Automated Change Design

Overview

Automate the design of security policy changes with intelligent recommendations that account for existing rules and objects, reusing or modifying them as needed.

As your infrastructure evolves, you must update and adapt your security policies to support new access requirements. These changes may involve opening or closing traffic between specific sources and destinations, updating existing rules, or documenting changes that were already implemented. SecureChange automates this challenge through access requests and workflows that standardize how security policy changes are requested, reviewed, and implemented.

Designer is integrated into the SecureChange workflow and access lifecycle to automate the design phase of these changes. Designer provides intelligent recommendations that account for existing rules and objects, reusing or modifying them as needed.

  • Automatically calculates the policy changes required on the relevant network devices

  • Analyzes existing rules and objects, and determines whether they can be reused or must be modified

  • Generates consistent, implementation-ready rule designs

Automated Change Design guides you through using Designer to automate security policy change design.

Designer’s capabilities vary depending on whether the platform supports read/write access, API integration, or vendor-specific features. For more information, see SecureChange features by vendor.

To apply the policy changes recommended by Designer to your devices, see Automated Change Provisioning.

Why this matters
  • Reduces manual effort when designing security policy changes, reducing errors and increasing productivity

  • Improves consistency and accuracy of rule design across devices and platforms

  • Ensures governance through standardized design logic

Who this is for
  • Network engineers responsible for configuring Designer-related steps in workflows, and reviewing generated rule designs

  • Change Managers monitoring workflows for consistency, compliance, and approvals

  • Security analysts validating that generated rules align with policy requirements

  • Operational specialists driving workflow adoption and standardization across teams

Key capabilities

Automated Change Design leverages key features in SecureChange to automate design changes in security policies:

  • Access Request Workflow to define the connectivity required for the Access Request

  • Designer to recommend the changes to objects and rules needed to implement the Access Request

Prerequisites

Step 1: Explore Designer

Before using Designer, understand how Designer can automate rule creation and modification within workflows.

Designer supports three modes to suit different levels of automation and control:

  • Design Only: This mode creates the proposed rule design without updating the actual firewall configuration. Ideal for review and approval workflows.

  • Update: This mode applies the recommended policy changes to the device, either to a single device or to the management device.

  • Commit: For management devices, this mode pushes the current set of policies to the child firewalls they manage.

See Using Designer.

Step 2: Configure Designer

Configure Designer to fine-tune the generated rule. You can either configure Designer options as part of the workflow defaults, or configure them manually during the design phase.

The options include:

  • Editing basic fields such as Source, Destination, Service/App-ID, Rule Name and Comments.

  • Advanced design options such as enabling logging for the rule, optimizing the rule's position in the rulebase, viewing the current policy, and other options based on the specific device type.

See:

Configuring workflow properties

Configuring Security Profile Groups

Configuring log forwarding profiles

Set default log level for Cisco ASA in Designer (if needed)

Step 3: Set Designer step mode

Within the workflow, you can configure the operation mode for the Designer step. The mode you select must be aligned with the organization's level of trust in automation and policy governance.

  • Manual step: The implementer manually reviews and updates the proposed rule design.

  • Auto step: SecureChange executes the Designer logic automatically with no manual intervention.

See Configuring step properties.

What's next

Automated Change Provisioning