Access Requests

Overview

You can change rules defined on your network devices' security policies by opening a SecureChange access request ticket. In each ticket you request to open or close traffic between your desired source and destination. You can also open tickets to document changes that were already made. Access Requests can be basic, with changes to hosts, subnets, or ranges over services and ports, or advanced, with changes to NAT addresses, LDAP groups, network and service objects / groups imported from the devices, or the internet object.

A service/application identity is used to connect sources and destinations, such as Facebook Apps (NG applications/application aware). See Tufin Predefined Application Identities for a full list.

You can perform the following actions via access request:

  • Accept: Request to allow the specified traffic connectivity in the security policies deployed on the network.

  • Remove: Request to decommission the specified traffic from the security policies deployed on the network.

  • Drop: The Drop action is only used for documenting changes manually made to the device.

For access requests that are initiated from SecureApp, see Requests from SecureApp.

Using Topology Intelligence

Topology mode provides recommendations based on topology intelligence. You can activate or deactivate topology mode for each access request.

If your request is created based on a workflow that has topology disabled, topology is disabled for all access requests. See Configuring Workflow Properties.
You cannot use topology for access requests that include: ANY, class A network, non-continuous mask, IPv6.

    • When topology is enabled, SecureChange finds the devices and subpolicies that are relevant to the access request and lets the Designer suggest firewall changes with the correct IP addresses.
      For NAT environments, NAT translations will be accounted for in the calculations.

      Activating topology allows you to utilize TOS Aurora's suite of automatic tools, such as Risk Analysis, Designer or Verifier to help you implement the changes listed in a request.

    • - When topology is disabled (non topology mode), you must manually choose the devices and subpolicies that are relevant to the access request and specify the correct IP addresses. Designer will calculate the rule changes required on the policies you selected. We recommend using non topology mode when the topology map is not yet fully constructed. Using access requests in topology mode with an incomplete topology may give incorrect results.

      For NAT environments, NAT translations will be accounted for in the calculations. You may need to create one access request with an IP address before NAT and another access request with an IP address after NAT. The topology setting can be changed in any step but access request details that are not supported for topology are lost when you change the setting.

Creating a Change Request

  1. If you want use to use topology intelligence, make sure topology mode is active. See Using Topology Mode.

  2. To add a new AR to the ticket, click on Settings > Add New Access Request.

    A new line appears in the ticket draft.

    The maximum number of ARs per ticket is 300.
  3. Click Submit.

    The request appears in My Requests list.

    When you create a new request, TOS assigns it an ID number. Note that ID numbers are not always sequential.