Why Restrictions on Firewall tables?

Suggy
Giga Sage

Why Firewalls related tables like

'Palo Alto Firewall Devices' [cmdb_ci_firewall_device_palo_alto]

Cisco Firewall Devices [cmdb_ci_firewall_device_cisco]

We want to create a few firewalls in those tables, but the NEW button is disabled OOTB.

We want to delete a few entries, but the Delete option is disabled.

We wanted to see the audit (History -> List), but audit is disabled.

Why so?

PS - It's a new customer instance. Same behavior in all instances.


M Iftikhar
Mega Sage

Hi @Suggy,

The Palo Alto Firewall Device table (cmdb_ci_firewall_device_palo_alto) and Cisco Firewall Device table (cmdb_ci_firewall_device_cisco) are vendor-specific extension tables that extend from the Firewall Device table. These tables are designed to be populated automatically by Discovery, using the respective vendor's Discovery pattern, which is why the New/Delete and Audit options are disabled out-of-the-box.


I found these official community docs, which may help you:
https://www.servicenow.com/docs/bundle/zurich-it-operations-management/page/product/service-mapping/...

https://www.servicenow.com/docs/bundle/xanadu-it-operations-management/page/product/service-mapping/...

I also found a similar scenario question discussed in the community:
https://www.servicenow.com/community/developer-forum/new-button-missing-on-newly-created-ci-class/m-...


Thanks & Regards, 
Muhammad Iftikhar 

If my response helped, please mark it as the accepted solution so others can benefit as well.


@M Iftikhar There are several tables which Discovery populates.

Tables like Applications, Software Installations etc. are all meant to be populated by Discovery, but we still have the option of manually creating the CIs on those tables.

Why is this restriction there exclusively for this firewall class? That's my question.

And why is AUDIT disabled? That's a basic function required.

@Suggy I investigated the technical details behind both restrictions you mentioned:

Delete Functionality: Delete access is disabled at the table definition level. The cmdb_ci_firewall_device_palo_alto table has "Can delete" set to false in the database schema. This prevents deletion to protect network topology integrity and Discovery correlation.

Audit Functionality: I checked the data dictionary for this table and found that audit is set to "false" for all fields. This is out-of-the-box behavior from ServiceNow - the table schema itself disables change tracking.

Why These Restrictions Exist: Both limitations stem from the table being part of the "CMDB CI Class Models" application, designed specifically for Discovery automation. Unlike general application tables, firewall device tables:

  • Maintain complex CI relationships (Network Adapters, IP Addresses, Router Interfaces)
  • Are populated by specialized Discovery patterns via SNMP
  • Require network topology data integrity

My Perspective: Based on the technical evidence, these appear to be intentional design decisions by ServiceNow rather than bugs. The restrictions are built into the table architecture to support Discovery workflows rather than manual CMDB administration.

 

Recommendation: For the definitive business reasoning behind these design choices, I'd suggest opening a case with ServiceNow Support. They can provide official clarification on whether these restrictions can be safely modified and the specific rationale behind the audit limitation.

The technical evidence shows these are deliberate architectural choices, but ServiceNow Support would have the authoritative explanation.


If you believe the solution provided has adequately addressed your query, could you please mark it as 'Helpful' and 'Accept it as a Solution'? This will help other community members who might have the same question find the answer more easily.

Thank you for your consideration.

Selva Arun

Suggy
Giga Sage

Hello, anyone?