Firewall rule requests using agentic workflows
The Firewall Management Task Creation agentic workflow provides a path to request one or more firewall rules through natural language prompts in the Now Assist panel.
Multiple rule configuration support
You can request multiple firewall rule configurations in a single conversation with the agentic workflow. The workflow parses each rule individually, evaluates conformance for each one, and creates one parent firewall task with individual configuration tasks for all rules. This approach reduces the number of tasks to track and simplifies the approval process.
Risk analysis and conformance checking
The workflow reads your natural-language request, extracts the required parameters—source IP, destination IP, protocol, traffic direction, action, and conformance type—and prompts you for any values you did not provide. Before creating a rule task, the workflow runs a risk analysis based on the request data and the specified conformance framework. When you request multiple rules, the workflow provides individual conformance feedback for each rule, such as "Out of 3 rules, 2 are non-conforming, 1 is conforming." The risk analysis returns one of three levels:
- Low: The workflow creates the rule task and attaches the risk analysis.
- Medium or High: The workflow reports the risk level in the Now Assist panel and asks whether you want to continue. You can choose to proceed with all rules or select specific ones. If you confirm, the workflow creates the rule task and attaches the risk analysis. If you decline, the workflow skips task creation. The created task includes the AI assessment so the approver can evaluate the risk.
Workflow process
Request firewall rules using agentic workflow
Use the Firewall Management Task Creation agentic workflow to request one or more firewall rules through natural language prompts in the Now Assist panel.
Before you begin
- Install and configure the Firewall Audits and Reporting application.
- Install the AI Agents for Discovery plugin. This plugin is part of the AI Agent Bundle and requires a separate subscription.
- Discover the Panorama firewall managers and devices, and verify that Discovery has populated the Panorama Firewall Address Objects table.
Role required: firewall_admin
About this task
You can request multiple firewall rule configurations in a single conversation. The workflow creates one parent firewall task with individual configuration tasks for each rule. For information about how the workflow evaluates risk and determines whether to create a rule task, see Firewall rule requests using agentic workflows.
Procedure
Approve firewall rule requests
Review AI-generated firewall rule requests, evaluate risk analysis, and approve or reject requests with device group assignment.
Before you begin
Role required: none. Approval access is granted to members of the approval group specified on the rule task. The admin user can edit the approver list on the rule task.
About this task
A firewall rule task can contain multiple rule configurations, each represented as an individual configuration task under the parent task. Requests created from the agentic workflow include an AI assessment that summarizes each rule request and indicates whether the request is good to approve. Approvers can use this assessment instead of manually evaluating each parameter. Before approval, the workflow posts a chat message indicating that the device group can't be automatically determined. A device group is a logical bundle of devices on which the rule is created. The approver, who is familiar with the firewall infrastructure, must specify the device group on which to apply the rule.
Procedure
Result
If the configuration tasks are approved:
- The Firewall Audits and Reporting application verifies whether each requested rule already exists on Panorama.
- For rules that don't exist, the assignment group works on the request and marks the configuration tasks Close Complete.
- A change request is created with an implementation plan that contains the source IP, destination IP, traffic flow, action, port, protocol, and device group for all approved rules.
Implement firewall rules on Panorama
Automatically implement approved firewall rules on Panorama servers through the change management process.
Before you begin
Role required: none. Implementation access is granted to members of the assignment group on the change request.
About this task
When a firewall rule task contains multiple rule configurations, each configuration is validated individually as a subtask. If a rule already exists on the Panorama server, the configuration task is marked as Closed Incomplete with a work note indicating the rule was not recreated. If a rule does not exist, the configuration task proceeds to the approval and implementation process.
The instance calls a REST API to create and commit the rule, so the assignment group does not have to log in to Panorama manually. When the request is created from the Service Catalog instead of the agentic workflow, the implementation step is not automated. In that case, a member of the assignment group must log in to Panorama, create the rule manually, and mark the change request as Review.
Procedure
Result
All approved rules are created and committed on the Panorama server for the specified device group. The work notes on the change request confirm the result for each rule and include the rule names.