Firewall rule requests

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    • Use Service Catalog to request new firewall policies and rules.

    Figure 1. Firewall rule request workflow
    Request new firewall rule

    Request new firewall rule

    Request a new firewall rule using Service Catalog to manage various IP addresses and enhance network security and accommodate evolving business requirements.

    Before you begin

    Ensure that the Firewall Audits and Reporting catalog is enabled.

    Role required: firewall_admin

    About this task

    Administrators initiate tasks, which are automatically directed to the risk team for assessment and approval. Following approval, firewall admins smoothly implement changes, all orchestrated through automated workflows.

    Procedure

    1. Navigate to All > Service Catalog > Firewall Rules.
    2. Select Request Firewall Rule.
      Figure 2. Request Firewall Rule
      Request firewall form.
    3. Enter the appropriate information for the following mandatory fields.
    • Source IP address
    • Destination IP address
    • Assignment Group

      Must have the sn_disco_firewall.firewall_user role.

    • Approval Group

      Must have the approver_user role.

    1. Enter or select any details that is required.
    2. Select Submit.
      The firewall rule task is created.

    What to do next

    To verify the new rule task, navigate to Rule Requests > Rule Requests Task. Your request should be visible in the list.

    Approve firewall requests

    Approval of firewall requests ensures controlled access and compliance, with members of the approver group empowered to review and approve firewall audit and new firewall requests.

    Before you begin

    Role required: Members of the specified approver group approval_group that is specified in the rule task.

    Procedure

    1. Navigate to All > Self Service > My Approvals.
    2. Select the green check mark to approve.

    Result

    • The Assignment group then works on the request and marks it as Close Complete.
    • Once the assignment_group marks the request Close Complete, a background sub-flow runs to create a change request if the change request plugin is activated.
      Note:
      The change request is created only if the rule task is in Approved and in Close Complete state.
    The Firewall rule task security policy M2M corresponds to the related list Security policies in Rule task. Firewall administrators can add description or tag fields in a security policy on a Panorama device. They can also add firewall rule task numbers or change request numbers while creating or modifying security policies on Panorama. When the next discovery runs, the M2M table populates the mapping between:
    • Firewall rule task and firewall security policy
    • Firewall security policy and business service if the business service is provided during the Firewall rule task request