Tufin SecureChange offers several options for decommissioning, and it is not always clear what the different workflow types mean. Here is a brief description of each.


Access Request

In an Access Request workflow, new access "from - to" is requested by setting the action to "accept".
The other option, "remove", decommissions existing access "from - to".

In the example shown above, access from 10.1.1.0/24 to 10.2.2.0/24 over HTTPS is no longer needed. Because this is an Access Request ticket, many IP addresses can be listed here, and more than one access request can be defined within one ticket. The requester does not need to know which firewalls are involved or which firewall rules are affected; the removal of one "access" may therefore touch many firewalls and many rules. Before submitting, review what Designer proposes: a rule that permits more than the requested access cannot simply be deleted without also removing traffic nobody asked to remove, so it has to be narrowed instead.
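To make the "many firewalls, many rules" point concrete, here is an added example (not Tufin code, and it does not call the SecureChange API) that simulates what Designer has to work out for an access removal: it walks constructed rule bases for two hypothetical firewalls and lists every accept rule that permits any part of the requested flow, flagging rules that are wider than the request and so must be narrowed rather than deleted. Rule ordering and shadowing by earlier deny rules are deliberately ignored; the firewall names, rule IDs and networks are all constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"  # marker for an "any" source, destination or service in the constructed rules


@dataclass
class Rule:
    """Simplified firewall rule: cells hold CIDR strings (or ANY), services hold "tcp/443"-style strings."""
    rule_id: int
    sources: list
    destinations: list
    services: list
    action: str = "accept"


def _cell_overlaps(cell, requested):
    """True if any network in the cell overlaps the requested network (ANY overlaps everything)."""
    if ANY in cell:
        return True
    req = ipaddress.ip_network(requested)
    return any(req.overlaps(ipaddress.ip_network(c)) for c in cell)


def _cell_within(cell, requested):
    """True if every network in the cell lies inside the requested network (ANY never does)."""
    if ANY in cell:
        return False
    req = ipaddress.ip_network(requested)
    return all(ipaddress.ip_network(c).subnet_of(req) for c in cell)


def _service_overlaps(cell, service):
    return ANY in cell or service in cell


def _service_within(cell, service):
    return ANY not in cell and all(s == service for s in cell)


def rules_granting_access(firewalls, src, dst, service):
    """Find every accept rule, on every firewall, that allows (part of) the requested flow.

    Returns a list of (firewall, rule_id, needs_narrowing). needs_narrowing is True when the
    rule also permits traffic outside the request, so the change must edit the rule instead of
    deleting it. Earlier deny rules that might shadow a match are ignored for simplicity.
    """
    hits = []
    for fw_name, rules in firewalls.items():
        for r in rules:
            if r.action != "accept":
                continue
            if not (_cell_overlaps(r.sources, src)
                    and _cell_overlaps(r.destinations, dst)
                    and _service_overlaps(r.services, service)):
                continue
            exact = (_cell_within(r.sources, src)
                     and _cell_within(r.destinations, dst)
                     and _service_within(r.services, service))
            hits.append((fw_name, r.rule_id, not exact))
    return hits


# Constructed sample rule bases for two hypothetical firewalls.
FIREWALLS = {
    "fw-edge": [
        Rule(1, ["10.1.1.0/24"], ["10.2.2.0/24"], ["tcp/443"]),
        Rule(2, ["10.1.1.0/24"], ["10.2.2.0/24"], ["tcp/22"]),
        Rule(3, [ANY], ["10.3.3.0/24"], ["tcp/443"]),
    ],
    "fw-core": [
        Rule(10, ["10.1.0.0/16"], ["10.2.2.0/24"], [ANY]),
        Rule(11, ["10.1.1.0/24"], ["10.2.2.0/24"], ["tcp/443"], action="drop"),
    ],
}


def decommission_example():
    """The page's case: access 10.1.1.0/24 -> 10.2.2.0/24 over HTTPS (tcp/443) is no longer needed."""
    return rules_granting_access(FIREWALLS, "10.1.1.0/24", "10.2.2.0/24", "tcp/443")


if __name__ == "__main__":
    for fw, rule_id, narrow in decommission_example():
        print(f"{fw}: rule {rule_id} -> {'narrow' if narrow else 'delete'}")
```

For the page's flow this reports rule 1 on fw-edge as a candidate for deletion and rule 10 on fw-core as one that must be narrowed, because it allows all of 10.1.0.0/16 and all services, not only the HTTPS access being removed.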


Rule Decommission

A ticket for a Rule Decommission workflow always starts in Tufin SecureTrack, not in SecureChange. The ticket is opened for one specific rule configured on one firewall device, which is what distinguishes it from an Access Request.
Mind the configuration requirements, e.g. the SecureTrack user must be authorized to open such a ticket in SecureChange.
First, the rule is selected in the Rule Viewer.

Clicking the button on the right-hand side opens a menu where the option "Decommission rule" can be selected. The next step is to enter a subject for the ticket and select the workflow. A new ticket is then created in SecureChange, where the request can be checked and submitted.


Decommission of network objects

A third option for decommissioning is the Decommission Network Object workflow. This kind of workflow removes a network object from the rules and groups that reference it, so once the ticket is closed the selected object is no longer in use.
Hint: if the object to be removed is "last in cell" (the only object in a rule's source or destination), SecureChange Designer recommends removing the whole rule instead. On most firewall platforms an emptied cell defaults to "any", so deleting only the last object would widen the rule rather than retire it.

The network, server, or address range must be entered manually.
Note that the object itself is not deleted from the firewall management; it remains defined, but unused.
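The following added example (not Tufin code) illustrates the "last in cell" hint above by planning the removal of a network object from a constructed set of rules and groups: where the object shares a cell with others it is simply removed, where it is the only member of a cell the plan escalates to decommissioning the whole rule, and a group that would be left empty is flagged for review. The rule IDs, object names and groups are all hypothetical; treating an emptied group as needing review is this example's own assumption, not a statement about Designer's behaviour.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """Simplified rule whose source/destination cells hold network object names."""
    rule_id: int
    sources: list
    destinations: list


def plan_object_removal(rules, groups, obj):
    """Work out what removing network object `obj` from all rules and groups would require.

    Returns a list of planned actions:
      ("remove_from_group", group_name, group_becomes_empty)
      ("remove_from_rule", rule_id, cell)      object shares the cell with other objects
      ("decommission_rule", rule_id, cell)     object is "last in cell": removing it alone would
                                               leave the cell empty, which most firewalls read as "any"
    """
    plan = []
    for group_name, members in groups.items():
        if obj in members:
            remaining = [m for m in members if m != obj]
            plan.append(("remove_from_group", group_name, len(remaining) == 0))
    for rule in rules:
        for cell_name, cell in (("source", rule.sources), ("destination", rule.destinations)):
            if obj not in cell:
                continue
            if len(cell) == 1:
                plan.append(("decommission_rule", rule.rule_id, cell_name))
            else:
                plan.append(("remove_from_rule", rule.rule_id, cell_name))
    return plan


def needs_review(plan):
    """True if naive removal (dropping only the object) would leave an empty cell or an empty group."""
    return any(
        action[0] == "decommission_rule" or (action[0] == "remove_from_group" and action[2])
        for action in plan
    )


# Constructed sample data with hypothetical rule and object names.
RULES = [
    Rule(1, ["srv-web-1", "srv-web-2"], ["net-dmz"]),
    Rule(2, ["srv-web-1"], ["any"]),
    Rule(3, ["grp-web"], ["net-db"]),
]
GROUPS = {
    "grp-web": ["srv-web-1", "srv-web-2"],
    "grp-legacy": ["srv-web-1"],
}


def example_plan(obj="srv-web-1"):
    return plan_object_removal(RULES, GROUPS, obj)


if __name__ == "__main__":
    plan = example_plan()
    for action in plan:
        print(action)
    print("needs review:", needs_review(plan))
```

Decommissioning srv-web-1 produces a plain removal from rule 1 and from grp-web, but rule 2 has it as the only source object, so the plan calls for decommissioning that rule rather than emptying its source cell; grp-legacy would be left empty and is flagged as well. Decommissioning srv-web-2 instead touches only shared cells and needs no review.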