Remove Access Requests

Designer can also handle access requests that remove network access (decommission requests). For example, access may be removed if it is no longer required or when a ticket expires.

When a ticket includes both add and remove requests, each request is listed separately in Designer:

• Access requests to add access are shown in green
• Access requests to remove access are shown in orange

Designer suggests whether to remove or modify rules, or to update network groups, depending on the request.

Special Cases Handled by the Manage Related Rules Feature

Designer may skip certain rules by default, depending on the request and environment. These rules are marked as Ignored in the Manage Related Rules window.

Designer ignores the following scenarios by default when the Access Request action is Remove:

• The access path includes NAT
• The access request overlaps with another SecureApp connection
• The destination includes a URL category (not relevant for Palo Alto devices)

To include these rules in Designer suggestions:

1. Click Manage Related Rules.
2. Clear the Ignore checkbox next to the rule.
3. Click OK.
4. Click Redesign to recalculate suggestions.

This lets you override the default exclusions and ensure all relevant rules are considered.

Example Workflow: Access Request

The steps below show how Designer helps you review and apply changes for an access request ticket.

1. Open or create an access request and click Designer.

   

   If there is no Designer button, check if Designer was enabled in this step of the workflow configuration.

2. If your access request contains an AWS instance, select Security Groups for the VPC.

3. Review the Designer recommendations, organized by vendor > device > policy > access request.

   

   If a later access request requires the same changes as an earlier one, Designer notes that no duplicate changes will be implemented.

4. Designer assigns names to new servers, services, or rules using these guidelines:

   • Creates names in the format host_<ip> or subnet_<ip>

   • If the request came from SecureApp, Designer uses the SecureApp name

   • If an "i" icon appears next to the recommendation, then Designer has modified the name assigned in SecureApp to meet the vendor's requirements. For example if you created a new connection with the name “Connection 1” the Designer changes it to “Connection1” if spaces are not allowed.

     Click to view the original name.

5. In the recommendations, you can edit the following values (unless a new revision was received from the device):

   These values cannot be changed if a new revision was received from the device.

   • Object names

   • Rule names

   • Rule location (before/after a specific rule, or as the last rule)

   • Logging levels

6. For supported vendors, you can also edit comments or rule names, see SecureChange Features by Vendor.

7. For NSX devices, when adding new rules, if the access request has a Security Group as a Source or Destination, Designer provides more specific suggestions based on the relevant security groups instead of using DFW. Click the Applied to field to select the relevant security groups.

8. For Decommission Access Requests, if related rules exist, click Manage Related Rules to review them and adjust the Ignore setting if needed, then Redesign.

9. Click View rule to preview the firewall rule. Use Customize rule to choose alternate objects if multiple match the access request.

   Example: if the access request specifies IP 1.1.1.1 and multiple objects with that IP exist, you can select the specific object to use in the Designer results.

   1. Click View rule.

      

   2. Click Customize rule.

      

   3. Click to change the editable object.

      

   4. Select a different object to use in the rule.

      

   5. Click Update.

10. Click to save the change or to cancel the change that you entered.

11. If you have permissions, to implement the changes:

    • Check Point:

      1. Click Update Policy or to update all policies at one time click Update All Policies. The updated policies are saved in CMA/SmartCenter.

         To have the Update Policy option, enabling the Designer to apply changes directly to Check Point policies, you need to configure SecureTrack to use an OPSEC object that has Read/Write permissions.

         

      2. Use Check Point SmartDashboard to install the policies.

    • Cisco ASA, Cisco IOS, and Juniper SRX:

      • Click Commands > Update Device.

        To have the Update Device option, enabling the Designer to apply changes directly to Cisco devices, you need to configure SecureTrack to monitor the devices via SSHv2.

        

    • Juniper NetScreen:

      1. Click Commands > Copy Commands.

      2. Paste the commands on to the device's CLI.

      

    • Palo Alto/Panorama:

      • Click Update devices.

        

12. Click Close to return to the ticket.

    If you click Close and save the progress on the task, the designer results are saved.

    You can click next to the access request to see the results, and other handlers can click in this step to see the results.

13. Once you have implemented the changes recommended by Designer, you can run Verifier to confirm that the changes were implemented, see Verifying Access Requests.

How Do I Get Here?

SecureChange>Tickets> Search for or open a ticket >Designer