
Document Control

Authorization
TEMPLATE NAME Firewall Change Request Form
TEMPLATE VERSION 1
EFFECTIVE DATE 15th-Sep-2023
TEMPLATE OWNER Information Technology
TEMPLATE APPROVER Process Owner
DOCUMENT OWNER Mahesh Patil (M23882)
DOCUMENT CLASSIFICATION Restricted
DOCUMENT VERSION NO. 1

Review
TEMPLATE VERSION DATE AUTHOR
1.0 15th-Sep-2023

Frequency of Review – Annually

Ownership

The Bank's Information Technology is the owner of the document. Unless otherwise specified, no part of this document may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from Information Technology (IT). Similarly, distribution of this document to a third party is also prohibited unless specific approval is taken from IT. This document is allowed to be distributed to vendors by the IT Team.

Placement

The most updated copies of the document can be found on the Bank's information portal under the Information Technology (IT) section. All printed copies of this document are to be treated as uncontrolled and may be obsolete. You shall always consult the current authorized versions before making important decisions.
Guidelines for Firewall Change Control Form

1. For firewall rule open requests in the following cases, ISG approval is required to be received and attached in the Change by the Change Initiator and to be verified by the Change Approver (Line Manager):
   - Risky ports, e.g. tcp-80, tcp-21, tcp-23, tcp-1521, tcp-3306, tcp-1433
   - Management access on services like ssh, rdp or others directly from VDI or user laptop/desktop instead of CyberArk
   - Request for RFC 1918 supernets, e.g. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and entire VDI supernets
   - Request for "any" source or destination or service
   - Request for source or destination = Internet, 3rd Party, Vendor/partner
   - Request for communication between PROD and UAT, PROD and DEV, or UAT and DEV
2. For tcp-22, please specify the service: is it ssh or sftp?
3. All the details mentioned in the CCF for the firewall rule request need to be collected from / synced with the CMDB.
4. A justification for each rule is mandatory.
5. It is the responsibility of the Change Initiator and the Change Approver (Line Manager) to take approval from the Source and Destination Application Owners and the Incident Manager / Problem Manager in case the Risk / Impact category is Critical or High.
6. Once the Change is approved by CAB, there will not be any change in the CCF template. If any change is required, a new change needs to be raised.
7. Note: This Change is applicable for the Cloud Connect Zone and Cloud Landing Zone Firewall, including Cloud Native Firewalls, e.g. Security Group, VPC Firewall, Network Security Group.
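As an added example, not part of the bank's CCF template or its tooling, the following Python script triages each rule line of the form against the ISG risk criteria in guideline 1, the tcp-22 ssh/sftp requirement in guideline 2, and the template's own "single IP with /32" convention, so the Change Approver can see before CAB which lines need ISG sign-off attached. The row layout (one dict per line item), the field names such as source_type and tcp22_service, the port numbers assumed for ssh (22) and rdp (3389), and every sample row except the one mirroring rule 5 of the form are assumptions made for this illustration.

```python
"""Pre-CAB triage of firewall rule rows against the ISG risk criteria in the guidelines.

Added example, not the bank's own code. The row layout, field names and helper
names are assumptions; the criteria themselves are the ones listed in the guidelines.
"""
import ipaddress

# Criteria from guideline 1: any hit means ISG approval must be attached to the Change
# by the Change Initiator and verified by the Change Approver (Line Manager).
RISKY_PORTS = {("tcp", 80), ("tcp", 21), ("tcp", 23), ("tcp", 1521), ("tcp", 3306), ("tcp", 1433)}
MGMT_PORTS = {("tcp", 22), ("tcp", 3389)}  # ssh / rdp; the rdp port number is an assumption
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL = {"internet", "3rd party", "vendor", "partner", "vendor/partner"}
ENVIRONMENTS = {"prod", "uat", "dev"}
ENDPOINT_TYPES = {"vdi", "laptop", "desktop"}  # sources that must go via CyberArk for management access


def parse_service(text):
    """'TCP-9476' -> ('tcp', 9476); 'UDP-5000-5010' -> ('udp', (5000, 5010)); 'any' -> ('any', None)."""
    t = text.strip().lower()
    if t == "any":
        return ("any", None)
    proto, _, rest = t.partition("-")
    if proto not in ("tcp", "udp") or not rest:
        raise ValueError(f"unrecognised service {text!r}; expected TCP/UDP-<port or port range>")
    lo, _, hi = rest.partition("-")
    return (proto, (int(lo), int(hi))) if hi else (proto, int(lo))


def parse_address(text):
    """IP/CIDR -> ip_network; the literal 'any' -> 'any'; anything else (an FQDN) -> the bare string."""
    t = text.strip().lower()
    if t == "any":
        return "any"
    try:
        return ipaddress.ip_network(t, strict=False)
    except ValueError:
        return t


def is_rfc1918_supernet(net):
    """True when net is one of the RFC 1918 blocks or wholly contains one (10.0.0.0/8, 10.0.0.0/7, ...)."""
    return isinstance(net, ipaddress.IPv4Network) and any(net.supernet_of(b) for b in RFC1918)


def triage_rule(rule):
    """Return the findings for one rule row; an empty list means nothing needs ISG sign-off."""
    hits = []
    src, dst = parse_address(rule["source"]), parse_address(rule["destination"])
    proto, port = parse_service(rule["service"])
    src_loc, dst_loc = rule["source_location"].lower(), rule["destination_location"].lower()

    # Template convention: a single host must be written with /32.
    for label, raw in (("source", rule["source"]), ("destination", rule["destination"])):
        if "/" not in raw and isinstance(parse_address(raw), ipaddress.IPv4Network):
            hits.append(f"template: {label} {raw.strip()} is a single IP written without /32")

    if "any" in (src, dst) or proto == "any":
        hits.append('"any" source, destination or service')
    for label, net in (("source", src), ("destination", dst)):
        if is_rfc1918_supernet(net):
            hits.append(f"RFC 1918 supernet as {label} ({net})")
    if (proto, port) in RISKY_PORTS:
        hits.append(f"risky port {proto}-{port}")
    if (proto, port) in MGMT_PORTS and rule.get("source_type", "").lower() in ENDPOINT_TYPES:
        hits.append(f"management access {proto}-{port} directly from {rule['source_type']} instead of CyberArk")
    if (proto, port) == ("tcp", 22) and rule.get("tcp22_service", "").lower() not in ("ssh", "sftp"):
        hits.append("tcp-22 requested without stating whether it is ssh or sftp")
    if src_loc in EXTERNAL or dst_loc in EXTERNAL:
        hits.append("source or destination is Internet / 3rd Party / Vendor-partner")
    envs = {src_loc, dst_loc} & ENVIRONMENTS
    if len(envs) > 1:
        hits.append("traffic between environments " + " and ".join(sorted(envs)))
    return hits


def triage_form(rows):
    """Map each row's Sr.No to its findings, one entry per line item of the form."""
    return {row["sr"]: triage_rule(row) for row in rows}


# Constructed sample rows. ROW_5 mirrors one line item of rule 5 in the form
# (ECMS V2 Prod -> OBP Prod, TCP-9476); the others are made up to exercise the criteria.
ROW_5 = {"sr": 5, "source_type": "Other", "source": "10.226.49.166/32", "source_location": "Prod",
         "destination": "10.227.232.56/32", "destination_location": "Prod", "service": "TCP-9476"}
ROW_SUPERNET = dict(ROW_5, sr="x1", source="10.0.0.0/8")
ROW_ANY_DB = dict(ROW_5, sr="x2", source="any", service="TCP-1433")
ROW_CROSS_ENV = dict(ROW_5, sr="x3", destination_location="UAT")
ROW_VDI_SSH = dict(ROW_5, sr="x4", source_type="VDI", source="10.50.1.10", service="TCP-22")

if __name__ == "__main__":
    for sr, findings in triage_form([ROW_5, ROW_SUPERNET, ROW_ANY_DB, ROW_CROSS_ENV, ROW_VDI_SSH]).items():
        print(sr, "OK" if not findings else "needs attention: " + "; ".join(findings))
```

The supernet test uses `supernet_of`, which also matches an exact RFC 1918 block, so a request for 10.0.0.0/8 itself is caught as well as a wider range that swallows it; a narrower internal subnet such as 10.226.0.0/16 is not flagged by that criterion, which matches the wording of guideline 1. Whether a VDI supernet is being requested cannot be decided from the page, since the VDI ranges are not listed here, so that part of the criterion is left to the reviewer.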
Classification - Internal #

Details Required (with Change Initiator Input)

1. Source Application Owner Name (as per ITGRC/CMDB) & employee code (if multiple, add additional records): ECMS V2
2. Change Initiator Name & employee code: Mahesh Patil (M23882)
3. Line Manager Name (Change Approver) & employee code: Sujeet Singh (S2319)
4. Functional Head Name & employee code: Izadyas Rohinton Irani (I1548)
5. Destination Application Owner Name (as per ITGRC/CMDB) & employee code (if multiple, add additional records): ECMS V2 Sujeet Singh (S2319)
6. What is the Destination Application Availability Rating (as per ITGRC)? 3
7. Confirm if RULES are requested for ALL STANDBY & DR INSTANCES too (Yes/No): Yes
8. Approval from Source Application Owner is attached in Change? (To be verified by CAB): Yes
9. Approval from Destination Application Owner is attached in Change? (To be verified by CAB): Yes
10. Confirm, Rules are requested for which environment? Prod
11. In case of DEV/UAT/POC, please mention the duration (Rules will be opened for the said duration): Permanent

Firewall Rule Template

Columns of the template (add a separate line item for each port in the same direction):
  Sr.No
  Source Type (select from drop-down list)
  Source Name (as per CMDB: Hostname / Resource Name / Resource Identity)
  Source Location (select from drop-down list)
  Source IP/Subnet with CIDR (a single IP is mentioned with /32)
  Source NAT IP (if applicable, else NA)
  Destination Type (select from drop-down list)
  Destination Name (as per CMDB: Hostname / Resource Name / Resource Identity)
  Destination Location (select from drop-down list)
  Destination IP/Subnet with CIDR or FQDN (a single IP is mentioned with /32)
  Destination NAT IP (if applicable, else NA)
  Port No / Services (TCP/UDP - <Port number/Port Range>)
  GCP Destination Tag (Network Tag, as configured during resource deployment) - only applicable to GCP Cloud
  AWS Security Group ID - only applicable to AWS Cloud
  Azure NSG Name - only applicable to Azure Cloud
  Bidirectional/Unidirectional
  Permanent/Temporary <Exp date> (mention the rule expiry date in case of temporary)
  Justification for Risky Access if falling under Risk Criteria
  Justification for Bidirectional Communication, if there
  Purpose of rule

Rule 5
  Source Type: Other
  Source Name: ECMS V2
  Source Location: Prod
  Source IP/Subnet: 10.226.49.166, 10.226.50.124, 10.226.51.7, 10.225.56.92, 10.225.10.252, 10.225.17.1
  Source NAT IP: NA
  Destination Type: Other
  Destination Name: OBP
  Destination Location: Prod
  Destination IP/Subnet: 10.227.232.56, 10.227.232.57, 10.225.232.59, 10.225.232.60, 10.227.230.159, 10.225.230.255
  Destination NAT IP: NA
  Port No / Services: TCP-9476, TCP-9447, TCP-443
  GCP Destination Tag: TCP
  AWS Security Group ID: NA
  Azure NSG Name: NA
  Bidirectional/Unidirectional: Bidirectional
  Permanent/Temporary: Permanent
  Justification for Risky Access, Justification for Bidirectional Communication and Purpose of rule (identical on the form): We need to open firewall rules for the OBP IP and port to the ECMS PROD application for the OBP interface to ensure connectivity for Zerodha's ECMS client.

Rule 6
  Source Type: Other
  Source Name: OBP
  Source Location: Prod
  Source IP/Subnet: 10.227.232.56, 10.227.232.57, 10.225.232.59, 10.225.232.60, 10.227.230.159, 10.225.230.255
  Source NAT IP: NA
  Destination Type: Other
  Destination Name: ECMS V2
  Destination Location: Prod
  Destination IP/Subnet: 10.226.49.166, 10.226.50.124, 10.226.51.7, 10.225.56.92, 10.225.10.252, 10.225.17.1, 10.226.109.12, 10.225.72.243
  Destination NAT IP: (blank on the form)
  Port No / Services: TCP-9476, TCP-9447, TCP-443
  GCP Destination Tag: TCP
  AWS Security Group ID: NA
  Azure NSG Name: NA
  Bidirectional/Unidirectional: Bidirectional
  Permanent/Temporary: Permanent
  Justification for Risky Access, Justification for Bidirectional Communication and Purpose of rule (identical on the form): We need to open firewall rules for the OBP IP and port to the ECMS PROD application for the OBP interface to ensure connectivity for Zerodha's ECMS client.

Rule 7
  Source Type: Other
  Source Name: ECMS V2
  Source Location: Prod
  Source IP/Subnet: 10.226.49.166, 10.226.50.124, 10.226.51.7, 10.225.56.92, 10.225.10.252, 10.225.17.1, 10.226.109.12, 10.225.72.243
  Source NAT IP: NA
  Destination Type: Other
  Destination Name: OBP
  Destination Location: Prod
  Destination IP/Subnet: 10.227.204.70, 10.227.204.71, 10.227.204.72, 10.227.204.73, 10.227.204.74, 10.227.204.75, 10.227.204.76, 10.227.204.77, 10.227.204.61, 10.227.204.62
  Destination NAT IP: NA
  Port No / Services: TCP-9476, TCP-9447, TCP-443
  GCP Destination Tag: TCP
  AWS Security Group ID: NA
  Azure NSG Name: NA
  Bidirectional/Unidirectional: Bidirectional
  Permanent/Temporary: Permanent
  Justification for Risky Access, Justification for Bidirectional Communication and Purpose of rule (identical on the form): We need to open firewall rules for the OBP IP and port to the ECMS PROD application for the OBP interface to ensure connectivity for Zerodha's ECMS client.

Rule 8
  Source Type: Other
  Source Name: OBP
  Source Location: Prod
  Source IP/Subnet: 10.227.204.70, 10.227.204.71, 10.227.204.72, 10.227.204.73, 10.227.204.74, 10.227.204.75, 10.227.204.76, 10.227.204.77, 10.227.204.61, 10.227.204.62, 10.227.204.63
  Source NAT IP: NA
  Destination Type: Other
  Destination Name: ECMS V2
  Destination Location: Prod
  Destination IP/Subnet: 10.226.49.166, 10.226.50.124, 10.226.51.7, 10.225.56.92, 10.225.10.252, 10.225.17.1, 10.226.109.12, 10.225.72.243
  Destination NAT IP: (blank on the form)
  Port No / Services: TCP-9476, TCP-9447, TCP-443
  GCP Destination Tag: TCP
  AWS Security Group ID: NA
  Azure NSG Name: NA
  Bidirectional/Unidirectional: Bidirectional
  Permanent/Temporary: Permanent
  Justification for Risky Access, Justification for Bidirectional Communication and Purpose of rule (identical on the form): We need to open firewall rules for the OBP IP and port to the ECMS PROD application for the OBP interface to ensure connectivity for Zerodha's ECMS client.