Using the Rule Modification Field

Overview

The rule modification field lets you receive rules from the SecureTrack Rule Viewer and manage the process of adding or removing devices or services in the Source, Destination, or Service fields within the selected rules. Note that you can only submit rule modification tickets using the Rule Viewer or API.

Modify Objects in Source, Destination, or Service Fields

If the ticket includes more than one rule, select and expand a rule to modify it.

Click the Action button for the Source, Destination, or Service field and select one of the following: 

Create New Object

  1. In the Create New Object dialog, for Source or Destination fields, enter:

    • Type: Host, Network, or Address Range

    • Name

    • IP address

    • An optional comment.

      For details of valid characters, see Input Validation.

  2. For the Service field, enter:

    • Protocol: TCP, UDP or ICMP

    • Name

      For details of valid characters, see Input Validation.

    • Port

    • (Optional) comment

      For details of valid characters, see Input Validation.

  3. Click OK.

    The new object is added to the list of objects for the rule with a link to view its properties.

  4. Click the link to view or modify the properties of the new object.

    You can edit the object name, IP, or comment.

Select Existing Object

The selected object can be added or cleared from the Source, Destination, or Service fields.

In the Select Network/Service Object dialog, you can filter the list by Type, Name, or Device.

For Source or Destination objects, the Type includes: Any Type, Host, Network, Address Range, and Group. For Service objects, the Type includes: Any Type, TCP, UDP, ICMP and SCTP.

Existing objects that are present in the rule are displayed at the top of the list, including objects created during the request handling process. The other objects in the list (from the relevant policy) can be added to the rule.

When choosing an existing object in Select Network Object for a Rule Modification ticket, if you use the Type filter to search for specific objects and then change the filter to Any Type, objects which were selected from the bottom of the initial search may seem to have disappeared if the new results display more than 100 items. When you click OK to save your changes and return to the ticket, the objects you selected appear in the relevant rule fields as expected.

Handle a Rule Modification Ticket

General Information

  • A single ticket can include up to 300 rules with 40 changes per rule, for a maximum of 1000 changes on all the rules in the request.

  • Supported Source and Destination objects for this action include IPv4 network objects, single IP addresses, a range of IP addresses (subnets), and groups.

  • Supported Service objects and service object groups include the following protocols: TCP, UDP, ICMP and SCTP

  • Rule names that are part of a ticket in a Rule Modification workflow should not be changed, as this may affect the results in Designer.

  • Changes to rules - including rule name and configured details - should not be made outside of a SecureChange ticket.

  • In addition to being a poor security practice, changing the source or destination to Any is not supported.

  • The Rule Preview area of a Rule Modification ticket displays the revision information as of the time the ticket appears as a draft in SecureChange. The Select Network Object screen displays the real time objects, based on the most recent revision.

  • If a rule in the ticket was deleted (for example, via the device interface or as part of a different ticket), when you attempt to modify it, you will receive notification that the rule does not exist.

  • New objects can only be created on the policy where the rule is located. It is not possible to create a global object in a hierarchical environment (such as Palo Alto Panorama or Fortinet FortiManager) and add the object to a rule on a sibling policy.

  • You can add or remove network objects, including hosts, subnets, and network object groups. Adding or removing implicit objects or removing objects from an LDAP Group is not supported.

Unsupported Features and Actions

The following features and actions are not supported for Rule Modification: 

  • Removing all services from a rule

  • Map rule to ticket

  • Dynamic assignment by script

Duplicate Objects

Designer will fail when you try to create a new object with:

  • A name that is identical to the name of another object on the device. For example, you will receive an error message when you try to create and add a new subnet object called "myObject" with IP 1.1.1.0/24, when the device already has a subnet named "myObject" with IP 2.2.2.0/24 (or even a host or range named "myObject")

  • A name that uses unsupported characters or formats

You cannot edit a new object in the SecureChange user interface. To resolve the issue, remove the illegal object from the ticket and create an object with a unique name that uses supported characters and formats.

There is no validation to prevent creating and adding duplicated objects to a rule. If you create and add a new object with an address that is identical to the address of another object on the policy, provisioning will fail for the Check Point devices. Even though provisioning the policy will succeed for other devices, this is not considered good practice.

Changes Outside the Ticket Scope

  • A Rule Modification ticket is "blind" to changes on new revisions received for rules after it was opened: if objects are added to or removed from a rule outside of the ticket, the rule preview on the ticket is not updated. Thus, it is theoretically possible to submit a request to remove objects from a rule that were already removed, or to add objects that were already added.

  • If a ticket to add an object from the policy to a rule is submitted via the Rule Modification workflow, and the same object was removed from the policy outside the ticket scope, it will not be possible to complete the action via the SecureChange user interface. Because the object no longer exists on the policy, the validation for adding the object to a rule will fail for both Designer and provisioning, even though the object is still displayed as a candidate in the interface.

  • In this situation, use the Rule Modification REST API to undo the request to add the non-existent object to the rule. If you try via the user interface, the object continues to be displayed as a candidate.
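The limits in General Information, the name and address collisions in Duplicate Objects, and the stale-object case in Changes Outside the Ticket Scope can all be caught before a ticket is submitted. The following pre-flight check is an added example and not Tufin code; the Change data shape and the policy inventory (a name-to-address mapping) are assumed, and the sample inputs in the test are constructed.

```python
# Added example: pre-flight checks mirroring the documented Rule Modification constraints.
# Not part of SecureChange; the Change shape and the policy inventory format are assumed.
from dataclasses import dataclass

MAX_RULES, MAX_CHANGES_PER_RULE, MAX_TOTAL_CHANGES = 300, 40, 1000


@dataclass
class Change:
    action: str          # "add" or "remove"
    field: str           # "source", "destination" or "service"
    name: str            # object name as it will appear in the rule
    address: str = ""    # address of a new network object (hypothetical attribute)
    new: bool = False    # True if created in the ticket, False if an existing policy object


def preflight(rules, policy_objects):
    """rules: {rule_name: [Change, ...]}; policy_objects: {name: address} for the
    policy the rules live on. Returns a list of (severity, message) findings."""
    findings = []
    total = sum(len(c) for c in rules.values())
    if len(rules) > MAX_RULES:
        findings.append(("error", f"{len(rules)} rules exceeds the limit of {MAX_RULES}"))
    if total > MAX_TOTAL_CHANGES:
        findings.append(("error", f"{total} changes exceeds the limit of {MAX_TOTAL_CHANGES}"))
    addr_owner = {a: n for n, a in policy_objects.items()}
    for rule, changes in rules.items():
        if len(changes) > MAX_CHANGES_PER_RULE:
            findings.append(("error", f"{rule}: {len(changes)} changes exceeds {MAX_CHANGES_PER_RULE}"))
        for c in changes:
            if c.action == "add" and c.field in ("source", "destination") and c.name.lower() == "any":
                findings.append(("error", f"{rule}: setting {c.field} to Any is not supported"))
                continue
            if c.new and c.name in policy_objects:
                # Designer fails on any name clash, whatever the existing object's type
                findings.append(("error", f"{rule}: new object '{c.name}' duplicates an existing object name"))
            elif c.new and c.address and c.address in addr_owner:
                # no built-in validation for this; provisioning fails on Check Point devices
                findings.append(("warning", f"{rule}: '{c.name}' has the same address as '{addr_owner[c.address]}'"))
            if not c.new and c.name not in policy_objects:
                # object removed from the policy outside the ticket: Designer and provisioning will fail
                findings.append(("error", f"{rule}: object '{c.name}' no longer exists on the policy"))
    return findings
```

Run it against the objects of the target policy before submitting; a ticket that still references a removed object can only be undone via the REST API, so catching it here saves a round trip.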

Supported Devices

The following devices are supported for the full automation process:

  • Check Point R80.x

  • Palo Alto Panorama advanced mode

  • Fortinet FortiManager advanced mode

  • Cisco ASA and Cisco FMC

  • Juniper SRX

The following devices are supported for Commit actions:

  • Check Point R80.x

  • Palo Alto Panorama advanced mode

  • Fortinet FortiManager advanced mode