Automated Change Provisioning

Overview

Automate the provisioning of approved security policy changes across firewalls and cloud platforms to ensure speed, accuracy, and compliance.

Automated Change Provisioning guides you through using SecureChange to apply approved security policy changes to supported devices. It takes the implementation-ready policy changes that Designer generates during the automated design phase and provisions those approved changes to the relevant devices.

Why this matters

• Reduce manual intervention during the implementation phase.

• Improve the accuracy and speed of rule deployment.

• Ensure approved changes are pushed to the relevant devices without unnecessary delay.

• Align deployment with approved change windows.

Who this is for

• Network engineers responsible for executing and validating provisioning workflows.

• Change managers responsible for monitoring provisioning compliance with change windows.

• Security operation managers responsible for reviewing audit logs for governance.

• Operational specialists driving workflow adoption and standardization across teams.

Key capabilities

Automated Change Provisioning leverages:

• SecureTrack workflows to automatically provision changes

Prerequisites

Successful completion of:

• Infrastructure Change Management, to enforce consistent, policy-driven processes for infrastructure lifecycle events.

• Rule and Group Management, to enforce standardized processes for rule and group changes through automated workflows.

• Automated Path Identification and Target Selection, to enforce security policy changes with automated path discovery and target selection, reducing manual effort and risk of misconfiguration.

• Automated Proactive Risk Assessment, to assess risk before access changes are approved and implemented.

Step 1: Confirm device support for automated provisioning

SecureChange supports automated provisioning on supported devices and management platforms. Before you configure provisioning, confirm that the relevant vendor and platform support Update and Commit, where applicable.

See SecureChange features by vendor.

Step 2: Understand update and commit behavior

Provisioning applies Designer policy changes through Update. The behavior differs depending on whether the target is a directly managed device or a management device.

Directly managed devices

• Update applies the approved changes directly to the firewall or security group.

• The changes are enforced immediately, so no separate commit is required.

Management devices

• Update saves the approved changes on the management device.

• The changes are not enforced on the managed firewalls until you run Commit.

• Commit pushes the saved changes from the management device to its child firewalls.

• Commit is available only on supported management devices.

This distinction matters because it determines whether provisioning ends with Update or requires an additional Commit phase.

See Update and commit policy changes.

Step 3: Change windows for automated provisioning

You can align provisioning with change windows to control when committed changes are pushed to managed firewalls. This helps enforce approved maintenance windows and change governance.

Change windows are configured in SecureTrack and used to automatically commit provisioned changes on supported management devices according to a defined schedule.

See Change Windows.

Step 4: Provision approved changes in workflow

Changes are provisioned when the SecureChange workflow reaches the implementation phase. SecureChange maintains a full audit trail of provisioning activity, including who triggered the push, the result, and time of execution.

On step completion:

• Rule changes are pushed from the management system to the physical or virtual firewalls, either automatically or manually based on the step mode configured in the workflow.

• Retains the rule validation logic, target selection, and device access control configured during design.