Professional Documents
Culture Documents
Skybox ChangeManager UsersGuide V10!0!300
Skybox ChangeManager UsersGuide V10!0!300
User Guide
10.0.300
Revision: 11
Proprietary and Confidential to Skybox Security. © 2019 Skybox Security,
Inc. All rights reserved.
Due to continued product development, the information contained in this
document may change without notice. The information and intellectual property
contained herein are confidential and remain the exclusive intellectual property of
Skybox Security. If you find any problems in the documentation, please report
them to us in writing. Skybox Security does not warrant that this document is
error-free.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means—electronic, mechanical, photocopying,
recording, or otherwise—without the prior written permission of Skybox Security.
Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network
Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox
Change Manager, Skybox Appliance 5500/6000/7000/8000/8050, and the
Skybox Security logo are either registered trademarks or trademarks of Skybox
Security, Inc., in the United States and/or other countries. All other trademarks
are the property of their respective owners.
Contact information
Contact Skybox using the form on our website or by emailing
info@skyboxsecurity.com
Customers and partners can contact Skybox technical support via the Skybox
Support portal
Contents
Technical support ..................................................................................... 5
How this manual is organized ..................................................................... 5
Change management............................................................................... 9
Users and their responsibilities ................................................................... 9
Typical flow of a change request ............................................................... 10
Submitting change requests ..................................................................... 11
Selecting a workflow .......................................................................... 13
Requesting specific access .................................................................. 13
Uploading a file with multiple requests ................................................. 15
Adding an access rule ........................................................................ 16
Modifying access rules ........................................................................ 20
Deactivating and enabling access rules ................................................. 21
Modifying firewall objects.................................................................... 22
Custom change requests .................................................................... 22
Cloning a change request ................................................................... 23
Adding business information to an access rule ....................................... 23
Processing technical details ...................................................................... 23
Reviewing tickets that have no formal change requests .......................... 24
Reviewing the derived change requests ................................................ 24
Assessing risk ........................................................................................ 26
Implementation phase ............................................................................ 28
Verifying a request ................................................................................. 29
Additional workflow actions ...................................................................... 30
Change Manager ends risky changes with network-aware planning and risk
assessment that keep your network secure and in continuous compliance with
policies. Change Manager incorporates customizable workflows and provides
comprehensive management of rule lifecycles to automate change processes.
Highlights
Change management
Change Manager provides a complete and centralized change workflow so that
you can:
In this chapter
Users and their responsibilities ............................................... 9
Typical flow of a change request ........................................... 10
Submitting change requests ................................................. 11
Processing technical details .................................................. 23
Assessing risk..................................................................... 26
Implementation phase ......................................................... 28
Verifying a request.............................................................. 29
Additional workflow actions .................................................. 30
Requestors
Requestors are users who submit requests for granting connectivity. The
following actions are available:
Analysts
Analysts are users who process tickets. The following actions are available:
Workflow supervisors
The following actions are available to workflow supervisors:
› View tickets that have been in the system for some time and do not seem to
be progressing (including overdue tickets)
› Update ticket due dates, change ticket priority
› View tickets by phase: For each phase, make sure that there are no
bottlenecks, that content is coherent, and so on
› Find a ticket by ID: View a specific ticket to resolve a problem with requests
2 Technical details:
• General requests are refined to include IP addresses and ports, and the
relevant firewalls and clusters. They might be subdivided to several
requests—usually one per firewall.
• Specific requests are checked for validity and sometimes refined (if Skybox
finds a more efficient way to grant access). For example, a request to add
a new rule might be refined into a request to modify an existing (similar)
rule.
To open a ticket
1 In the control panel, click Create New Ticket.
If you have multiple workflows and no default workflow, select a default
workflow or a workflow for this ticket. See Selecting a workflow (on page 13).
6 Click Save.
SELECTING A WORKFLOW
Skybox supports multiple workflows for tickets—different ticket types can have
different sets of phases, different due date calculations, and different users.
When you submit a change request for the 1st time, you might find that you
have multiple workflows that you can use. You must select a workflow to
continue submitting the change request. You can either select a workflow only for
the current ticket or select a default workflow. Until you select a default
workflow, you must select a workflow for each new change request. However,
even if you select a default workflow, you can select a different workflow when
necessary.
( )
2 Click Choose Workflow, select the workflow you want, and click OK.
› Identifies the firewalls and access rules that must be changed to permit
access
› Derives specific change requests from the original request for the identified
firewalls and access rules
Property Description
service objects are also listed. Click to search for
specific objects (see page 19).
Type Port The services (ports) for which access is requested to be
added or blocked.
Use application If an application is selected, Skybox sets the service to be
default ports as the default service for that application. You can select a
services different service.
Additional fields
Rule Logging Specifies whether changes to the relevant access rules
are logged in the firewall.
Create Shared Specifies whether objects needed for this access rule are
Objects created as shared for all the firewalls managed by a
(Panorama only) specific Panorama device.
Install on Any Specifies whether the requested change should be added
(Panorama only) to all firewalls in the specified device group.
Expiration Date The expiration date of the access rule.
Comment A comment to add to the change request.
Note: Change Manager requires that the file include the fields that were
configured; use the template and only enter information in that format.
Otherwise, the file cannot be uploaded.
5 After the file is previewed a dialog box appears. You can see all the change
requests in the file.
If Change Manager detected an error or missing value in any field of a change
request, there is an X in the problematic field and in the Valid field of that
request. Change requests that are not valid are not added to the ticket.
6 You can make changes to a change request by selecting it and clicking Edit;
you can delete a change request from the list by selecting it and clicking
Remove.
7 When you are finished, click OK.
The valid change requests are added to the ticket.
Property Description
rule (the permitted source addresses for a packet).
• Separate the values of a range with a hyphen.
• To permit all source addresses except those selected,
select NOT.
Negate Specifies whether to use all valid sources (IP addresses or
objects) except those selected.
Users The users that the request is for.
Possible values:
• Any (default)
• Unknown
• Known User
• Specific users or user groups (Select Specific and
then type in the user and group names)
Destination
Addresses • For Requestors (if there is a repository): Objects that
represent the assets of the destination. Click to
search for specific application objects.
• For other users: The original representation of the
destination addresses in firewall objects. If there is a
repository, application objects are also listed. Click
to search for specific objects (see page 19).
Type IP Addresses A comma-separated list of destination IP addresses for
this rule (the permitted destination addresses for a
packet).
• Separate the values of a range with a hyphen.
• To permit all destination addresses except those
selected, select NOT.
Negate Specifies whether to use all valid destinations (IP
addresses or objects) except those selected.
Services & Applications
Services & • For Requestors (if there is a repository): Objects that
Applications represent the services (ports) used for the access.
Click to search for specific service objects.
• For other users: The original representation of the
ports in firewall objects. If there is a repository,
service objects are also listed. Click to search for
specific objects (see page 19).
Type Ports The services (ports) for this rule (the permitted services
for a packet).
Negate Specifies whether to use all valid services (ports or
objects) except those selected.
Rule Group The rule group to which to add this access rule when the
rule is created.
Note: This information is not added to the access rule.
NAT
Hide Source Specifies whether source networks are hidden behind the
Behind Gateway gateway IP address (they are translated to the IP address
of the gateway or firewall).
Property Description
Source
Addresses A comma-separated list of source NAT IP addresses for
this rule (the permitted source addresses for a packet).
• Separate the values of a range with a hyphen.
• To permit all source addresses except those selected,
select NOT.
Objects The original representation of the source NAT addresses
in firewall objects. Click to search for specific objects
(see page 19).
Destination
Addresses A comma-separated list of destination NAT IP addresses
for this rule (the permitted destination addresses for a
packet).
• Separate the values of a range with a hyphen.
• To permit all destination addresses except those
selected, select NOT.
Objects The original representation of the destination NAT
addresses in firewall objects. Click to search for
specific objects (see page 19).
Services
Ports The service NATs (ports) for this rule (the permitted
services for a packet).
Objects The original representation of the service NATs in firewall
objects. Click to search for specific objects (see page
19).
Additional Fields
Comment A comment or additional information about the change
request.
Create After Information about where to create the rule for the user
who makes the actual change on the firewall.
Note: This information is not added to the access rule.
VPN Specifies the VPN over which to send data.
Expiration Date The expiration date of the access rule.
Security Profile Specifies the security profile group to use for the access
Group rule.
(Panorama only)
Rule Logging Specifies whether changes to this rule are logged in the
firewall.
Create Shared Specifies whether objects needed for this access rule are
Objects created as shared for all the firewalls managed by a
(Panorama only) specific device.
Install on Any Specifies whether the requested change should be added
(Panorama only) to all firewalls in the specified device group.
Object finder
3 Click .
The objects that meet the search requirements are listed in the Matching
Objects box. If there is a repository, there are separate tabs for firewall
objects, repository objects, and all objects.
4 Select desired objects from each tab and click to move them to the
Selected Objects box. Click OK.
5 If a firewall object that you need does not exist, use the following instructions
to open a request to create it.
To create a request for a new firewall object from within the Object Finder
1 Click New Object.
2 Provide the necessary information about the new object, according to the
following table.
3 Click OK.
• A change request for the new object is created.
• The new object is added to the set of searchable objects for the firewall or
management system for which it was created. If the new object is used in
additional change requests, it appears as a link to its change request.
The properties of a new object are described in the following table.
Property Description
Name A name for the new object.
Type (read-only) The type of the object (network or service).
Value The value of the new object. For a network object, this is
the IP addresses or IP address ranges; for a service
object, it is the ports or port ranges.
Members For group objects, the members of the group, consisting
of either existing objects or new objects. You can only add
one layer of members.
Create as Shared (For Panorama only) Specifies whether this object is
created as shared.
Comment Any information about this object for the firewall
administrator.
5 Click .
The access rules that match the search criteria are displayed.
6 Select the rules to modify and click the arrow to move them to the Selected
Access Rules box.
7 Click OK.
8 In the Modification Details pane:
a. Select the field to modify.
b. Make the required changes, either manually or by clicking to search for
specific objects (see page 19).
Note: Selecting Rule Logging toggles the rule logging of the selected
rules; you do not have to make any additional changes.
Note: Unless you selected Users or # (Rule Position), you can negate
the value of the selected field.
9 Click OK.
10 If necessary, update the rule’s business attributes (on page 20).
c. Click .
The access rules that match the search criteria are displayed.
d. Select the rules that you want to deactivate and click the arrow to move
them to the Selected Access Rules box.
e. To delete the rules rather than disable them, select Delete Rules in the
Action Required field.
f. Click OK.
c. Click .
The access rules that match the search criteria are displayed.
d. Select the rules that you want to activate and click the arrow to move
them to the Selected Access Rules box.
e. Click OK.
f. Click .
g. The objects that match the search criteria are displayed.
h. Select the object to modify and click the arrow to move it to the Selected
Object box.
i. Click OK.
3 Define the properties of the object that you want to change in the Modification
Details pane. The pane is filtered according to the type of the selected object;
you can only enter entities or select objects to add or delete that match the
object type.
a. Use the Name field to change the name of the object.
b. In the Modification Details pane, type entities or select objects (see page
19) add to or delete from this object.
c. Add a comment.
4 Click OK.
3 Click the Browse button and select the relevant firewall or management
server, or the relevant access rules.
4 Fill in the values of the fields, as you would for any change request.
Mandatory fields are marked with an asterisk.
• In the Change Details field, provide a description of the requested
change and any other necessary information.
• Add an expiration date.
• Add additional comments.
5 Click OK.
› Rule Owners: The owners of the access rule and their email addresses
› Next Review Date: The date when the access rule should be reviewed
› Business Function: The business function of the access rule
› Comment: A comment about the rule
› (Optional) Custom Attribute fields: If custom business attributes were
defined, you can add their information here
These derived change requests must be reviewed to make sure that they are
correct and necessary (on page 24).
› Check whether the changes are necessary. If the requested access exists, the
changes are unnecessary. If all the derived change requests are unnecessary,
you can close (reject) the ticket.
› Access Update change requests are not firewall-specific. When Change
Manager derives requests from them, it might miss a firewall or suggest
changing the wrong firewall because of inaccurate or incomplete routing rules
on the firewalls. Users in this phase must validate that the breakdown is
correct and fix it.
3 Look at the Derived Change Requests panel. Check whether the derived
change requests suggested by Skybox cover all the necessary firewalls, make
sense, and are in line with your firewall policy.
Note: If some of the derived change requests in the ticket are obfuscated,
they are for firewalls owned by other users. In this case, mark your
change requests as Reviewed (select a change request and click
Review).
If the derived change requests are not what you expected, edit the original
change request or add additional requests. You can delete derived change
requests by selecting them and clicking Remove.
4 Derived change requests that are unnecessary have linked explanations as to
why they are unnecessary. Click the link to see the existing rules that cover
this request.
Assessing risk
In the Risk Assessment phase, security analysts review the tickets to check
whether the requested access is justified in terms of risk.
The risk of the requested changes to your organization is displayed in the Risk
Assessment tab. For each change request there is a list of:
› All the Access Policy and Rule Policy violations that the requested change
would cause
› All the vulnerability occurrences to which the requested change would expose
your organization
Note: Skybox does not calculate risk for change requests that add Deny rules.
These requests are considered both compliant and secure.
Analysts reviewing tickets in the Risk Assessment phase:
1 Check the due date of the ticket. If it is overdue or seems unreachable, revise
the due date for the current phase (and Skybox modifies subsequent due
dates).
2 Check whether each request is compliant with your organization’s Access
Policy and Rule Policy and view the violations if it is not.
3 Check whether each request exposes your organization’s network to any
Vulnerability Definitions and view the exposed Vulnerability Definitions.
4 Based on the 2 previous steps, determine the overall risk of the ticket.
5 If there are policy violations, decide whether to approve them, and whether to
limit your approval until a specific expiration date. After the ticket is verified,
these changes are no longer displayed as violations in Change Manager or
Firewall Assurance until their expiration date is reached.
6 If the risk continues to be very high, decide whether to demote the ticket to a
previous phase (or to the Requestor) with an explanation. Otherwise,
promote the request to the next phase.
2 After you look at the overall risk of each original change request, change the
view to Derived Change Requests.
3 Review each change request that is not compliant.
a. With the request selected in the table, look at the Compliance: Policy
Violations table. Each violation shows the policy type and the part of the
affected policy that would be violated if this request is implemented.
Skybox version 10.0.300 26
Chapter 2 Change management
Because violations might exist for other reasons also, violations that are
only a result of the request are marked as new.
Note: If you are working with recertification requests, all the policy
violations and vulnerability occurrences for the access rule are listed,
to help you to determine the risk of recertifying the rule.
b. If you decide that the risk of the change request is acceptable (at least
temporarily), click Approve.
c. In the Approve Request dialog box, select either Approve Until or
Approve with No Expiration. If you select Approve Until, an expiration
date is displayed. This date is determined by the highest severity of all the
violations. Higher severities have closer expiration dates. (You can change
the expiration date.)
• You can check the available solutions for each exposed Vulnerability
Definition by clicking the link in the Solutions column.
5 Based on your review, specify the risk of the ticket:
a. Assign a risk value: High, Medium, or Low.
b. In the Assessment Details box, type your assessment of the risk. This
can include separate risks for each request.
If the risk is too high, demote the ticket to a previous phase for additional
review and update of the requests or back to the Requestor to revise the
requests. Make sure to add a comment explaining the problem.
Note: If you do not have permissions for all the change requests, there is
a Review button instead of Promote. After all the change requests in the
ticket are reviewed by their owners, it is promoted automatically.
7 If there are no approved change requests when you promote the ticket, you
are asked whether to approve the change requests as part of the promotion.
The effects of approval are the same as those explained in step 3.
Implementation phase
The Implementation Details tab includes a list of changes to be made on the
firewalls. Use this tab to track and comment on tickets, and for tickets that
require urgent implementation. We recommend that the actual implementation
be done via the Pending Implementation view, where change requests are
grouped by firewalls, in a way that is suitable for the firewall administrators that
implement the changes.
The tasks in this phase are often split between the following users:
Note: Even if you are using automatic implementation, you must perform
this step.
5 Tickets whose change requests are all marked as implemented are promoted
automatically and are no longer listed in Pending Implementation. If the
ticket was not promoted, promote it manually to the final phase (usually
named Verification or Pending Closure). (When you promote a ticket, its
change requests are marked as implemented.)
By default, tickets are sent to their Requestors for verification. After the
Requestor reviews the ticket, they usually close it.
Verifying a request
After the firewall changes are implemented, Skybox rechecks the change
requests the next time firewall data is imported. An Analysis – Change
Tracking task, scheduled to run after the import cycle, checks the requests.
› If all the change requests are implemented (that is, there is access between
the source and destination over the specified port), Skybox changes the
status of the ticket to Verified, and the ticket is sent back to its original
Requestor, who usually closes it.
If notifications are set up for Access Change tickets, then the owner receives
a notification about the change in the ticket status.
Rejected tickets
A ticket that is rejected for any reason is given a status of Rejected and
returned to its Requestor. It should usually be closed, but the Requestor can
reopen it and fix the properties.
To close a ticket
1 Select the ticket.
2 Click .
3 Add a comment to the ticket before you close it.
4 Click OK.
› Reject a ticket
› View statistics for any workflow
Note: Requestors can only manage the first and last phases of the tickets.
Rule recertification
Rule recertification tickets are opened by users in Skybox Firewall Assurance or
Skybox Network Assurance, or automatically for access rules that are schedule to
be reviewed in the near future (via rule recertification ticket policies). Each
recertification ticket includes at least 1 access rule.
After recertification tickets are opened, they are handled in Change Manager.
They generally go through a different workflow than other tickets, with fewer
steps.
Pending Review
Rule owners can use the Pending Review section to view and respond to each
of the rules they own that are in the process of recertification. When there are
multiple owners of a rule, each owner can see the status selected by all the other
owners.
Statuses
When a recertification ticket for a rule with multiple owners is promoted, the rule
will have one of the following statuses:
Change implementation
For firewall administrators who must implement change requests, it is helpful to
view the requests grouped by firewalls. To do this, use the Pending
Implementation view, which lists all change requests from tickets in the
implementation phase.
When you work in the Pending Implementation view, you can:
In this chapter
Viewing a specific set of change requests ............................... 33
Assigning change requests ................................................... 34
Implementing change requests ............................................. 34
› To assign change requests to yourself, select the change requests and click
Assign to Me.
› To assign change requests to a specific user, select the change requests and
click Assign; select the user.
In both cases, you must add a comment to the change request.
› View the change requests in command format (see page 34) and then mark
them as implemented (see page 35) in Skybox
This format can help you to understand the changes that you need to make.
It saves time because you can copy and paste relevant parts of the command
text directly. Sometimes, these are generic representations. For many request
types on Cisco devices, a representation of the command is displayed in Cisco
format.
A separate window shows the commands to use on the firewall for each
selected change request.
› Add Rule
› Modify Rule
› Deactivate Rule
› Add Object
› Modify Object
You can copy the commands in this window directly to the CLI, but they might
need editing to make them completely compatible with the command format
used on the firewalls.
AUTOMATIC IMPLEMENTATION
Change Manager provides the option of automatically implementing some change
requests directly to Check Point, Cisco ASA and Firepower, Palo Alto Panorama,
and Fortinet FortiManager devices.
Note: For best results, we recommend that you use these versions.
Device Version Additional Add Add Modify Modify Delete Global
type information Rule Object Rule Object /Disab Object
le Rule
Check R77 • Expiration dates
Point are not supported
CPMI in Add Rule.
• Modify Rule is not
supported.
• Implementation
fails if other read-
write sessions are
open at the same
time.
• Automatic
implementation is
not supported on
R77 MDS CMAs
(Check Point
limitation).
Check R80, • Modify Rule is
Point R80.10, supported from
Security R80.20 R80.10 and
Manage higher.
ment
Cisco 9.3(2),
ASA 9.9(2)
Cisco 6.2.3, You must implement
Firepow 6.3 the Add Object and
er Add Rule change
requests at the same
time.
Fortinet 5.2, The policy must be
FortiMa 5.4, 5.6 installed on a VDOM.
nager
Palo PA OS An administrator can
Alto 7.1, PA define whether the
› Add Rule
Support is available for expiration dates, comments, networks, hosts, ranges,
and TCP, UDP, and ICMP services.
› Add Object
Support is available for source, destination, service, and object comments.
› Modify Rule
Support is available for Allow rules, Deny rules, source, destination, and
service.
Global rules cannot be modified.
› Object renaming
› Changes to global objects
› If the ticket is in the Verification phase, open the Implementation tab, select
each change request to revert, and click Revert.
The ticket is demoted to the Implementation phase. For every change
request to revert, a change request to delete the rule is added to the ticket.
Note: When a change request is reverted, the ticket will not move automatically
to the Verified phase. This must be done manually.
› <view name>_<timestamp>.csv
› <panel name>_<request>_<phase
name>_phase_Ticket_<ticket#>_<timestamp>.csv
Workflow statistics
The Workflow Statistics view displays statistics for each workflow; for example,
the number of tickets that have change requests that were opened during the
selected period, the firewalls for those change requests, a breakdown of change
requests per type, and the total number of change requests for the workflow.
Administration of Change
Manager
Administration is via Skybox Manager, not the Skybox Change Manager web
interface.
In this chapter
User management .............................................................. 42
Customizing the look and feel of Change Manager................... 47
Configuring Change Manager options .................................... 48
Customizing ticket phases and workflows ............................... 53
Multi-tier change requests.................................................... 63
Customizing ticket priority levels .......................................... 64
Enabling users to change the status of their tickets ................. 64
Setting up the Application & Service repository ....................... 65
Setting up analysis of change requests .................................. 68
Triggers ............................................................................. 68
Integration with the ServiceNow ticketing system ................... 75
User management
All Skybox Change Manager users must be registered Skybox users with the
appropriate user role (see page 43) for their job. We recommend that you define
user groups that classify the Skybox Change Manager users according to their
tasks or departments.
The Skybox Admin window (Tools > Administrative Tools > Users), displays
users and user groups in the tree, and a list of users and their properties in the
workspace.
Note: This section explains aspects of user management that are specific to
Skybox Change Manager. For additional information, see the User management
section in the Skybox Installation and Administration Guide.
USER ROLES
The following user roles can work with Skybox Change Manager:
› User or User – Assurance: These users can create and work with tickets
both in the Manager and in Change Manager:
Analysts and administrators working with Change Manager must have a user
role of User or User – Assurance.
› Web Ticket User: These users can manage tickets in Change Manager.
› Web Ticket Requestor: This role is intended specifically for users whose
main job in Skybox is to create tickets in Change Manager. These users can
create tickets (that is, submit change requests) in Change Manager and close
tickets that they created.
› Read-only User and Read-only User – Assurance: These users can
manage tickets in Skybox Change Manager.
› Custom roles based on Admin – Assurance, User – Assurance, or Read-
only User – Assurance.
USER ACTIVITIES
The actions that can be performed on tickets in Change Manager and by which
users are listed in the following table. Admins can perform all actions on all
tickets.
Action Who can do it Additional information
Create a ticket Usually done by Web Ticket The user must have
Requestors but can be done permissions for the 1st phase
by any user. of the workflow in which they
want to create the ticket.
Edit a ticket The ticket owner or another
member of the owner’s user
group who has full
permissions for the current
workflow phase.
Promote (or The user who created or Depending on permissions,
demote) a ticket updated the ticket can then after the ticket is promoted,
that you created promote it to the next phase, Web Ticket Requestors
or updated assigning it to any user with might not be able to view or
full permissions for that edit it.
phase.
Delete a ticket This depends on what Tools > Options > Change
attachment permissions were defined for Manager > Permissions >
ticket attachments. You can Attachment Permissions
specify that ticket
attachments cannot be
deleted at all.
Reassign a ticket The ticket owner or another
member of the owner’s user
group who has full
permissions for the current
workflow phase.
Reopen a closed Only Admins.
ticket
› Web Ticket Requestor: For users whose main job in Change Manager is
turning requests into Skybox tickets and, later, closing these tickets
› Web Ticket User: For users who have permissions to perform various tasks
in Change Manager
Note: Skybox Admin, User, and User-Assurance users can work with Change
Manager.
By grouping users who share the same permissions, you can assign permissions
in Skybox to the whole group rather than to each user separately. Users in the
same group can edit each other’s tickets, if the group is assigned permissions.
Create a default user for each group (see Defining a default user for each group
(on page 45)).
Skybox version 10.0.300 44
Chapter 7 Administration of Change Manager
For information about how to create user groups, see the User groups topic in
the Skybox Installation and Administration Guide. For information about how to
create users, see the Users topic in the same book.
PERMISSIONS
To work with Change Manager tickets, users must have permissions for specific
workflows or workflow phases. You can grant these permissions to individual
users or (preferably) to groups of users via Tools > Admin Tools > Users,
either when you create the users and user groups or by editing them later.
› Admins have permissions for all workflows and phases. They can reopen
tickets.
› Grant Users, Web Ticket Users, and Read-only Users permissions for any
workflow phases in which they must create tickets or edit them.
› Grant Web Ticket Requestors permissions for any workflows in which they
must create tickets, and for any workflow phases in which they must view or
edit the tickets.
› You can define the types of change requests that Requestors can create. By
default, they can only create Access Update change requests.
› You can define whether Requestors can view and revise ticket due dates. By
default, they cannot.
› You can define whether all Requestors can see all tickets. By default,
Requestors can only view tickets that they themselves or a member of their
user group created.
› You can define whether Requestors can view detailed information about
access rules that permit or block access. By default, Requestors cannot view
this information.
You can change these permissions in Tools > Options > Server Options >
Change Manager Settings > Permissions > Requestor Permissions.
› The user must have permission to edit tickets in this workflow phase.
Workflow phase permissions are defined per user or user group in the CM
Permissions tab.
› The ticket must be assigned either to the user or to someone in the same
user group. If the ticket was assigned to a different user who is not in the
same user group (but who also has permission to edit tickets in this workflow
phase), the user cannot edit the ticket.
For example, John owns a ticket in workflow1, phase 2. Mary can edit the
ticket if she and John are in the same group and the group is permitted to edit
tickets in this workflow phase. If Mary is not in John’s group, even if her
group has permissions for this workflow phase, she cannot edit the ticket.
Note: If Tickets can only be edited by their owner is selected (in
Tools > Options > Server Options > User Settings > User
Permissions), then only the ticket owner can edit each ticket, not other
members of the owner’s group.
› If Ticket creator cannot edit this phase is selected for a phase (in Tools >
Options > Server Options > Change Manager Settings > Workflows),
the user who created the ticket cannot edit the ticket in that phase.
› Use Tools > Options > Server Options > Customization to define the
display settings.
The parts of the screen that can be customized are described in the following
table.
Note: If you change the text, logos, and website address, the navigation pane
includes the message: “Powered by Skybox”.
Property Description
Logo
Company Name The company name to display; default is SKYBOX.
Website Address Specifies the URL that opens when users click the logo at
the top left of the Change Manager or Skybox Horizon
page; default is www.skyboxsecurity.com
Logo Image The logo to be shown at the top left of the Change
Manager or Skybox Horizon page.
Note: The logo must be in PNG format and should be 75
x 43 pixels. Larger images are resized to 75 x 43 for
display.
Welcome Logo The logo to be shown at the top of the Change Manager
Image home page.
Note: The logo must be in PNG format and should be 250
x 101 pixels. Larger images are resized to 250 x 101 for
display.
Login Screen The logo to be shown on the login screen of Change
Image Manager and Skybox Horizon.
Note: The logo must be in PNG format and should be 500
x 305 pixels. Larger images are resized to 500 x 305 for
display.
Toolbar The colors to display on the Change Manager or Skybox
Background Horizon toolbar.
Colors
Toolbar The colors of the text to display on the Change Manager
Foreground Colors or Skybox Horizon toolbar. Note: Each text color is
displayed directly underneath the background color on
which it will be used. (There is no text on the 3rd section
of the toolbar.)
Property Description
Message of the Day
Enter message of The message to display after a user logs in to Skybox
the day in HTML Change Manager.
format Note: The <html>, <body>, <header>, and <script>
tags cannot be used in the message.
Dashboards
Maximal number The maximum number of dashboards in a Skybox web
of dashboards interface.
Note: To revert to using the Skybox look and feel, click Return to Default.
Optimization settings
Access Update and Add Rule change requests can be optimized into Modify Rule
change requests; modifying an existing access rule rather than creating a new
rule usually makes rule maintenance an easier task (as there are fewer rules to
maintain). However, some organizations prefer separate rules for different
scenarios.
Change requests are checked against existing access rules to see if their fields
match those of any access rules. Optimization (to Modify Rule change requests)
is performed when at least 2 fields of the change request match the
corresponding fields of an access rule. You can specify:
› Identical Match: At least 2 of the fields of the change request match the
same 2 fields of the access rule exactly.
› Contained within: At least 2 of the fields of the change request are
contained within (or identical to) the fields in the access rule.
• The sub-option Include Contained in Any provides an even broader
basis for matching: Consider fields as matching if the value of the field in
the access rule is Any.
› If the model does not include routers or is not fully connected, use firewall
mode.
› If the model includes routers and is fully connected, use network mode.
In network mode, you can also define the Access Policy scope to use for
calculating policy violations.
For additional information, see the Change Manager Settings topic in the Skybox
Installation and Administration Guide.
Verification
Change Manager verifies change requests by matching the main fields (source,
destination, and services) of the requests with those of the access rules.
Additional fields can be used in the verification:
4 Use the General and Rule Business Attributes areas to map the column names
in the file to the change request fields (including source, destination, and
service).
5 If you are uploading from anything other than the 1st sheet in an Excel file
that has multiple sheets, add the name of the sheet in the Excel Sheet field
in the Advanced area.
6 If the change request files may include expiration dates, next review dates, or
any other dates, either make sure that the dates are listed in standard date
format (MM/dd/yyyy) or change the expected date format in the Date
Format field in the Advanced area.
› Custom Fields
You can specify how many custom fields are displayed in a single row in
Change Manager tickets.
› Add Rule
› Add Object
› Modify Rule
› Modify Object (Fortinet FortiManager only)
› Delete/Disable Rule (Check Point R80 only)
For information about automatic implementation, including supported device
versions, see Automatic implementation (on page 36).
Risk Assessment
To make it mandatory for users to comment in the Risk panel before promoting a
ticket, select Enforce Risk Justification comment.
If you have a Firewall Assurance-only license, vulnerability occurrences are not
available by default in Change Manager. To make vulnerability occurrences
available, select the Show Exposed Vulnerability Occurrences field.
Approve Risk
When you approve the risk of a change request in the Risk Assessment phase,
the Approve Request dialog box provides an expiration date for the approval,
based on the highest violation severity caused by the change request. Skybox
uses these expiration dates to create the corresponding exceptions, based on the
approval. For each risk level, a period is specified for calculating the expiration
date. When you approve a change request, this period is added to the current
date to provide the expiration date.
You can change the expiration period for each severity according to your policy.
Skybox version 10.0.300 52
Chapter 7 Administration of Change Manager
› For each risk level for which you want to change the expiration period:
1. Select the level in the Approve Risk table and click Modify.
2. In the Default Approve Expiration Date dialog box, change the value.
3. Click OK.
CONFIGURING TICKETS
You can define various options for tickets via the Tools > Options > Server
Options > Change Manager Settings > Tickets page.
› Whether Skybox closes tickets whose change requests are all implemented
› Whether Skybox closes ticket that are in the final phase (usually Pending
Closure or Verified) after a specified number of days
› The status assigned to tickets that Skybox closes
Creating workflows
There are several ways to create a new workflow:
Phases
Each phase has an owner, due date, start date and end date. Each phase also
has a list of field groups (panels) that defines the information that is accessible in
Skybox Change Manager when a ticket is in that phase.
When a ticket is created, it contains the list of phases that it is to pass through
according to its workflow. Initially, the ticket is assigned to the 1st phase and the
1st phase owner. During the life cycle of the ticket, the ticket can progress from
1 phase to the next or go back to the previous phase. You can specify that
specific phases are skipped automatically if they meet the conditions that you set
for them.
When a phase owner finishes working on a ticket, they promote it to the next
phase. This updates the end date of the phase and moves the ticket to the next
owner. If a phase owner sees a problem in a ticket, they can demote it to the
previous phase, adding a comment to specify the problem.
The verification phase is always the final phase in each workflow. It is the final
step in the life cycle of each ticket; completed tickets are automatically passed to
this phase. In some organizations, the administrator uses this phase to review
the work that was done and validate its completion. If your organization is not
interested in using this final check, you can complete the work by moving the
ticket to the verification phase.
7 Click Next.
The Phases page is displayed.
8 Add phases to the workflow in order. The final phase is added automatically;
by default, it is named Pending Closure.
For information about adding phases, see Adding new phases to a workflow
(on page 57).
9 Specify the phase (if any) of the workflow that is visible in the Approved
Requests view.
The Pending Implementation view enables firewall administrators to see all
change requests from tickets in the implementation phase, so that they can
implement them per firewall rather than per ticket. You can control whether
this view is displayed in Change Manager and how it works.
a. In the Pending Implementation View area, select Enable Pending
Implementation View.
b. In Based on Phase, select the phase for which the view is visible. Use the
implementation phase of the workflow.
c. To automatically promote tickets to the next phase when all their requests
are implemented, select Automatically promote tickets.
10 Click Next.
The Ticket SLA page is displayed. Use this page to define how due dates for
each phase of the workflow are added. You can use the default work time or
define a work time specifically for this workflow.
11 Specify whether the 1st phase is included in the timetable for tickets of all
priorities. The 1st phase is for creating and submitting tickets. Sometimes,
you want the age of each ticket to be calculated only after the ticket passes
this phase.
If you do not want the 1st phase to be included in the timetable for each
ticket, clear Include the first phase in the timetable.
12 Define the maximum phase lengths for each priority level:
a. Select the priority and click Modify.
b. In the table, click each phase in turn and type the maximum number of
days in which that phase must be completed.
You must provide the maximum length of every phase. (If you cleared
Include the first phase in the timetable, you do not need to provide a
maximum length for the 1st phase.)
c. Click OK.
13 Specify the work week and the holiday schedule for the workflow:
• For a standard schedule, select Use Default Settings.
— For information about defining the standard schedule, see Defining the
default work time for ticket workflows (on page 55).
When you add a phase, you define the information to display on that page in
Change Manager by adding field groups (panels). You can add existing field
groups that are also displayed in other phases, or custom field groups. Custom
field groups contain custom fields that you define. You can mark each field group
(existing or custom) that you add as read-only if you do not want users to edit it
in that phase.
field, select Read-only, if necessary, and click OK. You can change the
order of the field groups by moving them up or down.
› Change Requests: In the 1st phase, used for creating, viewing, and editing
change requests
› Comments: In any phase, enables users to add a comment to the ticket
› General Information: Title, priority and description of the ticket
› Implementation Details: Used by firewall administrators in the
Implementation phase to add a target date for implementation and any
relevant details
› Implementation List: Used by firewall administrators in the
Implementation phase; shows each change request separately with the
details of the changes needed on the firewall
› Recertification: Used for recertification workflows; shows the rules for which
recertification was requested and enables the ticket owner to certify or reject
each rule
› Review Change Requests: Used in the 1st or 2nd phase; enables users to
review the original and derived change requests, and to make changes
› Risk Assessment: Used when reviewing the risk of change requests; you
can change the risk level and add assessment details (text)
› Risks: Used to review the risk of both original and derived change requests;
enables you to view risk information (compliance and security of the risk), to
add a comment for risk justification, and to approve the risk of the change
requests
Note: You can mark field groups as read-only. Individual fields cannot be read-
only; to make fields read-only in this phase, create separate field groups for
them.
You can create a field group that is a link to an URL. This enables the ticket
owner to view information about the ticket from an external ticketing system
(see Linking to an external ticketing system (on page 60)).
iv. If a value for the field must be entered in this phase, select Mandatory.
v. Click OK.
vi. Repeat these steps to add another new field.
d. To make the fields read-only for users in this phase, select Read-only.
e. Click OK.
Linking to an external ticketing system
You can show ticket-related information to users in phases. This information can
come from your organization’s ticketing system or from any other organizational
system that holds such information. You can add a panel to any phase that
shows the desired information.
Note: Make sure that there is a default owner for the next phase of these tickets.
EDITING PHASES
You can make the following changes to an existing phase of a workflow:
Property Description
Permissions – By default, the creator of a ticket can edit the ticket in
Ticket creator any phase. You can specify that ticket creators cannot
cannot edit this edit this phase.
phase Note: Some phases cannot be edited by Web Ticket
Requestors, but this field prevents ticket creators,
regardless of their user role, from editing their own
tickets in this phase.
Note: If your organization has created an Application & Service repository, you
can add owners (approvers) for workflow phases per application. These owners
are then used as the default phase owners for tickets that relate to the
applications. For additional information, see Using application phase approvers as
the default phase owners of application-related tickets (on page 67).
› The change requests in the ticket do not trigger any policy violations
Skybox version 10.0.300 62
Chapter 7 Administration of Change Manager
› The change requests in the ticket do not cause any vulnerability occurrences
› Policy violations triggered by the change requests in the ticket are at or lower
than a specified severity level (Info, Low, Medium, High, or Critical)
› Vulnerability occurrences caused by the change requests in the ticket are at
or lower than a specified severity level (Info, Low, Medium, High, or
Critical)
› In Tools > Options > Server Options > User Settings > User
Permissions, verify that Permissions for Firewall Assurance, Network
Assurance (Access Analyzer) & Vulnerability Control is selected.
› Verify that Firewall Assurance user permissions are assigned.
› In Tools > Options > Server Options > User Settings > User
Permissions, select Apply Firewall Assurance permissions to Change
Manager tickets.
To set up notifications
Note: If you work with multi-tier change requests, notifications can be sent to all
firewall administrators or to the user group’s default owner.
1 Select Tools > Administrative Tools > Triggers.
2 In the Skybox Admin window, right-click Triggers and select New Trigger.
3 In the New Trigger dialog box, select the Ticket trigger type and fill in the
fields as specified in the Skybox Reference Guide.
4 Click OK.
Note: Ticket status can only be changed manually for active tickets. The status of
‘finished’ tickets (those with Resolved, Rejected, or Closed status) cannot be
changed manually. The status of a ticket with a custom status can only be
changed manually if its status is in the Open status group.
Note: If the owner and approvers for an application are the same as those
of its application group, you do not need to define them again in the
application.
Note: The Owner field is for future use; it is not necessary to define
application Owners.
2 Define in which phases of which workflows users can define (or change) the
application or application group associated with a ticket.
› Connectivity between the source and destination over the selected services
› Compliance with your Access Policy
› That tickets with Resolved or Verified status were implemented
If the tickets were implemented, and connectivity now exists, the ticket status
is changed to Verified. If connectivity does not exist, the task changes the
ticket status to Reopened.
Analyze change tracking after reimporting the relevant firewalls, so that the
analyzed information is up-to-date; create a task sequence that includes offline
file import or online collection tasks for the analyzed firewalls, followed by an
Analysis – Change Tracking task.
For information about task sequences, see the Task sequences section in the
Skybox Firewall Assurance User Guide.
Triggers
Skybox uses triggers (rules) to:
CREATING TRIGGERS
You can create triggers that send notifications, run scripts, or both.
To create a trigger
1 Select Tools > Administrative Tools > Triggers.
2 In the Skybox Admin window, right-click the Triggers node and select New
Trigger.
3 In the General pane, provide a name for the trigger and select Ticket as the
notification type.
4 Fill in the other fields in the General tab as described in the following table.
5 If you want a non-standard notification for the events covered by this trigger
(as specified in the Notification Events tab), or if you want different
notifications for the same event (for example, for different user roles), see
Customizing notifications (on page 71).
6 Click OK.
Property Description
Events tab
Ticket Events
Any ticket change Triggers notifications and scripts every time that a ticket
(including (that matches all the filters) is created, changed, or
creation and deleted.
deletion)
Specific actions Triggers notifications and scripts every time that a
and updates specified change occurs to a ticket that matches all the
filters.
Use the Actions and Updates property to specify the
change types that trigger notifications.
Actions and A list of change types that, if selected, trigger
Updates notifications and scripts when they occur.
Overdue
Notify on overdue Specifies whether notifications and scripts are triggered
tickets when a ticket becomes overdue (misses the due date for
the current phase).
Ticket Filter tab
Network Scope (Skybox Vulnerability Control and Threat Manager only)
The assets and container entities for which to send
notifications.
Type The type of ticket for which to trigger notifications and
scripts.
Ticket Phases Triggers notifications and scripts if the ticket is in a
selected phase.
Ticket Owner Triggers notifications and scripts if the ticket belongs to a
selected owner.
Owner Lookup If owners are specified in Ticket Owner, specifies
whether to search for the selected ticket owners in the
current phase of each ticket or in specific phases.
If you select Specific Phases, select the desired phases
in the Owner Phases field.
Property Description
Owner Phases The phases in which to search for the ticket owner.
Priority Triggers notifications and scripts if the entity for which the
ticket was created has the selected priority.
CVSS Base Score (Skybox Vulnerability Control and Threat Manager only)
Triggers notifications and scripts if the CVSS base score of
the Vulnerability Definition for which the ticket was
created is in the selected range.
CVSS Temporal (Skybox Vulnerability Control and Threat Manager only)
Score Triggers notifications and scripts if the CVSS temporal
score of the Vulnerability Definition for which the ticket
was created is in the selected range.
Trigger Notification tab
Ticket's CC List Sends notifications to all users listed in the cc list of the
ticket.
Ticket Owner Sends notifications to the owner (assignee) of the ticket.
Ticket Owner's Sends notifications to all users who are in the same user
Group(s) groups as the owner (assignee) of the ticket.
Ticket Requestor Sends notifications to the user who created the ticket.
Skybox Users Sends notifications to the selected Skybox users.
External Email Sends notifications to the specified email addresses.
Addresses
When the assignees or cc list recipients of this Ticket change, send
notifications to:
New Recipients (Read-only) Sends notifications to users added to the
ticket.
Former Recipients Sends notifications to users removed from the ticket.
Change Manager If FA permissions are enabled for Change Manager,
Notification specifies who receives notifications about each derived
Recipients change request.
User Groups Specifies whether notifications about each derived change
Default Members request are sent to the default member of all the user
groups to which the relevant firewall owner belongs.
All Firewall Specifies whether notifications about each derived change
Administrators request are sent to all administrators for the relevant
firewall.
Trigger Program tab
Tasks Specifies the Tools – Script Invocation tasks that are
run when the triggering specifications are met.
Content of email
ID: 372
Title: Access from dev desktops to SVN machine
Description: Access from Guy's team to the SVN server in port 1234.
Priority: High
Due Date: 2/5/14
URL: https://Nir-PC:8443/skyboxview/#cpl-Ticket:&Ticket=372
Notifications are based on templates that use text and keywords (variables) to
inform the recipients of changes that occurred. The following is the template that
produced the preceding notification.
Subject field
Ticket __TICKET_ID__ was promoted to phase __CURRENT_PHASE__
URL: __URL__
The text in this template is the actual text that is in the email notifications. The
keywords (listed in the template as __<KEYWORD_NAME>__) are replaced by the
value of the relevant field in Skybox when a notification is created, as in the
sample at the beginning of this topic.
Skybox’s default templates use specific text and keywords for specific events, but
if you create your own templates you can use any text together with the
appropriate keywords. You can create multiple notification templates for the
same event type (for example, a very basic template for Ticket Requestors
when their tickets are promoted and a more detailed template for the users
responsible for implementing the next phase). You create multiple notification
templates using the Notification Templates tab of the Notification properties
dialog box.
CUSTOMIZING NOTIFICATIONS
You create custom notifications using the Notification Templates tab.
Note: This specifies to Skybox to not use the default template that would
otherwise be used for the selected event types. The notification contains
only the information that you add.
3 Skybox uses the text in the Subject field as the subject header of the email
notification:
a. Add appropriate text. For example, “Subject: New Ticket ID ” (without
the quotation marks but including the space at the end).
b. With the cursor placed after the text, click Insert Label.
See Keywords for notifications (on page 72) for a list of all possible
keywords.
c. In the list that appears, double-click the name of the field to add. For this
example, select Ticket ID.
The relevant keyword (for this example, __TICKET_ID__) is inserted in the
text.
d. Add any text to appear in the subject header after the keyword. In this
example, you might add “ Notification” (again, without the quotation
marks; remember to include a space).
4 Skybox uses the text in the Primary Information field as the body of the
email notification. It should provide the changes that were made. Use the
same steps that you used for the Subject field, adding lines of text and
keywords.
Note: The Details field is not necessary in Change Manager notifications;
it provides information used for other types of ticket notifications.
5 Click OK.
The new notification is added to the list of notifications.
You can use the keywords in the following table in Access Change ticket
notifications
Ticket field Keyword
The importance of the __IMPORTANCE__
violated Access Check
The test ID of the violated __VIOLATION_ID__
Access Check
The name of the Access __APR_NAME__
Check
The type of the Access __APR_TYPE__
Check (Limited, No-
Access, or Full Access)
The path of the Access __APR_PATH__
Check in the policy tree
The source used in the __SOURCE__
Access Check
The destination used in the __DESTINATION__
Access Check
The original change __ORIGINAL_CHANGE_REQUESTS__
requests of the ticket
The derived change __DERIVED_CHANGE_REQUESTS__
requests of the ticket
Keywords that you can use in ticket notifications for specific events are listed in
the following table.
Ticket field Keyword Event / Note
Creation time __CREATION_OF_TICKET__ Ticket creation (and other
ticket events, when
necessary)
Original ticket ID __ORIGINAL_TICKET_ID__ Cloned ticket
URL __URL__ Displays the URL of the
Change Manager with the
relevant ticket ID.
Done date __DONE_DATE__ Ticket completion
Status __STATUS__ Ticket completion (and
other ticket status change
notifications)
Closure type __CLOSURE_TYPE__ Ticket closure (explains
how the ticket was closed)
Deletion time __DELETION_TIME__ Ticket deletion
Deleted by __DELETED_BY__ Ticket deletion
Current owner __CURRENT_OWNER__ Events (including promote,
demote, or reassign)
Current owner __CURRENT_OWNER_WITH_ Same as
with email EMAIL__ __CURRENT_OWNER__ but
adds the email address in
parentheses. If the user
does not have an email
address defined, then this
is the same as
__CURRENT_OWNER__
Previous owner __PREVIOUS_OWNER__ Events (including promote,
demote, or reassign)
Previous owner __PREVIOUS_OWNER_WITH Same as
with email _EMAIL__ __PREVIOUS_OWNER__
but adds the email address
in parentheses. If the user
does not have an email
address defined, then this
is the same as
__PREVIOUS_OWNER__
Previous phase __PREVIOUS_PHASE__ Phase-changing events
(including promote or
demote)
Current phase __CURRENT_PHASE_NUMBE Displays the number of the
number R__ current phase. If there are
no phases or if the ticket is
closed, this field is empty.
SUPPORTED WORKFLOWS
The following workflows are supported in Skybox when working with ServiceNow.
› Create a ticket
1. A user creates a ticket in Skybox.
2. Skybox extracts all the relevant data from the ticket and uses it to create a
ticket in ServiceNow.
3. The Skybox ticket (External ID field) is updated with the ServiceNow ticket
number.
› Update a ticket
1. A user updates a ticket in Skybox.
2. Skybox finds the parallel ticket in ServiceNow using the (Skybox) ticket's
External ID.
3. Skybox updates the ServiceNow ticket with the relevant Skybox data.
1. The ticket action that was defined to trigger uploading reports occurs. For
example, a Skybox ticket is promoted from the Request phase to the
Technical Details phase of the General workflow (if this is the defined
trigger).
Note: This workflow uses a sample action that could trigger a report:
ticket promotion from the Request phase to the Technical Details
phase. However, the workflow for different triggers is similar.
2. Skybox collects the data needed for the report and creates an Excel report
file.
3. Skybox uploads the report to ServiceNow as an attachment to the ticket.
SETTING UP SERVICENOW
To set up ServiceNow to work with Skybox Change Manager
1 Create a new dev environment (ServiceNow instance). For example:
https://dev81508.service-now.com/
2 Create a default user.
a. Type “users” in the search bar on the left.
c. Give the user a user ID and password, first and last name, and email.
d. Click Submit.
3 Disable Business Rules for this table.
a. Find the Change Requests table by typing “change” in the search bar and
selecting Change - All.
If you are using a demo environment created by ServiceNow, the table
should already have tickets.
b. Create a new ticket by clicking New.
c. From the menu, select Configure > Business Rules.
d. Find the rule “State model - Can change state?”.
e. Click the link to edit the rule.
f. Disable the rule by making sure that the Active check box is cleared.
SETTING UP SKYBOX
Each workflow requires both a separate task and a separate trigger. It also
requires a separate phase mapping (on page 78).
CONFIGURATION
The following additional configuration is required for the integration:
› Phase mapping
› Destination endpoint
- skybox_phase_name: 'Closed'
service_now_name: 'Closed'
service_now_state: 3
assignment_group: 'a715cd759f2002002920bde8132e7018'
Definitions
› After a new ticket is uploaded to ServiceNow, you must refresh the Skybox
ticket before you continue working with it.
› After a ticket is promoted to a different phase in Skybox, you must refresh
the ticket in ServiceNow to see the new phase.