Decommissioning Network Objects

SecureChange Requester: This topic is intended for SecureChange requesters, who are responsible for creating change requests in SecureChange.

Use a workflow that includes a Decommission Network Object field to remove specified servers or other network objects from all firewall rules.

What Can I Do Here?

The actions available in a Decommissioning Network Objects step depend on how the workflow was set up, but typically you can do any of the following:

Enter Decommission Network Object Request

The Decommission Network Object field can be in the first or any other step in the workflow so that a requester or handler can select the server to decommission:

  1. Click in the server field.

    If you are in Multi-Domain Integrated mode, you can also select the domain that the servers are in. The default is to find the specified server in any domain.

  2. Enter the name of a server, a subnet, or a range of addresses, or enter a list of servers separated by commas or copied from Microsoft Excel.

    Addresses with non-continuous network masks are not supported.

    You can enter a server as a server name from a monitored firewall, a DNS name, or an IP address.

    To reduce the chance of performance issues, we recommend including up to five elements (server, subnet, range, list of servers) in a single ticket.

  3. Click OK.

    When you click OK, the DNS and IP address values are checked for validity.

  4. Click in the comment field and enter a comment.

  5. Click outside the field to save the comment.
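A pre-submission check for the list entered in step 2, written as an added example that is not part of the SecureChange product or its documentation: it classifies each element and flags malformed addresses and non-continuous network masks before the ticket is opened. The separators, the `first-last` range syntax, the `address/mask` subnet syntax and the DNS-style name pattern are assumptions; the validity check SecureChange runs when you click OK remains authoritative.

```python
import ipaddress
import re

# Assumption: names follow DNS label rules; firewall object names may differ.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(LABEL + r"(?:\." + LABEL + r")*")

def _as_ip(text):
    """Return an ip_address object, or None if text is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def classify(element):
    """Return (kind, normalized value) or raise ValueError with the reason."""
    text = element.strip()
    if "/" in text:
        # ip_network() raises for masks whose one-bits are not contiguous,
        # e.g. 255.0.255.0, which the page lists as unsupported.
        return "subnet", str(ipaddress.ip_network(text, strict=False))
    first, sep, last = text.partition("-")
    lo, hi = _as_ip(first), _as_ip(last)
    if sep and lo is not None and hi is not None:  # assumed syntax: first-last
        if lo.version != hi.version or lo > hi:
            raise ValueError("range is reversed or mixes IP versions")
        return "range", f"{lo}-{hi}"
    ip = _as_ip(text)
    if ip is not None:
        return "ip", str(ip)
    if re.fullmatch(r"[0-9.]+", text):  # digits and dots only: a mistyped IP
        raise ValueError("malformed IP address")
    if len(text) <= 253 and HOSTNAME.fullmatch(text):
        return "name", text
    raise ValueError("not an IP address, subnet, range or DNS-style name")

def check_request(raw):
    """Split pasted text on commas, tabs, newlines; return (accepted, rejected)."""
    accepted, rejected = [], []
    for element in filter(None, (e.strip() for e in re.split(r"[,\t\r\n]+", raw))):
        try:
            accepted.append(classify(element))
        except ValueError as exc:
            rejected.append((element, str(exc)))
    return accepted, rejected

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = ("web-01.example.com, 192.0.2.10, 198.51.100.0/255.255.255.0,\n"
          "203.0.113.5-203.0.113.20\t198.51.100.0/255.0.255.0, 192.0.2.999")

if __name__ == "__main__":
    ok, bad = check_request(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```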

Investigate Decommission Impact

The Impact Analysis tool shows where the servers are used in firewall rules across all firewalls.

  1. Click Impact Analysis.

  2. Review the firewall rules where the servers are used, including the relevant domains when you are in Multi-Domain mode.

Use Designer

The handler can use the Designer to see how to change the firewall rules in order to decommission the servers:

  1. Click Designer.

  2. Review the designer instructions.

    The instructions can include:

    • Remove a rule

    • Remove a server from the source or destination of a rule

    • Remove a group from a rule

    Review the original Decommission Network Object request below the list of instructions.

  3. Manually follow the instructions provided by the Designer.

    For devices where Provisioning is supported, Designer can implement these changes.

Verify Decommission Changes

The handler can verify that the servers were removed from the firewall rules:

  1. Click Verifier.

  2. Review any rules that the servers are still used in.

How Do I Get Here?

SecureChange > Tickets > Click a Decommission ticket.