You are on page 1of 280

AlgoSec FireFlow

Advanced Configuration Guide


Release 6.3

Printed on 2 September, 2012

Copyright 2003-2012 AlgoSec Systems Ltd. All rights reserved


AlgoSec and FireFlow are registered trademarks of AlgoSec Systems Ltd. and/or its affiliates in the U.S.
and certain other countries.
Check Point, the Check Point logo, ClusterXL, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
INSPECT, INSPECT XL, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient,
SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate,
SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard,
SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView
Reporter, SmartView Status, SmartViewTracker, UserAuthority, VPN-1, VPN-1 Edge, VPN-1 Pro, VPN-1
SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, are trademarks or
registered trademarks of Check Point Software Technologies Ltd. or its affiliates.
Cisco, the Cisco Logo, Cisco IOS, IOS, PIX, are trademarks or registered trademarks of Cisco Systems, Inc.
and/or its affiliates in the U.S. and certain other countries.
Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of
Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of
Juniper Networks, Inc.
All other product names mentioned herein are trademarks or registered trademarks of their respective
owners.
Specifications subject to change without notice.
Limited Liability Statement
In no event will AlgoSec Systems Ltd be liable for any loss of data; lost opportunity for profits; cost of
cover; or special, incidental, consequential or indirect damages arising from the use of this software.
Proprietary & Confidential Information
This document contains proprietary information. Neither this document nor said proprietary information
shall be published, reproduced, copied, disclosed, or used for any purpose other than the review and
consideration of this material without written approval from AlgoSec Systems Ltd., 1900 Campus
Commons Drive, Suite 100, Reston, VA 20191.
The software contains proprietary information of AlgoSec Systems Ltd; it is provided under a license
agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse
engineering of the software is prohibited.
Due to continued product development this information may change without notice. The information and
intellectual property contained herein is confidential between AlgoSec Systems Ltd. and the client and
remains the exclusive property of AlgoSec Systems Ltd. If you find any problems in the documentation,
please report them to us in writing. AlgoSec Systems Ltd. does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of AlgoSec Systems Ltd.
AlgoSec Systems Ltd.
1900 Campus Commons Drive, Suite 100
Reston, VA 20191

Contents
Introduction ................................................................................................................................................... 1
FireFlow Advanced Configuration ............................................................................................................................................... 1
Configuration Options ................................................................................................................................................................. 1
Advanced Configuration Options ................................................................................................................................................ 2
Advanced Configuration Tools .................................................................................................................................................... 3
Consulting Log Files ................................................................................................................................................................... 4
Contacting Technical Support ..................................................................................................................................................... 5

Logging in for Advanced Configuration Purposes .................................................................................... 7


Restarting FireFlow..................................................................................................................................... 11
Customizing the FireFlow Home Page ...................................................................................................... 13
Overview ................................................................................................................................................................................... 13
Customizing the Home Page Globally ...................................................................................................................................... 14
Customizing the Home Page per Group ................................................................................................................................... 18
Customizing Pre-defined Search Results ................................................................................................................................. 22
Customizing the Appearance of Pre-defined Search Results ........................................................................................... 22
Adding the "Certify Change Requests" Button to Pre-Defined Search Results ................................................................. 23

Working with Users..................................................................................................................................... 25


Disabling Privileged Users ........................................................................................................................................................ 25
Enabling Privileged Users ......................................................................................................................................................... 27

Working with User Groups ......................................................................................................................... 29


Adding User Groups ................................................................................................................................................................. 29
Editing User Groups.................................................................................................................................................................. 32
Managing Group Members ....................................................................................................................................................... 33
Assigning Global and Queue Rights to User Groups................................................................................................................ 35
Configuring a Group's Global and Queue Rights .............................................................................................................. 35
Configuring Group Rights for Custom Fields ............................................................................................................................ 36
Configuring Group Rights for User-Defined Custom Fields............................................................................................... 37
Configuring Group Rights for FireFlow Fields ................................................................................................................... 39
Disabling User Groups .............................................................................................................................................................. 41
Enabling User Groups............................................................................................................................................................... 41

Working with Custom Fields ...................................................................................................................... 43


Overview ................................................................................................................................................................................... 43
Adding User-Defined Custom Fields......................................................................................................................................... 44
Editing User-Defined Custom Fields ......................................................................................................................................... 49
Editing FireFlow Fields.............................................................................................................................................................. 49
Disabling User-Defined Custom Fields ..................................................................................................................................... 51
Enabling User-Defined Custom Fields ...................................................................................................................................... 51

AlgoSec FireFlow

Release 6.3

Configuring the Order of User-Defined Custom Fields ............................................................................................................. 52

Customizing the Source, Destination, and Service Wizards ................................................................... 55


Customizing the Suggested Sources/Destinations List ............................................................................................................ 55
Customizing the Common Services List ................................................................................................................................... 56
Controlling Whether Wizard Tabs Appear ................................................................................................................................ 57
Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors .............................................................. 57
Controlling Whether Wizard Tabs Appear in the No-Login Form ...................................................................................... 60

Configuring Change Request Creation from File ..................................................................................... 61


Overview ................................................................................................................................................................................... 61
Configuring Change Request Creation from File ...................................................................................................................... 62
Disabling Change Request Creation from File.......................................................................................................................... 64

Modifying FireFlow Email Templates ........................................................................................................ 65


Overview ................................................................................................................................................................................... 65
Modifying Email Templates ....................................................................................................................................................... 66

Working with Workflows in VisualFlow..................................................................................................... 71


Overview ................................................................................................................................................................................... 71
About VisualFlow ...................................................................................................................................................................... 73
Getting Started with VisualFlow ................................................................................................................................................ 74
Accessing VisualFlow ........................................................................................................................................................ 74
The VisualFlow User Interface .......................................................................................................................................... 75
Viewing Workflow Layouts................................................................................................................................................. 76
Accessing Online Help ...................................................................................................................................................... 78
Exiting VisualFlow ............................................................................................................................................................. 78
Adding Workflows ..................................................................................................................................................................... 78
Workflow Condition Syntax ....................................................................................................................................................... 81
Supported Fields ............................................................................................................................................................... 81
Supported Boolean Operators ........................................................................................................................................... 86
Comprehensive Example .................................................................................................................................................. 86
Editing Workflows ..................................................................................................................................................................... 87
Working with Statuses .............................................................................................................................................................. 87
Adding Statuses ................................................................................................................................................................ 87
Editing Statuses................................................................................................................................................................. 93
Reordering Statuses .......................................................................................................................................................... 94
Deleting Statuses .............................................................................................................................................................. 94
Working with Actions................................................................................................................................................................. 95
Adding Actions................................................................................................................................................................... 95
Action Condition Syntax .................................................................................................................................................. 105
Adding Parallel Action Logic ............................................................................................................................................ 126
Editing Actions ................................................................................................................................................................. 127
Reordering Actions .......................................................................................................................................................... 128
Deleting Actions............................................................................................................................................................... 128
Working with SLAs .................................................................................................................................................................. 129
Adding SLOs ................................................................................................................................................................... 129
Editing SLOs.................................................................................................................................................................... 132
Deleting SLOs ................................................................................................................................................................. 132
Reordering Workflows............................................................................................................................................................. 133

Contents
Setting the Default Workflow................................................................................................................................................... 133
Deleting Workflows ................................................................................................................................................................. 133
Viewing the Workflow XML ..................................................................................................................................................... 134
Viewing Individual Workflows' XML Files ........................................................................................................................ 134
Viewing the Workflow Configuration File ......................................................................................................................... 134
Installing Workflows ................................................................................................................................................................ 134
Discarding Workflow Changes ................................................................................................................................................ 135
Examples ................................................................................................................................................................................ 136
Example: Removing the Notify Requestor Stage ............................................................................................................ 136
Example: Allowing the Network Group to Approve Change Requests ............................................................................ 137
Example: Adding Another Approve Stage ....................................................................................................................... 139

Working with Workflows via XML ............................................................................................................ 143


Editing the Workflow Configuration File .................................................................................................................................. 143
Workflow Configuration File Structure ............................................................................................................................. 144
Workflow Tag Attributes .................................................................................................................................................. 144
Condition Tag Syntax ...................................................................................................................................................... 145
Comprehensive Example ................................................................................................................................................ 146
Adding Workflows ................................................................................................................................................................... 146
Workflow File Structure ................................................................................................................................................... 148
Action Tag Attributes ....................................................................................................................................................... 149
Status Tag Attributes ....................................................................................................................................................... 160
Condition Tag Attributes and Syntax ............................................................................................................................... 163
Modifying Workflows ............................................................................................................................................................... 164
Disabling Workflows................................................................................................................................................................ 165
Deleting Workflows ................................................................................................................................................................. 165
Reverting to the System Default Workflow via XML ............................................................................................................... 166

Using Hooks .............................................................................................................................................. 167


Overview ................................................................................................................................................................................. 167
Using Hooks to Control Parameters ....................................................................................................................................... 167
Hook Functions ....................................................................................................................................................................... 169
GetExternalRisks ............................................................................................................................................................. 169
GetFirewallGroupName ................................................................................................................................................... 170
GetRealGroupName ........................................................................................................................................................ 171
GetRequestorSearches ................................................................................................................................................... 172
GetWorkFlowName ......................................................................................................................................................... 174
SuggestCommentSuffix ................................................................................................................................................... 174
SuggestHostName .......................................................................................................................................................... 175
ValidateTicket .................................................................................................................................................................. 175
ValidateWorkOrderEdit .................................................................................................................................................... 176
Comprehensive Example ........................................................................................................................................................ 176

Working with Rights ................................................................................................................................. 177


Overview ................................................................................................................................................................................. 177
Configuring Global Rights for Groups ..................................................................................................................................... 178
Configuring Global Built-in Rights for Groups.................................................................................................................. 178
Configuring Global User-Defined Rights for Groups ....................................................................................................... 181
Configuring Global Rights for Users ....................................................................................................................................... 181
Configuring Global Built-in Rights for Users .................................................................................................................... 181
Configuring Global User-Defined Rights for Users .......................................................................................................... 182

AlgoSec FireFlow

Release 6.3

Configuring Queue Rights for Groups..................................................................................................................................... 183


Configuring Queue Built-in Rights for Groups ................................................................................................................. 183
Configuring Queue Rights for Users ....................................................................................................................................... 186
Configuring Queue Built-in Rights for Users.................................................................................................................... 186

Working with SLA Notifications ............................................................................................................... 189


Overview ................................................................................................................................................................................. 189
Adding SLA Notifications ........................................................................................................................................................ 189
Editing SLA Notifications......................................................................................................................................................... 194
Managing Email Subscriptions to SLA Notifications ............................................................................................................... 196
Deleting SLA Notifications ...................................................................................................................................................... 197

Overriding FireFlow System Defaults ..................................................................................................... 199


Overriding System Default Settings ........................................................................................................................................ 199
Overriding Specific System Default Settings .......................................................................................................................... 200
Configuring the Maximum Rows Displayed in Home Page Lists..................................................................................... 200
Configuring the Change Request History Order .............................................................................................................. 200
Configuring the Maximum Rows Displayed in Auto Matching Page Sub-Lists................................................................ 201
Configuring the Time Frame for Items Displayed in Auto Matching Page Lists .............................................................. 201
Enabling/Disabling Multiple Traffic Rows in Change Requests ....................................................................................... 202
Hiding Change Request Fields ........................................................................................................................................ 202
Enabling/Disabling Sub-Request Traffic Modification...................................................................................................... 203
Configuring Whether Traffic Fields Are Mandatory ......................................................................................................... 203
Enabling/Disabling Traffic Field Validation ...................................................................................................................... 204
Configuring Work Order Creation for "No Action Required" Change Requests .............................................................. 204
Enabling/Disabling Translation of Object IP Addresses and Ports in Work Orders......................................................... 205
Configuring Automatic Initial Planning ............................................................................................................................. 205
Configuring the Risk Check Method for Change Requests with Multiple Devices .......................................................... 207
Configuring the Date Format ........................................................................................................................................... 210
Configuring Whether the Standard Template Appears in the Request Templates Page ................................................ 210
Enabling/Disabling Automatic Creation of Requestors upon Authentication ................................................................... 211
Configuring the No-Login Web Form's Requestor Field as Read-Only ........................................................................... 212
Configuring Automatic Approval of Minor Rule Changes ................................................................................................ 212
Configuring the "From" Address in Dashboard Emails .................................................................................................... 213
Configuring the Default Due Date for Rule Removal Requests....................................................................................... 213
Configuring How Long the Device Objects List Is Stored in Cache................................................................................. 214
Configuring Whether Emails to Related Change Requestors Include the Rule to be Removed ..................................... 214
Configuring the Default Due Date for Change Requests Marked for Future Recertification ........................................... 215
Configuring the Default Due Date for Recertification Requests ...................................................................................... 215
Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets ....................................................... 216
Configuring the List of User Properties............................................................................................................................ 216
Replacing the Logo.......................................................................................................................................................... 218
Configuring FireFlow's Default Interface Language ........................................................................................................ 220
Modifying FireFlow Interface Text ................................................................................................................................... 222
Adding/Removing Standard NAT Fields in Change Requests ........................................................................................ 223
Adding/Removing Optional NAT Fields in Change Requests ......................................................................................... 226
Configuring the Default Authentication Action ................................................................................................................. 226
Enabling/Disabling User Group Authentication during Initial Planning ............................................................................ 227
Configuring the Handling of NAT-Only Traffic Changes .................................................................................................. 227
Automatically Sending Work Orders to an Implementation Team ................................................................................... 228
Reverting to System Defaults ................................................................................................................................................. 231

Contents

Importing User Data from an LDAP Server ............................................................................................. 233


Integrating FireFlow with External Change Management Systems ...................................................... 235
Overview ................................................................................................................................................................................. 235
Integrating FireFlow via the REST Interface ........................................................................................................................... 235
REST Interface Integration Steps .................................................................................................................................... 236
Configuring Authentication to FireFlow............................................................................................................................ 236
Creating Change Requests via the REST Interface ........................................................................................................ 237
Integrating FireFlow via a CMS's Web Service ....................................................................................................................... 239
Web Service Integration Steps ........................................................................................................................................ 239
Configuring FireFlow to Use a Web Service.................................................................................................................... 240
Integrating FireFlow via Email................................................................................................................................................. 244
Email Integration Steps ................................................................................................................................................... 244
Preparation ...................................................................................................................................................................... 245
Configuring FireFlow for Use with Remedy ..................................................................................................................... 245
Configuring the Remedy Incoming Mailbox ..................................................................................................................... 246
Configuring the Remedy Outgoing Mailbox ..................................................................................................................... 247
Configuring Remedy Email Security ................................................................................................................................ 248
Configuring the Remedy Filter ......................................................................................................................................... 249
Remedy Filter Text .......................................................................................................................................................... 252

Configuring the FireFlow Web Service ................................................................................................... 255


Overview ................................................................................................................................................................................. 255
FireFlow Services ................................................................................................................................................................... 255
FireFlowAuthenticateRequest ......................................................................................................................................... 255
FireFlowCreateTicketRequest ......................................................................................................................................... 256
FireFlowTerminateSessionRequest ................................................................................................................................ 257
FireFlowAuthenticationResponse .................................................................................................................................... 257
FireFlowCreateTicketResponse ...................................................................................................................................... 258
FireFlowTerminateSessionResponse.............................................................................................................................. 258
Data Types.............................................................................................................................................................................. 259
Ticket ............................................................................................................................................................................... 259
TrafficLine ........................................................................................................................................................................ 260
TrafficAddress ................................................................................................................................................................. 260
TrafficService................................................................................................................................................................... 261
TrafficNAT ....................................................................................................................................................................... 261
CustomField .................................................................................................................................................................... 261

Using the AlgoSec FireFlow Copy Customization Utility ...................................................................... 263


Overview ................................................................................................................................................................................. 263
Database Entities ............................................................................................................................................................ 263
Configuration Files........................................................................................................................................................... 265
Translation Files .............................................................................................................................................................. 266
Upload Change Requests from File Scripts .................................................................................................................... 266
Hook Files........................................................................................................................................................................ 266
Web Service Clients ........................................................................................................................................................ 266
Creating a Customizations File ............................................................................................................................................... 266
Loading a Customizations File to the Target Site ................................................................................................................... 267

AlgoSec FireFlow

Release 6.3

Index........................................................................................................................................................... 269

CHAPTER 1

Introduction
This section introduces the AlgoSec FireFlow advanced configuration options and tools, as well as this
guide.

In This Chapter
FireFlow Advanced Configuration ..................................... 1
Configuration Options ........................................................ 1
Advanced Configuration Options ....................................... 2
Advanced Configuration Tools .......................................... 3
Consulting Log Files .......................................................... 4
Contacting Technical Support ............................................ 5

FireFlow Advanced Configuration


FireFlow comes with several built-in advanced configuration options. For example, it is possible to
customize FireFlow's look and feel or integrate FireFlow with other change management systems.
This guide discusses the various advanced configuration options available and the tools used to implement
them. It is intended for professional integrators and other technical users.

Configuration Options
You can perform the following customizations of FireFlow:

Adding, editing, and deleting requestors


Refer to the AlgoSec FireFlow User Guide, Managing Requestors in the Web Interface and Managing
Requestors in the Requestor Database.
Adding, editing, and deleting users
Refer to the AlgoSec FireFlow User Guide, Managing Privileged Users.
Adding, editing, and deleting user groups
See Working with User Groups (on page 29).
Adding, editing, and deleting custom fields
See Working with Custom Fields (on page 43).
Adding, editing, and deleting SLA notifications
See Working with SLA Notifications (on page 189).

AlgoSec FireFlow

Release 6.3

Advanced Configuration Options


You can perform the following advanced customizations of FireFlow:

Customizing the FireFlow Home page


See Customizing the FireFlow Home Page (on page 13).
Customizing the Source, Destination, and Services wizards
See Customizing the Source, Destination, and Service Wizards (on page 55).
Configuring change request creation from spreadsheet files attached to change requests
See Configuring Change Request Creation from File (on page 61).
Modifying existing email templates
See Modifying FireFlow Email Templates (on page 65).
Adding, editing, and deleting workflows
A change request's workflow determines which lifecycle stages it will pass through. You can customize
change request lifecycles, by creating new workflows, and by disabling or deleting the built-in
workflows. Furthermore, you can modify the set of conditions determining when each workflow should
be assigned.
You can modify workflows via the VisualFlow interface or via XML files. See Working with
Workflows in VisualFlow (on page 71) and Working with Workflows via XML (on page 143).
Customizing the FireFlow risk check
The FireFlow default traffic change request lifecycle includes the Approve stage, in which a risk check
is performed to determine whether implementing the change specified in a change request would
introduce risks. The risk check is based on device analyses produced by AlgoSec Firewall Analyzer
(AFA), a comprehensive device analysis solution that is a companion product of FireFlow.
It is possible to customize the FireFlow risk check, by configuring AFA to treat certain types of traffic as
non-threatening trusted traffic when it produces the devices analyses. This enables you to eliminate
false-alarms triggered by traffic that is necessary for the organization. In addition, you can create Risk
Profiles that specify the severity level of individual risks. FireFlow risk check will then use your custom
Risk Profiles to detect risks of your preferred risk level classification.
For information on configuring trusted traffic and Risk Profiles in AFA, refer to the AlgoSec Firewall
Analyzer User Guide.
Using hooks to control FireFlow parameters
You can streamline the change request lifecycle, by using hooks to control certain parameters, such as
the name of the workflow to assign the change request in the Request stage, or the device group against
which to check traffic. FireFlow will extract the desired parameters on the fly.
See Using Hooks (on page 167).
Configuring rights
See Working with Rights (on page 177).
Overriding FireFlow system defaults
See Overriding FireFlow System Defaults (on page 199).
Replacing the logo and/or texts in the FireFlow user interface
You can replace the logo in the FireFlow user interface with the organization's logo. See Replacing the
Logo (on page 218).

Introduction

In addition, you can replace the text that appear throughout the FireFlow user interface, either with
custom texts, or with translations into any language. See Modifying FireFlow Interface Text (on page
222).
Integrating FireFlow with a third-party Change Management System
See Integrating FireFlow with External Change Management Systems (on page 235).
Using the FireFlow Web service
See Configuring the FireFlow Web Service (on page 255).
Configuring the import of user data from an LDAP server into FireFlow
See Importing User Data from an LDAP Server (on page 233).
Performing change request migration
AlgoSec provides an API for performing a one-time migration of historic change requests from an
existing Change Management System to FireFlow. For further information, contact AlgoSec.
Customizing the incoming email parsing format
In organizations where submitting requests to FireFlow via email is supported, all request emails must
confirm to the following format by default:
Source: <source>
Destination: <destination>
Service: <service>
Action: <action>

where:
<source> is the IP address, IP range, network, device object, or DNS name of the connection

source.
<destination> is the IP address, IP range, network, device object, or DNS name of the

connection destination.
<service> is the device service or port for the connection.
<action> is the device action to perform for the connection. This can be either of the following:
allow - Allow the connection.
drop - Block the connection.
If desired, you can change the required format for request emails. For further information, contact
AlgoSec.

Advanced Configuration Tools


Advanced FireFlow customization is performed using the following tools:

FireFlow user interface


In order to perform advanced configurations via the FireFlow user interface, you must log in as a
FireFlow configuration administrator. See Logging in for Advanced Configuration Purposes (on page
7).
Original and override configuration files

AlgoSec FireFlow

Release 6.3

FireFlow includes a set of original configuration files that contain various FireFlow default settings. In
order to modify the default settings in a particular file, you create an override configuration file whose
content is copied from the original file and modified to suit your needs. If the override file exists,
FireFlow ignores the original file and refers only to the override file.
In order to access original and override files, you must log in to the FireFlow server via SSH with the
username "root". The default password for this user on an AlgoSec Hardware Appliance or a VM is
"algosec".
FireFlow restart utility
FireFlow includes a utility for restarting it after certain configuration changes are made. In order to use
this utility, you must log in to the FireFlow server via SSH with the username "root". The default
password for this user on an AlgoSec Hardware Appliance or a VM is "algosec". For further
information, see Restarting FireFlow (on page 11).
AlgoSec Firewall Analyzer user interface
In order to perform advanced configurations via the AlgoSec Firewall Analyzer user interface, you must
log in as an AFA administrator. For information on logging in to AlgoSec Firewall Analyzer, refer to the
AlgoSec FireFlow User Guide, Logging into the AlgoSec Firewall Analyzer Web Interface, or the
AlgoSec Firewall Analyzer User Guide.

Consulting Log Files


You can download a ZIP containing all FireFlow log files.
If desired, you can also access the following log files directly:

/usr/share/fireflow/var/log/fireflow.log. The main FireFlow log file.


/usr/share/fireflow/local/VisualFlow/log/production.log. The VisualFlow log file.
/var/log/httpd/error_log. The Apache error log file.

Note: In order to access these log files directly, you must log in to the FireFlow server via SSH with the
username "root". The default password for this user on an AlgoSec Hardware Appliance or a VM is
"algosec".

To download FireFlow logs


1 Log in to FireFlow.
2 In the toolbar, click Info.
The Info dialog box opens.

Introduction

3 Click Download Support Zip.


A ZIP file called FireFlow_support.zip is downloaded to your computer.
4 Click OK.

Contacting Technical Support


To contact AlgoSec Technical Support
1 Open any Web browser, and navigate to:
http://www.algosec.com/en/support/submit_service_request.php
2 Open a ticket.
3 Attach relevant logs to the ticket:
AFA or FireFlow logs, if the ticket concerns these products
HA logs, if the ticket concerns HA-related issues. For information on collecting these logs, refer to
the AlgoSec Hardware Appliance User Guide.

CHAPTER 2

Logging in for Advanced Configuration


Purposes
You can perform advanced configurations via the FireFlow user interface, when logged in as a FireFlow
configuration administrator. A FireFlow configuration administrator is a privileged user with FireFlow
Administrator - Allow FireFlow Advanced Configuration permissions. These permissions are granted in
AlgoSec Firewall Analyzer. For information, refer to the AlgoSec FireFlow User Guide, Adding and
Editing Users.
Note: After completing initial configuration, it is recommended to revoke FireFlow Administrator - Allow
FireFlow Advanced Configuration permissions for all users, in order to avoid accidental changes to the
configuration.

To log into FireFlow for advanced configuration purposes


1 In your browser's Address field, type https://<algosec_server>/algosec/ where
<algosec_server> is the AlgoSec server URL.
The AlgoSec Security Suite page appears.

2 Click FireFlow.

AlgoSec FireFlow

The FireFlow Login page appears.

3 Enter your username and password in the fields provided.


4 If the Domain field appears, type the name of the domain.
This field only appears when domains are enabled.
To login as management do not enter a domain name.
5 Click Login.

Release 6.3

Chapter 2

Logging in for Advanced Configuration Purposes

The FireFlow Home Page appears.

Advanced configuration settings can be accessed by clicking the Configuration and Advanced
Configuration main menu items. When domains are enabled, domain level administrators will not see the
Advanced Configuration option in the main menu.

CHAPTER 3

Restarting FireFlow
After making certain FireFlow configuration changes, it is necessary to restart all FireFlow workers that are
running background tasks, as well as restart Apache. The FireFlow restart utility enables you to perform all
the necessary restart actions with a single command.
Note: The procedures that require restarting FireFlow are marked as such in this guide.

To restart FireFlow
1 Log in to the FireFlow server using the username "root" and the related password.
2 Enter the following command:
restart_fireflow
All FireFlow workers that are currently running background tasks are restarted.
Apache is restarted.

11

CHAPTER 4

Customizing the FireFlow Home Page


This section explains how to customize the FireFlow Home page.

In This Chapter
Overview ............................................................................ 13
Customizing the Home Page Globally ............................... 14
Customizing the Home Page per Group ............................. 18
Customizing Pre-defined Search Results ........................... 22

Overview
If desired, you can customize the Home page on any of the following levels:

Globally
Global customization affects the Home page of all users. It enables adding or removing any screen
element.
See Customizing the Home Page Globally (on page 14).
Per group
Per-group customization affects the Home page of all users belonging to a specific user group. It enables
adding screen elements to the Home page, but not removing those that were added via global
customization.
See Customizing the Home Page per Group (on page 18).
Per user
Per-user customization affects the Home page of a specific user only. It enables adding screen elements
to the Home page, but not removing those that were added via global or per-group customization.
Refer to the AlgoSec FireFlow User Guide, Customizing the FireFlow Home Page.

Elements that can be added to the Home page include the following:

Pre-defined search results


FireFlow includes a set of pre-defined search results that you can include on the Home page. If desired,
you can customize them as described in Customizing Pre-defined Search Results (on page 22).
Custom search results
In order to include custom search results, you must save them under "FireFlow's saved searches". For
information on saving search results, refer to the AlgoSec FireFlow User Guide, Saving Searches.
Charts
In order to include a chart, you must save it under "FireFlow's saved searches". For information on
saving charts, refer to the AlgoSec FireFlow User Guide, Saving Charts.
Refresh fields

13

AlgoSec FireFlow

Release 6.3

Customizing the Home Page Globally


By default, the Home page is globally configured to include the Change Request I own pre-defined search
results and a Refresh field. If desired, you can add or remove elements.
Note: Elements that are added to the Home page via global customization cannot be removed via per-group
or per-user customization.

Note: When domains are enabled, domain level administrators will not see the Advanced Configuration
option in the main menu. To login as management do not enter a domain name.

To customize the Home page globally


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

3 Click Global.

14

Chapter 4

Customizing the FireFlow Home Page

The Admin/Global configuration page appears.

4 Click FireFlow Home Page.


The FireFlow Home Page appears.

5 For each element you want to add to the Home page, do the following:
a) In the Available list box, select the element you want to add.
15

AlgoSec FireFlow

Release 6.3

For information on each element, see the following table.


b) Click
.
The selected element moves to the right list box. The order that the elements appear in the box
represents the order in which they will appear in the Home page.
c) To move the element up or down in the box, select the element and click the
buttons.
d) To delete the element, select it and click Delete.
Your changes are saved.

or

Home Page Elements


Select this element...

To add this to the Home page...

"N" Soon to be due change


requests

Pre-defined search results consisting of a list of open change requests in the system
that have a due date that has passed, that is the current date, or that is the day after the
current date.

"N" Change Requests owned


by Controllers group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Controllers group.

"N" Change Requests owned


by Network group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Network group.

"N" Change Requests owned


by Security group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Security group.

"N" Change Requests Relevant Pre-defined search results consisting of a list of change requests in the system that
to My Groups
are relevant to the user groups to which you belong.
"N" Change Requests that are
due to be recertified

Pre-defined search results consisting of a list of traffic change requests in the system
that expired, and which should be recertified.

"N" Change Requests Flagged Pre-defined search results consisting of a list of change requests in the system that
by Requestor as "Change Does have been flagged by the requestor as "Change Does Not Work".
Not Work"
"N" Change Requests that
Received Requestor's
Response

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Validate stage and received the requestor's confirmation that the
requested change was implemented successfully.

"N" Change Requests to


Approve

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Approve stage.

"N" Change Requests to Create Pre-defined search results consisting of a list of change requests in the system that
Work Order
are currently in the Implement stage and awaiting a work order to be created.
"N" Change Requests to
Expire in the Next 30 days

Pre-defined search results consisting of a list of change requests in the system that
will expire within the next 30 days.

"N" Change Requests to


Implement

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Implement stage and awaiting implementation.

"N" Change Requests to Plan

Pre-defined search results consisting of all change requests in the system that are
currently in the Plan stage.

"N" Change Requests to


Review

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Review stage and awaiting a controller's review.

16

Chapter 4

Customizing the FireFlow Home Page

"N" Change Requests to Send


Removal Notification to Rule
Requestors

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Approve stage, and for which a rule removal notification will be
sent to the rule's traffic requestors.

"N" Change Requests to


Validate

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Validate stage.

"N" Change Requests Waiting Pre-defined search results consisting of a list of change requests in the system that
for Removal Response from
are currently in the Approve stage and awaiting confirmation from the rules traffic
Rule Requestors
requestors that the requested rule removal is approved.
"N" Change Requests Waiting Pre-defined search results consisting of a list of change requests in the system that
for Requestor's Response
are currently in the Validate stage and awaiting the requestor's confirmation that the
requested change was implemented successfully.
"N" New Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are new and still in the Request stage, and whose traffic has already been checked
against devices.

"N" New Recertification


Requests

Pre-defined search results consisting of a list of recertification requests in the system


that are new and still in the Request stage.

"N" Open Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are currently open.

"N" Parent Recertification


Requests Pending Sub
Requests Implementation

Pre-defined search results consisting of a list of parent recertification request in the


system that are currently in the Implement stage and awaiting implementation of the
relevant sub-requests.

"N" Parent Requests Pending


Sub Request Implementation

Pre-defined search results consisting of a list of parent requests in the system that are
currently in the Implement stage and awaiting implementation of the relevant
sub-requests.

"N" Recertification Requests


to Create Work Order

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Implement stage and awaiting a work order to be created.

"N" Recertification Requests


to Implement

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Implement stage and awaiting implementation.

"N" Recertification Requests


to Plan

Pre-defined search results consisting of all recertification requests in the system that
are currently in the Plan stage.

"N" Recertification Requests Pre-defined search results consisting of a list of recertification requests in the system
to Send Recertify Notification that are currently in the Approve stage, and for which a recertification notification
to Traffic Requestors
will be sent to the traffic requestors.
"N" Recertification Requests
to Validate

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Validate stage.

"N" Recertification Requests


Waiting for Recertify
Response from Traffic
Requestors

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Approve stage and awaiting confirmation from the traffic
requestors that the requested recertification is approved.

"N" Rejected Change Requests Pre-defined search results consisting of a list of change requests in the system that
were rejected.
"N" Resolved Change
Requests

Pre-defined search results consisting of a list of change requests in the system that
have been resolved.

"N" Total New Change


Requests

Pre-defined search results consisting of a list of all change requests in the system that
are new and still in the Request stage, including change requests whose traffic has
not yet been checked against devices.

17

AlgoSec FireFlow

Release 6.3

Bookmarked Change Requests A list of change requests that the user bookmarked.
My Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are owned by you.

RefreshHomepage

Controls for refreshing the page.

Unowned Change Requests

Pre-defined search results consisting of a list of change requests in the system that
currently have no owner.

Saved Search Name

A custom search that was saved under "FireFlow's saved searches", and which is
available to your user role.
For information on saving searches, see Saving Searches.

Chart Name

A chart that was saved under "FireFlow's saved searches", and which is available to
your user role.
For information on saving charts, see Saving Charts.

Search for chart Chart Name

A custom search on which a certain chart is based.

Customizing the Home Page per Group


By default, the Home page for a user group is configured to include certain pre-defined search results, as
well as the globally configured elements. If desired, you can add or remove elements.
Note: Elements that were added to the Home page via global customization cannot be removed via per-group
customization. Likewise, elements that are added to the Home page via per-group customization cannot be
removed via per-user customization.

To customize the Home page for a specific user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.

18

Chapter 4

Customizing the FireFlow Home Page

The FireFlow Configuration page appears.

3 Click Groups.
The Select a group page appears.

4 (Optional) To search for the desired group, do the following:

19

AlgoSec FireFlow

Release 6.3

a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) To include disabled groups in the search, select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.
The Editing membership for group page appears.

6 In the main menu, click FireFlow Home Page.

20

Chapter 4

Customizing the FireFlow Home Page

The FireFlow Home Page for the selected group appears.

7 For each element you want to add to the Home page, do the following:
a) In the Available list box, select the element you want to add.
For information on each element, see Home Page Elements (page 16).
b) Click
.
The selected element moves to the right list box. The order that the elements appear in the box
represents the order in which they will appear in the Home page.
Note: All custom elements will appear above the globally added pre-defined search results in the
Home page.
c) To move the element up or down in the box, select the element and click the
buttons.
d) To delete the element, select it and click Delete.
Your changes are saved.
8 To reset the page's fields to their default values, click Reset to default.

or

21

AlgoSec FireFlow

Release 6.3

Customizing Pre-defined Search Results


The pre-defined search results described in Home Page Elements (page 16) represent specific saved
searches. For example, "N" New Change Requests represents an advanced search for all change requests
with the status "New", and it displays search results in descending order sorted according to the LastUpdated
column.
If desired, you can customize the pre-defined search results' appearance, so as to include different columns,
sort order, number of results rows, and so on. See Customizing the Appearance of Pre-defined Search
Results (on page 22).
You can also add the Certify Change Requests button to pre-defined search results that consist of resolved
traffic change requests, so as to enable users to create recertification requests. See Adding the "Certify
Change Requests" Button to Pre-Defined Search Results (on page 23).

Customizing the Appearance of Pre-defined Search Results


To customize pre-defined search results' appearance
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Search.
The Query Builder page appears.

3 In the Load saved search drop-down list, under FireFlow's saved searches, select the relevant
pre-defined search.

22

Chapter 4

Customizing the FireFlow Home Page

4 Click Load.
The search is loaded.
5 In the Display Columns area, modify the search results' appearance as desired.
For information, refer to the AlgoSec FireFlow User Guide, Column Format Fields.
6 Click Save.
The pre-defined search's definition is modified.

Adding the "Certify Change Requests" Button to Pre-Defined Search


Results
To customize pre-defined search results' appearance
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Search.
The Query Builder page appears.
3 In the Load saved search drop-down list, under FireFlow's saved searches, select the relevant
pre-defined search.
4 Click Load.
The search is loaded.
5 In the main menu, click Edit Search - Advanced.
6 In the Format field, add:
/ALLOW_RECERTIFICATION

7 Click Apply.
The Query Builder page reappears with your changes.
8 Click Save.
The pre-defined search's definition is modified.

23

CHAPTER 5

Working with Users


This section explains how to enable and disable privileged users in FireFlow. For information on adding,
editing, and deleting privileged users, refer to the AlgoSec FireFlow User Guide, Managing Privileged
Users.

In This Chapter
Disabling Privileged Users ................................................. 25
Enabling Privileged Users .................................................. 27

Disabling Privileged Users


If desired, you can disable a privileged user, so that they no longer appears in the FireFlow interface.
Note: Values that were entered for a user before they were disabled are retained in the FireFlow database.
Note: Users that are deleted from AlgoSec Firewall Analyzer and FireFlow are demoted to requestors and
disabled. Refer to the AlgoSec FireFlow User Guide, Deleting Users.

To disable a privileged user


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.

25

AlgoSec FireFlow

The FireFlow Configuration page appears.

3 Click Users.
The Select a user page appears.

4 (Optional) To search for the desired user, do the following:

26

Release 6.3

Chapter 5

Working with Users

a) In the Find all users whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Click Go.
The users matching the search criteria are displayed.
5 Click on the desired user's name.
The Modify the user page appears.

6 Clear the User enabled check box.


7 Click Save.
The user is disabled.

Enabling Privileged Users


You can re-enable a disabled user.

To enable a privileged user


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.

27

AlgoSec FireFlow

Release 6.3

3 Click Users.
The Select a user page appears.
4 Search for the desired user, by doing the following:
a) In the Find all users whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Select the Include disabled users in search check box.
c) Click Go.
The users matching the search criteria are displayed.
5 Click on the desired user's name.
The Modify the user page appears.
6 Select the User enabled check box.
7 Click Save.
The user is enabled.

28

CHAPTER 6

Working with User Groups


This section explains how to add user groups to FireFlow. It also describes how to edit and disable user
groups.

In This Chapter
Adding User Groups........................................................... 29
Editing User Groups ........................................................... 32
Managing Group Members ................................................ 33
Assigning Global and Queue Rights to User Groups ......... 35
Configuring Group Rights for Custom Fields .................... 36
Disabling User Groups ....................................................... 41
Enabling User Groups ........................................................ 41

Adding User Groups


To add a user group
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.

29

AlgoSec FireFlow

The FireFlow Configuration page appears.

3 Click Groups.
The Select a group page appears.

4 In the main menu, click Create.

30

Release 6.3

Chapter 6

Working with User Groups

The Create a new group page appears.

5 Complete the fields using the information in Group Fields (page 31).
6 Click Save.
7 Specify which users and groups should be members in the new user group.
See Managing Group Members (on page 33).
Note: If desired, this step can be skipped and performed later on, as described in the AlgoSec FireFlow
User Guide, Adding Users to FireFlow User Groups.
8 If you did not copy settings from another group, or if you copied settings and would like to modify them,
do the following:
a) Customize the group's Home page.
See Customizing the Home Page per Group (on page 18).
b) Assign global and queue rights to the user group.
See Assigning Global and Queue Rights to User Groups (on page 35).
c) Configure the group's rights for each custom field.
See Configuring Group Rights for Custom Fields (on page 36).
Group Fields
In this field...

Do this...

Name

Type a name for the group.

Description

Type a description of the group.

Group LDAP DN

Type the DN of the group in the LDAP server.


For example: "cn=network_users,ou=organization,o=mycompany,c=us"

31

AlgoSec FireFlow

Release 6.3

Enabled

Select this option.

Copy Group Rights and


Home Page Settings from
group

To assign this group the same settings as another group, select the group from which to
copy settings.
The following settings will be copied from the selected group:
Group rights
Global permissions
Queue permissions
Rights for custom fields
Home page settings
Note: It is recommended to select this option when creating a new group, as it
significantly shortens the group creation process.

Revoke rights which were


not granted to this group

To revoke any group rights that were assigned to this group, but which are not assigned
to the group in the Copy Group Rights and Home Page Settings from group field, select
this option.
This field only appears when editing a user group.

Editing User Groups


Note: Do not change any of the pre-defined Admin user group's settings. This group consists of the AlgoSec
administrators and is only used by FireFlow internally.
Note: If you change the name of a pre-defined user group (Network, Security, Controllers, or Read-Only),
you must also change the group's name in all workflows. For information, see Working with Workflows in
VisualFlow (on page 71).

To edit a user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 To edit the group's name, description, and whether it should inherit its settings from another group, do
the following:
a) In the main menu, click Configuration.
The FireFlow Configuration page appears.
b) Click Groups.
The Select a group page appears.
c) (Optional) To search for the desired group, do the following:
1. In the Find groups whose area, select the desired options in the drop-down lists, and type the
search string in the field provided.
2. To include disabled groups in the search, select the Include disabled groups in listing check box.
3. Click Go.
The groups matching the search criteria are displayed.
d) Click the desired group's name.
The Editing membership for group page appears.
e) In the main menu, click Basics.

32

Chapter 6

3
4
5
6

Working with User Groups

f) The Modify the group page appears.


Complete the fields using the information in Group Fields (page 31).
g) Click Save.
To edit the group's members, see Managing Group Members (on page 33).
To customize the group's Home page, see Customizing the Home Page per Group (on page 18).
To assign global and queue rights to the group, see Assigning Global and Queue Rights to User Groups
(on page 35).
To configure the group's rights for custom fields, see Configuring Group Rights for Custom Fields (on
page 36).

Managing Group Members


To manage a group's members
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
The Select a group page appears.
4 (Optional) To search for the desired group, do the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) To include disabled groups in the search, select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.

33

AlgoSec FireFlow

Release 6.3

The Editing membership for group page appears.

6 To add users and/or groups:


a) In the Add members area, select the desired users and groups.
b) Click Save.
The users and/or groups are added to the user group and appear in the Current members area.
Note: Members of this user group will see the Home page elements configured for this user group.
7 To remove users and/or groups:
a) In the Current members list, select the check boxes next to the desired users and/or groups.
b) Click Save.
The users and/or groups are removed from the new user group and appear in the Add members area.
8 To specify the group member to which change requests should automatically be assigned, when they are
sent to this user group:
a) In the Group Default Assignee area, click Change.
The Select Default Assignee window opens.

b) Select the desired group member.


c) Click OK.

34

Chapter 6

Working with User Groups

Note: If you do not specify a user, then the first member of the group will become the default assignee.
9 Click Save.

Assigning Global and Queue Rights to User Groups


A user group can be assigned global rights, which are rights for actions that can be performed on all change
requests or actions that are not related to change requests, and queue rights, which are rights for actions that
can only be performed on change requests belonging to a certain queue.
FireFlow allows you to assign these rights to a user group in the following ways:

By viewing a single user group and then assigning it the desired global and queue rights
See Configuring a Group's Global and Queue Rights (on page 35).
By viewing all global rights and then assigning them to the desired user group
See Configuring Global Rights for Groups (on page 178).
By viewing all queue rights and then assigning them to the desired user group
See Configuring Queue Rights for Groups (on page 183).

Configuring a Group's Global and Queue Rights


To configure a user group's global and queue rights
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
The Select a group page appears.
4 (Optional) To search for the desired group, do the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) To include disabled groups in the search, select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.
The Editing membership for group page appears.
6 In the main menu, click Rights.

35

AlgoSec FireFlow

Release 6.3

The Editing rights for group page appears.

The Editing Rights on Global actions area enables you to grant rights for global actions, and the Editing
Rights on Queue actions area enables you to grant rights for queue rights.
7 To assign rights, do the following in the relevant area:
a) In the New rights list box, select the rights you want to assign this group.
To select multiple rights, press Ctrl while you click on the desired rights.
b) Click Modify Rights.
The selected rights appear in the Current rights area.
8 To revoke rights, do the following in the relevant area:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify Rights.
The selected rights are removed from the Current rights area.

Configuring Group Rights for Custom Fields


You can configure group rights for the following types of custom fields:

36

User-defined custom fields


See Configuring Group Rights for User-Defined Custom Fields (on page 37).
FireFlow fields
See Configuring Group Rights for FireFlow Fields (on page 39).

Chapter 6

Working with User Groups

For information on both types of custom fields, see Working with Custom Fields (on page 43).

Configuring Group Rights for User-Defined Custom Fields


To configure a group's rights for a user-defined custom field
1 In the main menu, click Configuration.
The FireFlow Configuration page appears.
2 Click User Defined Custom Fields.
The Select a Custom Field page appears.

3 Click on the desired custom field's name.

37

AlgoSec FireFlow

The Editing Custom Field page appears.

4 In the main menu, click Group Rights.


The Modify group rights for custom field page appears.

38

Release 6.3

Chapter 6

Working with User Groups

5 Complete the fields using the information in Modify Group Rights Fields (page 39).
6 Click Submit.
Modify Group Rights Fields
In this field...

Do this...

System groups

In this area, select the level of rights that each system (built-in) group should have for
this field.
The system groups are:
Everyone. Represents all users, including both privileged and unprivileged users.
Privileged. Represents all information security and network operations users, as
well as any user-defined user groups.
Unprivileged. Represents requestors.
The available levels of rights are:
AdminCustomField. Users in this group can view and modify the field's
definition (for example, they can modify the field's name, disable it, and so on).
ModifyCustomField. Users in this group can modify the field's value, but cannot
view the field.
SeeCustomField. Users in this group can view the field, but cannot modify its
value.
(no value). Users in this group cannot view or modify the field.

User defined groups

In this area, select the level of rights that each user-defined user group should have
for the field.
The available levels of rights are:
AdminCustomField. Users in this group can view and modify the field's
definition (for example, they can modify the field's name, disable it, and so on).
ModifyCustomField. Users in this group can modify the field's value, but cannot
view the field.
SeeCustomField. Users in this group can view the field, but cannot modify its
value.
(no value). Users in this group cannot view or modify the field.

Reset

Click this button to remove all your unsaved modifications to the fields on this page.

Configuring Group Rights for FireFlow Fields


To configure a group's rights for a FireFlow field

1 In the main menu, click Advanced Configuration.

39

AlgoSec FireFlow

The Advanced Configuration page appears.

2 Click FireFlow Fields.


The Select a FireFlow Field page appears.

3 Click on the desired FireFlow field's name.

40

Release 6.3

Chapter 6

Working with User Groups

The Editing Custom Field page appears.


4 In the main menu, click Group Rights.
The Modify group rights for custom field page appears.
5 Complete the fields using the information in Modify Group Rights Fields (page 39).
6 Click Submit.

Disabling User Groups


If desired, you can disable a user group, so that it no longer appears in the FireFlow interface.
Note: Values that were entered for the user group before it was disabled are retained in the FireFlow
database.

To disable a user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
The Select a group page appears.
4 (Optional) To search for the desired group, do the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.
The Editing membership for group page appears.
6 In the main menu, click Basics.
The Modify the group page appears.
7 Clear the Enabled check box.
8 Click Save.

Enabling User Groups


You can re-enable a disabled user group.

To enable a user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
41

AlgoSec FireFlow

5
6
7
8

42

Release 6.3

The Select a group page appears.


Search for the desired group, by doing the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
Click the desired group's name.
The Editing membership for group page appears.
In the main menu, click Basics.
The Modify the group page appears.
Select the Enabled check box.
Click Save.

CHAPTER 7

Working with Custom Fields


This section explains how to work with custom fields.

In This Chapter
Overview ............................................................................ 43
Adding User-Defined Custom Fields ................................. 44
Editing User-Defined Custom Fields ................................. 49
Editing FireFlow Fields ...................................................... 49
Disabling User-Defined Custom Fields.............................. 51
Enabling User-Defined Custom Fields............................... 51
Configuring the Order of User-Defined Custom Fields ..... 52

Overview
FireFlow includes two types of custom fields:

User-defined custom fields


You can define custom fields and add them to change requests, users, or user groups throughout the
FireFlow user interface. For example, you can add a budget number field in change requests or an
extension number field for users. In addition, it is possible to add custom fields to a change request's
traffic fields.

Custom fields can also be added to object changes in a change request.

You can edit, disable, configure the order of, and configure groups rights for custom fields. For
information on configuring a custom field's group rights, see Configuring Group Rights for
User-Defined Custom Fields (on page 37).
FireFlow fields

43

AlgoSec FireFlow

Release 6.3

FireFlow comes with a set of built-in custom fields called FireFlow fields. You can modify the display
name and description of such fields. In addition, you can configure groups rights for them, as described
in Configuring Group Rights for FireFlow Fields (on page 39).

Adding User-Defined Custom Fields


Note: You cannot add user-defined custom fields that have the same name as a built-in FireFlow field. To
view a list of built-in FireFlow fields, click Advanced Configuration > FireFlow Fields.

To add a user-defined custom field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.

3 Click User Defined Custom Fields.

44

Chapter 7

Working with Custom Fields

The Select a Custom Field page appears.

4 In the main menu, click Create.


The Create a Custom Field page appears.

5 Complete the fields using the relevant information in Custom Field Page Fields (page 46).
6 Click Create.
Additional fields appears.
45

AlgoSec FireFlow

Release 6.3

7 Complete the fields using the relevant information in Custom Field Page Fields (page 46).
8 Click Save.
If the new field is a list (that is, you chose one of the "Select" options in the Type field), and you chose to
specify which values should be included in the list in the Values area of this page (that is, you chose
Provide list of values below in the Field values source field), additional fields appear in the Value area.
Do any of the following:
To add more values to the list, do the following for each value you want to add:
1. Complete the new fields using the relevant information in Create a Custom Field Page Fields
(page 46).
2. Click Save.
The value is added, and additional fields appear in the Value area.
To delete existing values from the list, do the following:
1. Select the check box next to each value you want to delete.
2. Click Save.
The specified values are deleted.
The new field appears throughout the FireFlow user interface.
Note: By default, all user groups (including the Unprivileged group) are granted SeeCustomField and
ModifyCustomField rights for the new custom field, except for the Read-Only group, which is granted only
SeeCustomField rights. The Admin group is also granted AdminCustomField rights for the new custom
field. If you would like to modify group rights for the new custom field, see Configuring Group Rights for
User-Defined Custom Fields (on page 37).
Custom Field Page Fields
In this field...

Do this...

Name

Type a name to represent the field internally.


This field is mandatory and must be filled in with a unique value containing any of the
following: letters, digits, hyphen, underscore, dots, and spaces.
Note that this is not the name that users will see in the FireFlow interface.

Description

Type a description of the field.


This description will appear as a tooltip, when you mouse-over the custom field's name
in the Create Change Request page.

Display Name

Type the name that should represent the field in the FireFlow interface.

Category

Select the field's category. This can be any of the following:


additional. Allows creating a custom field for change requests, users, or user groups.
additional for object. Allows creating a custom field for each object change in an
object change request. For example, select this category if you want to add a
comment field to each object change in a change request.
additional for traffic. Allows creating a custom field for each traffic change in a
traffic change request. For example, select this category if you want to add a
comment field to each line of traffic in a change request.
additional for source. Allows creating a custom field that appears below a traffic
change request's Source field. For example, select this category if you want to add a
comment field next to a traffic source.

46

Chapter 7

Working with Custom Fields

additional for destination. Allows creating a custom field that appears below a traffic
change request's Destination field. For example, select this category if you want to
add a comment field next to a traffic destination.
additional for service. Allows creating a custom field that appears below a traffic
change request's Service field. For example, select this category if you want to add a
comment field next to a traffic service.

Type

Select the field's type. This can be any of the following:


Fill in one wikitext area. Allows entering multi-line blocks of wikitext
Upload one image. Allows uploading one image file
Upload multiple images. Allows uploading multiple image files
Select date. Allows selecting a date
Upload one file. Allows uploading one file
Upload multiple files. Allows uploading multiple files
Text-1. Allows entering a large block of text
Select one value. Allows selecting one value from a list
Enter one value. Allows entering one line of text in the field
Enter multiple values (one per line). Allows entering multiple values in the field,
each one on a separate line
Select or enter one value. Allows selecting one value from a list or entering one
value
Select one value from drop down. Allows selecting one values from a drop-down list
Select multiple values using control key. Allows selecting multiple values from a
list, by pressing Ctrl while clicking on the desired values
Enter one value with autocompletion. Allows entering one value that is automatically
completed
Enter multiple values with autocompletion. Allows entering multiple values that are
automatically completed

Field values source

If the new field is a list (that is, you chose one of the "Select" options in the Type field),
select the source of the values that should appear in the list. This can be any of the
following:
Provide list of values below. The list of values specified in the Value area at the
bottom of this page
Firewall names
Firewall hostgroup names
Firewall service group names
Available Workflows

Applies To

Select one of the following:


Change Requests. The custom field should appear in change requests.
Users. The custom field should appear for users.
Groups. The custom field should appear for user groups.

47

AlgoSec FireFlow

Link values to

Release 6.3

If you want the field's value to link to a Web page, enter the URL that should open upon
clicking the link.
The URL can include parameters, which FireFlow will replace as follows:
FireFlow will replace this parameter...

With this...

__id__

The record ID

__CustomField__

The custom field's value

For example, if you specify the URL


https://Third-party_system/show_ticket?id=__CustomField__,
then the field's value will be a link. If the field's value for a specific change request is
123, then clicking on the link will open a browser displaying the Web page
https://3rd_party_system/show_ticket?id=123.
Include page

If you want the field to display a Web page, enter the URL of the desired Web page.
The URL can include the same parameters as Link values to.
For example, if you specify the URL
https://Third-party_system/show_ticket?id=__CustomField__,
and the field's value for a specific change request is 123, then the field will display the
Web page https://3rd_party_system/show_ticket?id=123.

Default Value

Type a default value for the field.


Note: FireFlow does not check whether the specified default value is valid for the field.

Validation

Select the form of validation to perform for this field. This can be any of the following:
(?#Mandatory). The field is mandatory. FireFlow will require this field to be filled
in.
(?#Digits).^[d\.]+$. The field's value must be a number.
(?#Year).^[12]\d{3}$. The field's value must be a year.
None. To specify that FireFlow should not perform validation for the field, do not
select a value.

Hide custom field if it has


empty value

Select this option to indicate that the custom field should only appear in the FireFlow
interface if it has a value.

Enabled

Select this check box to enable the field.


If you do not enable the field, it will not appear in the FireFlow user interface.

Values

If the new field is a list (that is, you chose one of the "Select" options in the Type field),
and you chose to specify which values should be included in the list in the Values area of
this page (that is, you chose Provide list of values below in the Field values source field),
then specify the desired values using the fields in this area.

Sort

Type a whole number indicating the value's position in the list. For example, if the value
should appear first in the list, type 1.

Name

Type the name of the value.

Description

Type a description of the value.

48

Chapter 7

Working with Custom Fields

Editing User-Defined Custom Fields


To edit an existing user-defined custom field
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.
4 Click on the desired field's name.
The Editing Custom Field page appears.

5 Modify the fields as desired, using the information in Custom Field Page Fields (page 46).
6 Click Save.

Editing FireFlow Fields


For the FireFlow fields, you may change only the display name and description. Any other change will
cause FireFlow to behave unpredictably.

To edit a FireFlow field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
49

AlgoSec FireFlow

2 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.

3 Click FireFlow Fields.


The Select a FireFlow Field page appears.

50

Release 6.3

Chapter 7

Working with Custom Fields

4 Click on the desired custom field's name.


The Editing Custom Field page appears.
5 In the Description field, type a description of the custom field.
This description will appear as a tooltip, when you mouse-over the custom field's name in the Create
Change Request page.
6 In the Display Name field, type the name that should represent the field in the FireFlow interface.
7 Click Save.

Disabling User-Defined Custom Fields


If desired, you can disable a user-defined custom field, so that it no longer appears in the FireFlow interface.
Note: Values that were entered for a custom field before it was disabled are retained in the FireFlow
database.

To disable an existing user-defined custom field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.
4 (Optional) To filter the displayed fields, do the following:
a) In the Only show custom fields for area, select the desired option in the drop-down list.
b) Click Go.
The fields matching the filter criteria are displayed.
5 Click on the desired field's name.
The Editing Custom Field page appears.
6 Clear the Enabled check box.
7 Click Save.

Enabling User-Defined Custom Fields


You can re-enable a disabled user-defined custom field.

To enable a user-defined custom field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.
51

AlgoSec FireFlow

Release 6.3

4 Select the Include disabled custom fields in listing check box.


5 (Optional) To filter the displayed fields, in the Only show custom fields for area, select the desired option
in the drop-down list.
6 Click Go.
7 Click on the desired field's name.
The Editing Custom Field page appears.
8 Select the Enabled check box.
9 Click Save.

Configuring the Order of User-Defined Custom Fields


When multiple user-defined custom fields are defined for change requests, you can configure the order in
which they should appear in change requests.

To configure the order of user-defined custom fields in change requests


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.
4 In the main menu, click Order.
The Order Custom Fields page appears with all user-defined custom fields, divided according to
category: custom fields for change requests, services, traffic requests, object requests, users, and groups.

52

Chapter 7

Working with Custom Fields

Within each category, the fields are listed in the order that they will appear in the FireFlow Web
interface.

5 In each category, do one or more of the following:


To move a change request up in the list, click Move up next to it.
To move a change request down in the list, click Move down next to it.
Note: These links only appear when there is more than one custom field in the category.
The fields will appear in the specified order.

53

CHAPTER 8

Customizing the Source, Destination, and


Service Wizards
When defining traffic in a request or change request, users can select objects in the Source Wizard,
Destination Wizard, and Service Wizard. This section explains how to customize these wizards in the
following ways:

Customize the list of suggested sources/destinations in the Source Wizard/Destination Wizard's


Suggested tab
Customize the list of common services in the Service Wizard's Common tab
Control whether the Source Wizard/Destination Wizard's Suggested and Firewall Object tabs and the
Services Wizard's Common tab appear for different types of users

In This Chapter
Customizing the Suggested Sources/Destinations List ...... 55
Customizing the Common Services List ............................ 56
Controlling Whether Wizard Tabs Appear ........................ 57

Customizing the Suggested Sources/Destinations List


When defining traffic in a request or change request, double-clicking in the Source or Destination field
opens the Choose Source Wizard or Choose Destination Wizard. The Suggested tab of these wizards displays
a list of suggested sources/destinations, for example "email server" or "my computer", enabling the user to
specify a source/destination without knowing its IP address.

You can customize this list as desired, and even remove the Suggested tab entirely.

To customize the suggested sources/destinations list


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/, locate the file
SuggestedAddressObjects_Config.xml.

55

AlgoSec FireFlow

Release 6.3

Note: This is the original suggested sources/destinations list file, and it can be used to revert to defaults,
as needed. Do not modify this file.
3 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original
file into an override file that is also called SuggestedAddressObjects_Config.xml.
4 Open the override file.
5 To add a suggested source/destination to the list, add the following tags, anywhere between <objects>
and </objects>:
<object name="objectName">
<value>objectValue</value>
</object>

Where:
objectName is the source/destination name that should appear in the Suggested list.
objectValue is the value to which FireFlow should resolve the source/destination name.
For example, to add the source/destination "lab", which FireFlow should resolve to IP address
192.168.2.0/24, add the following:
<object name="lab">
<value>192.168.2.0/24</value>
</object>

Note: The source/destination "my computer" is built-in. FireFlow resolves it to the IP address of the
user's computer, which FireFlow automatically detects from the browser.
6
7
8
9

To remove a suggested source/destination from the list, delete the relevant tags.
To remove the Suggested tab from the wizards, delete the contents of this file.
Save the override file.
Restart FireFlow.
See Restarting FireFlow (on page 11).

Customizing the Common Services List


When defining traffic in a request or change request, double-clicking in the Choose Service field opens the
Service Wizard. The Common tab of this wizard displays a list of common services suggested
sources/destinations, for example "http" or "all_tcp_ports", enabling the user to specify a service without
knowing its protocol or port.

56

Chapter 8

Customizing the Source, Destination, and Service Wizards

You can customize this list as desired, by adding, editing, and deleting custom services in AlgoSec Firewall
Analyzer. For instructions, refer to the AlgoSec Firewall Analyzer User Guide.

Controlling Whether Wizard Tabs Appear


You can control whether the Source Wizard/Destination Wizard's Suggested and Firewall Object tabs and the
Services Wizard's Common tab appear for various types of users, including:

Privileged users
See Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors (on page 57).
Requestors
See Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors (on page 57).
Anonymous users using the No-Login Web form
See Controlling Whether Wizard Tabs Appear in the No-Login Form (on page 60).

By default, these tabs appear for all types of users.

Controlling Whether Wizard Tabs Appear for Privileged Users and


Requestors
To control whether tabs appear for privileged users and requestors
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.

57

AlgoSec FireFlow

The Advanced Configuration page appears.

3 Click Global.
The Admin/Global configuration page appears.

4 Click Group Rights.

58

Release 6.3

Chapter 8

Customizing the Source, Destination, and Service Wizards

The Modify global group rights page appears.

5 Locate the desired user group.


Note: For requestors, the relevant group is Unprivileged.
6 To allow users in this user group to view tabs, do any of the following in the New rights list box next to
the group:
To allow users in this group to view the Source/Destination Wizard's Suggested tab, select
SeeSuggestedAddressObjects.
To allow users in this group to view the Source/Destination Wizard's Firewall Object tab, select
SeeFirewallAddressObjects.
To allow users in this group to view the Services Wizard's Common tab, select
SeeCommonServiceObjects.
To select multiple rights, press Ctrl while you click on the desired rights.
7 To prevent users in this user group from viewing tabs, do any of the following in the Current rights area
under the group:
To prevent users in this group from viewing the Source/Destination Wizard's Suggested tab, select
the SeeSuggestedAddressObjects check box.
To prevent users in this group from viewing the Source/Destination Wizard's Firewall Object tab,
select the SeeFirewallAddressObjects check box.
To prevent users in this group from viewing the Services Wizard's Common tab, select the
SeeCommonServiceObjects check box.
8 Click Modify Group Rights.

59

AlgoSec FireFlow

Release 6.3

Controlling Whether Wizard Tabs Appear in the No-Login Form


To control whether wizard tabs appear in the No-Login Web form
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/, open the file FireFlow_Config.pm.
Note: This is the original system settings file, and it is required for reverting to system default settings.
Do not modify this file.
3 Under the directory /usr/share/fireflow/local/etc/site/, open the
FireFlow_SiteConfig.pm override file.
Note: If this file does not exist, create it as described in Overriding System Default Settings (on page
199).
4 Copy the following configuration items from the FireFlow_Config.pm file into the
FireFlow_SiteConfig.pm file:
To control whether the Source/Destination Wizard's Suggested tab appears, copy the configuration
item AllowAnonymousUserSeeSuggestedAddressObjects.
To control whether the Source/Destination Wizard's Firewall Object tab appears, copy the
configuration items AllowAnonymousUserSeeFirewallAddressObjects.
To control whether the Services Wizard's Common tab appears, copy the configuration item
AllowAnonymousUserSeeCommonServiceObjects.

5 In the FireFlow_SiteConfig.pm file, set these configuration items' values to one of the following:
1 - Display this tab. This is the default.
0 - Do not display this tab.
For example, to remove the Common tab, set the configuration item as follows:
Set($AllowAnonymousUserSeeCommonServiceObjects, 1);

6 Close the file FireFlow_Config.pm.


Note: Do not save changes to this file.
7 Save the file FireFlow_SiteConfig.pm.
8 Restart FireFlow.
See Restarting FireFlow (on page 11).

60

CHAPTER 9

Configuring Change Request Creation


from File
This section explains how to configure change request creation from file.

In This Chapter
Overview ............................................................................ 61
Configuring Change Request Creation from File ............... 62
Disabling Change Request Creation from File................... 64

Overview
Requestors can create new change requests from files attached to change requests. The process is as follows:
1 The requestor chooses a request template that supports creating change requests from file, such as
FireFlow's built-in sample template "240: Sample - Upload change requests from Excel". The requestor
then attaches a file specifying the desired change's details.
Note: In order to support creating change requests from file, a request template's Create change requests
from file field must be set to "Yes", and the Request Type field must be set to "Traffic Change".
2 The requestor submits the change request.
3 FireFlow runs a parsing script that converts the attached file to XML format.
If the parsing script is configured for single change request creation, then all traffic lines in the file are
interpreted as multiple traffic lines in a single change request. If the script is configured for multiple
change request creation, then each traffic line in the file is interpreted as a separate change request, (and
the change requests will all be linked to each other via their Depends On field).
4 FireFlow converts the XML to one or more change requests.
By default, FireFlow uses an out-of-the-box parsing script,
/usr/share/fireflow/local/bin/parse_excel_example.pl, which supports creating multiple

change requests from file, where all of the change request data is on a single worksheet and the file format is
one of the following:

xls (Microsoft Excel up to 2003)


xlsx (Microsoft Excel 2007 and up)
sxc (OpenOffice 1.0 Spreadsheet)
ods (OpenOffice Spreadsheet)
csv (Coma-separated text values)

If desired, you can configure change request creation from file in the following ways:

Enable the creation of change requests from files in additional formats


Configure whether multiple or single change requests are created from each file
61

AlgoSec FireFlow

Release 6.3

Enable/disable file validity enforcement


By default, FireFlow automatically checks uploaded files for errors. If an error is detected in a file,
FireFlow alerts the requestor and halts change request creation for this file, until the error has been fixed.
If desired, you can disable validity enforcement, in which case change requests will be created only from
valid lines in the file.
Enable/disable automatic change request creation
By default, FireFlow automatically creates change requests from uploaded files. If desired, you can
require change request creation to be triggered manually later in the change request workflow, when a
certain button is clicked. For information on how to perform this customization, contact AlgoSec
Support.
Disable change request creation from file (both automatic and manual)

You can view a sample worksheet filled with data that is expected by the out-of-the-box parsing script under
/usr/share/fireflow/local/extras/Firewall Rules Request Example.xls.

Configuring Change Request Creation from File


Note: If you are using multiple parsing scripts, you must perform this procedure for each script.

To configure change request creation from file


1 To enable the creation of change requests from files in a format that is not supported by the default
parsing script, obtain a custom parsing script from AlgoSec Professional Services.
2 Log in to the FireFlow server using the username "root" and the related password.
3 Do one of the following:
To work with the default parsing script, copy parse_excel_example.pl from
/usr/share/fireflow/local/bin/ to /usr/share/fireflow/local/etc/site/bin/.
To work with a custom parsing script, save the custom script under
/usr/share/fireflow/local/etc/site/bin.
4 Give the parsing script execute permissions, by running the following command:
chmod a+x [script-name]
Where script-name is the name of the parsing script.
5 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
6 Locate the configuration item AttachmentParsingScripts, and set it to the path of the parsing
script.
For example:
Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" =>
["xls", "xlsx", "sxc", "ods", "csv"],});

If you have multiple parsing scripts, add them as follows:


Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" =>
["xls", "xlsx", "sxc", "ods", "csv"],
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script2.pl" =>
["xml"],});

62

Chapter 9

Configuring Change Request Creation from File

7 To enable/disable automatic creation of change requests from files, do the following:


a) Add the configuration item AutoCreateTicketsFromAttachments.
b) Do one of the following:
To enable automatic creation of change requests from uploaded files, set the configuration item's
value to 1.
This is the default value.
To require manual triggering of change request creation from uploaded files, set the
configuration item's value to 0.
For example, the following enables automatic creation of change requests from file:
Set($AutoCreateTicketsFromAttachments,'1');

8 To enable/disable validity enforcement for uploaded files, do the following:


a) Add the configuration item ForceValidAttachmentsBeforeCreateTickets.
b) Do one of the following:
To enable validity enforcement of uploaded files, set the configuration item's value to 1.
This is the default value.
To disable validity enforcement of uploaded files, set the configuration item's value to 0.
For example, the following enables validity enforcement of uploaded files:
Set($ForceValidAttachmentsBeforeCreateTickets,'1');

9 Save the file.


10 To configure whether multiple change requests or a single change request is created from a file, do the
following:
a) Under /usr/share/fireflow/local/etc/site/bin/, open the parsing script.
b) Locate the following lines:
# In this example: Multiple tickets mode
my $mode = $MULTIPLE_TICKETS_MODE;
# Set mode to $SINGLE_TICKETS_MODE if you wish to work in single ticket mode
# my $mode = $SINGLE_TICKETS_MODE;

c) Uncomment the my $mode line that reflects the mode you want to use, and comment the my $mode
line that reflects the mode you do not want to use.
d) For example, to create a single change request from file, modify the lines as follows:
# In this example: Multiple tickets mode
# my $mode = $MULTIPLE_TICKETS_MODE;
# Set mode to $SINGLE_TICKETS_MODE if you wish to work in single ticket mode
my $mode = $SINGLE_TICKETS_MODE;

11 Save the script.


12 Restart FireFlow.
See Restarting FireFlow (on page 11).

63

AlgoSec FireFlow

Release 6.3

Disabling Change Request Creation from File


To disable change request creation from file
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Locate the configuration item AttachmentParsingScripts, and remove the parsing script(s) from
it, as follows:
For example:
Set($AttachmentParsingScripts, {});

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

64

CHAPTER 10

Modifying FireFlow Email Templates


This section explains how to modify the email templates on which FireFlow bases the emails it sends to
users.

In This Chapter
Overview ............................................................................ 65
Modifying Email Templates ............................................... 66

Overview
FireFlow sends emails to users upon various events in the change request lifecycle. It uses the following a
set of templates to create the emails' content.
FireFlow Templates
This template...

Is used to send emails to...

And is used when...

Transaction

Change request owners

A reply is written for an item in a change


request's history.
A comment is written for an item in a
change request's history.
A change request's owner is changed.

Correspondence

Requestors

A reply is written for an item in a change


request's history.

Resolved

Requestors

A change request is resolved.

Autoreply

Requestors

A new change request is created.

Notify External System Ticket An external Change Management


Close
System (CMS)

A change request is resolved.

If desired, you can modify these templates.


Note: Other templates appear in the FireFlow interface; however, they are not used for FireFlow emails and
should therefore be ignored.
Note: It is possible to customize which events trigger email sending and to whom the emails are sent. For
further information, contact AlgoSec.

65

AlgoSec FireFlow

Modifying Email Templates


To modify an email template
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

3 Click Global.

66

Release 6.3

Chapter 10

Modifying FireFlow Email Templates

The Admin/Global configuration page appears.

4 Click Email Templates.

67

AlgoSec FireFlow

The Modify templates which apply to all queues page appears.

5 Click on the name of the desired template.

68

Release 6.3

Chapter 10

Modifying FireFlow Email Templates

The Modify template page appears.

6 In the Content field, type the template's content.


You can use variables in the template. For a list of popular variables and their explanations, see Email
Template Variables (page 69).
Note: Do not modify the Name and Description fields.
Note: The email template variables that include Perl code (appearing in curly braces {}) are subject to
Perl syntax.
7 To reset the template to its default settings, click Reset.
8 Click Update.
Email Template Variables
This variable...

Represents...

For example...

{$Ticket->id}

The change request ID number

364

{$Ticket->Subject}

The change request subject

Need to open device ports for project


Armageddon

{$Ticket->Status}

The change request status

plan

{$Ticket->RequestorAddresses}

The requestor's email address

john.doe@mycompany.com

{$Ticket->OwnerObj->Name}

The change request owner's username ned.netop

{$Ticket->getTicketAsXML()}

The change request in XML format (a See Flat Ticket Example (on page 116).
flat ticket)

69

AlgoSec FireFlow

Release 6.3

{$RT::WebURL}Ticket/Display.ht The URL at which the change request https://fireflow-demo.algosec.com/FireF


ml?id={$Ticket->id}
is displayed
low/Ticket/Display.html?id=136
{$Transaction->CreatedAsString}

70

The date and time at which the email Mon Nov 17 16:58:44 2008
is sent

CHAPTER 11

Working with Workflows in VisualFlow


This section explains how to add, edit, and delete workflows in VisualFlow. It also explains how to modify
the set of conditions determining when each workflow should be assigned.
VisualFlow is the new and recommended method of working with workflows.

In This Chapter
Overview ............................................................................ 71
About VisualFlow .............................................................. 73
Getting Started with VisualFlow ........................................ 74
Adding Workflows ............................................................. 78
Workflow Condition Syntax .............................................. 81
Editing Workflows ............................................................. 87
Working with Statuses........................................................ 87
Working with Actions ........................................................ 95
Working with SLAs ........................................................... 129
Reordering Workflows ....................................................... 133
Setting the Default Workflow ............................................ 133
Deleting Workflows ........................................................... 133
Viewing the Workflow XML ............................................. 134
Installing Workflows .......................................................... 134
Discarding Workflow Changes .......................................... 135
Examples ............................................................................ 136

Overview
FireFlow assigns each change request to a workflow that controls the change request's lifecycle, including
the actions that can be performed on the change request, the behavior associated with each action, and the
possible change request statuses. In order to determine which workflow to use for a change request,
FireFlow performs the following steps:
1 FireFlow refers to the template that the requestor selected for the change request.
2 If the template specifies a workflow, FireFlow assigns the change request to that workflow.
3 If the template does not specify a workflow, then FireFlow refers to a set of conditions that determine
which workflow should be assigned.
4 If FireFlow fails to assign a workflow based on the set of conditions, then FireFlow assigns the change
request to the default workflow (which, by default, is the Standard workflow).

71

AlgoSec FireFlow

Release 6.3

FireFlow comes with the following set of built-in workflows, located under
/usr/share/fireflow/local/etc/Workflows/:
Built-In Workflows
Workflow

File Name

Description

Standard

Standard_Config.xml

This is the default workflow,


resulting in the default change
request lifecycle. Used by traffic
change requests.

Generic

Generic_Config.xml

This workflow is used for change


requests that are not related to
traffic. As such, no device change
planning or matching of device
changes to the change request are
required, and these stages (Plan
and Match) are omitted.

Request
Approve
Implement
Validate
Resolved
Audit

Multi-Approval

Multi-Approval_Conf
ig.xml

This workflow is used for change


requests that require approval
from multiple users. It therefore
includes an extra stage (Review)
that is performed by a controller
user.

Request
Plan
Approve
Review
Implement
Validate
Match
Resolved
Audit

Parallel-Approva Parallel-Approval_C
onfig.xml
l

This workflow is used for change


requests that require approval
from two users in parallel. It
therefore includes an extra change
request approval stage called
Review that is performed by a
controller.

Request
Plan
Approve
Review
Implement
Validate
Resolved
Audit

Change-Object

Change-Object_Confi
g.xml

This workflow is used for change


requests for modifying device
objects.

Request
Approve
Implement
Validate
Resolved
Audit

Rule-Removal

Rule-Removal_Config
.xml

This workflow is used for change


requests that are for removing
device rules.

Request
Approve
Implement

72

Lifecycle Stages
Request
Plan
Approve
Implement
Validate
Match
Resolved
Audit

Chapter 11

Working with Workflows in VisualFlow

Web-Filter

Web-Filter_Config.x
ml

Request-Recertif Request-Recertifica
tion_Config.xml
ication

Validate
Resolved

This workflow is used for change


requests that are for filtering Web
connections. It is relevant for Blue
Coat devices only.

Request
Plan
Approve
Implement
Validate
Match
Resolved
Audit

Request
Approve
Implement
Validate
Resolved
Audit

This workflow is used to


determine whether an Allow rule
that was added to a device policy
as the result of an expired traffic
change request is still relevant. If
the rule is no longer relevant, a
rule removal request is created to
remove it.

You cannot modify the built-in workflows; however, you can create new ones as desired. For you
convenience, FireFlow allows you to create variations of existing workflows (both built-in and custom
ones), by duplicating the relevant workflow and then modifying it.
Furthermore, you can modify the set of conditions determining which workflow should be assigned, when
the template does not specify a workflow.
You can work with workflows in the following ways:

By using VisualFlow, an interface that is accessible from FireFlow (highly recommended)


By working directly with workflow XML files (not recommended, as manual changes may be
overwritten by VisualFlow, if performed incorrectly)

This section explains how to work with workflows using VisualFlow. For information on working with
workflows via XML, see Working with Workflows via XML (on page 143).

About VisualFlow
VisualFlow enables you to add, edit, and delete custom workflows in a Web interface, without any need to
manually edit the workflow XML files.
All workflow changes are saved locally as drafts. In order for the changes to take effect, you must install the
workflows on FireFlow. The changes are exported to the workflow XML files (overwriting the existing
settings), which are then imported to FireFlow. See Installing Workflows (on page 134).
If you have not yet installed your changes, you can choose to discard them. VisualFlow will be refreshed
from the existing workflow XML files. See Discarding Workflow Changes (on page 135).

73

AlgoSec FireFlow

Getting Started with VisualFlow


This section contains all the information you need in order to get started using VisualFlow.

Accessing VisualFlow
To access VisualFlow
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

3 Click VisualFlow.

74

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

VisualFlow opens in a new browser tab, displaying the List of Workflows page.

The VisualFlow User Interface


The VisualFlow user interface consists of the following major elements:

Main menu. Used for navigating between the VisualFlow pages.


Workspace. Displays the VisualFlow page selected in the main menu. When viewing a specific
workflow, the workspace includes the workflow's layout. See Viewing Workflow Layouts (on page 76).
When domains are enabled, there is a Domains column in the workflows list.

75

AlgoSec FireFlow

Release 6.3

Toolbar. Displays your username and a link to information about the VisualFlow version.

Viewing Workflow Layouts


A workflow's layout is a graph that includes all actions and statuses in the workflow, each of which can be
clicked for further viewing and editing.

To view a workflow layout

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details, and the Layout area displays the workflow's
layout.

76

Chapter 11

Working with Workflows in VisualFlow

For information on the various layout elements, click Show legend or see the following table.
3 To zoom in, click the
icon.
The workflow layout is magnified. Use the scroll bar to view the desired part of the layout.
4 To zoom out, click the
icon.
The workflow layout returns to its regular size.
5 To print the workflow layout:
a) Click
.
The workflow layout opens in a new tab.
b) Use your browser's Print button to print the layout.
6 To view only the layout elements that are related to a specific action or status, click on the desired
action/status.
The Edit Action or Edit Status page appears, and the Layout area displays only those elements that are
directly related to the selected action/status.

Workflow Layout Elements


This element...

Represents...
A single workflow stage.

A status.
Click to edit the status's details.
A status that is currently being edited.

An action.

An action that is currently being edited.


Indicates that an action can be clicked for editing.

Indicates that an action cannot be clicked for editing.

77

AlgoSec FireFlow

Release 6.3

A conditional action.

A parallel action.

Accessing Online Help


To access online help

At the top of the workspace, click Help.


The online help opens.

Exiting VisualFlow
To exit VisualFlow

Close the browser tab.

Adding Workflows
Adding new workflows is done by creating a copy of an existing workflow and then modifying the copy.

To add a custom workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears. When domains are enabled, there is a Domains column in the
workflows list.
2 Next to an existing workflow on which you would like to base the new workflow, click Duplicate.
A confirmation message appears.
3 Click OK.
A new workflow appears at the bottom of the workflows list. Its name is
OriginalWorkflow-Copy-Number, where:
OriginalWorkflow is the name of the workflow you copied.
Number is a number used to differentiate between copies of the duplicated workflow.

78

Chapter 11

Working with Workflows in VisualFlow

For example, if you duplicated the Standard workflow, and there is already a workflow called
Standard-Copy-1, then the new workflow will be called Standard-Copy-2.

A message at the top of the screen informs you that changes have been made to the workflows.
4 Do one of the following:
Next to the new workflow, click Edit.
Click on the workflow's name.

79

AlgoSec FireFlow

Release 6.3

The Edit Workflow page opens with the workflow's details.

5 In the Edit workflow details area, complete the fields using the information in Workflow Details Fields
(page 80).
When domains are enabled, there is a Domains selection box in the Edit workflow details area.
6 Click Save Draft.
7 Add, edit, and delete workflow statuses as desired.
See Working with Statuses (on page 87).
8 Add, edit, and delete workflow actions as desired.
See Working with Actions (on page 95).
9 Add, edit, and delete SLOs in the workflow's SLA as desired.
See Working with SLAs (on page 129).
Workflow Details Fields
In this field...

Do this...

Name

Type a name for the workflow.

Domains

Specify the domains in which the workflow should be available, by doing one of the
following:
To specify that the workflow should be available in all domains, select the All check
box.
To specify that the workflow should be available only in specific domains, clear the
All check box, then hold down the Ctrl key while clicking on the desired domains'

80

Chapter 11

Working with Workflows in VisualFlow

names.
Description

Type a description of the workflow.

Configuration File

Type a prefix for the workflow file name associated with this workflow. The workflow
file is named Prefix_Config.xml, where Prefix is the string you enter in this field.
By default, the prefix is the workflow's name.

Enabled

Specify whether this workflow should be enabled, by choosing one of the following:
Yes. The workflow is enabled and will appear in the FireFlow interface.
No. The workflow is disabled. It will not appear in the FireFlow interface, and no
change requests will have this workflow.
The default value is Yes.

Condition

Type the condition under which a workflow should be assigned to change requests,
when the change request's template does not specify a workflow.
For information on the required syntax, see Workflow Condition Syntax (on page 81).

Workflow Condition Syntax


A workflow's Condition field contains a query that specifies the condition under which the workflow should
be assigned to change requests. The query is composed of pairs in the following format:
field = 'value'

Where field is a supported field in FireFlow, and value is the field's value. For information on supported
fields, see Supported Fields (on page 81). For example, the following query specifies that the change
request status must be "new":
Status = 'new'

You can use != to indicate "not". For example, the following query specified that the change request must
not be "new":
Status != 'new'

It is possible to use Boolean operators between field-value pairs. For a list of supported operators, see
Supported Boolean Operators (on page 86). For example, the following query specifies that the change
request status must be "new", and the owner must be John Smith:
Status = 'new' AND Owner = 'John Smith'

For more intricate queries, you can use parentheses to group field-value pairs and operators. For example,
the following query specifies that the change request status must be "new" or "plan", and the owner must be
John Smith or Sue Michaels.
(Status = 'new' OR Status = 'plan') AND (Owner = 'John Smith' OR Owner = 'Sue
Michaels')

Supported Fields
There are two types of supported fields:

Standard fields
81

AlgoSec FireFlow

Release 6.3

These fields should be written as they appear in Standard Fields (page 82). For example:
Subject = 'Allow Web Access'

Custom fields
These fields include those listed in Custom Fields (page 84), as well as any fields added by users. They
should be used in the following format:
'CF.{field}'
Where field is the name of the custom field.
For example:
'CF.{Firewall Brand}' = 'Check Point'

Standard Fields
Field

Description

Id

The change request ID number.

Subject

The change request subject.

Content

Text that appears in the original change request description or in a comment or reply
added to the change request.

Content-Type

The file type of an attachment attached to the change request.

Filename

The filename of an attachment for the change request.

Status

The change request status.

Owner

The user who is the current change request owner.

Creator

The user who is the change request creator.

LastUpdatedBy

The user who last updated the change request.

Requestor.EmailAddress

The requestor's email address.

Requestor.Name

The requestor's username.

Requestor.RealName

The requestor's full name.

Requestor.Nickname

The requestor's nickname.

Requestor.Organization

The requestor's organization.

Requestor.Address1

The requestor's primary mailing address.

Requestor.Address2

The requestor's secondary mailing address.

Requestor.WorkPhone

The requestor's office telephone number.

Requestor.HomePhone

The requestor's home telephone number.

Requestor.MobilePhone

The requestor's mobile telephone number.

Requestor.PagerPhone

The requestor's pager telephone number.

Requestor.id

The requestor's ID.

Cc.EmailAddress

The email address of a user who receives copies of email messages for the change
request.

Cc.Name

The username of a user who receives copies of email messages for the change
request.

82

Chapter 11

Working with Workflows in VisualFlow

Cc.RealName

The full name of a user who receives copies of email messages for the change
request.

Cc.Nickname

The nickname of a user who receives copies of email messages for the change
request.

Cc.Organization

The organization of a user who receives copies of email messages for the change
request.

Cc.Address1

The primary mailing address of a user who receives copies of email messages for the
change request.

Cc.Address2

The secondary mailing address of a user who receives copies of email messages for
the change request.

Cc.WorkPhone

The office telephone number of a user who receives copies of email messages for the
change request.

Cc.HomePhone

The home telephone number of a user who receives copies of email messages for the
change request.

Cc.MobilePhone

The mobile telephone number of a user who receives copies of email messages for
the change request.

Cc.PagerPhone

The pager telephone number of a user who receives copies of email messages for the
change request.

Cc.id

The ID of a user who receives copies of email messages for the change request.

Owner.EmailAddress

The owner's email address.

Owner.Name

The owner's username.

Owner.RealName

The owner's full name.

Owner.Nickname

The owner's nickname.

Owner.Organization

The owner's organization.

Owner.Address1

The owner's primary mailing address.

Owner.Address2

The owner's secondary mailing address.

Owner.WorkPhone

The owner's office telephone number.

Owner.HomePhone

The owner's home telephone number.

Owner.MobilePhone

The owner's mobile telephone number.

Owner.PagerPhone

The owner's pager telephone number.

Owner.id

The owner's ID.

Created

The date on which the change request was created.

Resolved

The date on which the change request was resolved.

Last.Updated

The date on which the change request was last updated.

Due

The change request's due date.

Priority

The change request's priority.

RefersTo

The ID numbers of change requests to which this change request refers, separated by
spaces.

83

AlgoSec FireFlow

ReferredToBy

Release 6.3

The ID numbers of change requests that refer to this change request, separated by
spaces.

Custom Fields
Field

Description

Expires

The date on which this change request will expire.

Requested Source

The IP address, IP range, network, device object, or DNS name of the connection
source, as specified in the original request.

Requested Destination

The IP address, IP range, network, device object, or DNS name of the connection
destination, as specified in the original request.

Requested Service

The device service or port for the connection, as specified in the original request.

Requested Action

The device action to perform for the connection, as specified in the original request.

Requested Source NAT

The source NAT value to which the connection's source should be translated, as
specified in the original request.

Ticket Template Name

The name of the change request's template.

Requested Destination NAT

The destination NAT value to which the connection's destination should be


translated, as specified in the original request.

Requested Port Translation

The port value to which the connection's port should be translated, as specified in the
original request.

Workflow

The workflow assigned to the change request.

Owning Group

The user group that currently owns the change request.

Requested NAT Type

The type of NAT (Static or Dynamic), as specified in the original request.

CMS ticket id

The ID number of a related change request in an external change management


system that is integrated with FireFlow.

Firewall Name

The name of the device.

Firewall IP Address

The IP address of the device.

Firewall Brand

The device vendor.

Firewall Management Server

The device management server name.

Firewall Policy

The device security policy.

Firewall Last Report

The last report generated for the device.

Firewall Last Report Date

The date and time at which the last report for this device was generated.

Change Description

The change description.

Change Source

The IP address, IP range, network, device object, or DNS name of the connection
source, as planned during the Plan stage.

Change Destination

The IP address, IP range, network, device object, or DNS name of the connection
destination, as planned during the Plan stage.

Change Service

The device service or port for the connection, as planned during the Plan stage.

Change Action

The device action to perform for the connection, as planned during the Plan stage.

84

Chapter 11

Working with Workflows in VisualFlow

Change Source NAT

The source NAT value to which the connection's source should be translated, as
planned during the Plan stage.

Change Destination NAT

The destination NAT value to which the connection's destination should be


translated, as planned during the Plan stage.

Change Port Translation

The port value to which the connection's port should be translated, as planned during
the Plan stage.

Change NAT Type

The type of NAT (Static or Dynamic), as planned during the Plan stage.

Change Implementation Notes The words that appear in the change request's implementation notes, if the change
request has completed the Implement stage.
Request Risk Check Result

The number and/or and severity of risks that implementation of the planned change
would entail.

Initial Plan Result

The results of initial planning.

Form Type

The type of form used for the change request (Traffic Change, Object Change, or
Generic Change).

Change Validation Result

The results of change validation.

Risks Number

The number of risks detected for the planned change, if the change request has
completed the risk check in the Approve stage.

Risks Details

Details about the risks detected for the planned change, if the change request has
completed the risk check in the Approve stage.

Translated Source

The change request's source, as translated to IP addresses.

Requested Object Action

The requested action for an object change request (AddIPsToObject /


RemoveIPsFromObject / NewObject / DeleteObject).

Translated Destination

The change request's destination, as translated to IP addresses.

Change Object Action

The action for an object change request, as specified during the Plan stage
(AddIPsToObject / RemoveIPsFromObject / NewObject / DeleteObject).

Translated Service

The change request's service, as translated to ports.

Requested Object Name

An object's name, as specified in the original object change request.

Automatically Implemented

An indication of whether the requested change should be automatically


implemented.

Change Object Name

An object's name, as specified for an object change request in the Plan stage.

Already Works Firewalls

The devices on which the requested change already works.

Requested IPs To Add

The IP addresses to add to an object, as specified in the original object change


request.

Change IPs To Add

The IP addresses to add to an object, as specified for an object change request in the
Plan stage.

Requested IPs To Remove

The IP addresses to remove from an object, as specified in the original object change
request.

Change IPs To Remove

The IP addresses to remove from an object, as specified for an object change request
in the Plan stage.

Requested Object Scope

The object scope, as specified in the original object change request.

Change Object Scope

The object scope, as specified for an object change request in the Plan stage.

85

AlgoSec FireFlow

Release 6.3

Is Work Order Editable

An indication of whether the work order is editable.

Is Active Change Applicable

An indication of whether ActiveChange can be used to implement the requested


change.

Object Change Validation


Result

The results of object change validation.

Create tickets from attachment An indication of whether the change request was created from a file.
Affected Rules Result

The device rules that are affected by a suggested object change request.

Firewall Provider-1

The name or IP address of the Provider-1 managing the device.


This field is relevant for Check Point devices only.

Supported Boolean Operators


Supported Boolean Operators
Operator

Description

AND

Both of the field-value pairs joined by this operator must be true.


In the following example, the condition is only met for new change requests owned
by John Smith:
Status = 'new' AND Owner = 'John Smith'

OR

One or both of the field-value pairs joined by this operator must be true.
In the following example, the condition is met for change requests that are new,
change requests that are owned by John Smith, and new change requests owned by
John Smith:
Status = 'new' OR Owner = 'John Smith'

Comprehensive Example
In the following example, the workflow will be assigned when the change request's template does not
specify a workflow, and one of the following conditions are met:

The change request's priority is greater than 7.


The requestor's email address includes the string "company.com".
The value of the custom field called "Project" is "Infrastructure".

(Priority > 7) OR (Requestor.EmailAddress LIKE 'company.com') OR ('CF.{Project}'


= 'Infrastructure')

86

Chapter 11

Working with Workflows in VisualFlow

Editing Workflows
Note: You can edit the workflow details of built-in workflows; however, you cannot change their statuses
and actions.

To edit an existing workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Next to the new workflow, click Edit.
Click on the workflow's name.
The Edit Workflow page opens with the workflow's details.
3 To edit the workflow's details, do the following:
a) In the Edit workflow details area, complete the fields using the information Workflow Details Fields
(page 80).
When domains are enabled, there is a Domains selection box in the Edit workflow details area.
b) Click Save Draft.
A message at the top of the screen informs you that changes have been made to the workflows.
4 To add, edit, and delete workflow statuses, see Working with Statuses (on page 87).
5 To add, edit, and delete workflow actions, see Working with Actions (on page 95).
6 To add, edit, and delete SLOs in the workflow's SLA, see Working with SLAs (on page 129).

Working with Statuses


You can add, edit, reorder, and delete statuses in a workflow.

Adding Statuses
To add a status

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Statuses.

87

AlgoSec FireFlow

The Available statuses page appears.

4 Click New Status.

88

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

The Edit Status page appears.

5 Complete the fields using the information in Status Fields (page 91).

89

AlgoSec FireFlow

If you expanded the Advanced area, additional fields appear.

6 Click Save Draft.


The status is added to the workflow's list of available statuses and to the workflow.

90

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

The Outbound Actions and Inbound Actions areas appear.

7 Add, edit, or delete actions for this status.


See Working with a Status's Actions.
8 Click Save Draft.
The status is added to the workflow's list of available statuses and to the workflow.
Status Fields
In this field...

Do this...

Name

Type the name of the status as it appears in the FireFlow interface. This is also a unique
key.
The name can include up to 50 characters of Latin character set. Spaces are allowed.
This field is mandatory.
Note: Some statuses cannot be renamed. When editing such a status, this field is
read-only.

Stage

The name of the image used in the lifecycle diagram at the top of the change request
page.
This field is mandatory.

91

AlgoSec FireFlow

Release 6.3

Responsible group

Select the single user group responsible for change requests in this status.
Note: Usually, this group is configured to see these change requests in its Home page
(see Customizing the Home Page per Group (on page 18)).
When an action is performed on the change request, and the action transitions the
change request to a new status for which the change request owner is not responsible, the
change request is re-assigned to the default assignee of the new statuss responsible
group, and the current user is re-directed to their Home page.
If you want to designate a new responsible group for the status, first create the group in
the FireFlow Configuration page, then access VisualFlow again. The new group will
appear in this list, and you can select it.
This field is mandatory.

Additional responsible
groups
DD - Needs further
explanation for groups
under domains

All user groups that are responsible for change requests in this status, other than the
group specified in the Responsible group field.
This field is read-only, and it only appears for statuses that are the source status of a
parallel action.

Enabled

Specify whether this status should be enabled, by choosing one of the following:
Yes. The status is enabled and will appear in the FireFlow interface.
No. The status is disabled. It will not appear in the FireFlow interface, and no change
requests will have this status.
The default value is Yes.
Note: Some statuses cannot be disabled. When editing such a status, this field either does
not appear or is read-only.

Advanced

Expand this area to display the Advanced fields.

Allow editing traffic fields

Specify whether it is possible to plan the change when a change request is in this status.
Planning the change involves modifying any of the following fields:
Source
Destination
Service
Action
NAT
Choose one of the following:
Yes. These fields can be modified.
No. These fields cannot be modified.
The default value is No.

Next status when mail or


comment is received from
requestor

Select the next status to assign the change request, when incoming correspondence from
the change requests unprivileged requestor to the change request occurs.
If this field is not set, then the change request status will not change upon incoming
correspondence.
This field only appears for statuses where an email response is possible.

Await Requestor's
Response

Specify whether a change request should appear in the Change Requests Awaiting
Response page for unprivileged users.
The default value is No.

92

Chapter 11

Working with Workflows in VisualFlow

Mark change request as


closed

Specify whether a change request in this status is considered "closed", by choosing one
of the following:
Yes. Consider the change request "closed", and display it in the Closed Change
Requests tab in the FireFlow requestor interface.
No. Do not consider the change request "closed".
The default value is No.
This field does not appear for the "new" status.

Stage still incomplete

Specify whether there are additional statuses that a change request must achieve before
completing the stage, by choosing one of the following:
Yes. There are additional statuses that a change request must achieve before
completing this stage.
No. This is the last status in the stage. The stage will be marked with a check mark.
The default value is No.
This field must be set to No for exactly one status per stage.

Status after new

Select the status to which the change request should transition after it has been assigned
an owner.
This field only appears for the "new" status.

Editing Statuses
To edit statuses

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
To go directly to the desired status, click the status in the workflow layout.
To select the status from a list of statuses:
1. In the VisualFlow main menu, click Statuses.
The Available statuses page appears.
2. Next to the desired status, click Edit.
The Edit Status page appears.
4 Complete the fields using the information in Status Fields (page 91).
If you expanded the Advanced area, additional fields appear.
5 Add, edit, or delete actions for this status.
See Working with a Status's Actions.
6 Click Save Draft.

93

AlgoSec FireFlow

Release 6.3

Reordering Statuses
You can control the order in which statuses appear in a workflow's list of available statuses.

To reorder statuses

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Statuses.
The Available statuses page appears.

4 In the list of statuses, click


the list.

next to a status you want to move, and drag it to the desired location in

Deleting Statuses
To delete a status

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Statuses.
The Available statuses page appears.
4 Next to the desired status, click Delete.
Note: Some statuses cannot be deleted. These statuses do not have a Delete link next to them.
Note: If a status is the source or target of an action, or if the status is used in one or more SLOs, you must
disassociate those actions/SLOs from the status before you can delete it. See Deleting Actions (on page
128) and Editing SLOs (on page 132).
A confirmation message appears.
5 Click OK.
The status is deleted from the workflow's list of available statuses and from the workflow.

94

Chapter 11

Working with Workflows in VisualFlow

Working with Actions


Adding Actions
To add an action

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
In the VisualFlow main menu, click Actions.
The Available actions page appears with a list of actions used in the workflow.

In the workflow layout, click on a status to which you want to add an action.

95

AlgoSec FireFlow

Release 6.3

The Edit Status page appears with a list of inbound and outbound actions for the status.

4 Do one of the following:


To add a new action from scratch, in the New Action drop-down list, select the new action's type.
An action's type describes what it does. For information on available action types, see Action Types
(page 100).
To add a new action that is based on an existing action:
1. Next to the desired existing action, click Duplicate.
A confirmation message appears.
2. Click OK.
The new action is named OriginalAction-Copy-Number, where:
OriginalAction is the name of the action you copied.
Number is a number used to differentiate between copies of the duplicated action.
For example, if you duplicated an action called Risk Check, and there is already an action called
Risk Check-Copy-1, then the new action will be called Risk Check-Copy-2.

96

Chapter 11

Working with Workflows in VisualFlow

The Edit Action page appears.

5 Complete the fields using the information in Action Fields (page 101).

97

AlgoSec FireFlow

If you expanded the Advanced area, additional fields appear.

98

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

99

AlgoSec FireFlow

Release 6.3

6 If you set the Parallel field to Yes, set the action's responsible groups by doing the following:
a) Click the Set responsible groups link.
The Responsible groups dialog box appears.

The Responsible group field displays the user group responsible for change requests in this status.
b) In the Additional responsible groups list, select the additional user groups responsible for change
requests in this status.
To select multiple user groups, press Ctrl while you click on the desired user groups.
c) Click OK.
7 Click Save Draft.
The action is added to the list of actions.
Action Type
This action type...

Does this...

Change status

Changes the status of the change request

Internal comment

Adds a comment to the change request that is hidden from the requestor.

Reply to user

Adds a comment to the change request that is seen by the requestor. Includes sending an
email to the requestor. Includes sending an email to the requestor.

Modify custom field

Allows a user to modify one or more custom fields.

Take ownership

Assigns the user ownership of a change request.

Assign

Allows a user to assign ownership of a change request to another user.

Initial plan

Performs initial planning. Relevant only for traffic change requests.


It is recommended to consult with AlgoSec before using this action type.

Risk check

Performs a risk check. Relevant only for traffic change requests.


It is recommended to consult with AlgoSec before using this action type.

Implementation plan

Creates a work order.


It is recommended to consult with AlgoSec before using this action type.

Manual reconcile

Opens a dialog box that allows a user to manually match the change request with a
change record. Relevant only for traffic change requests.
It is recommended to consult with AlgoSec before using this action type.

No change record

Opens a dialog box that allows a user to manually match the change request, while
specifying that there is no associated change record. Relevant only for traffic change
requests.

100

Chapter 11

Working with Workflows in VisualFlow

It is recommended to consult with AlgoSec before using this action type.


Change validation

Performs validation of a traffic change request. Relevant only for traffic change
requests.
It is recommended to consult with AlgoSec before using this action type.

Review work order

Enables a user to view an existing work order and edit it. Relevant controls will appear
in UI only for Check Point and Juniper devices. Relevant only for traffic change
requests.
It is recommended to consult with AlgoSec before using this action type.

Active change

Enables a user to implement planned changes via ActiveChange. Relevant controls will
appear in UI only for Check Point devices using OPSEC. Relevant only for traffic
change requests.
It is recommended to consult with AlgoSec before using this action type.

Object change validation

Performs validation of an object change request. Relevant only for object change
requests.
It is recommended to consult with AlgoSec before using this action type.

Affected rules

Finds affected rules for an object change request. Relevant only for object change
requests.
It is recommended to consult with AlgoSec before using this action type.

Related tickets

Finds change requests that are related to a change request. Relevant only for rule
removal requests.
It is recommended to consult with AlgoSec before using this action type.

Notify requestors

Enables a user to notify other users regarding the impending removal/disablement of a


device rule. Relevant only for rule removal requests.
It is recommended to consult with AlgoSec before using this action type.

View correspondence

Allows a user to view correspondences with other users regarding the impending
removal/disablement of a device rule. Relevant only for rule removal requests.
It is recommended to consult with AlgoSec before using this action type.

Rule removal validation

Performs validation of a rule removal request. Relevant only for rule removal requests.
It is recommended to consult with AlgoSec before using this action type.

Action Fields
In this field...

Do this...

Name

A unique key value for the action. Used when the action's behavior is to be overridden
for a specific status.
This field is mandatory. It is only available when working with a workflow's list of
actions.

Type

Select the action's type, which describes what it does. See Action Types (page 100).
This field is mandatory. It is only available when working with a workflow's list of
actions.

Category

Type the action's category.


You can create categories and assign similar actions to them. When editing an action,
the Edit action details area will display links to other actions belonging to the same
category.

101

AlgoSec FireFlow

Release 6.3

Source status

Use the fields in this area to specify the status or statuses from which the change request
must transition, before this action can be performed.

Target status

Use the fields in this area to specify the status or statuses to which the change request
will transition when the action is performed.

Required action right

Specify whether the user must be granted a specific right, in order for the action to
appear in the Other drop-down list, by selecting the relevant right.
Note: This is a cosmetic issue only. Actions that require the user to have a specific right
will not succeed if the user does not have the right.

Return to homepage

Specify whether the user should be re-directed to the Home page after executing the
action, by choosing one of the following:
Yes. Redirect the user to the Home page.
No. The user should remain on the current page.
The default value is No.

Enabled

Specify whether this action should be enabled, by choosing one of the following:
Yes. The action is enabled and will appear in the FireFlow interface.
No. The action is disabled and will not appear in the FireFlow interface.
The default value is Yes.

Display action button

Specify whether the action should be available via an explicit button next to the Other
drop-down list, by choosing one of the following:
Yes. Make the action available via a button. The button will always be visible,
unless the Display action button when field is empty field is set to a field name.
No. Do not make the action available via a button.
The default value is No.

Advanced

Expand this area to display the Advanced fields.

Conditional target status

Use the fields in this area to specify a set of conditional target statuses that the change
request can transition to.
FireFlow will check the conditions in the order listed; therefore, if the first condition is
met, FireFlow will not check the second condition, and so on.
If none of the conditions are met, the change request will transition to the status
specified in the Edit action details area's Target status field, by default.

Target status

Select a new status that the change request should transition to when the action is
performed, if the condition(s) in the Condition field are met.

Condition

Type an XQL query specifying the conditions under which the change request will
transition to the status specified in the Target Status field.
For example, to specify the condition that the number of risks must be zero, type:
Ticket[RisksNumber = "0"]
For information on the required query syntax, see Action Condition Syntax (on page
105).

Message to user

Type a message that should appear onscreen when transitioning to the new status.

Click this button to add another conditional target status.

102

Chapter 11

Working with Workflows in VisualFlow

Parallel

Specify whether the action will be performed in parallel to a second, identical action.
Choose one of the following:
Yes. The action will be performed in parallel to a second, identical action.
No. The action will be performed sequentially to all other actions.
The default value is No.
It is possible to add more parallel action logic. See Adding Parallel Action Logic (on
page 126).
This field is enabled only for statuses of the following types: Change status, Internal
comment, and Reply to user.

action completed when

The strategy used to determine whether the parallel action has been completed.
To specify that the action should be considered completed only when all responsible
groups have performed it, select all.
If desired, you can configure other strategies. For example, you can configure a strategy
specifying that if a specific group performs the action, then the action should be
considered completed; otherwise, FireFlow should wait for all other groups to perform
the action. For information on configuring additional strategies, contact AlgoSec.

Display action button when Specify whether the action should be available via an explicit button next to the Other
field is empty
drop-down list only if a specific change request field is empty, by selecting the relevant
change request field.
Display action button when Specify whether the action should be available via an explicit button next to the Other
current user is not the
drop-down list only if the current user is not the change request's owner. Choose one of
owner
the following:
Yes. Display the action button if the current user is not the change request's owner.
No. Do not make displaying the action button dependent on whether the current user
is the change request's owner.
The default value is No.
Display action button when Specify whether the action should be available via an explicit button next to the Other
change request is
drop-down list only if the change request is not assigned to a user. Choose one of the
unassigned
following:
Yes. Display the action button if the change request is not assigned to a user.
No. Do not make displaying the action button dependent on whether the change
request is assigned to a user.
The default value is No.
Display action button when Specify whether the action should be available via an explicit button next to the Other
field value is true
drop-down list only if a specific change request field's value is "true", by selecting the
relevant change request field.
This is useful for actions that are restricted to certain devices types. For example, editing
a work order can only be done for is Check Point devices; therefore, this action should
only be available if a custom field called "Check Point" is set to "true".
Modify Field Title

Type the message that should appear when this action is performed, instructing the user
to complete the field specified in the Field Name field.
This field is only relevant if the Type field's value is Modify custom field.

Field Name

If the action requires a field's value as input, select the field's name.
To select multiple fields, hold down the CTRL key while clicking on the desired fields.
This field is only relevant if the Type field's value is Modify custom field.

103

AlgoSec FireFlow

Release 6.3

Display in workflow layout Specify whether the action should be displayed in the workflow layout when viewing a
workflow, by choosing one of the following:
Yes. Display the action in the workflow layout.
No. Do not display the action in the workflow layout.
The default value is No.
Note: When viewing a status for which this action is an outbound action, the action will
be displayed in the workflow layout, regardless of this attribute's value.
Applies to change requests Select the check boxes next to the types of change requests for which the action is
of type
relevant, and for which the action should appear.
This can be one or more of the following:
Regular. The action is relevant to regular change requests.
A regular change request is relevant to only one device.
Parent. The action is relevant to parent requests.
A parent request is relevant to multiple devices and has a sub-request for each
device.
Sub request. The action is relevant to sub-requests. A sub-request is relevant to one
device, out of the multiple devices that are relevant to its parent request.
If you do not select any of the check boxes, the action will be relevant to all change
request types.
User confirmation needed

Specify whether a confirmation message should appear when a user performs the action,
by choosing one of the following:
Yes. Display a message when the action is performed.
No. Do not display a message when the action is performed.
The default value is No.

Mail content

Type the default text that will appear in the main message box when commenting on a
change request or replying to the user.
This field is relevant only for actions of the type Reply to user and Internal comment.

Set 'auto-matching status'

Specify whether after the action is performed, the change request's "auto-matching
status" should be set to a specific value, and the change request should be displayed in
the Auto Matching page, by selecting the relevant status.
The default value is No.

Traffic fields required

Specify whether certain change request fields are mandatory, in which case if the fields
are not filled in when the action is performed, a message will appear prompting the user
the fill them in. The fields in question are:
Source
Destination
Service
Action
Firewall
Choose one of the following:
Yes. These fields are mandatory.
No. These fields are optional.
The default value is No.

104

Chapter 11

Working with Workflows in VisualFlow

Hide from 'Other' actions


menu

Specify whether the action should not appear in the Other drop-down list, if it is not
available via an explicit button next to the Other drop-down list. Choose one of the
following:
Yes. Hide this action in the Other drop-down list, if it does not appear via an explicit
button.
No. Display this action in the Other drop-down list, regardless of whether it
appears via an explicit button,
The default value is No.

Allow this action for


unprivileged users

Specify whether unprivileged users should be allowed to perform this action, by


choosing one of the following:
Yes. Allow unprivileged users to perform this action.
No. Do not allow unprivileged users to perform this action.
The default value is No.

Return to homepage and


display sub requests

Specify whether after the action is performed on a parent request, the user should be
redirected to the Home page, which displays a list of the parent request's sub-requests.
Choose one of the following:
Yes. Redirect the user to the Home page with a list of the parent request's
sub-requests.
No. The user should remain on the current page.
The default value is No.
This field is relevant only for actions of the type Change status, Reply to user and
Internal comment.

Return to parent request

Specify whether after the action is performed on a sub-request, the user should be
redirected to the parent request, by choosing one of the following:
Yes. Redirect the user to the parent request.
No. The user should remain on the current page.
The default value is No.

Action Condition Syntax


In order to specify a condition under which a change request will transition to a new status when an action is
performed, you must compose an XQL query. The XQL query can include the following:

Elements
An element may be any node in the XML of a change request, called a flat ticket. A flat ticket's root node
is <Ticket>, which is written in an XQL query as Ticket.
In order to specify a sub-node, use "/". For example, to specify a flat ticket's <Firewall> node, write:
Ticket/Firewall

You can use an asterisk "*" to specify a wildcard. For example, to specify any sub-node of Firewall,
write:
Ticket/Firewall/*

For information about available flat ticket nodes, see Flat Ticket Nodes (on page 106). For an example
of a flat ticket, see Flat Ticket Example (on page 116).
Filters
In order to apply a condition to an element, use square brackets "[ ]" in the following format:
Element[condition]

105

AlgoSec FireFlow

Release 6.3

Where condition is a sub-query specifying the desired condition.


For example, to specify that the device brand must be Juniper Netscreen, write the following:
Ticket/Firewall[Brand = "Juniper Netscreen"]

Comparison operators
Elements in a sub-query may be compared via comparison operators in the following format:
element operator "value"

Where operator is a supported comparison operator, and value is the element's desired value.
In the previous example, the sub-query used the = operator as follows:
Brand = "Juniper Netscreen"

For a list of supported comparison operators, see Supported Comparison Operators (on page 125).
Boolean operators
It is possible to use Boolean operators between sub-queries. For example, the following query specifies
that the change request must be assigned to the Standard workflow, and the status must be "new":
Ticket[Workflow = "Standard"] $and$ Ticket[Status = "new"]

For more intricate queries, you can use parentheses to group sub-queries. For example, the following
query specifies that the change request must be assigned to the Standard workflow, and the change
request status must be "new" or "plan".
Ticket[Workflow = "Standard"] $and$ (Ticket[Status = 'new'] $or$
Ticket[Status = 'plan'])

For a list of supported Boolean operators, see Supported Boolean Operators (on page 126).

Flat Ticket Nodes


The following table lists the standard flat ticket nodes in alphabetical order.
Note: These nodes represent the various change request fields.
If you configured custom fields, there will also be a node for each custom field, and those nodes can be used
as elements in XQL queries.
Flat Ticket Nodes
Node

Description

Sub-nodes

Action

The action to perform for the connection.

If inclusion of user-defined custom


traffic fields in flat tickets is enabled,
then this node will have the following
sub-nodes:
Value.
A node for each custom field. Each
such node will have its own Value
sub-node.
See Enabling/Disabling Inclusion of
User-Defined Custom Traffic Fields in
Flat Tickets (on page 216).

Sub-node of PlannedTraffic and


RequestedTraffic.

106

Chapter 11

AffectedRulesResult

Working with Workflows in VisualFlow

The device rules that will be affected by the None


requested change.
Sub-node of Ticket.
Relevant for object change requests only.

AlreadyWorksFirewalls

The names of devices on which the


requested change already works.

None

Sub-node of Ticket.
Relevant for traffic change requests only.
AutomaticallyImplemented

Indicates whether the requested change


should be automatically implemented.

None

Sub-node of Ticket.
Relevant for traffic change requests only.
Brand

The device vendor.

None

Sub-node of Firewall.
Cc

Email addresses to which the FireFlow


system will send copies of all email
messages regarding this request.

None

Sub-node of Ticket.
ChangeFullData

The change description.

None

Sub-node of Ticket.
ChangeImplementationNote The change request's implementation notes, None
s
if the change request has completed the
Implement stage.
Sub-node of Ticket.
Relevant for traffic change requests only.
City

The city in which the change request owner


or requestor is located, depending on the
parent node.

None

Sub-node of Owner and Requestor.


None

ClosedAt

The date and time when the change request


was closed.
Sub-node of Ticket.

CMSticketid

The ID number of a related change request in None


an external change management system that
is integrated with FireFlow.
Sub-node of Ticket.

code

The code number of a risk.


Sub-Node of Risk.
Relevant for traffic change requests only.

None

Country

The country in which the change request


None
owner or requestor is located, depending on
the parent node.
Sub-node of Owner and Requestor.

107

AlgoSec FireFlow

Created

Release 6.3

The date and time when the change request


was created.

None

Sub-node of Ticket.
Createticketsfromattachmen Indicates whether the change request was
t
created from a file.

None

Sub-node of Ticket.
Description

The description of the change request.

None

Sub-node of Ticket.
description

The description of a risk.


Sub-Node of Risk.
Relevant for traffic change requests only.

None

Destination

The IP address, IP range, network, device


object, or DNS name of the connection
destination.

If inclusion of user-defined custom


traffic fields in flat tickets is enabled,
then this node will have the following
sub-nodes:
Value.
A node for each custom field. Each
such node will have its own Value
sub-node.
See Enabling/Disabling Inclusion of
User-Defined Custom Traffic Fields in
Flat Tickets (on page 216).

Sub-node of PlannedTraffic and


RequestedTraffic.
Relevant for traffic change requests only.

Due

The date by which this change request


should be resolved.

None

Sub-node of Ticket.
EmailAddress

The email address of the change request


None
owner or requestor, depending on the parent
node.
Sub-node of Owner and Requestor.

Expires

The date on which this change request will


expire.

None

Sub-node of Ticket.
Firewall

Information about the device on which the


change will be implemented, if the change
request has completed the Plan stage.
Sub-node of Ticket.

FormType

Brand
IPAddress
LastReport
LastReportDate
ManagementServer
Name
Policy

The change request's form type (Traffic


None
Change / Object Change / Generic Change).
Sub-node of Ticket.

108

Chapter 11

HomePhone

The home telephone number of the change None


request owner or requestor, depending on the
parent node.
Sub-node of Owner and Requestor.

Id

The ID number of the change request or the None


change request owner, depending on the
parent node.

Working with Workflows in VisualFlow

Sub-node of Ticket and Owner.


ImplementaionDate

The date on which the change request was


implemented.

None

Sub-node of Ticket.
InitialPlanStartTime

The amount of time that has elapsed since


initial planning, in UNIX time.

None

Sub-node of Ticket.
IPAddress

The IP address of the device.

None

Sub-node of Firewall.
IPsToAdd

The IP addresses to add to the device object. None


Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for object change requests only.

IPsToRemove

The IP addresses to remove from the device None


object.
Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for object change requests only.

IsActiveChangeApplicable

Indicates whether ActiveChange can be used None


to automatically implement the requested
change.
Sub-node of Ticket.
Relevant for traffic change requests only.

IsWorkOrderEditable

Indicates whether the work order is editable. None


Sub-node of Ticket.

LastReport

The last report generated for the device.

None

Sub-node of Firewall.
LastReportDate

The date and time at which the last report for None
this device was generated.
Sub-node of Firewall.

LastUpdated

The date and time when the change request


was last updated.

None

Sub-node of Ticket.
LastUpdatedBy

The username of the person who last updated None


the change request.
Sub-node of Ticket.

109

AlgoSec FireFlow

ManagementServer

Release 6.3

The name of the device's management


server.

None

Sub-node of Firewall.
Name

The name of the device.

None

Sub-node of Firewall.
name

The name of a risk.

None

Sub-Node of Risk.
Relevant for traffic change requests only.
New

Indicates whether the change request is new. None


Sub-node of Ticket.

ObjectChangeValidationRes The results of object change validation.


ult
Sub-node of Ticket.
Relevant for object change requests only.

None

ObjectName

None

The name of the device object.


Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for object change requests only.

Organization

The organization to which the change


request owner or requestor belongs,
depending on the parent node.

None

Sub-node of Owner and Requestor.


Owner

The change request owner's username and


email address.
Sub-node of Ticket.

OwningGroup

The name of the user group that currently


owns the change request.
Sub-node of Ticket.

110

City
Country
EmailAddress
HomePhone
Id
Organization
RealName

None

Chapter 11

PlannedTraffic

The changes planned during the Plan stage.


Sub-node of Ticket.

Policy

The device security policy.

Working with Workflows in VisualFlow

Action
Destination
IPsToRemove
IPsToAdd
ObjectName
Requestedaction
RuleDisplayId
RuleId
RuleRemovalRelatedTickets
RuleRemovalRelatedTicketsReque
stors
RuleRemovalRuleAction
RuleRemovalUserstoNotify
Scope
Service
Source

None

Sub-node of Firewall.
Priority

A number indicating this request's priority,


where 0 indicates lowest priority.

None.

Sub-node of Ticket.
RealName

The full names of the change request owner None


or requestor, depending on the parent node.
Sub-node of Owner and Requestor.

Requestedaction

The action the user selected to perform on


the rule (remove or disable).

None

Sub-node of PlannedTraffic and


RequestedTraffic.
Relevant for rule removal requests only.
RequestedTraffic

The changes requested during the Request


stage.
Sub-node of Ticket.

Action
Destination
IPsToRemove
IPsToAdd
ObjectName
Requestedaction
RuleDisplayId
RuleId
RuleRemovalRelatedTickets
RuleRemovalRelatedTicketsReque
stors
RuleRemovalRuleAction
RuleRemovalUserstoNotify
Scope
Service
Source

111

AlgoSec FireFlow

Requestor

Release 6.3

Information about the requestor.


Sub-node of Ticket.

Risk

A risk that implementation of the planned


change would entail.
Sub-node of RiskDetails.
Relevant for traffic change requests only.

RisksDetails

The results of the risk check, if the change


request has completed the Check stage.

City
Country
EmailAddress
HomePhone
Organization
RealName

code
description
name
severity

Risk

Sub-node of Ticket.
Relevant for traffic change requests only.
RisksNumber

The total number of risks that


implementation of the planned change
would entail.

None

Sub-node of Ticket.
Relevant for traffic change requests only.
RuleDisplayId

The rule ID as displayed to users.

None

Sub-node of PlannedTraffic and


RequestedTraffic.
Relevant for rule removal requests only.
RuleId

The rule ID as displayed in reports.


Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for rule removal requests only.

RuleRemovalRelatedTickets FireFlow change requests with traffic that


intersects that of the rule slated to be
removed/disabled.
Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for rule removal requests only.

None

None

RuleRemovalRelatedTickets The requestors of FireFlow change requests None


Requestors
with traffic that intersects that of the rule
slated to be removed/disabled.
Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for rule removal requests only.
RuleRemovalRuleAction

112

The action to perform on the rule in the


device policy (for example, allow or drop).
Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for rule removal requests only.

None

Chapter 11

Working with Workflows in VisualFlow

RuleRemovalUserstoNotify FireFlow users to notify regarding the rule's None


upcoming removal/disablement.
Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for rule removal requests only.
Scope

The scope of the change (Local / Global).

None

Sub-node of PlannedTraffic and


RequestedTraffic.
Relevant for object change requests only.
Service

The device service or port for the


connection.
Sub-node of PlannedTraffic and
RequestedTraffic.
Relevant for traffic change requests only.

If inclusion of user-defined custom


traffic fields in flat tickets is enabled,
then this node will have the following
sub-nodes:
Value.
A node for each custom field. Each
such node will have its own Value
sub-node.
See Enabling/Disabling Inclusion of
User-Defined Custom Traffic Fields in
Flat Tickets (on page 216).

severity

The severity of a risk.


Sub-Node of Risk.
Relevant for traffic change requests only.

None

Source

The IP address, IP range, network, device


object, or DNS name of the connection
source.

If inclusion of user-defined custom


traffic fields in flat tickets is enabled,
then this node will have the following
sub-nodes:
Value.
A node for each custom field. Each
such node will have its own Value
sub-node.
See Enabling/Disabling Inclusion of
User-Defined Custom Traffic Fields in
Flat Tickets (on page 216).

Sub-node of PlannedTraffic and


RequestedTraffic.
Relevant for traffic change requests only.

Status

The change request's status.

None

Sub-node of Ticket.
Subject

The change request's subject.


Sub-node of Ticket.

None

Ticket

The root node of a flat ticket.

AffectedRulesResult
AlreadyWorksFirewalls
AutomaticallyImplemented
Cc
ChangeFullData
ChangeImplementationNotes
ClosedAt
CMSticketid

113

AlgoSec FireFlow

Release 6.3

TicketTemplateName

The name of the change request's template.

Createticketsfromattachment
Description
Due
Expires
Firewall
FormType
Id
ImplementaionDate
InitialPlanStartTime
IsActiveChangeApplicable
IsWorkOrderEditable
LastUpdated
LastUpdatedBy
New
ObjectChangeValidationResult
Owner
OwningGroup
Planned Traffic
Priority
RequestedTraffic
Requestor
RiskDetails
RisksNumber
Status
Subject
TicketTemplateName
TrafficChangeTime
TranslatedDestination
TranslatedService
TranslatedSource
Workflow

None

Sub-node of Ticket.
TrafficChangeTime

The amount of time that has elapsed since


the traffic was changed, in UNIX time.

None

Sub-node of Ticket.
Relevant for traffic change requests only.
TranslatedDestination

The change request's destination, as


translated to IP addresses.

None

Sub-node of Ticket.
Relevant for traffic change requests only.
TranslatedService

The change request's destination, as


translated to ports.
Sub-node of Ticket.
Relevant for traffic change requests only.

114

None

Chapter 11

TranslatedSource

Working with Workflows in VisualFlow

The change request's source, as translated to None


IP addresses.
Sub-node of Ticket.
Relevant for traffic change requests only.

Value

The value of this node's parent node.

None

Sub-node of Action, Destination,


Service, and Source.
Relevant only when inclusion of
user-defined custom traffic fields in flat
tickets is enabled. See Enabling/Disabling
Inclusion of User-Defined Custom Traffic
Fields in Flat Tickets (on page 216).
Workflow

The change request's assigned workflow.

None

Sub-node of Ticket.

115

AlgoSec FireFlow

Release 6.3

Flat Ticket Example


A flat ticket is a change request in XML format.
Traffic Change Flat Ticket (Inclusion of User-Defined Custom Traffic Fields Enabled)
<Ticket>
<AdditionalResponsibleGroups></AdditionalResponsibleGroups>
<AffectedRulesResult></AffectedRulesResult>
<AlreadyWorksFirewalls></AlreadyWorksFirewalls>
<ApplicationDefaultServices>tcp/21/*</ApplicationDefaultServices>
<AutomaticallyImplemented>No</AutomaticallyImplemented>
<CMSticketid></CMSticketid>
<CategorytoUpdate></CategorytoUpdate>
<Cc></Cc>
<ChangeCategory></ChangeCategory>
<ChangeFullData>{&quot;zoneSpanning&quot;:null,&quot;acl&quot;:null,&quot;from
Zone&quot;:null,&quot;recommendation_new_format&quot;:1,&quot;report&quot;:&qu
ot;eliezer-13656&quot;,&quot;origRuleScript&quot;:&quot;fwrules51&quot;,&quot;
firewall&quot;:&quot;fw3&quot;,&quot;tuples&quot;:{&quot;tuple-1&quot;:{&quot;
orig_rules&quot;:&quot;orig_rules.html&quot;,&quot;suggestions&quot;:{&quot;ad
d&quot;:[{&quot;source&quot;:[&quot;192.168.3.186&quot;],&quot;sourceReq&quot;
:&quot;192.168.3.186&quot;,&quot;data_time&quot;:&quot;saved-2012-04-01-133038
&quot;,&quot;destination&quot;:[&quot;10.10.10.2-10.10.10.3&quot;],&quot;statu
s&quot;:&quot;N/A&quot;,&quot;srvReq&quot;:&quot;ftp&quot;,&quot;service&quot;
:[&quot;tcp/21&quot;],&quot;destReq&quot;:&quot;10.10.10.2,10.10.10.3&quot;,&q
uot;tuples&quot;:&quot;1&quot;}]},&quot;noActionRequired&quot;:1}},&quot;actio
n&quot;:[&quot;Allow&quot;],&quot;queryURL&quot;:&quot;https://192.168.2.245:4
43/~eliezer/algosec/session-1802f5044ffe48d097279d515a6fa864/work/fw3-18947/qu
ery-18947/query.html&quot;,&quot;ticket&quot;:&quot;1320&quot;,&quot;toZone&qu
ot;:null}</ChangeFullData>
<ChangeImplementationNotes></ChangeImplementationNotes>
<ChangeURL></ChangeURL>
<ChangeUserGroup></ChangeUserGroup>
<ChangeWebAction>Allow</ChangeWebAction>
<ClosedAt></ClosedAt>
<Created>Sun Apr 01 13:46:28 2012</Created>
<Createticketsfromattachment>No</Createticketsfromattachment>
<Customer>Example Customer</Customer>
<Description></Description>
<Due>Sun Apr 01 2012</Due>
<Expires>Tue May 01 2012</Expires>
<Firewall>

116

Chapter 11

Working with Workflows in VisualFlow

<Brand>Check Point</Brand>
<IPAddress>10.132.32.1</IPAddress>
<LastReport>eliezer-13656</LastReport>
<LastReportDate>2012-03-31 21:34:09</LastReportDate>
<ManagementServer>m_10_132_31_1</ManagementServer>
<Name>fw3</Name>
<Policy>yaara_10.W</Policy>
</Firewall>
<FormType>Traffic Change</FormType>
<Id>1320</Id>
<InitialPlanStartTime>1333277359.81826</InitialPlanStartTime>
<IsActiveChangeApplicable>1</IsActiveChangeApplicable>
<IsWorkOrderEditable>true</IsWorkOrderEditable>
<LastUpdated>Sun Apr 01 13:54:55 2012</LastUpdated>
<LastUpdatedBy>eliezer.weiss+locadmin@algoseclabs.com</LastUpdatedBy>
<Moshe></Moshe>
<ObjectChangeValidationResult></ObjectChangeValidationResult>
<OrganizationMethodology></OrganizationMethodology>
<Owner>
<City>tel aviv</City>
<Country></Country>
<EmailAddress>eliezer.weiss+locnet@algoseclabs.com</EmailAddress>
<HomePhone></HomePhone>
<Id>67</Id>
<Organization>Algosec</Organization>
<RealName>local network</RealName>
</Owner>
<OwningGroup>Network</OwningGroup>
<PendingResponsibleGroups></PendingResponsibleGroups>
<PlannedTraffic>
<Action>
<Value>Allow</Value>
</Action>
<Destination>
<Value>10.10.10.2</Value>
</Destination>
<Destination>

117

AlgoSec FireFlow

Release 6.3
<Value>10.10.10.3</Value>
</Destination>
<DestinationNAT>165.13.12.11</DestinationNAT>
<NATType>Static</NATType>
<PortTranslation>tcp/8080</PortTranslation>
<Service/Application>
<Value>tcp/21</Value>
</Service/Application>
<Source>
<Value>192.168.3.186</Value>
</Source>
<SourceNAT>178.16.1.18</SourceNAT>
<application>mail server</application>

</PlannedTraffic>
<Priority>0</Priority>
<RecertificationCandidateDevices></RecertificationCandidateDevices>
<RecertificationRelatedTicketsCalculationDate></RecertificationRelatedTicketsC
alculationDate>
<RecertificationStatus>Stand by</RecertificationStatus>
<RecertifiedTrafficTicket></RecertifiedTrafficTicket>
<RecommendReimplement></RecommendReimplement>
<RequestedCategory></RequestedCategory>
<RequestedTraffic>
<Action>
<Value>Allow</Value>
</Action>
<Destination>
<Value>10.10.10.2</Value>
</Destination>
<Destination>
<Value>10.10.10.3</Value>
</Destination>
<DestinationNAT>165.13.12.11</DestinationNAT>
<NATType>Static</NATType>
<PortTranslation>tcp/8080</PortTranslation>
<Service/Application>

118

Chapter 11

Working with Workflows in VisualFlow

<Value>ftp</Value>
</Service/Application>
<Source>
<Value>192.168.3.186</Value>
</Source>
<SourceNAT>178.16.1.18</SourceNAT>
<application>mail server</application>
</RequestedTraffic>
<RequestedURL></RequestedURL>
<RequestedUserGroup></RequestedUserGroup>
<RequestedWebAction>Allow</RequestedWebAction>
<Requestor>
<City></City>
<Country></Country>
<EmailAddress>eliezer.weiss+locadmin@algoseclabs.com</EmailAddress>
<HomePhone></HomePhone>
<Id>65</Id>
<Organization>Algosec</Organization>
<RealName>Local FireFlow admin</RealName>
</Requestor>
<RiskLevel>No Risk</RiskLevel>
<RisksDetails></RisksDetails>
<RisksNumber>0</RisksNumber>
<Status>validate</Status>
<Subject>FTP access to mail servers</Subject>
<TicketTemplateID></TicketTemplateID>
<TicketTemplateName></TicketTemplateName>
<TrafficChangeTime></TrafficChangeTime>
<TranslatedDestination>10.10.10.2-10.10.10.3</TranslatedDestination>
<TranslatedService>tcp/21</TranslatedService>
<TranslatedSource>192.168.3.186</TranslatedSource>
<Workflow>Standard-With-SLA</Workflow>
<reportpdf>6208</reportpdf>
</Ticket>

Traffic Change Flat Ticket (Inclusion of User-Defined Custom Traffic Fields Disabled)
119

AlgoSec FireFlow
<Ticket>
<AddTraffic>Yes</AddTraffic>
<Cc></Cc>
<ClosedAt></ClosedAt>
<Created>Mon Jun 28 07:21:13 2010</Created>
<Description></Description>
<Due></Due>
<Firewall>
<Brand>Juniper Netscreen</Brand>
<IPAddress>100.0.0.1</IPAddress>
<LastReport>michal-8247</LastReport>
<LastReportDate>2010-06-27 19:32:18</LastReportDate>
<Name>192_168_2_53_root</Name>
<Policy>192_168_2_53_root.nsc</Policy>
</Firewall>
<Id>1567</Id>
<InitialPlanStartTime>1277717369.39996</InitialPlanStartTime>
<LastUpdated>Mon Jun 28 09:33:08 2010</LastUpdated>
<LastUpdatedBy>a123@algosec.com</LastUpdatedBy>
<Owner>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Id>25</Id>
<Organization></Organization>
<RealName>JohnSmith</RealName>
</Owner>
<PlannedTraffic>
<Action>Allow</Action>
<Destination>*</Destination>
<Service>*</Service>
<Source>*</Source>
</PlannedTraffic>
<Priority>0</Priority>
<RequestedTraffic>
<Action>Allow</Action>

120

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

<Destination>*</Destination>
<Service>ssh</Service>
<Source>*</Source>
</RequestedTraffic>
<Requestor>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Organization></Organization>
<RealName>JaneBrown</RealName>
</Requestor>
<RisksDetails>
<Risk>
<code>I01</code>
<description>&quot;Any&quot; service can enter your
network</description>
<name>I01-inbound-any</name>
<severity>high</severity>
</Risk>
</RisksDetails>
<RisksNumber>3</RisksNumber>
<Status>check</Status>
<Subject></Subject>
<TrafficChangeTime>1277717369.02893</TrafficChangeTime>
<Workflow>Standard</Workflow>
<CustomField1>1</CustomField1>
</Ticket>

Object Change Flat Ticket


<Ticket>
<AffectedRulesResult>The change will affect 1 rules: 12 in device
Kartiv</AffectedRulesResult>
<AlreadyWorksFirewalls></AlreadyWorksFirewalls>
<AutomaticallyImplemented></AutomaticallyImplemented>
<CMSticketid></CMSticketid>
<Cc></Cc>

121

AlgoSec FireFlow
<ChangeFullData></ChangeFullData>
<ChangeImplementationNotes></ChangeImplementationNotes>
<ClosedAt></ClosedAt>
<Created>Mon Feb 14 08:22:13 2011</Created>
<Createticketsfromattachment>No</Createticketsfromattachment>
<Description></Description>
<Due></Due>
<Expires></Expires>
<Firewall>
<Brand>Check Point</Brand>
<IPAddress>10.20.17.1</IPAddress>
<LastReport>michal-12327</LastReport>
<LastReportDate>2011-02-07 20:23:19</LastReportDate>
<ManagementServer>m_10_20_16_1</ManagementServer>
<Name>Kartiv</Name>
<Policy>Standard.W</Policy>
</Firewall>
<FormType>Object Change</FormType>
<Id>2128</Id>
<ImplementaionDate></ImplementaionDate>
<InitialPlanStartTime></InitialPlanStartTime>
<IsActiveChangeApplicable>1</IsActiveChangeApplicable>
<IsWorkOrderEditable>true</IsWorkOrderEditable>
<LastUpdated>Mon Feb 14 08:22:52 2011</LastUpdated>
<LastUpdatedBy></LastUpdatedBy>
<New></New>
<ObjectChangeValidationResult></ObjectChangeValidationResult>
<Owner>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Id>25</Id>
<Organization></Organization>
<RealName>m</RealName>
</Owner>
<OwningGroup>Network</OwningGroup>

122

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

<PlannedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.10.17.3</IPsToRemove>
<ObjectName>a_10.10.17.2-3</ObjectName>
<Scope>Local</Scope>
</PlannedTraffic>
<PlannedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.40.17.0-10.40.17.255</IPsToRemove>
<ObjectName>RemoteAccess</ObjectName>
<Scope>Global</Scope>
</PlannedTraffic>
<Priority>0</Priority>
<RequestedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.10.17.3</IPsToRemove>
<ObjectName>a_10.10.17.2-3</ObjectName>
<Scope>Local</Scope>
</RequestedTraffic>
<RequestedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.40.17.0-10.40.17.255</IPsToRemove>
<ObjectName>RemoteAccess</ObjectName>
<Scope>Global</Scope>
</RequestedTraffic>
<Requestor>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Organization></Organization>
<RealName>m</RealName>
</Requestor>
<RisksDetails></RisksDetails>
<RisksNumber></RisksNumber>
<Status>implement</Status>
<Subject>For NZ</Subject>

123

AlgoSec FireFlow
<TicketTemplateName>130: Object Change Request</TicketTemplateName>
<TrafficChangeTime></TrafficChangeTime>
<TranslatedDestination></TranslatedDestination>
<TranslatedService></TranslatedService>
<TranslatedSource></TranslatedSource>
<Workflow>Change-Object</Workflow>
</Ticket>

Rule Removal Flat Ticket


<Ticket>
<Firewall>
<Brand>Check Point</Brand>
<IPAddress>10.20.17.1</IPAddress>
<LastReport>michal-12327</LastReport>
<LastReportDate>2011-02-07 20:23:19</LastReportDate>
<ManagementServer>m_10_20_16_1</ManagementServer>
<Name>Kartiv</Name>
<Policy>Standard.W</Policy>
</Firewall>
<FormType>Rule Removal</FormType>
<Id>2128</Id>
<ImplementaionDate></ImplementaionDate>
<InitialPlanStartTime></InitialPlanStartTime>
<IsWorkOrderEditable>true</IsWorkOrderEditable>
<LastUpdated>Mon Feb 14 08:22:52 2011</LastUpdated>
<LastUpdatedBy></LastUpdatedBy>
<New></New>
<Owner>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Id>25</Id>
<Organization></Organization>
<RealName>m</RealName>
</Owner>
<OwningGroup>Network</OwningGroup>
124

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

<PlannedTraffic>
<Requestedaction>Remove Rule</Requestedaction>
</PlannedTraffic>
<RequestedTraffic>
<Requestedaction>Remove rule</Requestedaction>
<RuleDisplayId>1</RuleDisplayId>
<RuleId>57E7BF23-D6BD-498A-9DDA-9071ECC47E46</RuleId>
<RuleRemovalRelatedTickets>748</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTickets>471</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTickets>323</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTickets>5</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTicketsRequesotrs>65</RuleRemovalRelatedTicketsRequesotrs>
<RuleRemovalRelatedTicketsRequesotrs>37</RuleRemovalRelatedTicketsRequesotrs>
<RuleRemovalRuleAction>accept</RuleRemovalRuleAction>
<RuleRemovalUserstoNotify>65</RuleRemovalUserstoNotify>
<RuleRemovalUserstoNotify>37</RuleRemovalUserstoNotify>
</RequestedTraffic>
<Workflow>Rule-Removal</Workflow>
</Ticket>

Supported Comparison Operators


Supported Comparison Operators
Operator

Description

Equal

!=

Not equal

=~

Contains

!~

Does not contain

<

Less than

>

Greater than

125

AlgoSec FireFlow

Release 6.3

Supported Boolean Operators


Supported Boolean Operators
Operator

Description

$and$

Both of the sub-queries joined by this operator must be true.


In the following example, the condition is only met for new change requests with the
Standard workflow:
Ticket[Workflow = "Standard"] $and$ Ticket[Status = "new"]

$or$

One or both of the sub-queries pairs joined by this operator must be true.
In the following example, the condition is met for change requests that are new,
change requests owned by John Smith, and new change requests owned by John
Smith:
Ticket[Status = "new"] $or$ Ticket/Owner[RealName = "John
Smith"]

Comprehensive Example
The following XQL query specifies that one of the following must be true, in order for the condition to be
satisfied.

The change request's priority is greater than 7.


The requestor's email address includes the string "company.com".
The value of the custom field called "Project" is "Infrastructure".

Ticket[(Priority > 7)] $or$ Ticket/Requestor[EmailAddress =~ "company.com"] $or$


Ticket[Project = "Infrastructure"]

Adding Parallel Action Logic


By default, FireFlow allows you to specify whether an action will be performed in parallel to a second,
identical action.
If desired, you can add more logic for parallel actions. For example, you can add the following parallel
action logic:

50% of the responsible groups must meet certain criteria, in order to trigger this action.
The "Managers" user group must meet certain criteria in order to trigger this action.

To add parallel action logic


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory usr/share/fireflow/local/etc/site/lib/, open the file
ParallelLogic.pm.
3 For each parallel logic you want to configure, add the following lines to the file:
sub parallel_ logicName
{
my $additionalGroups = shift;

126

Chapter 11

Working with Workflows in VisualFlow

my $pendingGroups = shift;
}

Where logicName is the name of the parallel logic. This can be any string.
The function will receive the following parameters as input:
$additionalGroups - The additional responsible groups field after update
$pendingGroups - The pending responsible groups field after update
The function will return a Boolean value:
1 - The logic is satisfied, and the action will be triggered.
0 - The logic is not satisfied, and the action is still in parallel status.
4 Save the file.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Editing Actions
Editing an action will modify the action's default settings throughout all statuses in the workflow.

To edit an action

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
In the VisualFlow main menu, click Actions.
The Available actions page appears with a list of actions used in the workflow.
In the workflow layout, click on a status that uses the desired action as an inbound or outbound
action.
The Edit Status page appears with a list of inbound and outbound actions for the status.
4 Click Edit next to the desired action.
The Edit Action page appears.
5 Complete the fields using the information in Action Fields (page 101).
If you expanded the Advanced area, additional fields appear.
6 If you set the Parallel field to all, set the action's responsible groups by doing the following:
a) Click the Click here to set the action's responsible groups link.
The Responsible groups dialog box appears.
The Responsible group field displays the user group responsible for change requests in this status.
b) In the Additional responsible groups list, select the additional user groups responsible for change
requests in this status.
To select multiple user groups, press Ctrl while you click on the desired user groups.
c) Click OK.

127

AlgoSec FireFlow

Release 6.3

7 Click Save Draft.

Reordering Actions
You can control the order in which actions appear in a workflow's list of actions.

To reorder actions

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Actions.
The Available actions page appears.

4 In the list of actions, click


the list.

next to an action you want to move, and drag it to the desired location in

Deleting Actions
To delete an action

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
In the VisualFlow main menu, click Actions.
The Available actions page appears with a list of actions used in the workflow.
In the workflow layout, click on a status that uses the desired action as an inbound or outbound
action.
The Edit Status page appears with a list of inbound and outbound actions for the status.
4 Next to the desired action, click Delete.
A confirmation message appears.
5 Click OK.
The action is deleted from the list.

128

Chapter 11

Working with Workflows in VisualFlow

Working with SLAs


FireFlow enables you to configure a Service Level Agreement (SLA) per workflow. An SLA is a formal
definition of the logical workflow stages that comprise a change request's lifecycle and, optionally, the
amount of time allotted for completing each of these stages and the change request lifecycle as a whole.
Hence, a separate SLA must be defined for each workflow.
In an SLA, each of the workflow stages is represented by a Service Level Objectives (SLO). An SLO
specifies the following:

The stage's starting point, which is when the change request enters a certain status
The stage's ending point, which is when the change request leaves a certain status
The stage's name

FireFlow uses the information specified in an SLO to measure the amount of time spent on the relevant
stage; and once the change request has completed its lifecycle, FireFlow can use all of the SLA's SLOs
together to calculate the amount of time spent on the entire lifecycle.
FireFlow then uses the calculated SLA information to generate reports on change requests that meet certain
criteria (for example, change requests in which have spent more than a certain number of days in a particular
stage), and display those reports in searches, charts, and dashboards. For information on configuring SLA
notifications, see Working with SLA Notifications (on page 189).

Adding SLOs
To add an SLO to a workflow's SLA

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click SLA.

129

AlgoSec FireFlow

The Available SLA page appears with all of the SLOs comprising the workflow's SLA.

4 Click New SLO.

130

Release 6.3

Chapter 11

Working with Workflows in VisualFlow

The Edit SLO page appears.

5 Complete the fields using the information in SLO Fields (page 131).
6 Click Save Draft.
The new SLO is added to the workflow's SLA.
SLO Fields
In this field...

Do this...

Name

Type the name of the SLO.


This field is mandatory.

Enabled

Specify whether this SLO should be enabled, by choosing one of the following:
Yes. The SLO is enabled and will be used for SLA calculations.
No. The SLO is disabled. It will not be used for SLA calculations.
The default value is Yes.

Statuses

Select one or more statuses that represent the starting point for the workflow stage
represented by this SLO. To select multiple statuses, hold down the Ctrl key while
clicking on the desired statuses. The selected statuses are highlighted in the diagram at
the top of the workspace.
Alternatively, click Enable visual edit, and then click on the desired statuses in the
diagram at the top of the workspace. The selected statuses appear in green. When
finished, click Finish visual edit.

131

AlgoSec FireFlow

Release 6.3

Time limit

To configure a time limit for the workflow stage represented by this SLO, type in the
number of time units in the field provided, and select the type of time unit in the
drop-down list.

Expiration target status

Select the status to which the change request should transition, when the specified time
limit has been exceeded.
This field is only enabled, if you configured a time limit for the SLO.

Clear on revisit

Specify whether when re-visiting the SLO or one of its statuses, the time counter should
be reset to zero, by choosing one of the following:
Yes. Reset the time counter, then begin timing from zero.
No. Resume timing, without resetting the time counter.
The default value is No.

End trigger

Specify what event should trigger the end of the SLO, by choosing one of the following:
Change request leaves the status. End the SLO, when the change request leaves the
status.
Parallel action done by group. End the SLO, when a parallel action is performed by a
certain responsible group. You must select the desired responsible group in the
drop-down list provided.
This field appears only for SLOs that contain a status with a parallel action.

Editing SLOs
To edit an SLO in a workflow's SLA

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click SLA.
The Available SLA page appears with all of the SLOs comprising the workflow's SLA.
4 Next to the desired SLO, click Edit.
The Edit SLO page appears.
5 Complete the fields using the information in SLO Fields (page 131).
6 Click Save Draft.

Deleting SLOs
To delete an SLO from a workflow's SLA

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click SLA.
The Available SLA page appears with all of the SLOs comprising the workflow's SLA.
4 Next to the desired SLO, click Delete.

132

Chapter 11

Working with Workflows in VisualFlow

A confirmation message appears.


5 Click OK.
The SLO is deleted.

Reordering Workflows
You can control the order in which workflows appear in VisualFlow.

To reorder workflows

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.

2 In the list of workflows, click


location in the list.

next to a workflow you want to move, and drag it to the desired

Setting the Default Workflow


When FireFlow fails to assign a workflow based on a change requests template or workflow conditions, it
automatically uses the default workflow.
Only one workflow can be the set as the default workflow. By default, the Standard workflow is the default
workflow.

To set the default workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Set as default.
Click on the workflow's name.
The workflow is marked as the default workflow in the Default column.

Deleting Workflows
Note: You cannot delete built-in workflows. For a list of built-in workflows, see Overview (on page 71).
Important: If you delete a workflow, then any change requests that are assigned to that workflow will be
re-assigned to the default workflow the next time they are accessed. Furthermore, if their current status does
not exist in the default workflow, the change requests will transition to the "new" status.

To delete an existing workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Delete.
A confirmation message appears.
3 Click OK.
133

AlgoSec FireFlow

Release 6.3

The workflow is deleted.


A message at the top of the screen informs you that changes have been made to the workflows.

Viewing the Workflow XML


You can view changes to workflows, as they appear in the individual workflows' XML files and in the
workflow configuration file, Workflows_Config.xml.

Viewing Individual Workflows' XML Files


To view an individual workflow's XML file

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Click View XML.
The workflow's XML file opens in a new tab.
For information on structure of workflows' XML files, see Workflow File Structure (on page 148).

Viewing the Workflow Configuration File


To view the workflow configuration file

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Click View XML.
The workflow configuration file opens in a new tab.
For information on the structure of the workflow configuration file, see Workflow Configuration File
Structure (on page 144).

Installing Workflows
Installing workflows imports all workflow changes into FireFlow.

To install workflows
1 Do one of the following:
In the VisualFlow main menu, click Workflows.
The List of Workflows page appears.
In the VisualFlow main menu, click Workflow Installation.

134

Chapter 11

Working with Workflows in VisualFlow

The Workflow Installation page appears.

2 Click Install All Workflows.


A confirmation message appears.
3 Click OK.
A backup of the previous workflows configuration is saved to
/usr/share/fireflow/local/etc/site/backup/YYYY_MM_DD_hh-mm-ss, where
YYYY_MM_DD_hh-mm-ss is a timestamp. For example: 2011_01_21_10-30-00

All workflow changes are imported into FireFlow.


The message informing you that changes have been made to the workflows disappears.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).

Discarding Workflow Changes


You can discard all workflow changes that have not yet been installed. This will reload the XML workflow
files that are currently in use by FireFlow into VisualFlow.

To discard workflow changes

1 In the VisualFlow main menu, click Workflow Installation.


The Workflow Installation page appears.
A confirmation message appears.
2 Click OK.
3 Click Refresh Workflows.
All workflow changes are discarded.

135

AlgoSec FireFlow

Release 6.3

The message informing you that changes have been made to the workflows disappears.

Examples
Example: Removing the Notify Requestor Stage
The following comprehensive example describes how to modify a copy of the Standard workflow, so that
FireFlow does not wait for user acceptance after implementing change request.
Once implementation is complete, the Network user can simply resolve the change request (or re-implement
it, if an error was detected). Notification is only sent to the user upon the resolve action.

To configure this example


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Access VisualFlow.
See Accessing VisualFlow (on page 74).
3 Add a new workflow based on the Standard workflow.
See Adding Workflows (on page 78).
The workflow "Standard-Copy-#" is created, where # represents the copy's number.
4 Edit the new workflow as follows:
Set the Name field to the workflow's name. For example, "MyStandard".
Set the Configuration File field to workflow's configuration file. For example, "MyStandard".
Set the Default field to yes.
See Editing Workflows (on page 87).
5 Delete the workflow's "Notify Requestor" action.
See Deleting Actions (on page 128).
6 Edit the workflow's "Resolve" action as follows:
Set the Type field's to Reply to user, so that mail can be sent to the requestor.
Set the Mail content field to "Your request has been implemented. It will be closed now.".
See Editing Actions (on page 127).
7 Add a "resolve" outbound action to the workflow's "Validate" status as follows:
Set the Display action button field to Yes, so that the "Resolve" button will appear for change
requests in the "Validate" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
8 Install the workflow.
See Installing Workflows (on page 134).
9 Log in to the FireFlow server via SSH, using the username "root" and the related password.
10 Restart FireFlow.
See Restarting FireFlow (on page 11).

136

Chapter 11

Working with Workflows in VisualFlow

Example: Allowing the Network Group to Approve Change Requests


The following comprehensive example describes how to modify a copy of the Standard workflow, to allow
Network users to approve change requests.
After initial planning, the change request achieves the new status "pre-check". Network users can then
decide whether to approve the change request, not approve it, or send it to a Security user.

To configure this example


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Access VisualFlow.
See Accessing VisualFlow (on page 74).
3 Add a new workflow based on the Standard workflow.
See Adding Workflows (on page 78).
The workflow "Standard-Copy-#" is created, where # represents the copy's number.
4 Edit the new workflow as follows:
Set the Name field to the workflow's name. For example, "MyStandard".
Set the Configuration File field to workflow's configuration file. For example, "MyStandard".
Set the Default field to yes.
See Editing Workflows (on page 87).
5 Add a new status to the workflow as follows:
Set the Name field to "pre-check".
Set the Stage field to approve.
Set the Responsible group field to Network.
Set the Allow editing traffic fields field to yes.
Set the Stage still incomplete field to yes.
See Adding Statuses (on page 87).
6 Reorder the statuses so that the new "pre-check" status appears immediately before the "approve" status.
See Reordering Statuses (on page 94).
7 Add a new action to the workflow as follows:
Set the Name field to "send_to_security".
Set the Type field to Change status.
Set the Display Name field to "Send to Security".
Set the Target status field to approve.
Set the Required action right field to UserDefinedRight01.
Set the Applies to change requests of type field to Parent and Regular.
Set the Traffic fields required field to yes.
See Adding Actions (on page 95).
8 Reorder the actions so that the new "Send to Security" action appears immediately after the "Risk
Check" action.
See Reordering Actions (on page 128).

137

AlgoSec FireFlow

Release 6.3

9 Edit the "Initial Plan" action to transition the change request to the new "pre-check" status as follows:
Set the Target status field to pre-check.
See Editing Actions (on page 127).
10 Edit the "Risk Check" action to transition the change request to the new "pre-check" status as follows:
Set the Target status field to pre-check.
See Editing Actions (on page 127).
11 Add a "risk_check" outbound action to the "pre-check" status as follows:
Set the Display action button when field is empty field to Request Risk Check Result, so that the "Risk
Check" button will appear for change requests in the "pre-check" stage when this field is empty.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
12 Add a "send_to_security" outbound action to the "pre-check" status as follows:
Set the Display action button field to Yes, so that the "Send to Security" button will appear for change
requests in the "pre-check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
13 Add an "approve" outbound action to the "pre-check" status as follows:
Set the Display action button field to Yes, so that the "Approve" button will appear for change
requests in the "pre-check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
14 Add a "re_plan" outbound action to the "pre-check" status as follows:
Set the Display Name field to "Not Approve", so that this button's name will appear for change
requests in the "pre-check" stage.
Set the Display action button field to Yes, so that the "Not Approve" button will appear for change
requests in the "pre-check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "pre-check" stage.
Set the Mail content field to "Your request has not been approved and needs to be re-planned", so that
this text will appear in emails sent to the requestor for change requests in "pre-check" stage.
See Adding Actions (on page 95).
15 Add a "re_implement" outbound action to the "pre-check" status as follows:
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "pre-check" stage.
See Adding Actions (on page 95).
16 Delete the "Risk Check" outbound action from the "approve" status, so that the risk check button will
not appear for change requests in "Approve" stage.
See Deleting Actions (on page 128).
138

Chapter 11

Working with Workflows in VisualFlow

17 Assign the UserDefinedRight01 global right to the Network user group.


See Configuring a Group's Global and Queue Rights (on page 35).
Members of the Network group can now perform the "Send to Security" action.
18 Install the workflow.
See Installing Workflows (on page 134).
19 Log in to the FireFlow server via SSH, using the username "root" and the related password.
20 Restart FireFlow.
See Restarting FireFlow (on page 11).

Example: Adding Another Approve Stage


The following comprehensive example describes how to modify a copy of the Standard workflow, by
adding a second Approve stage to the lifecycle.
A new status, "second check", will be achieved after the first approve action. The second approve must then
be performed by the new "High Level Security" user group.

To configure this example


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Add a user group as follows:
Set the Name field to "High Level Security".
Set the Description field to "High Level Security".
Set the Copy Group Rights and Home Page Settings from group field to Security.
See Adding User Groups (on page 29).
3 Access VisualFlow.
See Accessing VisualFlow (on page 74).
4 Add a new workflow based on the Standard workflow.
See Adding Workflows (on page 78).
The workflow "Standard-Copy-#" is created, where # represents the copy's number.
5 Edit the new workflow as follows:
Set the Name field to the workflow's name. For example, "MyStandard".
Set the Configuration File field to workflow's configuration file. For example, "MyStandard".
Set the Default field to yes.
See Editing Workflows (on page 87).
6 Add a new status for the workflow as follows:
Set the Name field to "second check".
Set the Stage field to approve.
Set the Responsible group field to High Level Security.
Set the Allow editing traffic fields field to yes.
Set the Stage still incomplete field to yes.
See Adding Statuses (on page 87).

139

AlgoSec FireFlow

Release 6.3

7 Reorder the statuses so that the new "second check" status appears immediately after the "approve"
status.
See Reordering Statuses (on page 94).
8 Add an "approve" outbound action to the "second check" status as follows:
Set the Display action button field to Yes, so that the "Approve" button will appear for change
requests in the "second check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
9 Add a "re-plan" outbound action to the "second check" status as follows:
Set the Display Name field to "Reject", so that this button's name will appear for change requests in
the "second check" stage.
Set the Display action button field to Yes, so that the "Reject" button will appear for change requests
in the "second check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "second check" stage.
Set the Mail content field to "Your request has been rejected and needs to be re-planned", so that this
text will appear in emails sent to the requestor for change requests in "second check" stage.
See Adding Actions (on page 95).
10 Add a "re-implement" outbound action to the "second check" status as follows:
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "second check" stage.
See Adding Actions (on page 95).
11 Add a new action to the workflow as follows:
Set the Name field to "first_approve".
Set the Type field to Internal comment.
Set the Display Name field to "First Approve".
Set the Target status field to second check.
Set the Required action right field to UserDefinedRight02.
Set the Applies to change requests of type field to Parent and Regular.
Set the Traffic fields required field to yes.
See Adding Actions (on page 95).
12 Reorder the workflow's actions, so that the new "First Approve" action immediately after the "Risk
Check" action.
See Reordering Actions (on page 128).
13 Edit the "Approve" action as follows:
Set the Display Name field to "Final Approve".
See Editing Actions (on page 127).
14 Add a "first_approve" outbound action to the "approve" status as follows:

140

Chapter 11

Working with Workflows in VisualFlow

Set the Display action button field to Yes, so that the "First Approve" button will appear for change
requests in the "approve" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
Delete the "Final Approve" outbound action from the approve status.
See Deleting Actions (on page 128).
Assign the UserDefinedRight02 global right to the Security user group.
See Configuring a Group's Global and Queue Rights (on page 35).
Members of the Security group can now perform the "First Approve" action.
Install the workflow.
See Installing Workflows (on page 134).
Log in to the FireFlow server via SSH, using the username "root" and the related password.
Restart FireFlow.
See Restarting FireFlow (on page 11).

15
16

17
18
19

141

CHAPTER 12

Working with Workflows via XML


This section explains how to add, edit, and delete workflows by working directly with the workflow XML
files. It also explains how to modify the set of conditions determining when each workflow should be
assigned.
Warning: Working directly with workflow XML files is not recommended, as manual changes to the files
may be overwritten by VisualFlow if not performed correctly. VisualFlow is the recommended method of
working with workflows. For information on using VisualFlow, see Working with Workflows in
VisualFlow (on page 71).
For an overview of how FireFlow uses workflows and for information about built-in workflows, see
Overview (on page 71).

In This Chapter
Editing the Workflow Configuration File .......................... 143
Adding Workflows ............................................................. 146
Modifying Workflows ........................................................ 164
Disabling Workflows ......................................................... 165
Deleting Workflows ........................................................... 165
Reverting to the System Default Workflow via XML ....... 166

Editing the Workflow Configuration File


The workflow configuration file, Workflows_Config.xml, determines the following:

Which workflow should be assigned by default, when FireFlow fails to assign a workflow based on the
conditions
Whether a given workflow is enabled in FireFlow
The conditions in which a workflow should be assigned, when the change request's template does not
specify a workflow

To edit the workflow configuration file


1 Under the directory /usr/share/fireflow/local/etc/, locate the file
Workflows_Config.xml.
Note: This is the original system settings file, and it is required for reverting to system default settings.
Do not modify this file.
2 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original
file into an override file that is also called Workflows_Config.xml.
3 Open the override file.
4 Modify the workflow tags as desired.
See Workflow Tag Attributes (on page 144) for information on the workflow tag attributes.

143

AlgoSec FireFlow

Release 6.3

5 Add or modify condition tags to specify the conditions in which a workflow should be assigned, in
the event that the change request's template does not specify a workflow.
See Condition Tag Syntax (on page 145) for information on the condition tag's syntax.
6 Save the override file.
7 Restart FireFlow.
See Restarting FireFlow (on page 11).

Workflow Configuration File Structure


The workflow configuration file has an XML structure that is defined by XML schema file
Workflows_Config.xsd, located under /usr/share/fireflow/local/etc/. The main structure of
the workflow configuration file is:
<WorkflowsConfig>
<workflows>
<!-- each workflow tag defines a workflow that can be assigned to change
requests -->
<workflow name="workflow_name_here">
<!-- the condition tag defines the condition for assigning the workflow
to change requests -->
<condition><![CDATA[condition_here]]></condition>
</workflow>
</workflows>
</WorkflowsConfig>

Workflow Tag Attributes


Each workflow tag in the XML file defines a workflow that can be assigned to change requests. The
following table explains each workflow tag attribute.
Workflow Tag Attributes
Name

Description

Possible Values

Permitted Change

name

The name of the workflow as it


should appear in the FireFlow
interface.
This attribute is mandatory.

Any short phrase

Any

description

A description of the workflow.


Any short phrase
Appears in the FireFlow
interface, in change requests that
are assigned to this workflow.
This attribute is mandatory.

Any

144

Chapter 12

Working with Workflows via XML

filename_prefix

The name of the workflow file


associated with this workflow,
without the file suffix.
This attribute is mandatory.

The workflow file name,


without the "_Config.xml" file
suffix.
For example, when working
with the the Standard workflow,
the associated workflow file is
Standard_Config.xml.
Therefore, this attribute's value
should be "Standard".

There is no reason to
change this attribute. If
you do change it, then you
must ensure consistency
throughout the XML file.

default

Indicates whether the workflow


should be assigned by default,
when FireFlow fails to assign a
workflow based on the
conditions.
This attribute must be used in
exactly one workflow tag. By
default, it is used in the Standard
workflow's workflow tag.

This can be one of the


following:
1. This is the default
workflow.
0. This is not the default
workflow.

Any

enabled

Indicates whether the workflow


is enabled.
This attribute is optional.

Any
This can be one of the
following:
1. The workflow is enabled.
0. The workflow is
disabled.
The default value is 1.

Condition Tag Syntax


The condition tag in the XML file defines the condition under which the workflow specified in the parent
workflow tag should be assigned to change requests. The condition tag's syntax is as follows:
<condition><![CDATA[condition]]></condition>

Where condition is a query specifying the desired condition. This query is composed of pairs in the
following format:
field = 'value'

Where field is a supported field in FireFlow, and value is the field's value. For information on supported
fields, see Supported Fields (on page 81). For example, the following query specifies that the change
request status must be "new":
Status = 'new'

You can use != to indicate "not". For example, the following query specified that the change request must
not be "new":
Status != 'new'

It is possible to use Boolean operators between field-value pairs. For a list of supported operators, see
Supported Boolean Operators (on page 86). For example, the following query specifies that the change
request status must be "new", and the owner must be John Smith:
Status = 'new' AND Owner = 'John Smith'

145

AlgoSec FireFlow

Release 6.3

For more intricate queries, you can use parentheses to group field-value pairs and operators. For example,
the following query specifies that the change request status must be "new" or "plan", and the owner must be
John Smith or Sue Michaels.
(Status = 'new' OR Status = 'plan') AND (Owner = 'John Smith' OR Owner = 'Sue
Michaels')

Comprehensive Example
In the following example, the Special workflow will be assigned when the change request's template does
not specify a workflow, and one of the following conditions are met:

The change request's priority is greater than 7.


The requestor's email address includes the string "company.com".
The value of the custom field called "Project" is "Infrastructure".

<workflow name="Special" description="Tickets requiring special treatment"


filename_prefix="Special" enabled="1" >
<condition><![CDATA[(Priority > 7) OR (Requestor.EmailAddress LIKE
'company.com') OR ('CF.{Project}' = 'Infrastructure')]]></condition>
</workflow>

Adding Workflows
To add a custom workflow
1 Log in to the FireFlow server using the username "root" and the related password.
2 Create the custom workflow, by doing the following:
a) Under the directory /usr/share/fireflow/local/etc/site/Workflows/, create a new
XML file with the required structure.
See Workflow File Structure (on page 148).
b) Add actions and statuses to the change request lifecycle.
See Action Tag Attributes (on page 149) and Status Tag Attributes (on page 160) for information
on the relevant tag attributes.
c) Save the file.
3 Add the custom workflow to the workflow configuration file, by doing the following:
a) Under the directory /usr/share/fireflow/local/etc/, locate the file
Workflows_Config.xml.
Note: This is the original system settings file, and it is required for reverting to system default
settings. Do not modify this file.
b) Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the
original file into an override file that is also called Workflows_Config.xml.
c) Open the override file.
d) Add a workflow tag for the new workflow.

146

Chapter 12

Working with Workflows via XML

See Workflow Tag Attributes (on page 144) for information on the relevant tag attributes.
e) Save the override file.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).
5 Specify when the custom workflow should be used, by doing one or more of the following:
To assign change requests to the new workflow when a specific template is used, do one of the
following:
Modify an existing template to specify the new workflow.
Add a new template that specifies the new workflow.
For information on working with templates, refer to the AlgoSec FireFlow User Guide, Managing
Request Templates.
To assign change requests to the new workflow based on the workflow conditions, edit the
workflow configuration file and specify the conditions in which the workflow should be used.
See Editing the Workflow Configuration File (on page 143).

147

AlgoSec FireFlow

Release 6.3

Workflow File Structure


Workflow files have an XML structure that is defined by XML schema file
TicketLifeCycle_Config.xsd located under /usr/share/fireflow/local/etc/Workflows/.
The main structure of workflow files is:
<TicketStatusConfig>
<actions>
<!-- each action tag defines a global action that can be performed on the
change request -->
</actions>
<statuses>
<status name="status_name_here">
<actions>
<!-- each action tag defines the way in which the global actions
default behavior is overridden when the change request has this status -->
</actions>
</status>
<!-- more status values -->
</statuses>
<conditions>
<!-- each condition tag defines a condition for the change request to
transition to a particular status, when an action is performed -->
<condition conditionKey="unique_key_here"
GoToStatus="target_status_here" msgToUser="message_to_user_here">
<check><![CDATA[XQL_query]]></check>
</condition>
<!-- more conditions -->
</conditions>
</TicketStatusConfig>

148

Chapter 12

Working with Workflows via XML

Action Tag Attributes


Each action tag in the XML file configures an action's behavior. The following table explains each
action tag attribute.
Action Tag Attributes
Name

Description

Possible Values

title

The name of the action as it


Any short phrase
appears in the FireFlow interface.
This attribute is mandatory.

Any

type

The action's type, which


describes what it does.
This attribute is mandatory.

Actions of the
internal_comment
type can be changed to the
reply_to_user or
change_status type
and vice versa.
No other changes are
permitted to pre-defined
actions.

This can be one of the


following:
change_status. Changes the
status of the change request
internal_comment. Adds a
comment to the change
request that is hidden from
the requestor.
reply_to_user. Adds a
comment to the change
request that is seen by the
requestor. Includes sending
an email to the requestor.
initial_plan. Performs initial
planning. Relevant only for
traffic change requests.
risk_check. Performs a risk
check. Relevant only for
traffic change requests.
implementation_plan.
Creates a work order.
manual_reconcile. Opens a
dialog box that allows a
user to manually match the
change request with a
change record. Relevant
only for traffic change
requests.
no_change_record. Opens a
dialog box that allows a
user to manually match the
change request, while
specifying that there is no
associated change record.
Relevant only for traffic
change requests.
change_validation.
Performs validation of a
traffic change request.

Permitted Change

149

AlgoSec FireFlow

Release 6.3

150

Relevant only for traffic


change requests.
object_change_validation.
Performs validation of an
object change request.
Relevant only for object
change requests.
affected_rules. Finds
affected rules for an object
change request. Relevant
only for object change
requests.
review_work_order. Enables
a user to view an existing
work order and edit it.
Relevant controls will
appear in UI only for Check
Point devices. Relevant
only for traffic change
requests.
active_change. Enables a
user to implement planned
changes via ActiveChange.
Relevant controls will
appear in UI only for Check
Point devices using
OPSEC. Relevant only for
traffic change requests.
modify_custom_field.
Allows a user to modify a
specific custom field.
take_ownership. Assigns
the user ownership of a
change request.
assign. Allows a user to
assign ownership of a
change request to another
user.
organize. Enables the user
to choose an organization
methodology. Relevant on
for Blue Coat-related
requests.
related_tickets. Enables the
user to search for change
requests whose traffic
intersects that of the rule
selected for
removal/disablement.
Relevant only for rule
removal and recertification
requests.
notify_requestors. Enables

Chapter 12

Working with Workflows via XML

the user to notify the


requestors of related change
requests that the rule is
slated for
removal/disablement.
Relevant only for rule
removal and recertification
requests.
view_correspondence.
Enables the user to view
responses received from
requestors. Relevant only
for rule removal and
recertification requests.
rule_removal_validation.
Enables the user to validate
the implemented rule
removal/disablement
against the change request.
Relevant only for rule
removal requests.
recertification_validation.
Enables the user to
Relevant only for
recertification requests.
plan_removal. Enables the
user to plan the removal of
Allow traffic. Relevant only
for recertification requests.
recertify. Enables the user to
recertify a request. Relevant
only for traffic requests.

enabled

Indicates whether this action is


This can be one of the
enabled in the FireFlow interface. following:
true
1
false
0
The default value is true.

Any

key

A unique key value for the


A short alpha-numeric string
action. Used when the action's
that is unique to the XML file
behavior is to be overridden for a
specific status.
This attribute is mandatory.

There is no reason to
change this attribute. If
you do change it, then you
must ensure consistency
throughout the XML file.

category

The action's category.


You can create categories and
assign similar actions to them.

Any

Any string

151

AlgoSec FireFlow

Release 6.3

transition_to_status The new status that the change


Any status name as defined in
request will transition to when
the <statuses> node
the action is performed.
This attribute can be used to
remove statuses from the
lifecycle. It is also important
when adding statuses in the
middle of the lifecycle (see the
example in Example: Adding
Another Approve Stage).
If the
transition_to_conditio
n attribute is set, then this
attribute represents the status that
the change request will transition
to if all conditions in
transition_to_conditio
n are false.
This attribute is mandatory.

Change is permitted with


the following limitations:
Do not remove the
following statuses
from the lifecycle:
new, open, resolved,
rejected, deleted.
Do not change this
value so that the status
order is switched.
For example, the
change request must
not transition from
"new" to "implement"
to "check".

ticket_member_typ The types of change requests for This can be one or more of the There is no reason to
change this attribute.
e
which the action is relevant, and following:
for which the action should
Regular. The action is
appear.
relevant to regular change
This attribute is optional.
requests.
A regular change request is
relevant to only one device.
Parent. The action is
relevant to parent requests.
A parent request is relevant
to multiple devices and has
a sub-request for each
device.
SubTicket. The action is
relevant to sub-requests. A
sub-request is relevant to
one device, out of the
multiple devices that are
relevant to its parent
request.
The default value is no value, in
which case the action will be
relevant to all change request
types.
Multiple values must be
separated by commas.
Relevant only for traffic change
requests. (Object change
requests do not have
sub-requests.)
recommend

152

Indicates whether the action is


This can be one of the
"recommended". Recommended following:

Any

Chapter 12
actions are available via an
explicit button next to the Other
drop-down list.
This attribute is optional.

Working with Workflows via XML

true
1
false
0

The default value is false.


recommend_if_cus Indicates that the action should
tom_field_empty
be "recommended" (see
recommend) only if a specific
change request field is empty.
This attribute is optional.

The name of a change request


Any
field.
Popular fields that may be used
are:
Request Risk Check Result.
The risk check's output
Firewall Name. The name of
the device assigned to the
change request
CMS ticket id. The ID of an
external Change
Management System (if
applicable)
Expires. The change
request's expiration date
For additional fields, contact
AlgoSec.
The default value is no value.

recommend_if_cus Indicates that the action should


tom_field_true
be available via an explicit button
next to the Other drop-down list,
only if a specific custom field's
value is true.
This is useful for actions that are
restricted to certain devices
types. For example, editing a
work order can only be done for
Check Point devices; therefore,
this action should only be
available if a custom field called
Is Work Order Editable is set to
"true". (FireFlow automatically
sets it to "true" only for Check
Point devices.)
This attribute is optional.

The name of a custom field.


Any
Popular fields that may be used
are:
Is Work Order Editable.
Indicates whether the work
order can be edited.
Is Active Change Applicable.
Indicates whether
ActiveChange is relevant
The default value is no value.

recommend_if_cur Indicates whether the action


rent_user_is_not_o should be available via an
wner
explicit button next to the Other
drop-down list, only if the current
user is not the change request's
owner.

This can be one of the


following:
true
1
false
0
The default value is false.

Any

153

AlgoSec FireFlow

recommend_if_tick Indicates whether the action


et_belongs_to_no_ should be available via an
one
explicit button next to the Other
drop-down list only if the change
request is not assigned to a user.

Release 6.3

This can be one of the


following:
true
1
false
0

Any

The default value is false.


hide_from_actions Indicates that the action should
_menu_if_not_reco not appear in the Other
mmended
drop-down list, if it is not
available via an explicit button
next to the Other drop-down list.

This can be one of the


following:
true
1
false
0

Any

The default value is false.


need_user_confirm Indicates whether a confirmation
message should appear when a
user performs the action.
This attribute is optional.

This can be one of the


following:
true
1
false
0

Any

The default value is false.


user_confirm_mess The confirmation message that
age
should appear when the user that
performs the action, if the
need_user_confirm attribute is
set to true.
This attribute is optional.

154

Any text.
Any
The default confirmation
message is:
Are you sure you want
to <TITLE>?
Where <TITLE> is the title of
the action.

Chapter 12

Working with Workflows via XML

require_login_with Indicates whether a valid


_valid_license
FireFlow license and a user that
was defined in AlgoSec Firewall
Analyzer is required, in order for
the action to appear in the Other
drop-down list.
Note: This is a cosmetic issue
only. Actions that involve
FireFlow Analytics will not
succeed if there is no valid
license or if the user logged in
was not defined in AlgoSec
Firewall Analyzer.
This attribute is optional.

This can be one of the


following:
true
1
false
0

require_ticket_righ Indicates whether the user must


t
be granted a specific right, in
order for the action to appear in
the Other drop-down list.
Note: This is not just a cosmetic
issue. Actions that require the
user to have a specific right will
not appear in the UI if the user
does not have the right.
Furthermore, even if they did
appear, they would not succeed,
unless the user had the right.
This attribute is optional.

There is no reason to
The name of a global right.
Popular rights that may be used change this attribute.
are:
AllowActiveChange
AllowAffectedRules
AllowApprove
AllowChangeValidation
AllowDeleteTicket
AllowImplementationDone
AllowImplementationPlan
AllowInitialPlan
AllowManualCheck
AllowNotifyRequestor
AllowObjectChangeValidat
ion
AllowReImplement
AllowRePlan
AllowReject
AllowRequestorResponse
AllowResolve
AllowReview
AllowRiskCheck
ModifyChanges
ModifyReconciliation
UserDefinedRight01
UserDefinedRight02
UserDefinedRight03
UserDefinedRight04
UserDefinedRight05
UserDefinedRight06
UserDefinedRight07
UserDefinedRight08
UserDefinedRight09

There is no reason to
change this attribute.

The default value is false.

155

AlgoSec FireFlow

Release 6.3
UserDefinedRight10
For additional rights, contact
AlgoSec.
The default value is no value.

goto_homepage

Indicates whether the user should


be re-directed to the Home page
after executing the action.
This attribute is optional.

This can be one of the


following:
true
1
false
0

Any

The default value is false.


goto_homepage_pr Indicates whether after the action
int_sub_tickets
is performed on a parent request,
the user should be redirected to
the Home page, which displays a
list of the parent request's
sub-requests.
This attribute is relevant only for
actions of the type
change_status,
reply_to_user and
internal_comment.
This attribute is optional.

This can be one of the


following:
true
1
false
0

goto_parent

Indicates whether after the action


is performed on a sub-request,
the user should be redirected to
the parent request.
This attribute is relevant only for
actions of the type
change_status,
reply_to_user and
internal_comment.
This attribute is optional.

This can be one of the


following:
true
1
false
0

mandatory_fields_r Indicates whether certain change


equired
request fields are mandatory, in
which case if the fields are not
filled in when the action is
performed, a message will appear
prompting the user the fill them
in.
The fields in question are:
Source
Destination
Service
Action
Firewall
This attribute is optional.

This can be one of the


following:
true
1
false
0

156

There is no reason to
change this attribute.

The default value is false.

There is no reason to
change this attribute.

The default value is false.

The default value is false.

Any

Chapter 12

mail_content

The default text that will appear Any text


in the main message box when
The default value is no value.
commenting on a change request
or replying to the user.
This attribute is relevant only for
actions of the type
reply_to_user and
internal_comment.
This attribute is optional.

transition_to_matc
h_status

Indicates whether after the action


is performed, the change
request's "match status" should
be set to a specific value, and the
change request should be
displayed in the Auto Matching
page.
This attribute is relevant only for
actions of the type
change_status,
reply_to_user and
internal_comment.
This attribute is optional.

VisualFlow_visible Indicates whether the action


should be displayed in the
workflow layout, when viewing a
workflow.
Note: When viewing a status for
which this action is an outbound
action, the action will be
displayed in the workflow layout,
regardless of this attribute's
value.
This attribute is optional.

Working with Workflows via XML

Any

This can be set to the following There is no reason to


values:
change this attribute.
new
recheck
perfect match
id match
change is wider than
ticket
partially
implemented
pending
approved no change
unable to match
manually matched
already works
The default value is no value.
This can be one of the
following:
true
1
false
0

Any

The default value is false.

modify_custom_fie The message that should appear Any string.


ld_title
when this action is performed,
instructing the user to complete
the custom field specified in the
custom_field_name
attribute.
This attribute is relevant only for
actions of the type
modify_custom_field.

Any

157

AlgoSec FireFlow

Release 6.3

custom_field_name If the action requires a custom


Any custom field's name.
field's value as input, this
attribute indicates the custom
field's name.
This attribute is relevant only for
actions of the type
modify_custom_field.

Any

allow_unprivileged Indicates whether unprivileged


_users
users should be allowed to
perform this action.
This attribute is relevant only for
actions of the type
change_status,
reply_to_user, and
internal_comment.
This attribute is optional.

This can be one of the


following:
true
1
false
0

Any

transition_to_condi The unique IDs of one or more


tion
conditions, under which change
requests should transition to a
particular status, when this action
is performed.
When multiple condition IDs are
specified, FireFlow will check
the conditions in order listed in
this attribute. When FireFlow
encounters a condition that is
true, it will stop checking any
additional conditions and
transition the change request to
the relevant status.

The conditionKey
attributes of one or more
conditions.
Multiple attributes must be
separated by commas (,).

158

The default value is false.

Any

Chapter 12

Working with Workflows via XML

In the following example, the action "Initial Plan" is of the type "initial_plan" (that is, it performs initial
planning). This action will appear in the FireFlow interface only if a valid FireFlow license exists, only for
regular and parent requests, and only for users that have been granted the right AllowInitialPlan.
Executing this action changes the change request status to "check".
<action title="Initial Plan"
type="initial_plan"
key="initial_plan"
transition_to_status="check"
require_login_with_valid_license="true"
require_ticket_right="AllowInitialPlan"
ticket_member_type="Parent,Regular" />

In the following example, the action "Re-Plan" is of the type "reply_to_user" (that is, it comments on the
change request and sends an email to the user). The default email text is "Your request needs to be
re-planned". When this action is executed, a confirmation message will appear prompting the user to
approve the change request before continuing. The change request's status changes to "open", which appears
as "plan" in the FireFlow interface. This action will appear only for regular and parent requests, and only for
users that have been granted the right AllowRePlan.
<action title="Re-Plan"
type="reply_to_user"
key="re_plan"
transition_to_status="open"
need_user_confirm="true"
mail_content="Your request needs to be re-planned"
require_ticket_right="AllowRePlan"
ticket_member_type="Parent,Regular" />

Note: The following pre-defined actions are always available in the Other drop-down list and can always be
performed on a change request, regardless of the changes made to the lifecycle:
Comment, Reply - appear at the beginning of the list
Duplicate, Save As Template - appear at the end of the list
Additional actions defined in the XML file appear between these two sets of actions in the Other drop-down
list.

159

AlgoSec FireFlow

Release 6.3

Status Tag Attributes


Each status tag in the XML file determines the change request's behavior when the change request is in
the status. The following table explains each status tag attribute.
Status Tag Attributes
Name

Description

Possible Values

Permitted Change

name

The name of the status as it


Up to 50 characters of Latin
appears in the FireFlow interface. character set. Spaces are allowed.
This is also a unique key.
Note: The status "open" appears
in the UI as "plan".
The status "reconcile" appears in
the UI as pending match.
The status "reconciled" appears
in the UI as "matched".
The status "check" appears in the
UI as "approve".
The status "implementation plan|
appears in the UI as "create work
order".
This attribute is mandatory.

enabled

Indicates whether this status is


This can be one of the following: Any
enabled in the FireFlow interface. true
1
false
0

Change is permitted with the


following limitations:
Do not rename the
following statuses:
new, open, resolved,
rejected, deleted
Renaming the following
statuses requires
additional configuration
changes in the database
and/or
FireFlow_SiteConf
ig.pm file:
approved, implementation
plan, reconcile, reconciled.
Contact AlgoSec for
assistance.

The default value is true.


responsible

160

The single user group responsible Any user group name


for change requests in this status.
Note: Usually, this group is
configured to see these change
requests in its Home page (see
Customizing the Home Page per
Group (on page 18)).
When an action is performed on
the change request, and the action
transitions the change request to
a new status for which the change
request owner is not responsible,
the change request is re-assigned
to the default assignee of the new
statuss responsible group, and
the current user is re-directed to
their Home page.
This attribute is mandatory.

Any

Chapter 12

Working with Workflows via XML

additional_res Additional user groups


ponsibles
responsible for change requests
in this status.
This attribute is optional.

A comma-separated list of
responsible groups

image

This can be one of the following: There is no reason to change


this attribute.
new
open
check
implement
validate
reconcile
resolved
rejected
deleted

The name of the image used in


the lifecycle diagram at the top of
the change request page.
This attribute is mandatory.

image_not_co The lifecycle diagram uses


nsidered_visit variations of each image to
ed
indicate whether the change
request is currently in the status,
has previously been there
("visited"), or neither.
This attribute controls whether a
change request that has
previously been to this status
(and is currently not in this
status), is considered to have
"visited" this status or not.
Note: This attribute controls the
lifecycle images only.
This attribute is optional.
allow_to_pla
n_change

incoming_cor
respondence_
transition_to_
status

Indicates whether it is possible to


plan the change when a change
request is in this status.
Planning the change involves
modifying any of the following
fields:
Source
Destination
Service
Action
NAT
This attribute is optional.

Any

This can be one of the following: There is no reason to change


this attribute.
true
1
false
0
The default value is false.

This can be one of the following:


true
1
false
0

Any
Important: Initial planning will
not succeed if the change
request's current status is
configured to have this
attribute set to false.

The default value is false.

Indicates whether to change the Any status name defined in the


change request status to a
<statuses> node.
specific status, when incoming
The default value is no value.
correspondence from the change
requests unprivileged requestor
to the change request occurs.
If this attribute is not set, then the

Any

161

AlgoSec FireFlow

Release 6.3

change request status will not


change upon incoming
correspondence.
This attribute is optional.
final

Indicates whether a change


request in this status is
considered "closed".
This mainly affects the
Open/Closed change request list
in the FireFlow requestor
interface.
This attribute is optional.

show_in_wait Indicates whether a change


ing_tab
request should appear in the
Change Requests Awaiting
Response page for unprivileged
users.

This can be one of the following: There is no reason to change


this attribute.
true
1
false
0
The default value is false.

This can be one of the following: Any


true
1
false
0
The default value is false.

status_after_n The status to which the change


Any status name defined in the
ew
request should transition after it <statuses> node.
has been assigned an owner.
The default value is open.
This attribute is only relevant for
only"new" status.

162

There is no reason to change


this attribute.

Chapter 12

Working with Workflows via XML

In addition, a status can have a nested <actions> tag that overrides global action attributes, when the
change request is in the status.
In the following example, the status "new" is assigned the "new" lifecycle image. The Network user group is
responsible for this status. While the change request is in this status, modification of traffic fields is allowed.
Also note that there is an action override: When the change request is in this status, the initial planning
action (identified using the key initial_plan which is equal to the key in the main <actions> node) is
recommended.
<status name="new" image="new" responsible="Network"
allow_to_plan_change="true">
<actions>
<action key=1348 recommend="true"/>
<!-- more actions here -->
</actions>
</status>

Note: Most illegal changes to the XML file will cause the whole file to not be read. In this case, only the
default actions (comment, duplicate, etc.) will be available, and the FireFlow log file
/usr/share/fireflow/var/log/fireflow.log will describe the problem. Also, logging in as a
privileged user will cause the log snippet to be displayed onscreen in a warning message. Other local illegal
changes are detected only upon executing the specific action that contains the illegal change. In this case,
too, the FireFlow log file will explain the problem, once the action is attempted.
Note: Some changes that are listed in the preceding table as not permitted will not be detected by
FireFlow. They will simply cause erratic undocumented behavior by the system.

Condition Tag Attributes and Syntax


If an action tag's transition_to_condition attribute is set, then change requests will transition to a
particular status when the action is performed, provided certain conditions are met. The condition tag
defines the required conditions, as well as the status to which change requests should transition.
The following table explains each condition tag attribute.
Condition Tag Attributes
Name
GoToStatus

Description
Possible Values
The new status that the change
Any existing status name
request should transition to when
the action is performed, if the
condition(s) in the condition
attribute are met.

Permitted Change
Any

conditionKey

The condition's unique ID.

Any

Any string.
Cannot contain a comma ","

163

AlgoSec FireFlow

msgToUser

Release 6.3

The message that should appear


onscreen when transitioning to
the new status.

Any string.

Any

In addition to these attributes, every condition tag must contain one check sub-tag. The sub-tag's syntax
is as follows:
<check><![CDATA[query]]></check>

Where query is an XQL query specifying the desired condition's requirements. For information on the
required query syntax, see Action Condition Syntax (on page 105).
In the following example, when the RiskCheck action is performed, FireFlow will check the noRisks
condition first. If the number of risks equals zero, then FireFlow will transition the change request to the
"create work order" status (called "implementation plan" in the XML). It will not check the
priorityLessThan7 condition.
However, if the number of risks is different than zero, FireFlow will check the priorityLessThan7 condition.
If the change request priority is less than 7, FireFlow will transition the change request to "review" status. If
the change request priority is not less than 7, FireFlow will transition the change request to "approve" status
(called "check" in the XML).
<action title="RiskCheck" ...
transition_to_condition="noRisks,priorityLessThan7" transition_to_status="check"/>
<condition conditionKey="noRisks" GoToStatus="implementation plan" msgToUser="OK
to implement">
<check><![CDATA[Ticket[RisksNumber = "0"]]]></check>
</condition>
<condition conditionKey="priorityLessThan7" GoToStatus="review" msgToUser=Need
to be reviewed>
<check><![CDATA[Ticket[Priority < 7]]]></check>
</condition>

Modifying Workflows
FireFlow does not allow overriding the following built-in workflows, which are located in the directory
/usr/share/fireflow/local/etc/Workflows/:

164

Standard_Config.xml
Change-Object_Config.xml
Multi-Approval_Config.xml
Non-Firewall_Config.xml
Parallel-Approval_Config.xml
Request-Recertification_Config.xml
Rule-Removal_Config.xml
Standard-With-SLA_Config.xml

Chapter 12

Working with Workflows via XML

Web-Filter_Config.xml

These workflows can only be disabled. See Disabling Workflows (on page 165).
If you want to modify a built-in workflow, copy it under a different name, then modify the newly named
workflow and disable the built-in one.
The following procedure can be used to modify custom workflows.

To modify a workflow
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, open the desired
workflow file.
3 Make the desired modifications to the change request lifecycle.
You can add new actions and new statuses to the change request lifecycle. See Action Tag Attributes
(on page 149) and Status Tag Attributes (on page 160) for information on the relevant tag attributes.
4 Save the file.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Disabling Workflows
You can disable both built-in and custom workflows.

To disable a workflow
1 Under the directory usr/share/fireflow/local/etc/site/Workflows/, open the workflow
configuration file Workflows_Config.xml.
2 Locate the desired workflow's line, and add the following to it:
enabled="false"

3 For example, to disable the Custom workflow, change:


<workflow name="Custom" description="This is a custom workflow"
filename_prefix="Custom" />

to
<workflow name="Custom" enabled="false" description="This is a custom workflow"
filename_prefix="Custom" />

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Deleting Workflows
Note: FireFlow allows deleting only custom workflows, not built-in workflows.

To delete a workflow
1 Log in to the FireFlow server using the username "root" and the related password.

165

AlgoSec FireFlow

Release 6.3

2 In the directory /usr/share/fireflow/local/etc/site/Workflows/, remove the desired


workflow file.
3 In the directory /usr/share/fireflow/local/etc/site/Workflows/, open the file
Workflows_Config.xml.
4 Remove the line of the workflow you want to delete.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Reverting to the System Default Workflow via XML


To revert to the system default workflow settings
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, remove all of the
workflow files.
3 Under the directory /usr/share/fireflow/local/etc/site/, remove the file
Workflows_Config.xml.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).

166

CHAPTER 13

Using Hooks
This section explains how to use hooks with FireFlow.

In This Chapter
Overview ............................................................................ 167
Using Hooks to Control Parameters ................................... 167
Hook Functions .................................................................. 169
Comprehensive Example.................................................... 176

Overview
It is possible to configure FireFlow to extract certain parameters on the fly, by using hooks. This helps
streamline the change request lifecycle and is particularly helpful for MSPs.
For example, during the Initial Plan stage of the change request lifecycle, FireFlow checks the requested
traffic against the ALL_FIREWALLS group, by default. If you have several customers, each of which is a
large organization with numerous devices, checking traffic against all of the devices of each organization is
unnecessary and time consuming. By using hooks, it is possible to configure FireFlow to check traffic only
against the devices of the organization that issued the change request.
You can use hooks to do the following:

Retrieve the name of the workflow to assign the change request in the Request stage
Retrieve the device group against which traffic should be checked in the Initial Plan stage
Retrieve the name of the user group responsible for the change request in each lifecycle stage
Retrieve appearing in the Requestors Web Interface
Validate a change request before its creation
Suggest host names to match IP addresses with no associated hostname in a work order
Add suffixes to add to suggested rule comments in a work order
Validate host names, groups, and comments in a manually edited work order
Run additional risk checks on external systems

Using Hooks to Control Parameters


To use hooks to control parameters
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the /usr/share/fireflow/local/Hooks directory that implements the
FireFlow::Hooks package, create a Perl pm file.

167

AlgoSec FireFlow

Release 6.3

The file can have any name. For example, you can create the file
/usr/share/fireflow/local/Hooks/MyHooks.pm, which begins with the line:
package FireFlow::Hooks;

3 In the file you created, implement the desired hooking functions.


For information on the hooking functions, see Hook Functions (on page 169).
4 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
5 Add the configuration item HooksFileNames, and set its value to the name of the Perl pm file you
created.
For example:
Set(@HooksFileNames,(
"MyHooks"
));

6 Save the file.


7 Restart FireFlow.
See Restarting FireFlow (on page 11).

168

Chapter 13

Using Hooks

Hook Functions
GetExternalRisks
Syntax
sub GetExternalRisks

Description
This function is called for every change request, after FireFlow has finished running a risk check. It receives
the change request as input, along with a list of devices on which a risk check should be run. The risk check
is run on an external system, and the function then returns the risk check results. These results are displayed
in FireFlow after the FireFlow risk check results, for example:

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

169

AlgoSec FireFlow

$firewall

Release 6.3

A Perl array reference containing an array of device names on which a risk


check should be run.
Note: These are the same devices on which the FireFlow risk check ran.

Return Values
A Perl hash reference containing the following keys:
RiskList. An array of all the risks that were detected, sorted from high to low severity, where each risk is
represented by a hash reference containing the risk's name, description, code, and severity.
profile. The risk check's profile.
high. The number of risks at the High severity level.
low. The number of risks at the Low severity level.
medium. The number of risks at the Medium severity level.
suspected high. The number of risks at the Suspected High severity level.
Note: If there are no risks at a certain severity level, the relevant key will have no value defined.

GetFirewallGroupName
Syntax
sub GetFirewallGroupName

Description
This function is called for every change request just before initial planning is executed on the change
request. It receives the change request as input and returns the name of the device group against which
FireFlow will check traffic in the Initial Plan stage.

Input Parameters
$context

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values
One of the following values:
The desired device group's name

This must be the group's real name, not its display name.

""

Use the default behavior: FireFlow will check traffic against the group
configured as $FAQueryDefaultGroup in the configuration file. (The
default is the ALL_FIREWALLS group.)

170

Chapter 13

Using Hooks

GetRealGroupName
Syntax
sub GetRealGroupName

Description
This function is called for every change request, when the change request transitions from one status to
another. It receives the change request as input, as well as the meta group name that the change request's
workflow specifies as the responsible group for the change requests new status. It returns the name of the
user group that is responsible for the change request in its current status.

Input Parameters
$context

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$metaGroup

A user group name, as it appears in the workflow XML.


This may be a meta group's name. For example if the meta group's name is
"security", the hook may then return the user group "securityA" for requestors
of company A, and the user group "securityB" for requestors of company B,
where "securityA" and "securityB" are real user groups (not meta groups) that
exist in FireFlow.

Return Values
One of the following values:
The desired user group's name
""

Use the default behavior: The user group specified in the workflow
configuration will be responsible for the change request.

171

AlgoSec FireFlow

Release 6.3

GetRequestorSearches
Syntax
sub GetRequestorSearches

Description
This function allows adding searches to the Requestors Web Interface. It receives the requestor's user
properties as input, as well as the name of the page in the Requestors Web Interface on which the search
should appear. It returns a search on the specified page.
Note: By default, requestors can only view change requests that they requested themselves. Therefore, if the
hook returns a search query with change requests that other users requested, those change requests will not
be displayed in the Requestor Web Interface. To enable the display of change requests requested by other
users, it is necessary to grant requestors more permissive rights. See Working with Rights (on page 177).

Input Parameters
$requestor

A hash reference to the requestor's user properties.


For a list of user properties that are included in the hash, and for information on
modifying the list of included properties, see Configuring the List of User
Properties (on page 216).

$friendly_status

The Requestors Web Interface page that is currently being displayed. This can
have the following values:
Open
Awaiting Response
Closed

Return Values
An array, in the following format:
my $search = {Field1 => Value1, Field2 => Value2, ...};
Where each field in the array is a hash reference representing a search.
Supported fields are:

172

Chapter 13

Using Hooks

Title

The search's title. This will appear in the Requestors Web Interface.
This field is mandatory.

Format

A string containing a comma-separated list of columns that should be included


in the search results.
For example:
my $Format = qq{
'<B><A HREF="}. RT->Config->Get('WebPath')
.qq{/SelfService/Display.html?id=__id__">__id__</a><
/B>/TITLE:Id',
'<B><A HREF="}. RT->Config->Get('WebPath')
.qq{/SelfService/Display.html?id=__id__">__Subject__
</a>
</B>/TITLE:Subject',
'__CustomField.{Workflow}__',
Status,
OwnerName,
Priority,
CreatedRelative,
LastUpdatedRelative};
This field is mandatory.

Query

An SQL query. For example:


Queue = 'Firewalls' AND id > 100 AND
Requestor.EmailAddress LIKE 'algosec.com'
Note: If a field is missing from the query, a warning will be written to the log
and the search will not be displayed.
This field is mandatory.

OrderBy

An array of columns names, indicating the column by which search results


should be sorted by default.
The default value is ('LastUpdated'). This field is optional.

Order

An array indicating the default sort order of the search results. This can have
the following values:

ASC. Show the oldest search results first.


DESC. Show the most recent search results first.

The default is ('DESC'). This field is optional.


Rows

The number of search result rows to display per page.


The default value is null. This field is optional.

For example:
my $search = {
Title => "The title of the search",
Format => $Format,
Query => $Query,
Order => @Order,
OrderBy => @OrderBy,
Rows => $Rows;

173

AlgoSec FireFlow

Release 6.3

GetWorkFlowName
Syntax
sub GetWorkFlowName

Description
This function is called for every change request, when the change request is created and its workflow must
be determined. It receives the change request as input and returns the name of the workflow that FireFlow
should assign the change request.

Input Parameters
$context

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values
One of the following values:
The desired workflow's name
""

Use the default behavior: Assign a workflow based on the configured


workflow conditions.

SuggestCommentSuffix
Syntax
sub SuggestCommentSuffix

Description
This function is called for every change request, in which the work order contains a suggested rule
comment. It receives the change request as input, as well as the original rue comment and the rule comment
suggested by FireFlow. It returns a suffix to be added to the rule comment suggested by FireFlow.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$origComment

The original rule comment.

$commentValue

The rule comment suggested by FireFlow.

Return Values
A suffix to be added to the rule comment suggested by FireFlow.

174

Chapter 13

Using Hooks

SuggestHostName
Syntax
sub SuggestHostName

Description
This function is called for every change request, in which the work order contains an IP address or subnet
that is not associated with a hostname. It receives the change request as input, as well as the IP
address/subnet and an indication of whether the IP address/subnet is a source or destination. It returns a
suggested hostname for the IP address/subnet.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$ip

The IP address or subnet that does not have an associated hostname.

$field

The IP address or subnet's function. This can have the following values:
Source
Destination

Return Values
A suggested hostname for the IP address/subnet.

ValidateTicket
Syntax
sub ValidateTicket

Description
This function is called for every change request that is created via the Web interface. It receives the change
request as input. It returns a return code and a list of error messages, so as to validate the change request.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
Note: The hash will contain only data that was entered in the request form. The
ID field will be set to "New".
For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values
A return code and a list of error messages.

175

AlgoSec FireFlow

Release 6.3

ValidateWorkOrderEdit
Syntax
sub ValidateWorkOrderEdit

Description
This function is called for every change request, in which the work order contains hostnames, host and
service groups, and/or comments that were manually edited. It receives the change request as input, as well
as the edited work order elements. It returns the elements that are invalid.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which


points to the flat ticket representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$validationHash

A Perl hash reference containing the work order elements that were manually
edited.

The hash contains the following elements:

objects - The objects names to be validated.


groups - The host and service groups to be validated.
comments - The comments to be validated.

Return Values
$invalidHash

A Perl hash reference containing the work order elements that were found to be
invalid.

Comprehensive Example
For a comprehensive example, refer to the following files on the FireFlow server:

A sample Perl module is located under /usr/share/fireflow/local/Hooks/ExampleHooks.pm


The related XML data is located under
/usr/share/fireflow/local/etc/site/Hooks/Example_Config.xml

176

CHAPTER 14

Working with Rights


This section explains how to configure rights.

In This Chapter
Overview ............................................................................ 177
Configuring Global Rights for Groups ............................... 178
Configuring Global Rights for Users ................................. 181
Configuring Queue Rights for Groups ............................... 183
Configuring Queue Rights for Users .................................. 186

Overview
FireFlow enables you to assign rights to users and user group. Each right represents an action that the user or
user group can perform.
There are two types of rights:

Built-in rights
FireFlow includes a set of built-in rights that represent specific actions users can perform.
User-defined rights
FireFlow includes a set of user-defined rights that are labeled UserDefinedRight01 through
UserDefinedRight10. Unlike the built-in rights, which are tied to specific actions, user-defined rights can
be used to represent any custom action, in order to restrict the performance of those actions to certain
users.
For example, let's say you want to modify the Standard workflow so that it includes a custom action
called "First Approve", and you want to restrict this action to users who have "First Approval" rights. As
"First Approval" rights do not exist in the FireFlow system, you can decide that UserDefinedRight01 will
represent "First Approval" rights, and assign these rights to the desired user groups.
Note: You cannot rename user-defined rights.

When assigning rights to a user group, all members of the group (both users and sub-groups) will
automatically inherit the rights.
Note: It is recommended to assign rights to user groups, rather than to individual users. This approach
enables you to quickly configure a new user's rights, by simply adding the user to the desired group.
You can assign rights to the following types of user groups:

System groups
Includes Everyone, Privileged, and Unprivileged (requestors).
User roles
Includes Cc, Requestor, and Owner.

177

AlgoSec FireFlow

Release 6.3

Rights assigned to a user role are only relevant for users who are filling that role in relation to a specific
change request. For example, if you assign "ShowTicket" rights to the Requestor role, then a user who is
the requestor for a specific change request will be able to view that change request. The same user will
not be able to view other change requests for which they are not the requestor, unless the user also
belongs to a system or user-defined group with "ShowTicket" rights.
Note: The AdminCc user role is not in use and should be ignored.

User-defined groups
Includes Network, Security, and any other group defined by a user.

Rights can be assigned at either of the following levels:

Global
Assign rights at the global level for actions that should be performed on all change requests and for
actions that are not related to change requests. You can assign both user-defined and built-in rights.
See Configuring Global Rights for Groups (on page 178) and Configuring Global Rights for Users
(on page 181).
Queue
Assign rights at the queue level for actions that should only be performed on change requests belonging
to a certain queue.
Only built-in rights can be assigned at the queue level.
See Configuring Queue Rights for Groups (on page 183) and Configuring Queue Rights for Users (on
page 186).

Configuring Global Rights for Groups


Configuring Global Built-in Rights for Groups
Note: By default, both the Network and Security user groups can view matching output, but only the
Security user group can perform manual matching. Furthermore, both these user groups can view change
records in FireFlow and modify their summary or comment on the change records. If desired, you can
change these settings for these user groups or any other user group.

To configure global built-in rights for a group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.

178

Chapter 14

Working with Rights

The Advanced Configuration page appears.

3 Click Global.
The Admin/Global configuration page appears.

4 Click Group Rights.

179

AlgoSec FireFlow

Release 6.3

The Modify global group rights page appears.

5 Locate the desired group.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user group, select the rights you want to assign this
group.
For information on some of the most commonly used global built-in rights, see Global Built-in
Rights (page 180).
To select multiple rights, press Ctrl while you click on the desired rights.
Note: It is recommended to select rights similar to those of the pre-defined Security and/or Network
groups.
b) Click Modify Group Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify Group Rights.
The selected rights are removed from the Current rights area.
Global Built-in Rights
Right

Description

DeleteMatches

Allows users in the group to delete matching output for all change requests. This right is
required for manual matching.

ModifyChanges

Allows users in the group to modify or comment on change records.

180

Chapter 14

Working with Rights

ModifyMatches

Allows users in the group to modify matching output for all change requests. This right
is required for manual matching.

ShowChanges

Allows users in the group to view change records for all change requests.

ShowMatches

Allows users in the group to view matching output for all change requests.

Configuring Global User-Defined Rights for Groups


To configure global user-defined rights for a group

1 Choose an unused user-defined right (UserDefinedRight01 through UserDefinedRight10) to represent the


right to perform a certain custom action.
For example, if you want to modify the Standard workflow so that it includes a custom action called
"First Approve", and you want to restrict this action to users who have "First Approval" rights, you
would choose UserDefinedRight01 to represent the right to perform the "First Approve" custom action.
2 Assign the user-defined right to the user groups that should be allowed to perform the custom action, by
doing the following:
a) Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
b) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
c) Click Global.
The Admin/Global configuration page appears.
d) Click Group Rights.
The Modify global group rights page appears.
e) In the User defined groups area, for each group to which you want to assign the user-defined rights,
select the relevant rights in the New rights list box.
f) Click Modify Group Rights.
In our example, you would assign UserDefinedRight01 rights to the user groups that should be allowed to
perform the "First Approve" action.
3 Modify the custom action to restrict its use to users with the selected user-defined right.
For information on modifying workflow actions, see Working with Workflows in VisualFlow (on page
71).

Configuring Global Rights for Users


Configuring Global Built-in Rights for Users
To configure global built-in rights for a user
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
3 Click Global.
181

AlgoSec FireFlow

Release 6.3

The Admin/Global configuration page appears.


4 Click User Rights.
The Modify global user rights page appears.

5 Locate the desired user.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user, select the rights you want to assign this user.
For information on some of the most commonly used global built-in rights, see Global Built-in
Rights (page 180).
To select multiple rights, press Ctrl while you click on the desired rights.
b) Click Modify User Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify User Rights.
The selected rights are removed from the Current rights area.

Configuring Global User-Defined Rights for Users


To configure global user-defined rights for a user

1 Choose an unused user-defined right (UserDefinedRight01 through UserDefinedRight10) to represent the


right to perform a certain custom action.

182

Chapter 14

Working with Rights

For example, if you want to modify the Standard workflow so that it includes a custom action called
"First Approve", and you want to restrict this action to users who have "First Approval" rights, you
would choose UserDefinedRight01 to represent the right to perform the "First Approve" custom action.
2 Assign the user-defined right to the user that should be allowed to perform the custom action, by doing
the following:
a) Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
b) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
c) Click Global.
The Admin/Global configuration page appears.
d) Click User Rights.
The Modify global user rights page appears.
e) For each user to which you want to assign the user-defined rights, select the relevant rights in the
New rights list box.
f) Click Modify User Rights.
In our example, you would assign UserDefinedRight01 rights to the users that should be allowed to
perform the "First Approve" action.
3 Modify the custom action to restrict its use to users with the selected user-defined right.
For information on modifying workflow actions, see Working with Workflows in VisualFlow (on page
71).

Configuring Queue Rights for Groups


Configuring Queue Built-in Rights for Groups
To configure queue rights for a user group

1 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.
2 Click Queues.

183

AlgoSec FireFlow

The Admin queues page appears.

3 Click Firewalls.
The Editing Configuration for queue Firewalls page appears.

4 In the main menu, click Group Rights.

184

Release 6.3

Chapter 14

Working with Rights

The Modify group rights for queue Firewalls page appears.

5 Locate the desired user group.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user group, select the rights you want to assign this
group.
For information on some of the most commonly used queue built-in rights, see Queue Built-in
Rights (page 186).
To select multiple rights, press Ctrl while you click on the desired rights.
Note: It is recommended to select rights similar to those of the pre-defined Security and/or Network
groups.
Note: The list box includes rights for change request-related actions that can be performed via the
FireFlow interface. If a change request-related right is selected, the relevant option will appear as an
action button or in the Other drop-down list. For example, if you select the TakeTicket right for the
Network group, then members of the Network group will see the Take option in the Other drop-down
list. In contrast, if a change request-related right is not selected, the relevant action will not appear in the
Other drop-down list.
b) Click Modify Group Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify Group Rights.
The selected rights are removed from the Current rights area.
185

AlgoSec FireFlow

Release 6.3

Queue Built-in Rights


Right

Description

AllowActiveChange

Allows users in the group to implement changes on Check Point devices for which
ActiveChange is enabled, for change requests in the queue.

AllowAffectedRules

Allows users in the group to find affected rules of change object requests in the queue.

AllowApprove

Allows users in the group to approve change requests in the queue.

AllowChangeValidation

Allows users in the group to perform change validation for change requests in the queue.

AllowDeleteTicket

Allows users in the group to delete change requests in the queue.

AllowImplementationDone Allows users in the group to declare implementation as complete for change requests in
the queue.
AllowImplementationPlan

Allows users in the group to create a work order for change requests in the queue.

AllowInitialPlan

Allows users in the group to perform initial planning for change requests in the queue.

AllowManualCheck

Allows users in the group to perform a manual check for change requests in the queue.
Used by the built-in Generic workflow.

AllowNotifyRequestor

Allows users in the group to notify the requestor that change request validation is
required for change requests in the queue.

AllowObjectChangeValida Allows users in the group to perform change validation for object change requests in the
tion
queue.
AllowReImplement

Allows users in the group to re-implement change requests in the queue.

AllowRePlan

Allows users in the group to re-plan change requests in the queue.

AllowReject

Allows users in the group to reject change requests in the queue.

AllowRequestorResponse

Allows users in the group to respond to change requests in the queue, specifying that the
change works or does not work. This right is typically granted to the requestor role
instead of to a system or user-defined group.

AllowResolve

Allows users in the group to resolve change requests in the queue.

AllowReview

Allows users in the group to review change requests in the queue. Used by the built-in
Multi-Approval workflow.

AllowRiskCheck

Allows users in the group to perform risk checks for change requests in the queue.

Configuring Queue Rights for Users


Configuring Queue Built-in Rights for Users
To configure queue rights for a user group

1 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.
2 Click Queues.
The Admin queues page appears.

186

Chapter 14

Working with Rights

3 Click Firewalls.
The Editing Configuration for queue Firewalls page appears.
4 In the main menu, click User Rights.
The Modify user rights for queue Firewalls page appears.

5 Locate the desired user.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user, select the rights you want to assign this user.
For information on some of the most commonly used queue built-in rights, see Queue Built-in
Rights (page 186).
To select multiple rights, press Ctrl while you click on the desired rights.
Note: The list box includes rights for change request-related actions that can be performed via the
FireFlow interface. If a change request-related right is selected, the relevant option will appear as an
action button or in the Other drop-down list. For example, if you select the TakeTicket right for a user,
then that user will see the Take option in the Other drop-down list. In contrast, if a change request-related
right is not selected, the relevant action will not appear in the Other drop-down list.
b) Click Modify User Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify User Rights.
The selected rights are removed from the Current rights area.

187

CHAPTER 15

Working with SLA Notifications


This section explains how to configure SLA notifications.

In This Chapter
Overview ............................................................................ 189
Adding SLA Notifications.................................................. 189
Editing SLA Notifications .................................................. 194
Managing Email Subscriptions to SLA Notifications ........ 196
Deleting SLA Notifications ................................................ 197

Overview
FireFlow enables you to create custom pages displaying a specific set of SLO data. These pages are called
SLA notifications, and they can be made available to yourself only, certain user groups, or system-wide.
In addition, users can be subscribed to SLA notifications, so that they periodically receive the SLA
notifications' content via email.

Adding SLA Notifications


To add an SLA notification
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.

189

AlgoSec FireFlow

The FireFlow Configuration page appears.

3 Click SLA Notifications.


The SLA Notifications page appears.

4 In the main menu, click Create.

190

Release 6.3

Chapter 15

Working with SLA Notifications

The Create a new SLA notification page appears.

5 In the Name field, type a name for the SLA notification.


6 Click Save.
7 In the main menu, under the SLA notification's name, click Content.
The Modify the content of SLA notification page appears.

191

AlgoSec FireFlow

Release 6.3

8 For each element you want to add to the SLA notification, do the following:
a) In the Available list box, select the element you want to add.
For information on each element, see SLA Notification Elements (page 192).
b) Click
.
The selected element moves to the right list box. The order that the elements appear in the box
represents the order in which they will appear in the SLA notification.
c) To move the element up or down in the box, select the element and click the
buttons.
d) To delete the element, select it and click Delete.
Your changes are saved.

or

SLA Notification Elements


Select this element...

To add this to the SLA notification...

"N" Soon to be due change


requests

Pre-defined search results consisting of a list of open change requests in the system
that have a due date that has passed, that is the current date, or that is the day after the
current date.

"N" New Recertification


Requests

Pre-defined search results consisting of a list of recertification requests in the system


that are new and still in the Request stage.

"N" New Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are new and still in the Request stage, and whose traffic has already been checked
against devices.

"N" Open Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are currently open.

"N" Parent Recertification


Requests Pending Sub
Requests Implementation

Pre-defined search results consisting of a list of parent recertification request in the


system that are currently in the Implement stage and awaiting implementation of the
relevant sub-requests.

"N" Parent Requests Pending


Sub Request Implementation

Pre-defined search results consisting of a list of parent requests in the system that are
currently in the Implement stage and awaiting implementation of the relevant
sub-requests.

"N" Recertification Requests


to Create Work Order

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Implement stage and awaiting a work order to be created.

"N" Recertification Requests


to Implement

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Implement stage and awaiting implementation.

"N" Recertification Requests


to Plan

Pre-defined search results consisting of all recertification requests in the system that
are currently in the Plan stage.

"N" Recertification Requests Pre-defined search results consisting of a list of recertification requests in the system
to Send Recertify Notification that are currently in the Approve stage, and for which a recertification notification
to Traffic Requestors
will be sent to the traffic requestors.
"N" Recertification Requests
to Validate

192

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Validate stage.

Chapter 15

"N" Recertification Requests


Waiting for Recertify
Response from Traffic
Requestors

Working with SLA Notifications

Pre-defined search results consisting of a list of recertification requests in the system


that are currently in the Approve stage and awaiting confirmation from the traffic
requestors that the requested recertification is approved.

"N" Rejected Change Requests Pre-defined search results consisting of a list of change requests in the system that
were rejected.
"N" Resolved Change
Requests

Pre-defined search results consisting of a list of change requests in the system that
have been resolved.

"N" Change Requests owned


by Controllers group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Controllers group.

"N" Change Requests owned


by Network group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Network group.

"N" Change Requests owned


by Security group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Security group.

"N" Change Requests Relevant Pre-defined search results consisting of a list of change requests in the system that
to My Groups
are relevant to the user groups to which you belong.
"N" Change Requests that are
due to be recertified

Pre-defined search results consisting of a list of traffic change requests in the system
that expired, and which should be recertified.

"N" Change Requests Flagged Pre-defined search results consisting of a list of change requests in the system that
by Requestor as "Change Does have been flagged by the requestor as "Change Does Not Work".
Not Work"
"N" Change Requests that
Received Requestor's
Response

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Validate stage and received the requestor's confirmation that the
requested change was implemented successfully.

"N" Change Requests to


Approve

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Approve stage.

"N" Change Requests to Create Pre-defined search results consisting of a list of change requests in the system that
Work Order
are currently in the Implement stage and awaiting a work order to be created.
"N" Change Requests to
Expire in the Next 30 days

Pre-defined search results consisting of a list of change requests in the system that
will expire within the next 30 days.

"N" Change Requests to


Implement

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Implement stage and awaiting implementation.

"N" Change Requests to Plan

Pre-defined search results consisting of all change requests in the system that are
currently in the Plan stage.

"N" Change Requests to


Review

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Review stage and awaiting a controller's review.

"N" Change Requests to Send


Removal Notification to Rule
Requestors

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Approve stage, and for which a rule removal notification will be
sent to the rule's traffic requestors.

"N" Change Requests to


Validate

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Validate stage.

"N" Change Requests Waiting Pre-defined search results consisting of a list of change requests in the system that
for Removal Response from
are currently in the Approve stage and awaiting confirmation from the rules traffic
Rule Requestors
requestors that the requested rule removal is approved.

193

AlgoSec FireFlow

Release 6.3

"N" Change Requests Waiting Pre-defined search results consisting of a list of change requests in the system that
for Requestor's Response
are currently in the Validate stage and awaiting the requestor's confirmation that the
requested change was implemented successfully.
"N" Total New Change
Requests

Pre-defined search results consisting of a list of all change requests in the system that
are new and still in the Request stage, including change requests whose traffic has
not yet been checked against devices.

Bookmarked Change Requests A list of change requests that the user bookmarked.
My Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are owned by you.

RefreshHomepage

Controls for refreshing the page.

Unowned Change Requests

Pre-defined search results consisting of a list of change requests in the system that
currently have no owner.

Saved Search Name

A custom search that was saved under "FireFlow's saved searches", and which is
available to your user role.
For information on saving searches, see Saving Searches.

Chart Name

A chart that was saved under "FireFlow's saved searches", and which is available to
your user role.
For information on saving charts, see Saving Charts.

Search for chart Chart Name

A custom search on which a certain chart is based.

Editing SLA Notifications


To edit an SLA notification
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click SLA Notifications.
The SLA Notifications page appears.
4 Click on the name of the desired notification.
The SLA notification appears.
5 To modify the SLA notification's name, do the following:
a) In the main menu, under the SLA notification's name, click Basics.

194

Chapter 15

Working with SLA Notifications

The Modify the SLA notification page appears.

b) In the Name field, type a name for the SLA notification.


c) Click Save.
6 To modify the SLA notification's content, do the following:
a) In the main menu, under the SLA notification's name, click Content.
The Modify the content of SLA notification page appears.
b) For each element you want to add to the SLA notification, do the following:
1. In the Available list box, select the element you want to add.
For information on each element, see SLA Notification Elements (page 192).
.
2. Click
The selected element moves to the right list box. The order that the elements appear in the box
represents the order in which they will appear in the SLA notification.
3. To move the element up or down in the box, select the element and click the
buttons.
4. To delete the element, select it and click Delete.
Your changes are saved.

or

195

AlgoSec FireFlow

Release 6.3

Managing Email Subscriptions to SLA Notifications


By default, when you create an SLA notification, you are automatically subscribed to it, and emails
containing the SLA notification's content will be sent to the email address associated with your account. If
desired, you can configure FireFlow to send these emails to other recipients, and/or change the frequency
and time at which these emails are sent.

To manage a subscription to an SLA notification


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click SLA Notifications.
The SLA Notifications page appears.
4 Click on the name of the desired notification.
The SLA notification appears.
5 In the main menu, under the SLA notification's name, click Email Subscription.
The Subscribe to SLA notification page appears.

6 Complete the fields using the information in the following table.


7 Click Subscribe.

196

Chapter 15

Working with SLA Notifications

Email Subscription Fields


In this field...

Do this...

Frequency

Specify how often emails containing SLA notification content should be sent. This
can have the following values:
hourly. Emails will be sent once an hour.
daily. Emails will be sent once a day.
weekly. Emails will be sent once every specified number of weeks on the
specified day.
monthly. Emails will be sent once a month on the specified day of the month.
never. Emails will not be sent.

Hour

Select the hour in the displayed timezone, at which emails containing SLA
notification content should be sent.
Note: The timezone can be configured in your user settings. Refer to the AlgoSec
FireFlow User Guide, Configuring User Settings.

Rows

Select the number of change requests in each saved search that should appear in
emails containing dashboard content.

Recipient

Type a list of email addresses to which emails containing SLA notification contents
should be sent. The email addresses must be separated by commas.
If this field is left empty, emails will be sent only to the email address associated with
your FireFlow user account. However, if this field is filled in, emails will not be sent
to the email address associated with your FireFlow user account, unless you include
your email address in the list.

Deleting SLA Notifications


To delete an SLA notification
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click SLA Notifications.
The SLA Notifications page appears.
4 Click on the name of the desired notification.
The SLA notification appears.
5 In the main menu, under the SLA notification's name, click Basics.
The Modify the SLA notification page appears.
6 Click Delete.
A confirmation message appears.
7 Click OK.
The SLA notification is deleted.

197

CHAPTER 16

Overriding FireFlow System Defaults


This section explains how to override the FireFlow system defaults.

In This Chapter
Overriding System Default Settings ................................... 199
Overriding Specific System Default Settings ..................... 200
Reverting to System Defaults ............................................. 231

Overriding System Default Settings


You can override default system settings, including timeout settings, log file settings, the default columns
displayed in search results, and more.
Note: The following is a general procedure that can be used to override the default settings of your choice.
For information on specific settings you can override, see Overriding Specific System Default Settings (on
page 200).

To override system default settings


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/, locate the file FireFlow_Config.pm.
Note: This is the original system settings file, and it is required for reverting to system default settings.
Do not modify this file.
3 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original
file into an override file called FireFlow_SiteConfig.pm.
4 Open the override file.
5 For each setting you want to override, do the following:
a) Locate the relevant parameter in FireFlow_Config.pm.
The file includes detailed information about each parameter. For further information, contact
AlgoSec.
b) Copy the relevant code for the parameter.
c) Paste the code into FireFlow_SiteConfig.pm.
d) Make the desired modifications to the code.
6 Close the file FireFlow_Config.pm.
Note: Do not save changes to this file.
7 Save the file FireFlow_SiteConfig.pm.
8 Restart FireFlow.
See Restarting FireFlow (on page 11).

199

AlgoSec FireFlow

Release 6.3

Overriding Specific System Default Settings


Configuring the Maximum Rows Displayed in Home Page Lists
By default, FireFlow shows a maximum of 10 rows in each change request list in the Home page. You can
modify this system default using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > FireFlow
Home Page.

To configure the maximum rows displayed in Home page lists


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultSummaryRows, and set its value to the desired number of rows in
each change request list in the Home page.
To specify an unlimited number of rows, set it to an empty string .
For example, to set the maximum number of rows to 5, add the following item:
Set($DefaultSummaryRows, '5');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Change Request History Order


By default, FireFlow displays the change request history with the newest item appearing at the top, and
change request creation appearing at the bottom. You can reverse the order using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > Settings.

To configure the change request history order


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item OldestTransactionsFirst, and set its value to one of the following:
1 - Display change request histories with the newest items appearing at the bottom.
0 - Display change request histories with the newest items appearing at the top. This is the default.
For example, to display change request histories with the newest items appearing at the bottom, add the
following item:
Set($OldestTransactionsFirst, '1');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

200

Chapter 16

Overriding FireFlow System Defaults

Configuring the Maximum Rows Displayed in Auto Matching Page


Sub-Lists
By default, FireFlow shows a maximum of 100 rows in each sub-list in the Auto Matching page. You can
modify this system default using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > Auto
Matching.

To configure the maximum rows displayed in Auto Matching page sub-lists


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ChangesMaxRows, and set its value to the desired number of rows in each
sub-list in the Auto Matching page.
To specify an unlimited number of rows, set it to an empty string .
For example, to set the maximum number of rows to 50, add the following item:
Set($ChangesMaxRows, '50');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Time Frame for Items Displayed in Auto Matching Page
Lists
By default, FireFlow shows matches made in the last 30 days in each sub-list in the Auto Matching page. You
can modify this system default using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > Auto
Matching.

To configure the time frame for items displayed in Auto Matching page sub-lists
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ReconciliationLastDays, and set its value to the desired number of
days for which to display matches in each sub-list in the Auto Matching page.
To specify an unlimited number of days, set it to an empty string ''.
For example, to set the number of days to 365, add the following item:
Set($ReconciliationLastDays, '365');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

201

AlgoSec FireFlow

Release 6.3

Enabling/Disabling Multiple Traffic Rows in Change Requests


By default, FireFlow allows users to add more traffic rows to a change request, by clicking Add More Traffic.
If desired, you can disable this option and remove the Add More Traffic button.

To enable/disable multiple traffic rows in change requests


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item EnableMultipleTraffic.
4 Do one of the following:
To disable multiple traffic rows, set the configuration item's value to 0.
To enable multiple traffic rows, set the configuration item's value to 1.
For example, the following disables multiple traffic rows:
Set($EnableMultipleTraffic, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Hiding Change Request Fields


If desired, you can hide the following change request fields:

Priority
Due
Describe the issue
Cc

Hidden fields will not be displayed in the FireFlow Web interface.


Note: Hidden fields are not removed from change requests; they are just not displayed. A hidden field can
still be assigned a value via the request template, and workflow conditions that rely upon a hidden field will
still work.

To hide change request fields


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item HideFieldsFromTicket.
4 Set the configuration item's value to an array of fields to hide.
Supported fields are: Priority, Due, Describe the issue, and Cc.
Fields must be enclosed in quotation marks and separated by commas.
For example, the following hides the Priority, Describe the issue, and Cc fields:
Set ($HideFieldsFromTicket, ["Priority", "Describe the issue", "Cc"]);

The default value is empty list, meaning that none of the fields are hidden.

202

Chapter 16

Overriding FireFlow System Defaults

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Sub-Request Traffic Modification


By default, FireFlow does not allow users to modify traffic specified in sub-requests. If desired, you can
enable sub-request traffic modification.

To enable/disable sub-request traffic modification


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ModifySubTicketChangeTraffic.
4 Do one of the following:
To enable sub-request traffic modification, set the configuration item's value to 1.
To disable sub-request traffic modification, set the configuration item's value to 0.
For example, the following enables modification:
Set($ModifySubTicketChangeTraffic,'1');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Whether Traffic Fields Are Mandatory


By default, all traffic fields in a change request (source, destination, service, and action fields) are
mandatory, and FireFlow automatically validates these fields to ensure they are filled in. If desired, you can
specify that traffic fields are optional.
Note: You can also disable automatic traffic field validation. See Enabling/Disabling Traffic Field
Validation (on page 204).

To configure whether traffic fields are mandatory


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item AllTrafficFieldsMandatory.
4 Do one of the following:
To specify that traffic fields are optional, set the configuration item's value to 0.
To specify that traffic fields are mandatory, set the configuration item's value to 1.
For example, the following specifies that traffic fields are optional:
Set($AllTrafficFieldsMandatory, '0');

5 Save the file.


6 Restart FireFlow.

203

AlgoSec FireFlow

Release 6.3

See Restarting FireFlow (on page 11).

Enabling/Disabling Traffic Field Validation


By default, FireFlow automatically validates traffic fields in change requests, to determine whether all
mandatory fields are filled in with appropriate values. If desired, you can disable validation of traffic fields.

To enable/disable traffic field validation


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ValidateTrafficFields.
4 Do one of the following:
To disable traffic field validation, set the configuration item's value to 0.
To enable traffic field validation, set the configuration item's value to 1.
For example, the following disables traffic field validation:
Set($ValidateTrafficFields, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Work Order Creation for "No Action Required" Change


Requests
In the Implement stage of a traffic change request lifecycle, FireFlow creates a work order consisting of a
list of recommendations for implementing the requested change. If FireFlow detects that traffic is not routed
through the device, then the work order states that no action is required.
In some cases involving Layer-2 devices, routing information may be missing, causing FireFlow to
erroneously state that no action is required. You may therefore prefer to force FireFlow to create work
orders suggesting a rule to add to the device policy, even when it has determined that no action is required.
Note: Such work orders will include a disclaimer stating the following: "Routing information might be
missing. Recommendation could be incomplete.".

To configure work order creation for "No Action Required" change requests
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ForceCreateWorkOrderForNA.
4 Do one of the following:
To specify that work orders should state "No Action Required" when FireFlow detects that traffic is
not routed through the device, set the configuration item's value to 0.
This is the default value.
To force FireFlow to create work orders suggesting a rule to add to the device policy, even when
FireFlow has determined that no action is required, set the configuration item's value to 1.
204

Chapter 16

Overriding FireFlow System Defaults

For example, the following forces FireFlow to create work orders suggesting a rule to add to the device
policy, even if FireFlow determines that no action is required:
Set ($ForceCreateWorkOrderForNA, 1);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Translation of Object IP Addresses and Ports in


Work Orders
In order to prepare a work order, FireFlow translates object IP addresses and ports into host names which are
then displayed in a list of recommendations for implementing the requested change. As translating the IP
address and ports may take several minutes in an environment containing many devices, you may prefer to
disable translation, so that object IP addresses and ports are displayed instead of host names.

To enable/disable translation of object IP addresses and ports in work orders


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ShowHostgroupsInWorkOrder.
4 Do one of the following:
To enable translation on object IP addresses and ports to host names in work orders, set the
configuration item's value to 1.
This is the default value.
To disable translation on object IP addresses and ports to host names in work orders, set the
configuration item's value to 0.
For example, the following disables translation on object IP addresses and ports to host names in work
orders:
Set ($ShowHostgroupsInWorkOrder, 0);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Automatic Initial Planning


By default, immediately upon creation of a change request, FireFlow performs automatic initial planning, in
order to check the traffic specified in the change request against devices. If the traffic already works, then
FireFlow automatically closes the change request and sends the requestor an email indicating that the
change request was closed. Automatic initial planning is based on the most recent device configuration
available on the AlgoSec server (made available via the real-time monitoring mechanism).
If desired, you can change this behavior in the following ways:

Instruct FireFlow to check traffic at the end of the Plan stage, instead of at the end of the Request stage
Instruct FireFlow to refer to periodic AlgoSec Firewall Analyzer device reports when checking traffic
against devices, instead of referring to real-time monitoring data

205

AlgoSec FireFlow

Release 6.3

Disable automatic closing of change requests whose traffic already works

To configure automatic initial planning


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 To configure when traffic checking is performed, do the following:
a) Add the configuration item CallInitialPlanAsync.
b) Do one of the following:
To specify that FireFlow should perform traffic checking at the end of the Request stage, set the
configuration item's value to 1.
To specify that FireFlow should perform traffic checking at the end of the Plan stage, set the
configuration item's value to 0.
For example, the following instructs FireFlow to perform traffic checking at the end of the Request
stage:
Set($CallInitialPlanAsync,'1');

Note: New change requests appear in the Home page's New Change Requests list once traffic checking is
complete or when ten minutes have elapsed since the change request's creation, whichever occurs first.
Therefore, when traffic checking occurs at the end of the Request stage, new change requests appear in
the Home page, as soon as traffic checking is done; however, when traffic checking occurs at the end of
the Plan stage, ten minutes will pass before new change requests appear in the Home page.
In order to cause new change requests to appear in the Home page immediately, regardless of when
traffic checking occurs, customize the Network Operations group's Home page as follows: Remove the
"N" New Change Requests element, and add the "N" Total New Change Requests element. New change
requests will appear in the Home page's Total New Change Requests list immediately upon change
request creation.
For information on customizing a group's Home page, see Customizing the Home Page per Group (on
page 18).
4 To specify which data FireFlow should refer to when checking traffic against devices, do the following:
a) Add the configuration item UseMonitorDataForFirewallQuery.
b) Do one of the following:
To specify that FireFlow should refer to real-time monitoring data, set the configuration item's
value to 1.
To specify that FireFlow should refer to AlgoSec Firewall Analyzer reports, set the
configuration item's value to 0.
For example, the following instructs FireFlow to refer to AlgoSec Firewall Analyzer monitoring
data:
Set($UseMonitorDataForFirewallQuery,'1');

5 To enable/disable automatic closing of change requests that already work, do the following:
a) Add the configuration item AutomaticCheckAlreadyWorks.
b) Do one of the following:
To enable automatic closing of change requests that already work, set the configuration item's
value to 1.

206

Chapter 16

Overriding FireFlow System Defaults

To disable automatic closing of change requests that already work, set the configuration item's
value to 0.
For example, the following enables automatic closing of change requests that already work:

Set($AutomaticCheckAlreadyWorks,'1');

6 Save the file.


7 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Risk Check Method for Change Requests with Multiple
Devices
In the Approve stage of traffic change request's lifecycle, FireFlow performs a risk check, to determine
whether implementing the change specified in the change request would introduce risks. The risk check is
run on the device specified in the change request, using the Risk Profile that the device was assigned when
generating the last successful report in AlgoSec Firewall Analyzer.
When performing a risk check for a parent request with sub-requests, there are multiple devices and
potential multiple Risk Profiles involved. You can configure FireFlow to use any of the following risk check
methods:

One
FireFlow runs the risk check on one random device out of all the sub-request devices.
For example, let us assume that there are three sub-requests, as follows:
Sub-request
500

Device
Check Point A

Risk Profile
r1

501

Check Point B

r2

502

Cisco C

r1

FireFlow will select a device at random (such as Cisco C) and run the risk check on it (using Risk Profile
r1).
Only risk check results for the selected device will be displayed.

Profile
FireFlow runs the risk check on one random device per Risk Profile used by the sub-request devices.
207

AlgoSec FireFlow

Release 6.3

In our example, there are two Risk Profiles, r1 and r2. FireFlow will select a device at random (either
Check Point A or Cisco C) to run the risk check on using Risk Profile r1, and it will also run a risk check
on Check Point B using Risk Profile r2.
Risk check results will be displayed per risk profile.

208

All
FireFlow runs the risk check on each of the sub-request devices.
In our example, FireFlow will run a risk check on Check Point A, Check Point B, and Check Point C,
using their respective Risk Profiles.
Note that the risk check may take a while, and the results for each device may be similar.

Chapter 16

Overriding FireFlow System Defaults

Risk check results will be displayed for each device.

To set the default risk check method for change requests with multiple devices
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item RiskCheckOnParentTicket.
209

AlgoSec FireFlow

Release 6.3

4 Do one of the following:


To use the One method, set the configuration item's value to "one".
To use the Profile method, set the configuration item's value to "profile".
This is the default value.
To use the All method, set the configuration item's value to "all".
For example, the following specifies that FireFlow should use the All method:
Set($RiskCheckOnParentTicket,"all");

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Date Format


When filling in a change requests due date or expiration date, and when searching for change requests
according to these date fields, users can specify the desired date in a variety of formats (for example, "20 Oct
09", "Oct 20 2009", "2009-10-20", and more). By default, FireFlow interprets inputted dates in the format
##/##/## as "dd/mm/yy" (for example, 10/11/09 is interpreted as the 10th of November, 2009). This system
default can be changed to "mm/dd/yy" (for example, 10/11/09 is interpreted as the 11th of October, 2009).

To configure the date format


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DateDayBeforeMonth, and set its value to one of the following:
1 - Interpret inputted dates in the format ##/##/## as "dd/mm/yy". This is the default.
0 - Interpret inputted dates in the format ##/##/## as "mm/dd/yy".
For example, to accept free-text date input as mm/dd/yy format, add the following item:
Set($DateDayBeforeMonth, 0);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Whether the Standard Template Appears in the Request


Templates Page
By default, FireFlow displays the Standard template as an option in the Request Templates page. If desired,
you can specify that the Standard template should not appear in this page.
Note: By default, FireFlow includes a single queue called Firewalls. When there are multiple queues, and
a user is allowed to create change requests in more than one queue, the Standard template does not appear.
(This is because a change request's template must specify the queue in which the change request is created,
and the Standard template does not include pre-filled fields.)

To configure whether the Standard template should appear


1 Log in to the FireFlow server using the username "root" and the related password.
210

Chapter 16

Overriding FireFlow System Defaults

2 Under the directory /usr/share/fireflow/local/etc/site/, open


FireFlow_SiteConfig.pm.
3 Add the configuration item ShowStandardTemplate.
4 Do one of the following:
To specify that the Standard template should not appear in the Request Templates page, set the
configuration item's value to 0.
To specify that the Standard template should appear in the Request Templates page, set the
configuration item's value to 1.
For example, the following specifies that the Standard template should not appear:
Set($ShowStandardTemplate, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Automatic Creation of Requestors upon


Authentication
If RADIUS and/or LDAP authentication is configured, and a requestor who does not exist in FireFlow
attempts to log in to FireFlow, FireFlow will check the inputted user credentials against the RADIUS or
LDAP server. If the username and password pair exists in either database, then by default the requestor will
be automatically added to the FireFlow local user database and logged in.
Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP
server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow
and assigned an AFA user role. In this case, the user will remain a requestor and not a privileged user,
regardless of the AFA user role assigned. For information on importing user data from an LDAP server, see
Importing User Data from an LDAP Server (on page 233).
If desired, you can disable the automatic creation of requestors in FireFlow. Authenticated requestors will
be logged in, without being added to the local user database.

To enable/disable the automatic creation of requestors upon authentication


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item AutoCreateRequestors.
4 Do one of the following:
To disable automatic creation of requestors, set the configuration item's value to 0.
To enable automatic creation of requestors, set the configuration item's value to 1.
This is the default value.
For example, the following disables automatic creation of requestors:
Set($AutoCreateRequestors, 0);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).
211

AlgoSec FireFlow

Release 6.3

Configuring the No-Login Web Form's Requestor Field as Read-Only


FireFlow includes a No-Login Web form that allows users to submit requests without logging in to the
system. By default, the No-Login Web form contains an editable Requestor field, in which the requestor fills
in their email address. The requestor will then be notified by email of all changes made to the change
request.
You can change this system default to make the Requestor field read-only. In this situation, the requestor
accesses the No-Login Web form by clicking a link in another application at your organization which
automatically appends the requestor's email address to the URL. For example, the URL of the No-Login
Web form is https://<fireflow_server>/FireFlow/NewTicket; however, when the requestor's
email address is appended the URL becomes
https://<fireflow_server>/FireFlow/NewTicket?Requestors=some.requestor@some.or
ganization.com.

To configure the No-Login Web form's Requestor field as read-only


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item EditableRequestorInNoAuthTickets, and set its value to one of the
following:
1 - The Requestor field is read-write. This is the default.
0 - The Requestor field is read-only.
For example, to make the Requestor field read-only, add the following item:
Set($EditableRequestorInNoAuthTickets, 0);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Automatic Approval of Minor Rule Changes


By default, FireFlow displays any device policy rule changes in the Auto Matching page and attempts to
match them to resolved change requests. This includes minor policy rule changes, such as enabling rule
logging or updating a rule name. You can modify this system default so that FireFlow automatically
approves minor policy rule changes. These minor changes will then appear in the Auto Matching page in the
Changes Without Request - Approved sub-list, without referring to a specific change request.

To configure automatic approval of minor rule changes


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item IgnoreRuleFieldsInReconciliation, and set its value to a
space-separated list of device policy rule fields, for which any changes should be automatically
approved.
To specify that no changes should be automatically approved, set it to an empty list ().

212

Chapter 16

Overriding FireFlow System Defaults

The supported policy rule fields are: FirewallName, FirewallRuleNum, Name, Comment, Source,
Destination, Service, SourceExpanded, DestinationExpanded, ServiceExpanded,
Action, Enable, Track, Time, Install, Vpn, FromZone, ToZone, ACL, Interface, SourceNat,
and DestinationNat.
Note: SourceExpanded, DestinationExpanded, and ServiceExpanded are the IP addresses (and
protocol/ports) represented by the rules object names. Therefore, for example, when adding Source to
IgnoreRuleFieldsInReconciliation, changes in a rules source object names will be approved
automatically, while changes to the actual source IP addresses will not.
For example, to configure FireFlow to automatically approve changes to rules that involve logging
and/or comments only, add the following item:
Set (@IgnoreRuleFieldsInReconciliation, qw(Track Comment));

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the "From" Address in Dashboard Emails


Users who are subscribed to dashboards periodically receive the dashboard's content via email. By default,
the email's "From" field displays the FireFlow server's email address. If desired, you can change the email
address displayed in the "From" field of dashboard emails.

To change the "From" address in dashboard emails


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DashboardAddress, and set its value to the email address that should be
displayed in dashboard emails.
For example, to set the address to "admin@mycompany.com", add the following item:
Set($DashboardAddress, 'admin@mycompany.com');

Leave the configuration item's value empty to specify that the FireFlow server's email address should be
used.
4 Save the file.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Rule Removal Requests


When submitting a Rule Removal request, you must specify the complete the Due Date field with the date by
which requestors of related change requests must respond to a notification regarding the rule's impending
deletion. This field's default value is 14 days from the change request's creation. If desired, you can change
the default value.

To change the default due date for rule removal requests


1 Log in to the FireFlow server using the username "root" and the related password.

213

AlgoSec FireFlow

Release 6.3

2 Under the directory /usr/share/fireflow/local/etc/site/, open


FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultRuleRemovalDue, and set its value to the number of days after
change request creation that the change request should be due.
For example, to specify that the default due date for rule removal requests should be seven days after
change request creation, add the following item:
Set($DefaultRuleRemovalDue,7);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring How Long the Device Objects List Is Stored in Cache


By default, FireFlow stores a list of device objects in cache for three minutes. This list is displayed in the
Source and Destination wizards.
If desired, you can change the amount of time that the device objects list is stored in cache, by using the
following procedure.

To configure the amount of time the device objects list is stored in cache
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item FirewallObjectRefreshTime, and set its value to the desired number of
seconds that the device objects list should be stored in cache.
For example, to set the time in cache to two minutes (120 seconds), add the following item:
Set($FirewallObjectRefreshTime,'120');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Whether Emails to Related Change Requestors Include the


Rule to be Removed
In the Approve stage of rule removal request's lifecycle, FireFlow sends an email to the requestors of change
requests with traffic intersecting that of the rule slated for removal, informing them that the rule will be
removed by a certain date. By default, the email includes a table displaying the rule in question. If desired,
you can specify that this table should not be included in the email.

To change the default due date for rule removal requests


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ShowRuleInfoWhenNotifyRuleToRemove.
4 Do one of the following:

214

Chapter 16

Overriding FireFlow System Defaults

To specify that emails to related change requestors should include a table with the rule to be
removed, set the configuration item's value to 1.
This is the default value.
To specify that emails to related change requestors should not include a table with the rule to be
removed, set the configuration item's value to 0.
For example, the following specifies that a table with the rule to be removed should not be included in
emails to related change requestors:
Set($ShowRuleInfoWhenNotifyRuleToRemove,0);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Change Requests Marked for
Future Recertification
When marking change requests for future recertification, the due date for the change request(s) is deferred to
365 days from the original due date, by default. If desired, you can change this default value.

To change the default due date for change requests marked for future recertification
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultExpirationPeriod, and set its value to the number of days after
the original due date that the change request should be due.
For example, to specify that the default due date for such requests should be 90 days after the original
due date, add the following item:
Set($DefaultExpirationPeriod,90);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Recertification Requests


When recertifying a change request that is due for recertification, the due date for the recertification request
is 14 days from the present date, by default. If desired, you can change this default value.

To change the default due date for recertification requests


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item RecertificationDaysToWaitForResponses, and set its value to the
number of days after change request creation that the change request should be due.
For example, to specify that the default due date for recertification requests should be seven days after
change request creation, add the following item:
Set($RecertificationDaysToWaitForResponses,7);
215

AlgoSec FireFlow

Release 6.3

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in


Flat Tickets
By default, FireFlow automatically includes all user-defined custom traffic fields (that is, custom fields
belonging to the following categories: additional for traffic, additional for source, additional for destination,
and additional for service) in the XML of a change request (a flat ticket). If desired, you can disable inclusion
of such fields in flat tickets.

To enable/disable inclusion of user-defined custom traffic fields in flat tickets


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item IncludeUserDefinedTrafficCustomFieldsInXML.
4 Do one of the following:
To disable inclusion of user-defined custom traffic fields in flat tickets, set the configuration item's
value to 0.
To enable inclusion of user-defined custom traffic fields in flat tickets, set the configuration item's
value to 1.
For example, the following disables inclusion of user-defined custom traffic fields in flat tickets:
Set($IncludeUserDefinedTrafficCustomFieldsInXML, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the List of User Properties


In order to display searches in the Requestors Web Interface, the GetRequestorSearches hook is used to
retrieve a list of the requestor's user properties as hash. By default, the following properties are included in
the list:

216

City
Country
EmailAddress
HomePhone
Id
Organization
RealName

Custom user fields. These fields will appear without spaces as hash keys. For example, a custom field
named "Custom Field" will appear as: "CustomField".

Chapter 16

Overriding FireFlow System Defaults

For example, the user properties hash translated to XML format may appear as follows:
<User>
<City></City>
<Country></Country>
<EmailAddress>requestor1@mycompany.com</EmailAddress>
<HomePhone></HomePhone>
<Id>6894</Id>
<Organization></Organization>
<RealName>Rachel Requestor</RealName>
<CustomField></CustomField>
</User>

If desired, you can modify the list of user properties.

To configure the list of user properties


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the following lines to the file:
# Set list of user columns that User::getUserAsHash should return (Relevant for
Hooks).
Set(@UserFieldsForHooksSearch,('Id', 'RealName', 'HomePhone', 'Organization',
'EmailAddress', 'City', 'Country'));

4 To add items to the user properties list, add the desired user properties to
@UserFieldsForHooksSearch, in single quotation marks, separated by commas.
You can add any of the properties listed in the following table.
For example, to include the user's nickname as a property, write:
Set(@UserFieldsForHooksSearch,('Id', 'RealName', 'HomePhone', 'Organization',
'EmailAddress', 'City', 'Country', 'Nickname'));

Note: You must use only supported properties. Otherwise, a warning will be written to the log and the
search will not be displayed.
5 To remove items from the user properties list, delete the relevant user properties from
@UserFieldsForHooksSearch.
6 Save the file.
7 Restart FireFlow.
See Restarting FireFlow (on page 11).
Supported User Properties
Property

Description

Address1

The requestor's primary mailing address.

Address2

The requestor's secondary mailing address.

AuthSystem

The type of authentication to use for the requestor.

City

The requestor's city.

217

AlgoSec FireFlow

Release 6.3

Comments

Comments about the requestor.

Country

The requestor's country.

Created

The date on which the requestor was added to FireFlow.

Creator

The user who added the requestor to FireFlow.

EmailAddress

The requestor's email address.

HomePhone

The requestor's home telephone number.

Id

The requestor's ID number.

Lang

The requestor's desired FireFlow interface language.

LastUpdated

The date on which the requestor's properties were last updated in


FireFlow.

LastUpdatedBy

The user who last updated the requestor's properties in FireFlow.

MobilePhone

The requestor's mobile telephone number.

Name

The requestor's username.

Nickname

The requestor's nickname.

Organization

The requestor's organization.

PagerPhone

The requestor's pager number.

Password

The requestor's password.

RealName

The requestor's full name.

Signature

The requestor's signature.

State

The requestor's state.

TimeZone

The requestor's time zone.

WorkPhone

The requestor's work telephone number.

Zip

The requestor's zip code.

Replacing the Logo


You can replace the logo that appears in the top-left corner of every FireFlow page.
Note: Replacing the logo by setting the FireFlow_SiteConfig.pm override file's LogoImageFileName
configuration itemthe method that was used until version 2.5is no longer supported, as of version 6.0. If
you used this method in the past, you must replace the logo once again, using the following method.

To replace the logo


1 Create a logo file.
The file must be in GIF, JPG, or PNG format, and it must be 115 pixels in width and 50 pixels in height.
It is important to use these exact dimensions, so that the logo image is not distorted.
2 Log into AlgoSec Firewall Analyzer (AFA).
For instructions, refer to the AlgoSec Firewall Analyzer User Guide.
3 In the toolbar, click Administration.

218

Chapter 16

Overriding FireFlow System Defaults

The Administration page appears with the Options tab displayed.

4 Click the Display tab.

219

AlgoSec FireFlow

The Display tab appears.

Select the Enable Custom Logo check box.


Click Browse and browse to the custom logo file.
Click Open.
Click OK.
The custom logo is uploaded.
A success message appears.
9 Click OK.
5
6
7
8

To remove a custom logo

1 In the toolbar, click Administration.


The Administration page appears with the Options tab displayed.
2 Click the Web GUI tab.
The Web GUI tab appears.
3 Clear the Enable Custom Logo check box.
4 Click OK.
The custom logo is removed, and the AlgoSec logo reappears in the Web interface.

Configuring FireFlow's Default Interface Language


FireFlow's default interface language is English. If desired, you can change the default language.

To configure FireFlow's default interface language


1 Log in to the FireFlow server using the username "root" and the related password.

220

Release 6.3

Chapter 16

Overriding FireFlow System Defaults

2 Under the directory /usr/share/fireflow/local/etc/site/, open


FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultLang, and set its value to the code for the desired language.
See the following table for language codes.
For example, to configure French as the default language, add the following item:
Set($DefaultLang, 'fr');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).
Language Codes
Language

Code

Chinese (PRC)

zh_CN

Chinese (Taiwan)

zh_TW

Croatian

hr

Czech

cs

Danish

da

Dutch

nl

English

en

Finnish

fi

French

fr

German

de

Hebrew

he

Hungarian

hu

Indonesian

id

Italian

it

Japanese

ja

Norwegian Bokmal

nb

Polish

pl

Portuguese

pt

Portuguese (Brazillian)

pt_BR

Russian

ru

Spanish

es

Swedish

sv

Turkish

tr

221

AlgoSec FireFlow

Release 6.3

Modifying FireFlow Interface Text


You can modify the text appearing in the FireFlow interface in the following ways:

Change the language


For example, you can change the interface language to French, Spanish, or any other language.
Change the wording
For example, you can change the name of the "Change Requests Waiting for User Accept" list to
"Change Requests Waiting to be Accepted".

To modify the FireFlow interface text


1 Under /usr/share/fireflow/local/po or /usr/share/fireflow/lib/RT/I18N, open the
*.po file of the language whose texts you want to translate or change.
2 In any text editor, create a language file encoded in UTF-8.
3 Add the following lines at the start of the new language file you created:
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

Note: These must be the first three lines of the file.


4 For each string you want to translate or change, copy the relevant msgid lines from the *.po file you
opened into the language file you created.
The msgid lines represent the original text.
5 In the language file you created, after each msgid line, add a msgstr line specifying the desired text.
For example, to translate the text on the No Change Record button into French, the file should include the
following lines:
msgid "No Change Record"
msgstr "Aucun enregistrement de modification"

To translate the Add More Files link to French, the file should include the following lines:
msgid "Add More Files"
msgstr "Ajouter d'autres fichiers"

You can also translate text that includes placeholders (in the format %x), by including the same
placeholders in the translation. For example:
msgid "Owner changed from %1 to %2"
msgstr "Propritaire chang de %1 en %2"

6 Close the original *.po file without saving changes.


7 Save the new file as XX.po, where XX is a two-letter abbreviation of the language used in the file or
some other indication of the file's use.
8 Log in to the FireFlow server using the username "root" and the related password.
9 Place the language file on the FireFlow server, under the directory
/usr/share/fireflow/local/etc/site/po/.
Note: You can use scp to copy the file from your own computer to the FireFlow server.
10 Restart FireFlow.
See Restarting FireFlow (on page 11).
222

Chapter 16

Overriding FireFlow System Defaults

FireFlow will refer to the new *.po file for strings. If a string does not appear in the file, FireFlow will
refer to the original English-language *.po file for the missing string.

Adding/Removing Standard NAT Fields in Change Requests


You can remove all standard NAT fields from change requests. The standard NAT fields include:

Source NAT
Destination NAT
NAT Type
Port Translation

Note: The following procedure will remove the standard NAT fields for all users except FireFlow
configuration administrators. If it is necessary to remove these fields for FireFlow configuration
administrators as well, contact AlgoSec Professional Services.

To add/remove standard NAT fields in change requests


1 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

2 For each of the NAT-related FireFlow fields listed in the table below, do the following:
a) Click FireFlow Fields.

223

AlgoSec FireFlow

The Select a FireFlow Field page appears.

b) Click on the field's name.


The Editing Custom Field page appears.

c) In the main menu, click Group Rights.


224

Release 6.3

Chapter 16

Overriding FireFlow System Defaults

The Modify group rights for custom field page appears.

d) In each user group's Current rights area, select the SeeCustomField and ModifyCustomField check
boxes.
Note: These check boxes might not appear for all user groups.
e) Click Submit.
NAT-related FireFlow Fields
FireFlow Field

Description

Change Destination NAT: Change


destination NAT

Displays the destination NAT value to which the connection's destination


should be translated, as planned during the Plan stage.

Change NAT Type: Change NAT


type

Displays the type of NAT (Static or Dynamic), as planned during the Plan
stage.

Change Port Translation: Change port Displays the port value to which the connection's port should be translated, as
planned during the Plan stage.
translation
Change Source NAT: Change source Displays the source NAT value to which the connection's source should be
NAT
translated, as planned during the Plan stage.
Requested Destination NAT:
Requested destination NAT

Displays the destination NAT value to which the connection's destination


should be translated, as specified in the original request.

Requested NAT Type: Requested


NAT type

Displays the type of NAT (Static or Dynamic), as specified in the original


request.

Requested Port Translation:


Requested port translation

Displays the port value to which the connection's port should be translated, as
specified in the original request.

225

AlgoSec FireFlow

Requested Source NAT: Requested


source NAT

Release 6.3

Displays the source NAT value to which the connection's source should be
translated, as specified in the original request.

Adding/Removing Optional NAT Fields in Change Requests


You can configure FireFlow to display separate fields for source NAT, destination NAT, and port
translation before and after translation. In this case, the existing Source NAT, Destination NAT, and Port
Translation fields will display the values before translation, and the following new fields will display the
values after translation:

Source after NAT


Destination after NAT
Port after Translation

The new NAT fields will appear below the standard NAT fields throughout the FireFlow Web interface, for
example in work orders or when editing a change request.

To add optional NAT fields


1 On the original site, open a terminal and log in using the username "root" and the related password.
2 Enter the following command:
/usr/share/fireflow/local/sbin/additional_NAT_fields.pl -e
The optional NAT fields are added to the FireFlow Web interface.

To remove optional NAT fields


1 On the original site, open a terminal and log in using the username "root" and the related password.
2 Enter the following command:
/usr/share/fireflow/local/sbin/additional_NAT_fields.pl -d
The optional NAT fields are removed from the FireFlow Web interface.

Configuring the Default Authentication Action


FireFlow enables you to specify the default authentication action used for Check Point devices. FireFlow
will display the configured authentication action in the Action field of work orders for Check Point-related
change requests.

To configure the default authentication action


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultAuthAction, and set its value to one of the following:
User Auth - User Authentication.
Session Auth - Session Authentication.
Client Auth - Client Authentication.
For example, to make the default User Authentication, add the following item:
Set($DefaultAuthAction, "User Auth");

4 Save the file.

226

Chapter 16

Overriding FireFlow System Defaults

5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling User Group Authentication during Initial Planning


By default, when the default authentication action used for Check Point devices is set to User
Authentication, FireFlow performs user group authentication during initial planning. If desired, you can
disable this.

To enable/disable user group authentication during initial planning


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ValidateUserInSource.
4 Do one of the following:
To enable user group authentication during initial planning, set the configuration item's value to 1.
To disable user group authentication during initial planning, set the configuration item's value to 0.
For example, the following enables user group authentication during initial planning:
Set($ValidateUserInSource,'1');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Handling of NAT-Only Traffic Changes


By default, if a traffic change request already works, it is automatically closed during initial planning. If
desired, you can configure FireFlow to keep the change request open, if it includes NAT fields. In addition,
when handling of NAT-only traffic changes is enable, you can configure FireFlow to display NAT
information in work orders and to use NAT information in risk checks.

To configure handling of NAT-only traffic changes


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item handleNATChanges.
4 Do one of the following:
To enable handling of NAT-only traffic changes, set the configuration item's value to 1.
To disable handling of NAT-only traffic changes, set the configuration item's value to 0. This is the
default value.
For example, the following enables handling of NAT-only traffic changes:
Set($handleNATChanges,'1');

5 If you enabled handling of NAT-only traffic changes, configure whether FireFlow should use NAT
information in risk checks, by doing the following:
a) Add the configuration item sendNATinformationInRiskCheck.

227

AlgoSec FireFlow

Release 6.3

b) Do one of the following


To enable using NAT information in risk checks, set the configuration item's value to 1.
To disable using NAT information in risk checks, set the configuration item's value to 0. This is
the default value.
For example, the following enables using NAT information in risk checks:
Set($sendNATinformationInRiskCheck,'1');

Note: When this feature is enabled, the Source NAT and Destination NAT fields will be used in risk
checks. However, if the optional Source after NAT field is enabled, it will be used instead of the Source
NAT field. Likewise, if the optional Destination after NAT field is enabled, it will be used instead of the
Destination NAT field. For information on these optional fields, see Adding/Removing Optional NAT
Fields in Change Requests (on page 226). If you enabled handling of NAT-only traffic changes,
configure whether FireFlow should display NAT information in work orders, by doing the following:
c) Add the configuration item showAllNatTable.
d) Do one of the following
To enable displaying NAT information in work orders, set the configuration item's value to 1.
To disable displaying NAT information in work orders, set the configuration item's value to 0.
This is the default value.
For example, the following enables displaying NAT information in work orders:
Set($showAllNatTable,'1');

6 Save the file.


7 Restart FireFlow.
See Restarting FireFlow (on page 11).

Automatically Sending Work Orders to an Implementation Team


Sometimes, changes on devices are implemented by a group of people who have no access to the FireFlow
system. In this case, you can configure FireFlow to automatically generate a work order in PDF format and
send it to the implementation team via email, each time a work order is created.

To automatically send work orders to an implementation team


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Enable generating work orders in PDF format, by doing the following:
a) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
b) Click Global.

228

Chapter 16

Overriding FireFlow System Defaults

The Admin/Global configuration page appears.

c) Click Scrips.
The Modify scrips which apply to all queues page appears.

d) Click 550 On completion of Create Work Order Create Summary PDF.


229

AlgoSec FireFlow

Release 6.3

The Modify a scrip that applies to all queues page appears.

e) In the Stage field, select TransactionCreate.


f) Click Update.
3 Enable automatic sending of emails with work orders in PDF format attached, by doing the following:
a) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
b) Click Global.
The Admin/Global configuration page appears.
c) Click Scrips.
The Modify scrips which apply to all queues page appears.
d) Click 560 On completion of Create Work Order Notify Work Order Recipient.
The Modify a scrip that applies to all queues page appears.
e) In the Stage field, select TransactionCreate.
f) Click Update.
4 To customize the email template used for sending work orders, do the following:
a) In the main menu, click Advanced Configuration.

230

Chapter 16

Overriding FireFlow System Defaults

The Advanced Configuration page appears.


b) Click Global.
The Admin/Global configuration page appears.
c) Click Email Templates.
The Modify email templates which apply to all queues page appears.
d) Click Notify Work Order Summary.
The Modify email template Notify Work Order Summary page appears.
e) Edit the email content as desired.
f) Click Update.
5 Configure the email recipient, by doing one of the following:
When customizing the email template as described in the previous step, type the desired address in
the To field.
Configure the relevant parameter, by doing the following:
1. Log in to the FireFlow server using the username "root" and the related password.
2. Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3. Add the configuration item WorkOrderRecipientEmail and set its value to the desired email
address.
For example, the following specifies that work order should be sent to
ImplementationGroup@mycompany.com:
Set($WorkOrderRecipientEmail, 'ImplementationGroup@mycompany.com');

4. Save the file.


5. Restart FireFlow.
See Restarting FireFlow (on page 11).
Note: If you configure the recipient email address using both methods, the address specified in the email
template will be used.

Reverting to System Defaults


To revert to the system defaults
1 Log in to the FireFlow server using the username "root" and the related password.
2 In the directory /usr/share/fireflow/local/etc/site/, remove the file
FireFlow_SiteConfig.pm.
3 In the directory /usr/share/fireflow/local/etc/site/po/, remove any *.po files.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).

231

CHAPTER 17

Importing User Data from an LDAP Server


If AlgoSec Firewall Analyzer is configured to authenticate users against an LDAP server (for example,
Microsoft Active Directory), you can configure AlgoSec Firewall Analyzer and FireFlow to import user
data from the LDAP server upon each login. For example, when a user logs in, FireFlow can import data
such as the user's telephone number.
AlgoSec Firewall Analyzer can import a user's full name, email address, and user role, while FireFlow can
import data for any user field that exists both in the LDAP server and in FireFlow. If you want to import an
LDAP field that does not exist in FireFlow, you can add a parallel custom field in FireFlow.
Note: Do not add custom fields that have the same name as an existing user field in FireFlow. Doing so will
cause importing data from the LDAP server to fail.
Note: Since data is imported only upon user login, the data stored for users who log in infrequently may be
outdated.
Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP
server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow
and assigned an AFA user role. In this case, the user will remain a requestor and not a privileged user,
regardless of the AFA user role assigned. For information on automatic creation of requestors upon login,
see Enabling/Disabling Automatic Creation of Requestors upon Authentication (on page 211).
Note: A requestor cannot be converted to a privileged user and vice versa, by changing the user's AFA user
role or FireFlow user group via LDAP. These roles are permanent.
Note: When a requestor is automatically created upon first login, and the
Note: If you configured the import of user data from an LDAP server in a FireFlow version prior to 6.1, you
must re-configure it using the following procedure.

To import data from an LDAP database


1 In AFA, configure LDAP user authentication.
You must select the Fetch user data from LDAP check box, complete the fields in the Mapping to LDAP
Fields area, and then restart FireFlow.
Refer to the AlgoSec FireFlow User Guide, Configuring User Authentication.
2 To enable importing AFA user roles, add or edit the desired roles.
You must fill in the Role LDAP DN field.
Refer to the AlgoSec Firewall Analyzer User Guide, Adding and Editing User Roles.
3 To enable importing FireFlow user groups, add or edit the desired user groups.
You must fill in the Group LDAP DN field.
See Working with User Groups (on page 29).
4 To import user fields from the LDAP server, which do not exist in FireFlow, do the following:
a) For each user field that exists in the LDAP server but not in FireFlow, add a custom user field in
FireFlow.
See Adding User-Defined Custom Fields (on page 44).
b) On the AFA server, open /home/afa/.fa/config.

233

AlgoSec FireFlow

Release 6.3

c) Add the attribute LDAP_AttrCustom.


d) Set this attribute's value to a list of custom FireFlow fields and the parallel LDAP fields in the
following format:
FF_CustField1,LDAP_Attr1;FF_CustField2,LDAP_Attr2;...

Where:
FF_CustFieldX - The name of a user field in FireFlow to which you want to import data. This
can be a a built-in field or a user-defined custom field.
LDAP_AttrX - The name of a user field in the LDAP server from which you want to import
data.
In order to map a user-defined custom field called "Department" to an LDAP attribute called
"department", set the following value:
LDAP_AttrCustom=Department,department

Note: In this example, the LDAP server field names are taken from Active Directory. If a different
LDAP server is used, the names must be changed accordingly.
e) Save the file.

234

CHAPTER 18

Integrating FireFlow with External


Change Management Systems
This section explains how to integrate FireFlow with an external Change Management System.

In This Chapter
Overview ............................................................................ 235
Integrating FireFlow via the REST Interface ..................... 235
Integrating FireFlow via a CMS's Web Service ................. 239
Integrating FireFlow via Email .......................................... 244

Overview
FireFlow can be integrated with an organization's main Change Management System (CMS), such as BMC
Remedy, HP Service Center and Service Manager (formerly Peregrine), and more. Communication between
the two systems can be based on the following protocols:

REST interface
The CMS can use the REST interface to create change requests in FireFlow via HTTP.
See Integrating FireFlow via the REST Interface (on page 235).
Web service
FireFlow can establish a uni-directional connection with a CMS's Web service. This enables FireFlow to
send the CMS requests to open a change request or update its status.
See Integrating FireFlow via a CMS's Web Service (on page 239).
Email
FireFlow can send email messages to the CMS and receive requests to open a change request or update
its status via email. If the CMS has these same capabilities, it is possible to achieve an email-based
integration.
Email is the easiest protocol to configure and allows for bi-directional communication.
See Integrating FireFlow via Email (on page 244).

Regardless of the protocol selected, integrating FireFlow with a CMS requires customization on both sides.

Integrating FireFlow via the REST Interface


FireFlow can be integrated with a CMS via the REST interface. The REST interface is an HTTP-based API
that can be used by the CMS to create change requests in FireFlow via HTTP.
If you need other assistance in using the REST interface, contact AlgoSec Professional Services.

235

AlgoSec FireFlow

Release 6.3

REST Interface Integration Steps


To integrate FireFlow with a CMS via the REST interface
1 Configure CMS authentication to FireFlow.
See Configuring Authentication to FireFlow (on page 236).
2 Use the CMS to create change requests in FireFlow as desired.
See Creating Change Requests via the REST Interface (on page 237).

Configuring Authentication to FireFlow


The REST interface does not support HTTP authentication. Therefore, in order for the CMS to authenticate
to FireFlow, the CMS must obtain a valid session token and then submit the session cookie with each
request. You can generate a session cookie by submitting the default login form with the username as the
"user" parameter and the password as the "pass" parameter.
For example, the following Perl code generates a session cookie:
my $is_cookie_exist = 0;
# first login to fireflow and create cookie
sub setCookie{
unless ($is_cookie_exist) {
log_print ("Info", "Trying to login to $FireFlow_URL/");
# initialize the usaragent and the cookie jar
$ua = LWP::UserAgent->new;
$ua->timeout($MaxHttpRequestTimeoutInSeconds);
$cookieJar = HTTP::Cookies ->new( ignore_discard => 1 );
$ua->cookie_jar($cookieJar);
# first go to the login page - just for getting the cookie
$response = $ua->post( $FireFlow_URL . '/');
if (!$response->is_success) {
log_print ("Error", "failed to connect to FireFlow server");
return $response;
}
# now login to FireFlow
$response = $ua->post( $FireFlow_URL . '/',
[ 'user' => $access_user,
'pass' => $access_password,
]
);
if (!$response->is_success) {
log_print ("Error", "failed to connect to FireFlow server");
return $response;
}
$is_cookie_exist = 1;
}
}

236

Chapter 18

Integrating FireFlow with External Change Management Systems

Creating Change Requests via the REST Interface


To create a new change request in FireFlow via the REST interface

On the FireFlow server, post the following:


on0 FireFlow/REST/1.0/ticket/new requestContent
Where requestContent contains the change request details in the following format:
key1: value1
key2: value2
...

For information on the available keys and their values, refer to the following table.
For example, you can create a change request by posting the following:
on0 /FireFlow/REST/1.0/ticket/new
Queue: 1
Requestor: req@algosec.com
Subject: Creating ticket via REST
CF.{Requested Source}: 1.1.1.1
CF.{Requested Source}: 2.2.2.2
CF.{Requested Destination}: 3.3.3.3
CF.{Requested Service}: ssh
CF.{Requested Service}: https
REST Change Request Creation Keys
Set this key...

To this value...

Requestor

The email address of the change requestor.


This key is mandatory.

Queue

The queue to which the change request belongs.


This key is mandatory.

Subject

A title for the change request.


This key is optional.

Status

The change request's status.


This key is optional.

Owner

The change request's owner.


This key is optional.

Due

The date by which this change request should be resolved, in the following format:
YYYY-MM-DD HH:MM:SS
This key is optional.

Priority

A number indicating this request's priority, where 0 indicates lowest priority.


This key is optional.

237

AlgoSec FireFlow

CF.{customField}

Release 6.3

The value of customField, which is a custom field supported by FireFlow.


You can create a change request key for any of the built-in custom fields listed in the
following table. For example, the following key specifies that the requested service
is SSH:
CF.{Requested Service}: ssh
In addition, you can create a change request key for a user-defined custom field
belonging to any the following categories: additional for object, additional for traffic,
additional for source, additional for destination, and additional for service. To do so,
use the following format:
CF.{__REQUESTED__fieldName}
Where fieldName is the name of the user-defined custom field. For example, the
following key specifies that the custom field "Application" is Syslog.
CF.{__REQUESTED__Application}: syslog
If desired, you can use the same custom field multiple times when creating a single
change request. For example, if you include all of the following keys, the change
request will have SSH, HTTPS, and TCP/7 as requested services:
CF.{Requested Service}: ssh
CF.{Requested Service}: https
CF.{Requested Service}: tcp/7
This field is optional.

REST Change Request Built-in Custom Fields


Set this custom field...

To this value...

Expires

The date on which this change request will expire, in the following format:
YYYY-MM-DD HH:MM:SS

Requested Source

The IP address, IP range, network, device object, or DNS name of the connection
source.

Requested Destination

The IP address, IP range, network, device object, or DNS name of the connection
destination.

Requested Service

The device service or port for the connection (for example "http" or "tcp/123").

Requested Action

The device action to perform for the connection. This can be either of the following:

Allow - Allow the connection.


Drop - Block the connection.

Requested Source NAT

The source NAT value, if the connections source should be translated.

Requested Destination NAT

The destination NAT value, if the connections destination should be translated.

Requested Port Translation

The port value, if the connections port should be translated.

Workflow

The change request's workflow.

Owning Group

The group to which the change request should be assigned.

Requested NAT Type

The type of NAT. This can have the following values:


Static
Dynamic

CMS ticket id

The ID number of a related change request in the CMS.

238

Chapter 18

Integrating FireFlow with External Change Management Systems

Firewall Name

The name of the device.

Form Type

The request template type. This can have the following values:
Object Change
Traffic Change
Generic Change

Requested Object Action

The requested action in an object change request. This can have the following values:
AddIPsToObject
RemoveIPsFromObject
NewObject
DeleteObject

Requested Object Name

The object's name in an object change request.

Requested IPs To Add

The IP addresses to add to an object in an object change request.

Requested IPs To Remove

The IP addresses to remove from an object in an object change request.

Requested Object Scope

The object scope in an object change request.

Integrating FireFlow via a CMS's Web Service


FireFlow can be integrated with a CMS via the CMS's Web service. A Web service is an API that can be
accessed and executed over the network, thus allowing FireFlow to perform remote operations on the CMS.
Supported operations are described in XML format in the Web service's WSDL (Web Services Description
Language) file, and FireFlow refers to this file when performing operations on the CMS.
FireFlow uses the Web service to perform the following operations:

Creating a change request


When a requestor opens a change request in FireFlow, FireFlow uses the Web service to create a new
change request in the CMS.
Updating a change request's status
At certain stages during the FireFlow change request lifecycle (for example, Approve and Resolve),
FireFlow uses the Web service to change the change request's status in the CMS.

If you are not sure whether your CMS includes a Web service and a WSDL file, or if you need other
assistance in integrating FireFlow with a Web service, contact AlgoSec Professional Services.

Web Service Integration Steps


To integrate FireFlow with a CMS via a Web service
1 Determine the full URL to the Web service's WSDL file.
2 Create a new directory under /usr/share/fireflow/local/WebServiceClient, and name it
after the Web service.
3 Use the following command to create Perl classes from the WSDL file:
wsdl2perl.pl -b /usr/share/fireflow/local/WebServiceClient/WebServiceName/ -p WebServiceName
WsdlUrl
Where:
239

AlgoSec FireFlow

Release 6.3

WebServiceName is the name of the Web service, and


WsdlUrl is the full URL to the Web service's WSDL file.
New directories are created under
/usr/share/fireflow/local/WebServiceClient/WebServiceName/. For example:
WebServiceNameAttr, WebServiceNameInterfaces, WebServiceNameTypes, and so on.
4 Use the examples located under /usr/share/fireflow/local/WebServiceClient/ to write a
Perl class that inherits from WebServices::Base and implements the following sub-routines:
getSOAPModule
getServerActionsForStatus
BuildParamsHashForAction
handleResponseHASH
5 Configure FireFlow to use a Web service.
See Configuring FireFlow to Use a Web Service (on page 240).

Configuring FireFlow to Use a Web Service


To configure FireFlow to use a Web service
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item WebServicesModule and set it to the name of the Perl class you created.
4 If the Web service requires authentication, do the following:
Add the configuration item WebServicesUsername and set it to the user name to use when
authenticating to the Web service.
Add the configuration item WebServicesPasswordEncrypted and set it to the password to use
when authenticating to the Web service.
5 Save the file.
6 Restart FireFlow.
See Restarting FireFlow (on page 11).
7 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
8 In the main menu, click Advanced Configuration.

240

Chapter 18

Integrating FireFlow with External Change Management Systems

The Advanced Configuration page appears.

9 At the top of the workspace, click Global.


The Admin/Global configuration page appears.

10 Click Scrips.

241

AlgoSec FireFlow

The Modify scrips which apply to all queues page appears.

11 Click 320 On Non Sub Ticket Create Notify WebService.

242

Release 6.3

Chapter 18

Integrating FireFlow with External Change Management Systems

The Modify a scrip that applies to all queues page appears.

12 In the Stage drop-down list, select TransactionBatch.


13 Click Update.
The Modify scrips which apply to all queues page reappears.
14 Click 330 On Non Sub Ticket Status Change Notify WebService.
The Modify a scrip that applies to all queues page appears.
15 In the Stage drop-down list, select TransactionCreate.
16 Click Update.

243

AlgoSec FireFlow

Release 6.3

Integrating FireFlow via Email


FireFlow can be integrated with a CMS via email. In this situation, when a requestor opens a change request
in the CMS, a new change request is automatically created in FireFlow. Network operations and information
security users can then work with the new change request, in the same way as they would work with a
change request that originated in FireFlow.
To ensure that a relationship is maintained between the original CMS change request and the new FireFlow
change request, the CMS passes the CMS change request ID number to FireFlow, and FireFlow passes the
FireFlow change request ID number to the CMS. This information is used to associate the CMS change
request and the FireFlow change request with each other.
At certain stages during the FireFlow change request lifecycle, most importantly when it is resolved,
FireFlow notifies the CMS of the change request's status change. Thus communication between the CMS
and FireFlow runs in both directions, as shown in the following table.
CMS

FireFlow

Create Change Request

Create Change Request

Notified

Approve Change Request

Notified and Closed

Resolve Change Request

The following example describes an email-based integration between FireFlow and BMC Remedy Change
Management Application.
Note: The instructions provided are specific to Remedy Action Request System 7.1.00 and may vary for
different Remedy versions.
For information on integrating FireFlow with other change management systems, contact AlgoSec.

Email Integration Steps


To integrate FireFlow with BMC Remedy via email
1 Prepare email addresses and a Remedy user.
See Preparation (on page 245).
2 Configure FireFlow for use with Remedy.
See Configuring FireFlow for Use with Remedy (on page 245).
3 Configure the Remedy incoming mailbox.
See Configuring the Remedy Incoming Mailbox (on page 246).
4 Configure the Remedy outgoing mailbox.
See Configuring the Remedy Outgoing Mailbox (on page 247).
5 Configure Remedy email security.
See Configuring Remedy Email Security (on page 248).
6 Configure the Remedy filter.
See Configuring the Remedy Filter (on page 249).

244

Chapter 18

Integrating FireFlow with External Change Management Systems

Preparation
Email Addresses
Use the table below to record email addresses used by both Remedy and FireFlow to receive change request
submissions and send change request updates.
FireFlow Email Address
Remedy Email Address

Remedy User
Create or select an existing Remedy user that will perform actions on behalf of FireFlow, then choose an
alpha-numeric string to serve as a security key for this user. Use the table below to record the user's
username, password, and security key.
Username
Password
Security Key

Configuring FireFlow for Use with Remedy


To configure FireFlow for use with Remedy
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ExternalCMSEmail, and set its value to the email address of the Remedy
Server to which FireFlow should send its emails, and which FireFlow should notify upon change request
closure.
For example:
Set($ExternalCMSEmail, 'remedy@my.organization.com');

To specify that FireFlow should not send email and notifications to the Remedy Server, leave this item
empty.
4 Add the configuration item ExternalCMSSenderEmails, and set its value to a space-separated list of
email addresses, from which the Remedy Server is expected to send emails to FireFlow upon change
request creation.
For example:
Set(@ExternalCMSSenderEmails, qw(remedy@my.organization.com
remedy-alias@my.organization.com));

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

245

AlgoSec FireFlow

7 Log in to FireFlow for advanced configuration purposes.


See Logging in for Advanced Configuration Purposes (on page 7).
8 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
9 At the top of the workspace, click Global.
The Admin/Global configuration page appears.
10 Click Scrips.
The Modify scrips which apply to all queues page appears.
11 Click 020 On Non Sub Ticket Create External Source Parse Text Fields From External System.
The Modify a scrip that applies to all queues page appears.
12 In the Stage drop-down list, select TransactionCreate.
13 Click Update.
The Modify scrips which apply to all queues page reappears.
14 Click 140 On Non Sub Ticket Close External Source Notify Other Recipients.
The Modify a scrip that applies to all queues page appears.
15 In the Email Template drop-down list, select Global template: Notify Remedy Ticket Close.
16 In the Stage drop-down list, select TransactionCreate.
17 Click Update.
The Modify scrips which apply to all queues page reappears.

Configuring the Remedy Incoming Mailbox


To configure the Remedy incoming mailbox
1 Open the BMC Remedy User.
2 Open the AR System Email Mailbox Configuration form in Search mode.
3 Choose the Incoming mailbox, and click the Advanced Configuration tab.

246

Release 6.3

Chapter 18

Integrating FireFlow with External Change Management Systems

The Advanced Configuration tab appears.

4 Configure the fields as follows:


In the Associated Mailbox Name list, select the name of the outgoing mailbox.
In the Email Action list, select Parse.
In the Reply With Result list, select No.
In the Enable Modify Actions list, select Yes.
In the Use Security Key list, select Yes.
In the Use Supplied User Information list, select Yes.
In the Use Email From Address list, select Yes.
Leave all other fields at their default settings.
5 Save your changes.

Configuring the Remedy Outgoing Mailbox


To configure the Remedy outgoing mailbox

1 Enter BMC Remedy User.


2 Open the AR System Email Mailbox Configuration form in Search mode.
3 Choose the Outgoing mailbox, and click the Advanced Configuration tab.

247

AlgoSec FireFlow

The Advanced Configuration tab appears.

4 Configure the fields as follows:


In the Associated Mailbox Name list, select the name of the incoming mailbox.
In the Delete Outgoing Notification Messages list, select No.
Leave all other fields at their default settings.
5 Save your changes.

Configuring Remedy Email Security


To configure Remedy email security

1 Enter BMC Remedy User.


2 Open the AR System Email Security form in Search mode.

248

Release 6.3

Chapter 18

Integrating FireFlow with External Change Management Systems

The form appears.

3 Configure the fields as follows:


In the Status list, select Enabled.
In the Key field, type the security key you prepared in Remedy User (on page 245).
In the User Name field, type the username you prepared in Remedy User (on page 245).
In the Force For Mailbox list, select No.
In the Force From Email Address list, select Yes.
In the Email Addresses field, type the FireFlow email address you prepared in Email Addresses (on
page 245).
Leave all other fields at their default settings.
4 Save your changes.

Configuring the Remedy Filter


When integrated with FireFlow, Remedy sends an email to FireFlow upon each change request submission.
The email serves two purposes:

When FireFlow receives the email, ticket creation is triggered.


When the ticket is resolved, FireFlow responds to this email, closing the original Remedy change.

In order to configure Remedy to send email upon change request submissions, you must specify a filter
using the following procedure.
Note: For more detailed instructions on how to configure Remedy for email integration, refer to the
Configuring the email engine for modify actions and Defining workflow to send email notifications
sections in the BMC Remedy Action Request System Administering BMC Remedy Email Engine
document. This document for version 7.0 is located here:
http://documents.bmc.com/supportu/documents/84/75/58475/58475.pdf

To configure Remedy filter

1 Enter BMC Remedy Administrator.


2 Create a new filter.

249

AlgoSec FireFlow

The Basic tab appears.

3 Configure the fields as follows:


In the Name field, type a name for the filter, for example "CHG:CreateFireFlowTicket".
In the Form Name area, select the CHG:Infrastructure Change check box.
In the Execute On area, select the Submit check box.
In the Run If area, type any qualification that fits all and only firewall change requests.
For example: 'Product Cat Tier 1(2)' = "Firewall".
Leave all other fields at their default settings.
4 Click the If Action tab.

250

Release 6.3

Chapter 18

Integrating FireFlow with External Change Management Systems

The If Action tab appears.

5 Configure the fields as follows:


In the New Action list, select Notify.
In the Text field, paste the exact text specified in Remedy Filter Text (on page 252).
In the User Name field, type the FireFlow email address you prepared in Email Addresses (on page
245).
In the Priority field, type the email's priority (between 1-10).
In the Mechanism list, select Email.
In the Fields tab, do the following:
In the Subject field, type a subject for the emails, such as "Request submitted by Remedy
$Infrastructure Change ID$".
In the Include Fields list, select Selected.
In the Fields area, select the following fields:
Description
Detailed Description
First Name
Infrastructure Change ID
Last Name
Middle Initial
Request ID
Submit Date
Submitter
In the Messages tab, in the Mailbox Name field, type the name of the outgoing mailbox.
Note: This field is required only if you are not using the default mailbox.

251

AlgoSec FireFlow

Release 6.3

Leave all other fields at their default settings.


6 Save your changes.

Remedy Filter Text


You must copy the following text verbatim into the Remedy filter in the BMC Remedy Administrator, in
order to enable FireFlow to close the Remedy change upon FireFlow ticket resolution.
The first paragraph can be modified, as it is meant for human readability only. The rest of the text includes
seven identical blocks that allow FireFlow to move the Remedy change throughout the full workflow until
Closed status, by responding to the email received from Remedy.
Replace <remedy server>, <username> and <password> with the relevant values for your installation.
This is an automatic email sent by BMC Remedy Change Management Application to notify that
change id $Infrastructure Change ID$ has been submitted.
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>

252

Chapter 18

Integrating FireFlow with External Change Management Systems

Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$

253

CHAPTER 19

Configuring the FireFlow Web Service


This section explains how to use the FireFlow Web service.

In This Chapter
Overview ............................................................................ 255
FireFlow Services ............................................................... 255
Data Types.......................................................................... 259

Overview
FireFlow has its own Web service. A Web service is an API that can be accessed and executed over the
network, thus allowing Web service clients, which are the machines used by authenticated FireFlow users, to
perform remote operations on the Web service server, which is FireFlow. Supported operations are
described in XML format in FireFlow's Web service's WSDL (Web Services Description Language) file,
available at https://<algosec_server>/WebServices/FireFlow.wsdl where
<algosec_server> is the AlgoSec server URL. Web clients refer to the WSDL file when performing
operations on FireFlow.

FireFlow Services
FireFlowAuthenticateRequest
Description
Authenticates a user.
Once authenticated, the client will receive a session identifier. This identifier will be required as proof of
authentication for future requests.

Header Elements
Element

Type

Mandatory

Description

version

String

Yes

The API version.

opaque

String

No

A value that will be echoed in the response.


This value must be maximum 1024 characters in
length.

255

AlgoSec FireFlow

Release 6.3

Message Elements
Element

Type

Mandatory

Description

username

String

Yes

The clients username.

password

String

Yes

The clients password in cleartext.

Returns
A FireFlowAuthenticationResponse response. See FireFlowAuthenticationResponse (on page
257).

FireFlowCreateTicketRequest
Description
Creates a new FireFlow change request.

Header Elements
Element

Type

Mandatory

Description

version

String

Yes

The API version.

sid

String

Yes

The clients session identifier.

onBehalfOf

String

No

The name of the user on whose behalf to act.


If acting on a user's behalf is not allowed, the
action will fail and the response will indicate the
reason.

opaque

String

No

A value that will be echoed in the response.


This value must be maximum 1024 characters in
length.

Element

Type

Mandatory

Description

template

String

Yes

The request template of the new change request.


In the current API version, this elament's value
must be Standard.

ticket

Ticket

Yes

A Ticket object. See Ticket (on page 259).

Message Elements

Returns
A FireFlowCreateTicketResponse response. See FireFlowCreateTicketResponse (on page 258).

256

Chapter 19

Configuring the FireFlow Web Service

FireFlowTerminateSessionRequest
Description
Terminates the current session.

Header Elements
Element

Type

Mandatory

Description

version

String

Yes

The API version.

sid

String

Yes

The clients session identifier.

opaque

String

No

A value that will be echoed in the response.


This value must be maximum 1024 characters in
length.

Message Elements
None.

Returns
A FireFlowTerminateSessionResponse response. See FireFlowTerminateSessionResponse (on
page 258).

FireFlowAuthenticationResponse
Description
The response to an authentication attempt.

Header Elements
Element

Type

Mandatory

Description

version

String

Yes

The API version.

opaque

String

No

A value that is echoed from the request.

Message Elements
Element

Type

Mandatory

Description

result

Integer

Yes

An indicator of the authentication's outcome. A


value of 1 indicates success.

sid

String

Yes

The session identifier.

message

String

No

A message describing the authentication's


outcome in English.

257

AlgoSec FireFlow

Release 6.3

FireFlowCreateTicketResponse
Description
A general response to various services.

Header Elements
Element

Type

Mandatory

Description

version

String

Yes

The API version.

opaque

String

No

A value that is echoed from the request.

Message Elements
Element

Type

Mandatory

Description

result

Integer

Yes

An indicator of the authentication's outcome. A


value of 1 indicates success.

message

String

No

A message describing the authentication's


outcome in English.

ticketId

Integer

Yes

The newly created change request's ID number.

FireFlowTerminateSessionResponse
Description
The response to the session termination request.

Header Elements
Element

Type

Mandatory

Description

version

String

Yes

The API version.

opaque

String

No

A value that is echoed from the request.

Message Elements
Element

Type

Mandatory

Description

result

Integer

Yes

An indicator of the authentication's outcome. A


value of 1 indicates success.

sid

String

Yes

The terminated session's identifier.

message

String

No

A message describing the authentication's


outcome in English.

258

Chapter 19

Configuring the FireFlow Web Service

Data Types
Ticket
Description
A FireFlow change request.

Elements
Element

Type

Mandatory

Description

owner

String

No

The email address of the change request owner.

requestor

String

Yes

The email address of the requestor.

cc

List of Strings

No

A list of email addresses to which the FireFlow


system should send copies.

subject

String

Yes

The change request's title.

due

String

No

The date by which this change request should be


resolved, in the format: date, GMT

expire

String

No

The date on which this change request will expire,


in the format: date, GMT

priority

Integer

No

A number indicating this request's priority, where


0 indicates lowest priority.

refersTo

Integer

No

The ID number of a change request to which this


change request refers.

referredBy

Integer

No

The ID numbers of a change request that refer to


this change request.

externalId

String

No

The ID number of an external system change


request to which this change request should be
linked.

devices

List of Strings

No

A list of device names, on which the change


should be made.

description

String

No

A free text description of the issue.

trafficLines

List of
TrafficLine
objects

No

A list of traffic tuples. See TrafficLine (on page


260).

customFields

List of
CustomField
objects

No

A list of custom fields. See CustomField (on page


261).

259

AlgoSec FireFlow

Release 6.3

TrafficLine
Description
A traffic tuple in a FireFlow change request.

Elements
Element

Type

Mandatory

Description

trafficSource

List of
TrafficAddres
s objects

Yes

A list of source IP addresses. See TrafficAddress


(on page 260).

trafficDestinat List of
ion
TrafficAddres
s objects

Yes

A list of destination IP addresses. See


TrafficAddress (on page 260).

trafficService

List of
TrafficServic
e objects

Yes

A list of traffic services. See TrafficService (on


page 261).

nat

TrafficNAT

No

NAT for the defined traffic. See TrafficNAT (on


page 261).

action

Integer

Yes

The device action to perform for the connection.


This can be either of the following:

1. Allow the connection.


0. Block the connection.

Note: All traffic tuples in a change request must


have the same action.
customFields

List of
CustomField
objects

No

A list of custom fields. See CustomField (on page


261).

TrafficAddress
Description
An address in a traffic tuple.

Elements
Element

Type

Mandatory

Description

address

String

Yes

The IP address, IP range, network, device


object, or DNS name of the connection source.

customFields

List of
CustomField
objects

No

A list of custom fields. See CustomField (on


page 261).

260

Chapter 19

Configuring the FireFlow Web Service

TrafficService
Description
A service in a traffic tuple.

Elements
Element

Type

Mandatory

Description

service

String

Yes

The device service or port for the connection (for


example "http" or "tcp/123").

customFields

List of
CustomField
objects

No

A list of custom fields. See CustomField (on


page 261).

TrafficNAT
Description
Network Address Translation (NAT) information for a traffic tuple.

Elements
Element

Type

Mandatory

Description

source

String

Yes

The source NAT value after translation.

destination

String

Yes

The destination NAT value after translation.

port

String

Yes

Type the port value after translation.

type

Integer

No

The type of NAT. The possible values are:

0. Static NAT.
1. Dynamic NAT.

CustomField
Description
A custom field in a FireFlow change request.

Elements
Element

Type

Mandatory

Description

Key

String

Yes

The custom field's name.

value

String

Yes

The custom field's value.

261

CHAPTER 20

Using the AlgoSec FireFlow Copy


Customization Utility
AlgoSec FireFlow includes a copy customization utility that can be used to copy user customizations
between sites. This section explains how to use this utility.

In This Chapter
Overview ............................................................................ 263
Creating a Customizations File .......................................... 266
Loading a Customizations File to the Target Site .............. 267

Overview
The AlgoSec FireFlow copy customization utility can be used to copy the following user customizations
between sites:

Database entities
Configuration files
Translation files
Scripts for uploading change requests from file
Hook files
Web Service clients

Database Entities
The utility copies the following database entities:

Queues
The following information is copied for each queue:
Description
CorrespondAddress
CommentAddress
InitialPriority
FinalPriority
DefaultDueIn
SubjectTag
Disabled
Attributes: AdminGroupID, SecurityGroupID, NetworkGroupID, ReadOnlyGroupID,
ControllersGroupID (according to the ID of the created groups)

263

AlgoSec FireFlow

Release 6.3

Note: If a queue's name is changed on the original site, the utility will create both a queue with the
original name and a queue with the new name on the target site.

Groups
The following information is copied for each group:
Description
Disabled
Global rights, including rights for roles
Queue rights per queue, including rights for roles
Group rights
Home Page settings
The group's membership in other groups
Note: When updating FireFlow, global rights, queue rights, and group rights that are not in a
customization file will be revoked.
Note: If a group's name is changed on the original site, the utility will create both a group with the
original name and a group with the new name on the target site.
Note: Since the utility does not copy users and their group memberships, it will be necessary to define
the users as members of the new group on the target site.

Custom fields
All custom fields are copied, including those for change requests, users, and groups.
The following information is copied for each custom field:
Description
DisplayName
Type
ValuesClass
LookupType
Pattern
LinkValueTo
IncludeContentForValue
Category
DefaultValue
Disabled
HideIfEmpty
Note: When updating FireFlow, custom fields that do not appear in the customization file will be
removed. Furthermore, custom fields referring to queues, system group rights, or user-defined group
rights that do not appear in the customization file will be removed.
Note: If a custom field's name is changed on the original site, the utility will create both a custom field
with the original name and a custom field with the new name on the target site.

264

Request templates
The following information is copied for each request template:
Description
All defined values

Chapter 20

Using the AlgoSec FireFlow Copy Customization Utility

Note: If a request template's name is changed on the original site, the utility will create both a template
with the original name and a template with the new name on the target site.
Note: Request templates cannot be disabled; therefore, the utility will not remove them from the target
site.

Email templates
All email templates are copied, including both global and per queue.
The following information is copied for each email template:
Name
Description
Content
Note: Email templates cannot be disabled; therefore, the utility will not remove them from the target site.

Scrips
All scrips are copied, including both global and per queue.
The following information is copied for each scrip:
Description
Stage
CustomIsApplicableCode (in case of a user-defined condition)
CustomPrepareCode (in case of a user-defined action)
CustomCommitCode (in case of a user-defined action)
ScripAction name
ScripCondition name
Email Template name
Note: FireFlow scrips have no name; therefore, if two scrips have the same description, only one of them
will be updated.

Saved searches
Global Home Page settings

Configuration Files
The utility copies the following configuration files:

The workflow configuration file


/usr/share/fireflow/local/etc/site/Workflows_Config.xml

The utility overwrites this file on the target site.


All workflow files located under /usr/share/fireflow/local/etc/site/Workflows/
The utility overwrites everything in this folder on the target site.
The suggested source/destination addresses list
/usr/share/fireflow/local/etc/site/SuggestedAddressObjects_Config.xml

The utility overwrites this files on the target site.


The FireFlow site configuration file
/usr/share/fireflow/local/etc/site/FireFlow_SiteConfig.pm

265

AlgoSec FireFlow

Release 6.3

The utility adds all parameters in the file that do not include the words Email, Password, Address, or
FAUser to the the parallel file on the target site, that is, all user and password-related parameters are not
copied. Other parameters are updated or added to the end of the file on the target site.
The file on the original site is backed up before it is edited.

Translation Files
The utility copies all translation files located under /usr/share/fireflow/local/etc/site/po.

Upload Change Requests from File Scripts


The utility copies all scripts for uploading change requests from file, located under
/usr/share/fireflow/local/etc/site/bin.

Hook Files
The utility copies all hook files and related configuration files located under
/usr/share/fireflow/local/Hooks and /usr/share/fireflow/local/etc/site/Hooks.

Web Service Clients


The utility copies all Web service clients located under
/usr/share/fireflow/local/WebServiceClient/. It overwrites everything in this folder on the

target site.

Creating a Customizations File


In order to copy customizations from the original site to a target site, you must create a customizations file
using the following procedure.

To create a customizations file


1 On the original site, open a terminal and log in using the username "root" and the related password.
2 Enter the following command:
/usr/share/fireflow/local/sbin/copy_fireflow_customization.pl --run -d -f CustFile [-e]
For information on the command's flags, see the following table.
A customizations file is created containing the data described in Overview (on page 263), and saved to
the current directory.
Customizations Utility Flags
Flag

Description

-f CustFile

The name under which to save the customizations file.


The default value is
user_customizations_yyyy-mm-dd-hhmmss.tar.gz, where

266

Chapter 20

Using the AlgoSec FireFlow Copy Customization Utility

yyyy-mm-dd-hhmmss is a timestamp. For example:


user_customizations_2010-09-07-091318.tar.gz
Do not include disabled groups and disabled custom fields in the customizations file.

-e

Loading a Customizations File to the Target Site


Once you have created a customizations file, you can load it to the target site.

To load a customizations file to the target site


1 On the target site, open a terminal and log in using the username "root" and the related password.
Important: The "root" user must have read permissions for the customizations file; otherwise, loading the
file will fail.
2 Enter the following command:
/usr/share/fireflow/local/sbin/copy_fireflow_customization.pl --run -l -f CustFile [-u] [-r]
For information on the command's flags, see the following table.
The fireflow_backup utility runs and backs up FireFlow to the directory
/var/fireflow/backup.
Apache Web service and FireFlow workers both stop.
The customizations file is loaded to the target site. Data is overwritten and/or added as described in
Overview (on page 263).
Apache Web service restarts.
FireFlow workers start automatically every 5 minutes, as configured on the servers cron.
3 Refresh the workflows, by doing the following:
a) Access VisualFlow.
See Accessing VisualFlow (on page 74).
b) In the VisualFlow main menu, click Workflow Installation.
The Workflow Installation page appears.
A confirmation message appears.
c) Click OK.
d) Click Refresh Workflows.
The workflows are loaded into FireFlow.
Customizations Utility Flags
Flag

Description

-f CustFile

The name of the customizations file to load.


Note: The file must be located in the current directory.

-u

Update existing elements on the target site with data from the customizations file.
If this flag is not used, only new elements will be added.

-r

Remove database entities that do not appear in customizations file from the target site.
The entities will be marked as disabled.

267

Index
A
About VisualFlow 73
Accessing Online Help 78
Accessing VisualFlow 74, 136, 137, 139, 267
Action Condition Syntax 102, 105, 164
Action Tag Attributes 146, 149, 165
Adding Actions 95, 136, 137, 138, 140, 141
Adding Parallel Action Logic 103, 126
Adding SLA Notifications 189
Adding SLOs 129
Adding Statuses 87, 137, 139
Adding the 22, 23
Adding User Groups 29, 139
Adding User-Defined Custom Fields 44, 233
Adding Workflows 78, 136, 137, 139, 146
Adding/Removing Optional NAT Fields in
Change Requests 226, 228
Adding/Removing Standard NAT Fields in
Change Requests 223
Advanced Configuration Options 2
Advanced Configuration Tools 3
Assigning Global and Queue Rights to User
Groups 31, 33, 35
Automatically Sending Work Orders to an
Implementation Team 228

C
Comprehensive Example 86, 126, 146, 176
Condition Tag Attributes and Syntax 163
Condition Tag Syntax 144, 145
Configuration Files 265
Configuration Options 1
Configuring a Group's Global and Queue Rights
35, 139, 141
Configuring Authentication to FireFlow 236
Configuring Automatic Approval of Minor Rule
Changes 212
Configuring Automatic Initial Planning 205
Configuring Change Request Creation from File
2, 61, 62
Configuring FireFlow for Use with Remedy
244, 245
Configuring FireFlow to Use a Web Service 240
Configuring FireFlow's Default Interface
Language 220

Configuring Global Built-in Rights for Groups


178
Configuring Global Built-in Rights for Users
181
Configuring Global Rights for Groups 35, 178
Configuring Global Rights for Users 178, 181
Configuring Global User-Defined Rights for
Groups 181
Configuring Global User-Defined Rights for
Users 182
Configuring Group Rights for Custom Fields
31, 33, 36
Configuring Group Rights for FireFlow Fields
36, 39, 44
Configuring Group Rights for User-Defined
Custom Fields 36, 37, 43, 46
Configuring How Long the Device Objects List Is
Stored in Cache 214
Configuring Queue Built-in Rights for Groups
183
Configuring Queue Built-in Rights for Users
186
Configuring Queue Rights for Groups 35, 178,
183
Configuring Queue Rights for Users 178, 186
Configuring Remedy Email Security 244, 248
Configuring the 213
Configuring the Change Request History Order
200
Configuring the Date Format 210
Configuring the Default Authentication Action
226
Configuring the Default Due Date for Change
Requests Marked for Future Recertification
215
Configuring the Default Due Date for
Recertification Requests 215
Configuring the Default Due Date for Rule
Removal Requests 213
Configuring the FireFlow Web Service 3, 255
Configuring the Handling of NAT-Only Traffic
Changes 227
Configuring the List of User Properties 172, 216
Configuring the Maximum Rows Displayed in
Auto Matching Page Sub-Lists 201

AlgoSec FireFlow

Configuring the Maximum Rows Displayed in


Home Page Lists 200
Configuring the No-Login Web Form's Requestor
Field as Read-Only 212
Configuring the Order of User-Defined Custom
Fields 52
Configuring the Remedy Filter 244, 249
Configuring the Remedy Incoming Mailbox
244, 246
Configuring the Remedy Outgoing Mailbox
244, 247
Configuring the Risk Check Method for Change
Requests with Multiple Devices 207
Configuring the Time Frame for Items Displayed
in Auto Matching Page Lists 201
Configuring Whether Emails to Related Change
Requestors Include the Rule to be Removed
214
Configuring Whether the Standard Template
Appears in the Request Templates Page 210
Configuring Whether Traffic Fields Are
Mandatory 203
Configuring Work Order Creation for 204
Consulting Log Files 4
Contacting Technical Support 5
Controlling Whether Wizard Tabs Appear 57
Controlling Whether Wizard Tabs Appear for
Privileged Users and Requestors 57
Controlling Whether Wizard Tabs Appear in the
No-Login Form 57, 60
Creating a Customizations File 266
Creating Change Requests via the REST
Interface 236, 237
CustomField 259, 260, 261
Customizing Pre-defined Search Results 13, 22
Customizing the Appearance of Pre-defined
Search Results 22
Customizing the Common Services List 56
Customizing the FireFlow Home Page 2, 13
Customizing the Home Page Globally 13, 14
Customizing the Home Page per Group 13, 18,
31, 33, 92, 160, 206
Customizing the Source, Destination, and Service
Wizards 2, 55
Customizing the Suggested Sources/Destinations
List 55

D
Data Types 259
Database Entities 263

Release 6.3

Deleting Actions 94, 128, 136, 138, 141


Deleting SLA Notifications 197
Deleting SLOs 132
Deleting Statuses 94
Deleting Workflows 133, 165
Disabling Change Request Creation from File
64
Disabling Privileged Users 25
Disabling User Groups 41
Disabling User-Defined Custom Fields 51
Disabling Workflows 165
Discarding Workflow Changes 73, 135

E
Editing Actions 127, 136, 138, 140
Editing FireFlow Fields 49
Editing SLA Notifications 194
Editing SLOs 94, 132
Editing Statuses 93
Editing the Workflow Configuration File 143,
147
Editing User Groups 32
Editing User-Defined Custom Fields 49
Editing Workflows 87, 136, 137, 139
Email Addresses 245, 249, 251
Email Integration Steps 244
Enabling Privileged Users 27
Enabling User Groups 41
Enabling User-Defined Custom Fields 51
Enabling/Disabling Automatic Creation of
Requestors upon Authentication 211, 233
Enabling/Disabling Inclusion of User-Defined
Custom Traffic Fields in Flat Tickets 106,
108, 113, 115, 216
Enabling/Disabling Multiple Traffic Rows in
Change Requests 202
Enabling/Disabling Sub-Request Traffic
Modification 203
Enabling/Disabling Traffic Field Validation
203, 204
Enabling/Disabling Translation of Object IP
Addresses and Ports in Work Orders 205
Enabling/Disabling User Group Authentication
during Initial Planning 227
Example
Adding Another Approve Stage 139
Allowing the Network Group to Approve
Change Requests 137
Removing the Notify Requestor Stage 136
Examples 136

Chapter 20

Exiting VisualFlow 78

F
FireFlow Advanced Configuration 1
FireFlow Services 255
FireFlowAuthenticateRequest 255
FireFlowAuthenticationResponse 256, 257
FireFlowCreateTicketRequest 256
FireFlowCreateTicketResponse 256, 258
FireFlowTerminateSessionRequest 257
FireFlowTerminateSessionResponse 257, 258
Flat Ticket Example 69, 105, 116, 169, 170,
171, 174, 175, 176
Flat Ticket Nodes 105, 106

G
GetExternalRisks 169
GetFirewallGroupName 170
GetRealGroupName 171
GetRequestorSearches 172
Getting Started with VisualFlow 74
GetWorkFlowName 174

H
Hiding Change Request Fields 202
Hook Files 266
Hook Functions 168, 169

I
Importing User Data from an LDAP Server 3,
211, 233
Installing Workflows 73, 134, 136, 139, 141
Integrating FireFlow via a CMS's Web Service
235, 239
Integrating FireFlow via Email 235, 244
Integrating FireFlow via the REST Interface
235
Integrating FireFlow with External Change
Management Systems 3, 235
Introduction 1

L
Loading a Customizations File to the Target Site
267
Logging in for Advanced Configuration Purposes
3, 7, 14, 18, 22, 23, 25, 27, 29, 32, 33, 35, 41,
44, 49, 51, 52, 57, 66, 74, 136, 137, 139, 178,
181, 183, 189, 194, 196, 197, 228, 240, 246

Index

M
Managing Email Subscriptions to SLA
Notifications 196
Managing Group Members 31, 33
Modifying Email Templates 66
Modifying FireFlow Email Templates 2, 65
Modifying FireFlow Interface Text 3, 222
Modifying Workflows 164

O
Overriding FireFlow System Defaults 2, 199
Overriding Specific System Default Settings
199, 200
Overriding System Default Settings 60, 199
Overview 13, 43, 61, 65, 71, 133, 143, 167, 177,
189, 235, 255, 263, 266, 267

P
Preparation 244, 245

R
Remedy Filter Text 251, 252
Remedy User 245, 249
Reordering Actions 128, 137, 140
Reordering Statuses 94, 137, 140
Reordering Workflows 133
Replacing the Logo 2, 218
REST Interface Integration Steps 236
Restarting FireFlow 4, 11, 56, 60, 63, 64, 127,
135, 136, 139, 141, 144, 147, 165, 166, 168,
199, 200, 201, 202, 203, 204, 205, 207, 210,
211, 212, 213, 214, 215, 216, 217, 221, 222,
227, 228, 231, 240, 245
Reverting to System Defaults 231
Reverting to the System Default Workflow via
XML 166

S
Setting the Default Workflow 133
Status Tag Attributes 146, 160, 165
SuggestCommentSuffix 174
SuggestHostName 175
Supported Boolean Operators 81, 86, 106, 126,
145
Supported Comparison Operators 106, 125
Supported Fields 81, 145

T
The VisualFlow User Interface 75

AlgoSec FireFlow

Ticket 256, 259


TrafficAddress 260
TrafficLine 259, 260
TrafficNAT 260, 261
TrafficService 260, 261
Translation Files 266

U
Upload Change Requests from File Scripts 266
Using Hooks 2, 167
Using Hooks to Control Parameters 167
Using the AlgoSec FireFlow Copy Customization
Utility 263

V
ValidateTicket 175
ValidateWorkOrderEdit 176
Viewing Individual Workflows' XML Files 134
Viewing the Workflow Configuration File 134
Viewing the Workflow XML 134
Viewing Workflow Layouts 75, 76

W
Web Service Clients 266
Web Service Integration Steps 239
Workflow Condition Syntax 81
Workflow Configuration File Structure 134,
144
Workflow File Structure 134, 146, 148
Workflow Tag Attributes 143, 144, 147
Working with Actions 80, 87, 95
Working with Custom Fields 1, 37, 43
Working with Rights 2, 172, 177
Working with SLA Notifications 1, 129, 189
Working with SLAs 80, 87, 129
Working with Statuses 80, 87
Working with User Groups 1, 29, 233
Working with Users 25
Working with Workflows in VisualFlow 2, 32,
71, 143, 181, 183
Working with Workflows via XML 2, 73, 143

Release 6.3