 11).

Automatically Sending Work Orders to an Implementation Team

Sometimes, changes on devices are implemented by a group of people who have no access to the FireFlow system. In this case, you can configure FireFlow to automatically generate a work order in PDF format and send it to the implementation team via email, each time a work order is created.

To automatically send work orders to an implementation team

1 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

2 Enable generating work orders in PDF format, by doing the following:

a)  In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

b)  Click Global.

The Admin/Global configuration page appears.

c)  Click Scrips.

The Modify scrips which apply to all queues page appears.

d)  Click 550 On completion of Create Work Order Create Summary PDF.

The Modify a scrip that applies to all queues page appears.

e)  In the Stage field, select TransactionCreate.

f)  Click Update.

3 Enable automatic sending of emails with work orders in PDF format attached, by doing the following:

a)  In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

b)  Click Global.

The Admin/Global configuration page appears.

c)  Click Scrips.

The Modify scrips which apply to all queues page appears.

d)  Click 560 On completion of Create Work Order Notify Work Order Recipient.

The Modify a scrip that applies to all queues page appears.

e)  In the Stage field, select TransactionCreate.

f)  Click Update.

4 To customize the email template used for sending work orders, do the following:

a)  In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

b)  Click Global.

The Admin/Global configuration page appears.

c)  Click Email Templates.

The Modify email templates which apply to all queues page appears.

d)  Click Notify Work Order Summary.

The Modify email template Notify Work Order Summary page appears.

e)  Edit the email content as desired.

f)  Click Update.

5 Configure the email recipient, by doing one of the following:

• When customizing the email template as described in the previous step, type the desired address in the To field.

• Configure the relevant parameter, by doing the following:

1.  Log in to the FireFlow server using the username "root" and the related password.

2.  Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3.  Add the configuration item WorkOrderRecipientEmail and set its value to the desired email address.

For example, the following specifies that work orders should be sent to ImplementationGroup@mycompany.com:

Set($WorkOrderRecipientEmail, 'ImplementationGroup@mycompany.com');

4.  Save the file.

5.  Restart FireFlow.

See Restarting FireFlow (on page 11).

Note: If you configure the recipient email address using both methods, the address specified in the email template will be used.

Reverting to System Defaults

  To revert to the system defaults

1 Log in to the FireFlow server using the username "root" and the related password.

2 In the directory /usr/share/fireflow/local/etc/site/, remove the file FireFlow_SiteConfig.pm.

3 In the directory /usr/share/fireflow/local/etc/site/po/, remove any *.po files.

4 Restart FireFlow.

See Restarting FireFlow (on page 11).

CHAPTER 17

Importing User Data from an LDAP Server

If AlgoSec Firewall Analyzer is configured to authenticate users against an LDAP server (for example, Microsoft Active Directory), you can configure AlgoSec Firewall Analyzer and FireFlow to import user data from the LDAP server upon each login. For example, when a user logs in, FireFlow can import data such as the user's telephone number.

AlgoSec Firewall Analyzer can import a user's full name, email address, and user role, while FireFlow can import data for any user field that exists both in the LDAP server and in FireFlow. If you want to import an LDAP field that does not exist in FireFlow, you can add a parallel custom field in FireFlow.

Note: Do not add custom fields that have the same name as an existing user field in FireFlow. Doing so will cause importing data from the LDAP server to fail.

Note: Since data is imported only upon user login, the data stored for users who log in infrequently may be outdated.

Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow and assigned an AFA user role. In this case, the user will remain a requestor and not a privileged user, regardless of the AFA user role assigned. For information on automatic creation of requestors upon login, see Enabling/Disabling Automatic Creation of Requestors upon Authentication (on page 211).

Note: A requestor cannot be converted to a privileged user and vice versa, by changing the user's AFA user role or FireFlow user group via LDAP. These roles are permanent.

Note: When a requestor is automatically created upon first login, and the

Note: If you configured the import of user data from an LDAP server in a FireFlow version prior to 6.1, you must re-configure it using the following procedure.

To import data from an LDAP database

1 In AFA, configure LDAP user authentication.

You must select the Fetch user data from LDAP check box, complete the fields in the Mapping to LDAP Fields area, and then restart FireFlow.

Refer to the AlgoSec FireFlow User Guide, Configuring User Authentication.

2 To enable importing AFA user roles, add or edit the desired roles.

You must fill in the Role LDAP DN field.

Refer to the AlgoSec Firewall Analyzer User Guide, Adding and Editing User Roles.

3 To enable importing FireFlow user groups, add or edit the desired user groups.

You must fill in the Group LDAP DN field.

See Working with User Groups (on page 29).

4 To import user fields from the LDAP server, which do not exist in FireFlow, do the following:

a)  For each user field that exists in the LDAP server but not in FireFlow, add a custom user field in FireFlow.

See Adding User-Defined Custom Fields (on page 44).

b)  On the AFA server, open /home/afa/.fa/config.

c)  Add the attribute LDAP_AttrCustom.

d)  Set this attribute's value to a list of custom FireFlow fields and the parallel LDAP fields in the following format:

FF_CustField1,LDAP_Attr1;FF_CustField2,LDAP_Attr2;...

Where:

• FF_CustFieldX - The name of a user field in FireFlow to which you want to import data. This can be a built-in field or a user-defined custom field.
• LDAP_AttrX - The name of a user field in the LDAP server from which you want to import data.

In order to map a user-defined custom field called "Department" to an LDAP attribute called "department", set the following value:

LDAP_AttrCustom=Department,department

Note: In this example, the LDAP server field names are taken from Active Directory. If a different LDAP server is used, the names must be changed accordingly.

e)  Save the file.
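A pre-flight check for the LDAP_AttrCustom value described in step 4, as an added example that is not part of the AlgoSec guide: it parses the FF_CustField,LDAP_Attr pairs and flags the naming problems the notes above warn about. The function names, the sample config text and both field lists are constructed for illustration, and the case-insensitive name comparison is an assumption.

```python
# Constructed sample of what /home/afa/.fa/config might contain (not real data).
SAMPLE_CONFIG = """\
# constructed sample
LDAP_AttrCustom=Department,department;Mobile,mobile;Department,division;EmailAddress,mail
"""

# Hypothetical field inventories; take the real ones from your FireFlow installation.
BUILTIN_USER_FIELDS = {"EmailAddress", "RealName"}
CUSTOM_USER_FIELDS = {"Department", "RealName"}


def parse_ldap_attr_custom(config_text):
    """Return [(fireflow_field, ldap_attr), ...] from the LDAP_AttrCustom line.

    Raises ValueError for an entry that is not exactly 'FireFlowField,LdapAttr'.
    """
    value = None
    for line in config_text.splitlines():
        key, sep, rest = line.partition("=")
        if sep and key.strip() == "LDAP_AttrCustom":
            value = rest.strip()  # the last definition in the file wins
    if value is None:
        return []
    pairs = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # tolerate a trailing ';'
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed mapping entry: {entry!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def audit_mapping(pairs, builtin_fields, custom_fields):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    builtin_lc = {f.lower() for f in builtin_fields}
    # The guide warns that a custom field named like an existing user field
    # makes the LDAP import fail.
    for name in sorted(custom_fields):
        if name.lower() in builtin_lc:
            findings.append(f"custom field {name!r} has the same name as an existing user field")
    known = builtin_lc | {f.lower() for f in custom_fields}
    seen = set()
    for ff_field, ldap_attr in pairs:
        key = ff_field.lower()
        if key not in known:
            findings.append(f"{ff_field!r} is mapped to {ldap_attr!r} but is not a known FireFlow user field")
        if key in seen:
            findings.append(f"{ff_field!r} is mapped more than once")
        seen.add(key)
    return findings


if __name__ == "__main__":
    for finding in audit_mapping(parse_ldap_attr_custom(SAMPLE_CONFIG),
                                 BUILTIN_USER_FIELDS, CUSTOM_USER_FIELDS):
        print(finding)
```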

CHAPTER 18

Integrating FireFlow with External Change Management Systems

This section explains how to integrate FireFlow with an external Change Management System.

In This Chapter

Overview
Integrating FireFlow via the REST Interface
Integrating FireFlow via a CMS's Web Service
Integrating FireFlow via Email

Overview

FireFlow can be integrated with an organization's main Change Management System (CMS), such as BMC Remedy, HP Service Center and Service Manager (formerly Peregrine), and more. Communication between the two systems can be based on the following protocols:

• REST interface

The CMS can use the REST interface to create change requests in FireFlow via HTTP.

See Integrating FireFlow via the REST Interface (on page 235).

• Web service

FireFlow can establish a uni-directional connection with a CMS's Web service. This enables FireFlow to send the CMS requests to open a change request or update its status.

See Integrating FireFlow via a CMS's Web Service (on page 239).

• Email

FireFlow can send email messages to the CMS and receive requests to open a change request or update its status via email. If the CMS has these same capabilities, it is possible to achieve an email-based integration.

Email is the easiest protocol to configure and allows for bi-directional communication.

See Integrating FireFlow via Email (on page 244).

Regardless of the protocol selected, integrating FireFlow with a CMS requires customization on both sides.

Integrating FireFlow via the REST Interface

FireFlow can be integrated with a CMS via the REST interface. The REST interface is an HTTP-based API that can be used by the CMS to create change requests in FireFlow via HTTP.

If you need other assistance in using the REST interface, contact AlgoSec Professional Services.

REST Interface Integration Steps

 

To integrate FireFlow with a CMS via the REST interface

1 Configure CMS authentication to FireFlow.

See Configuring Authentication to FireFlow (on page 236).

2 Use the CMS to create change requests in FireFlow as desired.

See Creating Change Requests via the REST Interface (on page 237).

Configuring Authentication to FireFlow

The REST interface does not support HTTP authentication. Therefore, in order for the CMS to authenticate to FireFlow, the CMS must obtain a valid session token and then submit the session cookie with each request. You can generate a session cookie by submitting the default login form with the username as the "user" parameter and the password as the "pass" parameter.

For example, the following Perl code generates a session cookie:

    use LWP::UserAgent;
    use HTTP::Cookies;

    # $FireFlow_URL, $access_user, $access_password, $MaxHttpRequestTimeoutInSeconds,
    # $ua, $cookieJar, $response and log_print() are expected to be defined
    # elsewhere in the calling script.
    # $FireFlow_URL should be an https:// URL, because the password travels in the POST body.

    my $is_cookie_exist = 0;

    # first login to FireFlow and create cookie
    sub setCookie
    {
        unless ($is_cookie_exist) {
            log_print("Info", "Trying to login to $FireFlow_URL/");

            # initialize the user agent and the cookie jar
            $ua = LWP::UserAgent->new;
            $ua->timeout($MaxHttpRequestTimeoutInSeconds);
            $cookieJar = HTTP::Cookies->new(ignore_discard => 1);
            $ua->cookie_jar($cookieJar);

            # first go to the login page - just for getting the cookie
            $response = $ua->post($FireFlow_URL . '/');
            if (!$response->is_success) {
                log_print("Error", "failed to connect to FireFlow server");
                return $response;
            }

            # now login to FireFlow
            $response = $ua->post($FireFlow_URL . '/',
                [ 'user' => $access_user,
                  'pass' => $access_password,
                ]
            );
            if (!$response->is_success) {
                log_print("Error", "failed to connect to FireFlow server");
                return $response;
            }
            # remember that the session cookie is now in the jar
            $is_cookie_exist = 1;
        }
    }


Creating Change Requests via the REST Interface

To create a new change request in FireFlow via the REST interface

• On the FireFlow server, post the following:

on0 FireFlow/REST/1.0/ticket/new requestContent

Where requestContent contains the change request details in the following format:

key1: value1
key2: value2
...

For information on the available keys and their values, refer to the following table.

For example, you can create a change request by posting the following:

on0 /FireFlow/REST/1.0/ticket/new
Queue: 1
Requestor: req@algosec.com
Subject: Creating ticket via REST
CF.{Requested Source}: 1.1.1.1
CF.{Requested Source}: 2.2.2.2
CF.{Requested Destination}: 3.3.3.3
CF.{Requested Service}: ssh
CF.{Requested Service}: https

REST Change Request Creation Keys

Set this key...
    To this value...

Requestor
    The email address of the change requestor.
    This key is mandatory.

Queue
    The queue to which the change request belongs.
    This key is mandatory.

Subject
    A title for the change request.
    This key is optional.

Status
    The change request's status.
    This key is optional.

Owner
    The change request's owner.
    This key is optional.

Due
    The date by which this change request should be resolved, in the following format: YYYY-MM-DD HH:MM:SS
    This key is optional.

Priority
    A number indicating this request's priority, where 0 indicates lowest priority.
    This key is optional.

CF.{customField}
    The value of customField, which is a custom field supported by FireFlow.

    You can create a change request key for any of the built-in custom fields listed in the following table. For example, the following key specifies that the requested service is SSH:

    CF.{Requested Service}: ssh

    In addition, you can create a change request key for a user-defined custom field belonging to any of the following categories: additional for object, additional for traffic, additional for source, additional for destination, and additional for service. To do so, use the following format:

    CF.{__REQUESTED__fieldName}

    Where fieldName is the name of the user-defined custom field. For example, the following key specifies that the custom field "Application" is Syslog.

    CF.{__REQUESTED__Application}: syslog

    If desired, you can use the same custom field multiple times when creating a single change request. For example, if you include all of the following keys, the change request will have SSH, HTTPS, and TCP/7 as requested services:

    CF.{Requested Service}: ssh
    CF.{Requested Service}: https
    CF.{Requested Service}: tcp/7

    This field is optional.

REST Change Request Built-in Custom Fields

Set this custom field...
    To this value...

Expires
    The date on which this change request will expire, in the following format: YYYY-MM-DD HH:MM:SS

Requested Source
    The IP address, IP range, network, device object, or DNS name of the connection source.

Requested Destination
    The IP address, IP range, network, device object, or DNS name of the connection destination.

Requested Service
    The device service or port for the connection (for example "http" or "tcp/123").

Requested Action
    The device action to perform for the connection. This can be either of the following:
    • Allow - Allow the connection.
    • Drop - Block the connection.

Requested Source NAT
    The source NAT value, if the connection’s source should be translated.

Requested Destination NAT
    The destination NAT value, if the connection’s destination should be translated.

Requested Port Translation
    The port value, if the connection’s port should be translated.

Workflow
    The change request's workflow.

Owning Group
    The group to which the change request should be assigned.

Requested NAT Type
    The type of NAT. This can have the following values:
    • Static
    • Dynamic

CMS ticket id
    The ID number of a related change request in the CMS.

Firewall Name
    The name of the device.

Form Type
    The request template type. This can have the following values:
    • Object Change
    • Traffic Change
    • Generic Change

Requested Object Action
    The requested action in an object change request. This can have the following values:
    • AddIPsToObject
    • RemoveIPsFromObject
    • NewObject
    • DeleteObject

Requested Object Name
    The object's name in an object change request.

Requested IPs To Add
    The IP addresses to add to an object in an object change request.

Requested IPs To Remove
    The IP addresses to remove from an object in an object change request.

Requested Object Scope
    The object scope in an object change request.
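One way a CMS-side integration could assemble and validate requestContent before posting it, as an added example (not AlgoSec's code): it enforces the mandatory keys, the date format and the closed value lists from the tables above, and rejects any value containing a line break, since in a one-key-per-line body such a value would be read as an extra key. The function names and the strictness of the Requestor and Priority checks are assumptions.

```python
import re
from datetime import datetime

# Top-level keys from "REST Change Request Creation Keys", emitted in the
# same order as the guide's sample request.
KEY_ORDER = ("Queue", "Requestor", "Subject", "Status", "Owner", "Due", "Priority")
MANDATORY_KEYS = ("Queue", "Requestor")

# Built-in custom fields for which the guide lists a closed set of values.
ENUM_FIELDS = {
    "Requested Action": {"Allow", "Drop"},
    "Requested NAT Type": {"Static", "Dynamic"},
    "Form Type": {"Object Change", "Traffic Change", "Generic Change"},
    "Requested Object Action": {"AddIPsToObject", "RemoveIPsFromObject",
                                "NewObject", "DeleteObject"},
}
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # YYYY-MM-DD HH:MM:SS, used by Due and Expires
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # deliberately loose (assumption)


class RequestContentError(ValueError):
    """A key or value cannot be sent safely as a single 'key: value' line."""


def _clean(name, value):
    text = str(value).strip()
    if not text:
        raise RequestContentError(f"{name}: empty value")
    # The body is line-oriented: an embedded line break in CMS-supplied text
    # would start what looks like another key (for example Owner or Status).
    if "\r" in text or "\n" in text:
        raise RequestContentError(f"{name}: line break in value")
    return text


def _check_date(name, text):
    try:
        datetime.strptime(text, DATE_FORMAT)
    except ValueError:
        raise RequestContentError(f"{name}: expected YYYY-MM-DD HH:MM:SS") from None


def build_request_content(keys, custom_fields=()):
    """Return the requestContent body.

    keys          -- dict of top-level keys (Queue, Requestor, Subject, ...)
    custom_fields -- iterable of (field_name, value); a field may repeat
    """
    missing = [k for k in MANDATORY_KEYS if k not in keys]
    if missing:
        raise RequestContentError("missing mandatory key(s): " + ", ".join(missing))
    unknown = sorted(set(keys) - set(KEY_ORDER))
    if unknown:
        raise RequestContentError("unknown key(s): " + ", ".join(unknown))

    lines = []
    for name in KEY_ORDER:
        if name not in keys:
            continue
        text = _clean(name, keys[name])
        if name == "Requestor" and not EMAIL_RE.fullmatch(text):
            raise RequestContentError("Requestor: not an email address")
        if name == "Due":
            _check_date(name, text)
        if name == "Priority" and not (text.isascii() and text.isdigit()):
            raise RequestContentError("Priority: expected a number, 0 or higher")
        lines.append(f"{name}: {text}")

    for field, value in custom_fields:
        if not field or any(c in field for c in "{}\r\n"):
            raise RequestContentError(f"bad custom field name: {field!r}")
        text = _clean(field, value)
        if field in ENUM_FIELDS and text not in ENUM_FIELDS[field]:
            raise RequestContentError(f"{field}: {text!r} is not an allowed value")
        if field == "Expires":
            _check_date(field, text)
        lines.append(f"CF.{{{field}}}: {text}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Reproduces the guide's sample request body.
    print(build_request_content(
        {"Queue": 1, "Requestor": "req@algosec.com", "Subject": "Creating ticket via REST"},
        [("Requested Source", "1.1.1.1"), ("Requested Service", "ssh")]), end="")
```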

Integrating FireFlow via a CMS's Web Service

FireFlow can be integrated with a CMS via the CMS's Web service. A Web service is an API that can be accessed and executed over the network, thus allowing FireFlow to perform remote operations on the CMS. Supported operations are described in XML format in the Web service's WSDL (Web Services Description Language) file, and FireFlow refers to this file when performing operations on the CMS.

FireFlow uses the Web service to perform the following operations:

• Creating a change request

When a requestor opens a change request in FireFlow, FireFlow uses the Web service to create a new change request in the CMS.

• Updating a change request's status

At certain stages during the FireFlow change request lifecycle (for example, Approve and Resolve), FireFlow uses the Web service to change the change request's status in the CMS.

If you are not sure whether your CMS includes a Web service and a WSDL file, or if you need other assistance in integrating FireFlow with a Web service, contact AlgoSec Professional Services.

Web Service Integration Steps

To integrate FireFlow with a CMS via a Web service

1 Determine the full URL to the Web service's WSDL file.

2 Create a new directory under /usr/share/fireflow/local/WebServiceClient, and name it after the Web service.

3 Use the following command to create Perl classes from the WSDL file:

wsdl2perl.pl -b /usr/share/fireflow/local/WebServiceClient/WebServiceName/ -p WebServiceName WsdlUrl

Where:

• WebServiceName is the name of the Web service, and
• WsdlUrl is the full URL to the Web service's WSDL file.

New directories are created under /usr/share/fireflow/local/WebServiceClient/WebServiceName/. For example: WebServiceNameAttr, WebServiceNameInterfaces, WebServiceNameTypes, and so on.

4 Use the examples located under /usr/share/fireflow/local/WebServiceClient/ to write a Perl class that inherits from WebServices::Base and implements the following sub-routines:

• getSOAPModule
• getServerActionsForStatus
• BuildParamsHashForAction
• handleResponseHASH

5 Configure FireFlow to use a Web service.

See Configuring FireFlow to Use a Web Service (on page 240).

Configuring FireFlow to Use a Web Service

To configure FireFlow to use a Web service

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item WebServicesModule and set it to the name of the Perl class you created.

4 If the Web service requires authentication, do the following:

• Add the configuration item WebServicesUsername and set it to the user name to use when authenticating to the Web service.
• Add the configuration item WebServicesPasswordEncrypted and set it to the password to use when authenticating to the Web service.

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).

7 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

8 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

9 At the top of the workspace, click Global.

The Admin/Global configuration page appears.

10 Click Scrips.

The Modify scrips which apply to all queues page appears.

11 Click 320 On Non Sub Ticket Create Notify WebService.

The Modify a scrip that applies to all queues page appears.

12 In the Stage drop-down list, select TransactionBatch.

13 Click Update.

The Modify scrips which apply to all queues page reappears.

14 Click 330 On Non Sub Ticket Status Change Notify WebService.

The Modify a scrip that applies to all queues page appears.

15 In the Stage drop-down list, select TransactionCreate.

16 Click Update.


Integrating FireFlow via EmailFireFlow can be integrated with a CMS via email. In this situation, when a requestor opens a change requestin the CMS, a new change request is automatically created in FireFlow. Network operations and informationsecurity users can then work with the new change request, in the same way as they would work with achange request that originated in FireFlow.

To ensure that a relationship is maintained between the original CMS change request and the new FireFlowchange request, the CMS passes the CMS change request ID number to FireFlow, and FireFlow passes theFireFlow change request ID number to the CMS. This information is used to associate the CMS changerequest and the FireFlow change request with each other.

At certain stages during the FireFlow change request lifecycle, most importantly when it is resolved,FireFlow notifies the CMS of the change request's status change. Thus communication between the CMSand FireFlow runs in both directions, as shown in the following table.

CMS FireFlow

Create Change Request →  Create Change Request

 Notified ←  Approve Change Request

 Notified and Closed ←  Resolve Change Request

The following example describes an email-based integration between FireFlow and BMC Remedy Change Management Application.

Note: The instructions provided are specific to Remedy Action Request System 7.1.00 and may vary for different Remedy versions.

For information on integrating FireFlow with other change management systems, contact AlgoSec.

Email Integration Steps

To integrate FireFlow with BMC Remedy via email

1 Prepare email addresses and a Remedy user.

See Preparation (on page 245).

2 Configure FireFlow for use with Remedy.

See Configuring FireFlow for Use with Remedy (on page 245).

3 Configure the Remedy incoming mailbox.

See Configuring the Remedy Incoming Mailbox (on page 246).

4 Configure the Remedy outgoing mailbox.

See Configuring the Remedy Outgoing Mailbox (on page 247).

5 Configure Remedy email security.

See Configuring Remedy Email Security (on page 248).

6 Configure the Remedy filter.

See Configuring the Remedy Filter (on page 249).


Preparation

Email Addresses

Use the table below to record email addresses used by both Remedy and FireFlow to receive change request submissions and send change request updates.

FireFlow Email Address

Remedy Email Address

Remedy User

Create or select an existing Remedy user that will perform actions on behalf of FireFlow, then choose an alpha-numeric string to serve as a security key for this user. Use the table below to record the user's username, password, and security key.

Username

Password

Security Key

Configuring FireFlow for Use with Remedy

To configure FireFlow for use with Remedy

1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open FireFlow_SiteConfig.pm.

3 Add the configuration item ExternalCMSEmail, and set its value to the email address of the Remedy Server to which FireFlow should send its emails, and which FireFlow should notify upon change request closure.

For example:

Set($ExternalCMSEmail, 'remedy@my.organization.com');

To specify that FireFlow should not send email and notifications to the Remedy Server, leave this item empty.

4 Add the configuration item ExternalCMSSenderEmails, and set its value to a space-separated list of email addresses, from which the Remedy Server is expected to send emails to FireFlow upon change request creation.

For example:

Set(@ExternalCMSSenderEmails, qw(remedy@my.organization.com remedy-alias@my.organization.com));

5 Save the file.

6 Restart FireFlow.

See Restarting FireFlow (on page 11).


7 Log in to FireFlow for advanced configuration purposes.

See Logging in for Advanced Configuration Purposes (on page 7).

8 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

9 At the top of the workspace, click Global.

The Admin/Global configuration page appears.

10 Click Scrips.

The Modify scrips which apply to all queues page appears.

11 Click 020 On Non Sub Ticket Create External Source Parse Text Fields From External System.

The Modify a scrip that applies to all queues page appears.

12 In the Stage drop-down list, select TransactionCreate.

13 Click Update.

The Modify scrips which apply to all queues page reappears.

14 Click 140 On Non Sub Ticket Close External Source Notify Other Recipients.

The Modify a scrip that applies to all queues page appears.

15 In the Email Template drop-down list, select Global template: Notify Remedy Ticket Close.

16 In the Stage drop-down list, select TransactionCreate.

17 Click Update.

The Modify scrips which apply to all queues page reappears.

Configuring the Remedy Incoming Mailbox

To configure the Remedy incoming mailbox

1 Open the BMC Remedy User.

2 Open the AR System Email Mailbox Configuration form in Search mode.

3 Choose the Incoming mailbox, and click the Advanced Configuration tab.


The Advanced Configuration tab appears.

4 Configure the fields as follows:

- In the Associated Mailbox Name list, select the name of the outgoing mailbox.
- In the Email Action list, select Parse.
- In the Reply With Result list, select No.
- In the Enable Modify Actions list, select Yes.
- In the Use Security Key list, select Yes.
- In the Use Supplied User Information list, select Yes.
- In the Use Email From Address list, select Yes.

Leave all other fields at their default settings.

5 Save your changes.

Configuring the Remedy Outgoing Mailbox

To configure the Remedy outgoing mailbox

1 Enter BMC Remedy User.

2 Open the AR System Email Mailbox Configuration form in Search mode.

3 Choose the Outgoing mailbox, and click the Advanced Configuration tab.


The Advanced Configuration tab appears.

4 Configure the fields as follows:

- In the Associated Mailbox Name list, select the name of the incoming mailbox.
- In the Delete Outgoing Notification Messages list, select No.

Leave all other fields at their default settings.

5 Save your changes.

Configuring Remedy Email Security

To configure Remedy email security

1 Enter BMC Remedy User.

2 Open the AR System Email Security form in Search mode.


The form appears.

3 Configure the fields as follows:

- In the Status list, select Enabled.
- In the Key field, type the security key you prepared in Remedy User (on page 245).
- In the User Name field, type the username you prepared in Remedy User (on page 245).
- In the Force For Mailbox list, select No.
- In the Force From Email Address list, select Yes.
- In the Email Addresses field, type the FireFlow email address you prepared in Email Addresses (on page 245).

Leave all other fields at their default settings.

4 Save your changes.

Configuring the Remedy Filter

When integrated with FireFlow, Remedy sends an email to FireFlow upon each change request submission. The email serves two purposes:

- When FireFlow receives the email, ticket creation is triggered.
- When the ticket is resolved, FireFlow responds to this email, closing the original Remedy change.

In order to configure Remedy to send email upon change request submissions, you must specify a filter using the following procedure.

Note: For more detailed instructions on how to configure Remedy for email integration, refer to the "Configuring the email engine for modify actions" and "Defining workflow to send email notifications" sections in the BMC Remedy Action Request System Administering BMC Remedy Email Engine document. This document for version 7.0 is located here: http://documents.bmc.com/supportu/documents/84/75/58475/58475.pdf

To configure Remedy filter

1 Enter BMC Remedy Administrator.

2 Create a new filter.


The Basic tab appears.

3 Configure the fields as follows:

- In the Name field, type a name for the filter, for example "CHG:CreateFireFlowTicket".
- In the Form Name area, select the CHG:Infrastructure Change check box.
- In the Execute On area, select the Submit check box.
- In the Run If area, type any qualification that fits all and only firewall change requests.
  For example: 'Product Cat Tier 1(2)' = "Firewall".

Leave all other fields at their default settings.

4 Click the If Action tab.


The If Action tab appears.

5 Configure the fields as follows:

- In the New Action list, select Notify.
- In the Text field, paste the exact text specified in Remedy Filter Text (on page 252).
- In the User Name field, type the FireFlow email address you prepared in Email Addresses (on page 245).
- In the Priority field, type the email's priority (between 1-10).
- In the Mechanism list, select Email.
- In the Fields tab, do the following:
  - In the Subject field, type a subject for the emails, such as "Request submitted by Remedy $Infrastructure Change ID$".
  - In the Include Fields list, select Selected.
  - In the Fields area, select the following fields:
    - Description
    - Detailed Description
    - First Name
    - Infrastructure Change ID
    - Last Name
    - Middle Initial
    - Request ID
    - Submit Date
    - Submitter
- In the Messages tab, in the Mailbox Name field, type the name of the outgoing mailbox.
  Note: This field is required only if you are not using the default mailbox.


Leave all other fields at their default settings.

6 Save your changes.

Remedy Filter Text

You must copy the following text verbatim into the Remedy filter in the BMC Remedy Administrator, in order to enable FireFlow to close the Remedy change upon FireFlow ticket resolution.

The first paragraph can be modified, as it is meant for human readability only. The rest of the text includes seven identical blocks that allow FireFlow to move the Remedy change throughout the full workflow until Closed status, by responding to the email received from Remedy.

Replace <remedy server>, <username> and <password> with the relevant values for your installation.

This is an automatic email sent by BMC Remedy Change Management Application to notify that change id $Infrastructure Change ID$ has been submitted.

Server: <remedy server>

User Name: <username>

Password: <password>

Key: FireFlow

Action: Modify

Form: CHG:Infrastructure Change

Request ID: $Request ID$

Server: <remedy server>

User Name: <username>

Password: <password>

Key: FireFlow

Action: Modify

Form: CHG:Infrastructure Change

Request ID: $Request ID$

Server: <remedy server>

User Name: <username>

Password: <password>

Key: FireFlow

Action: Modify

Form: CHG:Infrastructure Change

Request ID: $Request ID$

Server: <remedy server>

User Name: <username>


Password: <password>

Key: FireFlow

Action: Modify

Form: CHG:Infrastructure Change

Request ID: $Request ID$

Server: <remedy server>

User Name: <username>

Password: <password>

Key: FireFlow

Action: Modify

Form: CHG:Infrastructure Change

Request ID: $Request ID$

Server: <remedy server>

User Name: <username>

Password: <password>

Key: FireFlow

Action: Modify

Form: CHG:Infrastructure Change

Request ID: $Request ID$

Server: <remedy server>

User Name: <username>

Password: <password>

Key: FireFlow

Action: Modify

Form: CHG:Infrastructure Change

Request ID: $Request ID$
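A check for the filter text above before it is pasted into the Text field: it confirms that there are seven identical blocks with the fields in the listed order and that no <remedy server>, <username> or <password> placeholder is left. This is an added example, not part of the guide or of AlgoSec or BMC software; the function names and the sample server, user and password values are constructed.

```python
import re

# Field names of one block, in the order the guide's filter text lists them.
BLOCK_KEYS = ["Server", "User Name", "Password", "Key", "Action", "Form", "Request ID"]
EXPECTED_BLOCKS = 7  # the guide calls for "seven identical blocks"
PLACEHOLDER = re.compile(r"<(remedy server|username|password)>")


def build_filter_text(server, username, password, key="FireFlow"):
    """Render the notification text: readable first paragraph plus seven blocks."""
    intro = ("This is an automatic email sent by BMC Remedy Change Management "
             "Application to notify that change id $Infrastructure Change ID$ "
             "has been submitted.")
    block = "\n".join([
        f"Server: {server}",
        f"User Name: {username}",
        f"Password: {password}",
        f"Key: {key}",
        "Action: Modify",
        "Form: CHG:Infrastructure Change",
        "Request ID: $Request ID$",
    ])
    return intro + "\n\n" + "\n\n".join([block] * EXPECTED_BLOCKS) + "\n"


def parse_blocks(text):
    """Split filter text into blocks of (field, value); 'Server:' opens a block."""
    blocks, current = [], None
    for raw in text.splitlines():
        if ":" not in raw:
            continue  # blank line or free text
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "Server":
            current = []
            blocks.append(current)
        if current is not None and key in BLOCK_KEYS:
            current.append((key, value))
    return blocks


def lint_filter_text(text):
    """Return a list of problems; field values (credentials) are never echoed."""
    problems = []
    blocks = parse_blocks(text)
    if len(blocks) != EXPECTED_BLOCKS:
        problems.append(f"expected {EXPECTED_BLOCKS} blocks, found {len(blocks)}")
    for number, block in enumerate(blocks, 1):
        names = [name for name, _ in block]
        if names != BLOCK_KEYS:
            # Two fields run together on one line show up here as a missing field.
            problems.append(f"block {number}: fields are {names}")
        for name, value in block:
            if PLACEHOLDER.search(value):
                problems.append(f"block {number}: placeholder left in '{name}'")
        if block != blocks[0]:
            problems.append(f"block {number}: not identical to block 1")
    return problems


if __name__ == "__main__":
    # Constructed sample values; not taken from any real installation.
    sample = build_filter_text("remedy.example.test", "fireflow_svc", "constructed-secret")
    print(lint_filter_text(sample) or "filter text is well formed")
```

Because every block carries the Remedy user's password, the linter reports field names only and can be run on the real text without copying the credential into logs.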


CHAPTER 19

Configuring the FireFlow Web Service

This section explains how to use the FireFlow Web service.

In This Chapter

Overview
FireFlow Services
Data Types

Overview

FireFlow has its own Web service. A Web service is an API that can be accessed and executed over the network, thus allowing Web service clients, which are the machines used by authenticated FireFlow users, to perform remote operations on the Web service server, which is FireFlow. Supported operations are described in XML format in FireFlow's Web service's WSDL (Web Services Description Language) file, available at https://<algosec_server>/WebServices/FireFlow.wsdl where <algosec_server> is the AlgoSec server URL. Web clients refer to the WSDL file when performing operations on FireFlow.

FireFlow Services

FireFlowAuthenticateRequest

Description

Authenticates a user.

Once authenticated, the client will receive a session identifier. This identifier will be required as proof of authentication for future requests.

Header Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| version | String | Yes | The API version. |
| opaque | String | No | A value that will be echoed in the response. This value must be maximum 1024 characters in length. |


Message Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| username | String | Yes | The client’s username. |
| password | String | Yes | The client’s password in cleartext. |

Returns

A FireFlowAuthenticationResponse response. See FireFlowAuthenticationResponse (on page 257).

FireFlowCreateTicketRequest

Description

Creates a new FireFlow change request.

Header Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| version | String | Yes | The API version. |
| sid | String | Yes | The client’s session identifier. |
| onBehalfOf | String | No | The name of the user on whose behalf to act. If acting on a user's behalf is not allowed, the action will fail and the response will indicate the reason. |
| opaque | String | No | A value that will be echoed in the response. This value must be maximum 1024 characters in length. |

Message Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| template | String | Yes | The request template of the new change request. In the current API version, this element's value must be Standard. |
| ticket | Ticket | Yes | A Ticket object. See Ticket (on page 259). |

Returns

A FireFlowCreateTicketResponse response. See FireFlowCreateTicketResponse (on page 258).


FireFlowTerminateSessionRequest

Description

Terminates the current session.

Header Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| version | String | Yes | The API version. |
| sid | String | Yes | The client’s session identifier. |
| opaque | String | No | A value that will be echoed in the response. This value must be maximum 1024 characters in length. |

Message Elements

None.

Returns

A FireFlowTerminateSessionResponse response. See FireFlowTerminateSessionResponse (on page 258).

FireFlowAuthenticationResponse

Description

The response to an authentication attempt.

Header Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| version | String | Yes | The API version. |
| opaque | String | No | A value that is echoed from the request. |

Message Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| result | Integer | Yes | An indicator of the authentication's outcome. A value of 1 indicates success. |
| sid | String | Yes | The session identifier. |
| message | String | No | A message describing the authentication's outcome in English. |


FireFlowCreateTicketResponse

Description

A general response to various services.

Header Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| version | String | Yes | The API version. |
| opaque | String | No | A value that is echoed from the request. |

Message Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| result | Integer | Yes | An indicator of the authentication's outcome. A value of 1 indicates success. |
| message | String | No | A message describing the authentication's outcome in English. |
| ticketId | Integer | Yes | The newly created change request's ID number. |

FireFlowTerminateSessionResponse

Description

The response to the session termination request.

Header Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| version | String | Yes | The API version. |
| opaque | String | No | A value that is echoed from the request. |

Message Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| result | Integer | Yes | An indicator of the authentication's outcome. A value of 1 indicates success. |
| sid | String | Yes | The terminated session's identifier. |
| message | String | No | A message describing the authentication's outcome in English. |


Data Types

Ticket

Description

A FireFlow change request.

Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| owner | String | No | The email address of the change request owner. |
| requestor | String | Yes | The email address of the requestor. |
| cc | List of Strings | No | A list of email addresses to which the FireFlow system should send copies. |
| subject | String | Yes | The change request's title. |
| due | String | No | The date by which this change request should be resolved, in the format: date, GMT |
| expire | String | No | The date on which this change request will expire, in the format: date, GMT |
| priority | Integer | No | A number indicating this request's priority, where 0 indicates lowest priority. |
| refersTo | Integer | No | The ID number of a change request to which this change request refers. |
| referredBy | Integer | No | The ID numbers of a change request that refer to this change request. |
| externalId | String | No | The ID number of an external system change request to which this change request should be linked. |
| devices | List of Strings | No | A list of device names, on which the change should be made. |
| description | String | No | A free text description of the issue. |
| trafficLines | List of TrafficLine objects | No | A list of traffic tuples. See TrafficLine (on page 260). |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |


TrafficLine

Description

A traffic tuple in a FireFlow change request.

Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| trafficSource | List of TrafficAddress objects | Yes | A list of source IP addresses. See TrafficAddress (on page 260). |
| trafficDestination | List of TrafficAddress objects | Yes | A list of destination IP addresses. See TrafficAddress (on page 260). |
| trafficService | List of TrafficService objects | Yes | A list of traffic services. See TrafficService (on page 261). |
| nat | TrafficNAT | No | NAT for the defined traffic. See TrafficNAT (on page 261). |
| action | Integer | Yes | The device action to perform for the connection. This can be either of the following: 1: Allow the connection. 0: Block the connection. Note: All traffic tuples in a change request must have the same action. |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |

TrafficAddress

Description

An address in a traffic tuple.

Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| address | String | Yes | The IP address, IP range, network, device object, or DNS name of the connection source. |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |


TrafficService

Description

A service in a traffic tuple.

Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| service | String | Yes | The device service or port for the connection (for example "http" or "tcp/123"). |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |

TrafficNAT

Description

Network Address Translation (NAT) information for a traffic tuple.

Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| source | String | Yes | The source NAT value after translation. |
| destination | String | Yes | The destination NAT value after translation. |
| port | String | Yes | The port value after translation. |
| type | Integer | No | The type of NAT. The possible values are: 0: Static NAT. 1: Dynamic NAT. |

CustomField

Description

A custom field in a FireFlow change request.

Elements

| Element | Type | Mandatory | Description |
|---|---|---|---|
| Key | String | Yes | The custom field's name. |
| value | String | Yes | The custom field's value. |
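A pre-submission check for a FireFlowCreateTicketRequest, derived from the element tables above: mandatory elements, the 1024-character opaque limit, the Standard template, and the rule that all traffic tuples share one action. It is an added example, not AlgoSec code; representing the request as Python dicts keyed by the documented element names is an assumption (the wire format is defined by the WSDL), and the sample values, including the version string, are constructed.

```python
MAX_OPAQUE = 1024  # header tables: opaque is at most 1024 characters


def _require(obj, names, where, errors):
    """Record every mandatory element that is absent or empty."""
    for name in names:
        if obj.get(name) in (None, "", []):
            errors.append(f"{where}: missing mandatory element '{name}'")


def _check_traffic_line(line, where, errors):
    """Validate one TrafficLine and return its action, or None if invalid."""
    _require(line, ["trafficSource", "trafficDestination", "trafficService"], where, errors)
    for field in ("trafficSource", "trafficDestination"):
        for addr in line.get(field) or []:
            _require(addr, ["address"], f"{where}.{field}", errors)
    for svc in line.get("trafficService") or []:
        _require(svc, ["service"], f"{where}.trafficService", errors)
    nat = line.get("nat")
    if nat is not None:
        # TrafficNAT: source, destination and port are mandatory, type is optional.
        _require(nat, ["source", "destination", "port"], f"{where}.nat", errors)
        if "type" in nat and nat["type"] not in (0, 1):
            errors.append(f"{where}.nat: type must be 0 (static) or 1 (dynamic)")
    action = line.get("action")
    if action not in (0, 1):
        errors.append(f"{where}: action must be 1 (allow) or 0 (block)")
        return None
    return action


def validate_create_ticket(header, template, ticket):
    """Return a list of violations of the documented request constraints."""
    errors = []
    _require(header, ["version", "sid"], "header", errors)
    if len(header.get("opaque") or "") > MAX_OPAQUE:
        errors.append("header: opaque is longer than 1024 characters")
    if template != "Standard":
        errors.append("message: template must be 'Standard' in this API version")
    _require(ticket, ["requestor", "subject"], "ticket", errors)
    actions = set()
    for index, line in enumerate(ticket.get("trafficLines") or [], 1):
        action = _check_traffic_line(line, f"trafficLines[{index}]", errors)
        if action is not None:
            actions.add(action)
    if len(actions) > 1:
        errors.append("ticket: all traffic tuples must have the same action")
    return errors


# Constructed sample request; addresses, IDs and names are illustrative only.
SAMPLE_HEADER = {"version": "1", "sid": "constructed-session-id"}
SAMPLE_TICKET = {
    "requestor": "requestor@example.test",
    "subject": "Allow web access to the DMZ server",
    "externalId": "CRQ-constructed-0001",
    "trafficLines": [
        {
            "trafficSource": [{"address": "10.0.0.0/24"}],
            "trafficDestination": [{"address": "192.0.2.10"}],
            "trafficService": [{"service": "http"}, {"service": "tcp/123"}],
            "action": 1,
        }
    ],
}

if __name__ == "__main__":
    result = validate_create_ticket(SAMPLE_HEADER, "Standard", SAMPLE_TICKET)
    print(result or "request is valid")
```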


CHAPTER 20

Using the AlgoSec FireFlow Copy Customization Utility

AlgoSec® FireFlow™ includes a copy customization utility that can be used to copy user customizations between sites. This section explains how to use this utility.

In This Chapter

Overview
Creating a Customizations File
Loading a Customizations File to the Target Site

Overview

The AlgoSec FireFlow copy customization utility can be used to copy the following user customizations between sites:

- Database entities
- Configuration files
- Translation files
- Scripts for uploading change requests from file
- Hook files
- Web Service clients

Database Entities

The utility copies the following database entities:

- Queues
  The following information is copied for each queue:
  - Description
  - CorrespondAddress
  - CommentAddress
  - InitialPriority
  - FinalPriority
  - DefaultDueIn
  - SubjectTag
  - Disabled
  - Attributes: AdminGroupID, SecurityGroupID, NetworkGroupID, ReadOnlyGroupID, ControllersGroupID (according to the ID of the created groups)


  Note: If a queue's name is changed on the original site, the utility will create both a queue with the original name and a queue with the new name on the target site.
- Groups
  The following information is copied for each group:
  - Description
  - Disabled
  - Global rights, including rights for roles
  - Queue rights per queue, including rights for roles
  - Group rights
  - Home Page settings
  - The group's membership in other groups
  Note: When updating FireFlow, global rights, queue rights, and group rights that are not in a customization file will be revoked.
  Note: If a group's name is changed on the original site, the utility will create both a group with the original name and a group with the new name on the target site.
  Note: Since the utility does not copy users and their group memberships, it will be necessary to define the users as members of the new group on the target site.
- Custom fields
  All custom fields are copied, including those for change requests, users, and groups.
  The following information is copied for each custom field:
  - Description
  - DisplayName
  - Type
  - ValuesClass
  - LookupType
  - Pattern
  - LinkValueTo
  - IncludeContentForValue
  - Category
  - DefaultValue
  - Disabled
  - HideIfEmpty
  Note: When updating FireFlow, custom fields that do not appear in the customization file will be removed. Furthermore, custom fields referring to queues, system group rights, or user-defined group rights that do not appear in the customization file will be removed.
  Note: If a custom field's name is changed on the original site, the utility will create both a custom field with the original name and a custom field with the new name on the target site.
- Request templates
  The following information is copied for each request template:
  - Description
  - All defined values


  Note: If a request template's name is changed on the original site, the utility will create both a template with the original name and a template with the new name on the target site.
  Note: Request templates cannot be disabled; therefore, the utility will not remove them from the target site.
- Email templates
  All email templates are copied, including both global and per queue.
  The following information is copied for each email template:
  - Name
  - Description
  - Content
  Note: Email templates cannot be disabled; therefore, the utility will not remove them from the target site.
- Scrips
  All scrips are copied, including both global and per queue.
  The following information is copied for each scrip:
  - Description
  - Stage
  - CustomIsApplicableCode (in case of a user-defined condition)
  - CustomPrepareCode (in case of a user-defined action)
  - CustomCommitCode (in case of a user-defined action)
  - ScripAction name
  - ScripCondition name
  - Email Template name
  Note: FireFlow scrips have no name; therefore, if two scrips have the same description, only one of them will be updated.
- Saved searches
- Global Home Page settings

Configuration Files

The utility copies the following configuration files:

- The workflow configuration file /usr/share/fireflow/local/etc/site/Workflows_Config.xml
  The utility overwrites this file on the target site.
- All workflow files located under /usr/share/fireflow/local/etc/site/Workflows/
  The utility overwrites everything in this folder on the target site.
- The suggested source/destination addresses list /usr/share/fireflow/local/etc/site/SuggestedAddressObjects_Config.xml
  The utility overwrites this file on the target site.
- The FireFlow site configuration file /usr/share/fireflow/local/etc/site/FireFlow_SiteConfig.pm


  The utility adds all parameters in the file that do not include the words Email, Password, Address, or FAUser to the parallel file on the target site, that is, all user and password-related parameters are not copied. Other parameters are updated or added to the end of the file on the target site.

  The file on the original site is backed up before it is edited.

Translation Files

The utility copies all translation files located under /usr/share/fireflow/local/etc/site/po.

Upload Change Requests from File Scripts

The utility copies all scripts for uploading change requests from file, located under /usr/share/fireflow/local/etc/site/bin.

Hook Files

The utility copies all hook files and related configuration files located under /usr/share/fireflow/local/Hooks and /usr/share/fireflow/local/etc/site/Hooks.

Web Service Clients

The utility copies all Web service clients located under /usr/share/fireflow/local/WebServiceClient/. It overwrites everything in this folder on the target site.

Creating a Customizations File

In order to copy customizations from the original site to a target site, you must create a customizations file using the following procedure.

To create a customizations file

1 On the original site, open a terminal and log in using the username "root" and the related password.

2 Enter the following command:

/usr/share/fireflow/local/sbin/copy_fireflow_customization.pl --run -d -f CustFile [-e]

For information on the command's flags, see the following table.

A customizations file is created containing the data described in Overview (on page 263), and saved to the current directory.

Customizations Utility Flags

| Flag | Description |
|---|---|
| -f CustFile | The name under which to save the customizations file. The default value is user_customizations_yyyy-mm-dd-hhmmss.tar.gz, where yyyy-mm-dd-hhmmss is a timestamp. For example: user_customizations_2010-09-07-091318.tar.gz |
| -e | Do not include disabled groups and disabled custom fields in the customizations file. |

Loading a Customizations File to the Target SiteOnce you have created a customizations file, you can load it to the target site.

 

To load a customizations fi le to the target site

1 On the target site, open a terminal and log in using the username "root" and the related password.

Important: The "root" user must have read permissions for the customizations file; otherwise, loading thefile will fail.

2 Enter the following command:

/usr/share/fireflow/local/sbin/copy_fireflow_customization.pl --run -l -f  CustFile [-u] [-r ]

For information on the command's flags, see the following table.The f i r ef l ow_backup utility runs and backs up FireFlow to the directory/ var / f i r ef l ow/ backup.

Apache Web service and FireFlow workers both stop.

The customizations file is loaded to the target site. Data is overwritten and/or added as described in Overview (on page 263).

Apache Web service restarts.

FireFlow workers start automatically every 5 minutes, as configured on the server’s cron.

3 Refresh the workflows, by doing the following:

a) Access VisualFlow.

See Accessing VisualFlow (on page 74).

b) In the VisualFlow main menu, click Workflow Installation.

The Workflow Installation page appears.

A confirmation message appears.

c) Click OK.

d) Click Refresh Workflows.

The workflows are loaded into FireFlow.

Customizations Utility Flags

Flag          Description

-f CustFile   The name of the customizations file to load. Note: The file must be located in the current directory.

-u            Update existing elements on the target site with data from the customizations file. If this flag is not used, only new elements will be added.

-r            Remove database entities that do not appear in customizations file from the target site. The entities will be marked as disabled.
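
An added example (not part of the AlgoSec guide): a pre-flight check to run on the target site before the load command, covering the guide's two requirements (file in the current directory, readable by the loading user) plus integrity checks on the archive. The SHA-256 hand-off between sites, the function names and the sample archive are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before loading a customizations file as root.
# preflight_custfile FILE EXPECTED_SHA256   (hypothetical helper, not a FireFlow tool)
#   FILE            customizations file name; must sit in the current directory
#   EXPECTED_SHA256 digest recorded on the original site (assumed hand-off step)
preflight_custfile() {
    file=$1 expected=$2
    # The guide requires the file to be in the current directory: reject paths.
    case $file in
        */*|"") echo "FAIL: give a bare file name in the current directory" >&2; return 1 ;;
    esac
    # The guide requires read permission for the user running the load.
    [ -f "$file" ] && [ -r "$file" ] || { echo "FAIL: $file missing or unreadable" >&2; return 1; }
    # Integrity: compare with the digest taken right after the file was created.
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "FAIL: SHA-256 mismatch" >&2; return 1; }
    # Must be a readable gzip tar with no absolute or parent-directory members.
    members=$(tar -tzf "$file" 2>/dev/null) || { echo "FAIL: not a gzip tar archive" >&2; return 1; }
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "FAIL: archive member escapes the extraction directory" >&2; return 1
    fi
    echo "OK: $file"
}

# Constructed sample: build a stand-in archive in a temp directory and check it.
demo_preflight() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    echo "constructed sample data" > sample.txt
    tar -czf user_customizations_sample.tar.gz sample.txt
    digest=$(sha256sum user_customizations_sample.tar.gz | cut -d' ' -f1)
    preflight_custfile user_customizations_sample.tar.gz "$digest" && rc=0 || rc=$?
    cd / && rm -rf "$dir"
    exit "$rc"
)

demo_preflight
```

Run the load command only after the check prints OK; because loading overwrites data on the target site, a failed check is the point to stop and re-copy the file.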


 

Index

A

About VisualFlow • 73
Accessing Online Help • 78
Accessing VisualFlow • 74, 136, 137, 139, 267
Action Condition Syntax • 102, 105, 164
Action Tag Attributes • 146, 149, 165
Adding Actions • 95, 136, 137, 138, 140, 141
Adding Parallel Action Logic • 103, 126
Adding SLA Notifications • 189
Adding SLOs • 129
Adding Statuses • 87, 137, 139
Adding the • 22, 23
Adding User Groups • 29, 139
Adding User-Defined Custom Fields • 44, 233
Adding Workflows • 78, 136, 137, 139, 146
Adding/Removing Optional NAT Fields in Change Requests • 226, 228
Adding/Removing Standard NAT Fields in Change Requests • 223
Advanced Configuration Options • 2
Advanced Configuration Tools • 3
Assigning Global and Queue Rights to User Groups • 31, 33, 35
Automatically Sending Work Orders to an Implementation Team • 228

Comprehensive Example • 86, 126, 146, 176
Condition Tag Attributes and Syntax • 163
Condition Tag Syntax • 144, 145
Configuration Files • 265
Configuration Options • 1
Configuring a Group's Global and Queue Rights • 35, 139, 141
Configuring Authentication to FireFlow • 236
Configuring Automatic Approval of Minor Rule Changes • 212
Configuring Automatic Initial Planning • 205
Configuring Change Request Creation from File • 2, 61, 62
Configuring FireFlow for Use with Remedy • 244, 245
Configuring FireFlow to Use a Web Service • 240
Configuring FireFlow's Default Interface Language • 220
Configuring Global Built-in Rights for Groups • 178
Configuring Global Built-in Rights for Users • 181
Configuring Global Rights for Groups • 35, 178
Configuring Global Rights for Users • 178, 181
Configuring Global User-Defined Rights for Groups • 181
Configuring Global User-Defined Rights for Users • 182
Configuring Group Rights for Custom Fields • 31, 33, 36
Configuring Group Rights for FireFlow Fields • 36, 39, 44
Configuring Group Rights for User-Defined Custom Fields • 36, 37, 43, 46
Configuring How Long the Device Objects List Is Stored in Cache • 214
Configuring Queue Built-in Rights for Groups • 183
Configuring Queue Built-in Rights for Users • 186
Configuring Queue Rights for Groups • 35, 178, 183
Configuring Queue Rights for Users • 178, 186
Configuring Remedy Email Security • 244, 248
Configuring the • 213
Configuring the Change Request History Order • 200
Configuring the Date Format • 210
Configuring the Default Authentication Action • 226
Configuring the Default Due Date for Change Requests Marked for Future Recertification • 215
Configuring the Default Due Date for Recertification Requests • 215
Configuring the Default Due Date for Rule Removal Requests • 213
Configuring the FireFlow Web Service • 3, 255
Configuring the Handling of NAT-Only Traffic Changes • 227
Configuring the List of User Properties • 172, 216
Configuring the Maximum Rows Displayed in Auto Matching Page Sub-Lists • 201


Configuring the Maximum Rows Displayed in Home Page Lists • 200
Configuring the No-Login Web Form's Requestor Field as Read-Only • 212
Configuring the Order of User-Defined Custom Fields • 52
Configuring the Remedy Filter • 244, 249
Configuring the Remedy Incoming Mailbox • 244, 246
Configuring the Remedy Outgoing Mailbox • 244, 247
Configuring the Risk Check Method for Change Requests with Multiple Devices • 207
Configuring the Time Frame for Items Displayed in Auto Matching Page Lists • 201
Configuring Whether Emails to Related Change Requestors Include the Rule to be Removed • 214
Configuring Whether the Standard Template Appears in the Request Templates Page • 210
Configuring Whether Traffic Fields Are Mandatory • 203
Configuring Work Order Creation for • 204
Consulting Log Files • 4
Contacting Technical Support • 5
Controlling Whether Wizard Tabs Appear • 57
Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors • 57
Controlling Whether Wizard Tabs Appear in the No-Login Form • 57, 60
Creating a Customizations File • 266
Creating Change Requests via the REST Interface • 236, 237
CustomField • 259, 260, 261
Customizing Pre-defined Search Results • 13, 22
Customizing the Appearance of Pre-defined Search Results • 22
Customizing the Common Services List • 56
Customizing the FireFlow Home Page • 2, 13
Customizing the Home Page Globally • 13, 14
Customizing the Home Page per Group • 13, 18, 31, 33, 92, 160, 206
Customizing the Source, Destination, and Service Wizards • 2, 55
Customizing the Suggested Sources/Destinations List • 55

Data Types • 259
Database Entities • 263
Deleting Actions • 94, 128, 136, 138, 141
Deleting SLA Notifications • 197
Deleting SLOs • 132
Deleting Statuses • 94
Deleting Workflows • 133, 165
Disabling Change Request Creation from File • 64
Disabling Privileged Users • 25
Disabling User Groups • 41
Disabling User-Defined Custom Fields • 51
Disabling Workflows • 165
Discarding Workflow Changes • 73, 135

Editing Actions • 127, 136, 138, 140
Editing FireFlow Fields • 49
Editing SLA Notifications • 194
Editing SLOs • 94, 132
Editing Statuses • 93
Editing the Workflow Configuration File • 143, 147
Editing User Groups • 32
Editing User-Defined Custom Fields • 49
Editing Workflows • 87, 136, 137, 139
Email Addresses • 245, 249, 251
Email Integration Steps • 244
Enabling Privileged Users • 27
Enabling User Groups • 41
Enabling User-Defined Custom Fields • 51
Enabling/Disabling Automatic Creation of Requestors upon Authentication • 211, 233
Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets • 106, 108, 113, 115, 216
Enabling/Disabling Multiple Traffic Rows in Change Requests • 202
Enabling/Disabling Sub-Request Traffic Modification • 203
Enabling/Disabling Traffic Field Validation • 203, 204
Enabling/Disabling Translation of Object IP Addresses and Ports in Work Orders • 205
Enabling/Disabling User Group Authentication during Initial Planning • 227
Example
  Adding Another Approve Stage • 139
  Allowing the Network Group to Approve Change Requests • 137
  Removing the Notify Requestor Stage • 136
Examples • 136


Exiting VisualFlow • 78

FireFlow Advanced Configuration • 1
FireFlow Services • 255
FireFlowAuthenticateRequest • 255
FireFlowAuthenticationResponse • 256, 257
FireFlowCreateTicketRequest • 256
FireFlowCreateTicketResponse • 256, 258
FireFlowTerminateSessionRequest • 257
FireFlowTerminateSessionResponse • 257, 258
Flat Ticket Example • 69, 105, 116, 169, 170, 171, 174, 175, 176
Flat Ticket Nodes • 105, 106

GetExternalRisks • 169
GetFirewallGroupName • 170
GetRealGroupName • 171
GetRequestorSearches • 172
Getting Started with VisualFlow • 74
GetWorkFlowName • 174

Hiding Change Request Fields • 202
Hook Files • 266
Hook Functions • 168, 169

Importing User Data from an LDAP Server • 3, 211, 233
Installing Workflows • 73, 134, 136, 139, 141
Integrating FireFlow via a CMS's Web Service • 235, 239
Integrating FireFlow via Email • 235, 244
Integrating FireFlow via the REST Interface • 235
Integrating FireFlow with External Change Management Systems • 3, 235
Introduction • 1

Loading a Customizations File to the Target Site • 267
Logging in for Advanced Configuration Purposes • 3, 7, 14, 18, 22, 23, 25, 27, 29, 32, 33, 35, 41, 44, 49, 51, 52, 57, 66, 74, 136, 137, 139, 178, 181, 183, 189, 194, 196, 197, 228, 240, 246

Managing Email Subscriptions to SLA Notifications • 196
Managing Group Members • 31, 33
Modifying Email Templates • 66
Modifying FireFlow Email Templates • 2, 65
Modifying FireFlow Interface Text • 3, 222
Modifying Workflows • 164

Overriding FireFlow System Defaults • 2, 199
Overriding Specific System Default Settings • 199, 200
Overriding System Default Settings • 60, 199
Overview • 13, 43, 61, 65, 71, 133, 143, 167, 177, 189, 235, 255, 263, 266, 267

Preparation • 244, 245

Remedy Filter Text • 251, 252
Remedy User • 245, 249
Reordering Actions • 128, 137, 140
Reordering Statuses • 94, 137, 140
Reordering Workflows • 133
Replacing the Logo • 2, 218
REST Interface Integration Steps • 236
Restarting FireFlow • 4, 11, 56, 60, 63, 64, 127, 135, 136, 139, 141, 144, 147, 165, 166, 168, 199, 200, 201, 202, 203, 204, 205, 207, 210, 211, 212, 213, 214, 215, 216, 217, 221, 222, 227, 228, 231, 240, 245
Reverting to System Defaults • 231
Reverting to the System Default Workflow via XML • 166

Setting the Default Workflow • 133
Status Tag Attributes • 146, 160, 165
SuggestCommentSuffix • 174
SuggestHostName • 175
Supported Boolean Operators • 81, 86, 106, 126, 145
Supported Comparison Operators • 106, 125
Supported Fields • 81, 145

The VisualFlow User Interface • 75


Ticket • 256, 259
TrafficAddress • 260