Linking to Ticketing Systems

Overview

TOS Aurora can associate a change request ticket with a rule. This facilitates keeping track of what changes were made, by whom, and whether those changes were authorized.

A ticket is a change request, or other rule-related activity, that is tracked in a ticketing system such as SecureChange, BMC Remedy AR System, HP Service Center, or CA Service Desk Manager.

You can see the link between your revisions and the tickets in your ticketing system with either:

Revision Authorization Based on SecureChange Tickets

Every time SecureTrack pulls a revision from one of its monitored devices, it will seek to determine if the change is authorized. SecureTrack authorizes revisions based on whether the change was requested by a SecureChange ticket. This check is an automatic stage in SecureTrack’s revision retrieval process.

SecureTrack automatically associates a SecureChange ticket with the revision if:

  • The ticket has an access request that at least partially matches the traffic changes in the revision.
  • The target of the access request is Any with Topology disabled, or the same as the device from which the revision was received.
  • The ticket is open. (You can also configure authorization to include tickets that were closed within the last 3, 6, 9 or 12 months.)
  • The ticket is approved. Either:
    • It has at least one step with the Approve/Decline field and the final step with this field is Approved.
    • It does not have any steps with the Approve/Decline field but the ticket has passed to the last step of the workflow.

You can see which revisions have been authorized in SecureTrack: Browser>Changes.

SecureTrack automatically marks each revision as:

  • Authorized without tickets: There are no rule changes in the revision or there is a rule change that does not impact network traffic, such as a change to a rule comment.
  • Authorized with tickets: All the changed traffic matches at least one associated SecureChange ticket.
  • Unauthorized with tickets: Tickets are associated with the revision, but not all the changed traffic matches at least one associated SecureChange ticket.
  • Unauthorized without tickets : No tickets are associated with the changed traffic in the revision.

Display ID From an External Ticketing System

If you are using an external ticketing system, you can map individual tickets to the revisions that they authorized. Mapping allows you to track who authorized a change that was made to a device. This is especially helpful when you are preparing for an audit. When a ticket ID is included in the rules or objects in security policies monitored by SecureTrack, SecureTrack recognizes it in all policy views, including report results. SecureTrack shows the ticket ID as a hyperlink according to the ticket ID pattern configured in this page. When there is a revision that includes a new ticket ID, SecureTrack also adds a hyperlink for the new ticket ID.

Mapping works by linking each device rule with the ticket that authorized it. You can view the list of device rules in the Rule Viewer. For each rule, you can click on the ticket icon to see the linked ticket.

SecureTrack looks for the ticket ID in these fields:

Vendor

Ticket Field

Check Point

comment

Cisco

access rule description

Fortinet

security policy comment

Juniper

JunOS SRX, J-series

JunOS M, MX

Netscreen

 

security policy name

firewall term name

security policy name

Palo Alto

security policy rule name, security policy rule description

Display Ticket ID in a Revision

  1. Check the box Automatically Link Revisions to SecureChange Tickets.

  2. Choose between:

    • Authorize and link revisions to open SecureChange tickets

    • Authorize and link revisions to either open SecureChange tickets or to tickets that were closed within 3 months: This option links revisions to open SecureTrack tickets as well as tickets that were closed in the last 3 months. You adjust the time frame to display tickets that were closed in the past 3, 6, 9 or 12 months. Note that increasing the time frame also increases your risk of performance issues due to system overload.

  3. Click Save.

    All future SecureTrack tickets will be automatically linked to the relevant Secure change ticket.

  1. Configure the fields:
    • Ticket ID Pattern (regular expression): You can enter case-sensitive regular expressions to match your ticket ID. For a complete reference on the syntax of supported regular expressions, please visit this page.
    • Convert to Standard Form: Select this to normalize ticket IDs and change them from one format to another. This is achieved by configuring an additional regular expression which will match part of the ticket ID, and creating a modified form of the ticket ID using a "C/C++" printf-like expression.
    • Link Ticket IDs to Ticketing System: Enter a URL pattern that can be used to view a specific ticket's details. Ticket IDs in rule Name and Comment fields will appear as URLs in displayed revisions. This setting is relevant only if the ticketing system has a web interface which can be accessed through a known URL.

    4. Click Save.

Ticket pattern matching occurs only when new revisions are received. If a change is made in the pattern above, the ticket ID associated with existing rules will change when the next revision is received. Additionally, the affected rules' Last Modified Date will be updated.

Examples

Example 1: Ticket ID with a hyperlink to the Ticketing System

My company's ticket ID format is "CR" followed by several digits. The URL to my Ticketing System for viewing a specific ticket is: https://1.2.3.4/remedy/<ticket ID>

The following configuration should be used in this case:

  • Ticket ID Pattern: CR[0-9]+
  • Convert to Standard Form: leave all values empty
  • Link Ticket IDs to Ticketing System: http://1.2.3.4/remedy/
Example 2: Multiple Ticket ID patterns with a hyperlink to the Ticketing System

My company's ticket ID formats are "CR or CHG followed by several digits". The URL to my Ticketing System for viewing a specific ticket is: https://1.2.3.4/remedy/ticket=<ticket ID digits without leading characters>

The following configuration should be used in this case:

  • Ticket ID Pattern: (CR|CHG)+[0-9]+

  • Convert to Standard Form:

    • Get the part that matches: [0-9]+

    • And print it to: %s

  • Link Ticket IDs to Ticketing System: http://1.2.3.4/remedy/ticket=

How Do I Get Here?

In SecureTrack, go to Admin > Ticketing.