Creating a Custom Workflow

Workflow Owner: This topic is intended for SecureChange workflow owners, who are responsible for creating and maintaining workflows.

Overview

A workflow is a defined process for a request. When you first create an empty workflow, it has a single step called Open Request, which does not contain any fields. This gives you the flexibility to create as many steps as you need and to add required fields to each step. Each step includes a task that a user must do before the request moves to the next step.

These custom workflows require a SecureChange license. Users with SecureChange Basic can only create workflows from a pre-defined template.

The list of available fields is based on the type of workflow that you are creating. All workflows have access to Generic Fields, and most workflows have a workflow-specific field. The following workflow types are available:

| Workflow Type | Typical Use | Workflow-Specific Fields |
| --- | --- | --- |
| Access Request | Design changes to firewall policies. Typically, this workflow would require a user to enter details of the target, source, and destination of the access request. The workflow could also require the user to enter a business justification or other information required to approve the request. | Access Request Field |
| Access Request & Modify Group | A single workflow that users can use to request access or modify groups. This allows you to create a single workflow with these two commonly used capabilities available. The access request and modify group request must be in separate steps. | Access Request Field |
| Clone Network Object Policy | Clone server policies, objects, and all the existing connections of the original server to one or more servers. For example, this workflow is useful if you are decommissioning a server and need to clone its settings to a new server. | Clone network object policy Field |
| Generic | Workflows that do not have to be connected to your network configuration; for example, you could create a generic workflow to monitor support tickets. | Generic Fields |
| Modify Group | Design a group object change and apply the change to a policy. Users can select a group of network objects from a device and select objects to add to or remove from the group, or create new groups. The template could include the ability to add multiple Modify Group fields in a ticket in order to change multiple groups in the same ticket. If the selected group is from a supported device, you can also implement the changes directly to the policy. For tickets related to a Modify Group workflow, Tufin recommends that the number of groups in one ticket does not exceed 20 groups. | Modify Group Field |
| Rule Decommission | Decommission a rule that is no longer needed, for example a rule that is shadowed by a different rule. | Rule Decommission Field |
| Rule Modification | Update objects in the Source, Destination, or Service fields of a firewall rule for quick remediation. | Rule Modification Field |
| Rule Recertification | Document and verify the need for a rule. | Rule Recertification Field |
| Decommission Network Object | Remove specified servers or other network objects from all firewall rules. | Decommission network object Field |

What Can I Do Here?

Create a New Empty Workflow

  1. In SecureChange > Workflows, click New Workflow. The Workflow Properties dialog appears.

  2. Enter a name and description for the workflow. The name and description will be displayed in the list of workflows.

  3. Select a workflow Type. The type ensures that when you add fields to the workflow, only relevant fields will be available.

  4. Click OK. The workflow page appears.

  5. Set the workflow properties. See Configuring Workflow Properties.

  6. Design your workflow. See Configuring Workflow Steps.