Using Designer
This KC page is intended for SecureChange handlers who are responsible for processing change requests.
Overview
Designer is part of SecureChange workflows. When you process a ticket in SecureChange, and the workflow step includes Designer, you can use it to automatically calculate the policy changes needed to implement the request. For background, see Creating a Custom Workflow and Processing a Ticket.
Designer recommends changes needed to process tickets. Depending on the device and workflow, results may appear inline or in a separate Designer view. If supported, you can use Update to apply those changes automatically, and then use Verifier to confirm that the changes were successfully applied.
Designer Behavior by Workflow
Designer makes recommendations based on the workflow type:
- Access Request Workflow: Recommends objects, rules, and other changes to implement the request. If the request does not use topology, Designer only runs when a target is defined (not Any). When using the internet object, Designer substitutes it with a vendor-specific internet object (e.g., ANY or a configured SecureTrack object). When application identities are used, Designer considers the associated service and SecureApp group configuration.
- Decommission Network Object Workflow: Suggests how to remove a server from rules or groups. Designer may recommend deleting a rule if it becomes irrelevant.
- Server Clone Workflow: Lists the rules and groups referencing the original server and suggests adding the cloned server.
- Modify Group: Suggests which objects to add or remove from the group, or whether to create a new group.
- Rule Modification: Recommends changes to the rule base, such as updating the source, destination, or service.
- Rule Decommission Workflow: Suggests how to safely remove an unneeded rule from the policy.
Device Experience and UI Types
Designer results appear in one of two ways, depending on the device type:
- OPM devices open in the new Designer UI (Designer Detailed Results page). Supported OPM devices include:
  - Azure Firewall
  - Azure NSG
  - Arista EOS
  - Cisco Meraki
  - Zscaler ZIA
  - HP Aruba CX-10K
  - Huawei Firewall
  - Versa
- All other devices open in the inline Designer view on the ticket page.
The sections below describe each interface in more detail.
Inline Designer View (Standard UI)
Designer results appear directly in the ticket page once you click Designer. All recommendations are grouped by vendor, device, and policy in the same interface.
You can:
- View results directly in the ticket view
- Set rule placement (as last rule or before a specific rule ID)
- Add or modify service groups in rules (only on supported devices)
- Add rule tags (only on supported devices)
- Use View Rule and View Policy to inspect existing rules and related policies (if available)
- Review and modify fields such as object names, rule names, rule location, logging, or comments (available fields vary by device)
- Click View AR and related rules to see the rules related to the access request
Designer Detailed Results Page (New UI)
Designer results open in a separate view after you click Designer results. All recommendations are grouped by device policy and access request.
The new Designer UI is available only on supported devices. For details, see SecureChange Features by Vendor.
Using Designer
- Go to Tickets. Search using the search bar (creates a new search) or select from saved searches.
- Select a ticket from the list.
- Click Designer.
  - If Designer is disabled, the ticket may be missing required fields or unsupported for that step.
  - If Designer runs but returns no suggestions, a yellow status label !DSR appears. If device update fails, a red XDSR appears with the message Device update failed. These indicators help identify when a ticket needs manual review.
- Review results grouped by vendor > device > policy. The results depend on the Advanced Rule Customization setting:
  - Optimize policy: Designer may suggest modifying existing rules or groups.
  - Create new policy rule for each access request: Designer creates a new rule for each request.
  Changing this setting resets all Designer and Verifier results.
- Continue based on the Designer view:
  - Inline designer view (standard UI): Edit object names, rule names, rule location, or logging. Use View Rule, View Policy, or View AR and related rules as needed.
  - Designer detailed results page (new UI): Click Designer Results to open the page. Review suggestions grouped by device and access request.
- To apply Designer's suggestions or confirm that changes were implemented, see Updating and Committing Policy Changes and Verifying Access Requests.
Device Support and API
To see which devices support Designer or provisioning, see SecureChange Features by Vendor.
To explore available Designer APIs, go to the SecureChange REST API documentation and click Tickets.
If a device does not support provisioning, you must apply Designer's suggestions manually.
Managing Revisions and Conflicting Tickets
Designer’s suggestions are always based on the current revision of the device policy. Suggestions may become outdated when a new revision is received on the device, or when another ticket with Designer results is updated automatically using Update Device in SecureChange.
To reduce cases where suggestions are marked as outdated, SecureChange compares Designer results across tickets on the same device. If a ticket is updated automatically and no conflicts are found with other tickets, those other tickets are not marked as outdated when the new revision arrives on the device.
SecureChange checks Designer results every time you open an existing suggestion or run Update. If the revision is outdated or a conflict is detected, a warning message appears. You can then choose:
- Update devices: Apply the original suggestions even if they are based on an older revision.
- Redesign: Rerun Designer to calculate new suggestions for devices with detected dependencies, while keeping existing Designer results for unaffected devices.
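As an added illustration of the revision and conflict check described above (example code, not SecureChange's own implementation): a ticket's Designer results stay valid across a revision created by another ticket's automatic update unless the two tickets touch the same rules, while a revision received from the device itself marks them outdated. The DesignerResult and Revision shapes and the rule-overlap definition of a conflict are assumptions made for the example.

```python
# Illustrative model of the Designer revision / conflict check; not SecureChange code.
# Assumptions: a Designer result records the device revision it was calculated on and
# the rule ids it touches; two results conflict when they touch a common rule.
from dataclasses import dataclass
from typing import Optional, Dict, List


@dataclass(frozen=True)
class DesignerResult:
    ticket: str
    device: str
    base_revision: int      # device revision the suggestions were calculated on
    rules: frozenset        # ids of rules the suggestions add or modify


@dataclass(frozen=True)
class Revision:
    number: int
    source: Optional[DesignerResult]   # None = change not made through SecureChange


def conflicts(a: DesignerResult, b: DesignerResult) -> bool:
    """Two results conflict when they target the same device and touch a common rule."""
    return a.device == b.device and bool(a.rules & b.rules)


def designer_status(result: DesignerResult, revisions: Dict[str, List[Revision]]) -> str:
    """Status evaluated when a suggestion is opened or Update is run:
    'ok'       - no newer revision affects this ticket
    'conflict' - a newer revision came from a conflicting ticket's Update Device
    'outdated' - a newer revision arrived from outside SecureChange"""
    for rev in sorted(revisions.get(result.device, []), key=lambda r: r.number):
        if rev.number <= result.base_revision:
            continue
        if rev.source is None:
            return "outdated"
        if conflicts(result, rev.source):
            return "conflict"
    return "ok"


def update_device(result: DesignerResult, revisions: Dict[str, List[Revision]]) -> int:
    """Simulate Update Device: the device receives a new revision attributed to the ticket."""
    devrevs = revisions.setdefault(result.device, [])
    latest = max((r.number for r in devrevs), default=result.base_revision)
    devrevs.append(Revision(latest + 1, result))
    return latest + 1


def demo():
    # Constructed sample: three tickets designed on revision 10 of the same device.
    t1 = DesignerResult("T1", "fw1", 10, frozenset({5}))
    t2 = DesignerResult("T2", "fw1", 10, frozenset({7}))
    t3 = DesignerResult("T3", "fw1", 10, frozenset({5, 9}))
    revisions = {"fw1": [Revision(10, None)]}
    update_device(t1, revisions)                    # T1 applied automatically -> revision 11
    after_update = {t.ticket: designer_status(t, revisions) for t in (t2, t3)}
    revisions["fw1"].append(Revision(12, None))     # change received from the device itself
    after_external = {t.ticket: designer_status(t, revisions) for t in (t2, t3)}
    return after_update, after_external
```

Running demo() shows T2 untouched by T1's update (it shares no rule) but T3 flagged as a conflict, and both affected once an external revision arrives.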
Behavior in Auto-Step
In Auto-Step, Designer does not mark new revisions or fail the automatic update process, so that updates can run with zero-touch automation. However, if a conflict is found against another ticket that was updated, the step will fail. The default handler for that step then sees a notification when opening Designer results.
Supported Devices
Conflict checks are supported for:
- Check Point CMA/SMC
- Cisco ASA/IOS
- Cisco Firewall Management Center (FMC)
- Fortinet FortiManager
- Juniper SRX
- Palo Alto Panorama
- VMware NSX
When multiple handlers edit the same device in dynamic assignment, the conflict check is not supported.
Troubleshoot Designer Issues
You can use the Designer Debug tool to help the Tufin development team investigate and resolve issues related to Designer and Verifier behavior in access requests. This tool gathers backend data and logs relevant to ticket handling and suggestion generation.
For details, see your internal support procedures or contact Tufin Support.
Remove Access Requests
Designer can also handle access requests that remove network access (decommission requests). For example, access may be removed if it is no longer required or when a ticket expires.
When a ticket includes both add and remove requests, each request is listed separately in Designer:
- Access requests to add access are shown in green
- Access requests to remove access are shown in orange
Designer suggests whether to remove or modify rules, or to update network groups, depending on the request.
Special Cases Handled by the Manage Related Rules Feature
Designer may skip certain rules by default, depending on the request and environment. These rules are marked as Ignored in the Manage Related Rules window.
Designer ignores the following scenarios by default when the Access Request action is Remove:
- The access path includes NAT
- The access request overlaps with another SecureApp connection
- The destination includes a URL category (not relevant for Palo Alto devices)
To include these rules in Designer suggestions:
- Click Manage Related Rules.
- Clear the Ignore checkbox next to the rule.
- Click OK.
- Click Redesign to recalculate suggestions.
This lets you override the default exclusions and ensure all relevant rules are considered.
Example Workflow: Access Request
The steps below show how Designer helps you review and apply changes for an access request ticket.
- Open or create an access request and click Designer. If there is no Designer button, check whether Designer was enabled in this step of the workflow configuration.
- If your access request contains an AWS instance, select Security Groups for the VPC.
- Review the Designer recommendations, organized by vendor > device > policy > access request. If a later access request requires the same changes as an earlier one, Designer notes that no duplicate changes will be implemented.
- Designer assigns names to new servers, services, or rules using these guidelines:
  - Creates names in the format host_<ip> or subnet_<ip>
  - If the request came from SecureApp, Designer uses the SecureApp name
  - If an "i" icon appears next to the recommendation, Designer has modified the name assigned in SecureApp to meet the vendor's requirements. For example, if you created a new connection with the name "Connection 1", Designer changes it to "Connection1" if spaces are not allowed. Click the icon to view the original name.
- In the recommendations, you can edit the following values (unless a new revision was received from the device):
  - Object names
  - Rule names
  - Rule location (before/after a specific rule, or as the last rule)
  - Logging levels
  For supported vendors, you can also edit comments or rule names; see SecureChange Features by Vendor.
- For NSX devices, when adding new rules, if the access request has a Security Group as a Source or Destination, Designer provides more specific suggestions based on the relevant security groups instead of using DFW. Click the Applied to field to select the relevant security groups.
- For Decommission Access Requests, if related rules exist, click Manage Related Rules to review them and adjust the Ignore setting if needed, then Redesign.
- Click View rule to preview the firewall rule. Use Customize rule to choose alternate objects if multiple match the access request. Example: if the access request specifies IP 1.1.1.1 and multiple objects with that IP exist, you can select the specific object to use in the Designer results.
- Click the save icon to save the change or the cancel icon to cancel the change that you entered.
- If you have permissions, to implement the changes:
  - Check Point:
    - Click Update Policy or, to update all policies at one time, click Update All Policies. The updated policies are saved in CMA/SmartCenter. The Update Policy option, which lets Designer apply changes directly to Check Point policies, is available only when SecureTrack is configured to use an OPSEC object that has Read/Write permissions.
    - Use Check Point SmartDashboard to install the policies.
  - Cisco ASA, Cisco IOS, and Juniper SRX:
  - Juniper NetScreen:
    - Click Commands > Copy Commands.
    - Paste the commands into the device's CLI.
  - Palo Alto/Panorama:
- Click Close to return to the ticket. If you click Close and save the progress on the task, the Designer results are saved. You can click the icon next to the access request to see the results, and other handlers can click the icon in this step to see the results.
- Once you have implemented the changes recommended by Designer, you can run Verifier to confirm that the changes were implemented; see Verifying Access Requests.
How Do I Get Here?
SecureChange > Tickets > Search for or open a ticket > Designer