On this page
Designer
|
This KC page is intended for SecureChange handlers who are responsible for processing change requests. |
Overview
Designer is a SecureChange tool that analyzes a change request and generates suggestions and instructions for implementing the required policy changes. Designer behavior depends on workflow configuration, device capabilities, and automation settings.
Designer runs as part of a SecureChange workflow and must be enabled in the relevant step.
Key ideas
Designer evaluates the request against current device policies and generates results that you can review and provision.
Designer behavior depends on the workflow type. For details about workflow types and their behavior, see About Workflows.
Designer output is structured as follows:
- Suggestions describe the overall design needed to implement the request.
- Instructions are the specific actions required, such as creating or modifying rules or objects.
- You can customize suggestions and instructions, depending on the device and Designer type.
Designer can be used with two interfaces:
- Inline Designer, where results appear directly in the ticket
- OPM Designer, where results open in a separate detailed results page
The interface depends on the target device.
Using designer
You use Designer while processing a ticket.
-
Go to Tickets.
-
Open a ticket.
-
Click Designer.
When you run Designer, the ticket shows a status indicator that reflects the result:
-
If Designer is disabled, it might not be enabled in the workflow step or required fields might be missing.
-
!DSR indicates that Designer ran successfully but did not generate any suggestions.
-
XDSR indicates that Designer ran but an automatic update failed and the ticket requires manual review.
-
-
Review Designer suggestions, grouped by vendor, device, and policy.
Designer behavior depends on the rule optimization setting configured in the workflow properties.
-
Continue based on the Designer interface:
- Inline Designer: Results appear directly in the ticket.
- OPM Designer: Click Designer results to open the detailed results page.
Customization behavior
Designer allows you to customize suggested values before provisioning.
Customization lets you adjust how the recommended changes are applied, based on the device and policy context.
Depending on device support, you can customize items such as rule placement, object selection, rule names, logging settings, or comments.
Available customization options are shown directly in the Designer results.
Workflow configuration and prerequisites
Workflow owners configure Designer availability when creating or editing workflows.
To use Designer:
- The workflow must allow Designer in the relevant step.
- Permissions must be granted for the specific actions allowed in that step, such as design, update, or commit.
These permissions are controlled at the field level. In the workflow step configuration, the access request field must have the Designer tool option enabled under Show. The selected option determines whether users can run Designer and which actions are allowed, such as design, update, or commit, depending on user permissions and device support. If the Designer tool is not enabled for the field, the Designer option does not appear in the ticket.
- Rule optimization options are configured in workflow properties.
Workflow owners manage this configuration. For details, see:
Rule optimization behavior
Designer supports two rule optimization modes:
-
Optimize policy for reuse (default) Designer attempts to reuse or modify existing rules to keep the policy concise.
-
Create new policy rule for each access request Designer creates a new rule for every request, even if an existing rule could be reused.
These options are configured in the workflow properties, under Designer and Verifier options, and must be enabled before they can be selected per access request, depending on permissions.
Managing revisions and conflicts
Designer results are generated based on a specific policy revision. New revisions can affect previously generated suggestions.
Designer handles revisions as follows:
- If a true conflict is detected, such as an object name collision, Designer requires redesign.
- Conflict detection is automatic and applies only to supported devices.
Supported devices for conflict checks include:
- Check Point CMA/SMC
- Cisco ASA/IOS
- Cisco Firewall Management Center (FMC)
- Fortinet FortiManager
- Juniper SRX
- Palo Alto Panorama
- VMware NSX
When multiple handlers edit the same device using dynamic assignment, conflict checks are not supported.
Behavior in auto-steps
In automated workflow steps:
- Designer runs without user interaction.
- New revisions are ignored unless a conflict is detected.
- If a conflict is found, the auto-step fails and the ticket requires manual handling.
Device support and APIs
- Device support and provisioning capabilities are listed in SecureChange Features by Vendor.
- Designer APIs are available for retrieving and customizing Designer results.
- API behavior differs between Inline and OPM Designer implementations.
For API details, see the SecureChange REST API documentation.
Troubleshooting designer
If Designer does not run, returns unexpected results, or fails during automation, you can use the Designer Debug tool to collect diagnostic data for investigation.
Related topics
Was this helpful?
Thank you!
We’d love your feedback
We really appreciate your feedback
Send this page to a colleague