Add a Rule Change

You can manually add rule changes to a ticket. To add a rule change, complete the following steps.

If your device is not licensed, it will not appear in the list of suggested devices or the list of additional devices.

  1. Select a ticket with a Task of Design.
  2. In the Change Plan section, click Add Change > Rule Change.
  3. On the Rule Change: Define Properties page, complete the following steps.
    1. In the Description box, type a short description of the change.
    2. Under Task, select an option:
      • Add a new rule
      • Add an existing rule to the change plan
      • Modify an existing rule
      • Delete a rule
    3. In the Device box, select the device the rule is on.
    4. In the Policy box, select the policy for the rule change.
    5. Click Next.
  4. On the Rule Change: Select Position / Rule page, complete the following steps.
    1. Under Where would you like to create the new rule?, select At the end of the policy, Above the selected rule, or Below the selected rule.
    2. If you select Above the selected rule or Below the selected rule, select a rule from the list of available rules.
    3. Click Next.
  5. On the Rule Change: Build / Review Rule page, in the Create the new rule menu, the Source, Destination, and Service fields will be automatically filled with the values from the requirement, represented by orange tokens. These values have not been matched.
  6. On the Rule Change: Build / Review Rule page, complete the following steps.
    1. In the Create the new rule menu, click the orange icon in the Source field.

    An orange token indicates a change input that cannot be resolved (matched) to an existing or newly created object.

    2. Click the orange tokens to search for existing objects to replace the unmatched values.
    3. Select Source, Destination, Service, Source Zone, and Destination Zone from the list.
    4. In the Service field, you can use enhanced syntax to specify port ranges for inline services with the TCP and UDP protocols. The relations lt, lte, gt, and gte are supported. For example, if you type tcp lt 80 in the Service field and press Enter, the value changes automatically to tcp/0-79.

      For Cisco ASA: If the Source, Destination, or Service field for the rule change has more than one value, you will be notified with an error message: "Only one value supported for this field. Please create a Group containing these members."

    5. Optional, for devices that support a Schedule object. In the Schedule box, select the schedule that defines the active periods for the rule.
    6. Optional, for Palo Alto Networks devices with applied vendor tags. In the Vendor Tags box, select a vendor tag to associate with, or disassociate from, the rule.

      A recent revision with vendor tags applied is required.

    7. In the Rule Name box, type a rule name.
    8. In the Action box, select Accept or Drop.
    9. In the Log box, select Enabled or Disabled.
    10. Optional. In the Security Group Profile box, select a group to associate the rule with.
    11. Optional. In the Log Forwarding Profile box, select a profile to use when forwarding logs.
    12. Optional. In the Comments box, type a comment.

    A comment on rules created on the Palo Alto firewall is a concatenation of the Change Control Number, Owner, Justification, and Comment field. These fields combined cannot exceed 255 characters.

    13. In the Other Configuration Changes box, type any additional configuration changes.
  7. Click Save.
  8. If no additional changes are needed for the requirement, click Complete to move to the next task.
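The port-range syntax accepted in the Service field (step 6.4) is easy to misjudge at review time, because a short relation such as `tcp gt 1023` expands to tens of thousands of ports. The following Python is an added example, not the product's own code: it normalizes `<proto> <relation> <port>` into the `proto/lo-hi` form the page shows and counts how many ports a normalized service covers. The `lt 80 -> 0-79` mapping follows the page's example; expanding `lte`, `gt` and `gte` against the 0 and 65535 bounds is an assumption about how the tool behaves.

```python
import re

MAX_PORT = 65535

# Relations listed on the page. The lt mapping matches the page's example
# (tcp lt 80 -> tcp/0-79); the other three bounds are an assumption.
RELATIONS = {
    "lt":  lambda p: (0, p - 1),
    "lte": lambda p: (0, p),
    "gt":  lambda p: (p + 1, MAX_PORT),
    "gte": lambda p: (p, MAX_PORT),
}

_INLINE = re.compile(r"^\s*(tcp|udp)\s+(lt|lte|gt|gte)\s+(\d{1,5})\s*$", re.IGNORECASE)
_RANGE = re.compile(r"^(tcp|udp)/(\d{1,5})-(\d{1,5})$", re.IGNORECASE)


def normalize_service(value: str) -> str:
    """Expand 'tcp lt 80' into 'tcp/0-79'; reject empty or out-of-range results."""
    m = _INLINE.match(value)
    if not m:
        raise ValueError(f"not an inline service relation: {value!r}")
    proto, rel, port = m.group(1).lower(), m.group(2).lower(), int(m.group(3))
    if port > MAX_PORT:
        raise ValueError(f"port {port} exceeds {MAX_PORT}")
    lo, hi = RELATIONS[rel](port)
    # 'lt 0' and 'gt 65535' produce no ports at all; flag instead of emitting junk.
    if lo < 0 or hi > MAX_PORT or lo > hi:
        raise ValueError(f"{rel} {port} yields an empty port range")
    return f"{proto}/{lo}-{hi}"


def port_count(service: str) -> int:
    """Number of ports a normalized 'proto/lo-hi' service opens; useful when
    reviewing a change plan for over-broad inline services."""
    m = _RANGE.match(service)
    if not m:
        raise ValueError(f"not a normalized service range: {service!r}")
    lo, hi = int(m.group(2)), int(m.group(3))
    if lo > hi or hi > MAX_PORT:
        raise ValueError(f"invalid range in {service!r}")
    return hi - lo + 1


if __name__ == "__main__":
    for entered in ("tcp lt 80", "udp lte 80", "tcp gt 1023", "tcp gte 1024"):
        normalized = normalize_service(entered)
        print(f"{entered:14} -> {normalized:16} ({port_count(normalized)} ports)")
```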