AlgoSec FireFlow

Advanced Configuration Guide


Release 6.3

Printed on 2 September, 2012

Copyright 2003-2012 AlgoSec Systems Ltd. All rights reserved


AlgoSec and FireFlow are registered trademarks of AlgoSec Systems Ltd. and/or its affiliates in the U.S.
and certain other countries.
Check Point, the Check Point logo, ClusterXL, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
INSPECT, INSPECT XL, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient,
SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate,
SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard,
SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView
Reporter, SmartView Status, SmartViewTracker, UserAuthority, VPN-1, VPN-1 Edge, VPN-1 Pro, VPN-1
SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, are trademarks or
registered trademarks of Check Point Software Technologies Ltd. or its affiliates.
Cisco, the Cisco Logo, Cisco IOS, IOS, PIX, are trademarks or registered trademarks of Cisco Systems, Inc.
and/or its affiliates in the U.S. and certain other countries.
Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of
Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of
Juniper Networks, Inc.
All other product names mentioned herein are trademarks or registered trademarks of their respective
owners.
Specifications subject to change without notice.
Limited Liability Statement
In no event will AlgoSec Systems Ltd be liable for any loss of data; lost opportunity for profits; cost of
cover; or special, incidental, consequential or indirect damages arising from the use of this software.
Proprietary & Confidential Information
This document contains proprietary information. Neither this document nor said proprietary information
shall be published, reproduced, copied, disclosed, or used for any purpose other than the review and
consideration of this material without written approval from AlgoSec Systems Ltd., 1900 Campus
Commons Drive, Suite 100, Reston, VA 20191.
The software contains proprietary information of AlgoSec Systems Ltd; it is provided under a license
agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse
engineering of the software is prohibited.
Due to continued product development this information may change without notice. The information and
intellectual property contained herein is confidential between AlgoSec Systems Ltd. and the client and
remains the exclusive property of AlgoSec Systems Ltd. If you find any problems in the documentation,
please report them to us in writing. AlgoSec Systems Ltd. does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of AlgoSec Systems Ltd.
AlgoSec Systems Ltd.
1900 Campus Commons Drive, Suite 100
Reston, VA 20191

Contents
Introduction ................................................................................................................................................... 1
FireFlow Advanced Configuration ............................................................................................................................................... 1
Configuration Options ................................................................................................................................................................. 1
Advanced Configuration Options ................................................................................................................................................ 2
Advanced Configuration Tools .................................................................................................................................................... 3
Consulting Log Files ................................................................................................................................................................... 4
Contacting Technical Support ..................................................................................................................................................... 5

Logging in for Advanced Configuration Purposes .................................................................................... 7


Restarting FireFlow..................................................................................................................................... 11
Customizing the FireFlow Home Page ...................................................................................................... 13
Overview ................................................................................................................................................................................... 13
Customizing the Home Page Globally ...................................................................................................................................... 14
Customizing the Home Page per Group ................................................................................................................................... 18
Customizing Pre-defined Search Results ................................................................................................................................. 22
Customizing the Appearance of Pre-defined Search Results ........................................................................................... 22
Adding the "Certify Change Requests" Button to Pre-Defined Search Results ................................................................. 23

Working with Users..................................................................................................................................... 25


Disabling Privileged Users ........................................................................................................................................................ 25
Enabling Privileged Users ......................................................................................................................................................... 27

Working with User Groups ......................................................................................................................... 29


Adding User Groups ................................................................................................................................................................. 29
Editing User Groups.................................................................................................................................................................. 32
Managing Group Members ....................................................................................................................................................... 33
Assigning Global and Queue Rights to User Groups................................................................................................................ 35
Configuring a Group's Global and Queue Rights .............................................................................................................. 35
Configuring Group Rights for Custom Fields ............................................................................................................................ 36
Configuring Group Rights for User-Defined Custom Fields............................................................................................... 37
Configuring Group Rights for FireFlow Fields ................................................................................................................... 39
Disabling User Groups .............................................................................................................................................................. 41
Enabling User Groups............................................................................................................................................................... 41

Working with Custom Fields ...................................................................................................................... 43


Overview ................................................................................................................................................................................... 43
Adding User-Defined Custom Fields......................................................................................................................................... 44
Editing User-Defined Custom Fields ......................................................................................................................................... 49
Editing FireFlow Fields.............................................................................................................................................................. 49
Disabling User-Defined Custom Fields ..................................................................................................................................... 51
Enabling User-Defined Custom Fields ...................................................................................................................................... 51

Configuring the Order of User-Defined Custom Fields ............................................................................................................. 52

Customizing the Source, Destination, and Service Wizards ................................................................... 55


Customizing the Suggested Sources/Destinations List ............................................................................................................ 55
Customizing the Common Services List ................................................................................................................................... 56
Controlling Whether Wizard Tabs Appear ................................................................................................................................ 57
Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors .............................................................. 57
Controlling Whether Wizard Tabs Appear in the No-Login Form ...................................................................................... 60

Configuring Change Request Creation from File ..................................................................................... 61


Overview ................................................................................................................................................................................... 61
Configuring Change Request Creation from File ...................................................................................................................... 62
Disabling Change Request Creation from File.......................................................................................................................... 64

Modifying FireFlow Email Templates ........................................................................................................ 65


Overview ................................................................................................................................................................................... 65
Modifying Email Templates ....................................................................................................................................................... 66

Working with Workflows in VisualFlow..................................................................................................... 71


Overview ................................................................................................................................................................................... 71
About VisualFlow ...................................................................................................................................................................... 73
Getting Started with VisualFlow ................................................................................................................................................ 74
Accessing VisualFlow ........................................................................................................................................................ 74
The VisualFlow User Interface .......................................................................................................................................... 75
Viewing Workflow Layouts................................................................................................................................................. 76
Accessing Online Help ...................................................................................................................................................... 78
Exiting VisualFlow ............................................................................................................................................................. 78
Adding Workflows ..................................................................................................................................................................... 78
Workflow Condition Syntax ....................................................................................................................................................... 81
Supported Fields ............................................................................................................................................................... 81
Supported Boolean Operators ........................................................................................................................................... 86
Comprehensive Example .................................................................................................................................................. 86
Editing Workflows ..................................................................................................................................................................... 87
Working with Statuses .............................................................................................................................................................. 87
Adding Statuses ................................................................................................................................................................ 87
Editing Statuses................................................................................................................................................................. 93
Reordering Statuses .......................................................................................................................................................... 94
Deleting Statuses .............................................................................................................................................................. 94
Working with Actions................................................................................................................................................................. 95
Adding Actions................................................................................................................................................................... 95
Action Condition Syntax .................................................................................................................................................. 105
Adding Parallel Action Logic ............................................................................................................................................ 126
Editing Actions ................................................................................................................................................................. 127
Reordering Actions .......................................................................................................................................................... 128
Deleting Actions............................................................................................................................................................... 128
Working with SLAs .................................................................................................................................................................. 129
Adding SLOs ................................................................................................................................................................... 129
Editing SLOs.................................................................................................................................................................... 132
Deleting SLOs ................................................................................................................................................................. 132
Reordering Workflows............................................................................................................................................................. 133

Setting the Default Workflow................................................................................................................................................... 133
Deleting Workflows ................................................................................................................................................................. 133
Viewing the Workflow XML ..................................................................................................................................................... 134
Viewing Individual Workflows' XML Files ........................................................................................................................ 134
Viewing the Workflow Configuration File ......................................................................................................................... 134
Installing Workflows ................................................................................................................................................................ 134
Discarding Workflow Changes ................................................................................................................................................ 135
Examples ................................................................................................................................................................................ 136
Example: Removing the Notify Requestor Stage ............................................................................................................ 136
Example: Allowing the Network Group to Approve Change Requests ............................................................................ 137
Example: Adding Another Approve Stage ....................................................................................................................... 139

Working with Workflows via XML ............................................................................................................ 143


Editing the Workflow Configuration File .................................................................................................................................. 143
Workflow Configuration File Structure ............................................................................................................................. 144
Workflow Tag Attributes .................................................................................................................................................. 144
Condition Tag Syntax ...................................................................................................................................................... 145
Comprehensive Example ................................................................................................................................................ 146
Adding Workflows ................................................................................................................................................................... 146
Workflow File Structure ................................................................................................................................................... 148
Action Tag Attributes ....................................................................................................................................................... 149
Status Tag Attributes ....................................................................................................................................................... 160
Condition Tag Attributes and Syntax ............................................................................................................................... 163
Modifying Workflows ............................................................................................................................................................... 164
Disabling Workflows................................................................................................................................................................ 165
Deleting Workflows ................................................................................................................................................................. 165
Reverting to the System Default Workflow via XML ............................................................................................................... 166

Using Hooks .............................................................................................................................................. 167


Overview ................................................................................................................................................................................. 167
Using Hooks to Control Parameters ....................................................................................................................................... 167
Hook Functions ....................................................................................................................................................................... 169
GetExternalRisks ............................................................................................................................................................. 169
GetFirewallGroupName ................................................................................................................................................... 170
GetRealGroupName ........................................................................................................................................................ 171
GetRequestorSearches ................................................................................................................................................... 172
GetWorkFlowName ......................................................................................................................................................... 174
SuggestCommentSuffix ................................................................................................................................................... 174
SuggestHostName .......................................................................................................................................................... 175
ValidateTicket .................................................................................................................................................................. 175
ValidateWorkOrderEdit .................................................................................................................................................... 176
Comprehensive Example ........................................................................................................................................................ 176

Working with Rights ................................................................................................................................. 177


Overview ................................................................................................................................................................................. 177
Configuring Global Rights for Groups ..................................................................................................................................... 178
Configuring Global Built-in Rights for Groups.................................................................................................................. 178
Configuring Global User-Defined Rights for Groups ....................................................................................................... 181
Configuring Global Rights for Users ....................................................................................................................................... 181
Configuring Global Built-in Rights for Users .................................................................................................................... 181
Configuring Global User-Defined Rights for Users .......................................................................................................... 182

Configuring Queue Rights for Groups..................................................................................................................................... 183


Configuring Queue Built-in Rights for Groups ................................................................................................................. 183
Configuring Queue Rights for Users ....................................................................................................................................... 186
Configuring Queue Built-in Rights for Users.................................................................................................................... 186

Working with SLA Notifications ............................................................................................................... 189


Overview ................................................................................................................................................................................. 189
Adding SLA Notifications ........................................................................................................................................................ 189
Editing SLA Notifications......................................................................................................................................................... 194
Managing Email Subscriptions to SLA Notifications ............................................................................................................... 196
Deleting SLA Notifications ...................................................................................................................................................... 197

Overriding FireFlow System Defaults ..................................................................................................... 199


Overriding System Default Settings ........................................................................................................................................ 199
Overriding Specific System Default Settings .......................................................................................................................... 200
Configuring the Maximum Rows Displayed in Home Page Lists..................................................................................... 200
Configuring the Change Request History Order .............................................................................................................. 200
Configuring the Maximum Rows Displayed in Auto Matching Page Sub-Lists................................................................ 201
Configuring the Time Frame for Items Displayed in Auto Matching Page Lists .............................................................. 201
Enabling/Disabling Multiple Traffic Rows in Change Requests ....................................................................................... 202
Hiding Change Request Fields ........................................................................................................................................ 202
Enabling/Disabling Sub-Request Traffic Modification...................................................................................................... 203
Configuring Whether Traffic Fields Are Mandatory ......................................................................................................... 203
Enabling/Disabling Traffic Field Validation ...................................................................................................................... 204
Configuring Work Order Creation for "No Action Required" Change Requests .............................................................. 204
Enabling/Disabling Translation of Object IP Addresses and Ports in Work Orders......................................................... 205
Configuring Automatic Initial Planning ............................................................................................................................. 205
Configuring the Risk Check Method for Change Requests with Multiple Devices
Configuring the Date Format
Configuring Whether the Standard Template Appears in the Request Templates Page
Enabling/Disabling Automatic Creation of Requestors upon Authentication
Configuring the No-Login Web Form's Requestor Field as Read-Only
Configuring Automatic Approval of Minor Rule Changes
Configuring the "From" Address in Dashboard Emails
Configuring the Default Due Date for Rule Removal Requests
Configuring How Long the Device Objects List Is Stored in Cache
Configuring Whether Emails to Related Change Requestors Include the Rule to be Removed
Configuring the Default Due Date for Change Requests Marked for Future Recertification
Configuring the Default Due Date for Recertification Requests
Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets
Configuring the List of User Properties
Replacing the Logo
Configuring FireFlow's Default Interface Language
Modifying FireFlow Interface Text
Adding/Removing Standard NAT Fields in Change Requests
Adding/Removing Optional NAT Fields in Change Requests
Configuring the Default Authentication Action
Enabling/Disabling User Group Authentication during Initial Planning
Configuring the Handling of NAT-Only Traffic Changes
Automatically Sending Work Orders to an Implementation Team
Reverting to System Defaults

Importing User Data from an LDAP Server

Integrating FireFlow with External Change Management Systems
Overview
Integrating FireFlow via the REST Interface
REST Interface Integration Steps
Configuring Authentication to FireFlow
Creating Change Requests via the REST Interface
Integrating FireFlow via a CMS's Web Service
Web Service Integration Steps
Configuring FireFlow to Use a Web Service
Integrating FireFlow via Email
Email Integration Steps
Preparation
Configuring FireFlow for Use with Remedy
Configuring the Remedy Incoming Mailbox
Configuring the Remedy Outgoing Mailbox
Configuring Remedy Email Security
Configuring the Remedy Filter
Remedy Filter Text

Configuring the FireFlow Web Service
Overview
FireFlow Services
FireFlowAuthenticateRequest
FireFlowCreateTicketRequest
FireFlowTerminateSessionRequest
FireFlowAuthenticationResponse
FireFlowCreateTicketResponse
FireFlowTerminateSessionResponse
Data Types
Ticket
TrafficLine
TrafficAddress
TrafficService
TrafficNAT
CustomField

Using the AlgoSec FireFlow Copy Customization Utility
Overview
Database Entities
Configuration Files
Translation Files
Upload Change Requests from File Scripts
Hook Files
Web Service Clients
Creating a Customizations File
Loading a Customizations File to the Target Site

Index

CHAPTER 1

Introduction
This section introduces the AlgoSec FireFlow advanced configuration options and tools, as well as this
guide.

In This Chapter
FireFlow Advanced Configuration
Configuration Options
Advanced Configuration Options
Advanced Configuration Tools
Consulting Log Files
Contacting Technical Support

FireFlow Advanced Configuration


FireFlow comes with several built-in advanced configuration options. For example, it is possible to
customize FireFlow's look and feel or integrate FireFlow with other change management systems.
This guide discusses the various advanced configuration options available and the tools used to implement
them. It is intended for professional integrators and other technical users.

Configuration Options
You can perform the following customizations of FireFlow:

Adding, editing, and deleting requestors
Refer to the AlgoSec FireFlow User Guide, Managing Requestors in the Web Interface and Managing
Requestors in the Requestor Database.
Adding, editing, and deleting users
Refer to the AlgoSec FireFlow User Guide, Managing Privileged Users.
Adding, editing, and deleting user groups
See Working with User Groups (on page 29).
Adding, editing, and deleting custom fields
See Working with Custom Fields (on page 43).
Adding, editing, and deleting SLA notifications
See Working with SLA Notifications (on page 189).

Advanced Configuration Options


You can perform the following advanced customizations of FireFlow:

Customizing the FireFlow Home page
See Customizing the FireFlow Home Page (on page 13).
Customizing the Source, Destination, and Services wizards
See Customizing the Source, Destination, and Service Wizards (on page 55).
Configuring change request creation from spreadsheet files attached to change requests
See Configuring Change Request Creation from File (on page 61).
Modifying existing email templates
See Modifying FireFlow Email Templates (on page 65).
Adding, editing, and deleting workflows
A change request's workflow determines which lifecycle stages it will pass through. You can customize
change request lifecycles by creating new workflows and by disabling or deleting the built-in
workflows. Furthermore, you can modify the set of conditions determining when each workflow should
be assigned.
You can modify workflows via the VisualFlow interface or via XML files. See Working with
Workflows in VisualFlow (on page 71) and Working with Workflows via XML (on page 143).
Customizing the FireFlow risk check
The FireFlow default traffic change request lifecycle includes the Approve stage, in which a risk check
is performed to determine whether implementing the change specified in a change request would
introduce risks. The risk check is based on device analyses produced by AlgoSec Firewall Analyzer
(AFA), a comprehensive device analysis solution that is a companion product of FireFlow.
It is possible to customize the FireFlow risk check by configuring AFA to treat certain types of traffic as
non-threatening trusted traffic when it produces the device analyses. This enables you to eliminate
false alarms triggered by traffic that is necessary for the organization. In addition, you can create Risk
Profiles that specify the severity level of individual risks. The FireFlow risk check will then use your
custom Risk Profiles to detect risks of your preferred risk level classification.
For information on configuring trusted traffic and Risk Profiles in AFA, refer to the AlgoSec Firewall
Analyzer User Guide.
Using hooks to control FireFlow parameters
You can streamline the change request lifecycle by using hooks to control certain parameters, such as
the name of the workflow to assign to the change request in the Request stage, or the device group
against which to check traffic. FireFlow will extract the desired parameters on the fly.
See Using Hooks (on page 167).
Configuring rights
See Working with Rights (on page 177).
Overriding FireFlow system defaults
See Overriding FireFlow System Defaults (on page 199).
Replacing the logo and/or texts in the FireFlow user interface
You can replace the logo in the FireFlow user interface with the organization's logo. See Replacing the
Logo (on page 218).
In addition, you can replace the texts that appear throughout the FireFlow user interface, either with
custom texts, or with translations into any language. See Modifying FireFlow Interface Text (on page
222).
Integrating FireFlow with a third-party Change Management System
See Integrating FireFlow with External Change Management Systems (on page 235).
Using the FireFlow Web service
See Configuring the FireFlow Web Service (on page 255).
Configuring the import of user data from an LDAP server into FireFlow
See Importing User Data from an LDAP Server (on page 233).
Performing change request migration
AlgoSec provides an API for performing a one-time migration of historic change requests from an
existing Change Management System to FireFlow. For further information, contact AlgoSec.
Customizing the incoming email parsing format
In organizations where submitting requests to FireFlow via email is supported, all request emails must
conform to the following format by default:
Source: <source>
Destination: <destination>
Service: <service>
Action: <action>

where:
<source> is the IP address, IP range, network, device object, or DNS name of the connection source.
<destination> is the IP address, IP range, network, device object, or DNS name of the connection
destination.
<service> is the device service or port for the connection.
<action> is the device action to perform for the connection. This can be either of the following:
allow - Allow the connection.
drop - Block the connection.
If desired, you can change the required format for request emails. For further information, contact
AlgoSec.
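The following Python parser enforces the default request-email format described above before a message is accepted as a change request. It is an added example, not FireFlow's own parser or code from AlgoSec; the first-last range notation, the accepted port spellings, the character set for names, case-insensitive actions, and the rejection of any extra line are assumptions.

```python
import ipaddress
import re

FIELDS = ("Source", "Destination", "Service", "Action")  # field names from the guide
ACTIONS = ("allow", "drop")                               # the two actions the guide lists
# Assumption: DNS names, device object names and service names use only these characters.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")
# Assumption: a port is written "443" or "tcp/443".
PORT_RE = re.compile(r"(?:(?:tcp|udp)/)?(\d+)", re.IGNORECASE)


class RequestFormatError(ValueError):
    """Raised when a request email does not match the expected format."""


def classify_address(value):
    """Return 'ip', 'range', 'network' or 'name' for a Source/Destination value."""
    first, dash, last = value.partition("-")
    if dash:  # assumption: an IP range is written first-last
        try:
            lo = ipaddress.ip_address(first.strip())
            hi = ipaddress.ip_address(last.strip())
        except ValueError:
            pass  # not two addresses; may still be a hyphenated name
        else:
            if lo.version != hi.version or lo > hi:
                raise RequestFormatError(f"invalid IP range: {value!r}")
            return "range"
    if "/" in value:
        try:
            ipaddress.ip_network(value, strict=True)  # rejects host bits, e.g. 10.1.1.5/24
        except ValueError:
            raise RequestFormatError(f"invalid network: {value!r}") from None
        return "network"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    # Digits and dots only means a malformed IPv4 address, not a name (e.g. 10.1.1.999).
    if re.fullmatch(r"[0-9.]+", value) or not NAME_RE.fullmatch(value):
        raise RequestFormatError(f"invalid address or name: {value!r}")
    return "name"


def validate_service(value):
    """Accept a port (1-65535, optional tcp/ or udp/ prefix) or a service name."""
    match = PORT_RE.fullmatch(value)
    if match:
        if not 1 <= int(match.group(1)) <= 65535:
            raise RequestFormatError(f"port out of range: {value!r}")
        return value.lower()
    if not NAME_RE.fullmatch(value):
        raise RequestFormatError(f"invalid service: {value!r}")
    return value


def parse_request_email(body):
    """Parse a request-email body into a dict; raise RequestFormatError on any deviation."""
    values = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, colon, value = line.partition(":")
        value = value.strip()
        # Assumption: field names match exactly as printed in the guide, and any other
        # non-blank line (signature, quoted reply) is rejected rather than skipped.
        if not colon or key not in FIELDS:
            raise RequestFormatError(f"unexpected line: {line!r}")
        if key in values:
            raise RequestFormatError(f"duplicate field: {key}")
        if not value or not value.isprintable():
            raise RequestFormatError(f"empty or non-printable value for {key}")
        values[key] = value
    missing = [field for field in FIELDS if field not in values]
    if missing:
        raise RequestFormatError("missing field(s): " + ", ".join(missing))
    action = values["Action"].lower()  # assumption: the action is case-insensitive
    if action not in ACTIONS:
        raise RequestFormatError(f"invalid action: {values['Action']!r}")
    return {
        "source": values["Source"],
        "source_kind": classify_address(values["Source"]),
        "destination": values["Destination"],
        "destination_kind": classify_address(values["Destination"]),
        "service": validate_service(values["Service"]),
        "action": action,
    }


# Constructed sample bodies (not taken from a real mailbox).
SAMPLE_OK = "Source: 10.1.1.0/24\nDestination: app01.example.com\nService: tcp/443\nAction: allow\n"
SAMPLE_BAD = "Source: 10.1.1.999\nDestination: 192.0.2.10-192.0.2.5\nService: 70000\nAction: permit\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        try:
            print("accepted:", parse_request_email(sample))
        except RequestFormatError as exc:
            print("rejected:", exc)
```

Rejecting everything outside the four fields keeps signatures, quoted replies and unexpected extra lines out of the resulting change request.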

Advanced Configuration Tools


Advanced FireFlow customization is performed using the following tools:

FireFlow user interface
In order to perform advanced configurations via the FireFlow user interface, you must log in as a
FireFlow configuration administrator. See Logging in for Advanced Configuration Purposes (on page
7).
Original and override configuration files
FireFlow includes a set of original configuration files that contain various FireFlow default settings. In
order to modify the default settings in a particular file, you create an override configuration file whose
content is copied from the original file and modified to suit your needs. If the override file exists,
FireFlow ignores the original file and refers only to the override file.
In order to access original and override files, you must log in to the FireFlow server via SSH with the
username "root". The default password for this user on an AlgoSec Hardware Appliance or a VM is
"algosec".
FireFlow restart utility
FireFlow includes a utility for restarting it after certain configuration changes are made. In order to use
this utility, you must log in to the FireFlow server via SSH with the username "root". The default
password for this user on an AlgoSec Hardware Appliance or a VM is "algosec". For further
information, see Restarting FireFlow (on page 11).
AlgoSec Firewall Analyzer user interface
In order to perform advanced configurations via the AlgoSec Firewall Analyzer user interface, you must
log in as an AFA administrator. For information on logging in to AlgoSec Firewall Analyzer, refer to the
AlgoSec FireFlow User Guide, Logging into the AlgoSec Firewall Analyzer Web Interface, or the
AlgoSec Firewall Analyzer User Guide.

Consulting Log Files


You can download a ZIP containing all FireFlow log files.
If desired, you can also access the following log files directly:

/usr/share/fireflow/var/log/fireflow.log. The main FireFlow log file.
/usr/share/fireflow/local/VisualFlow/log/production.log. The VisualFlow log file.
/var/log/httpd/error_log. The Apache error log file.

Note: In order to access these log files directly, you must log in to the FireFlow server via SSH with the
username "root". The default password for this user on an AlgoSec Hardware Appliance or a VM is
"algosec".

To download FireFlow logs


1 Log in to FireFlow.
2 In the toolbar, click Info.
The Info dialog box opens.
3 Click Download Support Zip.
A ZIP file called FireFlow_support.zip is downloaded to your computer.
4 Click OK.

Contacting Technical Support


To contact AlgoSec Technical Support
1 Open any Web browser, and navigate to:
http://www.algosec.com/en/support/submit_service_request.php
2 Open a ticket.
3 Attach relevant logs to the ticket:
AFA or FireFlow logs, if the ticket concerns these products
HA logs, if the ticket concerns HA-related issues. For information on collecting these logs, refer to
the AlgoSec Hardware Appliance User Guide.

CHAPTER 2

Logging in for Advanced Configuration Purposes
You can perform advanced configurations via the FireFlow user interface, when logged in as a FireFlow
configuration administrator. A FireFlow configuration administrator is a privileged user with FireFlow
Administrator - Allow FireFlow Advanced Configuration permissions. These permissions are granted in
AlgoSec Firewall Analyzer. For information, refer to the AlgoSec FireFlow User Guide, Adding and
Editing Users.
Note: After completing initial configuration, it is recommended to revoke FireFlow Administrator - Allow
FireFlow Advanced Configuration permissions for all users, in order to avoid accidental changes to the
configuration.

To log into FireFlow for advanced configuration purposes


1 In your browser's Address field, type https://<algosec_server>/algosec/ where
<algosec_server> is the AlgoSec server URL.
The AlgoSec Security Suite page appears.

2 Click FireFlow.
The FireFlow Login page appears.

3 Enter your username and password in the fields provided.
4 If the Domain field appears, type the name of the domain.
This field only appears when domains are enabled.
To log in as management, do not enter a domain name.
5 Click Login.
The FireFlow Home Page appears.

Advanced configuration settings can be accessed by clicking the Configuration and Advanced
Configuration main menu items. When domains are enabled, domain level administrators will not see the
Advanced Configuration option in the main menu.

CHAPTER 3

Restarting FireFlow
After making certain FireFlow configuration changes, it is necessary to restart all FireFlow workers that are
running background tasks, as well as restart Apache. The FireFlow restart utility enables you to perform all
the necessary restart actions with a single command.
Note: The procedures that require restarting FireFlow are marked as such in this guide.

To restart FireFlow
1 Log in to the FireFlow server using the username "root" and the related password.
2 Enter the following command:
restart_fireflow
All FireFlow workers that are currently running background tasks are restarted.
Apache is restarted.


CHAPTER 4

Customizing the FireFlow Home Page


This section explains how to customize the FireFlow Home page.

In This Chapter
Overview
Customizing the Home Page Globally
Customizing the Home Page per Group
Customizing Pre-defined Search Results

Overview
If desired, you can customize the Home page on any of the following levels:

Globally
Global customization affects the Home page of all users. It enables adding or removing any screen
element.
See Customizing the Home Page Globally (on page 14).
Per group
Per-group customization affects the Home page of all users belonging to a specific user group. It enables
adding screen elements to the Home page, but not removing those that were added via global
customization.
See Customizing the Home Page per Group (on page 18).
Per user
Per-user customization affects the Home page of a specific user only. It enables adding screen elements
to the Home page, but not removing those that were added via global or per-group customization.
Refer to the AlgoSec FireFlow User Guide, Customizing the FireFlow Home Page.

Elements that can be added to the Home page include the following:

Pre-defined search results
FireFlow includes a set of pre-defined search results that you can include on the Home page. If desired,
you can customize them as described in Customizing Pre-defined Search Results (on page 22).
Custom search results
In order to include custom search results, you must save them under "FireFlow's saved searches". For
information on saving search results, refer to the AlgoSec FireFlow User Guide, Saving Searches.
Charts
In order to include a chart, you must save it under "FireFlow's saved searches". For information on
saving charts, refer to the AlgoSec FireFlow User Guide, Saving Charts.
Refresh fields


Customizing the Home Page Globally


By default, the Home page is globally configured to include the Change Request I own pre-defined search
results and a Refresh field. If desired, you can add or remove elements.
Note: Elements that are added to the Home page via global customization cannot be removed via per-group
or per-user customization.

Note: When domains are enabled, domain level administrators will not see the Advanced Configuration
option in the main menu. To log in as management, do not enter a domain name.

To customize the Home page globally


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

3 Click Global.
The Admin/Global configuration page appears.

4 Click FireFlow Home Page.
The FireFlow Home Page appears.

5 For each element you want to add to the Home page, do the following:
a) In the Available list box, select the element you want to add.
For information on each element, see the following table.
b) Click [icon].
The selected element moves to the right list box. The order in which the elements appear in the box
represents the order in which they will appear in the Home page.
c) To move the element up or down in the box, select the element and click the [icon] or [icon]
buttons.
d) To delete the element, select it and click Delete.
Your changes are saved.

Home Page Elements

| Select this element... | To add this to the Home page... |
| --- | --- |
| "N" Soon to be due change requests | Pre-defined search results consisting of a list of open change requests in the system that have a due date that has passed, that is the current date, or that is the day after the current date. |
| "N" Change Requests owned by Controllers group | Pre-defined search results consisting of a list of change requests in the system that are owned by the Controllers group. |
| "N" Change Requests owned by Network group | Pre-defined search results consisting of a list of change requests in the system that are owned by the Network group. |
| "N" Change Requests owned by Security group | Pre-defined search results consisting of a list of change requests in the system that are owned by the Security group. |
| "N" Change Requests Relevant to My Groups | Pre-defined search results consisting of a list of change requests in the system that are relevant to the user groups to which you belong. |
| "N" Change Requests that are due to be recertified | Pre-defined search results consisting of a list of traffic change requests in the system that expired, and which should be recertified. |
| "N" Change Requests Flagged by Requestor as "Change Does Not Work" | Pre-defined search results consisting of a list of change requests in the system that have been flagged by the requestor as "Change Does Not Work". |
| "N" Change Requests that Received Requestor's Response | Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage and received the requestor's confirmation that the requested change was implemented successfully. |
| "N" Change Requests to Approve | Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage. |
| "N" Change Requests to Create Work Order | Pre-defined search results consisting of a list of change requests in the system that are currently in the Implement stage and awaiting a work order to be created. |
| "N" Change Requests to Expire in the Next 30 days | Pre-defined search results consisting of a list of change requests in the system that will expire within the next 30 days. |
| "N" Change Requests to Implement | Pre-defined search results consisting of a list of change requests in the system that are currently in the Implement stage and awaiting implementation. |
| "N" Change Requests to Plan | Pre-defined search results consisting of all change requests in the system that are currently in the Plan stage. |
| "N" Change Requests to Review | Pre-defined search results consisting of a list of change requests in the system that are currently in the Review stage and awaiting a controller's review. |
| "N" Change Requests to Send Removal Notification to Rule Requestors | Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage, and for which a rule removal notification will be sent to the rule's traffic requestors. |
| "N" Change Requests to Validate | Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage. |
| "N" Change Requests Waiting for Removal Response from Rule Requestors | Pre-defined search results consisting of a list of change requests in the system that are currently in the Approve stage and awaiting confirmation from the rule's traffic requestors that the requested rule removal is approved. |
| "N" Change Requests Waiting for Requestor's Response | Pre-defined search results consisting of a list of change requests in the system that are currently in the Validate stage and awaiting the requestor's confirmation that the requested change was implemented successfully. |
| "N" New Change Requests | Pre-defined search results consisting of a list of change requests in the system that are new and still in the Request stage, and whose traffic has already been checked against devices. |
| "N" New Recertification Requests | Pre-defined search results consisting of a list of recertification requests in the system that are new and still in the Request stage. |
| "N" Open Change Requests | Pre-defined search results consisting of a list of change requests in the system that are currently open. |
| "N" Parent Recertification Requests Pending Sub Requests Implementation | Pre-defined search results consisting of a list of parent recertification requests in the system that are currently in the Implement stage and awaiting implementation of the relevant sub-requests. |
| "N" Parent Requests Pending Sub Request Implementation | Pre-defined search results consisting of a list of parent requests in the system that are currently in the Implement stage and awaiting implementation of the relevant sub-requests. |
| "N" Recertification Requests to Create Work Order | Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Implement stage and awaiting a work order to be created. |
| "N" Recertification Requests to Implement | Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Implement stage and awaiting implementation. |
| "N" Recertification Requests to Plan | Pre-defined search results consisting of all recertification requests in the system that are currently in the Plan stage. |
| "N" Recertification Requests to Send Recertify Notification to Traffic Requestors | Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Approve stage, and for which a recertification notification will be sent to the traffic requestors. |
| "N" Recertification Requests to Validate | Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Validate stage. |
| "N" Recertification Requests Waiting for Recertify Response from Traffic Requestors | Pre-defined search results consisting of a list of recertification requests in the system that are currently in the Approve stage and awaiting confirmation from the traffic requestors that the requested recertification is approved. |
| "N" Rejected Change Requests | Pre-defined search results consisting of a list of change requests in the system that were rejected. |
| "N" Resolved Change Requests | Pre-defined search results consisting of a list of change requests in the system that have been resolved. |
| "N" Total New Change Requests | Pre-defined search results consisting of a list of all change requests in the system that are new and still in the Request stage, including change requests whose traffic has not yet been checked against devices. |
| Bookmarked Change Requests | A list of change requests that the user bookmarked. |
| My Change Requests | Pre-defined search results consisting of a list of change requests in the system that are owned by you. |
| RefreshHomepage | Controls for refreshing the page. |
| Unowned Change Requests | Pre-defined search results consisting of a list of change requests in the system that currently have no owner. |
| Saved Search Name | A custom search that was saved under "FireFlow's saved searches", and which is available to your user role. For information on saving searches, see Saving Searches. |
| Chart Name | A chart that was saved under "FireFlow's saved searches", and which is available to your user role. For information on saving charts, see Saving Charts. |
| Search for chart Chart Name | A custom search on which a certain chart is based. |

Customizing the Home Page per Group


By default, the Home page for a user group is configured to include certain pre-defined search results, as
well as the globally configured elements. If desired, you can add or remove elements.
Note: Elements that were added to the Home page via global customization cannot be removed via per-group
customization. Likewise, elements that are added to the Home page via per-group customization cannot be
removed via per-user customization.

To customize the Home page for a specific user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click Groups.
The Select a group page appears.

4 (Optional) To search for the desired group, do the following:

a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) To include disabled groups in the search, select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.
The Editing membership for group page appears.

6 In the main menu, click FireFlow Home Page.

The FireFlow Home Page for the selected group appears.

7 For each element you want to add to the Home page, do the following:
a) In the Available list box, select the element you want to add.
For information on each element, see Home Page Elements (page 16).
b) Click
.
The selected element moves to the right list box. The order that the elements appear in the box
represents the order in which they will appear in the Home page.
Note: All custom elements will appear above the globally added pre-defined search results in the
Home page.
c) To move the element up or down in the box, select the element and click the
buttons.
d) To delete the element, select it and click Delete.
Your changes are saved.
8 To reset the page's fields to their default values, click Reset to default.

or

Customizing Pre-defined Search Results


The pre-defined search results described in Home Page Elements (page 16) represent specific saved
searches. For example, "N" New Change Requests represents an advanced search for all change requests
with the status "New", and it displays search results in descending order sorted according to the LastUpdated
column.
If desired, you can customize the pre-defined search results' appearance, so as to include different columns,
sort order, number of results rows, and so on. See Customizing the Appearance of Pre-defined Search
Results (on page 22).
You can also add the Certify Change Requests button to pre-defined search results that consist of resolved
traffic change requests, so as to enable users to create recertification requests. See Adding the "Certify
Change Requests" Button to Pre-Defined Search Results (on page 23).

Customizing the Appearance of Pre-defined Search Results


To customize pre-defined search results' appearance
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Search.
The Query Builder page appears.

3 In the Load saved search drop-down list, under FireFlow's saved searches, select the relevant
pre-defined search.

4 Click Load.
The search is loaded.
5 In the Display Columns area, modify the search results' appearance as desired.
For information, refer to the AlgoSec FireFlow User Guide, Column Format Fields.
6 Click Save.
The pre-defined search's definition is modified.

Adding the "Certify Change Requests" Button to Pre-Defined Search Results

To add the Certify Change Requests button to pre-defined search results
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Search.
The Query Builder page appears.
3 In the Load saved search drop-down list, under FireFlow's saved searches, select the relevant
pre-defined search.
4 Click Load.
The search is loaded.
5 In the main menu, click Edit Search - Advanced.
6 In the Format field, add:
/ALLOW_RECERTIFICATION

7 Click Apply.
The Query Builder page reappears with your changes.
8 Click Save.
The pre-defined search's definition is modified.

CHAPTER 5

Working with Users


This section explains how to enable and disable privileged users in FireFlow. For information on adding,
editing, and deleting privileged users, refer to the AlgoSec FireFlow User Guide, Managing Privileged
Users.

In This Chapter
Disabling Privileged Users
Enabling Privileged Users

Disabling Privileged Users


If desired, you can disable a privileged user, so that they no longer appear in the FireFlow interface.
Note: Values that were entered for a user before they were disabled are retained in the FireFlow database.
Note: Users that are deleted from AlgoSec Firewall Analyzer and FireFlow are demoted to requestors and
disabled. Refer to the AlgoSec FireFlow User Guide, Deleting Users.

To disable a privileged user


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click Users.
The Select a user page appears.

4 (Optional) To search for the desired user, do the following:

a) In the Find all users whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Click Go.
The users matching the search criteria are displayed.
5 Click on the desired user's name.
The Modify the user page appears.

6 Clear the User enabled check box.


7 Click Save.
The user is disabled.

Enabling Privileged Users


You can re-enable a disabled user.

To enable a privileged user


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.

3 Click Users.
The Select a user page appears.
4 Search for the desired user, by doing the following:
a) In the Find all users whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Select the Include disabled users in search check box.
c) Click Go.
The users matching the search criteria are displayed.
5 Click on the desired user's name.
The Modify the user page appears.
6 Select the User enabled check box.
7 Click Save.
The user is enabled.

CHAPTER 6

Working with User Groups


This section explains how to add user groups to FireFlow. It also describes how to edit and disable user
groups.

In This Chapter
Adding User Groups
Editing User Groups
Managing Group Members
Assigning Global and Queue Rights to User Groups
Configuring Group Rights for Custom Fields
Disabling User Groups
Enabling User Groups

Adding User Groups


To add a user group
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.

The FireFlow Configuration page appears.

3 Click Groups.
The Select a group page appears.

4 In the main menu, click Create.

The Create a new group page appears.

5 Complete the fields using the information in Group Fields (page 31).
6 Click Save.
7 Specify which users and groups should be members in the new user group.
See Managing Group Members (on page 33).
Note: If desired, this step can be skipped and performed later on, as described in the AlgoSec FireFlow
User Guide, Adding Users to FireFlow User Groups.
8 If you did not copy settings from another group, or if you copied settings and would like to modify them,
do the following:
a) Customize the group's Home page.
See Customizing the Home Page per Group (on page 18).
b) Assign global and queue rights to the user group.
See Assigning Global and Queue Rights to User Groups (on page 35).
c) Configure the group's rights for each custom field.
See Configuring Group Rights for Custom Fields (on page 36).
Group Fields
In this field...

Do this...

Name

Type a name for the group.

Description

Type a description of the group.

Group LDAP DN

Type the DN of the group in the LDAP server.


For example: "cn=network_users,ou=organization,o=mycompany,c=us"

Enabled

Select this option.

Copy Group Rights and Home Page Settings from group

To assign this group the same settings as another group, select the group from which to
copy settings.
The following settings will be copied from the selected group:
Group rights
Global permissions
Queue permissions
Rights for custom fields
Home page settings
Note: It is recommended to select this option when creating a new group, as it
significantly shortens the group creation process.

Revoke rights which were not granted to this group

To revoke any group rights that were assigned to this group, but which are not assigned
to the group in the Copy Group Rights and Home Page Settings from group field, select
this option.
This field only appears when editing a user group.

Editing User Groups


Note: Do not change any of the pre-defined Admin user group's settings. This group consists of the AlgoSec
administrators and is only used by FireFlow internally.
Note: If you change the name of a pre-defined user group (Network, Security, Controllers, or Read-Only),
you must also change the group's name in all workflows. For information, see Working with Workflows in
VisualFlow (on page 71).

To edit a user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 To edit the group's name, description, and whether it should inherit its settings from another group, do
the following:
a) In the main menu, click Configuration.
The FireFlow Configuration page appears.
b) Click Groups.
The Select a group page appears.
c) (Optional) To search for the desired group, do the following:
1. In the Find groups whose area, select the desired options in the drop-down lists, and type the
search string in the field provided.
2. To include disabled groups in the search, select the Include disabled groups in listing check box.
3. Click Go.
The groups matching the search criteria are displayed.
d) Click the desired group's name.
The Editing membership for group page appears.
e) In the main menu, click Basics.

The Modify the group page appears.
f) Complete the fields using the information in Group Fields (page 31).
g) Click Save.
3 To edit the group's members, see Managing Group Members (on page 33).
4 To customize the group's Home page, see Customizing the Home Page per Group (on page 18).
5 To assign global and queue rights to the group, see Assigning Global and Queue Rights to User Groups
(on page 35).
6 To configure the group's rights for custom fields, see Configuring Group Rights for Custom Fields (on
page 36).

Managing Group Members


To manage a group's members
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
The Select a group page appears.
4 (Optional) To search for the desired group, do the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) To include disabled groups in the search, select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.

The Editing membership for group page appears.

6 To add users and/or groups:


a) In the Add members area, select the desired users and groups.
b) Click Save.
The users and/or groups are added to the user group and appear in the Current members area.
Note: Members of this user group will see the Home page elements configured for this user group.
7 To remove users and/or groups:
a) In the Current members list, select the check boxes next to the desired users and/or groups.
b) Click Save.
The users and/or groups are removed from the new user group and appear in the Add members area.
8 To specify the group member to which change requests should automatically be assigned, when they are
sent to this user group:
a) In the Group Default Assignee area, click Change.
The Select Default Assignee window opens.

b) Select the desired group member.


c) Click OK.

Note: If you do not specify a user, then the first member of the group will become the default assignee.
9 Click Save.

Assigning Global and Queue Rights to User Groups


A user group can be assigned global rights, which are rights for actions that can be performed on all change
requests or actions that are not related to change requests, and queue rights, which are rights for actions that
can only be performed on change requests belonging to a certain queue.
FireFlow allows you to assign these rights to a user group in the following ways:

By viewing a single user group and then assigning it the desired global and queue rights
See Configuring a Group's Global and Queue Rights (on page 35).
By viewing all global rights and then assigning them to the desired user group
See Configuring Global Rights for Groups (on page 178).
By viewing all queue rights and then assigning them to the desired user group
See Configuring Queue Rights for Groups (on page 183).

Configuring a Group's Global and Queue Rights


To configure a user group's global and queue rights
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
The Select a group page appears.
4 (Optional) To search for the desired group, do the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) To include disabled groups in the search, select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.
The Editing membership for group page appears.
6 In the main menu, click Rights.

The Editing rights for group page appears.

The Editing Rights on Global actions area enables you to grant rights for global actions, and the Editing
Rights on Queue actions area enables you to grant rights for queue actions.
7 To assign rights, do the following in the relevant area:
a) In the New rights list box, select the rights you want to assign this group.
To select multiple rights, press Ctrl while you click on the desired rights.
b) Click Modify Rights.
The selected rights appear in the Current rights area.
8 To revoke rights, do the following in the relevant area:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify Rights.
The selected rights are removed from the Current rights area.

Configuring Group Rights for Custom Fields


You can configure group rights for the following types of custom fields:

User-defined custom fields
See Configuring Group Rights for User-Defined Custom Fields (on page 37).
FireFlow fields
See Configuring Group Rights for FireFlow Fields (on page 39).

For information on both types of custom fields, see Working with Custom Fields (on page 43).

Configuring Group Rights for User-Defined Custom Fields


To configure a group's rights for a user-defined custom field
1 In the main menu, click Configuration.
The FireFlow Configuration page appears.
2 Click User Defined Custom Fields.
The Select a Custom Field page appears.

3 Click on the desired custom field's name.

The Editing Custom Field page appears.

4 In the main menu, click Group Rights.


The Modify group rights for custom field page appears.

5 Complete the fields using the information in Modify Group Rights Fields (page 39).
6 Click Submit.
Modify Group Rights Fields
In this field...

Do this...

System groups

In this area, select the level of rights that each system (built-in) group should have for
this field.
The system groups are:
Everyone. Represents all users, including both privileged and unprivileged users.
Privileged. Represents all information security and network operations users, as
well as any user-defined user groups.
Unprivileged. Represents requestors.
The available levels of rights are:
AdminCustomField. Users in this group can view and modify the field's
definition (for example, they can modify the field's name, disable it, and so on).
ModifyCustomField. Users in this group can modify the field's value, but cannot
view the field.
SeeCustomField. Users in this group can view the field, but cannot modify its
value.
(no value). Users in this group cannot view or modify the field.

User defined groups

In this area, select the level of rights that each user-defined user group should have
for the field.
The available levels of rights are:
AdminCustomField. Users in this group can view and modify the field's
definition (for example, they can modify the field's name, disable it, and so on).
ModifyCustomField. Users in this group can modify the field's value, but cannot
view the field.
SeeCustomField. Users in this group can view the field, but cannot modify its
value.
(no value). Users in this group cannot view or modify the field.

Reset

Click this button to remove all your unsaved modifications to the fields on this page.

Configuring Group Rights for FireFlow Fields


To configure a group's rights for a FireFlow field

1 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

2 Click FireFlow Fields.


The Select a FireFlow Field page appears.

3 Click on the desired FireFlow field's name.

The Editing Custom Field page appears.


4 In the main menu, click Group Rights.
The Modify group rights for custom field page appears.
5 Complete the fields using the information in Modify Group Rights Fields (page 39).
6 Click Submit.

Disabling User Groups


If desired, you can disable a user group, so that it no longer appears in the FireFlow interface.
Note: Values that were entered for the user group before it was disabled are retained in the FireFlow
database.

To disable a user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
The Select a group page appears.
4 (Optional) To search for the desired group, do the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.
The Editing membership for group page appears.
6 In the main menu, click Basics.
The Modify the group page appears.
7 Clear the Enabled check box.
8 Click Save.

Enabling User Groups


You can re-enable a disabled user group.

To enable a user group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click Groups.
The Select a group page appears.
4 Search for the desired group, by doing the following:
a) In the Find groups whose area, select the desired options in the drop-down lists, and type the search
string in the field provided.
b) Select the Include disabled groups in listing check box.
c) Click Go.
The groups matching the search criteria are displayed.
5 Click the desired group's name.
The Editing membership for group page appears.
6 In the main menu, click Basics.
The Modify the group page appears.
7 Select the Enabled check box.
8 Click Save.

CHAPTER 7

Working with Custom Fields


This section explains how to work with custom fields.

In This Chapter
Overview
Adding User-Defined Custom Fields
Editing User-Defined Custom Fields
Editing FireFlow Fields
Disabling User-Defined Custom Fields
Enabling User-Defined Custom Fields
Configuring the Order of User-Defined Custom Fields

Overview
FireFlow includes two types of custom fields:

User-defined custom fields


You can define custom fields and add them to change requests, users, or user groups throughout the
FireFlow user interface. For example, you can add a budget number field in change requests or an
extension number field for users. In addition, it is possible to add custom fields to a change request's
traffic fields.

Custom fields can also be added to object changes in a change request.

You can edit, disable, configure the order of, and configure group rights for custom fields. For
information on configuring a custom field's group rights, see Configuring Group Rights for
User-Defined Custom Fields (on page 37).
FireFlow fields

FireFlow comes with a set of built-in custom fields called FireFlow fields. You can modify the display
name and description of such fields. In addition, you can configure group rights for them, as described
in Configuring Group Rights for FireFlow Fields (on page 39).

Adding User-Defined Custom Fields


Note: You cannot add user-defined custom fields that have the same name as a built-in FireFlow field. To
view a list of built-in FireFlow fields, click Advanced Configuration > FireFlow Fields.

To add a user-defined custom field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.

3 Click User Defined Custom Fields.

The Select a Custom Field page appears.

4 In the main menu, click Create.


The Create a Custom Field page appears.

5 Complete the fields using the relevant information in Custom Field Page Fields (page 46).
6 Click Create.
Additional fields appear.
7 Complete the fields using the relevant information in Custom Field Page Fields (page 46).
8 Click Save.
If the new field is a list (that is, you chose one of the "Select" options in the Type field), and you chose to
specify which values should be included in the list in the Values area of this page (that is, you chose
Provide list of values below in the Field values source field), additional fields appear in the Value area.
Do any of the following:
To add more values to the list, do the following for each value you want to add:
1. Complete the new fields using the relevant information in Create a Custom Field Page Fields
(page 46).
2. Click Save.
The value is added, and additional fields appear in the Value area.
To delete existing values from the list, do the following:
1. Select the check box next to each value you want to delete.
2. Click Save.
The specified values are deleted.
The new field appears throughout the FireFlow user interface.
Note: By default, all user groups (including the Unprivileged group) are granted SeeCustomField and
ModifyCustomField rights for the new custom field, except for the Read-Only group, which is granted only
SeeCustomField rights. The Admin group is also granted AdminCustomField rights for the new custom
field. If you would like to modify group rights for the new custom field, see Configuring Group Rights for
User-Defined Custom Fields (on page 37).
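
As an added illustration (not FireFlow code), the Python below models the default grants from the note above and reviews them for least privilege. It assumes a user's rights for a field are the union of the rights of every group the user belongs to; the group list and the field name "Budget Number" are constructed, and the function names are hypothetical.

```python
SEE = "SeeCustomField"
MODIFY = "ModifyCustomField"
ADMIN = "AdminCustomField"

# System groups that contain requestors (Everyone covers all users,
# Unprivileged represents requestors).
REQUESTOR_GROUPS = {"Everyone", "Unprivileged"}

# Constructed group list: system groups plus the pre-defined groups named
# in this guide.
GROUPS = ["Everyone", "Privileged", "Unprivileged", "Admin",
          "Network", "Security", "Controllers", "Read-Only"]


def default_rights(groups):
    """Rights a newly created user-defined custom field starts with."""
    rights = {g: ({SEE} if g == "Read-Only" else {SEE, MODIFY}) for g in groups}
    if "Admin" in rights:
        rights["Admin"].add(ADMIN)
    return rights


def effective(member_of, rights):
    """Union of the rights of every group the user belongs to (assumption)."""
    granted = set()
    for group in member_of:
        granted |= rights.get(group, set())
    return granted


def review(field, rights, requestor_editable=False):
    """Return (field, group, issue) tuples for grants worth revisiting."""
    issues = []
    for group in sorted(rights):
        granted = rights[group]
        if MODIFY in granted and group in REQUESTOR_GROUPS and not requestor_editable:
            issues.append((field, group, "requestors can change the value"))
        if MODIFY in granted and SEE not in granted:
            issues.append((field, group, "can modify the value without seeing it"))
        if ADMIN in granted and group != "Admin":
            issues.append((field, group, "can change the field definition"))
    return issues


def restrict_requestors(rights):
    """Copy of rights in which requestor groups keep only SeeCustomField."""
    return {g: (r & {SEE} if g in REQUESTOR_GROUPS else set(r))
            for g, r in rights.items()}


if __name__ == "__main__":
    defaults = default_rights(GROUPS)
    for issue in review("Budget Number", defaults):
        print(issue)
    tightened = restrict_requestors(defaults)
    print(sorted(effective({"Everyone", "Unprivileged"}, tightened)))
    print(sorted(effective({"Everyone", "Privileged", "Network"}, tightened)))
```

Pass requestor_editable=True for fields that requestors are meant to fill in, such as a field they complete when creating a change request.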
Custom Field Page Fields
In this field...

Do this...

Name

Type a name to represent the field internally.


This field is mandatory and must be filled in with a unique value containing any of the
following: letters, digits, hyphen, underscore, dots, and spaces.
Note that this is not the name that users will see in the FireFlow interface.

Description

Type a description of the field.


This description will appear as a tooltip, when you mouse-over the custom field's name
in the Create Change Request page.

Display Name

Type the name that should represent the field in the FireFlow interface.

Category

Select the field's category. This can be any of the following:


additional. Allows creating a custom field for change requests, users, or user groups.
additional for object. Allows creating a custom field for each object change in an
object change request. For example, select this category if you want to add a
comment field to each object change in a change request.
additional for traffic. Allows creating a custom field for each traffic change in a
traffic change request. For example, select this category if you want to add a
comment field to each line of traffic in a change request.
additional for source. Allows creating a custom field that appears below a traffic
change request's Source field. For example, select this category if you want to add a
comment field next to a traffic source.

additional for destination. Allows creating a custom field that appears below a traffic
change request's Destination field. For example, select this category if you want to
add a comment field next to a traffic destination.
additional for service. Allows creating a custom field that appears below a traffic
change request's Service field. For example, select this category if you want to add a
comment field next to a traffic service.

Type

Select the field's type. This can be any of the following:


Fill in one wikitext area. Allows entering multi-line blocks of wikitext
Upload one image. Allows uploading one image file
Upload multiple images. Allows uploading multiple image files
Select date. Allows selecting a date
Upload one file. Allows uploading one file
Upload multiple files. Allows uploading multiple files
Text-1. Allows entering a large block of text
Select one value. Allows selecting one value from a list
Enter one value. Allows entering one line of text in the field
Enter multiple values (one per line). Allows entering multiple values in the field,
each one on a separate line
Select or enter one value. Allows selecting one value from a list or entering one
value
Select one value from drop down. Allows selecting one value from a drop-down list
Select multiple values using control key. Allows selecting multiple values from a
list, by pressing Ctrl while clicking on the desired values
Enter one value with autocompletion. Allows entering one value that is automatically
completed
Enter multiple values with autocompletion. Allows entering multiple values that are
automatically completed

Field values source

If the new field is a list (that is, you chose one of the "Select" options in the Type field),
select the source of the values that should appear in the list. This can be any of the
following:
Provide list of values below. The list of values specified in the Value area at the
bottom of this page
Firewall names
Firewall hostgroup names
Firewall service group names
Available Workflows

Applies To

Select one of the following:


Change Requests. The custom field should appear in change requests.
Users. The custom field should appear for users.
Groups. The custom field should appear for user groups.

Link values to

If you want the field's value to link to a Web page, enter the URL that should open upon
clicking the link.
The URL can include parameters, which FireFlow will replace as follows:
FireFlow will replace this parameter...

With this...

__id__

The record ID

__CustomField__

The custom field's value

For example, if you specify the URL


https://Third-party_system/show_ticket?id=__CustomField__,
then the field's value will be a link. If the field's value for a specific change request is
123, then clicking on the link will open a browser displaying the Web page
https://3rd_party_system/show_ticket?id=123.
Include page

If you want the field to display a Web page, enter the URL of the desired Web page.
The URL can include the same parameters as Link values to.
For example, if you specify the URL
https://Third-party_system/show_ticket?id=__CustomField__,
and the field's value for a specific change request is 123, then the field will display the
Web page https://3rd_party_system/show_ticket?id=123.

Default Value

Type a default value for the field.


Note: FireFlow does not check whether the specified default value is valid for the field.

Validation

Select the form of validation to perform for this field. This can be any of the following:
(?#Mandatory). The field is mandatory. FireFlow will require this field to be filled
in.
(?#Digits).^[\d\.]+$. The field's value must be a number.
(?#Year).^[12]\d{3}$. The field's value must be a year.
None. To specify that FireFlow should not perform validation for the field, do not
select a value.

Hide custom field if it has empty value

Select this option to indicate that the custom field should only appear in the FireFlow
interface if it has a value.

Enabled

Select this check box to enable the field.


If you do not enable the field, it will not appear in the FireFlow user interface.

Values

If the new field is a list (that is, you chose one of the "Select" options in the Type field),
and you chose to specify which values should be included in the list in the Values area of
this page (that is, you chose Provide list of values below in the Field values source field),
then specify the desired values using the fields in this area.

Sort

Type a whole number indicating the value's position in the list. For example, if the value
should appear first in the list, type 1.

Name

Type the name of the value.

Description

Type a description of the value.
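
The Link values to, Include page and Validation fields described above interact: whatever a user types into the field ends up inside a URL. The Python below is an added example, not FireFlow code, that checks a URL template and a field value before building the link. It assumes plain text replacement of `__id__` and `__CustomField__`, reads `(?#Digits)` and `(?#Year)` as regex comment labels in front of the patterns `^[\d\.]+$` and `^[12]\d{3}$`, and uses the constructed host `tickets.example.com`; the function names are hypothetical.

```python
import re
from urllib.parse import quote, urlsplit

# Validation patterns from the table. "(?#...)" is a regex comment, so only
# the text after it constrains the value. Assumption: the pattern is matched
# against the field's whole value.
VALIDATORS = {
    "Mandatory": re.compile(r"(?#Mandatory)."),
    "Digits": re.compile(r"(?#Digits)^[\d\.]+$"),
    "Year": re.compile(r"(?#Year)^[12]\d{3}$"),
}
PLACEHOLDERS = ("__id__", "__CustomField__")

# Constructed template (tickets.example.com is a placeholder host).
TEMPLATE = "https://tickets.example.com/show_ticket?id=__CustomField__&cr=__id__"


def passes(validation, value):
    """True if value satisfies the named validation pattern."""
    return VALIDATORS[validation].search(value) is not None


def template_findings(template):
    """Review a 'Link values to' or 'Include page' URL template.

    An empty list means a substituted value cannot alter the scheme or host.
    """
    parts = urlsplit(template)
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    for name in PLACEHOLDERS:
        if name in parts.scheme or name in parts.netloc:
            findings.append(name + " can change the scheme or host")
    return findings


def expand(template, record_id, value):
    """Substitute both parameters, percent-encoding each one so it stays a
    single URL component. The encoding is this example's choice; the guide
    does not say how FireFlow treats special characters."""
    url = template.replace("__id__", quote(str(record_id), safe=""))
    return url.replace("__CustomField__", quote(value, safe=""))


def link_for(template, record_id, value, validation="Digits"):
    """Return the link for a field value, or None if it should not be built."""
    if template_findings(template) or not passes(validation, value):
        return None
    return expand(template, record_id, value)


if __name__ == "__main__":
    # Constructed field values, including ones a "number" check might surprise on.
    for value in ("123", "1.2.3", "...", "123&admin=1", ""):
        print(repr(value), passes("Digits", value), link_for(TEMPLATE, 42, value))
    print(passes("Year", "2012"), passes("Year", "3012"), passes("Mandatory", " "))
    print(template_findings("https://__CustomField__/show_ticket"))
```

The Digits pattern accepts any mix of digits and dots, so values such as "1.2.3" or "..." pass; the system behind the link should still validate the identifier it receives.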

Editing User-Defined Custom Fields


To edit an existing user-defined custom field
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.
4 Click on the desired field's name.
The Editing Custom Field page appears.

5 Modify the fields as desired, using the information in Custom Field Page Fields (page 46).
6 Click Save.

Editing FireFlow Fields


For the FireFlow fields, you may change only the display name and description. Any other change will
cause FireFlow to behave unpredictably.

To edit a FireFlow field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).

2 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.

3 Click FireFlow Fields.


The Select a FireFlow Field page appears.


4 Click on the desired custom field's name.


The Editing Custom Field page appears.
5 In the Description field, type a description of the custom field.
This description will appear as a tooltip, when you mouse-over the custom field's name in the Create
Change Request page.
6 In the Display Name field, type the name that should represent the field in the FireFlow interface.
7 Click Save.

Disabling User-Defined Custom Fields


If desired, you can disable a user-defined custom field, so that it no longer appears in the FireFlow interface.
Note: Values that were entered for a custom field before it was disabled are retained in the FireFlow
database.

To disable an existing user-defined custom field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.
4 (Optional) To filter the displayed fields, do the following:
a) In the Only show custom fields for area, select the desired option in the drop-down list.
b) Click Go.
The fields matching the filter criteria are displayed.
5 Click on the desired field's name.
The Editing Custom Field page appears.
6 Clear the Enabled check box.
7 Click Save.

Enabling User-Defined Custom Fields


You can re-enable a disabled user-defined custom field.

To enable a user-defined custom field


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.

4 Select the Include disabled custom fields in listing check box.


5 (Optional) To filter the displayed fields, in the Only show custom fields for area, select the desired option
in the drop-down list.
6 Click Go.
7 Click on the desired field's name.
The Editing Custom Field page appears.
8 Select the Enabled check box.
9 Click Save.

Configuring the Order of User-Defined Custom Fields


When multiple user-defined custom fields are defined for change requests, you can configure the order in
which they should appear in change requests.

To configure the order of user-defined custom fields in change requests


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click User Defined Custom Fields.
The Select a Custom Field page appears.
4 In the main menu, click Order.
The Order Custom Fields page appears with all user-defined custom fields, divided according to
category: custom fields for change requests, services, traffic requests, object requests, users, and groups.


Within each category, the fields are listed in the order that they will appear in the FireFlow Web
interface.

5 In each category, do one or more of the following:


To move a custom field up in the list, click Move up next to it.
To move a custom field down in the list, click Move down next to it.
Note: These links only appear when there is more than one custom field in the category.
The fields will appear in the specified order.


CHAPTER 8

Customizing the Source, Destination, and Service Wizards
When defining traffic in a request or change request, users can select objects in the Source Wizard,
Destination Wizard, and Service Wizard. This section explains how to customize these wizards in the
following ways:

Customize the list of suggested sources/destinations in the Source Wizard/Destination Wizard's Suggested tab
Customize the list of common services in the Service Wizard's Common tab
Control whether the Source Wizard/Destination Wizard's Suggested and Firewall Object tabs and the
Services Wizard's Common tab appear for different types of users

In This Chapter
Customizing the Suggested Sources/Destinations List ...... 55
Customizing the Common Services List ............................ 56
Controlling Whether Wizard Tabs Appear ........................ 57

Customizing the Suggested Sources/Destinations List


When defining traffic in a request or change request, double-clicking in the Source or Destination field
opens the Choose Source Wizard or Choose Destination Wizard. The Suggested tab of these wizards displays
a list of suggested sources/destinations, for example "email server" or "my computer", enabling the user to
specify a source/destination without knowing its IP address.

You can customize this list as desired, and even remove the Suggested tab entirely.

To customize the suggested sources/destinations list


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/, locate the file
SuggestedAddressObjects_Config.xml.


Note: This is the original suggested sources/destinations list file, and it can be used to revert to defaults,
as needed. Do not modify this file.
3 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original
file into an override file that is also called SuggestedAddressObjects_Config.xml.
4 Open the override file.
5 To add a suggested source/destination to the list, add the following tags, anywhere between <objects>
and </objects>:
<object name="objectName">
<value>objectValue</value>
</object>

Where:
objectName is the source/destination name that should appear in the Suggested list.
objectValue is the value to which FireFlow should resolve the source/destination name.
For example, to add the source/destination "lab", which FireFlow should resolve to IP address
192.168.2.0/24, add the following:
<object name="lab">
<value>192.168.2.0/24</value>
</object>

Note: The source/destination "my computer" is built-in. FireFlow resolves it to the IP address of the
user's computer, which FireFlow automatically detects from the browser.
6 To remove a suggested source/destination from the list, delete the relevant tags.
7 To remove the Suggested tab from the wizards, delete the contents of this file.
8 Save the override file.
9 Restart FireFlow.
See Restarting FireFlow (on page 11).
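
One way to check an override file before restarting FireFlow, as an added example that is not part of the AlgoSec guide or product: it parses the <objects> list and reports entries a reviewer should look at. It assumes every value is a single IP address or CIDR block; the function name, the sample entries other than "lab", and the /16 size threshold are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample override file (not shipped with FireFlow); only the
# first "lab" entry comes from the guide.
SAMPLE_OVERRIDE = """\
<objects>
  <object name="lab">
    <value>192.168.2.0/24</value>
  </object>
  <object name="email server">
    <value>10.1.1.25</value>
  </object>
  <object name="everything">
    <value>0.0.0.0/0</value>
  </object>
  <object name="typo net">
    <value>192.168.2.0/33</value>
  </object>
  <object name="lab">
    <value>192.168.3.7/24</value>
  </object>
</objects>
"""

# Hypothetical site policy: a suggested object wider than a /16 needs review.
MAX_ADDRESSES = 2 ** 16


def check_suggested_objects(xml_text, max_addresses=MAX_ADDRESSES):
    """Return (object name, finding) tuples for an override file's content."""
    if not xml_text.strip():
        # Per the guide, an empty file removes the Suggested tab: nothing to check.
        return []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<file>", f"not well-formed XML: {exc}")]
    if root.tag != "objects":
        return [("<file>", f"root element is <{root.tag}>, expected <objects>")]

    findings = []
    seen = set()
    for obj in root.iter("object"):
        name = (obj.get("name") or "").strip() or "<unnamed>"
        if name == "<unnamed>":
            findings.append((name, "missing or empty name attribute"))
        elif name in seen:
            findings.append((name, "duplicate name"))
        seen.add(name)

        value = (obj.findtext("value") or "").strip()
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((name, f"value {value!r} is not an IP address or CIDR block"))
            continue
        # A value such as 192.168.3.7/24 names a host but carries a network mask.
        if "/" in value and ipaddress.ip_interface(value).ip != net.network_address:
            findings.append((name, f"host bits set in {value}; as a network it is {net}"))
        if net.num_addresses > max_addresses:
            findings.append((name, f"{net} covers {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for name, finding in check_suggested_objects(SAMPLE_OVERRIDE):
        print(f"{name}: {finding}")
```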

Customizing the Common Services List


When defining traffic in a request or change request, double-clicking in the Choose Service field opens the
Service Wizard. The Common tab of this wizard displays a list of common services, for example "http" or
"all_tcp_ports", enabling the user to specify a service without knowing its protocol or port.


You can customize this list as desired, by adding, editing, and deleting custom services in AlgoSec Firewall
Analyzer. For instructions, refer to the AlgoSec Firewall Analyzer User Guide.

Controlling Whether Wizard Tabs Appear


You can control whether the Source Wizard/Destination Wizard's Suggested and Firewall Object tabs and the
Services Wizard's Common tab appear for various types of users, including:

Privileged users
See Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors (on page 57).
Requestors
See Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors (on page 57).
Anonymous users using the No-Login Web form
See Controlling Whether Wizard Tabs Appear in the No-Login Form (on page 60).

By default, these tabs appear for all types of users.

Controlling Whether Wizard Tabs Appear for Privileged Users and Requestors
To control whether tabs appear for privileged users and requestors
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.

3 Click Global.
The Admin/Global configuration page appears.

4 Click Group Rights.


The Modify global group rights page appears.

5 Locate the desired user group.


Note: For requestors, the relevant group is Unprivileged.
6 To allow users in this user group to view tabs, do any of the following in the New rights list box next to
the group:
To allow users in this group to view the Source/Destination Wizard's Suggested tab, select
SeeSuggestedAddressObjects.
To allow users in this group to view the Source/Destination Wizard's Firewall Object tab, select
SeeFirewallAddressObjects.
To allow users in this group to view the Services Wizard's Common tab, select
SeeCommonServiceObjects.
To select multiple rights, press Ctrl while you click on the desired rights.
7 To prevent users in this user group from viewing tabs, do any of the following in the Current rights area
under the group:
To prevent users in this group from viewing the Source/Destination Wizard's Suggested tab, select
the SeeSuggestedAddressObjects check box.
To prevent users in this group from viewing the Source/Destination Wizard's Firewall Object tab,
select the SeeFirewallAddressObjects check box.
To prevent users in this group from viewing the Services Wizard's Common tab, select the
SeeCommonServiceObjects check box.
8 Click Modify Group Rights.


Controlling Whether Wizard Tabs Appear in the No-Login Form


To control whether wizard tabs appear in the No-Login Web form
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/, open the file FireFlow_Config.pm.
Note: This is the original system settings file, and it is required for reverting to system default settings.
Do not modify this file.
3 Under the directory /usr/share/fireflow/local/etc/site/, open the
FireFlow_SiteConfig.pm override file.
Note: If this file does not exist, create it as described in Overriding System Default Settings (on page
199).
4 Copy the following configuration items from the FireFlow_Config.pm file into the
FireFlow_SiteConfig.pm file:
To control whether the Source/Destination Wizard's Suggested tab appears, copy the configuration
item AllowAnonymousUserSeeSuggestedAddressObjects.
To control whether the Source/Destination Wizard's Firewall Object tab appears, copy the
configuration item AllowAnonymousUserSeeFirewallAddressObjects.
To control whether the Services Wizard's Common tab appears, copy the configuration item
AllowAnonymousUserSeeCommonServiceObjects.

5 In the FireFlow_SiteConfig.pm file, set these configuration items' values to one of the following:
1 - Display this tab. This is the default.
0 - Do not display this tab.
For example, to remove the Common tab, set the configuration item as follows:
Set($AllowAnonymousUserSeeCommonServiceObjects, 0);

6 Close the file FireFlow_Config.pm.


Note: Do not save changes to this file.
7 Save the file FireFlow_SiteConfig.pm.
8 Restart FireFlow.
See Restarting FireFlow (on page 11).


CHAPTER 9

Configuring Change Request Creation from File
This section explains how to configure change request creation from file.

In This Chapter
Overview ............................................................................ 61
Configuring Change Request Creation from File ............... 62
Disabling Change Request Creation from File................... 64

Overview
Requestors can create new change requests from files attached to change requests. The process is as follows:
1 The requestor chooses a request template that supports creating change requests from file, such as
FireFlow's built-in sample template "240: Sample - Upload change requests from Excel". The requestor
then attaches a file specifying the desired change's details.
Note: In order to support creating change requests from file, a request template's Create change requests
from file field must be set to "Yes", and the Request Type field must be set to "Traffic Change".
2 The requestor submits the change request.
3 FireFlow runs a parsing script that converts the attached file to XML format.
If the parsing script is configured for single change request creation, then all traffic lines in the file are
interpreted as multiple traffic lines in a single change request. If the script is configured for multiple
change request creation, then each traffic line in the file is interpreted as a separate change request (and
the change requests will all be linked to each other via their Depends On field).
4 FireFlow converts the XML to one or more change requests.
By default, FireFlow uses an out-of-the-box parsing script,
/usr/share/fireflow/local/bin/parse_excel_example.pl, which supports creating multiple
change requests from file, where all of the change request data is on a single worksheet and the file format is
one of the following:

xls (Microsoft Excel up to 2003)
xlsx (Microsoft Excel 2007 and up)
sxc (OpenOffice 1.0 Spreadsheet)
ods (OpenOffice Spreadsheet)
csv (Comma-separated text values)

If desired, you can configure change request creation from file in the following ways:

Enable the creation of change requests from files in additional formats


Configure whether multiple or single change requests are created from each file

Enable/disable file validity enforcement


By default, FireFlow automatically checks uploaded files for errors. If an error is detected in a file,
FireFlow alerts the requestor and halts change request creation for this file, until the error has been fixed.
If desired, you can disable validity enforcement, in which case change requests will be created only from
valid lines in the file.
Enable/disable automatic change request creation
By default, FireFlow automatically creates change requests from uploaded files. If desired, you can
require change request creation to be triggered manually later in the change request workflow, when a
certain button is clicked. For information on how to perform this customization, contact AlgoSec
Support.
Disable change request creation from file (both automatic and manual)

You can view a sample worksheet filled with data that is expected by the out-of-the-box parsing script under
/usr/share/fireflow/local/extras/Firewall Rules Request Example.xls.

Configuring Change Request Creation from File


Note: If you are using multiple parsing scripts, you must perform this procedure for each script.

To configure change request creation from file


1 To enable the creation of change requests from files in a format that is not supported by the default
parsing script, obtain a custom parsing script from AlgoSec Professional Services.
2 Log in to the FireFlow server using the username "root" and the related password.
3 Do one of the following:
To work with the default parsing script, copy parse_excel_example.pl from
/usr/share/fireflow/local/bin/ to /usr/share/fireflow/local/etc/site/bin/.
To work with a custom parsing script, save the custom script under
/usr/share/fireflow/local/etc/site/bin.
4 Give the parsing script execute permissions, by running the following command:
chmod a+x [script-name]
Where script-name is the name of the parsing script.
5 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
6 Locate the configuration item AttachmentParsingScripts, and set it to the path of the parsing
script.
For example:
Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" =>
["xls", "xlsx", "sxc", "ods", "csv"],});

If you have multiple parsing scripts, add them as follows:


Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" =>
["xls", "xlsx", "sxc", "ods", "csv"],
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script2.pl" =>
["xml"],});


7 To enable/disable automatic creation of change requests from files, do the following:


a) Add the configuration item AutoCreateTicketsFromAttachments.
b) Do one of the following:
To enable automatic creation of change requests from uploaded files, set the configuration item's
value to 1.
This is the default value.
To require manual triggering of change request creation from uploaded files, set the
configuration item's value to 0.
For example, the following enables automatic creation of change requests from file:
Set($AutoCreateTicketsFromAttachments,'1');

8 To enable/disable validity enforcement for uploaded files, do the following:


a) Add the configuration item ForceValidAttachmentsBeforeCreateTickets.
b) Do one of the following:
To enable validity enforcement of uploaded files, set the configuration item's value to 1.
This is the default value.
To disable validity enforcement of uploaded files, set the configuration item's value to 0.
For example, the following enables validity enforcement of uploaded files:
Set($ForceValidAttachmentsBeforeCreateTickets,'1');

9 Save the file.


10 To configure whether multiple change requests or a single change request is created from a file, do the
following:
a) Under /usr/share/fireflow/local/etc/site/bin/, open the parsing script.
b) Locate the following lines:
# In this example: Multiple tickets mode
my $mode = $MULTIPLE_TICKETS_MODE;
# Set mode to $SINGLE_TICKETS_MODE if you wish to work in single ticket mode
# my $mode = $SINGLE_TICKETS_MODE;

c) Uncomment the my $mode line that reflects the mode you want to use, and comment the my $mode
line that reflects the mode you do not want to use.
d) For example, to create a single change request from file, modify the lines as follows:
# In this example: Multiple tickets mode
# my $mode = $MULTIPLE_TICKETS_MODE;
# Set mode to $SINGLE_TICKETS_MODE if you wish to work in single ticket mode
my $mode = $SINGLE_TICKETS_MODE;

11 Save the script.


12 Restart FireFlow.
See Restarting FireFlow (on page 11).
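
A review aid for the two FireFlow_SiteConfig.pm procedures on this page (the No-Login tab items and the attachment parsing settings), added here and not part of the AlgoSec guide or product. It parses only the Set() forms the guide shows; the function names, the sample file, and the permission policy (script inside site/bin, executable, not writable by group or others) are assumptions of this example.

```python
import os
import re
import stat

# Directory in which the guide says to keep parsing scripts.
SITE_BIN = "/usr/share/fireflow/local/etc/site/bin/"

# No-Login form items named in the guide; each defaults to 1 (tab displayed).
ANON_ITEMS = (
    "AllowAnonymousUserSeeSuggestedAddressObjects",
    "AllowAnonymousUserSeeFirewallAddressObjects",
    "AllowAnonymousUserSeeCommonServiceObjects",
)

# Constructed sample of a FireFlow_SiteConfig.pm override file.
SAMPLE_SITE_CONFIG = """\
Set($AllowAnonymousUserSeeCommonServiceObjects, 0);
Set($AutoCreateTicketsFromAttachments,'1');
Set($ForceValidAttachmentsBeforeCreateTickets,'0');
Set($AttachmentParsingScripts, {
"/usr/share/fireflow/local/etc/site/bin/custom_parsing_script1.pl" =>
["xls", "xlsx", "sxc", "ods", "csv"],
"/tmp/custom_parsing_script2.pl" =>
["xml"],});
"""

SET_RE = re.compile(r"Set\(\s*\$(\w+)\s*,\s*(.*?)\s*\)\s*;", re.S)
PAIR_RE = re.compile(r"""["']([^"']+)["']\s*=>\s*\[([^\]]*)\]""")


def parse_site_config(text):
    """Return {item: value} for the Set($Item, value); forms the guide shows."""
    # Drop Perl comment lines so commented-out Set() calls are ignored.
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )
    items = {}
    for name, raw in SET_RE.findall(body):
        if raw.startswith("{"):
            # Hash form: script path => list of file extensions.
            items[name] = {
                path: re.findall(r"""["'](\w+)["']""", exts)
                for path, exts in PAIR_RE.findall(raw)
            }
        else:
            items[name] = raw.strip("'\"")
    return items


def audit_site_config(text, site_bin=SITE_BIN):
    """Return (item or script path, finding) tuples for a reviewer."""
    cfg = parse_site_config(text)
    findings = []
    for item in ANON_ITEMS:
        if cfg.get(item, "1") != "0":
            findings.append((item, "tab is shown to anonymous No-Login users"))

    # An absent item means the system default applies; it is not audited here.
    scripts = cfg.get("AttachmentParsingScripts", {})
    if scripts and cfg.get("ForceValidAttachmentsBeforeCreateTickets", "1") == "0":
        findings.append((
            "ForceValidAttachmentsBeforeCreateTickets",
            "validity enforcement is off: change requests are created from the valid lines only",
        ))

    claimed = {}
    prefix = os.path.normpath(site_bin) + os.sep
    for path, exts in scripts.items():
        if not os.path.normpath(path).startswith(prefix):
            findings.append((path, "script is outside " + site_bin))
        for ext in exts:
            if ext in claimed:
                findings.append((path, f"extension {ext} already mapped to {claimed[ext]}"))
            claimed.setdefault(ext, path)
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append((path, "script not found"))
            continue
        if not mode & stat.S_IXUSR:
            findings.append((path, "script is not executable"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "script is writable by group or others"))
    return findings


if __name__ == "__main__":
    for item, finding in audit_site_config(SAMPLE_SITE_CONFIG):
        print(f"{item}: {finding}")
```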


Disabling Change Request Creation from File


To disable change request creation from file
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Locate the configuration item AttachmentParsingScripts, and remove the parsing script(s) from
it, as follows:
Set($AttachmentParsingScripts, {});

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).


CHAPTER 10

Modifying FireFlow Email Templates


This section explains how to modify the email templates on which FireFlow bases the emails it sends to
users.

In This Chapter
Overview ............................................................................ 65
Modifying Email Templates ............................................... 66

Overview
FireFlow sends emails to users upon various events in the change request lifecycle. It uses the following
set of templates to create the emails' content.
FireFlow Templates

| This template... | Is used to send emails to... | And is used when... |
|---|---|---|
| Transaction | Change request owners | A reply is written for an item in a change request's history. A comment is written for an item in a change request's history. A change request's owner is changed. |
| Correspondence | Requestors | A reply is written for an item in a change request's history. |
| Resolved | Requestors | A change request is resolved. |
| Autoreply | Requestors | A new change request is created. |
| Notify External System Ticket Close | An external Change Management System (CMS) | A change request is resolved. |

If desired, you can modify these templates.


Note: Other templates appear in the FireFlow interface; however, they are not used for FireFlow emails and
should therefore be ignored.
Note: It is possible to customize which events trigger email sending and to whom the emails are sent. For
further information, contact AlgoSec.


Modifying Email Templates


To modify an email template
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

3 Click Global.


The Admin/Global configuration page appears.

4 Click Email Templates.


The Modify templates which apply to all queues page appears.

5 Click on the name of the desired template.


The Modify template page appears.

6 In the Content field, type the template's content.


You can use variables in the template. For a list of popular variables and their explanations, see Email
Template Variables (page 69).
Note: Do not modify the Name and Description fields.
Note: The email template variables that include Perl code (appearing in curly braces {}) are subject to
Perl syntax.
7 To reset the template to its default settings, click Reset.
8 Click Update.
Email Template Variables

| This variable... | Represents... | For example... |
|---|---|---|
| {$Ticket->id} | The change request ID number | 364 |
| {$Ticket->Subject} | The change request subject | Need to open device ports for project Armageddon |
| {$Ticket->Status} | The change request status | plan |
| {$Ticket->RequestorAddresses} | The requestor's email address | john.doe@mycompany.com |
| {$Ticket->OwnerObj->Name} | The change request owner's username | ned.netop |
| {$Ticket->getTicketAsXML()} | The change request in XML format (a flat ticket) | See Flat Ticket Example (on page 116). |
| {$RT::WebURL}Ticket/Display.html?id={$Ticket->id} | The URL at which the change request is displayed | https://fireflow-demo.algosec.com/FireFlow/Ticket/Display.html?id=136 |
| {$Transaction->CreatedAsString} | The date and time at which the email is sent | Mon Nov 17 16:58:44 2008 |

CHAPTER 11

Working with Workflows in VisualFlow


This section explains how to add, edit, and delete workflows in VisualFlow. It also explains how to modify
the set of conditions determining when each workflow should be assigned.
VisualFlow is the new and recommended method of working with workflows.

In This Chapter
Overview ............................................................................ 71
About VisualFlow .............................................................. 73
Getting Started with VisualFlow ........................................ 74
Adding Workflows ............................................................. 78
Workflow Condition Syntax .............................................. 81
Editing Workflows ............................................................. 87
Working with Statuses........................................................ 87
Working with Actions ........................................................ 95
Working with SLAs ........................................................... 129
Reordering Workflows ....................................................... 133
Setting the Default Workflow ............................................ 133
Deleting Workflows ........................................................... 133
Viewing the Workflow XML ............................................. 134
Installing Workflows .......................................................... 134
Discarding Workflow Changes .......................................... 135
Examples ............................................................................ 136

Overview
FireFlow assigns each change request to a workflow that controls the change request's lifecycle, including
the actions that can be performed on the change request, the behavior associated with each action, and the
possible change request statuses. In order to determine which workflow to use for a change request,
FireFlow performs the following steps:
1 FireFlow refers to the template that the requestor selected for the change request.
2 If the template specifies a workflow, FireFlow assigns the change request to that workflow.
3 If the template does not specify a workflow, then FireFlow refers to a set of conditions that determine
which workflow should be assigned.
4 If FireFlow fails to assign a workflow based on the set of conditions, then FireFlow assigns the change
request to the default workflow (which, by default, is the Standard workflow).


FireFlow comes with the following set of built-in workflows, located under
/usr/share/fireflow/local/etc/Workflows/:
Built-In Workflows

| Workflow | File Name | Description | Lifecycle Stages |
|---|---|---|---|
| Standard | Standard_Config.xml | This is the default workflow, resulting in the default change request lifecycle. Used by traffic change requests. | Request, Plan, Approve, Implement, Validate, Match, Resolved, Audit |
| Generic | Generic_Config.xml | This workflow is used for change requests that are not related to traffic. As such, no device change planning or matching of device changes to the change request are required, and these stages (Plan and Match) are omitted. | Request, Approve, Implement, Validate, Resolved, Audit |
| Multi-Approval | Multi-Approval_Config.xml | This workflow is used for change requests that require approval from multiple users. It therefore includes an extra stage (Review) that is performed by a controller user. | Request, Plan, Approve, Review, Implement, Validate, Match, Resolved, Audit |
| Parallel-Approval | Parallel-Approval_Config.xml | This workflow is used for change requests that require approval from two users in parallel. It therefore includes an extra change request approval stage called Review that is performed by a controller. | Request, Plan, Approve, Review, Implement, Validate, Resolved, Audit |
| Change-Object | Change-Object_Config.xml | This workflow is used for change requests for modifying device objects. | Request, Approve, Implement, Validate, Resolved, Audit |
| Rule-Removal | Rule-Removal_Config.xml | This workflow is used for change requests that are for removing device rules. | Request, Approve, Implement, Validate, Resolved |
| Web-Filter | Web-Filter_Config.xml | This workflow is used for change requests that are for filtering Web connections. It is relevant for Blue Coat devices only. | Request, Plan, Approve, Implement, Validate, Match, Resolved, Audit |
| Request-Recertification | Request-Recertification_Config.xml | This workflow is used to determine whether an Allow rule that was added to a device policy as the result of an expired traffic change request is still relevant. If the rule is no longer relevant, a rule removal request is created to remove it. | Request, Approve, Implement, Validate, Resolved, Audit |

You cannot modify the built-in workflows; however, you can create new ones as desired. For your
convenience, FireFlow allows you to create variations of existing workflows (both built-in and custom
ones), by duplicating the relevant workflow and then modifying it.
Furthermore, you can modify the set of conditions determining which workflow should be assigned, when
the template does not specify a workflow.
You can work with workflows in the following ways:

By using VisualFlow, an interface that is accessible from FireFlow (highly recommended)


By working directly with workflow XML files (not recommended, as manual changes may be
overwritten by VisualFlow, if performed incorrectly)

This section explains how to work with workflows using VisualFlow. For information on working with
workflows via XML, see Working with Workflows via XML (on page 143).

About VisualFlow
VisualFlow enables you to add, edit, and delete custom workflows in a Web interface, without any need to
manually edit the workflow XML files.
All workflow changes are saved locally as drafts. In order for the changes to take effect, you must install the
workflows on FireFlow. The changes are exported to the workflow XML files (overwriting the existing
settings), which are then imported to FireFlow. See Installing Workflows (on page 134).
If you have not yet installed your changes, you can choose to discard them. VisualFlow will be refreshed
from the existing workflow XML files. See Discarding Workflow Changes (on page 135).


Getting Started with VisualFlow


This section contains all the information you need in order to get started using VisualFlow.

Accessing VisualFlow
To access VisualFlow
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

3 Click VisualFlow.


VisualFlow opens in a new browser tab, displaying the List of Workflows page.

The VisualFlow User Interface


The VisualFlow user interface consists of the following major elements:

Main menu. Used for navigating between the VisualFlow pages.


Workspace. Displays the VisualFlow page selected in the main menu. When viewing a specific
workflow, the workspace includes the workflow's layout. See Viewing Workflow Layouts (on page 76).
When domains are enabled, there is a Domains column in the workflows list.


Toolbar. Displays your username and a link to information about the VisualFlow version.

Viewing Workflow Layouts


A workflow's layout is a graph that includes all actions and statuses in the workflow, each of which can be
clicked for further viewing and editing.

To view a workflow layout

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details, and the Layout area displays the workflow's
layout.


For information on the various layout elements, click Show legend or see the following table.
3 To zoom in, click the icon.
The workflow layout is magnified. Use the scroll bar to view the desired part of the layout.
4 To zoom out, click the icon.
The workflow layout returns to its regular size.
5 To print the workflow layout:
a) Click
.
The workflow layout opens in a new tab.
b) Use your browser's Print button to print the layout.
6 To view only the layout elements that are related to a specific action or status, click on the desired
action/status.
The Edit Action or Edit Status page appears, and the Layout area displays only those elements that are
directly related to the selected action/status.

Workflow Layout Elements


This element...

Represents...
A single workflow stage.

A status.
Click to edit the status's details.
A status that is currently being edited.

An action.

An action that is currently being edited.


Indicates that an action can be clicked for editing.

Indicates that an action cannot be clicked for editing.


A conditional action.

A parallel action.

Accessing Online Help


To access online help

At the top of the workspace, click Help.


The online help opens.

Exiting VisualFlow
To exit VisualFlow

Close the browser tab.

Adding Workflows
Adding new workflows is done by creating a copy of an existing workflow and then modifying the copy.

To add a custom workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears. When domains are enabled, there is a Domains column in the
workflows list.
2 Next to an existing workflow on which you would like to base the new workflow, click Duplicate.
A confirmation message appears.
3 Click OK.
A new workflow appears at the bottom of the workflows list. Its name is
OriginalWorkflow-Copy-Number, where:
OriginalWorkflow is the name of the workflow you copied.
Number is a number used to differentiate between copies of the duplicated workflow.

For example, if you duplicated the Standard workflow, and there is already a workflow called
Standard-Copy-1, then the new workflow will be called Standard-Copy-2.

A message at the top of the screen informs you that changes have been made to the workflows.
4 Do one of the following:
Next to the new workflow, click Edit.
Click on the workflow's name.

The Edit Workflow page opens with the workflow's details.

5 In the Edit workflow details area, complete the fields using the information in Workflow Details Fields
(page 80).
When domains are enabled, there is a Domains selection box in the Edit workflow details area.
6 Click Save Draft.
7 Add, edit, and delete workflow statuses as desired.
See Working with Statuses (on page 87).
8 Add, edit, and delete workflow actions as desired.
See Working with Actions (on page 95).
9 Add, edit, and delete SLOs in the workflow's SLA as desired.
See Working with SLAs (on page 129).
Workflow Details Fields
In this field...

Do this...

Name

Type a name for the workflow.

Domains

Specify the domains in which the workflow should be available, by doing one of the
following:
To specify that the workflow should be available in all domains, select the All check
box.
To specify that the workflow should be available only in specific domains, clear the
All check box, then hold down the Ctrl key while clicking on the desired domains'
names.

Description

Type a description of the workflow.

Configuration File

Type a prefix for the workflow file name associated with this workflow. The workflow
file is named Prefix_Config.xml, where Prefix is the string you enter in this field.
By default, the prefix is the workflow's name.

Enabled

Specify whether this workflow should be enabled, by choosing one of the following:
Yes. The workflow is enabled and will appear in the FireFlow interface.
No. The workflow is disabled. It will not appear in the FireFlow interface, and no
change requests will have this workflow.
The default value is Yes.

Condition

Type the condition under which a workflow should be assigned to change requests,
when the change request's template does not specify a workflow.
For information on the required syntax, see Workflow Condition Syntax (on page 81).

Workflow Condition Syntax


A workflow's Condition field contains a query that specifies the condition under which the workflow should
be assigned to change requests. The query is composed of pairs in the following format:
field = 'value'

Where field is a supported field in FireFlow, and value is the field's value. For information on supported
fields, see Supported Fields (on page 81). For example, the following query specifies that the change
request status must be "new":
Status = 'new'

You can use != to indicate "not". For example, the following query specifies that the change request
status must not be "new":
Status != 'new'

It is possible to use Boolean operators between field-value pairs. For a list of supported operators, see
Supported Boolean Operators (on page 86). For example, the following query specifies that the change
request status must be "new", and the owner must be John Smith:
Status = 'new' AND Owner = 'John Smith'

For more intricate queries, you can use parentheses to group field-value pairs and operators. For example,
the following query specifies that the change request status must be "new" or "plan", and the owner must be
John Smith or Sue Michaels.
(Status = 'new' OR Status = 'plan') AND (Owner = 'John Smith' OR Owner = 'Sue Michaels')

Supported Fields
There are two types of supported fields:

Standard fields
These fields should be written as they appear in Standard Fields (page 82). For example:
Subject = 'Allow Web Access'

Custom fields
These fields include those listed in Custom Fields (page 84), as well as any fields added by users. They
should be used in the following format:
'CF.{field}'
Where field is the name of the custom field.
For example:
'CF.{Firewall Brand}' = 'Check Point'

Standard Fields
Field

Description

Id

The change request ID number.

Subject

The change request subject.

Content

Text that appears in the original change request description or in a comment or reply
added to the change request.

Content-Type

The file type of an attachment attached to the change request.

Filename

The filename of an attachment for the change request.

Status

The change request status.

Owner

The user who is the current change request owner.

Creator

The user who is the change request creator.

LastUpdatedBy

The user who last updated the change request.

Requestor.EmailAddress

The requestor's email address.

Requestor.Name

The requestor's username.

Requestor.RealName

The requestor's full name.

Requestor.Nickname

The requestor's nickname.

Requestor.Organization

The requestor's organization.

Requestor.Address1

The requestor's primary mailing address.

Requestor.Address2

The requestor's secondary mailing address.

Requestor.WorkPhone

The requestor's office telephone number.

Requestor.HomePhone

The requestor's home telephone number.

Requestor.MobilePhone

The requestor's mobile telephone number.

Requestor.PagerPhone

The requestor's pager telephone number.

Requestor.id

The requestor's ID.

Cc.EmailAddress

The email address of a user who receives copies of email messages for the change
request.

Cc.Name

The username of a user who receives copies of email messages for the change
request.

Cc.RealName

The full name of a user who receives copies of email messages for the change
request.

Cc.Nickname

The nickname of a user who receives copies of email messages for the change
request.

Cc.Organization

The organization of a user who receives copies of email messages for the change
request.

Cc.Address1

The primary mailing address of a user who receives copies of email messages for the
change request.

Cc.Address2

The secondary mailing address of a user who receives copies of email messages for
the change request.

Cc.WorkPhone

The office telephone number of a user who receives copies of email messages for the
change request.

Cc.HomePhone

The home telephone number of a user who receives copies of email messages for the
change request.

Cc.MobilePhone

The mobile telephone number of a user who receives copies of email messages for
the change request.

Cc.PagerPhone

The pager telephone number of a user who receives copies of email messages for the
change request.

Cc.id

The ID of a user who receives copies of email messages for the change request.

Owner.EmailAddress

The owner's email address.

Owner.Name

The owner's username.

Owner.RealName

The owner's full name.

Owner.Nickname

The owner's nickname.

Owner.Organization

The owner's organization.

Owner.Address1

The owner's primary mailing address.

Owner.Address2

The owner's secondary mailing address.

Owner.WorkPhone

The owner's office telephone number.

Owner.HomePhone

The owner's home telephone number.

Owner.MobilePhone

The owner's mobile telephone number.

Owner.PagerPhone

The owner's pager telephone number.

Owner.id

The owner's ID.

Created

The date on which the change request was created.

Resolved

The date on which the change request was resolved.

Last.Updated

The date on which the change request was last updated.

Due

The change request's due date.

Priority

The change request's priority.

RefersTo

The ID numbers of change requests to which this change request refers, separated by
spaces.

ReferredToBy

The ID numbers of change requests that refer to this change request, separated by
spaces.

Custom Fields
Field

Description

Expires

The date on which this change request will expire.

Requested Source

The IP address, IP range, network, device object, or DNS name of the connection
source, as specified in the original request.

Requested Destination

The IP address, IP range, network, device object, or DNS name of the connection
destination, as specified in the original request.

Requested Service

The device service or port for the connection, as specified in the original request.

Requested Action

The device action to perform for the connection, as specified in the original request.

Requested Source NAT

The source NAT value to which the connection's source should be translated, as
specified in the original request.

Ticket Template Name

The name of the change request's template.

Requested Destination NAT

The destination NAT value to which the connection's destination should be
translated, as specified in the original request.

Requested Port Translation

The port value to which the connection's port should be translated, as specified in the
original request.

Workflow

The workflow assigned to the change request.

Owning Group

The user group that currently owns the change request.

Requested NAT Type

The type of NAT (Static or Dynamic), as specified in the original request.

CMS ticket id

The ID number of a related change request in an external change management
system that is integrated with FireFlow.

Firewall Name

The name of the device.

Firewall IP Address

The IP address of the device.

Firewall Brand

The device vendor.

Firewall Management Server

The device management server name.

Firewall Policy

The device security policy.

Firewall Last Report

The last report generated for the device.

Firewall Last Report Date

The date and time at which the last report for this device was generated.

Change Description

The change description.

Change Source

The IP address, IP range, network, device object, or DNS name of the connection
source, as planned during the Plan stage.

Change Destination

The IP address, IP range, network, device object, or DNS name of the connection
destination, as planned during the Plan stage.

Change Service

The device service or port for the connection, as planned during the Plan stage.

Change Action

The device action to perform for the connection, as planned during the Plan stage.

Change Source NAT

The source NAT value to which the connection's source should be translated, as
planned during the Plan stage.

Change Destination NAT

The destination NAT value to which the connection's destination should be
translated, as planned during the Plan stage.

Change Port Translation

The port value to which the connection's port should be translated, as planned during
the Plan stage.

Change NAT Type

The type of NAT (Static or Dynamic), as planned during the Plan stage.

Change Implementation Notes

The words that appear in the change request's implementation notes, if the change
request has completed the Implement stage.

Request Risk Check Result

The number and/or severity of risks that implementation of the planned change
would entail.

Initial Plan Result

The results of initial planning.

Form Type

The type of form used for the change request (Traffic Change, Object Change, or
Generic Change).

Change Validation Result

The results of change validation.

Risks Number

The number of risks detected for the planned change, if the change request has
completed the risk check in the Approve stage.

Risks Details

Details about the risks detected for the planned change, if the change request has
completed the risk check in the Approve stage.

Translated Source

The change request's source, as translated to IP addresses.

Requested Object Action

The requested action for an object change request (AddIPsToObject /
RemoveIPsFromObject / NewObject / DeleteObject).

Translated Destination

The change request's destination, as translated to IP addresses.

Change Object Action

The action for an object change request, as specified during the Plan stage
(AddIPsToObject / RemoveIPsFromObject / NewObject / DeleteObject).

Translated Service

The change request's service, as translated to ports.

Requested Object Name

An object's name, as specified in the original object change request.

Automatically Implemented

An indication of whether the requested change should be automatically
implemented.

Change Object Name

An object's name, as specified for an object change request in the Plan stage.

Already Works Firewalls

The devices on which the requested change already works.

Requested IPs To Add

The IP addresses to add to an object, as specified in the original object change
request.

Change IPs To Add

The IP addresses to add to an object, as specified for an object change request in the
Plan stage.

Requested IPs To Remove

The IP addresses to remove from an object, as specified in the original object change
request.

Change IPs To Remove

The IP addresses to remove from an object, as specified for an object change request
in the Plan stage.

Requested Object Scope

The object scope, as specified in the original object change request.

Change Object Scope

The object scope, as specified for an object change request in the Plan stage.

Is Work Order Editable

An indication of whether the work order is editable.

Is Active Change Applicable

An indication of whether ActiveChange can be used to implement the requested
change.

Object Change Validation Result

The results of object change validation.

Create tickets from attachment

An indication of whether the change request was created from a file.

Affected Rules Result

The device rules that are affected by a suggested object change request.

Firewall Provider-1

The name or IP address of the Provider-1 managing the device.
This field is relevant for Check Point devices only.

Supported Boolean Operators


Operator

Description

AND

Both of the field-value pairs joined by this operator must be true.
In the following example, the condition is only met for new change requests owned
by John Smith:
Status = 'new' AND Owner = 'John Smith'

OR

One or both of the field-value pairs joined by this operator must be true.
In the following example, the condition is met for change requests that are new,
change requests that are owned by John Smith, and new change requests owned by
John Smith:
Status = 'new' OR Owner = 'John Smith'

Comprehensive Example
In the following example, the workflow will be assigned when the change request's template does not
specify a workflow, and one of the following conditions is met:

The change request's priority is greater than 7.
The requestor's email address includes the string "company.com".
The value of the custom field called "Project" is "Infrastructure".

(Priority > 7) OR (Requestor.EmailAddress LIKE 'company.com') OR ('CF.{Project}' = 'Infrastructure')
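
A Condition string can be checked before a workflow is saved, so that a mistyped field name or an overlapping condition is caught during review. The following is an added example, not part of the AlgoSec guide or of FireFlow itself: it parses the condition syntax described above, rejects standard fields that are not in the Standard Fields table, and lists which workflows match a constructed change request. The AND-before-OR precedence, the substring reading of LIKE, and the treatment of unset fields are assumptions.

```python
import re

# Standard field names from the guide's Standard Fields table.
_PERSON = ("EmailAddress Name RealName Nickname Organization Address1 Address2 "
           "WorkPhone HomePhone MobilePhone PagerPhone id").split()
STANDARD_FIELDS = set(
    "Id Subject Content Content-Type Filename Status Owner Creator LastUpdatedBy "
    "Created Resolved Last.Updated Due Priority RefersTo ReferredToBy".split()
) | {f"{role}.{attr}" for role in ("Requestor", "Cc", "Owner") for attr in _PERSON}

_TOKEN = re.compile(r"""\s*(?:
    (?P<cf>'CF\.\{[^}']+\}')      # custom field reference: 'CF.{Name}'
  | (?P<str>'[^']*')              # quoted value
  | (?P<num>\d+)                  # bare number, as in Priority > 7
  | (?P<op>!=|=|>)                # comparison operators that appear in the guide
  | (?P<paren>[()])
  | (?P<word>[A-Za-z][\w.\-]*)    # field name, or AND / OR / LIKE
)""", re.VERBOSE)

class ConditionError(ValueError):
    """The Condition string does not follow the documented syntax."""

def tokenize(text):
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ConditionError(f"unexpected text at offset {pos}: {text[pos:pos + 15]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens + [(None, None)]          # sentinel marks end of input

def parse(text):
    """Return the condition as nested tuples, or raise ConditionError."""
    toks, i = tokenize(text), 0
    def take():
        nonlocal i
        tok = toks[i]
        i += tok[0] is not None             # never step past the sentinel
        return tok
    def expr(word="OR"):
        # Assumption: AND binds tighter than OR; the guide does not state precedence.
        sub = (lambda: expr("AND")) if word == "OR" else term
        node = sub()
        while toks[i] == ("word", word):
            take()
            node = (word.lower(), node, sub())
        return node
    def term():
        kind, val = take()
        if (kind, val) == ("paren", "("):
            node = expr()
            if take() != ("paren", ")"):
                raise ConditionError("missing closing parenthesis")
            return node
        if kind == "cf":
            field = val[1:-1]               # 'CF.{Name}' -> CF.{Name}
        elif kind == "word" and val in STANDARD_FIELDS:
            field = val
        else:
            raise ConditionError(f"unsupported field: {val!r}")
        op, (vkind, value) = take()[1], take()
        if op not in ("=", "!=", ">", "LIKE") or vkind not in ("str", "num"):
            raise ConditionError(f"bad comparison after field {field!r}")
        return ("cmp", field, op, value.strip("'"))
    ast = expr()
    if toks[i] != (None, None):
        raise ConditionError(f"unexpected token: {toks[i][1]!r}")
    return ast

def matches(ast, ticket):
    """Evaluate a parsed condition against a dict of change request fields."""
    if ast[0] in ("and", "or"):
        left, right = matches(ast[1], ticket), matches(ast[2], ticket)
        return (left and right) if ast[0] == "and" else (left or right)
    _, field, op, value = ast
    actual = ticket.get(field)
    if actual is None:                      # assumption: an unset field only satisfies !=
        return op == "!="
    actual = str(actual)
    if op == ">":                           # numeric comparison, as in Priority > 7
        try:
            return float(actual) > float(value)
        except ValueError:
            return False
    if op == "LIKE":                        # guide: the field "includes the string"
        return value in actual
    return (actual == value) == (op == "=")

def matching_workflows(workflows, ticket):
    return [name for name, cond in workflows.items() if matches(parse(cond), ticket)]

# Constructed sample data: workflow names from the guide, field values invented.
WORKFLOWS = {"Standard": "Status = 'new' AND Owner != 'John Smith'",
             "Standard-Copy-1": "(Priority > 7) OR (Requestor.EmailAddress LIKE "
                                "'company.com') OR ('CF.{Project}' = 'Infrastructure')"}
TICKET = {"Status": "new", "Owner": "Sue Michaels", "Priority": 9,
          "Requestor.EmailAddress": "jsmith@company.com", "CF.{Project}": "Billing"}
```

For the sample change request, `matching_workflows(WORKFLOWS, TICKET)` returns both workflow names. A result with more than one name means the conditions overlap for that change request and are worth reviewing, since this section does not say which workflow takes precedence.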

Editing Workflows
Note: You can edit the workflow details of built-in workflows; however, you cannot change their statuses
and actions.

To edit an existing workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Next to the new workflow, click Edit.
Click on the workflow's name.
The Edit Workflow page opens with the workflow's details.
3 To edit the workflow's details, do the following:
a) In the Edit workflow details area, complete the fields using the information in Workflow Details Fields
(page 80).
When domains are enabled, there is a Domains selection box in the Edit workflow details area.
b) Click Save Draft.
A message at the top of the screen informs you that changes have been made to the workflows.
4 To add, edit, and delete workflow statuses, see Working with Statuses (on page 87).
5 To add, edit, and delete workflow actions, see Working with Actions (on page 95).
6 To add, edit, and delete SLOs in the workflow's SLA, see Working with SLAs (on page 129).

Working with Statuses


You can add, edit, reorder, and delete statuses in a workflow.

Adding Statuses
To add a status

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Statuses.

The Available statuses page appears.

4 Click New Status.

The Edit Status page appears.

5 Complete the fields using the information in Status Fields (page 91).

If you expanded the Advanced area, additional fields appear.

6 Click Save Draft.


The status is added to the workflow's list of available statuses and to the workflow.

The Outbound Actions and Inbound Actions areas appear.

7 Add, edit, or delete actions for this status.


See Working with a Status's Actions.
8 Click Save Draft.
The status is added to the workflow's list of available statuses and to the workflow.
Status Fields
In this field...

Do this...

Name

Type the name of the status as it appears in the FireFlow interface. This is also a unique
key.
The name can include up to 50 characters from the Latin character set. Spaces are allowed.
This field is mandatory.
Note: Some statuses cannot be renamed. When editing such a status, this field is
read-only.

Stage

The name of the image used in the lifecycle diagram at the top of the change request
page.
This field is mandatory.

Responsible group

Select the single user group responsible for change requests in this status.
Note: Usually, this group is configured to see these change requests in its Home page
(see Customizing the Home Page per Group (on page 18)).
When an action is performed on the change request, and the action transitions the
change request to a new status for which the change request owner is not responsible, the
change request is re-assigned to the default assignee of the new status's responsible
group, and the current user is re-directed to their Home page.
If you want to designate a new responsible group for the status, first create the group in
the FireFlow Configuration page, then access VisualFlow again. The new group will
appear in this list, and you can select it.
This field is mandatory.

Additional responsible groups

All user groups that are responsible for change requests in this status, other than the
group specified in the Responsible group field.
This field is read-only, and it only appears for statuses that are the source status of a
parallel action.

Enabled

Specify whether this status should be enabled, by choosing one of the following:
Yes. The status is enabled and will appear in the FireFlow interface.
No. The status is disabled. It will not appear in the FireFlow interface, and no change
requests will have this status.
The default value is Yes.
Note: Some statuses cannot be disabled. When editing such a status, this field either does
not appear or is read-only.

Advanced

Expand this area to display the Advanced fields.

Allow editing traffic fields

Specify whether it is possible to plan the change when a change request is in this status.
Planning the change involves modifying any of the following fields:
Source
Destination
Service
Action
NAT
Choose one of the following:
Yes. These fields can be modified.
No. These fields cannot be modified.
The default value is No.

Next status when mail or comment is received from requestor

Select the next status to assign to the change request when correspondence is received from
the change request's unprivileged requestor.
If this field is not set, then the change request status will not change upon incoming
correspondence.
This field only appears for statuses where an email response is possible.

Await Requestor's Response

Specify whether a change request should appear in the Change Requests Awaiting
Response page for unprivileged users.
The default value is No.

Mark change request as closed

Specify whether a change request in this status is considered "closed", by choosing one
of the following:
Yes. Consider the change request "closed", and display it in the Closed Change
Requests tab in the FireFlow requestor interface.
No. Do not consider the change request "closed".
The default value is No.
This field does not appear for the "new" status.

Stage still incomplete

Specify whether there are additional statuses that a change request must achieve before
completing the stage, by choosing one of the following:
Yes. There are additional statuses that a change request must achieve before
completing this stage.
No. This is the last status in the stage. The stage will be marked with a check mark.
The default value is No.
This field must be set to No for exactly one status per stage.

Status after new

Select the status to which the change request should transition after it has been assigned
an owner.
This field only appears for the "new" status.

Editing Statuses
To edit statuses

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
To go directly to the desired status, click the status in the workflow layout.
To select the status from a list of statuses:
1. In the VisualFlow main menu, click Statuses.
The Available statuses page appears.
2. Next to the desired status, click Edit.
The Edit Status page appears.
4 Complete the fields using the information in Status Fields (page 91).
If you expanded the Advanced area, additional fields appear.
5 Add, edit, or delete actions for this status.
See Working with a Status's Actions.
6 Click Save Draft.

Reordering Statuses
You can control the order in which statuses appear in a workflow's list of available statuses.

To reorder statuses

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Statuses.
The Available statuses page appears.

4 In the list of statuses, click the icon next to a status you want to move, and drag it to the desired location in
the list.

Deleting Statuses
To delete a status

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Statuses.
The Available statuses page appears.
4 Next to the desired status, click Delete.
Note: Some statuses cannot be deleted. These statuses do not have a Delete link next to them.
Note: If a status is the source or target of an action, or if the status is used in one or more SLOs, you must
disassociate those actions/SLOs from the status before you can delete it. See Deleting Actions (on page
128) and Editing SLOs (on page 132).
A confirmation message appears.
5 Click OK.
The status is deleted from the workflow's list of available statuses and from the workflow.

Working with Actions


Adding Actions
To add an action

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
In the VisualFlow main menu, click Actions.
The Available actions page appears with a list of actions used in the workflow.

In the workflow layout, click on a status to which you want to add an action.

The Edit Status page appears with a list of inbound and outbound actions for the status.

4 Do one of the following:


To add a new action from scratch, in the New Action drop-down list, select the new action's type.
An action's type describes what it does. For information on available action types, see Action Types
(page 100).
To add a new action that is based on an existing action:
1. Next to the desired existing action, click Duplicate.
A confirmation message appears.
2. Click OK.
The new action is named OriginalAction-Copy-Number, where:
OriginalAction is the name of the action you copied.
Number is a number used to differentiate between copies of the duplicated action.
For example, if you duplicated an action called Risk Check, and there is already an action called
Risk Check-Copy-1, then the new action will be called Risk Check-Copy-2.

The Edit Action page appears.

5 Complete the fields using the information in Action Fields (page 101).

If you expanded the Advanced area, additional fields appear.

6 If you set the Parallel field to Yes, set the action's responsible groups by doing the following:
a) Click the Set responsible groups link.
The Responsible groups dialog box appears.

The Responsible group field displays the user group responsible for change requests in this status.
b) In the Additional responsible groups list, select the additional user groups responsible for change
requests in this status.
To select multiple user groups, press Ctrl while you click on the desired user groups.
c) Click OK.
7 Click Save Draft.
The action is added to the list of actions.
Action Type
This action type...

Does this...

Change status

Changes the status of the change request.

Internal comment

Adds a comment to the change request that is hidden from the requestor.

Reply to user

Adds a comment to the change request that is seen by the requestor. Includes sending an
email to the requestor.

Modify custom field

Allows a user to modify one or more custom fields.

Take ownership

Assigns the user ownership of a change request.

Assign

Allows a user to assign ownership of a change request to another user.

Initial plan

Performs initial planning. Relevant only for traffic change requests.
It is recommended to consult with AlgoSec before using this action type.

Risk check

Performs a risk check. Relevant only for traffic change requests.
It is recommended to consult with AlgoSec before using this action type.

Implementation plan

Creates a work order.
It is recommended to consult with AlgoSec before using this action type.

Manual reconcile

Opens a dialog box that allows a user to manually match the change request with a
change record. Relevant only for traffic change requests.
It is recommended to consult with AlgoSec before using this action type.

No change record

Opens a dialog box that allows a user to manually match the change request, while
specifying that there is no associated change record. Relevant only for traffic change
requests.
It is recommended to consult with AlgoSec before using this action type.

Change validation

Performs validation of a traffic change request. Relevant only for traffic change
requests.
It is recommended to consult with AlgoSec before using this action type.

Review work order

Enables a user to view an existing work order and edit it. Relevant controls will appear
in UI only for Check Point and Juniper devices. Relevant only for traffic change
requests.
It is recommended to consult with AlgoSec before using this action type.

Active change

Enables a user to implement planned changes via ActiveChange. Relevant controls will
appear in UI only for Check Point devices using OPSEC. Relevant only for traffic
change requests.
It is recommended to consult with AlgoSec before using this action type.

Object change validation

Performs validation of an object change request. Relevant only for object change
requests.
It is recommended to consult with AlgoSec before using this action type.

Affected rules

Finds affected rules for an object change request. Relevant only for object change
requests.
It is recommended to consult with AlgoSec before using this action type.

Related tickets

Finds change requests that are related to a change request. Relevant only for rule
removal requests.
It is recommended to consult with AlgoSec before using this action type.

Notify requestors

Enables a user to notify other users regarding the impending removal/disablement of a
device rule. Relevant only for rule removal requests.
It is recommended to consult with AlgoSec before using this action type.

View correspondence

Allows a user to view correspondences with other users regarding the impending
removal/disablement of a device rule. Relevant only for rule removal requests.
It is recommended to consult with AlgoSec before using this action type.

Rule removal validation

Performs validation of a rule removal request. Relevant only for rule removal requests.
It is recommended to consult with AlgoSec before using this action type.

Action Fields
In this field...

Do this...

Name

A unique key value for the action. Used when the action's behavior is to be overridden
for a specific status.
This field is mandatory. It is only available when working with a workflow's list of
actions.

Type

Select the action's type, which describes what it does. See Action Types (page 100).
This field is mandatory. It is only available when working with a workflow's list of
actions.

Category

Type the action's category.
You can create categories and assign similar actions to them. When editing an action,
the Edit action details area will display links to other actions belonging to the same
category.

Source status

Use the fields in this area to specify the status or statuses from which the change request
must transition, before this action can be performed.

Target status

Use the fields in this area to specify the status or statuses to which the change request
will transition when the action is performed.

Required action right

Specify whether the user must be granted a specific right, in order for the action to
appear in the Other drop-down list, by selecting the relevant right.
Note: This setting is cosmetic only: it affects whether the action is displayed. Actions that require
the user to have a specific right will not succeed if the user does not have the right.

Return to homepage

Specify whether the user should be re-directed to the Home page after executing the
action, by choosing one of the following:
Yes. Redirect the user to the Home page.
No. The user should remain on the current page.
The default value is No.

Enabled

Specify whether this action should be enabled, by choosing one of the following:
Yes. The action is enabled and will appear in the FireFlow interface.
No. The action is disabled and will not appear in the FireFlow interface.
The default value is Yes.

Display action button

Specify whether the action should be available via an explicit button next to the Other
drop-down list, by choosing one of the following:
Yes. Make the action available via a button. The button will always be visible,
unless the Display action button when field is empty field is set to a field name.
No. Do not make the action available via a button.
The default value is No.

Advanced

Expand this area to display the Advanced fields.

Conditional target status

Use the fields in this area to specify a set of conditional target statuses that the change
request can transition to.
FireFlow will check the conditions in the order listed; therefore, if the first condition is
met, FireFlow will not check the second condition, and so on.
If none of the conditions are met, the change request will transition to the status
specified in the Edit action details area's Target status field, by default.

Target status

Select a new status that the change request should transition to when the action is
performed, if the condition(s) in the Condition field are met.

Condition

Type an XQL query specifying the conditions under which the change request will
transition to the status specified in the Target Status field.
For example, to specify the condition that the number of risks must be zero, type:
Ticket[RisksNumber = "0"]
For information on the required query syntax, see Action Condition Syntax (on page
105).

Message to user

Type a message that should appear onscreen when transitioning to the new status.

Click this button to add another conditional target status.


Parallel

Specify whether the action will be performed in parallel to a second, identical action.
Choose one of the following:
Yes. The action will be performed in parallel to a second, identical action.
No. The action will be performed sequentially to all other actions.
The default value is No.
It is possible to add more parallel action logic. See Adding Parallel Action Logic (on
page 126).
This field is enabled only for statuses of the following types: Change status, Internal
comment, and Reply to user.

action completed when

The strategy used to determine whether the parallel action has been completed.
To specify that the action should be considered completed only when all responsible
groups have performed it, select all.
If desired, you can configure other strategies. For example, you can configure a strategy
specifying that if a specific group performs the action, then the action should be
considered completed; otherwise, FireFlow should wait for all other groups to perform
the action. For information on configuring additional strategies, contact AlgoSec.

Display action button when field is empty

Specify whether the action should be available via an explicit button next to the Other
drop-down list only if a specific change request field is empty, by selecting the relevant
change request field.

Display action button when current user is not the owner

Specify whether the action should be available via an explicit button next to the Other
drop-down list only if the current user is not the change request's owner. Choose one of
the following:
Yes. Display the action button if the current user is not the change request's owner.
No. Do not make displaying the action button dependent on whether the current user
is the change request's owner.
The default value is No.

Display action button when change request is unassigned

Specify whether the action should be available via an explicit button next to the Other
drop-down list only if the change request is not assigned to a user. Choose one of the
following:
Yes. Display the action button if the change request is not assigned to a user.
No. Do not make displaying the action button dependent on whether the change
request is assigned to a user.
The default value is No.

Display action button when field value is true

Specify whether the action should be available via an explicit button next to the Other
drop-down list only if a specific change request field's value is "true", by selecting the
relevant change request field.
This is useful for actions that are restricted to certain device types. For example, editing
a work order can only be done for Check Point devices; therefore, this action should
only be available if a custom field called "Check Point" is set to "true".

Modify Field Title

Type the message that should appear when this action is performed, instructing the user
to complete the field specified in the Field Name field.
This field is only relevant if the Type field's value is Modify custom field.

Field Name

If the action requires a field's value as input, select the field's name.
To select multiple fields, hold down the CTRL key while clicking on the desired fields.
This field is only relevant if the Type field's value is Modify custom field.


Display in workflow layout

Specify whether the action should be displayed in the workflow layout when viewing a
workflow, by choosing one of the following:
Yes. Display the action in the workflow layout.
No. Do not display the action in the workflow layout.
The default value is No.
Note: When viewing a status for which this action is an outbound action, the action will
be displayed in the workflow layout, regardless of this attribute's value.

Applies to change requests of type

Select the check boxes next to the types of change requests for which the action is
relevant, and for which the action should appear.
This can be one or more of the following:
Regular. The action is relevant to regular change requests.
A regular change request is relevant to only one device.
Parent. The action is relevant to parent requests.
A parent request is relevant to multiple devices and has a sub-request for each
device.
Sub request. The action is relevant to sub-requests. A sub-request is relevant to one
device, out of the multiple devices that are relevant to its parent request.
If you do not select any of the check boxes, the action will be relevant to all change
request types.

User confirmation needed

Specify whether a confirmation message should appear when a user performs the action,
by choosing one of the following:
Yes. Display a message when the action is performed.
No. Do not display a message when the action is performed.
The default value is No.

Mail content

Type the default text that will appear in the main message box when commenting on a
change request or replying to the user.
This field is relevant only for actions of the type Reply to user and Internal comment.

Set 'auto-matching status'

Specify whether after the action is performed, the change request's "auto-matching
status" should be set to a specific value, and the change request should be displayed in
the Auto Matching page, by selecting the relevant status.
The default value is No.

Traffic fields required

Specify whether certain change request fields are mandatory, in which case if the fields
are not filled in when the action is performed, a message will appear prompting the user
to fill them in. The fields in question are:
Source
Destination
Service
Action
Firewall
Choose one of the following:
Yes. These fields are mandatory.
No. These fields are optional.
The default value is No.


Hide from 'Other' actions menu

Specify whether the action should not appear in the Other drop-down list, if it is not
available via an explicit button next to the Other drop-down list. Choose one of the
following:
Yes. Hide this action in the Other drop-down list, if it does not appear via an explicit
button.
No. Display this action in the Other drop-down list, regardless of whether it
appears via an explicit button.
The default value is No.

Allow this action for unprivileged users

Specify whether unprivileged users should be allowed to perform this action, by
choosing one of the following:
Yes. Allow unprivileged users to perform this action.
No. Do not allow unprivileged users to perform this action.
The default value is No.

Return to homepage and display sub requests

Specify whether after the action is performed on a parent request, the user should be
redirected to the Home page, which displays a list of the parent request's sub-requests.
Choose one of the following:
Yes. Redirect the user to the Home page with a list of the parent request's
sub-requests.
No. The user should remain on the current page.
The default value is No.
This field is relevant only for actions of the type Change status, Reply to user and
Internal comment.

Return to parent request

Specify whether after the action is performed on a sub-request, the user should be
redirected to the parent request, by choosing one of the following:
Yes. Redirect the user to the parent request.
No. The user should remain on the current page.
The default value is No.

Action Condition Syntax


In order to specify a condition under which a change request will transition to a new status when an action is
performed, you must compose an XQL query. The XQL query can include the following:

Elements
An element may be any node in the XML of a change request, called a flat ticket. A flat ticket's root node
is <Ticket>, which is written in an XQL query as Ticket.
In order to specify a sub-node, use "/". For example, to specify a flat ticket's <Firewall> node, write:
Ticket/Firewall

You can use an asterisk "*" to specify a wildcard. For example, to specify any sub-node of Firewall,
write:
Ticket/Firewall/*

For information about available flat ticket nodes, see Flat Ticket Nodes (on page 106). For an example
of a flat ticket, see Flat Ticket Example (on page 116).

Filters
In order to apply a condition to an element, use square brackets "[ ]" in the following format:
Element[condition]


Where condition is a sub-query specifying the desired condition.


For example, to specify that the device brand must be Juniper Netscreen, write the following:
Ticket/Firewall[Brand = "Juniper Netscreen"]

Comparison operators
Elements in a sub-query may be compared via comparison operators in the following format:
element operator "value"

Where operator is a supported comparison operator, and value is the element's desired value.
In the previous example, the sub-query used the = operator as follows:
Brand = "Juniper Netscreen"

For a list of supported comparison operators, see Supported Comparison Operators (on page 125).

Boolean operators
It is possible to use Boolean operators between sub-queries. For example, the following query specifies
that the change request must be assigned to the Standard workflow, and the status must be "new":
Ticket[Workflow = "Standard"] $and$ Ticket[Status = "new"]

For more intricate queries, you can use parentheses to group sub-queries. For example, the following
query specifies that the change request must be assigned to the Standard workflow, and the change
request status must be "new" or "plan".
Ticket[Workflow = "Standard"] $and$ (Ticket[Status = 'new'] $or$
Ticket[Status = 'plan'])

For a list of supported Boolean operators, see Supported Boolean Operators (on page 126).
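The first-match rule for conditional target statuses and the query forms shown in this section, combined in a short offline checker. This is an added example, not FireFlow code: it handles only the = operator, $and$, $or$, parentheses, "/" paths and the "*" wildcard, and it assumes plain string equality on element text and that $and$ binds tighter than $or$. The tickets, the RISK_GATE list and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed flat tickets, trimmed to the nodes the conditions below read.
TRAFFIC_TICKET = """<Ticket>
  <Firewall><Brand>Juniper Netscreen</Brand><Name>192_168_2_53_root</Name></Firewall>
  <RisksNumber>3</RisksNumber>
  <Status>check</Status>
  <Workflow>Standard</Workflow>
</Ticket>"""
OBJECT_TICKET = """<Ticket>
  <Firewall><Brand>Check Point</Brand><Name>Kartiv</Name></Firewall>
  <RisksNumber></RisksNumber>
  <Status>implement</Status>
  <Workflow>Standard</Workflow>
</Ticket>"""

# One token is a Boolean operator, a parenthesis, or Path[Child = "value"].
TOKEN = re.compile(r"""\s*(?:
    (?P<op>\$and\$|\$or\$)
  | (?P<paren>[()])
  | (?P<filter>(?P<path>[\w*]+(?:/[\w*]+)*)
        \[\s*(?P<child>\w+)\s*=\s*(?P<q>["'])(?P<value>.*?)(?P=q)\s*\])
)""", re.VERBOSE)

def tokenize(query):
    tokens, pos = [], 0
    while query[pos:].strip():
        m = TOKEN.match(query, pos)
        if m is None:   # e.g. an operator other than "=", which this sketch omits
            raise ValueError(f"unsupported syntax at offset {pos}: {query[pos:pos + 25]!r}")
        tokens.append(m)
        pos = m.end()
    return tokens

def filter_matches(root, tok):
    """True if any element on the path has a child whose text equals the value."""
    head, *rest = tok["path"].split("/")
    if head not in (root.tag, "*"):
        return False
    nodes = root.findall("/".join(rest)) if rest else [root]
    return any((child.text or "").strip() == tok["value"]
               for node in nodes for child in node.findall(tok["child"]))

def evaluate(query, ticket_xml):
    """Evaluate one condition against one flat ticket given as XML text."""
    root, tokens, i = ET.fromstring(ticket_xml), tokenize(query), 0

    def at(group):                 # named group of the token at the cursor, or None
        return tokens[i][group] if i < len(tokens) else None

    def term():
        nonlocal i
        if at("filter"):
            i += 1
            return filter_matches(root, tokens[i - 1])
        if at("paren") == "(":
            i += 1
            value = or_expr()
            if at("paren") != ")":
                raise ValueError("missing ')'")
            i += 1
            return value
        raise ValueError("expected a filter or '('")

    def and_expr():                # assumption: $and$ binds tighter than $or$
        nonlocal i
        value = term()
        while at("op") == "$and$":
            i += 1
            value = term() and value
        return value

    def or_expr():
        nonlocal i
        value = and_expr()
        while at("op") == "$or$":
            i += 1
            value = and_expr() or value
        return value

    result = or_expr()
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return result

def resolve_target(ticket_xml, conditional_targets, default_target):
    """Check conditions in the order listed; the first one met sets the status.
    If none is met, fall back to the action's Target status."""
    for status, condition in conditional_targets:
        if evaluate(condition, ticket_xml):
            return status
    return default_target

# Constructed action: the status names reuse those in the sample tickets.
RISK_GATE = [
    ("implement", 'Ticket[RisksNumber = "0"]'),
    ("plan", "Ticket[Workflow = \"Standard\"] $and$ "
             "(Ticket[Status = 'new'] $or$ Ticket[Status = 'plan'])"),
]
```

Under the string-equality assumption, a ticket whose RisksNumber is empty (as in the Object Change sample) does not satisfy Ticket[RisksNumber = "0"] and falls through to the default status, so a risk gate written this way should be checked against every form type it will receive.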

Flat Ticket Nodes


The following table lists the standard flat ticket nodes in alphabetical order.
Note: These nodes represent the various change request fields.
If you configured custom fields, there will also be a node for each custom field, and those nodes can be used
as elements in XQL queries.
Flat Ticket Nodes

Node: Action
Description: The action to perform for the connection. Sub-node of PlannedTraffic and RequestedTraffic.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes: Value, and a node for each custom field. Each such node will have its own Value sub-node. See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).

Node: AffectedRulesResult
Description: The device rules that will be affected by the requested change. Sub-node of Ticket. Relevant for object change requests only.
Sub-nodes: None

Node: AlreadyWorksFirewalls
Description: The names of devices on which the requested change already works. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: AutomaticallyImplemented
Description: Indicates whether the requested change should be automatically implemented. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: Brand
Description: The device vendor. Sub-node of Firewall.
Sub-nodes: None

Node: Cc
Description: Email addresses to which the FireFlow system will send copies of all email messages regarding this request. Sub-node of Ticket.
Sub-nodes: None

Node: ChangeFullData
Description: The change description. Sub-node of Ticket.
Sub-nodes: None

Node: ChangeImplementationNotes
Description: The change request's implementation notes, if the change request has completed the Implement stage. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: City
Description: The city in which the change request owner or requestor is located, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: ClosedAt
Description: The date and time when the change request was closed. Sub-node of Ticket.
Sub-nodes: None

Node: CMSticketid
Description: The ID number of a related change request in an external change management system that is integrated with FireFlow. Sub-node of Ticket.
Sub-nodes: None

Node: code
Description: The code number of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: Country
Description: The country in which the change request owner or requestor is located, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Created
Description: The date and time when the change request was created. Sub-node of Ticket.
Sub-nodes: None

Node: Createticketsfromattachment
Description: Indicates whether the change request was created from a file. Sub-node of Ticket.
Sub-nodes: None

Node: Description
Description: The description of the change request. Sub-node of Ticket.
Sub-nodes: None

Node: description
Description: The description of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: Destination
Description: The IP address, IP range, network, device object, or DNS name of the connection destination. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for traffic change requests only.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes: Value, and a node for each custom field. Each such node will have its own Value sub-node. See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).

Node: Due
Description: The date by which this change request should be resolved. Sub-node of Ticket.
Sub-nodes: None

Node: EmailAddress
Description: The email address of the change request owner or requestor, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Expires
Description: The date on which this change request will expire. Sub-node of Ticket.
Sub-nodes: None

Node: Firewall
Description: Information about the device on which the change will be implemented, if the change request has completed the Plan stage. Sub-node of Ticket.
Sub-nodes: Brand, IPAddress, LastReport, LastReportDate, ManagementServer, Name, Policy

Node: FormType
Description: The change request's form type (Traffic Change / Object Change / Generic Change). Sub-node of Ticket.
Sub-nodes: None

Node: HomePhone
Description: The home telephone number of the change request owner or requestor, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Id
Description: The ID number of the change request or the change request owner, depending on the parent node. Sub-node of Ticket and Owner.
Sub-nodes: None

Node: ImplementaionDate
Description: The date on which the change request was implemented. Sub-node of Ticket.
Sub-nodes: None

Node: InitialPlanStartTime
Description: The amount of time that has elapsed since initial planning, in UNIX time. Sub-node of Ticket.
Sub-nodes: None

Node: IPAddress
Description: The IP address of the device. Sub-node of Firewall.
Sub-nodes: None

Node: IPsToAdd
Description: The IP addresses to add to the device object. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: IPsToRemove
Description: The IP addresses to remove from the device object. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: IsActiveChangeApplicable
Description: Indicates whether ActiveChange can be used to automatically implement the requested change. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: IsWorkOrderEditable
Description: Indicates whether the work order is editable. Sub-node of Ticket.
Sub-nodes: None

Node: LastReport
Description: The last report generated for the device. Sub-node of Firewall.
Sub-nodes: None

Node: LastReportDate
Description: The date and time at which the last report for this device was generated. Sub-node of Firewall.
Sub-nodes: None

Node: LastUpdated
Description: The date and time when the change request was last updated. Sub-node of Ticket.
Sub-nodes: None

Node: LastUpdatedBy
Description: The username of the person who last updated the change request. Sub-node of Ticket.
Sub-nodes: None

Node: ManagementServer
Description: The name of the device's management server. Sub-node of Firewall.
Sub-nodes: None

Node: Name
Description: The name of the device. Sub-node of Firewall.
Sub-nodes: None

Node: name
Description: The name of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: New
Description: Indicates whether the change request is new. Sub-node of Ticket.
Sub-nodes: None

Node: ObjectChangeValidationResult
Description: The results of object change validation. Sub-node of Ticket. Relevant for object change requests only.
Sub-nodes: None

Node: ObjectName
Description: The name of the device object. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: Organization
Description: The organization to which the change request owner or requestor belongs, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Owner
Description: The change request owner's username and email address. Sub-node of Ticket.
Sub-nodes: City, Country, EmailAddress, HomePhone, Id, Organization, RealName

Node: OwningGroup
Description: The name of the user group that currently owns the change request. Sub-node of Ticket.
Sub-nodes: None

Node: PlannedTraffic
Description: The changes planned during the Plan stage. Sub-node of Ticket.
Sub-nodes: Action, Destination, IPsToRemove, IPsToAdd, ObjectName, Requestedaction, RuleDisplayId, RuleId, RuleRemovalRelatedTickets, RuleRemovalRelatedTicketsRequestors, RuleRemovalRuleAction, RuleRemovalUserstoNotify, Scope, Service, Source

Node: Policy
Description: The device security policy. Sub-node of Firewall.
Sub-nodes: None

Node: Priority
Description: A number indicating this request's priority, where 0 indicates lowest priority. Sub-node of Ticket.
Sub-nodes: None

Node: RealName
Description: The full names of the change request owner or requestor, depending on the parent node. Sub-node of Owner and Requestor.
Sub-nodes: None

Node: Requestedaction
Description: The action the user selected to perform on the rule (remove or disable). Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RequestedTraffic
Description: The changes requested during the Request stage. Sub-node of Ticket.
Sub-nodes: Action, Destination, IPsToRemove, IPsToAdd, ObjectName, Requestedaction, RuleDisplayId, RuleId, RuleRemovalRelatedTickets, RuleRemovalRelatedTicketsRequestors, RuleRemovalRuleAction, RuleRemovalUserstoNotify, Scope, Service, Source

Node: Requestor
Description: Information about the requestor. Sub-node of Ticket.
Sub-nodes: City, Country, EmailAddress, HomePhone, Organization, RealName

Node: Risk
Description: A risk that implementation of the planned change would entail. Sub-node of RiskDetails. Relevant for traffic change requests only.
Sub-nodes: code, description, name, severity

Node: RisksDetails
Description: The results of the risk check, if the change request has completed the Check stage. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: Risk

Node: RisksNumber
Description: The total number of risks that implementation of the planned change would entail. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: RuleDisplayId
Description: The rule ID as displayed to users. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleId
Description: The rule ID as displayed in reports. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleRemovalRelatedTickets
Description: FireFlow change requests with traffic that intersects that of the rule slated to be removed/disabled. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleRemovalRelatedTicketsRequestors
Description: The requestors of FireFlow change requests with traffic that intersects that of the rule slated to be removed/disabled. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleRemovalRuleAction
Description: The action to perform on the rule in the device policy (for example, allow or drop). Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: RuleRemovalUserstoNotify
Description: FireFlow users to notify regarding the rule's upcoming removal/disablement. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for rule removal requests only.
Sub-nodes: None

Node: Scope
Description: The scope of the change (Local / Global). Sub-node of PlannedTraffic and RequestedTraffic. Relevant for object change requests only.
Sub-nodes: None

Node: Service
Description: The device service or port for the connection. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for traffic change requests only.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes: Value, and a node for each custom field. Each such node will have its own Value sub-node. See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).

Node: severity
Description: The severity of a risk. Sub-node of Risk. Relevant for traffic change requests only.
Sub-nodes: None

Node: Source
Description: The IP address, IP range, network, device object, or DNS name of the connection source. Sub-node of PlannedTraffic and RequestedTraffic. Relevant for traffic change requests only.
Sub-nodes: If inclusion of user-defined custom traffic fields in flat tickets is enabled, then this node will have the following sub-nodes: Value, and a node for each custom field. Each such node will have its own Value sub-node. See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).

Node: Status
Description: The change request's status. Sub-node of Ticket.
Sub-nodes: None

Node: Subject
Description: The change request's subject. Sub-node of Ticket.
Sub-nodes: None

Node: Ticket
Description: The root node of a flat ticket.
Sub-nodes: AffectedRulesResult, AlreadyWorksFirewalls, AutomaticallyImplemented, Cc, ChangeFullData, ChangeImplementationNotes, ClosedAt, CMSticketid, Createticketsfromattachment, Description, Due, Expires, Firewall, FormType, Id, ImplementaionDate, InitialPlanStartTime, IsActiveChangeApplicable, IsWorkOrderEditable, LastUpdated, LastUpdatedBy, New, ObjectChangeValidationResult, Owner, OwningGroup, PlannedTraffic, Priority, RequestedTraffic, Requestor, RiskDetails, RisksNumber, Status, Subject, TicketTemplateName, TrafficChangeTime, TranslatedDestination, TranslatedService, TranslatedSource, Workflow

Node: TicketTemplateName
Description: The name of the change request's template. Sub-node of Ticket.
Sub-nodes: None

Node: TrafficChangeTime
Description: The amount of time that has elapsed since the traffic was changed, in UNIX time. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: TranslatedDestination
Description: The change request's destination, as translated to IP addresses. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: TranslatedService
Description: The change request's destination, as translated to ports. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: TranslatedSource
Description: The change request's source, as translated to IP addresses. Sub-node of Ticket. Relevant for traffic change requests only.
Sub-nodes: None

Node: Value
Description: The value of this node's parent node. Sub-node of Action, Destination, Service, and Source. Relevant only when inclusion of user-defined custom traffic fields in flat tickets is enabled. See Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets (on page 216).
Sub-nodes: None

Node: Workflow
Description: The change request's assigned workflow. Sub-node of Ticket.
Sub-nodes: None


Flat Ticket Example


A flat ticket is a change request in XML format.
Traffic Change Flat Ticket (Inclusion of User-Defined Custom Traffic Fields Enabled)
<Ticket>
<AdditionalResponsibleGroups></AdditionalResponsibleGroups>
<AffectedRulesResult></AffectedRulesResult>
<AlreadyWorksFirewalls></AlreadyWorksFirewalls>
<ApplicationDefaultServices>tcp/21/*</ApplicationDefaultServices>
<AutomaticallyImplemented>No</AutomaticallyImplemented>
<CMSticketid></CMSticketid>
<CategorytoUpdate></CategorytoUpdate>
<Cc></Cc>
<ChangeCategory></ChangeCategory>
<ChangeFullData>{&quot;zoneSpanning&quot;:null,&quot;acl&quot;:null,&quot;from
Zone&quot;:null,&quot;recommendation_new_format&quot;:1,&quot;report&quot;:&qu
ot;eliezer-13656&quot;,&quot;origRuleScript&quot;:&quot;fwrules51&quot;,&quot;
firewall&quot;:&quot;fw3&quot;,&quot;tuples&quot;:{&quot;tuple-1&quot;:{&quot;
orig_rules&quot;:&quot;orig_rules.html&quot;,&quot;suggestions&quot;:{&quot;ad
d&quot;:[{&quot;source&quot;:[&quot;192.168.3.186&quot;],&quot;sourceReq&quot;
:&quot;192.168.3.186&quot;,&quot;data_time&quot;:&quot;saved-2012-04-01-133038
&quot;,&quot;destination&quot;:[&quot;10.10.10.2-10.10.10.3&quot;],&quot;statu
s&quot;:&quot;N/A&quot;,&quot;srvReq&quot;:&quot;ftp&quot;,&quot;service&quot;
:[&quot;tcp/21&quot;],&quot;destReq&quot;:&quot;10.10.10.2,10.10.10.3&quot;,&q
uot;tuples&quot;:&quot;1&quot;}]},&quot;noActionRequired&quot;:1}},&quot;actio
n&quot;:[&quot;Allow&quot;],&quot;queryURL&quot;:&quot;https://192.168.2.245:4
43/~eliezer/algosec/session-1802f5044ffe48d097279d515a6fa864/work/fw3-18947/qu
ery-18947/query.html&quot;,&quot;ticket&quot;:&quot;1320&quot;,&quot;toZone&qu
ot;:null}</ChangeFullData>
<ChangeImplementationNotes></ChangeImplementationNotes>
<ChangeURL></ChangeURL>
<ChangeUserGroup></ChangeUserGroup>
<ChangeWebAction>Allow</ChangeWebAction>
<ClosedAt></ClosedAt>
<Created>Sun Apr 01 13:46:28 2012</Created>
<Createticketsfromattachment>No</Createticketsfromattachment>
<Customer>Example Customer</Customer>
<Description></Description>
<Due>Sun Apr 01 2012</Due>
<Expires>Tue May 01 2012</Expires>
<Firewall>


<Brand>Check Point</Brand>
<IPAddress>10.132.32.1</IPAddress>
<LastReport>eliezer-13656</LastReport>
<LastReportDate>2012-03-31 21:34:09</LastReportDate>
<ManagementServer>m_10_132_31_1</ManagementServer>
<Name>fw3</Name>
<Policy>yaara_10.W</Policy>
</Firewall>
<FormType>Traffic Change</FormType>
<Id>1320</Id>
<InitialPlanStartTime>1333277359.81826</InitialPlanStartTime>
<IsActiveChangeApplicable>1</IsActiveChangeApplicable>
<IsWorkOrderEditable>true</IsWorkOrderEditable>
<LastUpdated>Sun Apr 01 13:54:55 2012</LastUpdated>
<LastUpdatedBy>eliezer.weiss+locadmin@algoseclabs.com</LastUpdatedBy>
<Moshe></Moshe>
<ObjectChangeValidationResult></ObjectChangeValidationResult>
<OrganizationMethodology></OrganizationMethodology>
<Owner>
<City>tel aviv</City>
<Country></Country>
<EmailAddress>eliezer.weiss+locnet@algoseclabs.com</EmailAddress>
<HomePhone></HomePhone>
<Id>67</Id>
<Organization>Algosec</Organization>
<RealName>local network</RealName>
</Owner>
<OwningGroup>Network</OwningGroup>
<PendingResponsibleGroups></PendingResponsibleGroups>
<PlannedTraffic>
<Action>
<Value>Allow</Value>
</Action>
<Destination>
<Value>10.10.10.2</Value>
</Destination>
<Destination>

<Value>10.10.10.3</Value>
</Destination>
<DestinationNAT>165.13.12.11</DestinationNAT>
<NATType>Static</NATType>
<PortTranslation>tcp/8080</PortTranslation>
<Service/Application>
<Value>tcp/21</Value>
</Service/Application>
<Source>
<Value>192.168.3.186</Value>
</Source>
<SourceNAT>178.16.1.18</SourceNAT>
<application>mail server</application>

</PlannedTraffic>
<Priority>0</Priority>
<RecertificationCandidateDevices></RecertificationCandidateDevices>
<RecertificationRelatedTicketsCalculationDate></RecertificationRelatedTicketsCalculationDate>
<RecertificationStatus>Stand by</RecertificationStatus>
<RecertifiedTrafficTicket></RecertifiedTrafficTicket>
<RecommendReimplement></RecommendReimplement>
<RequestedCategory></RequestedCategory>
<RequestedTraffic>
<Action>
<Value>Allow</Value>
</Action>
<Destination>
<Value>10.10.10.2</Value>
</Destination>
<Destination>
<Value>10.10.10.3</Value>
</Destination>
<DestinationNAT>165.13.12.11</DestinationNAT>
<NATType>Static</NATType>
<PortTranslation>tcp/8080</PortTranslation>
<Service/Application>


<Value>ftp</Value>
</Service/Application>
<Source>
<Value>192.168.3.186</Value>
</Source>
<SourceNAT>178.16.1.18</SourceNAT>
<application>mail server</application>
</RequestedTraffic>
<RequestedURL></RequestedURL>
<RequestedUserGroup></RequestedUserGroup>
<RequestedWebAction>Allow</RequestedWebAction>
<Requestor>
<City></City>
<Country></Country>
<EmailAddress>eliezer.weiss+locadmin@algoseclabs.com</EmailAddress>
<HomePhone></HomePhone>
<Id>65</Id>
<Organization>Algosec</Organization>
<RealName>Local FireFlow admin</RealName>
</Requestor>
<RiskLevel>No Risk</RiskLevel>
<RisksDetails></RisksDetails>
<RisksNumber>0</RisksNumber>
<Status>validate</Status>
<Subject>FTP access to mail servers</Subject>
<TicketTemplateID></TicketTemplateID>
<TicketTemplateName></TicketTemplateName>
<TrafficChangeTime></TrafficChangeTime>
<TranslatedDestination>10.10.10.2-10.10.10.3</TranslatedDestination>
<TranslatedService>tcp/21</TranslatedService>
<TranslatedSource>192.168.3.186</TranslatedSource>
<Workflow>Standard-With-SLA</Workflow>
<reportpdf>6208</reportpdf>
</Ticket>

Traffic Change Flat Ticket (Inclusion of User-Defined Custom Traffic Fields Disabled)
<Ticket>
<AddTraffic>Yes</AddTraffic>
<Cc></Cc>
<ClosedAt></ClosedAt>
<Created>Mon Jun 28 07:21:13 2010</Created>
<Description></Description>
<Due></Due>
<Firewall>
<Brand>Juniper Netscreen</Brand>
<IPAddress>100.0.0.1</IPAddress>
<LastReport>michal-8247</LastReport>
<LastReportDate>2010-06-27 19:32:18</LastReportDate>
<Name>192_168_2_53_root</Name>
<Policy>192_168_2_53_root.nsc</Policy>
</Firewall>
<Id>1567</Id>
<InitialPlanStartTime>1277717369.39996</InitialPlanStartTime>
<LastUpdated>Mon Jun 28 09:33:08 2010</LastUpdated>
<LastUpdatedBy>a123@algosec.com</LastUpdatedBy>
<Owner>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Id>25</Id>
<Organization></Organization>
<RealName>JohnSmith</RealName>
</Owner>
<PlannedTraffic>
<Action>Allow</Action>
<Destination>*</Destination>
<Service>*</Service>
<Source>*</Source>
</PlannedTraffic>
<Priority>0</Priority>
<RequestedTraffic>
<Action>Allow</Action>


<Destination>*</Destination>
<Service>ssh</Service>
<Source>*</Source>
</RequestedTraffic>
<Requestor>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Organization></Organization>
<RealName>JaneBrown</RealName>
</Requestor>
<RisksDetails>
<Risk>
<code>I01</code>
<description>&quot;Any&quot; service can enter your network</description>
<name>I01-inbound-any</name>
<severity>high</severity>
</Risk>
</RisksDetails>
<RisksNumber>3</RisksNumber>
<Status>check</Status>
<Subject></Subject>
<TrafficChangeTime>1277717369.02893</TrafficChangeTime>
<Workflow>Standard</Workflow>
<CustomField1>1</CustomField1>
</Ticket>

Object Change Flat Ticket


<Ticket>
<AffectedRulesResult>The change will affect 1 rules: 12 in device Kartiv</AffectedRulesResult>
<AlreadyWorksFirewalls></AlreadyWorksFirewalls>
<AutomaticallyImplemented></AutomaticallyImplemented>
<CMSticketid></CMSticketid>
<Cc></Cc>

<ChangeFullData></ChangeFullData>
<ChangeImplementationNotes></ChangeImplementationNotes>
<ClosedAt></ClosedAt>
<Created>Mon Feb 14 08:22:13 2011</Created>
<Createticketsfromattachment>No</Createticketsfromattachment>
<Description></Description>
<Due></Due>
<Expires></Expires>
<Firewall>
<Brand>Check Point</Brand>
<IPAddress>10.20.17.1</IPAddress>
<LastReport>michal-12327</LastReport>
<LastReportDate>2011-02-07 20:23:19</LastReportDate>
<ManagementServer>m_10_20_16_1</ManagementServer>
<Name>Kartiv</Name>
<Policy>Standard.W</Policy>
</Firewall>
<FormType>Object Change</FormType>
<Id>2128</Id>
<ImplementaionDate></ImplementaionDate>
<InitialPlanStartTime></InitialPlanStartTime>
<IsActiveChangeApplicable>1</IsActiveChangeApplicable>
<IsWorkOrderEditable>true</IsWorkOrderEditable>
<LastUpdated>Mon Feb 14 08:22:52 2011</LastUpdated>
<LastUpdatedBy></LastUpdatedBy>
<New></New>
<ObjectChangeValidationResult></ObjectChangeValidationResult>
<Owner>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Id>25</Id>
<Organization></Organization>
<RealName>m</RealName>
</Owner>
<OwningGroup>Network</OwningGroup>
<PlannedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.10.17.3</IPsToRemove>
<ObjectName>a_10.10.17.2-3</ObjectName>
<Scope>Local</Scope>
</PlannedTraffic>
<PlannedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.40.17.0-10.40.17.255</IPsToRemove>
<ObjectName>RemoteAccess</ObjectName>
<Scope>Global</Scope>
</PlannedTraffic>
<Priority>0</Priority>
<RequestedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.10.17.3</IPsToRemove>
<ObjectName>a_10.10.17.2-3</ObjectName>
<Scope>Local</Scope>
</RequestedTraffic>
<RequestedTraffic>
<Action>Remove IPs from Object</Action>
<IPsToRemove>10.40.17.0-10.40.17.255</IPsToRemove>
<ObjectName>RemoteAccess</ObjectName>
<Scope>Global</Scope>
</RequestedTraffic>
<Requestor>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Organization></Organization>
<RealName>m</RealName>
</Requestor>
<RisksDetails></RisksDetails>
<RisksNumber></RisksNumber>
<Status>implement</Status>
<Subject>For NZ</Subject>
<TicketTemplateName>130: Object Change Request</TicketTemplateName>
<TrafficChangeTime></TrafficChangeTime>
<TranslatedDestination></TranslatedDestination>
<TranslatedService></TranslatedService>
<TranslatedSource></TranslatedSource>
<Workflow>Change-Object</Workflow>
</Ticket>

Rule Removal Flat Ticket


<Ticket>
<Firewall>
<Brand>Check Point</Brand>
<IPAddress>10.20.17.1</IPAddress>
<LastReport>michal-12327</LastReport>
<LastReportDate>2011-02-07 20:23:19</LastReportDate>
<ManagementServer>m_10_20_16_1</ManagementServer>
<Name>Kartiv</Name>
<Policy>Standard.W</Policy>
</Firewall>
<FormType>Rule Removal</FormType>
<Id>2128</Id>
<ImplementaionDate></ImplementaionDate>
<InitialPlanStartTime></InitialPlanStartTime>
<IsWorkOrderEditable>true</IsWorkOrderEditable>
<LastUpdated>Mon Feb 14 08:22:52 2011</LastUpdated>
<LastUpdatedBy></LastUpdatedBy>
<New></New>
<Owner>
<City></City>
<Country></Country>
<EmailAddress>a123@algosec.com</EmailAddress>
<HomePhone></HomePhone>
<Id>25</Id>
<Organization></Organization>
<RealName>m</RealName>
</Owner>
<OwningGroup>Network</OwningGroup>
<PlannedTraffic>
<Requestedaction>Remove Rule</Requestedaction>
</PlannedTraffic>
<RequestedTraffic>
<Requestedaction>Remove rule</Requestedaction>
<RuleDisplayId>1</RuleDisplayId>
<RuleId>57E7BF23-D6BD-498A-9DDA-9071ECC47E46</RuleId>
<RuleRemovalRelatedTickets>748</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTickets>471</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTickets>323</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTickets>5</RuleRemovalRelatedTickets>
<RuleRemovalRelatedTicketsRequesotrs>65</RuleRemovalRelatedTicketsRequesotrs>
<RuleRemovalRelatedTicketsRequesotrs>37</RuleRemovalRelatedTicketsRequesotrs>
<RuleRemovalRuleAction>accept</RuleRemovalRuleAction>
<RuleRemovalUserstoNotify>65</RuleRemovalUserstoNotify>
<RuleRemovalUserstoNotify>37</RuleRemovalUserstoNotify>
</RequestedTraffic>
<Workflow>Rule-Removal</Workflow>
</Ticket>

Supported Comparison Operators

Operator    Description
=           Equal
!=          Not equal
=~          Contains
!~          Does not contain
<           Less than
>           Greater than

Supported Boolean Operators

Operator    Description

$and$       Both of the sub-queries joined by this operator must be true.
            In the following example, the condition is only met for new change requests with the
            Standard workflow:
            Ticket[Workflow = "Standard"] $and$ Ticket[Status = "new"]

$or$        One or both of the sub-queries joined by this operator must be true.
            In the following example, the condition is met for change requests that are new,
            change requests owned by John Smith, and new change requests owned by John Smith:
            Ticket[Status = "new"] $or$ Ticket/Owner[RealName = "John Smith"]

Comprehensive Example
The following XQL query specifies that at least one of the following must be true, in order for the
condition to be satisfied.

The change request's priority is greater than 7.
The requestor's email address includes the string "company.com".
The value of the custom field called "Project" is "Infrastructure".

Ticket[(Priority > 7)] $or$ Ticket/Requestor[EmailAddress =~ "company.com"] $or$ Ticket[Project = "Infrastructure"]
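A condition can be checked against a flat ticket offline before it is placed in a workflow. The following Python evaluator is an added example, not FireFlow's own XQL parser: it assumes that a field name matches a child element of the same name, that a sub-query is true when any matching element satisfies it, and that "contains" is case-sensitive. It rejects queries that mix $and$ with $or$, because this guide does not state their precedence; SAMPLE_TICKET is constructed.

```python
import re
import xml.etree.ElementTree as ET

# One sub-query: Path[Field op value], with optional parentheses around the comparison.
SUBQUERY = re.compile(
    r'\s*(?P<path>\w+(?:/\w+)*)\s*\[\s*(?P<lp>\()?\s*(?P<field>\w+)\s*'
    r'(?P<op>!=|=~|!~|=|<|>)\s*(?:"(?P<str>[^"]*)"|(?P<num>-?\d+(?:\.\d+)?))'
    r'\s*(?P<rp>\))?\s*\]\s*')
JOINER = re.compile(r'\$(and|or)\$')

# Constructed sample ticket, abridged from the flat ticket layout shown earlier.
SAMPLE_TICKET = """<Ticket>
  <Id>1567</Id>
  <Owner><EmailAddress>a123@algosec.com</EmailAddress><RealName>John Smith</RealName></Owner>
  <Priority>0</Priority>
  <Requestor><EmailAddress>a123@algosec.com</EmailAddress><RealName>JaneBrown</RealName></Requestor>
  <Status>check</Status>
  <Workflow>Standard</Workflow>
</Ticket>"""


def parse(query):
    """Split a query into sub-queries and the single Boolean operator joining them."""
    subs, joiners, pos = [], set(), 0
    while True:
        m = SUBQUERY.match(query, pos)
        if not m or bool(m["lp"]) != bool(m["rp"]):
            raise ValueError(f"cannot parse sub-query at offset {pos}")
        subs.append(m.groupdict())
        pos = m.end()
        if pos == len(query):
            break
        j = JOINER.match(query, pos)
        if not j:
            raise ValueError(f"expected $and$ or $or$ at offset {pos}")
        joiners.add(j.group(1))
        pos = j.end()
    if len(joiners) > 1:
        # Precedence between $and$ and $or$ is not documented, so refuse to guess.
        raise ValueError("query mixes $and$ and $or$")
    return subs, (joiners.pop() if joiners else "and")


def _holds(text, op, want):
    """Apply one comparison operator to an element's text."""
    have = (text or "").strip()
    if op in ("=~", "!~"):
        return (want in have) == (op == "=~")
    try:
        a, b = float(have), float(want)  # compare numerically when both sides are numbers
    except ValueError:
        if op in ("<", ">"):
            return False                 # ordering a non-numeric value is treated as no match
        a, b = have, want
    return {"=": a == b, "!=": a != b, "<": a < b, ">": a > b}[op]


def _elements(root, path):
    """Resolve a path such as Ticket or Ticket/Owner to the elements it names."""
    head, *rest = path.split("/")
    if root.tag != head:
        return []
    return root.findall("/".join(rest)) if rest else [root]


def evaluate(query, ticket_xml):
    """Return True if the flat ticket satisfies the condition."""
    subs, joiner = parse(query)
    root = ET.fromstring(ticket_xml)
    results = []
    for s in subs:
        want = s["str"] if s["str"] is not None else s["num"]
        results.append(any(
            _holds(child.text, s["op"], want)
            for el in _elements(root, s["path"])
            for child in el.findall(s["field"])))
    return all(results) if joiner == "and" else any(results)


if __name__ == "__main__":
    for q in ('Ticket[Workflow = "Standard"] $and$ Ticket[Status = "new"]',
              'Ticket[Status = "new"] $or$ Ticket/Owner[RealName = "John Smith"]'):
        print(evaluate(q, SAMPLE_TICKET), q)
```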

Adding Parallel Action Logic


By default, FireFlow allows you to specify whether an action will be performed in parallel to a second,
identical action.
If desired, you can add more logic for parallel actions. For example, you can add the following parallel
action logic:

50% of the responsible groups must meet certain criteria, in order to trigger this action.
The "Managers" user group must meet certain criteria in order to trigger this action.

To add parallel action logic


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/lib/, open the file ParallelLogic.pm.
3 For each parallel logic you want to configure, add the following lines to the file:
sub parallel_logicName
{
    # The additional responsible groups field, after the update
    my $additionalGroups = shift;
    # The pending responsible groups field, after the update
    my $pendingGroups = shift;
    # Evaluate the criteria here, then return 1 or 0 as described below.
}

Where logicName is the name of the parallel logic. This can be any string.
The function will receive the following parameters as input:
$additionalGroups - The additional responsible groups field after update
$pendingGroups - The pending responsible groups field after update
The function will return a Boolean value:
1 - The logic is satisfied, and the action will be triggered.
0 - The logic is not satisfied, and the action is still in parallel status.
4 Save the file.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Editing Actions
Editing an action will modify the action's default settings throughout all statuses in the workflow.

To edit an action

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
In the VisualFlow main menu, click Actions.
The Available actions page appears with a list of actions used in the workflow.
In the workflow layout, click on a status that uses the desired action as an inbound or outbound
action.
The Edit Status page appears with a list of inbound and outbound actions for the status.
4 Click Edit next to the desired action.
The Edit Action page appears.
5 Complete the fields using the information in Action Fields (page 101).
If you expanded the Advanced area, additional fields appear.
6 If you set the Parallel field to all, set the action's responsible groups by doing the following:
a) Click the Click here to set the action's responsible groups link.
The Responsible groups dialog box appears.
The Responsible group field displays the user group responsible for change requests in this status.
b) In the Additional responsible groups list, select the additional user groups responsible for change
requests in this status.
To select multiple user groups, press Ctrl while you click on the desired user groups.
c) Click OK.

7 Click Save Draft.

Reordering Actions
You can control the order in which actions appear in a workflow's list of actions.

To reorder actions

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click Actions.
The Available actions page appears.

4 In the list of actions, click [icon] next to an action you want to move, and drag it to the desired
location in the list.


Deleting Actions
To delete an action

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Do one of the following:
In the VisualFlow main menu, click Actions.
The Available actions page appears with a list of actions used in the workflow.
In the workflow layout, click on a status that uses the desired action as an inbound or outbound
action.
The Edit Status page appears with a list of inbound and outbound actions for the status.
4 Next to the desired action, click Delete.
A confirmation message appears.
5 Click OK.
The action is deleted from the list.

Working with SLAs


FireFlow enables you to configure a Service Level Agreement (SLA) per workflow. An SLA is a formal
definition of the logical workflow stages that comprise a change request's lifecycle and, optionally, the
amount of time allotted for completing each of these stages and the change request lifecycle as a whole.
Hence, a separate SLA must be defined for each workflow.
In an SLA, each of the workflow stages is represented by a Service Level Objective (SLO). An SLO
specifies the following:

The stage's starting point, which is when the change request enters a certain status
The stage's ending point, which is when the change request leaves a certain status
The stage's name

FireFlow uses the information specified in an SLO to measure the amount of time spent on the relevant
stage; and once the change request has completed its lifecycle, FireFlow can use all of the SLA's SLOs
together to calculate the amount of time spent on the entire lifecycle.
FireFlow then uses the calculated SLA information to generate reports on change requests that meet certain
criteria (for example, change requests that have spent more than a certain number of days in a particular
stage), and display those reports in searches, charts, and dashboards. For information on configuring SLA
notifications, see Working with SLA Notifications (on page 189).

Adding SLOs
To add an SLO to a workflow's SLA

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click SLA.

The Available SLA page appears with all of the SLOs comprising the workflow's SLA.

4 Click New SLO.

The Edit SLO page appears.

5 Complete the fields using the information in SLO Fields (page 131).
6 Click Save Draft.
The new SLO is added to the workflow's SLA.

SLO Fields

In this field...    Do this...

Name
    Type the name of the SLO.
    This field is mandatory.

Enabled
    Specify whether this SLO should be enabled, by choosing one of the following:
    Yes. The SLO is enabled and will be used for SLA calculations.
    No. The SLO is disabled. It will not be used for SLA calculations.
    The default value is Yes.

Statuses
    Select one or more statuses that represent the starting point for the workflow stage
    represented by this SLO. To select multiple statuses, hold down the Ctrl key while
    clicking on the desired statuses. The selected statuses are highlighted in the diagram at
    the top of the workspace.
    Alternatively, click Enable visual edit, and then click on the desired statuses in the
    diagram at the top of the workspace. The selected statuses appear in green. When
    finished, click Finish visual edit.

Time limit
    To configure a time limit for the workflow stage represented by this SLO, type the
    number of time units in the field provided, and select the type of time unit in the
    drop-down list.

Expiration target status
    Select the status to which the change request should transition when the specified time
    limit has been exceeded.
    This field is enabled only if you configured a time limit for the SLO.

Clear on revisit
    Specify whether the time counter should be reset to zero when the change request
    revisits the SLO or one of its statuses, by choosing one of the following:
    Yes. Reset the time counter, then begin timing from zero.
    No. Resume timing, without resetting the time counter.
    The default value is No.

End trigger
    Specify what event should trigger the end of the SLO, by choosing one of the following:
    Change request leaves the status. End the SLO when the change request leaves the
    status.
    Parallel action done by group. End the SLO when a parallel action is performed by a
    certain responsible group. You must select the desired responsible group in the
    drop-down list provided.
    This field appears only for SLOs that contain a status with a parallel action.

Editing SLOs
To edit an SLO in a workflow's SLA

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click SLA.
The Available SLA page appears with all of the SLOs comprising the workflow's SLA.
4 Next to the desired SLO, click Edit.
The Edit SLO page appears.
5 Complete the fields using the information in SLO Fields (page 131).
6 Click Save Draft.

Deleting SLOs
To delete an SLO from a workflow's SLA

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 In the VisualFlow main menu, click SLA.
The Available SLA page appears with all of the SLOs comprising the workflow's SLA.
4 Next to the desired SLO, click Delete.

A confirmation message appears.


5 Click OK.
The SLO is deleted.

Reordering Workflows
You can control the order in which workflows appear in VisualFlow.

To reorder workflows

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.

2 In the list of workflows, click [icon] next to a workflow you want to move, and drag it to the desired
location in the list.


Setting the Default Workflow


When FireFlow fails to assign a workflow based on a change request's template or workflow conditions, it
automatically uses the default workflow.
Only one workflow can be set as the default workflow. By default, the Standard workflow is the default
workflow.

To set the default workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Set as default.
Click on the workflow's name.
The workflow is marked as the default workflow in the Default column.

Deleting Workflows
Note: You cannot delete built-in workflows. For a list of built-in workflows, see Overview (on page 71).
Important: If you delete a workflow, then any change requests that are assigned to that workflow will be
re-assigned to the default workflow the next time they are accessed. Furthermore, if their current status does
not exist in the default workflow, the change requests will transition to the "new" status.

To delete an existing workflow

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Next to the desired workflow, click Delete.
A confirmation message appears.
3 Click OK.
The workflow is deleted.


A message at the top of the screen informs you that changes have been made to the workflows.

Viewing the Workflow XML


You can view changes to workflows, as they appear in the individual workflows' XML files and in the
workflow configuration file, Workflows_Config.xml.

Viewing Individual Workflows' XML Files


To view an individual workflow's XML file

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Do one of the following:
Click on the desired workflow's name.
Next to the desired workflow, click Edit.
The Edit Workflow page opens with the workflow's details.
3 Click View XML.
The workflow's XML file opens in a new tab.
For information on the structure of workflows' XML files, see Workflow File Structure (on page 148).

Viewing the Workflow Configuration File


To view the workflow configuration file

1 In the VisualFlow main menu, click Workflows.


The List of Workflows page appears.
2 Click View XML.
The workflow configuration file opens in a new tab.
For information on the structure of the workflow configuration file, see Workflow Configuration File
Structure (on page 144).

Installing Workflows
Installing workflows imports all workflow changes into FireFlow.

To install workflows
1 Do one of the following:
In the VisualFlow main menu, click Workflows.
The List of Workflows page appears.
In the VisualFlow main menu, click Workflow Installation.

The Workflow Installation page appears.

2 Click Install All Workflows.


A confirmation message appears.
3 Click OK.
A backup of the previous workflows configuration is saved to
/usr/share/fireflow/local/etc/site/backup/YYYY_MM_DD_hh-mm-ss, where
YYYY_MM_DD_hh-mm-ss is a timestamp. For example: 2011_01_21_10-30-00

All workflow changes are imported into FireFlow.


The message informing you that changes have been made to the workflows disappears.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).

Discarding Workflow Changes


You can discard all workflow changes that have not yet been installed. This will reload the XML workflow
files that are currently in use by FireFlow into VisualFlow.

To discard workflow changes

1 In the VisualFlow main menu, click Workflow Installation.


The Workflow Installation page appears.
A confirmation message appears.
2 Click OK.
3 Click Refresh Workflows.
All workflow changes are discarded.

The message informing you that changes have been made to the workflows disappears.

Examples
Example: Removing the Notify Requestor Stage
The following comprehensive example describes how to modify a copy of the Standard workflow, so that
FireFlow does not wait for user acceptance after implementing a change request.
Once implementation is complete, the Network user can simply resolve the change request (or re-implement
it, if an error was detected). Notification is only sent to the user upon the resolve action.

To configure this example


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Access VisualFlow.
See Accessing VisualFlow (on page 74).
3 Add a new workflow based on the Standard workflow.
See Adding Workflows (on page 78).
The workflow "Standard-Copy-#" is created, where # represents the copy's number.
4 Edit the new workflow as follows:
Set the Name field to the workflow's name. For example, "MyStandard".
Set the Configuration File field to the workflow's configuration file. For example, "MyStandard".
Set the Default field to yes.
See Editing Workflows (on page 87).
5 Delete the workflow's "Notify Requestor" action.
See Deleting Actions (on page 128).
6 Edit the workflow's "Resolve" action as follows:
Set the Type field to Reply to user, so that mail can be sent to the requestor.
Set the Mail content field to "Your request has been implemented. It will be closed now.".
See Editing Actions (on page 127).
7 Add a "resolve" outbound action to the workflow's "Validate" status as follows:
Set the Display action button field to Yes, so that the "Resolve" button will appear for change
requests in the "Validate" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
8 Install the workflow.
See Installing Workflows (on page 134).
9 Log in to the FireFlow server via SSH, using the username "root" and the related password.
10 Restart FireFlow.
See Restarting FireFlow (on page 11).

Example: Allowing the Network Group to Approve Change Requests


The following comprehensive example describes how to modify a copy of the Standard workflow, to allow
Network users to approve change requests.
After initial planning, the change request achieves the new status "pre-check". Network users can then
decide whether to approve the change request, not approve it, or send it to a Security user.

To configure this example


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Access VisualFlow.
See Accessing VisualFlow (on page 74).
3 Add a new workflow based on the Standard workflow.
See Adding Workflows (on page 78).
The workflow "Standard-Copy-#" is created, where # represents the copy's number.
4 Edit the new workflow as follows:
Set the Name field to the workflow's name. For example, "MyStandard".
Set the Configuration File field to the workflow's configuration file. For example, "MyStandard".
Set the Default field to yes.
See Editing Workflows (on page 87).
5 Add a new status to the workflow as follows:
Set the Name field to "pre-check".
Set the Stage field to approve.
Set the Responsible group field to Network.
Set the Allow editing traffic fields field to yes.
Set the Stage still incomplete field to yes.
See Adding Statuses (on page 87).
6 Reorder the statuses so that the new "pre-check" status appears immediately before the "approve" status.
See Reordering Statuses (on page 94).
7 Add a new action to the workflow as follows:
Set the Name field to "send_to_security".
Set the Type field to Change status.
Set the Display Name field to "Send to Security".
Set the Target status field to approve.
Set the Required action right field to UserDefinedRight01.
Set the Applies to change requests of type field to Parent and Regular.
Set the Traffic fields required field to yes.
See Adding Actions (on page 95).
8 Reorder the actions so that the new "Send to Security" action appears immediately after the "Risk
Check" action.
See Reordering Actions (on page 128).

9 Edit the "Initial Plan" action to transition the change request to the new "pre-check" status as follows:
Set the Target status field to pre-check.
See Editing Actions (on page 127).
10 Edit the "Risk Check" action to transition the change request to the new "pre-check" status as follows:
Set the Target status field to pre-check.
See Editing Actions (on page 127).
11 Add a "risk_check" outbound action to the "pre-check" status as follows:
Set the Display action button when field is empty field to Request Risk Check Result, so that the "Risk
Check" button will appear for change requests in the "pre-check" stage when this field is empty.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
12 Add a "send_to_security" outbound action to the "pre-check" status as follows:
Set the Display action button field to Yes, so that the "Send to Security" button will appear for change
requests in the "pre-check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
13 Add an "approve" outbound action to the "pre-check" status as follows:
Set the Display action button field to Yes, so that the "Approve" button will appear for change
requests in the "pre-check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
14 Add a "re_plan" outbound action to the "pre-check" status as follows:
Set the Display Name field to "Not Approve", so that this button's name will appear for change
requests in the "pre-check" stage.
Set the Display action button field to Yes, so that the "Not Approve" button will appear for change
requests in the "pre-check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "pre-check" stage.
Set the Mail content field to "Your request has not been approved and needs to be re-planned", so that
this text will appear in emails sent to the requestor for change requests in "pre-check" stage.
See Adding Actions (on page 95).
15 Add a "re_implement" outbound action to the "pre-check" status as follows:
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "pre-check" stage.
See Adding Actions (on page 95).
16 Delete the "Risk Check" outbound action from the "approve" status, so that the risk check button will
not appear for change requests in "Approve" stage.
See Deleting Actions (on page 128).
17 Assign the UserDefinedRight01 global right to the Network user group.


See Configuring a Group's Global and Queue Rights (on page 35).
Members of the Network group can now perform the "Send to Security" action.
18 Install the workflow.
See Installing Workflows (on page 134).
19 Log in to the FireFlow server via SSH, using the username "root" and the related password.
20 Restart FireFlow.
See Restarting FireFlow (on page 11).

Example: Adding Another Approve Stage


The following comprehensive example describes how to modify a copy of the Standard workflow, by
adding a second Approve stage to the lifecycle.
A new status, "second check", will be achieved after the first approve action. The second approve must then
be performed by the new "High Level Security" user group.

To configure this example


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Add a user group as follows:
Set the Name field to "High Level Security".
Set the Description field to "High Level Security".
Set the Copy Group Rights and Home Page Settings from group field to Security.
See Adding User Groups (on page 29).
3 Access VisualFlow.
See Accessing VisualFlow (on page 74).
4 Add a new workflow based on the Standard workflow.
See Adding Workflows (on page 78).
The workflow "Standard-Copy-#" is created, where # represents the copy's number.
5 Edit the new workflow as follows:
Set the Name field to the workflow's name. For example, "MyStandard".
Set the Configuration File field to the workflow's configuration file. For example, "MyStandard".
Set the Default field to yes.
See Editing Workflows (on page 87).
6 Add a new status for the workflow as follows:
Set the Name field to "second check".
Set the Stage field to approve.
Set the Responsible group field to High Level Security.
Set the Allow editing traffic fields field to yes.
Set the Stage still incomplete field to yes.
See Adding Statuses (on page 87).

7 Reorder the statuses so that the new "second check" status appears immediately after the "approve"
status.
See Reordering Statuses (on page 94).
8 Add an "approve" outbound action to the "second check" status as follows:
Set the Display action button field to Yes, so that the "Approve" button will appear for change
requests in the "second check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
9 Add a "re-plan" outbound action to the "second check" status as follows:
Set the Display Name field to "Reject", so that this button's name will appear for change requests in
the "second check" stage.
Set the Display action button field to Yes, so that the "Reject" button will appear for change requests
in the "second check" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "second check" stage.
Set the Mail content field to "Your request has been rejected and needs to be re-planned", so that this
text will appear in emails sent to the requestor for change requests in "second check" stage.
See Adding Actions (on page 95).
10 Add a "re-implement" outbound action to the "second check" status as follows:
Set the User confirmation needed field to No, so that this action will not trigger an "Are you sure?"
pop-up for change requests in "second check" stage.
See Adding Actions (on page 95).
11 Add a new action to the workflow as follows:
Set the Name field to "first_approve".
Set the Type field to Internal comment.
Set the Display Name field to "First Approve".
Set the Target status field to second check.
Set the Required action right field to UserDefinedRight02.
Set the Applies to change requests of type field to Parent and Regular.
Set the Traffic fields required field to yes.
See Adding Actions (on page 95).
12 Reorder the workflow's actions, so that the new "First Approve" action appears immediately after the
"Risk Check" action.
See Reordering Actions (on page 128).
13 Edit the "Approve" action as follows:
Set the Display Name field to "Final Approve".
See Editing Actions (on page 127).
14 Add a "first_approve" outbound action to the "approve" status as follows:
Set the Display action button field to Yes, so that the "First Approve" button will appear for change
requests in the "approve" stage.
Set the Display in workflow layout field to Yes, so that the outbound action will appear as an arrow in
the workflow layout.
See Adding Actions (on page 95).
15 Delete the "Final Approve" outbound action from the approve status.
See Deleting Actions (on page 128).
16 Assign the UserDefinedRight02 global right to the Security user group.
See Configuring a Group's Global and Queue Rights (on page 35).
Members of the Security group can now perform the "First Approve" action.
17 Install the workflow.
See Installing Workflows (on page 134).
18 Log in to the FireFlow server via SSH, using the username "root" and the related password.
19 Restart FireFlow.
See Restarting FireFlow (on page 11).

CHAPTER 12

Working with Workflows via XML


This section explains how to add, edit, and delete workflows by working directly with the workflow XML
files. It also explains how to modify the set of conditions determining when each workflow should be
assigned.
Warning: Working directly with workflow XML files is not recommended, as manual changes to the files
may be overwritten by VisualFlow if not performed correctly. VisualFlow is the recommended method of
working with workflows. For information on using VisualFlow, see Working with Workflows in
VisualFlow (on page 71).
For an overview of how FireFlow uses workflows and for information about built-in workflows, see
Overview (on page 71).

In This Chapter
Editing the Workflow Configuration File
Adding Workflows
Modifying Workflows
Disabling Workflows
Deleting Workflows
Reverting to the System Default Workflow via XML

Editing the Workflow Configuration File


The workflow configuration file, Workflows_Config.xml, determines the following:

- Which workflow should be assigned by default, when FireFlow fails to assign a workflow based on the conditions
- Whether a given workflow is enabled in FireFlow
- The conditions in which a workflow should be assigned, when the change request's template does not specify a workflow

To edit the workflow configuration file


1 Under the directory /usr/share/fireflow/local/etc/, locate the file
Workflows_Config.xml.
Note: This is the original system settings file, and it is required for reverting to system default settings.
Do not modify this file.
2 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original
file into an override file that is also called Workflows_Config.xml.
3 Open the override file.
4 Modify the workflow tags as desired.
See Workflow Tag Attributes (on page 144) for information on the workflow tag attributes.

5 Add or modify condition tags to specify the conditions in which a workflow should be assigned, in
the event that the change request's template does not specify a workflow.
See Condition Tag Syntax (on page 145) for information on the condition tag's syntax.
6 Save the override file.
7 Restart FireFlow.
See Restarting FireFlow (on page 11).

Workflow Configuration File Structure


The workflow configuration file has an XML structure that is defined by XML schema file
Workflows_Config.xsd, located under /usr/share/fireflow/local/etc/. The main structure of
the workflow configuration file is:
<WorkflowsConfig>
    <workflows>
        <!-- each workflow tag defines a workflow that can be assigned to change requests -->
        <workflow name="workflow_name_here">
            <!-- the condition tag defines the condition for assigning the workflow to change requests -->
            <condition><![CDATA[condition_here]]></condition>
        </workflow>
    </workflows>
</WorkflowsConfig>

Workflow Tag Attributes


Each workflow tag in the XML file defines a workflow that can be assigned to change requests. The
following table explains each workflow tag attribute.
Workflow Tag Attributes

name
  Description: The name of the workflow as it should appear in the FireFlow interface. This attribute is mandatory.
  Possible Values: Any short phrase
  Permitted Change: Any

description
  Description: A description of the workflow. Appears in the FireFlow interface, in change requests that are assigned to this workflow. This attribute is mandatory.
  Possible Values: Any short phrase
  Permitted Change: Any

filename_prefix
  Description: The name of the workflow file associated with this workflow, without the file suffix. This attribute is mandatory.
  Possible Values: The workflow file name, without the "_Config.xml" file suffix. For example, when working with the Standard workflow, the associated workflow file is Standard_Config.xml. Therefore, this attribute's value should be "Standard".
  Permitted Change: There is no reason to change this attribute. If you do change it, then you must ensure consistency throughout the XML file.

default
  Description: Indicates whether the workflow should be assigned by default, when FireFlow fails to assign a workflow based on the conditions. This attribute must be used in exactly one workflow tag. By default, it is used in the Standard workflow's workflow tag.
  Possible Values: This can be one of the following:
    - 1. This is the default workflow.
    - 0. This is not the default workflow.
  Permitted Change: Any

enabled
  Description: Indicates whether the workflow is enabled. This attribute is optional.
  Possible Values: This can be one of the following:
    - 1. The workflow is enabled.
    - 0. The workflow is disabled.
    The default value is 1.
  Permitted Change: Any

Condition Tag Syntax


The condition tag in the XML file defines the condition under which the workflow specified in the parent
workflow tag should be assigned to change requests. The condition tag's syntax is as follows:
<condition><![CDATA[condition]]></condition>

Where condition is a query specifying the desired condition. This query is composed of pairs in the
following format:
field = 'value'

Where field is a supported field in FireFlow, and value is the field's value. For information on supported
fields, see Supported Fields (on page 81). For example, the following query specifies that the change
request status must be "new":
Status = 'new'

You can use != to indicate "not". For example, the following query specifies that the change request status
must not be "new":
Status != 'new'

It is possible to use Boolean operators between field-value pairs. For a list of supported operators, see
Supported Boolean Operators (on page 86). For example, the following query specifies that the change
request status must be "new", and the owner must be John Smith:
Status = 'new' AND Owner = 'John Smith'

For more intricate queries, you can use parentheses to group field-value pairs and operators. For example,
the following query specifies that the change request status must be "new" or "plan", and the owner must be
John Smith or Sue Michaels.
(Status = 'new' OR Status = 'plan') AND (Owner = 'John Smith' OR Owner = 'Sue Michaels')

Comprehensive Example
In the following example, the Special workflow will be assigned when the change request's template does
not specify a workflow, and one of the following conditions is met:

- The change request's priority is greater than 7.
- The requestor's email address includes the string "company.com".
- The value of the custom field called "Project" is "Infrastructure".

<workflow name="Special" description="Tickets requiring special treatment"
    filename_prefix="Special" enabled="1" >
    <condition><![CDATA[(Priority > 7) OR (Requestor.EmailAddress LIKE 'company.com') OR ('CF.{Project}' = 'Infrastructure')]]></condition>
</workflow>
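One way to review an override file before restarting FireFlow, as an added example that is not part of the original guide or AlgoSec's tooling: because the override under site/ starts as a copy of the original, a structural diff shows which workflow tags and conditions were changed and whether default="1" still appears in exactly one tag. Both XML documents are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the original file under /usr/share/fireflow/local/etc/.
ORIGINAL = """\
<WorkflowsConfig>
  <workflows>
    <workflow name="Standard" description="Standard workflow"
              filename_prefix="Standard" default="1"/>
    <workflow name="Special" description="Tickets requiring special treatment"
              filename_prefix="Special" enabled="1">
      <condition><![CDATA[(Priority > 7) OR ('CF.{Project}' = 'Infrastructure')]]></condition>
    </workflow>
  </workflows>
</WorkflowsConfig>
"""

# Constructed stand-in for the override file under /usr/share/fireflow/local/etc/site/.
OVERRIDE = """\
<WorkflowsConfig>
  <workflows>
    <workflow name="Standard" description="Standard workflow"
              filename_prefix="Standard" default="1"/>
    <workflow name="Special" description="Tickets requiring special treatment"
              filename_prefix="Special">
      <condition><![CDATA[(Priority > 3) OR
          ('CF.{Project}' = 'Infrastructure')]]></condition>
    </workflow>
    <workflow name="Emergency" description="Emergency changes"
              filename_prefix="Emergency" default="1">
      <condition><![CDATA[Requestor.EmailAddress LIKE 'company.com']]></condition>
    </workflow>
  </workflows>
</WorkflowsConfig>
"""


def load_workflows(xml_text):
    """Return {workflow name: (attributes, [condition queries])} for one config file."""
    workflows = {}
    for wf in ET.fromstring(xml_text).findall("./workflows/workflow"):
        attrs = dict(wf.attrib)
        attrs.setdefault("enabled", "1")  # the guide gives 1 as the default for enabled
        # Collapse whitespace (for comparison only) so re-wrapping a query is not a change.
        queries = [" ".join((c.text or "").split()) for c in wf.findall("condition")]
        workflows[attrs.get("name", "")] = (attrs, queries)
    return workflows


def diff_override(original_xml, override_xml):
    """List (kind, workflow, detail) tuples describing what the override changes."""
    before, after = load_workflows(original_xml), load_workflows(override_xml)
    changes = []
    for name in sorted(set(after) - set(before)):
        changes.append(("added", name, "; ".join(after[name][1])))
    for name in sorted(set(before) - set(after)):
        changes.append(("removed", name, ""))
    for name in sorted(set(before) & set(after)):
        (old_attrs, old_q), (new_attrs, new_q) = before[name], after[name]
        for attr in sorted(set(old_attrs) | set(new_attrs)):
            if old_attrs.get(attr) != new_attrs.get(attr):
                changes.append(("attribute", name,
                                f"{attr}: {old_attrs.get(attr)} -> {new_attrs.get(attr)}"))
        if old_q != new_q:
            changes.append(("condition", name, f"{old_q} -> {new_q}"))
    return changes


def default_workflows(xml_text):
    """Names of workflows marked default="1" (read here as: exactly one is allowed)."""
    return [name for name, (attrs, _) in load_workflows(xml_text).items()
            if attrs.get("default") == "1"]


if __name__ == "__main__":
    for change in diff_override(ORIGINAL, OVERRIDE):
        print(change)
    defaults = default_workflows(OVERRIDE)
    if len(defaults) != 1:
        print("default must be set in exactly one workflow tag, found:", defaults)
```

On the constructed sample this reports the added Emergency workflow, the loosened Priority threshold in Special, and two workflows competing for default.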

Adding Workflows
To add a custom workflow
1 Log in to the FireFlow server using the username "root" and the related password.
2 Create the custom workflow, by doing the following:
a) Under the directory /usr/share/fireflow/local/etc/site/Workflows/, create a new
XML file with the required structure.
See Workflow File Structure (on page 148).
b) Add actions and statuses to the change request lifecycle.
See Action Tag Attributes (on page 149) and Status Tag Attributes (on page 160) for information
on the relevant tag attributes.
c) Save the file.
3 Add the custom workflow to the workflow configuration file, by doing the following:
a) Under the directory /usr/share/fireflow/local/etc/, locate the file
Workflows_Config.xml.
Note: This is the original system settings file, and it is required for reverting to system default
settings. Do not modify this file.
b) Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the
original file into an override file that is also called Workflows_Config.xml.
c) Open the override file.
d) Add a workflow tag for the new workflow.

See Workflow Tag Attributes (on page 144) for information on the relevant tag attributes.
e) Save the override file.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).
5 Specify when the custom workflow should be used, by doing one or more of the following:
- To assign change requests to the new workflow when a specific template is used, do one of the following:
  - Modify an existing template to specify the new workflow.
  - Add a new template that specifies the new workflow.
  For information on working with templates, refer to the AlgoSec FireFlow User Guide, Managing Request Templates.
- To assign change requests to the new workflow based on the workflow conditions, edit the workflow configuration file and specify the conditions in which the workflow should be used.
  See Editing the Workflow Configuration File (on page 143).

Workflow File Structure


Workflow files have an XML structure that is defined by XML schema file
TicketLifeCycle_Config.xsd located under /usr/share/fireflow/local/etc/Workflows/.
The main structure of workflow files is:
<TicketStatusConfig>
    <actions>
        <!-- each action tag defines a global action that can be performed on the change request -->
    </actions>
    <statuses>
        <status name="status_name_here">
            <actions>
                <!-- each action tag defines the way in which the global actions default behavior is overridden when the change request has this status -->
            </actions>
        </status>
        <!-- more status values -->
    </statuses>
    <conditions>
        <!-- each condition tag defines a condition for the change request to transition to a particular status, when an action is performed -->
        <condition conditionKey="unique_key_here"
            GoToStatus="target_status_here" msgToUser="message_to_user_here">
            <check><![CDATA[XQL_query]]></check>
        </condition>
        <!-- more conditions -->
    </conditions>
</TicketStatusConfig>

Action Tag Attributes


Each action tag in the XML file configures an action's behavior. The following table explains each
action tag attribute.
Action Tag Attributes

title
  Description: The name of the action as it appears in the FireFlow interface. This attribute is mandatory.
  Possible Values: Any short phrase
  Permitted Change: Any

type
  Description: The action's type, which describes what it does. This attribute is mandatory.
  Possible Values: This can be one of the following:
    - change_status. Changes the status of the change request
    - internal_comment. Adds a comment to the change request that is hidden from the requestor.
    - reply_to_user. Adds a comment to the change request that is seen by the requestor. Includes sending an email to the requestor.
    - initial_plan. Performs initial planning. Relevant only for traffic change requests.
    - risk_check. Performs a risk check. Relevant only for traffic change requests.
    - implementation_plan. Creates a work order.
    - manual_reconcile. Opens a dialog box that allows a user to manually match the change request with a change record. Relevant only for traffic change requests.
    - no_change_record. Opens a dialog box that allows a user to manually match the change request, while specifying that there is no associated change record. Relevant only for traffic change requests.
    - change_validation. Performs validation of a traffic change request. Relevant only for traffic change requests.
    - object_change_validation. Performs validation of an object change request. Relevant only for object change requests.
    - affected_rules. Finds affected rules for an object change request. Relevant only for object change requests.
    - review_work_order. Enables a user to view an existing work order and edit it. Relevant controls will appear in UI only for Check Point devices. Relevant only for traffic change requests.
    - active_change. Enables a user to implement planned changes via ActiveChange. Relevant controls will appear in UI only for Check Point devices using OPSEC. Relevant only for traffic change requests.
    - modify_custom_field. Allows a user to modify a specific custom field.
    - take_ownership. Assigns the user ownership of a change request.
    - assign. Allows a user to assign ownership of a change request to another user.
    - organize. Enables the user to choose an organization methodology. Relevant only for Blue Coat-related requests.
    - related_tickets. Enables the user to search for change requests whose traffic intersects that of the rule selected for removal/disablement. Relevant only for rule removal and recertification requests.
    - notify_requestors. Enables the user to notify the requestors of related change requests that the rule is slated for removal/disablement. Relevant only for rule removal and recertification requests.
    - view_correspondence. Enables the user to view responses received from requestors. Relevant only for rule removal and recertification requests.
    - rule_removal_validation. Enables the user to validate the implemented rule removal/disablement against the change request. Relevant only for rule removal requests.
    - recertification_validation. Enables the user to Relevant only for recertification requests.
    - plan_removal. Enables the user to plan the removal of Allow traffic. Relevant only for recertification requests.
    - recertify. Enables the user to recertify a request. Relevant only for traffic requests.
  Permitted Change: Actions of the internal_comment type can be changed to the reply_to_user or change_status type and vice versa. No other changes are permitted to pre-defined actions.

enabled
  Description: Indicates whether this action is enabled in the FireFlow interface.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is true.
  Permitted Change: Any

key
  Description: A unique key value for the action. Used when the action's behavior is to be overridden for a specific status. This attribute is mandatory.
  Possible Values: A short alpha-numeric string that is unique to the XML file
  Permitted Change: There is no reason to change this attribute. If you do change it, then you must ensure consistency throughout the XML file.

category
  Description: The action's category. You can create categories and assign similar actions to them.
  Possible Values: Any string
  Permitted Change: Any

transition_to_status
  Description: The new status that the change request will transition to when the action is performed. This attribute can be used to remove statuses from the lifecycle. It is also important when adding statuses in the middle of the lifecycle (see the example in Example: Adding Another Approve Stage). If the transition_to_condition attribute is set, then this attribute represents the status that the change request will transition to if all conditions in transition_to_condition are false. This attribute is mandatory.
  Possible Values: Any status name as defined in the <statuses> node
  Permitted Change: Change is permitted with the following limitations:
    - Do not remove the following statuses from the lifecycle: new, open, resolved, rejected, deleted.
    - Do not change this value so that the status order is switched. For example, the change request must not transition from "new" to "implement" to "check".

ticket_member_type
  Description: The types of change requests for which the action is relevant, and for which the action should appear. This attribute is optional.
  Possible Values: This can be one or more of the following:
    - Regular. The action is relevant to regular change requests. A regular change request is relevant to only one device.
    - Parent. The action is relevant to parent requests. A parent request is relevant to multiple devices and has a sub-request for each device.
    - SubTicket. The action is relevant to sub-requests. A sub-request is relevant to one device, out of the multiple devices that are relevant to its parent request.
    The default value is no value, in which case the action will be relevant to all change request types.
    Multiple values must be separated by commas.
    Relevant only for traffic change requests. (Object change requests do not have sub-requests.)
  Permitted Change: There is no reason to change this attribute.

recommend
  Description: Indicates whether the action is "recommended". Recommended actions are available via an explicit button next to the Other drop-down list. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any


recommend_if_custom_field_empty
  Description: Indicates that the action should be "recommended" (see recommend) only if a specific change request field is empty. This attribute is optional.
  Possible Values: The name of a change request field. Popular fields that may be used are:
    - Request Risk Check Result. The risk check's output
    - Firewall Name. The name of the device assigned to the change request
    - CMS ticket id. The ID of an external Change Management System (if applicable)
    - Expires. The change request's expiration date
    For additional fields, contact AlgoSec.
    The default value is no value.
  Permitted Change: Any

recommend_if_custom_field_true
  Description: Indicates that the action should be available via an explicit button next to the Other drop-down list, only if a specific custom field's value is true. This is useful for actions that are restricted to certain device types. For example, editing a work order can only be done for Check Point devices; therefore, this action should only be available if a custom field called Is Work Order Editable is set to "true". (FireFlow automatically sets it to "true" only for Check Point devices.) This attribute is optional.
  Possible Values: The name of a custom field. Popular fields that may be used are:
    - Is Work Order Editable. Indicates whether the work order can be edited.
    - Is Active Change Applicable. Indicates whether ActiveChange is relevant
    The default value is no value.
  Permitted Change: Any

recommend_if_current_user_is_not_owner
  Description: Indicates whether the action should be available via an explicit button next to the Other drop-down list, only if the current user is not the change request's owner.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

recommend_if_ticket_belongs_to_no_one
  Description: Indicates whether the action should be available via an explicit button next to the Other drop-down list only if the change request is not assigned to a user.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

hide_from_actions_menu_if_not_recommended
  Description: Indicates that the action should not appear in the Other drop-down list, if it is not available via an explicit button next to the Other drop-down list.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

need_user_confirm
  Description: Indicates whether a confirmation message should appear when a user performs the action. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

user_confirm_message
  Description: The confirmation message that should appear when the user performs the action, if the need_user_confirm attribute is set to true. This attribute is optional.
  Possible Values: Any text. The default confirmation message is:
    Are you sure you want to <TITLE>?
    Where <TITLE> is the title of the action.
  Permitted Change: Any

require_login_with_valid_license
  Description: Indicates whether a valid FireFlow license and a user that was defined in AlgoSec Firewall Analyzer is required, in order for the action to appear in the Other drop-down list. Note: This is a cosmetic issue only. Actions that involve FireFlow Analytics will not succeed if there is no valid license or if the user logged in was not defined in AlgoSec Firewall Analyzer. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: There is no reason to change this attribute.

require_ticket_right
  Description: Indicates whether the user must be granted a specific right, in order for the action to appear in the Other drop-down list. Note: This is not just a cosmetic issue. Actions that require the user to have a specific right will not appear in the UI if the user does not have the right. Furthermore, even if they did appear, they would not succeed, unless the user had the right. This attribute is optional.
  Possible Values: The name of a global right. Popular rights that may be used are:
    - AllowActiveChange
    - AllowAffectedRules
    - AllowApprove
    - AllowChangeValidation
    - AllowDeleteTicket
    - AllowImplementationDone
    - AllowImplementationPlan
    - AllowInitialPlan
    - AllowManualCheck
    - AllowNotifyRequestor
    - AllowObjectChangeValidation
    - AllowReImplement
    - AllowRePlan
    - AllowReject
    - AllowRequestorResponse
    - AllowResolve
    - AllowReview
    - AllowRiskCheck
    - ModifyChanges
    - ModifyReconciliation
    - UserDefinedRight01
    - UserDefinedRight02
    - UserDefinedRight03
    - UserDefinedRight04
    - UserDefinedRight05
    - UserDefinedRight06
    - UserDefinedRight07
    - UserDefinedRight08
    - UserDefinedRight09
    - UserDefinedRight10
    For additional rights, contact AlgoSec.
    The default value is no value.
  Permitted Change: There is no reason to change this attribute.

goto_homepage
  Description: Indicates whether the user should be re-directed to the Home page after executing the action. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

goto_homepage_print_sub_tickets
  Description: Indicates whether after the action is performed on a parent request, the user should be redirected to the Home page, which displays a list of the parent request's sub-requests. This attribute is relevant only for actions of the type change_status, reply_to_user and internal_comment. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: There is no reason to change this attribute.

goto_parent
  Description: Indicates whether after the action is performed on a sub-request, the user should be redirected to the parent request. This attribute is relevant only for actions of the type change_status, reply_to_user and internal_comment. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: There is no reason to change this attribute.

mandatory_fields_required
  Description: Indicates whether certain change request fields are mandatory, in which case if the fields are not filled in when the action is performed, a message will appear prompting the user to fill them in. The fields in question are: Source, Destination, Service, Action, Firewall. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

mail_content
  Description: The default text that will appear in the main message box when commenting on a change request or replying to the user. This attribute is relevant only for actions of the type reply_to_user and internal_comment. This attribute is optional.
  Possible Values: Any text. The default value is no value.
  Permitted Change: Any

transition_to_match_status
  Description: Indicates whether after the action is performed, the change request's "match status" should be set to a specific value, and the change request should be displayed in the Auto Matching page. This attribute is relevant only for actions of the type change_status, reply_to_user and internal_comment. This attribute is optional.
  Possible Values: This can be set to the following values:
    - new
    - recheck
    - perfect match
    - id match
    - change is wider than ticket
    - partially implemented
    - pending
    - approved no change
    - unable to match
    - manually matched
    - already works
    The default value is no value.
  Permitted Change: There is no reason to change this attribute.

VisualFlow_visible
  Description: Indicates whether the action should be displayed in the workflow layout, when viewing a workflow. Note: When viewing a status for which this action is an outbound action, the action will be displayed in the workflow layout, regardless of this attribute's value. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

modify_custom_field_title
  Description: The message that should appear when this action is performed, instructing the user to complete the custom field specified in the custom_field_name attribute. This attribute is relevant only for actions of the type modify_custom_field.
  Possible Values: Any string.
  Permitted Change: Any

custom_field_name
  Description: If the action requires a custom field's value as input, this attribute indicates the custom field's name. This attribute is relevant only for actions of the type modify_custom_field.
  Possible Values: Any custom field's name.
  Permitted Change: Any

allow_unprivileged_users
  Description: Indicates whether unprivileged users should be allowed to perform this action. This attribute is relevant only for actions of the type change_status, reply_to_user, and internal_comment. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

transition_to_condition
  Description: The unique IDs of one or more conditions, under which change requests should transition to a particular status, when this action is performed. When multiple condition IDs are specified, FireFlow will check the conditions in order listed in this attribute. When FireFlow encounters a condition that is true, it will stop checking any additional conditions and transition the change request to the relevant status.
  Possible Values: The conditionKey attributes of one or more conditions. Multiple attributes must be separated by commas (,).
  Permitted Change: Any

In the following example, the action "Initial Plan" is of the type "initial_plan" (that is, it performs initial
planning). This action will appear in the FireFlow interface only if a valid FireFlow license exists, only for
regular and parent requests, and only for users that have been granted the right AllowInitialPlan.
Executing this action changes the change request status to "check".
<action title="Initial Plan"
    type="initial_plan"
    key="initial_plan"
    transition_to_status="check"
    require_login_with_valid_license="true"
    require_ticket_right="AllowInitialPlan"
    ticket_member_type="Parent,Regular" />

In the following example, the action "Re-Plan" is of the type "reply_to_user" (that is, it comments on the
change request and sends an email to the user). The default email text is "Your request needs to be
re-planned". When this action is executed, a confirmation message will appear prompting the user to
approve the change request before continuing. The change request's status changes to "open", which appears
as "plan" in the FireFlow interface. This action will appear only for regular and parent requests, and only for
users that have been granted the right AllowRePlan.
<action title="Re-Plan"
    type="reply_to_user"
    key="re_plan"
    transition_to_status="open"
    need_user_confirm="true"
    mail_content="Your request needs to be re-planned"
    require_ticket_right="AllowRePlan"
    ticket_member_type="Parent,Regular" />

Note: The following pre-defined actions are always available in the Other drop-down list and can always be
performed on a change request, regardless of the changes made to the lifecycle:
- Comment, Reply - appear at the beginning of the list
- Duplicate, Save As Template - appear at the end of the list
Additional actions defined in the XML file appear between these two sets of actions in the Other drop-down
list.

Status Tag Attributes


Each status tag in the XML file determines the change request's behavior when the change request is in
the status. The following table explains each status tag attribute.
Status Tag Attributes

name
  Description: The name of the status as it appears in the FireFlow interface. This is also a unique key.
    Note: The status "open" appears in the UI as "plan".
    The status "reconcile" appears in the UI as "pending match".
    The status "reconciled" appears in the UI as "matched".
    The status "check" appears in the UI as "approve".
    The status "implementation plan" appears in the UI as "create work order".
    This attribute is mandatory.
  Possible Values: Up to 50 characters of Latin character set. Spaces are allowed.
  Permitted Change: Change is permitted with the following limitations:
    - Do not rename the following statuses: new, open, resolved, rejected, deleted
    - Renaming the following statuses requires additional configuration changes in the database and/or FireFlow_SiteConfig.pm file: approved, implementation plan, reconcile, reconciled. Contact AlgoSec for assistance.

enabled
  Description: Indicates whether this status is enabled in the FireFlow interface.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is true.
  Permitted Change: Any

responsible
  Description: The single user group responsible for change requests in this status. Note: Usually, this group is configured to see these change requests in its Home page (see Customizing the Home Page per Group (on page 18)). When an action is performed on the change request, and the action transitions the change request to a new status for which the change request owner is not responsible, the change request is re-assigned to the default assignee of the new status's responsible group, and the current user is re-directed to their Home page. This attribute is mandatory.
  Possible Values: Any user group name
  Permitted Change: Any

additional_responsibles
  Description: Additional user groups responsible for change requests in this status. This attribute is optional.
  Possible Values: A comma-separated list of responsible groups
  Permitted Change: Any

image
  Description: The name of the image used in the lifecycle diagram at the top of the change request page. This attribute is mandatory.
  Possible Values: This can be one of the following: new, open, check, implement, validate, reconcile, resolved, rejected, deleted
  Permitted Change: There is no reason to change this attribute.

image_not_considered_visited
  Description: The lifecycle diagram uses variations of each image to indicate whether the change request is currently in the status, has previously been there ("visited"), or neither. This attribute controls whether a change request that has previously been to this status (and is currently not in this status), is considered to have "visited" this status or not. Note: This attribute controls the lifecycle images only. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: There is no reason to change this attribute.

allow_to_plan_change
  Description: Indicates whether it is possible to plan the change when a change request is in this status. Planning the change involves modifying any of the following fields: Source, Destination, Service, Action, NAT. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any
    Important: Initial planning will not succeed if the change request's current status is configured to have this attribute set to false.

incoming_correspondence_transition_to_status
  Description: Indicates whether to change the change request status to a specific status, when incoming correspondence from the change request's unprivileged requestor to the change request occurs. If this attribute is not set, then the change request status will not change upon incoming correspondence. This attribute is optional.
  Possible Values: Any status name defined in the <statuses> node. The default value is no value.
  Permitted Change: Any

final
  Description: Indicates whether a change request in this status is considered "closed". This mainly affects the Open/Closed change request list in the FireFlow requestor interface. This attribute is optional.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: There is no reason to change this attribute.

show_in_waiting_tab
  Description: Indicates whether a change request should appear in the Change Requests Awaiting Response page for unprivileged users.
  Possible Values: This can be one of the following: true, 1, false, 0. The default value is false.
  Permitted Change: Any

status_after_new
  Description: The status to which the change request should transition after it has been assigned an owner. This attribute is relevant only for the "new" status.
  Possible Values: Any status name defined in the <statuses> node. The default value is open.
  Permitted Change: There is no reason to change this attribute.

In addition, a status can have a nested <actions> tag that overrides global action attributes, when the
change request is in the status.
In the following example, the status "new" is assigned the "new" lifecycle image. The Network user group is
responsible for this status. While the change request is in this status, modification of traffic fields is allowed.
Also note that there is an action override: When the change request is in this status, the initial planning
action (identified using the key initial_plan which is equal to the key in the main <actions> node) is
recommended.
<status name="new" image="new" responsible="Network"
    allow_to_plan_change="true">
    <actions>
        <action key="initial_plan" recommend="true"/>
        <!-- more actions here -->
    </actions>
</status>

Note: Most illegal changes to the XML file will cause the whole file to not be read. In this case, only the
default actions (comment, duplicate, etc.) will be available, and the FireFlow log file
/usr/share/fireflow/var/log/fireflow.log will describe the problem. Also, logging in as a
privileged user will cause the log snippet to be displayed onscreen in a warning message. Other local illegal
changes are detected only upon executing the specific action that contains the illegal change. In this case,
too, the FireFlow log file will explain the problem, once the action is attempted.
Note: Some changes that are listed in the preceding table as not permitted will not be detected by
FireFlow. They will simply cause erratic undocumented behavior by the system.

Condition Tag Attributes and Syntax


If an action tag's transition_to_condition attribute is set, then change requests will transition to a
particular status when the action is performed, provided certain conditions are met. The condition tag
defines the required conditions, as well as the status to which change requests should transition.
The following table explains each condition tag attribute.
Condition Tag Attributes

GoToStatus
Description: The new status that the change request should transition to when the action is
performed, if the condition(s) in the condition attribute are met.
Possible values: Any existing status name
Permitted change: Any

conditionKey
Description: The condition's unique ID.
Possible values: Any string. Cannot contain a comma ","
Permitted change: Any

msgToUser
Description: The message that should appear onscreen when transitioning to the new status.
Possible values: Any string.
Permitted change: Any

In addition to these attributes, every condition tag must contain one check sub-tag. The sub-tag's syntax
is as follows:
<check><![CDATA[query]]></check>

Where query is an XQL query specifying the desired condition's requirements. For information on the
required query syntax, see Action Condition Syntax (on page 105).
In the following example, when the RiskCheck action is performed, FireFlow will check the noRisks
condition first. If the number of risks equals zero, then FireFlow will transition the change request to the
"create work order" status (called "implementation plan" in the XML). It will not check the
priorityLessThan7 condition.
However, if the number of risks is different than zero, FireFlow will check the priorityLessThan7 condition.
If the change request priority is less than 7, FireFlow will transition the change request to "review" status. If
the change request priority is not less than 7, FireFlow will transition the change request to "approve" status
(called "check" in the XML).
<action title="RiskCheck" ...
        transition_to_condition="noRisks,priorityLessThan7" transition_to_status="check"/>
<condition conditionKey="noRisks" GoToStatus="implementation plan" msgToUser="OK to implement">
    <check><![CDATA[Ticket[RisksNumber = "0"]]]></check>
</condition>
<condition conditionKey="priorityLessThan7" GoToStatus="review" msgToUser="Need to be reviewed">
    <check><![CDATA[Ticket[Priority < 7]]]></check>
</condition>

Modifying Workflows
FireFlow does not allow overriding the following built-in workflows, which are located in the directory
/usr/share/fireflow/local/etc/Workflows/:

Standard_Config.xml
Change-Object_Config.xml
Multi-Approval_Config.xml
Non-Firewall_Config.xml
Parallel-Approval_Config.xml
Request-Recertification_Config.xml
Rule-Removal_Config.xml
Standard-With-SLA_Config.xml
Web-Filter_Config.xml

These workflows can only be disabled. See Disabling Workflows (on page 165).
If you want to modify a built-in workflow, copy it under a different name, then modify the newly named
workflow and disable the built-in one.
The following procedure can be used to modify custom workflows.

To modify a workflow
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, open the desired
workflow file.
3 Make the desired modifications to the change request lifecycle.
You can add new actions and new statuses to the change request lifecycle. See Action Tag Attributes
(on page 149) and Status Tag Attributes (on page 160) for information on the relevant tag attributes.
4 Save the file.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).
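
The note earlier in this chapter warns that an illegal change can keep the whole file from being read and that some errors are never reported, so an edited file is worth checking before step 5. The following Python script is an added example, not AlgoSec code: it checks well-formedness and the cross-references described in the status, action and condition attribute tables. The sample documents and their <workflow> root element are constructed for illustration, and ignoring whitespace around the comma-separated condition keys is an assumption.

```python
import xml.etree.ElementTree as ET

BOOLEAN_ATTRS = ("final", "show_in_waiting_tab")
BOOLEAN_VALUES = {"true", "1", "false", "0"}  # the values the guide lists for these attributes


def lint_workflow(xml_text):
    """Return a list of findings for one workflow file; an empty list means none."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Not well-formed, for example an unquoted attribute value.
        return ["not well-formed XML: %s" % exc]

    findings = []
    status_nodes = [s for node in root.iter("statuses") for s in node.iter("status")]
    statuses = {s.get("name") for s in status_nodes if s.get("name")}

    for status in status_nodes:
        name = status.get("name")
        for attr in BOOLEAN_ATTRS:
            value = status.get(attr)
            if value is not None and value not in BOOLEAN_VALUES:
                findings.append("status %r: %s=%r is not true/1/false/0" % (name, attr, value))
        target = status.get("status_after_new")
        if target is not None and target not in statuses:
            findings.append("status %r: status_after_new=%r is not a defined status" % (name, target))

    conditions = set()
    for cond in root.iter("condition"):
        key = cond.get("conditionKey")
        if not key:
            findings.append("condition without a conditionKey")
            continue
        if "," in key:
            findings.append("condition %r: conditionKey contains a comma" % key)
        if key in conditions:
            findings.append("condition %r: conditionKey is not unique" % key)
        conditions.add(key)
        target = cond.get("GoToStatus")
        if target not in statuses:
            findings.append("condition %r: GoToStatus=%r is not a defined status" % (key, target))
        checks = cond.findall("check")
        if len(checks) != 1:
            findings.append("condition %r: expected one <check>, found %d" % (key, len(checks)))
        elif not (checks[0].text or "").strip():
            findings.append("condition %r: the <check> query is empty" % key)

    for action in root.iter("action"):
        label = action.get("title") or action.get("key") or "(unnamed)"
        fallback = action.get("transition_to_status")
        if fallback is not None and fallback not in statuses:
            findings.append("action %r: transition_to_status=%r is not a defined status" % (label, fallback))
        listed = action.get("transition_to_condition")
        if listed:
            # Whitespace around the keys is ignored here; that leniency is an assumption.
            for key in (k.strip() for k in listed.split(",")):
                if key not in conditions:
                    findings.append("action %r: condition %r is not defined" % (label, key))
    return findings


# Constructed sample: the <workflow> root is a placeholder; the tags follow the guide's examples.
GOOD_SAMPLE = """<workflow>
  <statuses>
    <status name="new" image="new" responsible="Network" allow_to_plan_change="true">
      <actions><action key="initial_plan" recommend="true"/></actions>
    </status>
    <status name="check"/>
    <status name="review"/>
    <status name="implementation plan"/>
  </statuses>
  <actions>
    <action key="initial_plan"/>
    <action title="RiskCheck" transition_to_condition="noRisks,priorityLessThan7"
            transition_to_status="check"/>
  </actions>
  <condition conditionKey="noRisks" GoToStatus="implementation plan" msgToUser="OK to implement">
    <check><![CDATA[Ticket[RisksNumber = "0"]]]></check>
  </condition>
  <condition conditionKey="priorityLessThan7" GoToStatus="review" msgToUser="Need to be reviewed">
    <check><![CDATA[Ticket[Priority < 7]]]></check>
  </condition>
</workflow>"""

# Constructed faulty variants: a misspelled status name and a comma inside a conditionKey ...
BAD_SAMPLE = (GOOD_SAMPLE
              .replace('GoToStatus="review"', 'GoToStatus="reviw"')
              .replace('conditionKey="noRisks"', 'conditionKey="no,Risks"'))
# ... and an attribute value that lost its quotes.
UNQUOTED_SAMPLE = GOOD_SAMPLE.replace('msgToUser="Need to be reviewed"',
                                      'msgToUser=Need to be reviewed')

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE), ("unquoted", UNQUOTED_SAMPLE)):
        print(name, lint_workflow(sample) or "no findings")
```

Pass the edited file's contents to lint_workflow and restart FireFlow only when the returned list is empty.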

Disabling Workflows
You can disable both built-in and custom workflows.

To disable a workflow
1 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, open the workflow
configuration file Workflows_Config.xml.
2 Locate the desired workflow's line, and add the following to it:
enabled="false"

3 For example, to disable the Custom workflow, change:


<workflow name="Custom" description="This is a custom workflow"
filename_prefix="Custom" />

to
<workflow name="Custom" enabled="false" description="This is a custom workflow"
filename_prefix="Custom" />

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Deleting Workflows
Note: FireFlow allows deleting only custom workflows, not built-in workflows.

To delete a workflow
1 Log in to the FireFlow server using the username "root" and the related password.

2 In the directory /usr/share/fireflow/local/etc/site/Workflows/, remove the desired
workflow file.
3 In the directory /usr/share/fireflow/local/etc/site/Workflows/, open the file
Workflows_Config.xml.
4 Remove the line of the workflow you want to delete.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Reverting to the System Default Workflow via XML


To revert to the system default workflow settings
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/Workflows/, remove all of the
workflow files.
3 Under the directory /usr/share/fireflow/local/etc/site/, remove the file
Workflows_Config.xml.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).

CHAPTER 13

Using Hooks
This section explains how to use hooks with FireFlow.

In This Chapter
Overview
Using Hooks to Control Parameters
Hook Functions
Comprehensive Example

Overview
It is possible to configure FireFlow to extract certain parameters on the fly, by using hooks. This helps
streamline the change request lifecycle and is particularly helpful for MSPs.
For example, during the Initial Plan stage of the change request lifecycle, FireFlow checks the requested
traffic against the ALL_FIREWALLS group, by default. If you have several customers, each of which is a
large organization with numerous devices, checking traffic against all of the devices of each organization is
unnecessary and time consuming. By using hooks, it is possible to configure FireFlow to check traffic only
against the devices of the organization that issued the change request.
You can use hooks to do the following:

Retrieve the name of the workflow to assign the change request in the Request stage
Retrieve the device group against which traffic should be checked in the Initial Plan stage
Retrieve the name of the user group responsible for the change request in each lifecycle stage
Retrieve searches appearing in the Requestors Web Interface
Validate a change request before its creation
Suggest host names to match IP addresses with no associated hostname in a work order
Add suffixes to suggested rule comments in a work order
Validate host names, groups, and comments in a manually edited work order
Run additional risk checks on external systems

Using Hooks to Control Parameters


To use hooks to control parameters
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the /usr/share/fireflow/local/Hooks directory, create a Perl pm file that implements the
FireFlow::Hooks package.
The file can have any name. For example, you can create the file
/usr/share/fireflow/local/Hooks/MyHooks.pm, which begins with the line:
package FireFlow::Hooks;

3 In the file you created, implement the desired hooking functions.


For information on the hooking functions, see Hook Functions (on page 169).
4 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
5 Add the configuration item HooksFileNames, and set its value to the name of the Perl pm file you
created.
For example:
Set(@HooksFileNames,(
"MyHooks"
));

6 Save the file.


7 Restart FireFlow.
See Restarting FireFlow (on page 11).

Hook Functions
GetExternalRisks
Syntax
sub GetExternalRisks

Description
This function is called for every change request, after FireFlow has finished running a risk check. It receives
the change request as input, along with a list of devices on which a risk check should be run. The risk check
is run on an external system, and the function then returns the risk check results. These results are displayed
in FireFlow after the FireFlow risk check results, for example:

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$firewall

A Perl array reference containing an array of device names on which a risk check should be run.
Note: These are the same devices on which the FireFlow risk check ran.

Return Values
A Perl hash reference containing the following keys:
RiskList. An array of all the risks that were detected, sorted from high to low severity, where each risk is
represented by a hash reference containing the risk's name, description, code, and severity.
profile. The risk check's profile.
high. The number of risks at the High severity level.
low. The number of risks at the Low severity level.
medium. The number of risks at the Medium severity level.
suspected high. The number of risks at the Suspected High severity level.
Note: If there are no risks at a certain severity level, the relevant key will have no value defined.

GetFirewallGroupName
Syntax
sub GetFirewallGroupName

Description
This function is called for every change request just before initial planning is executed on the change
request. It receives the change request as input and returns the name of the device group against which
FireFlow will check traffic in the Initial Plan stage.

Input Parameters
$context

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values
One of the following values:
The desired device group's name

This must be the group's real name, not its display name.

""

Use the default behavior: FireFlow will check traffic against the group
configured as $FAQueryDefaultGroup in the configuration file. (The
default is the ALL_FIREWALLS group.)

GetRealGroupName
Syntax
sub GetRealGroupName

Description
This function is called for every change request, when the change request transitions from one status to
another. It receives the change request as input, as well as the meta group name that the change request's
workflow specifies as the responsible group for the change request's new status. It returns the name of the
user group that is responsible for the change request in its current status.

Input Parameters
$context

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$metaGroup

A user group name, as it appears in the workflow XML.
This may be a meta group's name. For example, if the meta group's name is
"security", the hook may then return the user group "securityA" for requestors
of company A, and the user group "securityB" for requestors of company B,
where "securityA" and "securityB" are real user groups (not meta groups) that
exist in FireFlow.

Return Values
One of the following values:
The desired user group's name
""

Use the default behavior: The user group specified in the workflow
configuration will be responsible for the change request.

GetRequestorSearches
Syntax
sub GetRequestorSearches

Description
This function allows adding searches to the Requestors Web Interface. It receives the requestor's user
properties as input, as well as the name of the page in the Requestors Web Interface on which the search
should appear. It returns a search on the specified page.
Note: By default, requestors can only view change requests that they requested themselves. Therefore, if the
hook returns a search query with change requests that other users requested, those change requests will not
be displayed in the Requestors Web Interface. To enable the display of change requests requested by other
users, it is necessary to grant requestors more permissive rights. See Working with Rights (on page 177).

Input Parameters
$requestor

A hash reference to the requestor's user properties.
For a list of user properties that are included in the hash, and for information on
modifying the list of included properties, see Configuring the List of User
Properties (on page 216).

$friendly_status

The Requestors Web Interface page that is currently being displayed. This can
have the following values:
Open
Awaiting Response
Closed

Return Values
An array in which each element is a hash reference representing a search, in the following format:
my $search = {Field1 => Value1, Field2 => Value2, ...};
Supported fields are:

Title

The search's title. This will appear in the Requestors Web Interface.
This field is mandatory.

Format

A string containing a comma-separated list of columns that should be included in the search
results.
For example:
my $Format = qq{
'<B><A HREF="}. RT->Config->Get('WebPath') .qq{/SelfService/Display.html?id=__id__">__id__</a></B>/TITLE:Id',
'<B><A HREF="}. RT->Config->Get('WebPath') .qq{/SelfService/Display.html?id=__id__">__Subject__</a></B>/TITLE:Subject',
'__CustomField.{Workflow}__',
Status,
OwnerName,
Priority,
CreatedRelative,
LastUpdatedRelative};
This field is mandatory.

Query

An SQL query. For example:
Queue = 'Firewalls' AND id > 100 AND
Requestor.EmailAddress LIKE 'algosec.com'
Note: If a field is missing from the query, a warning will be written to the log
and the search will not be displayed.
This field is mandatory.

OrderBy

An array of column names, indicating the column by which search results should be sorted by
default.
The default value is ('LastUpdated'). This field is optional.

Order

An array indicating the default sort order of the search results. This can have
the following values:
ASC. Show the oldest search results first.
DESC. Show the most recent search results first.
The default is ('DESC'). This field is optional.

Rows

The number of search result rows to display per page.
The default value is null. This field is optional.

For example:
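my $search = {
    Title   => "The title of the search",
    Format  => $Format,
    Query   => $Query,
    # @Order and @OrderBy are expanded in list context here, so each must hold
    # exactly one element for the key/value pairs to stay aligned.
    Order   => @Order,
    OrderBy => @OrderBy,
    Rows    => $Rows,
};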

GetWorkFlowName
Syntax
sub GetWorkFlowName

Description
This function is called for every change request, when the change request is created and its workflow must
be determined. It receives the change request as input and returns the name of the workflow that FireFlow
should assign to the change request.

Input Parameters
$context

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values
One of the following values:
The desired workflow's name
""

Use the default behavior: Assign a workflow based on the configured workflow conditions.

SuggestCommentSuffix
Syntax
sub SuggestCommentSuffix

Description
This function is called for every change request in which the work order contains a suggested rule
comment. It receives the change request as input, as well as the original rule comment and the rule comment
suggested by FireFlow. It returns a suffix to be added to the rule comment suggested by FireFlow.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$origComment

The original rule comment.

$commentValue

The rule comment suggested by FireFlow.

Return Values
A suffix to be added to the rule comment suggested by FireFlow.

SuggestHostName
Syntax
sub SuggestHostName

Description
This function is called for every change request, in which the work order contains an IP address or subnet
that is not associated with a hostname. It receives the change request as input, as well as the IP
address/subnet and an indication of whether the IP address/subnet is a source or destination. It returns a
suggested hostname for the IP address/subnet.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$ip

The IP address or subnet that does not have an associated hostname.

$field

The IP address or subnet's function. This can have the following values:
Source
Destination

Return Values
A suggested hostname for the IP address/subnet.

ValidateTicket
Syntax
sub ValidateTicket

Description
This function is called for every change request that is created via the Web interface. It receives the change
request as input. It returns a return code and a list of error messages, so as to validate the change request.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
Note: The hash will contain only data that was entered in the request form. The
ID field will be set to "New".
For an example of a flat ticket, see Flat Ticket Example (on page 116).

Return Values
A return code and a list of error messages.

ValidateWorkOrderEdit
Syntax
sub ValidateWorkOrderEdit

Description
This function is called for every change request, in which the work order contains hostnames, host and
service groups, and/or comments that were manually edited. It receives the change request as input, as well
as the edited work order elements. It returns the elements that are invalid.

Input Parameters
$ticket

A Perl hash reference containing a single key called flatTicket, which points to the flat ticket
representation of the change request.
For an example of a flat ticket, see Flat Ticket Example (on page 116).

$validationHash

A Perl hash reference containing the work order elements that were manually
edited.
The hash contains the following elements:
objects - The object names to be validated.
groups - The host and service groups to be validated.
comments - The comments to be validated.

Return Values
$invalidHash

A Perl hash reference containing the work order elements that were found to be
invalid.

Comprehensive Example
For a comprehensive example, refer to the following files on the FireFlow server:

A sample Perl module is located under /usr/share/fireflow/local/Hooks/ExampleHooks.pm
The related XML data is located under
/usr/share/fireflow/local/etc/site/Hooks/Example_Config.xml

CHAPTER 14

Working with Rights


This section explains how to configure rights.

In This Chapter
Overview
Configuring Global Rights for Groups
Configuring Global Rights for Users
Configuring Queue Rights for Groups
Configuring Queue Rights for Users

Overview
FireFlow enables you to assign rights to users and user groups. Each right represents an action that the user or
user group can perform.
There are two types of rights:

Built-in rights
FireFlow includes a set of built-in rights that represent specific actions users can perform.
User-defined rights
FireFlow includes a set of user-defined rights that are labeled UserDefinedRight01 through
UserDefinedRight10. Unlike the built-in rights, which are tied to specific actions, user-defined rights can
be used to represent any custom action, in order to restrict the performance of those actions to certain
users.
For example, let's say you want to modify the Standard workflow so that it includes a custom action
called "First Approve", and you want to restrict this action to users who have "First Approval" rights. As
"First Approval" rights do not exist in the FireFlow system, you can decide that UserDefinedRight01 will
represent "First Approval" rights, and assign these rights to the desired user groups.
Note: You cannot rename user-defined rights.

When assigning rights to a user group, all members of the group (both users and sub-groups) will
automatically inherit the rights.
Note: It is recommended to assign rights to user groups, rather than to individual users. This approach
enables you to quickly configure a new user's rights, by simply adding the user to the desired group.
You can assign rights to the following types of user groups:

System groups
Includes Everyone, Privileged, and Unprivileged (requestors).
User roles
Includes Cc, Requestor, and Owner.

Rights assigned to a user role are only relevant for users who are filling that role in relation to a specific
change request. For example, if you assign "ShowTicket" rights to the Requestor role, then a user who is
the requestor for a specific change request will be able to view that change request. The same user will
not be able to view other change requests for which they are not the requestor, unless the user also
belongs to a system or user-defined group with "ShowTicket" rights.
Note: The AdminCc user role is not in use and should be ignored.

User-defined groups
Includes Network, Security, and any other group defined by a user.

Rights can be assigned at either of the following levels:

Global
Assign rights at the global level for actions that should be performed on all change requests and for
actions that are not related to change requests. You can assign both user-defined and built-in rights.
See Configuring Global Rights for Groups (on page 178) and Configuring Global Rights for Users
(on page 181).
Queue
Assign rights at the queue level for actions that should only be performed on change requests belonging
to a certain queue.
Only built-in rights can be assigned at the queue level.
See Configuring Queue Rights for Groups (on page 183) and Configuring Queue Rights for Users (on
page 186).

Configuring Global Rights for Groups


Configuring Global Built-in Rights for Groups
Note: By default, both the Network and Security user groups can view matching output, but only the
Security user group can perform manual matching. Furthermore, both these user groups can view change
records in FireFlow and modify their summary or comment on the change records. If desired, you can
change these settings for these user groups or any other user group.

To configure global built-in rights for a group


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.

The Advanced Configuration page appears.

3 Click Global.
The Admin/Global configuration page appears.

4 Click Group Rights.

The Modify global group rights page appears.

5 Locate the desired group.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user group, select the rights you want to assign this
group.
For information on some of the most commonly used global built-in rights, see Global Built-in
Rights (page 180).
To select multiple rights, press Ctrl while you click on the desired rights.
Note: It is recommended to select rights similar to those of the pre-defined Security and/or Network
groups.
b) Click Modify Group Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify Group Rights.
The selected rights are removed from the Current rights area.
Global Built-in Rights
Right

Description

DeleteMatches

Allows users in the group to delete matching output for all change requests. This right is
required for manual matching.

ModifyChanges

Allows users in the group to modify or comment on change records.

ModifyMatches

Allows users in the group to modify matching output for all change requests. This right
is required for manual matching.

ShowChanges

Allows users in the group to view change records for all change requests.

ShowMatches

Allows users in the group to view matching output for all change requests.

Configuring Global User-Defined Rights for Groups


To configure global user-defined rights for a group

1 Choose an unused user-defined right (UserDefinedRight01 through UserDefinedRight10) to represent the
right to perform a certain custom action.
For example, if you want to modify the Standard workflow so that it includes a custom action called
"First Approve", and you want to restrict this action to users who have "First Approval" rights, you
would choose UserDefinedRight01 to represent the right to perform the "First Approve" custom action.
2 Assign the user-defined right to the user groups that should be allowed to perform the custom action, by
doing the following:
a) Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
b) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
c) Click Global.
The Admin/Global configuration page appears.
d) Click Group Rights.
The Modify global group rights page appears.
e) In the User defined groups area, for each group to which you want to assign the user-defined rights,
select the relevant rights in the New rights list box.
f) Click Modify Group Rights.
In our example, you would assign UserDefinedRight01 rights to the user groups that should be allowed to
perform the "First Approve" action.
3 Modify the custom action to restrict its use to users with the selected user-defined right.
For information on modifying workflow actions, see Working with Workflows in VisualFlow (on page
71).

Configuring Global Rights for Users


Configuring Global Built-in Rights for Users
To configure global built-in rights for a user
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
3 Click Global.
The Admin/Global configuration page appears.


4 Click User Rights.
The Modify global user rights page appears.

5 Locate the desired user.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user, select the rights you want to assign this user.
For information on some of the most commonly used global built-in rights, see Global Built-in
Rights (page 180).
To select multiple rights, press Ctrl while you click on the desired rights.
b) Click Modify User Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify User Rights.
The selected rights are removed from the Current rights area.

Configuring Global User-Defined Rights for Users


To configure global user-defined rights for a user

1 Choose an unused user-defined right (UserDefinedRight01 through UserDefinedRight10) to represent the
right to perform a certain custom action.
For example, if you want to modify the Standard workflow so that it includes a custom action called
"First Approve", and you want to restrict this action to users who have "First Approval" rights, you
would choose UserDefinedRight01 to represent the right to perform the "First Approve" custom action.
2 Assign the user-defined right to the user that should be allowed to perform the custom action, by doing
the following:
a) Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
b) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
c) Click Global.
The Admin/Global configuration page appears.
d) Click User Rights.
The Modify global user rights page appears.
e) For each user to which you want to assign the user-defined rights, select the relevant rights in the
New rights list box.
f) Click Modify User Rights.
In our example, you would assign UserDefinedRight01 rights to the users that should be allowed to
perform the "First Approve" action.
3 Modify the custom action to restrict its use to users with the selected user-defined right.
For information on modifying workflow actions, see Working with Workflows in VisualFlow (on page
71).

Configuring Queue Rights for Groups


Configuring Queue Built-in Rights for Groups
To configure queue rights for a user group

1 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.
2 Click Queues.

The Admin queues page appears.

3 Click Firewalls.
The Editing Configuration for queue Firewalls page appears.

4 In the main menu, click Group Rights.

The Modify group rights for queue Firewalls page appears.

5 Locate the desired user group.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user group, select the rights you want to assign this
group.
For information on some of the most commonly used queue built-in rights, see Queue Built-in
Rights (page 186).
To select multiple rights, press Ctrl while you click on the desired rights.
Note: It is recommended to select rights similar to those of the pre-defined Security and/or Network
groups.
Note: The list box includes rights for change request-related actions that can be performed via the
FireFlow interface. If a change request-related right is selected, the relevant option will appear as an
action button or in the Other drop-down list. For example, if you select the TakeTicket right for the
Network group, then members of the Network group will see the Take option in the Other drop-down
list. In contrast, if a change request-related right is not selected, the relevant action will not appear in the
Other drop-down list.
b) Click Modify Group Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify Group Rights.
The selected rights are removed from the Current rights area.

Queue Built-in Rights


Right

Description

AllowActiveChange

Allows users in the group to implement changes on Check Point devices for which
ActiveChange is enabled, for change requests in the queue.

AllowAffectedRules

Allows users in the group to find affected rules of change object requests in the queue.

AllowApprove

Allows users in the group to approve change requests in the queue.

AllowChangeValidation

Allows users in the group to perform change validation for change requests in the queue.

AllowDeleteTicket

Allows users in the group to delete change requests in the queue.

AllowImplementationDone

Allows users in the group to declare implementation as complete for change requests in
the queue.

AllowImplementationPlan

Allows users in the group to create a work order for change requests in the queue.

AllowInitialPlan

Allows users in the group to perform initial planning for change requests in the queue.

AllowManualCheck

Allows users in the group to perform a manual check for change requests in the queue.
Used by the built-in Generic workflow.

AllowNotifyRequestor

Allows users in the group to notify the requestor that change request validation is
required for change requests in the queue.

AllowObjectChangeValidation

Allows users in the group to perform change validation for object change requests in the
queue.

AllowReImplement

Allows users in the group to re-implement change requests in the queue.

AllowRePlan

Allows users in the group to re-plan change requests in the queue.

AllowReject

Allows users in the group to reject change requests in the queue.

AllowRequestorResponse

Allows users in the group to respond to change requests in the queue, specifying that the
change works or does not work. This right is typically granted to the requestor role
instead of to a system or user-defined group.

AllowResolve

Allows users in the group to resolve change requests in the queue.

AllowReview

Allows users in the group to review change requests in the queue. Used by the built-in
Multi-Approval workflow.

AllowRiskCheck

Allows users in the group to perform risk checks for change requests in the queue.

Configuring Queue Rights for Users


Configuring Queue Built-in Rights for Users
To configure queue rights for a user

1 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.
2 Click Queues.
The Admin queues page appears.


3 Click Firewalls.
The Editing Configuration for queue Firewalls page appears.
4 In the main menu, click User Rights.
The Modify user rights for queue Firewalls page appears.

5 Locate the desired user.


6 To assign rights, do the following:
a) In the New rights list box next to the desired user, select the rights you want to assign this user.
For information on some of the most commonly used queue built-in rights, see Queue Built-in
Rights (page 186).
To select multiple rights, press Ctrl while you click on the desired rights.
Note: The list box includes rights for change request-related actions that can be performed via the
FireFlow interface. If a change request-related right is selected, the relevant option will appear as an
action button or in the Other drop-down list. For example, if you select the TakeTicket right for a user,
then that user will see the Take option in the Other drop-down list. In contrast, if a change request-related
right is not selected, the relevant action will not appear in the Other drop-down list.
b) Click Modify User Rights.
The selected rights appear in the Current rights area.
7 To revoke rights, do the following:
a) In the Current rights area, select the check boxes next to the rights you want to revoke.
b) Click Modify User Rights.
The selected rights are removed from the Current rights area.


CHAPTER 15

Working with SLA Notifications


This section explains how to configure SLA notifications.

In This Chapter
Overview
Adding SLA Notifications
Editing SLA Notifications
Managing Email Subscriptions to SLA Notifications
Deleting SLA Notifications

Overview
FireFlow enables you to create custom pages displaying a specific set of SLO data. These pages are called
SLA notifications, and they can be made available to yourself only, certain user groups, or system-wide.
In addition, users can be subscribed to SLA notifications, so that they periodically receive the SLA
notifications' content via email.

Adding SLA Notifications


To add an SLA notification
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.


The FireFlow Configuration page appears.

3 Click SLA Notifications.


The SLA Notifications page appears.

4 In the main menu, click Create.


The Create a new SLA notification page appears.

5 In the Name field, type a name for the SLA notification.


6 Click Save.
7 In the main menu, under the SLA notification's name, click Content.
The Modify the content of SLA notification page appears.


8 For each element you want to add to the SLA notification, do the following:
a) In the Available list box, select the element you want to add.
For information on each element, see SLA Notification Elements (page 192).
b) Click the button that adds the element.
The selected element moves to the right list box. The order that the elements appear in the box
represents the order in which they will appear in the SLA notification.
c) To move the element up or down in the box, select the element and click the up or down
button.
d) To delete the element, select it and click Delete.
Your changes are saved.

SLA Notification Elements


Select this element...

To add this to the SLA notification...

"N" Soon to be due change requests

Pre-defined search results consisting of a list of open change requests in the system
that have a due date that has passed, that is the current date, or that is the day after the
current date.

"N" New Recertification Requests

Pre-defined search results consisting of a list of recertification requests in the system
that are new and still in the Request stage.

"N" New Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are new and still in the Request stage, and whose traffic has already been checked
against devices.

"N" Open Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are currently open.

"N" Parent Recertification Requests Pending Sub Requests Implementation

Pre-defined search results consisting of a list of parent recertification requests in the
system that are currently in the Implement stage and awaiting implementation of the
relevant sub-requests.

"N" Parent Requests Pending Sub Request Implementation

Pre-defined search results consisting of a list of parent requests in the system that are
currently in the Implement stage and awaiting implementation of the relevant
sub-requests.

"N" Recertification Requests to Create Work Order

Pre-defined search results consisting of a list of recertification requests in the system
that are currently in the Implement stage and awaiting a work order to be created.

"N" Recertification Requests to Implement

Pre-defined search results consisting of a list of recertification requests in the system
that are currently in the Implement stage and awaiting implementation.

"N" Recertification Requests to Plan

Pre-defined search results consisting of all recertification requests in the system that
are currently in the Plan stage.

"N" Recertification Requests to Send Recertify Notification to Traffic Requestors

Pre-defined search results consisting of a list of recertification requests in the system
that are currently in the Approve stage, and for which a recertification notification
will be sent to the traffic requestors.

"N" Recertification Requests to Validate

Pre-defined search results consisting of a list of recertification requests in the system
that are currently in the Validate stage.

"N" Recertification Requests Waiting for Recertify Response from Traffic Requestors

Pre-defined search results consisting of a list of recertification requests in the system
that are currently in the Approve stage and awaiting confirmation from the traffic
requestors that the requested recertification is approved.

"N" Rejected Change Requests

Pre-defined search results consisting of a list of change requests in the system that
were rejected.

"N" Resolved Change Requests

Pre-defined search results consisting of a list of change requests in the system that
have been resolved.

"N" Change Requests owned by Controllers group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Controllers group.

"N" Change Requests owned by Network group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Network group.

"N" Change Requests owned by Security group

Pre-defined search results consisting of a list of change requests in the system that
are owned by the Security group.

"N" Change Requests Relevant to My Groups

Pre-defined search results consisting of a list of change requests in the system that
are relevant to the user groups to which you belong.

"N" Change Requests that are due to be recertified

Pre-defined search results consisting of a list of traffic change requests in the system
that expired, and which should be recertified.

"N" Change Requests Flagged by Requestor as "Change Does Not Work"

Pre-defined search results consisting of a list of change requests in the system that
have been flagged by the requestor as "Change Does Not Work".

"N" Change Requests that Received Requestor's Response

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Validate stage and received the requestor's confirmation that the
requested change was implemented successfully.

"N" Change Requests to Approve

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Approve stage.

"N" Change Requests to Create Work Order

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Implement stage and awaiting a work order to be created.

"N" Change Requests to Expire in the Next 30 days

Pre-defined search results consisting of a list of change requests in the system that
will expire within the next 30 days.

"N" Change Requests to Implement

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Implement stage and awaiting implementation.

"N" Change Requests to Plan

Pre-defined search results consisting of all change requests in the system that are
currently in the Plan stage.

"N" Change Requests to Review

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Review stage and awaiting a controller's review.

"N" Change Requests to Send Removal Notification to Rule Requestors

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Approve stage, and for which a rule removal notification will be
sent to the rule's traffic requestors.

"N" Change Requests to Validate

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Validate stage.

"N" Change Requests Waiting for Removal Response from Rule Requestors

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Approve stage and awaiting confirmation from the rule's traffic
requestors that the requested rule removal is approved.

"N" Change Requests Waiting for Requestor's Response

Pre-defined search results consisting of a list of change requests in the system that
are currently in the Validate stage and awaiting the requestor's confirmation that the
requested change was implemented successfully.

"N" Total New Change Requests

Pre-defined search results consisting of a list of all change requests in the system that
are new and still in the Request stage, including change requests whose traffic has
not yet been checked against devices.

Bookmarked Change Requests

A list of change requests that the user bookmarked.

My Change Requests

Pre-defined search results consisting of a list of change requests in the system that
are owned by you.

RefreshHomepage

Controls for refreshing the page.

Unowned Change Requests

Pre-defined search results consisting of a list of change requests in the system that
currently have no owner.

Saved Search Name

A custom search that was saved under "FireFlow's saved searches", and which is
available to your user role.
For information on saving searches, see Saving Searches.

Chart Name

A chart that was saved under "FireFlow's saved searches", and which is available to
your user role.
For information on saving charts, see Saving Charts.

Search for chart Chart Name

A custom search on which a certain chart is based.

Editing SLA Notifications


To edit an SLA notification
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click SLA Notifications.
The SLA Notifications page appears.
4 Click on the name of the desired notification.
The SLA notification appears.
5 To modify the SLA notification's name, do the following:
a) In the main menu, under the SLA notification's name, click Basics.


The Modify the SLA notification page appears.

b) In the Name field, type a name for the SLA notification.


c) Click Save.
6 To modify the SLA notification's content, do the following:
a) In the main menu, under the SLA notification's name, click Content.
The Modify the content of SLA notification page appears.
b) For each element you want to add to the SLA notification, do the following:
1. In the Available list box, select the element you want to add.
For information on each element, see SLA Notification Elements (page 192).
2. Click the button that adds the element.
The selected element moves to the right list box. The order that the elements appear in the box
represents the order in which they will appear in the SLA notification.
3. To move the element up or down in the box, select the element and click the up or down
button.
4. To delete the element, select it and click Delete.
Your changes are saved.


Managing Email Subscriptions to SLA Notifications


By default, when you create an SLA notification, you are automatically subscribed to it, and emails
containing the SLA notification's content will be sent to the email address associated with your account. If
desired, you can configure FireFlow to send these emails to other recipients, and/or change the frequency
and time at which these emails are sent.

To manage a subscription to an SLA notification


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click SLA Notifications.
The SLA Notifications page appears.
4 Click on the name of the desired notification.
The SLA notification appears.
5 In the main menu, under the SLA notification's name, click Email Subscription.
The Subscribe to SLA notification page appears.

6 Complete the fields using the information in the following table.


7 Click Subscribe.


Email Subscription Fields


In this field...

Do this...

Frequency

Specify how often emails containing SLA notification content should be sent. This
can have the following values:
hourly. Emails will be sent once an hour.
daily. Emails will be sent once a day.
weekly. Emails will be sent once every specified number of weeks on the
specified day.
monthly. Emails will be sent once a month on the specified day of the month.
never. Emails will not be sent.

Hour

Select the hour in the displayed timezone, at which emails containing SLA
notification content should be sent.
Note: The timezone can be configured in your user settings. Refer to the AlgoSec
FireFlow User Guide, Configuring User Settings.

Rows

Select the number of change requests in each saved search that should appear in
emails containing dashboard content.

Recipient

Type a list of email addresses to which emails containing SLA notification contents
should be sent. The email addresses must be separated by commas.
If this field is left empty, emails will be sent only to the email address associated with
your FireFlow user account. However, if this field is filled in, emails will not be sent
to the email address associated with your FireFlow user account, unless you include
your email address in the list.

Deleting SLA Notifications


To delete an SLA notification
1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 In the main menu, click Configuration.
The FireFlow Configuration page appears.
3 Click SLA Notifications.
The SLA Notifications page appears.
4 Click on the name of the desired notification.
The SLA notification appears.
5 In the main menu, under the SLA notification's name, click Basics.
The Modify the SLA notification page appears.
6 Click Delete.
A confirmation message appears.
7 Click OK.
The SLA notification is deleted.


CHAPTER 16

Overriding FireFlow System Defaults


This section explains how to override the FireFlow system defaults.

In This Chapter
Overriding System Default Settings
Overriding Specific System Default Settings
Reverting to System Defaults

Overriding System Default Settings


You can override default system settings, including timeout settings, log file settings, the default columns
displayed in search results, and more.
Note: The following is a general procedure that can be used to override the default settings of your choice.
For information on specific settings you can override, see Overriding Specific System Default Settings (on
page 200).

To override system default settings


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/, locate the file FireFlow_Config.pm.
Note: This is the original system settings file, and it is required for reverting to system default settings.
Do not modify this file.
3 Under the directory /usr/share/fireflow/local/etc/site/, copy the contents of the original
file into an override file called FireFlow_SiteConfig.pm.
4 Open the override file.
5 For each setting you want to override, do the following:
a) Locate the relevant parameter in FireFlow_Config.pm.
The file includes detailed information about each parameter. For further information, contact
AlgoSec.
b) Copy the relevant code for the parameter.
c) Paste the code into FireFlow_SiteConfig.pm.
d) Make the desired modifications to the code.
6 Close the file FireFlow_Config.pm.
Note: Do not save changes to this file.
7 Save the file FireFlow_SiteConfig.pm.
8 Restart FireFlow.
See Restarting FireFlow (on page 11).


Overriding Specific System Default Settings


Configuring the Maximum Rows Displayed in Home Page Lists
By default, FireFlow shows a maximum of 10 rows in each change request list in the Home page. You can
modify this system default using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > FireFlow
Home Page.

To configure the maximum rows displayed in Home page lists


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultSummaryRows, and set its value to the desired number of rows in
each change request list in the Home page.
To specify an unlimited number of rows, set it to an empty string ''.
For example, to set the maximum number of rows to 5, add the following item:
Set($DefaultSummaryRows, '5');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Change Request History Order


By default, FireFlow displays the change request history with the newest item appearing at the top, and
change request creation appearing at the bottom. You can reverse the order using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > Settings.

To configure the change request history order


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item OldestTransactionsFirst, and set its value to one of the following:
1 - Display change request histories with the newest items appearing at the bottom.
0 - Display change request histories with the newest items appearing at the top. This is the default.
For example, to display change request histories with the newest items appearing at the bottom, add the
following item:
Set($OldestTransactionsFirst, '1');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).


Configuring the Maximum Rows Displayed in Auto Matching Page Sub-Lists
By default, FireFlow shows a maximum of 100 rows in each sub-list in the Auto Matching page. You can
modify this system default using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > Auto
Matching.

To configure the maximum rows displayed in Auto Matching page sub-lists


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ChangesMaxRows, and set its value to the desired number of rows in each
sub-list in the Auto Matching page.
To specify an unlimited number of rows, set it to an empty string ''.
For example, to set the maximum number of rows to 50, add the following item:
Set($ChangesMaxRows, '50');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Time Frame for Items Displayed in Auto Matching Page Lists
By default, FireFlow shows matches made in the last 30 days in each sub-list in the Auto Matching page. You
can modify this system default using the following procedure.
Note: This system default can also be overridden by individual users via the page Preferences > Auto
Matching.

To configure the time frame for items displayed in Auto Matching page sub-lists
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ReconciliationLastDays, and set its value to the desired number of
days for which to display matches in each sub-list in the Auto Matching page.
To specify an unlimited number of days, set it to an empty string ''.
For example, to set the number of days to 365, add the following item:
Set($ReconciliationLastDays, '365');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).


Enabling/Disabling Multiple Traffic Rows in Change Requests


By default, FireFlow allows users to add more traffic rows to a change request, by clicking Add More Traffic.
If desired, you can disable this option and remove the Add More Traffic button.

To enable/disable multiple traffic rows in change requests


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item EnableMultipleTraffic.
4 Do one of the following:
To disable multiple traffic rows, set the configuration item's value to 0.
To enable multiple traffic rows, set the configuration item's value to 1.
For example, the following disables multiple traffic rows:
Set($EnableMultipleTraffic, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Hiding Change Request Fields


If desired, you can hide the following change request fields:

Priority
Due
Describe the issue
Cc

Hidden fields will not be displayed in the FireFlow Web interface.


Note: Hidden fields are not removed from change requests; they are just not displayed. A hidden field can
still be assigned a value via the request template, and workflow conditions that rely upon a hidden field will
still work.

To hide change request fields


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item HideFieldsFromTicket.
4 Set the configuration item's value to an array of fields to hide.
Supported fields are: Priority, Due, Describe the issue, and Cc.
Fields must be enclosed in quotation marks and separated by commas.
For example, the following hides the Priority, Describe the issue, and Cc fields:
Set ($HideFieldsFromTicket, ["Priority", "Describe the issue", "Cc"]);

The default value is an empty list, meaning that none of the fields are hidden.


5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Sub-Request Traffic Modification


By default, FireFlow does not allow users to modify traffic specified in sub-requests. If desired, you can
enable sub-request traffic modification.

To enable/disable sub-request traffic modification


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ModifySubTicketChangeTraffic.
4 Do one of the following:
To enable sub-request traffic modification, set the configuration item's value to 1.
To disable sub-request traffic modification, set the configuration item's value to 0.
For example, the following enables modification:
Set($ModifySubTicketChangeTraffic,'1');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Whether Traffic Fields Are Mandatory


By default, all traffic fields in a change request (source, destination, service, and action fields) are
mandatory, and FireFlow automatically validates these fields to ensure they are filled in. If desired, you can
specify that traffic fields are optional.
Note: You can also disable automatic traffic field validation. See Enabling/Disabling Traffic Field
Validation (on page 204).

To configure whether traffic fields are mandatory


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item AllTrafficFieldsMandatory.
4 Do one of the following:
To specify that traffic fields are optional, set the configuration item's value to 0.
To specify that traffic fields are mandatory, set the configuration item's value to 1.
For example, the following specifies that traffic fields are optional:
Set($AllTrafficFieldsMandatory, '0');

5 Save the file.


6 Restart FireFlow.

See Restarting FireFlow (on page 11).

Enabling/Disabling Traffic Field Validation


By default, FireFlow automatically validates traffic fields in change requests, to determine whether all
mandatory fields are filled in with appropriate values. If desired, you can disable validation of traffic fields.

To enable/disable traffic field validation


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ValidateTrafficFields.
4 Do one of the following:
To disable traffic field validation, set the configuration item's value to 0.
To enable traffic field validation, set the configuration item's value to 1.
For example, the following disables traffic field validation:
Set($ValidateTrafficFields, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Work Order Creation for "No Action Required" Change Requests
In the Implement stage of a traffic change request lifecycle, FireFlow creates a work order consisting of a
list of recommendations for implementing the requested change. If FireFlow detects that traffic is not routed
through the device, then the work order states that no action is required.
In some cases involving Layer-2 devices, routing information may be missing, causing FireFlow to
erroneously state that no action is required. You may therefore prefer to force FireFlow to create work
orders suggesting a rule to add to the device policy, even when it has determined that no action is required.
Note: Such work orders will include a disclaimer stating the following: "Routing information might be
missing. Recommendation could be incomplete.".

To configure work order creation for "No Action Required" change requests
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ForceCreateWorkOrderForNA.
4 Do one of the following:
To specify that work orders should state "No Action Required" when FireFlow detects that traffic is
not routed through the device, set the configuration item's value to 0.
This is the default value.
To force FireFlow to create work orders suggesting a rule to add to the device policy, even when
FireFlow has determined that no action is required, set the configuration item's value to 1.

For example, the following forces FireFlow to create work orders suggesting a rule to add to the device
policy, even if FireFlow determines that no action is required:
Set ($ForceCreateWorkOrderForNA, 1);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Translation of Object IP Addresses and Ports in Work Orders
In order to prepare a work order, FireFlow translates object IP addresses and ports into host names which are
then displayed in a list of recommendations for implementing the requested change. As translating the IP
address and ports may take several minutes in an environment containing many devices, you may prefer to
disable translation, so that object IP addresses and ports are displayed instead of host names.

To enable/disable translation of object IP addresses and ports in work orders


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ShowHostgroupsInWorkOrder.
4 Do one of the following:
To enable translation of object IP addresses and ports to host names in work orders, set the
configuration item's value to 1.
This is the default value.
To disable translation of object IP addresses and ports to host names in work orders, set the
configuration item's value to 0.
For example, the following disables translation of object IP addresses and ports to host names in work
orders:
Set ($ShowHostgroupsInWorkOrder, 0);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Automatic Initial Planning


By default, immediately upon creation of a change request, FireFlow performs automatic initial planning, in
order to check the traffic specified in the change request against devices. If the traffic already works, then
FireFlow automatically closes the change request and sends the requestor an email indicating that the
change request was closed. Automatic initial planning is based on the most recent device configuration
available on the AlgoSec server (made available via the real-time monitoring mechanism).
If desired, you can change this behavior in the following ways:

Instruct FireFlow to check traffic at the end of the Plan stage, instead of at the end of the Request stage
Instruct FireFlow to refer to periodic AlgoSec Firewall Analyzer device reports when checking traffic
against devices, instead of referring to real-time monitoring data
Disable automatic closing of change requests whose traffic already works

To configure automatic initial planning


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 To configure when traffic checking is performed, do the following:
a) Add the configuration item CallInitialPlanAsync.
b) Do one of the following:
To specify that FireFlow should perform traffic checking at the end of the Request stage, set the
configuration item's value to 1.
To specify that FireFlow should perform traffic checking at the end of the Plan stage, set the
configuration item's value to 0.
For example, the following instructs FireFlow to perform traffic checking at the end of the Request
stage:
Set($CallInitialPlanAsync,'1');

Note: New change requests appear in the Home page's New Change Requests list once traffic checking is
complete or when ten minutes have elapsed since the change request's creation, whichever occurs first.
Therefore, when traffic checking occurs at the end of the Request stage, new change requests appear in
the Home page, as soon as traffic checking is done; however, when traffic checking occurs at the end of
the Plan stage, ten minutes will pass before new change requests appear in the Home page.
In order to cause new change requests to appear in the Home page immediately, regardless of when
traffic checking occurs, customize the Network Operations group's Home page as follows: Remove the
"N" New Change Requests element, and add the "N" Total New Change Requests element. New change
requests will appear in the Home page's Total New Change Requests list immediately upon change
request creation.
For information on customizing a group's Home page, see Customizing the Home Page per Group (on
page 18).
4 To specify which data FireFlow should refer to when checking traffic against devices, do the following:
a) Add the configuration item UseMonitorDataForFirewallQuery.
b) Do one of the following:
To specify that FireFlow should refer to real-time monitoring data, set the configuration item's
value to 1.
To specify that FireFlow should refer to AlgoSec Firewall Analyzer reports, set the
configuration item's value to 0.
For example, the following instructs FireFlow to refer to real-time monitoring data:
Set($UseMonitorDataForFirewallQuery,'1');

5 To enable/disable automatic closing of change requests that already work, do the following:
a) Add the configuration item AutomaticCheckAlreadyWorks.
b) Do one of the following:
To enable automatic closing of change requests that already work, set the configuration item's
value to 1.
To disable automatic closing of change requests that already work, set the configuration item's
value to 0.
For example, the following enables automatic closing of change requests that already work:

Set($AutomaticCheckAlreadyWorks,'1');

6 Save the file.


7 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Risk Check Method for Change Requests with Multiple Devices
In the Approve stage of a traffic change request's lifecycle, FireFlow performs a risk check, to determine
whether implementing the change specified in the change request would introduce risks. The risk check is
run on the device specified in the change request, using the Risk Profile that the device was assigned when
generating the last successful report in AlgoSec Firewall Analyzer.
When performing a risk check for a parent request with sub-requests, there are multiple devices and
potentially multiple Risk Profiles involved. You can configure FireFlow to use any of the following risk check
methods:

One
FireFlow runs the risk check on one random device out of all the sub-request devices.
For example, let us assume that there are three sub-requests, as follows:

Sub-request   Device          Risk Profile
500           Check Point A   r1
501           Check Point B   r2
502           Cisco C         r1

FireFlow will select a device at random (such as Cisco C) and run the risk check on it (using Risk Profile
r1).
Only risk check results for the selected device will be displayed.

Profile
FireFlow runs the risk check on one random device per Risk Profile used by the sub-request devices.
In our example, there are two Risk Profiles, r1 and r2. FireFlow will select a device at random (either
Check Point A or Cisco C) to run the risk check on using Risk Profile r1, and it will also run a risk check
on Check Point B using Risk Profile r2.
Risk check results will be displayed per risk profile.

All
FireFlow runs the risk check on each of the sub-request devices.
In our example, FireFlow will run a risk check on Check Point A, Check Point B, and Cisco C,
using their respective Risk Profiles.
Note that the risk check may take a while, and the results for each device may be similar.
Risk check results will be displayed for each device.

To set the default risk check method for change requests with multiple devices
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item RiskCheckOnParentTicket.
4 Do one of the following:


To use the One method, set the configuration item's value to "one".
To use the Profile method, set the configuration item's value to "profile".
This is the default value.
To use the All method, set the configuration item's value to "all".
For example, the following specifies that FireFlow should use the All method:
Set($RiskCheckOnParentTicket,"all");

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).
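
The three methods applied to the sub-requests from the example above, as an added illustration (a model of the behavior described here, not AlgoSec's code). The function names and the coverage summary are this example's own; it shows which devices each RiskCheckOnParentTicket value leaves without a risk check.

```python
import random

# Constructed sample data: the three sub-requests from the example above.
SUB_REQUESTS = [
    {"id": 500, "device": "Check Point A", "risk_profile": "r1"},
    {"id": 501, "device": "Check Point B", "risk_profile": "r2"},
    {"id": 502, "device": "Cisco C", "risk_profile": "r1"},
]

# The values that RiskCheckOnParentTicket accepts, per the procedure above.
METHODS = ("one", "profile", "all")


def devices_to_check(sub_requests, method="profile", rng=None):
    """Return the (device, risk_profile) pairs a risk check would run on.

    This models the documented selection rules only; it is not FireFlow code.
    """
    if method not in METHODS:
        raise ValueError("unknown risk check method: %r" % (method,))
    rng = rng or random.Random()
    # De-duplicate while keeping order, in case a device has several sub-requests.
    pairs = list(dict.fromkeys(
        (s["device"], s["risk_profile"]) for s in sub_requests))
    if not pairs:
        return []
    if method == "all":
        return pairs                      # every sub-request device
    if method == "one":
        return [rng.choice(pairs)]        # one random device overall
    # "profile": one random device for each Risk Profile in use
    by_profile = {}
    for device, profile in pairs:
        by_profile.setdefault(profile, []).append(device)
    return [(rng.choice(devices), profile)
            for profile, devices in by_profile.items()]


def coverage(sub_requests, method, rng=None):
    """Summarize which devices are and are not risk-checked under a method."""
    checked = {d for d, _ in devices_to_check(sub_requests, method, rng)}
    every = {s["device"] for s in sub_requests}
    return {"checked": sorted(checked), "not_checked": sorted(every - checked)}


if __name__ == "__main__":
    for name in METHODS:
        print(name, coverage(SUB_REQUESTS, name, random.Random(1)))
```

With the sample data, "one" leaves two devices unchecked, "profile" leaves one, and "all" leaves none.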

Configuring the Date Format


When filling in a change request's due date or expiration date, and when searching for change requests
according to these date fields, users can specify the desired date in a variety of formats (for example, "20 Oct
09", "Oct 20 2009", "2009-10-20", and more). By default, FireFlow interprets inputted dates in the format
##/##/## as "dd/mm/yy" (for example, 10/11/09 is interpreted as the 10th of November, 2009). This system
default can be changed to "mm/dd/yy" (for example, 10/11/09 is interpreted as the 11th of October, 2009).

To configure the date format


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DateDayBeforeMonth, and set its value to one of the following:
1 - Interpret inputted dates in the format ##/##/## as "dd/mm/yy". This is the default.
0 - Interpret inputted dates in the format ##/##/## as "mm/dd/yy".
For example, to accept free-text date input as mm/dd/yy format, add the following item:
Set($DateDayBeforeMonth, 0);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Whether the Standard Template Appears in the Request Templates Page
By default, FireFlow displays the Standard template as an option in the Request Templates page. If desired,
you can specify that the Standard template should not appear in this page.
Note: By default, FireFlow includes a single queue called Firewalls. When there are multiple queues, and
a user is allowed to create change requests in more than one queue, the Standard template does not appear.
(This is because a change request's template must specify the queue in which the change request is created,
and the Standard template does not include pre-filled fields.)

To configure whether the Standard template should appear


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ShowStandardTemplate.
4 Do one of the following:
To specify that the Standard template should not appear in the Request Templates page, set the
configuration item's value to 0.
To specify that the Standard template should appear in the Request Templates page, set the
configuration item's value to 1.
For example, the following specifies that the Standard template should not appear:
Set($ShowStandardTemplate, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Automatic Creation of Requestors upon Authentication
If RADIUS and/or LDAP authentication is configured, and a requestor who does not exist in FireFlow
attempts to log in to FireFlow, FireFlow will check the inputted user credentials against the RADIUS or
LDAP server. If the username and password pair exists in either database, then by default the requestor will
be automatically added to the FireFlow local user database and logged in.
Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP
server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow
and assigned an AFA user role. In this case, the user will remain a requestor and not a privileged user,
regardless of the AFA user role assigned. For information on importing user data from an LDAP server, see
Importing User Data from an LDAP Server (on page 233).
If desired, you can disable the automatic creation of requestors in FireFlow. Authenticated requestors will
be logged in, without being added to the local user database.

To enable/disable the automatic creation of requestors upon authentication


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item AutoCreateRequestors.
4 Do one of the following:
To disable automatic creation of requestors, set the configuration item's value to 0.
To enable automatic creation of requestors, set the configuration item's value to 1.
This is the default value.
For example, the following disables automatic creation of requestors:
Set($AutoCreateRequestors, 0);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the No-Login Web Form's Requestor Field as Read-Only


FireFlow includes a No-Login Web form that allows users to submit requests without logging in to the
system. By default, the No-Login Web form contains an editable Requestor field, in which the requestor fills
in their email address. The requestor will then be notified by email of all changes made to the change
request.
You can change this system default to make the Requestor field read-only. In this situation, the requestor
accesses the No-Login Web form by clicking a link in another application at your organization which
automatically appends the requestor's email address to the URL. For example, the URL of the No-Login
Web form is https://<fireflow_server>/FireFlow/NewTicket; however, when the requestor's
email address is appended, the URL becomes
https://<fireflow_server>/FireFlow/NewTicket?Requestors=some.requestor@some.organization.com.

To configure the No-Login Web form's Requestor field as read-only


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item EditableRequestorInNoAuthTickets, and set its value to one of the
following:
1 - The Requestor field is read-write. This is the default.
0 - The Requestor field is read-only.
For example, to make the Requestor field read-only, add the following item:
Set($EditableRequestorInNoAuthTickets, 0);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Automatic Approval of Minor Rule Changes


By default, FireFlow displays any device policy rule changes in the Auto Matching page and attempts to
match them to resolved change requests. This includes minor policy rule changes, such as enabling rule
logging or updating a rule name. You can modify this system default so that FireFlow automatically
approves minor policy rule changes. These minor changes will then appear in the Auto Matching page in the
Changes Without Request - Approved sub-list, without referring to a specific change request.

To configure automatic approval of minor rule changes


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item IgnoreRuleFieldsInReconciliation, and set its value to a
space-separated list of device policy rule fields, for which any changes should be automatically
approved.
To specify that no changes should be automatically approved, set it to an empty list ().

The supported policy rule fields are: FirewallName, FirewallRuleNum, Name, Comment, Source,
Destination, Service, SourceExpanded, DestinationExpanded, ServiceExpanded,
Action, Enable, Track, Time, Install, Vpn, FromZone, ToZone, ACL, Interface, SourceNat,
and DestinationNat.
Note: SourceExpanded, DestinationExpanded, and ServiceExpanded are the IP addresses (and
protocol/ports) represented by the rule's object names. Therefore, for example, when adding Source to
IgnoreRuleFieldsInReconciliation, changes in a rule's source object names will be approved
automatically, while changes to the actual source IP addresses will not.
For example, to configure FireFlow to automatically approve changes to rules that involve logging
and/or comments only, add the following item:
Set (@IgnoreRuleFieldsInReconciliation, qw(Track Comment));

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).
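
An added sketch, not FireFlow's own code, of how an ignore list separates minor from substantive rule changes, including the Source versus SourceExpanded distinction in the note above. It assumes a change is approved automatically only when every changed field is in the list; the rule dictionaries and status labels are constructed for the example.

```python
# The supported policy rule fields listed in the procedure above.
SUPPORTED_FIELDS = frozenset("""
FirewallName FirewallRuleNum Name Comment Source Destination Service
SourceExpanded DestinationExpanded ServiceExpanded Action Enable Track Time
Install Vpn FromZone ToZone ACL Interface SourceNat DestinationNat
""".split())

# Constructed sample rule (not taken from a real device policy).
BASE_RULE = {
    "Name": "web-in",
    "Comment": "",
    "Source": "WebClients",
    "SourceExpanded": "10.1.1.0/24",
    "Destination": "WebSrv",
    "DestinationExpanded": "192.0.2.10",
    "Service": "https",
    "ServiceExpanded": "tcp/443",
    "Action": "accept",
    "Enable": "enabled",
    "Track": "None",
}


def changed_fields(old_rule, new_rule):
    """Return the supported fields whose values differ between two rule versions."""
    return [f for f in sorted(SUPPORTED_FIELDS)
            if old_rule.get(f) != new_rule.get(f)]


def classify_change(old_rule, new_rule, ignored_fields):
    """Classify a rule change against an IgnoreRuleFieldsInReconciliation list.

    Returns (status, fields). Assumption of this example: the change is
    approved automatically only if every changed field is in the list.
    """
    ignored = set(ignored_fields)
    unknown = ignored - SUPPORTED_FIELDS
    if unknown:
        raise ValueError("unsupported rule fields: %s" % ", ".join(sorted(unknown)))
    changed = changed_fields(old_rule, new_rule)
    if not changed:
        return ("unchanged", [])
    needs_matching = [f for f in changed if f not in ignored]
    if needs_matching:
        return ("needs-matching", needs_matching)
    return ("auto-approved", changed)


if __name__ == "__main__":
    logging_on = dict(BASE_RULE, Track="Log")
    renamed = dict(BASE_RULE, Source="Web_Clients")        # object renamed only
    readdressed = dict(BASE_RULE, SourceExpanded="10.1.0.0/16")  # addresses changed
    print(classify_change(BASE_RULE, logging_on, ["Track", "Comment"]))
    print(classify_change(BASE_RULE, renamed, ["Source"]))
    print(classify_change(BASE_RULE, readdressed, ["Source"]))
```

Listing any of the Expanded fields would let address, port or protocol changes through without a matching change request, which is worth checking before adding fields to the list.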

Configuring the "From" Address in Dashboard Emails


Users who are subscribed to dashboards periodically receive the dashboard's content via email. By default,
the email's "From" field displays the FireFlow server's email address. If desired, you can change the email
address displayed in the "From" field of dashboard emails.

To change the "From" address in dashboard emails


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DashboardAddress, and set its value to the email address that should be
displayed in dashboard emails.
For example, to set the address to "admin@mycompany.com", add the following item:
Set($DashboardAddress, 'admin@mycompany.com');

Leave the configuration item's value empty to specify that the FireFlow server's email address should be
used.
4 Save the file.
5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Rule Removal Requests


When submitting a Rule Removal request, you must complete the Due Date field with the date by
which requestors of related change requests must respond to a notification regarding the rule's impending
deletion. This field's default value is 14 days from the change request's creation. If desired, you can change
the default value.

To change the default due date for rule removal requests


1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultRuleRemovalDue, and set its value to the number of days after
change request creation that the change request should be due.
For example, to specify that the default due date for rule removal requests should be seven days after
change request creation, add the following item:
Set($DefaultRuleRemovalDue,7);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring How Long the Device Objects List Is Stored in Cache


By default, FireFlow stores a list of device objects in cache for three minutes. This list is displayed in the
Source and Destination wizards.
If desired, you can change the amount of time that the device objects list is stored in cache, by using the
following procedure.

To configure the amount of time the device objects list is stored in cache
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item FirewallObjectRefreshTime, and set its value to the desired number of
seconds that the device objects list should be stored in cache.
For example, to set the time in cache to two minutes (120 seconds), add the following item:
Set($FirewallObjectRefreshTime,'120');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring Whether Emails to Related Change Requestors Include the Rule to be Removed
In the Approve stage of a rule removal request's lifecycle, FireFlow sends an email to the requestors of change
requests with traffic intersecting that of the rule slated for removal, informing them that the rule will be
removed by a certain date. By default, the email includes a table displaying the rule in question. If desired,
you can specify that this table should not be included in the email.

To configure whether emails to related change requestors include the rule to be removed


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ShowRuleInfoWhenNotifyRuleToRemove.
4 Do one of the following:

To specify that emails to related change requestors should include a table with the rule to be
removed, set the configuration item's value to 1.
This is the default value.
To specify that emails to related change requestors should not include a table with the rule to be
removed, set the configuration item's value to 0.
For example, the following specifies that a table with the rule to be removed should not be included in
emails to related change requestors:
Set($ShowRuleInfoWhenNotifyRuleToRemove,0);

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Change Requests Marked for Future Recertification
When marking change requests for future recertification, the due date for the change request(s) is deferred to
365 days from the original due date, by default. If desired, you can change this default value.

To change the default due date for change requests marked for future recertification
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultExpirationPeriod, and set its value to the number of days after
the original due date that the change request should be due.
For example, to specify that the default due date for such requests should be 90 days after the original
due date, add the following item:
Set($DefaultExpirationPeriod,90);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Default Due Date for Recertification Requests


When recertifying a change request that is due for recertification, the due date for the recertification request
is 14 days from the present date, by default. If desired, you can change this default value.

To change the default due date for recertification requests


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item RecertificationDaysToWaitForResponses, and set its value to the
number of days after change request creation that the change request should be due.
For example, to specify that the default due date for recertification requests should be seven days after
change request creation, add the following item:
Set($RecertificationDaysToWaitForResponses,7);

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling Inclusion of User-Defined Custom Traffic Fields in Flat Tickets
By default, FireFlow automatically includes all user-defined custom traffic fields (that is, custom fields
belonging to the following categories: additional for traffic, additional for source, additional for destination,
and additional for service) in the XML of a change request (a flat ticket). If desired, you can disable inclusion
of such fields in flat tickets.

To enable/disable inclusion of user-defined custom traffic fields in flat tickets


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item IncludeUserDefinedTrafficCustomFieldsInXML.
4 Do one of the following:
To disable inclusion of user-defined custom traffic fields in flat tickets, set the configuration item's
value to 0.
To enable inclusion of user-defined custom traffic fields in flat tickets, set the configuration item's
value to 1.
For example, the following disables inclusion of user-defined custom traffic fields in flat tickets:
Set($IncludeUserDefinedTrafficCustomFieldsInXML, '0');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the List of User Properties


In order to display searches in the Requestors Web Interface, the GetRequestorSearches hook is used to
retrieve a list of the requestor's user properties as a hash. By default, the following properties are included in
the list:

City
Country
EmailAddress
HomePhone
Id
Organization
RealName
Custom user fields. These fields will appear without spaces as hash keys. For example, a custom field
named "Custom Field" will appear as: "CustomField".

For example, the user properties hash translated to XML format may appear as follows:
<User>
  <City></City>
  <Country></Country>
  <EmailAddress>requestor1@mycompany.com</EmailAddress>
  <HomePhone></HomePhone>
  <Id>6894</Id>
  <Organization></Organization>
  <RealName>Rachel Requestor</RealName>
  <CustomField></CustomField>
</User>

If desired, you can modify the list of user properties.

To configure the list of user properties


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the following lines to the file:
# Set list of user columns that User::getUserAsHash should return (Relevant for Hooks).
Set(@UserFieldsForHooksSearch,('Id', 'RealName', 'HomePhone', 'Organization',
'EmailAddress', 'City', 'Country'));

4 To add items to the user properties list, add the desired user properties to
@UserFieldsForHooksSearch, in single quotation marks, separated by commas.
You can add any of the properties listed in the following table.
For example, to include the user's nickname as a property, write:
Set(@UserFieldsForHooksSearch,('Id', 'RealName', 'HomePhone', 'Organization',
'EmailAddress', 'City', 'Country', 'Nickname'));

Note: You must use only supported properties. Otherwise, a warning will be written to the log and the
search will not be displayed.
5 To remove items from the user properties list, delete the relevant user properties from
@UserFieldsForHooksSearch.
6 Save the file.
7 Restart FireFlow.
See Restarting FireFlow (on page 11).
Supported User Properties

Property        Description
Address1        The requestor's primary mailing address.
Address2        The requestor's secondary mailing address.
AuthSystem      The type of authentication to use for the requestor.
City            The requestor's city.
Comments        Comments about the requestor.
Country         The requestor's country.
Created         The date on which the requestor was added to FireFlow.
Creator         The user who added the requestor to FireFlow.
EmailAddress    The requestor's email address.
HomePhone       The requestor's home telephone number.
Id              The requestor's ID number.
Lang            The requestor's desired FireFlow interface language.
LastUpdated     The date on which the requestor's properties were last updated in FireFlow.
LastUpdatedBy   The user who last updated the requestor's properties in FireFlow.
MobilePhone     The requestor's mobile telephone number.
Name            The requestor's username.
Nickname        The requestor's nickname.
Organization    The requestor's organization.
PagerPhone      The requestor's pager number.
Password        The requestor's password.
RealName        The requestor's full name.
Signature       The requestor's signature.
State           The requestor's state.
TimeZone        The requestor's time zone.
WorkPhone       The requestor's work telephone number.
Zip             The requestor's zip code.
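
A pre-restart check for the override file, added here as an example (not part of FireFlow): it reads @UserFieldsForHooksSearch and reports names that are not in the Supported User Properties table. Treating Password as sensitive and checking only the last Set() in the file are this example's assumptions; the sample configuration is constructed.

```python
import re

# Property names from the Supported User Properties table.
SUPPORTED = frozenset("""
Address1 Address2 AuthSystem City Comments Country Created Creator EmailAddress
HomePhone Id Lang LastUpdated LastUpdatedBy MobilePhone Name Nickname
Organization PagerPhone Password RealName Signature State TimeZone WorkPhone Zip
""".split())

# This example's own choice of properties to call out before exposing them to hooks.
SENSITIVE = frozenset({"Password"})

_SET_RE = re.compile(r"Set\s*\(\s*@UserFieldsForHooksSearch\s*,(.*?)\)\s*;", re.S)
_QUOTED_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")
_QW_RE = re.compile(r"qw\s*\((.*?)\)", re.S)

# Constructed sample override file content.
SAMPLE_CONFIG = """\
# Set list of user columns that User::getUserAsHash should return (Relevant for Hooks).
# Set(@UserFieldsForHooksSearch,('Id', 'RealName'));
Set(@UserFieldsForHooksSearch,('Id', 'RealName', 'HomePhone', 'Organization',
'EmailAddress', 'City', 'Country', 'Nickname', 'Department', 'Password'));
"""


def parse_user_fields(config_text):
    """Return the property names in @UserFieldsForHooksSearch, or None if unset."""
    # Drop whole-line Perl comments so a commented-out Set() is not picked up.
    live = "\n".join(line for line in config_text.splitlines()
                     if not line.lstrip().startswith("#"))
    bodies = _SET_RE.findall(live)
    if not bodies:
        return None
    body = bodies[-1]  # assumption: the last Set() in the file is the one checked
    qw = _QW_RE.search(body)
    if qw:
        return qw.group(1).split()
    return [single or double for single, double in _QUOTED_RE.findall(body)]


def check_user_fields(config_text):
    """Report unsupported, sensitive and duplicate names in the configured list."""
    fields = parse_user_fields(config_text)
    report = {"configured": fields is not None, "fields": fields or [],
              "unsupported": [], "sensitive": [], "duplicates": []}
    seen = set()
    for name in report["fields"]:
        if name in seen:
            if name not in report["duplicates"]:
                report["duplicates"].append(name)
            continue
        seen.add(name)
        if name not in SUPPORTED:
            report["unsupported"].append(name)   # logged warning, search not displayed
        elif name in SENSITIVE:
            report["sensitive"].append(name)
    return report


if __name__ == "__main__":
    print(check_user_fields(SAMPLE_CONFIG))
```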

Replacing the Logo


You can replace the logo that appears in the top-left corner of every FireFlow page.
Note: Replacing the logo by setting the FireFlow_SiteConfig.pm override file's LogoImageFileName
configuration item (the method that was used until version 2.5) is no longer supported, as of version 6.0. If
you used this method in the past, you must replace the logo once again, using the following method.

To replace the logo


1 Create a logo file.
The file must be in GIF, JPG, or PNG format, and it must be 115 pixels in width and 50 pixels in height.
It is important to use these exact dimensions, so that the logo image is not distorted.
2 Log into AlgoSec Firewall Analyzer (AFA).
For instructions, refer to the AlgoSec Firewall Analyzer User Guide.
3 In the toolbar, click Administration.
The Administration page appears with the Options tab displayed.
4 Click the Display tab.
The Display tab appears.
5 Select the Enable Custom Logo check box.
6 Click Browse and browse to the custom logo file.
7 Click Open.
8 Click OK.
The custom logo is uploaded.
A success message appears.
9 Click OK.

To remove a custom logo

1 In the toolbar, click Administration.


The Administration page appears with the Options tab displayed.
2 Click the Web GUI tab.
The Web GUI tab appears.
3 Clear the Enable Custom Logo check box.
4 Click OK.
The custom logo is removed, and the AlgoSec logo reappears in the Web interface.

Configuring FireFlow's Default Interface Language


FireFlow's default interface language is English. If desired, you can change the default language.

To configure FireFlow's default interface language


1 Log in to the FireFlow server using the username "root" and the related password.

2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultLang, and set its value to the code for the desired language.
See the following table for language codes.
For example, to configure French as the default language, add the following item:
Set($DefaultLang, 'fr');

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).
Language Codes

Language                 Code
Chinese (PRC)            zh_CN
Chinese (Taiwan)         zh_TW
Croatian                 hr
Czech                    cs
Danish                   da
Dutch                    nl
English                  en
Finnish                  fi
French                   fr
German                   de
Hebrew                   he
Hungarian                hu
Indonesian               id
Italian                  it
Japanese                 ja
Norwegian Bokmal         nb
Polish                   pl
Portuguese               pt
Portuguese (Brazilian)   pt_BR
Russian                  ru
Spanish                  es
Swedish                  sv
Turkish                  tr

Modifying FireFlow Interface Text


You can modify the text appearing in the FireFlow interface in the following ways:

Change the language
For example, you can change the interface language to French, Spanish, or any other language.
Change the wording
For example, you can change the name of the "Change Requests Waiting for User Accept" list to
"Change Requests Waiting to be Accepted".

To modify the FireFlow interface text


1 Under /usr/share/fireflow/local/po or /usr/share/fireflow/lib/RT/I18N, open the
*.po file of the language whose texts you want to translate or change.
2 In any text editor, create a language file encoded in UTF-8.
3 Add the following lines at the start of the new language file you created:
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

Note: These must be the first three lines of the file.


4 For each string you want to translate or change, copy the relevant msgid lines from the *.po file you
opened into the language file you created.
The msgid lines represent the original text.
5 In the language file you created, after each msgid line, add a msgstr line specifying the desired text.
For example, to translate the text on the No Change Record button into French, the file should include the
following lines:
msgid "No Change Record"
msgstr "Aucun enregistrement de modification"

To translate the Add More Files link to French, the file should include the following lines:
msgid "Add More Files"
msgstr "Ajouter d'autres fichiers"

You can also translate text that includes placeholders (in the format %x), by including the same
placeholders in the translation. For example:
msgid "Owner changed from %1 to %2"
msgstr "Propriétaire changé de %1 en %2"

6 Close the original *.po file without saving changes.


7 Save the new file as XX.po, where XX is a two-letter abbreviation of the language used in the file or
some other indication of the file's use.
8 Log in to the FireFlow server using the username "root" and the related password.
9 Place the language file on the FireFlow server, under the directory
/usr/share/fireflow/local/etc/site/po/.
Note: You can use scp to copy the file from your own computer to the FireFlow server.
10 Restart FireFlow.
See Restarting FireFlow (on page 11).
FireFlow will refer to the new *.po file for strings. If a string does not appear in the file, FireFlow will
refer to the original English-language *.po file for the missing string.

Adding/Removing Standard NAT Fields in Change Requests


You can remove all standard NAT fields from change requests. The standard NAT fields include:

Source NAT
Destination NAT
NAT Type
Port Translation

Note: The following procedure will remove the standard NAT fields for all users except FireFlow
configuration administrators. If it is necessary to remove these fields for FireFlow configuration
administrators as well, contact AlgoSec Professional Services.

To add/remove standard NAT fields in change requests


1 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.

2 For each of the NAT-related FireFlow fields listed in the table below, do the following:
a) Click FireFlow Fields.


The Select a FireFlow Field page appears.

b) Click on the field's name.


The Editing Custom Field page appears.

c) In the main menu, click Group Rights.



The Modify group rights for custom field page appears.

d) In each user group's Current rights area, select the SeeCustomField and ModifyCustomField check
boxes.
Note: These check boxes might not appear for all user groups.
e) Click Submit.
NAT-related FireFlow Fields
FireFlow Field | Description
Change Destination NAT: Change destination NAT | Displays the destination NAT value to which the connection's destination should be translated, as planned during the Plan stage.
Change NAT Type: Change NAT type | Displays the type of NAT (Static or Dynamic), as planned during the Plan stage.
Change Port Translation: Change port translation | Displays the port value to which the connection's port should be translated, as planned during the Plan stage.
Change Source NAT: Change source NAT | Displays the source NAT value to which the connection's source should be translated, as planned during the Plan stage.
Requested Destination NAT: Requested destination NAT | Displays the destination NAT value to which the connection's destination should be translated, as specified in the original request.
Requested NAT Type: Requested NAT type | Displays the type of NAT (Static or Dynamic), as specified in the original request.
Requested Port Translation: Requested port translation | Displays the port value to which the connection's port should be translated, as specified in the original request.
Requested Source NAT: Requested source NAT | Displays the source NAT value to which the connection's source should be translated, as specified in the original request.

Adding/Removing Optional NAT Fields in Change Requests


You can configure FireFlow to display separate fields for source NAT, destination NAT, and port
translation before and after translation. In this case, the existing Source NAT, Destination NAT, and Port
Translation fields will display the values before translation, and the following new fields will display the
values after translation:

Source after NAT


Destination after NAT
Port after Translation

The new NAT fields will appear below the standard NAT fields throughout the FireFlow Web interface, for
example in work orders or when editing a change request.

To add optional NAT fields


1 On the original site, open a terminal and log in using the username "root" and the related password.
2 Enter the following command:
/usr/share/fireflow/local/sbin/additional_NAT_fields.pl -e
The optional NAT fields are added to the FireFlow Web interface.

To remove optional NAT fields


1 On the original site, open a terminal and log in using the username "root" and the related password.
2 Enter the following command:
/usr/share/fireflow/local/sbin/additional_NAT_fields.pl -d
The optional NAT fields are removed from the FireFlow Web interface.

Configuring the Default Authentication Action


FireFlow enables you to specify the default authentication action used for Check Point devices. FireFlow
will display the configured authentication action in the Action field of work orders for Check Point-related
change requests.

To configure the default authentication action


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item DefaultAuthAction, and set its value to one of the following:
User Auth - User Authentication.
Session Auth - Session Authentication.
Client Auth - Client Authentication.
For example, to make the default User Authentication, add the following item:
Set($DefaultAuthAction, "User Auth");

4 Save the file.


5 Restart FireFlow.
See Restarting FireFlow (on page 11).

Enabling/Disabling User Group Authentication during Initial Planning


By default, when the default authentication action used for Check Point devices is set to User
Authentication, FireFlow performs user group authentication during initial planning. If desired, you can
disable this.

To enable/disable user group authentication during initial planning


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ValidateUserInSource.
4 Do one of the following:
To enable user group authentication during initial planning, set the configuration item's value to 1.
To disable user group authentication during initial planning, set the configuration item's value to 0.
For example, the following enables user group authentication during initial planning:
Set($ValidateUserInSource,'1');

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).

Configuring the Handling of NAT-Only Traffic Changes


By default, if a traffic change request already works, it is automatically closed during initial planning. If
desired, you can configure FireFlow to keep the change request open, if it includes NAT fields. In addition,
when handling of NAT-only traffic changes is enabled, you can configure FireFlow to display NAT
information in work orders and to use NAT information in risk checks.

To configure handling of NAT-only traffic changes


1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item handleNATChanges.
4 Do one of the following:
To enable handling of NAT-only traffic changes, set the configuration item's value to 1.
To disable handling of NAT-only traffic changes, set the configuration item's value to 0. This is the
default value.
For example, the following enables handling of NAT-only traffic changes:
Set($handleNATChanges,'1');

5 If you enabled handling of NAT-only traffic changes, configure whether FireFlow should use NAT
information in risk checks, by doing the following:
a) Add the configuration item sendNATinformationInRiskCheck.


b) Do one of the following


To enable using NAT information in risk checks, set the configuration item's value to 1.
To disable using NAT information in risk checks, set the configuration item's value to 0. This is
the default value.
For example, the following enables using NAT information in risk checks:
Set($sendNATinformationInRiskCheck,'1');

Note: When this feature is enabled, the Source NAT and Destination NAT fields will be used in risk
checks. However, if the optional Source after NAT field is enabled, it will be used instead of the Source
NAT field. Likewise, if the optional Destination after NAT field is enabled, it will be used instead of the
Destination NAT field. For information on these optional fields, see Adding/Removing Optional NAT
Fields in Change Requests (on page 226).
If you enabled handling of NAT-only traffic changes, configure whether FireFlow should display NAT
information in work orders, by doing the following:
c) Add the configuration item showAllNatTable.
d) Do one of the following
To enable displaying NAT information in work orders, set the configuration item's value to 1.
To disable displaying NAT information in work orders, set the configuration item's value to 0.
This is the default value.
For example, the following enables displaying NAT information in work orders:
Set($showAllNatTable,'1');

6 Save the file.


7 Restart FireFlow.
See Restarting FireFlow (on page 11).

Automatically Sending Work Orders to an Implementation Team


Sometimes, changes on devices are implemented by a group of people who have no access to the FireFlow
system. In this case, you can configure FireFlow to automatically generate a work order in PDF format and
send it to the implementation team via email, each time a work order is created.

To automatically send work orders to an implementation team


1 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
2 Enable generating work orders in PDF format, by doing the following:
a) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
b) Click Global.


The Admin/Global configuration page appears.

c) Click Scrips.
The Modify scrips which apply to all queues page appears.

d) Click 550 On completion of Create Work Order Create Summary PDF.



The Modify a scrip that applies to all queues page appears.

e) In the Stage field, select TransactionCreate.


f) Click Update.
3 Enable automatic sending of emails with work orders in PDF format attached, by doing the following:
a) In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
b) Click Global.
The Admin/Global configuration page appears.
c) Click Scrips.
The Modify scrips which apply to all queues page appears.
d) Click 560 On completion of Create Work Order Notify Work Order Recipient.
The Modify a scrip that applies to all queues page appears.
e) In the Stage field, select TransactionCreate.
f) Click Update.
4 To customize the email template used for sending work orders, do the following:
a) In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.


b) Click Global.
The Admin/Global configuration page appears.
c) Click Email Templates.
The Modify email templates which apply to all queues page appears.
d) Click Notify Work Order Summary.
The Modify email template Notify Work Order Summary page appears.
e) Edit the email content as desired.
f) Click Update.
5 Configure the email recipient, by doing one of the following:
When customizing the email template as described in the previous step, type the desired address in
the To field.
Configure the relevant parameter, by doing the following:
1. Log in to the FireFlow server using the username "root" and the related password.
2. Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3. Add the configuration item WorkOrderRecipientEmail and set its value to the desired email
address.
For example, the following specifies that work orders should be sent to
ImplementationGroup@mycompany.com:
Set($WorkOrderRecipientEmail, 'ImplementationGroup@mycompany.com');

4. Save the file.


5. Restart FireFlow.
See Restarting FireFlow (on page 11).
Note: If you configure the recipient email address using both methods, the address specified in the email
template will be used.

Reverting to System Defaults


To revert to the system defaults
1 Log in to the FireFlow server using the username "root" and the related password.
2 In the directory /usr/share/fireflow/local/etc/site/, remove the file
FireFlow_SiteConfig.pm.
3 In the directory /usr/share/fireflow/local/etc/site/po/, remove any *.po files.
4 Restart FireFlow.
See Restarting FireFlow (on page 11).


CHAPTER 17

Importing User Data from an LDAP Server


If AlgoSec Firewall Analyzer is configured to authenticate users against an LDAP server (for example,
Microsoft Active Directory), you can configure AlgoSec Firewall Analyzer and FireFlow to import user
data from the LDAP server upon each login. For example, when a user logs in, FireFlow can import data
such as the user's telephone number.
AlgoSec Firewall Analyzer can import a user's full name, email address, and user role, while FireFlow can
import data for any user field that exists both in the LDAP server and in FireFlow. If you want to import an
LDAP field that does not exist in FireFlow, you can add a parallel custom field in FireFlow.
Note: Do not add custom fields that have the same name as an existing user field in FireFlow. Doing so will
cause importing data from the LDAP server to fail.
Note: Since data is imported only upon user login, the data stored for users who log in infrequently may be
outdated.
Note: If both automatic creation of requestors upon authentication and importing user data from an LDAP
server are enabled, then upon LDAP authentication, a requestor may be automatically created in FireFlow
and assigned an AFA user role. In this case, the user will remain a requestor and not a privileged user,
regardless of the AFA user role assigned. For information on automatic creation of requestors upon login,
see Enabling/Disabling Automatic Creation of Requestors upon Authentication (on page 211).
Note: A requestor cannot be converted to a privileged user and vice versa, by changing the user's AFA user
role or FireFlow user group via LDAP. These roles are permanent.
Note: When a requestor is automatically created upon first login, and the
Note: If you configured the import of user data from an LDAP server in a FireFlow version prior to 6.1, you
must re-configure it using the following procedure.

To import data from an LDAP database


1 In AFA, configure LDAP user authentication.
You must select the Fetch user data from LDAP check box, complete the fields in the Mapping to LDAP
Fields area, and then restart FireFlow.
Refer to the AlgoSec FireFlow User Guide, Configuring User Authentication.
2 To enable importing AFA user roles, add or edit the desired roles.
You must fill in the Role LDAP DN field.
Refer to the AlgoSec Firewall Analyzer User Guide, Adding and Editing User Roles.
3 To enable importing FireFlow user groups, add or edit the desired user groups.
You must fill in the Group LDAP DN field.
See Working with User Groups (on page 29).
4 To import user fields from the LDAP server, which do not exist in FireFlow, do the following:
a) For each user field that exists in the LDAP server but not in FireFlow, add a custom user field in
FireFlow.
See Adding User-Defined Custom Fields (on page 44).
b) On the AFA server, open /home/afa/.fa/config.


c) Add the attribute LDAP_AttrCustom.


d) Set this attribute's value to a list of custom FireFlow fields and the parallel LDAP fields in the
following format:
FF_CustField1,LDAP_Attr1;FF_CustField2,LDAP_Attr2;...

Where:
FF_CustFieldX - The name of a user field in FireFlow to which you want to import data. This
can be a built-in field or a user-defined custom field.
LDAP_AttrX - The name of a user field in the LDAP server from which you want to import
data.
In order to map a user-defined custom field called "Department" to an LDAP attribute called
"department", set the following value:
LDAP_AttrCustom=Department,department

Note: In this example, the LDAP server field names are taken from Active Directory. If a different
LDAP server is used, the names must be changed accordingly.
e) Save the file.


CHAPTER 18

Integrating FireFlow with External Change Management Systems

This section explains how to integrate FireFlow with an external Change Management System.

In This Chapter
Overview
Integrating FireFlow via the REST Interface
Integrating FireFlow via a CMS's Web Service
Integrating FireFlow via Email

Overview
FireFlow can be integrated with an organization's main Change Management System (CMS), such as BMC
Remedy, HP Service Center and Service Manager (formerly Peregrine), and more. Communication between
the two systems can be based on the following protocols:

REST interface
The CMS can use the REST interface to create change requests in FireFlow via HTTP.
See Integrating FireFlow via the REST Interface (on page 235).
Web service
FireFlow can establish a uni-directional connection with a CMS's Web service. This enables FireFlow to
send the CMS requests to open a change request or update its status.
See Integrating FireFlow via a CMS's Web Service (on page 239).
Email
FireFlow can send email messages to the CMS and receive requests to open a change request or update
its status via email. If the CMS has these same capabilities, it is possible to achieve an email-based
integration.
Email is the easiest protocol to configure and allows for bi-directional communication.
See Integrating FireFlow via Email (on page 244).

Regardless of the protocol selected, integrating FireFlow with a CMS requires customization on both sides.

Integrating FireFlow via the REST Interface


FireFlow can be integrated with a CMS via the REST interface. The REST interface is an HTTP-based API
that can be used by the CMS to create change requests in FireFlow via HTTP.
If you need other assistance in using the REST interface, contact AlgoSec Professional Services.


REST Interface Integration Steps


To integrate FireFlow with a CMS via the REST interface
1 Configure CMS authentication to FireFlow.
See Configuring Authentication to FireFlow (on page 236).
2 Use the CMS to create change requests in FireFlow as desired.
See Creating Change Requests via the REST Interface (on page 237).

Configuring Authentication to FireFlow


The REST interface does not support HTTP authentication. Therefore, in order for the CMS to authenticate
to FireFlow, the CMS must obtain a valid session token and then submit the session cookie with each
request. You can generate a session cookie by submitting the default login form with the username as the
"user" parameter and the password as the "pass" parameter.
For example, the following Perl code generates a session cookie:
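use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

# These values and the log_print() routine are supplied by the calling script.
# $FireFlow_URL should be an https:// URL, because the password and the
# session cookie travel in these requests.
our ($FireFlow_URL, $access_user, $access_password, $MaxHttpRequestTimeoutInSeconds);
my ($ua, $cookieJar, $response);
my $is_cookie_exist = 0;

# First log in to FireFlow and create the session cookie
sub setCookie {
    unless ($is_cookie_exist) {
        log_print("Info", "Trying to login to $FireFlow_URL/");
        # Initialize the user agent and the cookie jar
        $ua = LWP::UserAgent->new;
        $ua->timeout($MaxHttpRequestTimeoutInSeconds);
        $cookieJar = HTTP::Cookies->new( ignore_discard => 1 );
        $ua->cookie_jar($cookieJar);
        # First go to the login page - just for getting the cookie
        $response = $ua->post( $FireFlow_URL . '/' );
        if (!$response->is_success) {
            log_print("Error", "failed to connect to FireFlow server");
            return $response;
        }
        # Now log in to FireFlow; the session cookie is stored in $cookieJar
        $response = $ua->post( $FireFlow_URL . '/',
            [ 'user' => $access_user,
              'pass' => $access_password,
            ]
        );
        if (!$response->is_success) {
            log_print("Error", "login request to FireFlow server failed");
            return $response;
        }
        $is_cookie_exist = 1;
    }
}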


Creating Change Requests via the REST Interface


To create a new change request in FireFlow via the REST interface

On the FireFlow server, post the following:


on0 FireFlow/REST/1.0/ticket/new requestContent
Where requestContent contains the change request details in the following format:
key1: value1
key2: value2
...

For information on the available keys and their values, refer to the following table.
For example, you can create a change request by posting the following:
on0 /FireFlow/REST/1.0/ticket/new
Queue: 1
Requestor: req@algosec.com
Subject: Creating ticket via REST
CF.{Requested Source}: 1.1.1.1
CF.{Requested Source}: 2.2.2.2
CF.{Requested Destination}: 3.3.3.3
CF.{Requested Service}: ssh
CF.{Requested Service}: https
REST Change Request Creation Keys
Set this key... | To this value...
Requestor | The email address of the change requestor. This key is mandatory.
Queue | The queue to which the change request belongs. This key is mandatory.
Subject | A title for the change request. This key is optional.
Status | The change request's status. This key is optional.
Owner | The change request's owner. This key is optional.
Due | The date by which this change request should be resolved, in the following format: YYYY-MM-DD HH:MM:SS. This key is optional.
Priority | A number indicating this request's priority, where 0 indicates lowest priority. This key is optional.
CF.{customField} | The value of customField, which is a custom field supported by FireFlow.
You can create a change request key for any of the built-in custom fields listed in the
following table. For example, the following key specifies that the requested service
is SSH:
CF.{Requested Service}: ssh
In addition, you can create a change request key for a user-defined custom field
belonging to any of the following categories: additional for object, additional for traffic,
additional for source, additional for destination, and additional for service. To do so,
use the following format:
CF.{__REQUESTED__fieldName}
Where fieldName is the name of the user-defined custom field. For example, the
following key specifies that the custom field "Application" is Syslog:
CF.{__REQUESTED__Application}: syslog
If desired, you can use the same custom field multiple times when creating a single
change request. For example, if you include all of the following keys, the change
request will have SSH, HTTPS, and TCP/7 as requested services:
CF.{Requested Service}: ssh
CF.{Requested Service}: https
CF.{Requested Service}: tcp/7
This field is optional.

REST Change Request Built-in Custom Fields
Set this custom field... | To this value...
Expires | The date on which this change request will expire, in the following format: YYYY-MM-DD HH:MM:SS
Requested Source | The IP address, IP range, network, device object, or DNS name of the connection source.
Requested Destination | The IP address, IP range, network, device object, or DNS name of the connection destination.
Requested Service | The device service or port for the connection (for example "http" or "tcp/123").
Requested Action | The device action to perform for the connection. This can be either of the following: Allow - Allow the connection; Drop - Block the connection.
Requested Source NAT | The source NAT value, if the connection's source should be translated.
Requested Destination NAT | The destination NAT value, if the connection's destination should be translated.
Requested Port Translation | The port value, if the connection's port should be translated.
Workflow | The change request's workflow.
Owning Group | The group to which the change request should be assigned.
Requested NAT Type | The type of NAT. This can have the following values: Static, Dynamic.
CMS ticket id | The ID number of a related change request in the CMS.
Firewall Name | The name of the device.
Form Type | The request template type. This can have the following values: Object Change, Traffic Change, Generic Change.
Requested Object Action | The requested action in an object change request. This can have the following values: AddIPsToObject, RemoveIPsFromObject, NewObject, DeleteObject.
Requested Object Name | The object's name in an object change request.
Requested IPs To Add | The IP addresses to add to an object in an object change request.
Requested IPs To Remove | The IP addresses to remove from an object in an object change request.
Requested Object Scope | The object scope in an object change request.
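The requestContent format and the two key tables above, as an added example that is not AlgoSec code: a Perl routine for the CMS side that assembles requestContent from key/value pairs and rejects input that does not fit the documented format before it is posted. The function name, the sample requests, and the rule that the standard keys are single-valued are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not AlgoSec code: builds and validates the "key: value"
# requestContent described on this page.
use strict;
use warnings;

# Keys and allowed values as listed in the tables on this page.
my %STANDARD  = map { $_ => 1 } qw(Requestor Queue Subject Status Owner Due Priority);
my @MANDATORY = qw(Requestor Queue);
my %ENUM = (
    'CF.{Requested Action}'        => [qw(Allow Drop)],
    'CF.{Requested NAT Type}'      => [qw(Static Dynamic)],
    'CF.{Form Type}'               => ['Object Change', 'Traffic Change', 'Generic Change'],
    'CF.{Requested Object Action}' =>
        [qw(AddIPsToObject RemoveIPsFromObject NewObject DeleteObject)],
);
my $DATE_RE = qr/\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\z/;

# build_request_content(\@pairs) returns ($content, \@errors).
# @pairs is an ordered list of [key, value]; CF.{...} keys may repeat.
# $content is undef when any check fails.
sub build_request_content {
    my ($pairs) = @_;
    my (@lines, @errors, %seen);

    for my $pair (@$pairs) {
        my ($key, $value) = @$pair;
        $value = '' unless defined $value;

        unless ($STANDARD{$key} || $key =~ /\ACF\.\{[^{}\r\n]+\}\z/) {
            push @errors, "unknown key '$key'";
            next;
        }
        # The format is one key per line, so a line break inside a value
        # could be read as the start of another key.
        if ($value =~ /[\r\n]/) {
            push @errors, "line break in value of '$key'";
            next;
        }
        # Assumption: standard keys are single-valued; the page only shows
        # CF.{...} keys being repeated.
        if ($STANDARD{$key} && $seen{$key}) {
            push @errors, "key '$key' given more than once";
            next;
        }
        if (($key eq 'Due' || $key eq 'CF.{Expires}') && $value !~ $DATE_RE) {
            push @errors, "'$key' must be YYYY-MM-DD HH:MM:SS";
            next;
        }
        if ($key eq 'Priority' && $value !~ /\A\d+\z/) {
            push @errors, "'Priority' must be a number, 0 being lowest";
            next;
        }
        if (my $allowed = $ENUM{$key}) {
            unless (grep { $_ eq $value } @$allowed) {
                push @errors, "'$key' must be one of: " . join(', ', @$allowed);
                next;
            }
        }
        $seen{$key}++;
        push @lines, "$key: $value";
    }
    for my $key (@MANDATORY) {
        push @errors, "mandatory key '$key' is missing" unless $seen{$key};
    }
    my $content;
    $content = join("\n", @lines) . "\n" unless @errors;
    return ($content, \@errors);
}

# Constructed sample input: the page's own example, then a request with a
# multi-line Subject copied from CMS free text, an unsupported action, and
# no Requestor.
my @good = (
    ['Queue', '1'], ['Requestor', 'req@algosec.com'],
    ['Subject', 'Creating ticket via REST'],
    ['CF.{Requested Source}', '1.1.1.1'], ['CF.{Requested Source}', '2.2.2.2'],
    ['CF.{Requested Destination}', '3.3.3.3'],
    ['CF.{Requested Service}', 'ssh'], ['CF.{Requested Service}', 'https'],
);
my @bad = (
    ['Queue', '1'],
    ['Subject', "Firewall change\n(see attached)"],
    ['CF.{Requested Action}', 'Permit'],
);

for my $case (['page example', \@good], ['rejected request', \@bad]) {
    my ($name, $pairs) = @$case;
    my ($content, $errors) = build_request_content($pairs);
    print "== $name ==\n";
    if (defined $content) { print $content }
    else                  { print "error: $_\n" for @$errors }
}
```

The returned content is what the CMS posts to FireFlow/REST/1.0/ticket/new together with the session cookie.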

Integrating FireFlow via a CMS's Web Service


FireFlow can be integrated with a CMS via the CMS's Web service. A Web service is an API that can be
accessed and executed over the network, thus allowing FireFlow to perform remote operations on the CMS.
Supported operations are described in XML format in the Web service's WSDL (Web Services Description
Language) file, and FireFlow refers to this file when performing operations on the CMS.
FireFlow uses the Web service to perform the following operations:

Creating a change request


When a requestor opens a change request in FireFlow, FireFlow uses the Web service to create a new
change request in the CMS.
Updating a change request's status
At certain stages during the FireFlow change request lifecycle (for example, Approve and Resolve),
FireFlow uses the Web service to change the change request's status in the CMS.

If you are not sure whether your CMS includes a Web service and a WSDL file, or if you need other
assistance in integrating FireFlow with a Web service, contact AlgoSec Professional Services.

Web Service Integration Steps


To integrate FireFlow with a CMS via a Web service
1 Determine the full URL to the Web service's WSDL file.
2 Create a new directory under /usr/share/fireflow/local/WebServiceClient, and name it
after the Web service.
3 Use the following command to create Perl classes from the WSDL file:
wsdl2perl.pl -b /usr/share/fireflow/local/WebServiceClient/WebServiceName/ -p WebServiceName
WsdlUrl
Where:

WebServiceName is the name of the Web service, and


WsdlUrl is the full URL to the Web service's WSDL file.
New directories are created under
/usr/share/fireflow/local/WebServiceClient/WebServiceName/. For example:
WebServiceNameAttr, WebServiceNameInterfaces, WebServiceNameTypes, and so on.
4 Use the examples located under /usr/share/fireflow/local/WebServiceClient/ to write a
Perl class that inherits from WebServices::Base and implements the following sub-routines:
getSOAPModule
getServerActionsForStatus
BuildParamsHashForAction
handleResponseHASH
5 Configure FireFlow to use a Web service.
See Configuring FireFlow to Use a Web Service (on page 240).

Configuring FireFlow to Use a Web Service


To configure FireFlow to use a Web service
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item WebServicesModule and set it to the name of the Perl class you created.
4 If the Web service requires authentication, do the following:
Add the configuration item WebServicesUsername and set it to the user name to use when
authenticating to the Web service.
Add the configuration item WebServicesPasswordEncrypted and set it to the password to use
when authenticating to the Web service.
5 Save the file.
6 Restart FireFlow.
See Restarting FireFlow (on page 11).
7 Log in to FireFlow for advanced configuration purposes.
See Logging in for Advanced Configuration Purposes (on page 7).
8 In the main menu, click Advanced Configuration.


The Advanced Configuration page appears.

9 At the top of the workspace, click Global.


The Admin/Global configuration page appears.

10 Click Scrips.


The Modify scrips which apply to all queues page appears.

11 Click 320 On Non Sub Ticket Create Notify WebService.


The Modify a scrip that applies to all queues page appears.

12 In the Stage drop-down list, select TransactionBatch.


13 Click Update.
The Modify scrips which apply to all queues page reappears.
14 Click 330 On Non Sub Ticket Status Change Notify WebService.
The Modify a scrip that applies to all queues page appears.
15 In the Stage drop-down list, select TransactionCreate.
16 Click Update.


Integrating FireFlow via Email


FireFlow can be integrated with a CMS via email. In this situation, when a requestor opens a change request
in the CMS, a new change request is automatically created in FireFlow. Network operations and information
security users can then work with the new change request, in the same way as they would work with a
change request that originated in FireFlow.
To ensure that a relationship is maintained between the original CMS change request and the new FireFlow
change request, the CMS passes the CMS change request ID number to FireFlow, and FireFlow passes the
FireFlow change request ID number to the CMS. This information is used to associate the CMS change
request and the FireFlow change request with each other.
At certain stages during the FireFlow change request lifecycle, most importantly when it is resolved,
FireFlow notifies the CMS of the change request's status change. Thus communication between the CMS
and FireFlow runs in both directions, as shown in the following table.
CMS | FireFlow
Create Change Request | Create Change Request
Notified | Approve Change Request
Notified and Closed | Resolve Change Request

The following example describes an email-based integration between FireFlow and BMC Remedy Change
Management Application.
Note: The instructions provided are specific to Remedy Action Request System 7.1.00 and may vary for
different Remedy versions.
For information on integrating FireFlow with other change management systems, contact AlgoSec.

Email Integration Steps


To integrate FireFlow with BMC Remedy via email
1 Prepare email addresses and a Remedy user.
See Preparation (on page 245).
2 Configure FireFlow for use with Remedy.
See Configuring FireFlow for Use with Remedy (on page 245).
3 Configure the Remedy incoming mailbox.
See Configuring the Remedy Incoming Mailbox (on page 246).
4 Configure the Remedy outgoing mailbox.
See Configuring the Remedy Outgoing Mailbox (on page 247).
5 Configure Remedy email security.
See Configuring Remedy Email Security (on page 248).
6 Configure the Remedy filter.
See Configuring the Remedy Filter (on page 249).


Preparation
Email Addresses
Use the table below to record email addresses used by both Remedy and FireFlow to receive change request
submissions and send change request updates.
FireFlow Email Address
Remedy Email Address

Remedy User
Create or select an existing Remedy user that will perform actions on behalf of FireFlow, then choose an
alpha-numeric string to serve as a security key for this user. Use the table below to record the user's
username, password, and security key.
Username
Password
Security Key

Configuring FireFlow for Use with Remedy


To configure FireFlow for use with Remedy
1 Log in to the FireFlow server using the username "root" and the related password.
2 Under the directory /usr/share/fireflow/local/etc/site/, open
FireFlow_SiteConfig.pm.
3 Add the configuration item ExternalCMSEmail, and set its value to the email address of the Remedy
Server to which FireFlow should send its emails, and which FireFlow should notify upon change request
closure.
For example:
Set($ExternalCMSEmail, 'remedy@my.organization.com');

To specify that FireFlow should not send email and notifications to the Remedy Server, leave this item
empty.
4 Add the configuration item ExternalCMSSenderEmails, and set its value to a space-separated list of
email addresses, from which the Remedy Server is expected to send emails to FireFlow upon change
request creation.
For example:
Set(@ExternalCMSSenderEmails, qw(remedy@my.organization.com
remedy-alias@my.organization.com));

5 Save the file.


6 Restart FireFlow.
See Restarting FireFlow (on page 11).


7 Log in to FireFlow for advanced configuration purposes.


See Logging in for Advanced Configuration Purposes (on page 7).
8 In the main menu, click Advanced Configuration.
The Advanced Configuration page appears.
9 At the top of the workspace, click Global.
The Admin/Global configuration page appears.
10 Click Scrips.
The Modify scrips which apply to all queues page appears.
11 Click 020 On Non Sub Ticket Create External Source Parse Text Fields From External System.
The Modify a scrip that applies to all queues page appears.
12 In the Stage drop-down list, select TransactionCreate.
13 Click Update.
The Modify scrips which apply to all queues page reappears.
14 Click 140 On Non Sub Ticket Close External Source Notify Other Recipients.
The Modify a scrip that applies to all queues page appears.
15 In the Email Template drop-down list, select Global template: Notify Remedy Ticket Close.
16 In the Stage drop-down list, select TransactionCreate.
17 Click Update.
The Modify scrips which apply to all queues page reappears.

Configuring the Remedy Incoming Mailbox


To configure the Remedy incoming mailbox
1 Open the BMC Remedy User.
2 Open the AR System Email Mailbox Configuration form in Search mode.
3 Choose the Incoming mailbox, and click the Advanced Configuration tab.


The Advanced Configuration tab appears.

4 Configure the fields as follows:


In the Associated Mailbox Name list, select the name of the outgoing mailbox.
In the Email Action list, select Parse.
In the Reply With Result list, select No.
In the Enable Modify Actions list, select Yes.
In the Use Security Key list, select Yes.
In the Use Supplied User Information list, select Yes.
In the Use Email From Address list, select Yes.
Leave all other fields at their default settings.
5 Save your changes.

Configuring the Remedy Outgoing Mailbox


To configure the Remedy outgoing mailbox

1 Enter BMC Remedy User.


2 Open the AR System Email Mailbox Configuration form in Search mode.
3 Choose the Outgoing mailbox, and click the Advanced Configuration tab.


The Advanced Configuration tab appears.

4 Configure the fields as follows:


In the Associated Mailbox Name list, select the name of the incoming mailbox.
In the Delete Outgoing Notification Messages list, select No.
Leave all other fields at their default settings.
5 Save your changes.

Configuring Remedy Email Security


To configure Remedy email security

1 Enter BMC Remedy User.


2 Open the AR System Email Security form in Search mode.


The form appears.

3 Configure the fields as follows:


In the Status list, select Enabled.
In the Key field, type the security key you prepared in Remedy User (on page 245).
In the User Name field, type the username you prepared in Remedy User (on page 245).
In the Force For Mailbox list, select No.
In the Force From Email Address list, select Yes.
In the Email Addresses field, type the FireFlow email address you prepared in Email Addresses (on
page 245).
Leave all other fields at their default settings.
4 Save your changes.

Configuring the Remedy Filter


When integrated with FireFlow, Remedy sends an email to FireFlow upon each change request submission.
The email serves two purposes:

When FireFlow receives the email, ticket creation is triggered.


When the ticket is resolved, FireFlow responds to this email, closing the original Remedy change.

In order to configure Remedy to send email upon change request submissions, you must specify a filter
using the following procedure.
Note: For more detailed instructions on how to configure Remedy for email integration, refer to the
Configuring the email engine for modify actions and Defining workflow to send email notifications
sections in the BMC Remedy Action Request System Administering BMC Remedy Email Engine
document. This document for version 7.0 is located here:
http://documents.bmc.com/supportu/documents/84/75/58475/58475.pdf

To configure Remedy filter

1 Enter BMC Remedy Administrator.


2 Create a new filter.


The Basic tab appears.

3 Configure the fields as follows:


In the Name field, type a name for the filter, for example "CHG:CreateFireFlowTicket".
In the Form Name area, select the CHG:Infrastructure Change check box.
In the Execute On area, select the Submit check box.
In the Run If area, type any qualification that fits all and only firewall change requests.
For example: 'Product Cat Tier 1(2)' = "Firewall".
Leave all other fields at their default settings.
4 Click the If Action tab.


The If Action tab appears.

5 Configure the fields as follows:


In the New Action list, select Notify.
In the Text field, paste the exact text specified in Remedy Filter Text (on page 252).
In the User Name field, type the FireFlow email address you prepared in Email Addresses (on page
245).
In the Priority field, type the email's priority (between 1-10).
In the Mechanism list, select Email.
In the Fields tab, do the following:
In the Subject field, type a subject for the emails, such as "Request submitted by Remedy
$Infrastructure Change ID$".
In the Include Fields list, select Selected.
In the Fields area, select the following fields:
Description
Detailed Description
First Name
Infrastructure Change ID
Last Name
Middle Initial
Request ID
Submit Date
Submitter
In the Messages tab, in the Mailbox Name field, type the name of the outgoing mailbox.
Note: This field is required only if you are not using the default mailbox.


Leave all other fields at their default settings.


6 Save your changes.

Remedy Filter Text


You must copy the following text verbatim into the Remedy filter in the BMC Remedy Administrator, in
order to enable FireFlow to close the Remedy change upon FireFlow ticket resolution.
The first paragraph can be modified, as it is meant for human readability only. The rest of the text includes
seven identical blocks that allow FireFlow to move the Remedy change throughout the full workflow until
Closed status, by responding to the email received from Remedy.
Replace <remedy server>, <username> and <password> with the relevant values for your installation.
This is an automatic email sent by BMC Remedy Change Management Application to notify that
change id $Infrastructure Change ID$ has been submitted.
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$
Server: <remedy server>
User Name: <username>
Password: <password>
Key: FireFlow
Action: Modify
Form: CHG:Infrastructure Change
Request ID: $Request ID$


CHAPTER 19

Configuring the FireFlow Web Service


This section explains how to use the FireFlow Web service.

In This Chapter
Overview
FireFlow Services
Data Types

Overview
FireFlow has its own Web service. A Web service is an API that can be accessed and executed over the
network, thus allowing Web service clients, which are the machines used by authenticated FireFlow users, to
perform remote operations on the Web service server, which is FireFlow. Supported operations are
described in XML format in FireFlow's Web service's WSDL (Web Services Description Language) file,
available at https://<algosec_server>/WebServices/FireFlow.wsdl where
<algosec_server> is the AlgoSec server URL. Web clients refer to the WSDL file when performing
operations on FireFlow.

FireFlow Services
FireFlowAuthenticateRequest
Description
Authenticates a user.
Once authenticated, the client will receive a session identifier. This identifier will be required as proof of
authentication for future requests.

Header Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| version | String | Yes | The API version. |
| opaque | String | No | A value that will be echoed in the response. This value must be maximum 1024 characters in length. |

Message Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| username | String | Yes | The client's username. |
| password | String | Yes | The client's password in cleartext. |

Returns
A FireFlowAuthenticationResponse response. See FireFlowAuthenticationResponse (on page
257).

FireFlowCreateTicketRequest
Description
Creates a new FireFlow change request.

Header Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| version | String | Yes | The API version. |
| sid | String | Yes | The client's session identifier. |
| onBehalfOf | String | No | The name of the user on whose behalf to act. If acting on a user's behalf is not allowed, the action will fail and the response will indicate the reason. |
| opaque | String | No | A value that will be echoed in the response. This value must be maximum 1024 characters in length. |

Message Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| template | String | Yes | The request template of the new change request. In the current API version, this element's value must be Standard. |
| ticket | Ticket | Yes | A Ticket object. See Ticket (on page 259). |

Returns
A FireFlowCreateTicketResponse response. See FireFlowCreateTicketResponse (on page 258).


FireFlowTerminateSessionRequest
Description
Terminates the current session.

Header Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| version | String | Yes | The API version. |
| sid | String | Yes | The client's session identifier. |
| opaque | String | No | A value that will be echoed in the response. This value must be maximum 1024 characters in length. |

Message Elements
None.

Returns
A FireFlowTerminateSessionResponse response. See FireFlowTerminateSessionResponse (on
page 258).

FireFlowAuthenticationResponse
Description
The response to an authentication attempt.

Header Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| version | String | Yes | The API version. |
| opaque | String | No | A value that is echoed from the request. |

Message Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| result | Integer | Yes | An indicator of the authentication's outcome. A value of 1 indicates success. |
| sid | String | Yes | The session identifier. |
| message | String | No | A message describing the authentication's outcome in English. |


FireFlowCreateTicketResponse
Description
A general response to various services.

Header Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| version | String | Yes | The API version. |
| opaque | String | No | A value that is echoed from the request. |

Message Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| result | Integer | Yes | An indicator of the authentication's outcome. A value of 1 indicates success. |
| message | String | No | A message describing the authentication's outcome in English. |
| ticketId | Integer | Yes | The newly created change request's ID number. |

FireFlowTerminateSessionResponse
Description
The response to the session termination request.

Header Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| version | String | Yes | The API version. |
| opaque | String | No | A value that is echoed from the request. |

Message Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| result | Integer | Yes | An indicator of the authentication's outcome. A value of 1 indicates success. |
| sid | String | Yes | The terminated session's identifier. |
| message | String | No | A message describing the authentication's outcome in English. |


Data Types
Ticket
Description
A FireFlow change request.

Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| owner | String | No | The email address of the change request owner. |
| requestor | String | Yes | The email address of the requestor. |
| cc | List of Strings | No | A list of email addresses to which the FireFlow system should send copies. |
| subject | String | Yes | The change request's title. |
| due | String | No | The date by which this change request should be resolved, in the format: date, GMT |
| expire | String | No | The date on which this change request will expire, in the format: date, GMT |
| priority | Integer | No | A number indicating this request's priority, where 0 indicates lowest priority. |
| refersTo | Integer | No | The ID number of a change request to which this change request refers. |
| referredBy | Integer | No | The ID numbers of a change request that refer to this change request. |
| externalId | String | No | The ID number of an external system change request to which this change request should be linked. |
| devices | List of Strings | No | A list of device names, on which the change should be made. |
| description | String | No | A free text description of the issue. |
| trafficLines | List of TrafficLine objects | No | A list of traffic tuples. See TrafficLine (on page 260). |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |


TrafficLine
Description
A traffic tuple in a FireFlow change request.

Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| trafficSource | List of TrafficAddress objects | Yes | A list of source IP addresses. See TrafficAddress (on page 260). |
| trafficDestination | List of TrafficAddress objects | Yes | A list of destination IP addresses. See TrafficAddress (on page 260). |
| trafficService | List of TrafficService objects | Yes | A list of traffic services. See TrafficService (on page 261). |
| nat | TrafficNAT | No | NAT for the defined traffic. See TrafficNAT (on page 261). |
| action | Integer | Yes | The device action to perform for the connection. This can be either of the following: 1: Allow the connection. 0: Block the connection. Note: All traffic tuples in a change request must have the same action. |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |

TrafficAddress
Description
An address in a traffic tuple.

Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| address | String | Yes | The IP address, IP range, network, device object, or DNS name of the connection source. |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |


TrafficService
Description
A service in a traffic tuple.

Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| service | String | Yes | The device service or port for the connection (for example "http" or "tcp/123"). |
| customFields | List of CustomField objects | No | A list of custom fields. See CustomField (on page 261). |

TrafficNAT
Description
Network Address Translation (NAT) information for a traffic tuple.

Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| source | String | Yes | The source NAT value after translation. |
| destination | String | Yes | The destination NAT value after translation. |
| port | String | Yes | The port value after translation. |
| type | Integer | No | The type of NAT. The possible values are: 0: Static NAT. 1: Dynamic NAT. |

CustomField
Description
A custom field in a FireFlow change request.

Elements
| Element | Type | Mandatory | Description |
| --- | --- | --- | --- |
| Key | String | Yes | The custom field's name. |
| value | String | Yes | The custom field's value. |
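
The following added example (not code from the guide or from AlgoSec) builds the three request messages from the tables above and enforces their documented constraints on the client side before anything is sent. The element names come from the tables; the SOAP 1.1 envelope layout, the placeholder namespace urn:example:fireflow, and the sample values are assumptions, the authoritative structure is the WSDL file, and the NAT and custom field elements are left out.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
NS = "urn:example:fireflow"  # ASSUMPTION: placeholder; take the real one from FireFlow.wsdl
MAX_OPAQUE = 1024            # documented limit on the echoed "opaque" header value


def check_endpoint(url):
    """The password is sent in cleartext inside the message, so require HTTPS."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing non-HTTPS endpoint: " + url)
    return url


def envelope(request_name, version, sid=None, opaque=None):
    """Build Envelope/Header/Body and return (envelope, request element)."""
    if request_name != "FireFlowAuthenticateRequest" and not sid:
        raise ValueError("sid is mandatory for " + request_name)
    if opaque is not None and len(opaque) > MAX_OPAQUE:
        raise ValueError("opaque must be at most 1024 characters")
    env = ET.Element("{%s}Envelope" % SOAP)
    header = ET.SubElement(env, "{%s}Header" % SOAP)
    for name, value in (("version", version), ("sid", sid), ("opaque", opaque)):
        if value is not None:
            ET.SubElement(header, "{%s}%s" % (NS, name)).text = value
    body = ET.SubElement(env, "{%s}Body" % SOAP)
    return env, ET.SubElement(body, "{%s}%s" % (NS, request_name))


def authenticate_request(version, username, password, opaque=None):
    env, msg = envelope("FireFlowAuthenticateRequest", version, opaque=opaque)
    ET.SubElement(msg, "username").text = username
    ET.SubElement(msg, "password").text = password
    return env


def terminate_session_request(version, sid):
    # End the session explicitly once the work is done.
    return envelope("FireFlowTerminateSessionRequest", version, sid=sid)[0]


def validate_ticket(ticket):
    """Return a list of violations of the documented Ticket constraints."""
    errors = []
    for field in ("requestor", "subject"):
        if not ticket.get(field):
            errors.append("ticket." + field + " is mandatory")
    lines = ticket.get("trafficLines", [])
    for i, line in enumerate(lines):
        where = "trafficLines[%d]." % i
        for field in ("trafficSource", "trafficDestination", "trafficService"):
            if not line.get(field):
                errors.append(where + field + " is mandatory")
        if line.get("action") not in (0, 1):
            errors.append(where + "action must be 1 (allow) or 0 (block)")
    if len({line.get("action") for line in lines}) > 1:
        errors.append("all traffic lines must have the same action")
    return errors


def create_ticket_request(version, sid, ticket, template="Standard"):
    if template != "Standard":
        raise ValueError("template must be Standard in this API version")
    errors = validate_ticket(ticket)
    if errors:
        raise ValueError("; ".join(errors))
    env, msg = envelope("FireFlowCreateTicketRequest", version, sid=sid)
    ET.SubElement(msg, "template").text = template
    t = ET.SubElement(msg, "ticket")
    for field in ("requestor", "subject", "description"):
        if ticket.get(field):
            ET.SubElement(t, field).text = ticket[field]
    for line in ticket.get("trafficLines", []):
        tl = ET.SubElement(t, "trafficLines")
        for field, child in (("trafficSource", "address"),
                             ("trafficDestination", "address"),
                             ("trafficService", "service")):
            for value in line[field]:
                ET.SubElement(ET.SubElement(tl, field), child).text = value
        ET.SubElement(tl, "action").text = str(line["action"])
    return env


SAMPLE_TICKET = {  # constructed sample (documentation address ranges)
    "requestor": "requestor@my.organization.com",
    "subject": "Allow web traffic to the DMZ server",
    "trafficLines": [{"trafficSource": ["192.0.2.0/24"],
                      "trafficDestination": ["198.51.100.10"],
                      "trafficService": ["http", "tcp/123"], "action": 1}],
}
```

Serialize a message with ET.tostring(env, encoding="unicode") and compare it with the WSDL before posting it to an endpoint that has passed check_endpoint.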


CHAPTER 20

Using the AlgoSec FireFlow Copy Customization Utility

AlgoSec FireFlow includes a copy customization utility that can be used to copy user customizations
between sites. This section explains how to use this utility.

In This Chapter
Overview
Creating a Customizations File
Loading a Customizations File to the Target Site

Overview
The AlgoSec FireFlow copy customization utility can be used to copy the following user customizations
between sites:

Database entities
Configuration files
Translation files
Scripts for uploading change requests from file
Hook files
Web Service clients

Database Entities
The utility copies the following database entities:

Queues
The following information is copied for each queue:
Description
CorrespondAddress
CommentAddress
InitialPriority
FinalPriority
DefaultDueIn
SubjectTag
Disabled
Attributes: AdminGroupID, SecurityGroupID, NetworkGroupID, ReadOnlyGroupID,
ControllersGroupID (according to the ID of the created groups)


Note: If a queue's name is changed on the original site, the utility will create both a queue with the
original name and a queue with the new name on the target site.

Groups
The following information is copied for each group:
Description
Disabled
Global rights, including rights for roles
Queue rights per queue, including rights for roles
Group rights
Home Page settings
The group's membership in other groups
Note: When updating FireFlow, global rights, queue rights, and group rights that are not in a
customization file will be revoked.
Note: If a group's name is changed on the original site, the utility will create both a group with the
original name and a group with the new name on the target site.
Note: Since the utility does not copy users and their group memberships, it will be necessary to define
the users as members of the new group on the target site.

Custom fields
All custom fields are copied, including those for change requests, users, and groups.
The following information is copied for each custom field:
Description
DisplayName
Type
ValuesClass
LookupType
Pattern
LinkValueTo
IncludeContentForValue
Category
DefaultValue
Disabled
HideIfEmpty
Note: When updating FireFlow, custom fields that do not appear in the customization file will be
removed. Furthermore, custom fields referring to queues, system group rights, or user-defined group
rights that do not appear in the customization file will be removed.
Note: If a custom field's name is changed on the original site, the utility will create both a custom field
with the original name and a custom field with the new name on the target site.


Request templates
The following information is copied for each request template:
Description
All defined values


Note: If a request template's name is changed on the original site, the utility will create both a template
with the original name and a template with the new name on the target site.
Note: Request templates cannot be disabled; therefore, the utility will not remove them from the target
site.

Email templates
All email templates are copied, including both global and per queue.
The following information is copied for each email template:
Name
Description
Content
Note: Email templates cannot be disabled; therefore, the utility will not remove them from the target site.

Scrips
All scrips are copied, including both global and per queue.
The following information is copied for each scrip:
Description
Stage
CustomIsApplicableCode (in case of a user-defined condition)
CustomPrepareCode (in case of a user-defined action)
CustomCommitCode (in case of a user-defined action)
ScripAction name
ScripCondition name
Email Template name
Note: FireFlow scrips have no name; therefore, if two scrips have the same description, only one of them
will be updated.

Saved searches
Global Home Page settings

Configuration Files
The utility copies the following configuration files:

The workflow configuration file
/usr/share/fireflow/local/etc/site/Workflows_Config.xml
The utility overwrites this file on the target site.
All workflow files located under /usr/share/fireflow/local/etc/site/Workflows/
The utility overwrites everything in this folder on the target site.
The suggested source/destination addresses list
/usr/share/fireflow/local/etc/site/SuggestedAddressObjects_Config.xml
The utility overwrites this file on the target site.
The FireFlow site configuration file
/usr/share/fireflow/local/etc/site/FireFlow_SiteConfig.pm


The utility adds all parameters in the file that do not include the words Email, Password, Address, or
FAUser to the parallel file on the target site; that is, user and password-related parameters are not
copied. Other parameters are updated or added to the end of the file on the target site.
The file on the original site is backed up before it is edited.
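
The name filter described above only catches the four listed words, so a parameter that holds a secret under another name would be copied to the target site. The following added example (not part of the utility or the guide) lists which Set(...) parameters of a FireFlow_SiteConfig.pm the rule would skip or copy, and flags copied ones that deserve a manual look. It assumes the words are matched against the parameter name, with case sensitivity left as a switch because the guide does not specify it; the review hints and every parameter whose name starts with "Hypothetical" or "hypothetical" are constructed for illustration.

```python
import re

# Words named in the guide: parameters that include any of them are not copied.
EXCLUDED_WORDS = ("Email", "Password", "Address", "FAUser")
# ASSUMPTION (not from the guide): name fragments that often mark a secret.
REVIEW_HINTS = ("pwd", "pass", "secret", "key", "token", "cred")

# Start of Set($Name, ...), Set(@Name, ...) or Set(%Name, ...); commented lines do not match.
SET_RE = re.compile(r"^\s*Set\(\s*[$@%](\w+)\s*,")


def parameter_names(config_text):
    """Return the parameter names of all uncommented Set(...) lines, in file order."""
    names = []
    for line in config_text.splitlines():
        match = SET_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def classify(config_text, case_sensitive=True):
    """Split parameters into not_copied / copied, plus copied names to review."""
    words = EXCLUDED_WORDS if case_sensitive else [w.lower() for w in EXCLUDED_WORDS]
    result = {"not_copied": [], "copied": [], "review": []}
    for name in parameter_names(config_text):
        haystack = name if case_sensitive else name.lower()
        if any(word in haystack for word in words):
            result["not_copied"].append(name)
            continue
        result["copied"].append(name)
        if any(hint in name.lower() for hint in REVIEW_HINTS):
            result["review"].append(name)  # would travel in the customizations file
    return result


# Constructed sample; only the two ExternalCMS items appear in the guide.
SAMPLE_CONFIG = """\
Set($ExternalCMSEmail, 'remedy@my.organization.com');
Set(@ExternalCMSSenderEmails, qw(remedy@my.organization.com
    remedy-alias@my.organization.com));
Set($HypotheticalDateFormat, 'dd/mm/yyyy');
Set($HypotheticalBindPwd, 'example-only');
Set($HypotheticalApiKey, 'example-only');
Set($hypothetical_smtp_password, 'example-only');
# Set($HypotheticalOldPassword, 'commented out');
"""

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_CONFIG).items():
        print(bucket, names)
```

Run it against a copy of the original site's file before creating the customizations file, and move any flagged value out of the file or rename its parameter if it must not reach the target site.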

Translation Files
The utility copies all translation files located under /usr/share/fireflow/local/etc/site/po.

Upload Change Requests from File Scripts


The utility copies all scripts for uploading change requests from file, located under
/usr/share/fireflow/local/etc/site/bin.

Hook Files
The utility copies all hook files and related configuration files located under
/usr/share/fireflow/local/Hooks and /usr/share/fireflow/local/etc/site/Hooks.

Web Service Clients


The utility copies all Web service clients located under
/usr/share/fireflow/local/WebServiceClient/. It overwrites everything in this folder on the
target site.

Creating a Customizations File


In order to copy customizations from the original site to a target site, you must create a customizations file
using the following procedure.

To create a customizations file


1 On the original site, open a terminal and log in using the username "root" and the related password.
2 Enter the following command:
/usr/share/fireflow/local/sbin/copy_fireflow_customization.pl --run -d -f CustFile [-e]
For information on the command's flags, see the following table.
A customizations file is created containing the data described in Overview (on page 263), and saved to
the current directory.
Customizations Utility Flags
| Flag | Description |
| --- | --- |
| -f CustFile | The name under which to save the customizations file. The default value is user_customizations_yyyy-mm-dd-hhmmss.tar.gz, where yyyy-mm-dd-hhmmss is a timestamp. For example: user_customizations_2010-09-07-091318.tar.gz |
| -e | Do not include disabled groups and disabled custom fields in the customizations file. |

Loading a Customizations File to the Target Site


Once you have created a customizations file, you can load it to the target site.

To load a customizations file to the target site


1 On the target site, open a terminal and log in using the username "root" and the related password.
Important: The "root" user must have read permissions for the customizations file; otherwise, loading the
file will fail.
2 Enter the following command:
/usr/share/fireflow/local/sbin/copy_fireflow_customization.pl --run -l -f CustFile [-u] [-r]
For information on the command's flags, see the following table.
The fireflow_backup utility runs and backs up FireFlow to the directory
/var/fireflow/backup.
Apache Web service and FireFlow workers both stop.
The customizations file is loaded to the target site. Data is overwritten and/or added as described in
Overview (on page 263).
Apache Web service restarts.
FireFlow workers start automatically every 5 minutes, as configured in the server's cron.
3 Refresh the workflows, by doing the following:
a) Access VisualFlow.
See Accessing VisualFlow (on page 74).
b) In the VisualFlow main menu, click Workflow Installation.
The Workflow Installation page appears.
A confirmation message appears.
c) Click OK.
d) Click Refresh Workflows.
The workflows are loaded into FireFlow.
Customizations Utility Flags
| Flag | Description |
| --- | --- |
| -f CustFile | The name of the customizations file to load. Note: The file must be located in the current directory. |
| -u | Update existing elements on the target site with data from the customizations file. If this flag is not used, only new elements will be added. |
| -r | Remove database entities that do not appear in customizations file from the target site. The entities will be marked as disabled. |
