Firewall Change Request Process


Request a Firewall Change

Service Types

  1. Problem Resolution/Service Restoration
    • Problem requests are those made under the direction of a Problem Manager in the course of managing the resolution of a problem or those identified as such by the Information Security Officer.
    • Urgent problem requests will be processed before other firewall change requests and will be implemented either as soon as possible or during a change window, as determined by CAB.
  2. Routine Changes
    • Routine changes as approved by IT Services' CAB (draft summary below, pending CAB approval).
  3. Project Related/Other Changes
    • CAB approval is required, including for out-of-cycle changes.

| Change type | Lead time | Change window |
|---|---|---|
| Problem Resolution | As required | ASAP |
| Routine | 3-5 business days | Tuesday or Thursday change window |
| All other | 15 business days, including CAB and IT Security approvals (note: the scope of the change could cause delays in this process). | Thursday window |

Firewall Request Process Overview

| Change Title | Description |
|---|---|
| Firewall - Create VLAN Interface | Create a new VLAN interface. |
| Firewall - Create Security Zone | Create a new security zone. |
| Firewall - Simple Policy Change | Make a simple addition to an existing firewall policy, such as adding an IP address or a well-known or easily verifiable port to the firewall policy or policy group. The change involves no more than two firewalls, four or fewer security zones, ten or fewer hosts (with the same change requested for all hosts involved), and six or fewer ports and/or applications. |
| Firewall - Create of Policies | Create a new security policy that does not require a security review and involves at most two firewalls, four or fewer security zones, ten or fewer hosts (with the same change requested for all hosts involved), and six or fewer ports and/or applications. |
| Firewall - Addition of Routes | Implement a static route on the firewall so that VLANs not directly attached to the firewall are reachable. |
| Firewall - Addition of NAT | Create network address translations on the firewall for new hosts or hosts without current address translations. |