Change Browser
Overview
The Change Browser shows you, at a glance, the most recent revision changes in your network.
You can select a device to show the revisions for that device, or you can select a group of devices from the tree to show the recent revisions for all of the devices in the group.
The revisions are shown in a table that you can sort by column headers, including by device name, policy name, date the policy was changed on the device, or the date the policy was received by SecureTrack.
IPv6 is not supported for this TOS feature.
Revision Authorization
In the Change chart, you can quickly see that revisions are made as a result of requests in your ticketing system. If you manage your access requests in SecureChange, you can configure SecureTrack to monitor authorized revisions so that:
- When a policy is changed to allow traffic that was previously blocked by the policy, SecureTrack searches for SecureChange tickets that match the newly allowed traffic. If it finds matching tickets, the tickets are associated with the revision and listed in the Change chart.
- When a policy is changed to block traffic that was previously allowed by the policy, SecureTrack searches for SecureChange tickets that match the newly blocked traffic. If it finds matching tickets, the tickets are associated with the revision and listed in the Change chart.
  Traffic can be blocked by adding it to a drop rule or removing it from an allow rule.
- If all of the changed traffic is associated with tickets, the revision is marked Authorized. If not, the revision is marked Unauthorized.
- You can manually change the authorization status. A tooltip shows the name of the administrator that changed the authorization status and when the status was changed.
SecureTrack automatically associates a SecureChange ticket with the revision if:
- The ticket has an access request that at least partially matches the traffic changes in the revision
- The target of the access request is Any with Topology disabled, or the same as the device from which the revision was received
- The ticket is open (You can also configure authorization to include tickets that were closed within the last 3, 6, 9 or 12 months.)
- The ticket is authorized, meaning that it either:
  - Has at least one step with the Approve/Decline field and the final step with this field is Approved
  - Does not have any steps with the Approve/Decline field but the ticket has passed to the last step of the workflow
SecureTrack automatically marks each revision as one of the following:
- Authorized without tickets: There are no rule changes in the revision or there is a rule change that does not impact network traffic, such as a change to a rule comment.
- Authorized with tickets: All of the changed traffic matches at least one associated SecureChange ticket.
- Unauthorized with tickets: Tickets are associated with the revision, but not all of the changed traffic matches at least one associated SecureChange ticket.
- Unauthorized without tickets: No tickets are associated with the changed traffic in the revision.
- Pending: The revision has not completed. If this status does not change within a day, contact Tufin Support.
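The association criteria and status rules above can be modeled as a small decision function. This is an added illustration, not Tufin code: the `Ticket` fields, the representation of traffic as exact (source, destination, service) tuples, the "Approved" decision strings, the 30-day month, and the sample device and addresses are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Ticket:                      # hypothetical model of a SecureChange ticket
    flows: set                     # (source, destination, service) tuples requested
    target: str                    # device name, or "Any" (Topology disabled)
    decisions: list = field(default_factory=list)  # Approve/Decline results in step order
    at_last_step: bool = False     # ticket has passed to the last workflow step
    closed_on: Optional[date] = None               # None while the ticket is open

def is_authorized(t):
    # The final Approve/Decline step must be Approved; a workflow with no
    # such step counts only once the ticket has reached its last step.
    return t.decisions[-1] == "Approved" if t.decisions else t.at_last_step

def is_eligible(t, device, today, closed_months=0):
    if t.target not in ("Any", device):
        return False
    if t.closed_on is not None:
        # Closed tickets count only inside the optional 3/6/9/12-month window
        # (months approximated as 30 days here, an assumption).
        window = timedelta(days=30 * closed_months)
        if closed_months == 0 or today - t.closed_on > window:
            return False
    return is_authorized(t)

def classify(changed, device, tickets, today, closed_months=0, completed=True):
    if not completed:
        return "Pending"
    if not changed:                # no rule change that impacts traffic
        return "Authorized without tickets"
    associated = [t for t in tickets
                  if is_eligible(t, device, today, closed_months)
                  and t.flows & changed]           # at least a partial match
    if not associated:
        return "Unauthorized without tickets"
    covered = set().union(*(t.flows for t in associated))
    return "Authorized with tickets" if changed <= covered else "Unauthorized with tickets"

# Constructed sample data: two flows changed on a device named fw-edge-01.
WEB = ("10.1.0.0/24", "10.2.0.5", "tcp/443")
DB = ("10.1.0.0/24", "10.2.0.9", "tcp/5432")
def demo():
    web_ticket = Ticket({WEB}, "fw-edge-01", ["Approved"])
    today = date(2024, 6, 1)
    return (classify({WEB}, "fw-edge-01", [web_ticket], today),
            classify({WEB, DB}, "fw-edge-01", [web_ticket], today))
```

In the second `demo()` case the ticket still associates with the revision because it partially matches, but the uncovered database flow leaves the revision Unauthorized with tickets.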
Limitation
When a rule in a revision includes NAT objects, it might not be authorized automatically, even though the policy change was requested and generated from a SecureChange ticket. The presence of NAT objects prevents the revision ticket mapping from recognizing the change.
Change the Authorization Status for a Revision
This procedure can only be performed by a Multi-Domain Administrator or by a Super Administrator.
- In the Change chart, hover over the revision.
- In the Authorized column, click on the Edit icon.
- Select Authorized or Unauthorized.
- Click Confirm.
The revision is marked with the new Authorization status with a Configured icon and a tooltip that shows who changed the authorization last and when it was changed.
How Do I Get Here?
In SecureTrack, go to Browser > Changes.