Firewall rule requests

  • Release version: Zurich
  • Updated July 31, 2025
  • 1 minute to read

    • Use Service Catalog to request new firewall policies and rules.

    Figure 1. Firewall rule request workflow
    Request new firewall rule

    Request new firewall rule

    Request a new firewall rule using the Service Catalog to manage various IP addresses, enhance network security, and accommodate evolving business requirements.

    Before you begin

    Ensure that the Firewall Audits and Reporting catalog is enabled.

    Role required: firewall_admin

    About this task

    Administrators initiate tasks, which are automatically directed to the risk team for assessment and approval. Following approval, firewall admins implement these changes through automated workflows.

    Procedure

    1. Navigate to All > Service Catalog > Firewall Rules.
    2. Select Request Firewall Rule.
      Figure 2. Request Firewall Rule
      Request firewall form.
    3. Enter the appropriate information for the following mandatory fields:
    • Source IP address
    • Destination IP address
    • Assignment Group

      Must have the sn_disco_firewall.firewall_user role.

    • Approval Group

      Must have the approver_user role.

    1. Enter or select any required details.
    2. Select Submit.
      The firewall rule task is created.

    What to do next

    Verify the new rule task. Navigate to Rule Requests > Rule Requests Task. Your request should be visible in the list.

    Approve firewall requests

    Approval of firewall requests gives you controlled access and compliance. Members of the approver group can review and approve firewall audits and new firewall requests.

    Before you begin

    Role required: Members of the specified approver group approval_group specified in the rule task. The admin user can edit the approvers list in the Rule Request Task.

    Procedure

    1. Navigate to All > Self Service > My Approvals.
    2. Select the green checkmark to approve.

    Result

    • The Assignment group works on the request and marks it as Close Complete.
    • Once the assignment_group marks the request Close Complete, if the change request plugin is activated, a background sub-flow creates a change request.
      Note:
      The change request is created only if the rule task is Approved and in Close Complete state.
    The Firewall rule task security policy M2M corresponds to the related list Security policies in Rule task. Firewall administrators can add description or tag fields in a security policy on a Panorama device. They can also add firewall rule task numbers or change request numbers while creating or modifying security policies on Panorama. When the next discovery runs, the M2M table populates the mapping between:
    • Firewall rule task and firewall security policy
    • Firewall security policy and business service if the business service is provided during the Firewall rule task request