Table Of Contents
Managing Activities
Understanding Activities
Understanding How the Locking Mechanism Works
Managing Activities with Workflow Disabled
Important Notes about Using Firewall MC When Workflow Is Disabled
Using the Activity Bar
Managing Activities with Workflow Enabled
Using Activity Management
Creating an Activity
Submitting an Activity for Review
Approving or Rejecting an Activity (Approval Process Enabled)
Opening an Existing Activity
Closing an Activity
Undoing An Activity
Understanding Activity Error and Warning Messages
Activity Error Messages
Activity Transition Warning Messages
Managing Activities
You use activities to make most changes in Firewall MC. Certain settings, like administrative settings, do not require an activity to modify, but firewall device settings must be changed using an activity. Activities provide an audit trail for changes, and are a convenient way to experiment with changes—you can simply discard any activities with changes you do not want to implement.
Activities are implemented in three different ways, depending on the workflow mode you choose:
•
Workflow disabled (default)—The workflow feature is turned off, eliminating the need for you to define activities. Firewall MC defines activities automatically when you make configuration changes.
•Workflow enabled—The workflow feature is turned on. You must define activities to make changes, but formal approval is not required for you to deploy changes.
•Workflow with formal approval enabled—The workflow feature is turned on. You must submit an activity for approval before you can deploy changes.
When workflow is enabled, the GUI displays the Workflow tab. You can use it to manage activities. When workflow is disabled, the GUI displays the Deployment tab. You can use the Deployment tab to view deployment status information and to deploy saved configurations to devices.
You control which of these methods to use for tracking changes. You can enable workflow with or without approval at any time; however, before you can disable workflow, you must approve or discard any open activities and deploy, cancel, or verify that all jobs are being deployed. For more information on jobs, see Managing Deployment With Workflow Enabled.
Topics to be discussed are:
• Understanding Activities
• Managing Activities with Workflow Disabled
• Managing Activities with Workflow Enabled
• Understanding Activity Error and Warning Messages
Understanding Activities
You use activities to control changes made to the firewall devices you are managing. Although how activities are implemented depends on the workflow settings you choose, activities provide the following benefits in all workflow modes:
•Audit trail—Activities track changes that are made in Firewall MC. You can use this information to determine what changes have been made and who made the changes. For more information, see Viewing Administrative Activity Reports, page 16-31.
•Safety mechanism—Activities provide a means for experimenting with changes. You can make changes using an activity, then view the configuration that results from those changes. If you do not want to implement the changes, you can discard the activity. For more information, see Undoing An Activity.
•Task isolation—When you create an activity, the firewall devices that are modified by that activity are locked from further changes. This prevents conflicting changes that could make a configuration unstable. For more information, see Understanding How the Locking Mechanism Works.
Understanding How the Locking Mechanism Works
The device hierarchy is the basis for the locking-model design, which ensures the integrity of the deployed configuration files. If a group within the hierarchy is locked, subgroups and devices are implicitly locked. This eliminates the possibility of conflicting changes being imposed on the same devices.
When you open or create an activity, the system must acquire a lock. The lock can be acquired only if no other activity holds a lock on the same groups or devices. Other users are locked out until the activity is approved and committed or undone. This guarantees that when you change elements associated with a global group, no other user can read or write changes to the group that you are editing.
Note When workflow is enabled, locks are associated with activities. When workflow is disabled, locks are associated with users.
Imagine a device hierarchy with a group called Global at the top level containing subgroups Fruits and Nuts. Fruits contains devices Apple and Banana. Nuts contains devices Walnut and Pecan.
The general rule is that when an activity makes changes to a device or device group in the hierarchy, that device or group and everything below that group is locked, and each enclosing group is marked so that no other activity can lock it. Making changes to the Global group locks everything in the hierarchy. Adding a group or device to an existing group is like making changes to the existing group.
Consider the following:
•Suppose an activity were to make changes to Walnut device settings. Nothing can be below a device, so nothing other than Walnut is locked. Walnut is enclosed by the Nuts group, which is enclosed by the Global group. Both Global and Nuts are marked to prevent other activities from locking them. Another activity can be used to make changes to Pecan, because the marks on Nuts and Global only prevent them from actually being locked.
Suppose an activity tried to make changes to the Nuts group. These changes would not be permitted, because the Nuts group has been marked, which prevents it from being locked.
•Suppose an activity were to make changes to the Fruits group. The Fruits group becomes locked. The Apple and Banana devices contained within the Fruits group are also locked. The Fruits group is enclosed by the Global group, so Global is marked to prevent any other activities from locking it. In this example, changes to the Nuts group can still be made by another activity.
Understanding Padlock Icons
After you use the Object Selector to select the scope, Firewall MC displays the scope information in the Object bar. A padlock icon is placed to the left of the locked device or device group. The padlock is associated with the highest locked point in the object hierarchy. This enables you to determine if the device or device group is available for you to make configuration changes. You can also place the mouse cursor over the lock to determine who holds the lock when workflow is disabled, or which activity holds the lock when workflow is enabled.
Two types of padlocks exist:
•Red—Another user or activity holds the lock. You cannot make changes to devices or device groups until the configurations for those devices are generated and deployed, are being generated, or are discarded.
•Green—You or the current activity holds the lock. You can make changes to the devices and groups, which are locked to outside users.
Taking Over Changes
You might find the need to take over changes originated by another user. For example, you need to make changes to a device, but you are denied access because another user has an activity open that holds a lock on that device. If the user is not available to save or discard his changes, you can take over his activity, which transfers the lock to you and allows you to make changes to the device.
The Take Over Changes feature can be accessed only when workflow is disabled. If you decide to enable workflow, all activities must be submitted and approved before a lock becomes available to another user. As a result, the Take Over Changes feature is not used. However, when a user takes over changes from another user, it is recorded in the Activity Management table. To access the table, select Workflow > Activity Management.
To perform this task, your user role must be assigned the appropriate privileges.
Step 1 Select Admin > Take Over Changes.
The Take Over Changes page appears.
Step 2 Locate the user who holds the lock that you want to take over, click the appropriate radio button, then click Take Over Changes.
After the page refreshes, your name is shown in the User column and you hold the lock. You may now make changes to devices and device groups.
Managing Activities with Workflow Disabled
When workflow is disabled (default), you do not need to define activities for tracking changes in Firewall MC. After you make configuration changes, you can deploy those changes. To do so, click the Save and Deploy icon in the activity bar under the Devices and Configuration tabs. You can also discard the changes. To do so, click the Undo icon. When you click the Save and Deploy icon, new configurations are generated for any modified devices. You can then deploy the new configurations or save and deploy them later. For more information on deploying saved configurations, see Using the Deployment Tab.
The Deployment tab is visible only when workflow is disabled. When you enable workflow, the Deployment tab is replaced by the Workflow tab, and you manage deployments by using jobs. For more information on using jobs for deployment, see Using Job Management.
Important Notes about Using Firewall MC When Workflow Is Disabled
•You can enable workflow at any time, but to disable workflow, you must approve or discard any open activities and deploy, cancel, or verify that all jobs are being deployed before you disable workflow.
•You do not need to define an activity when workflow is disabled; an activity is automatically assigned to you. To view report information, click the View Details icon in the activity bar or select Reports > Activity.
•Locks are assigned to users, not activities.
•A user acquires locks as needed.
•After you save and deploy or save a device configuration for deployment later, the lock on that device is released.
•When workflow is disabled, you cannot select the deployment method during deployment. You must specify the deployment type before deploying. To specify the deployment type for a device or group, select Configuration > MC Settings > Deployment, then click the Deployment Type radio button that corresponds with the method to use for deployment.
Using the Activity Bar
When workflow is disabled, you use the activity bar under the Devices and Configuration tabs to:
•Generate configurations for changed devices.
•Undo changes.
•View changes that were made since the last save.
Table 4-1 shows the activity bar icons available when workflow is disabled.
Table 4-1 Activity Bar Icons Used when Workflow Is Disabled
Icon
|
Icon Name
|
Description
|
|
Save and Deploy
|
Generates configurations for devices and allows you to deploy configurations now or later.
|
|
Undo
|
Discards all changes to configurations and device inventories since the last save.
|
|
View Details
|
Opens a popup window to display changes made to configurations and device inventories since the last save.
|
Managing Activities with Workflow Enabled
Many organizations benefit from separating responsibility for defining, approving, and deploying corporate firewall policies. For example, a security administrator might be responsible for defining a device configuration file, another administrator for approving the configuration file, and a network operator for deploying the resulting configuration to a device. This separation of responsibility helps maintain the integrity of deployed device configurations.
Firewall MC supports this separation of responsibility by using activities and jobs. Activities and jobs define tasks that are accomplished by one or more people in succession.
Note You can set up Firewall MC to require formal approval for both activities and jobs. This approval process is disabled by default. To enable it, select Admin > Workflow Setup.
Activities control policy changes. When you create a new activity, you are preparing a proposal to create or change firewall device configurations. An activity includes such information as device groups or devices to which configuration settings, access rules, and translation rules will be downloaded. To access the activities feature, select Workflow > Activity Management. See Using Activity Management.
Tip You can also access the activities feature from the Devices and Configuration tabs by clicking the activity bar buttons at the top right of your screen.
After an activity is approved, you can download the corresponding configuration elements to several devices in the form of a job. A job identifies devices to which configuration files will be deployed. To access the jobs feature, select Workflow > Job Management. See Using Job Management.
To view the latest configuration file, select Configuration > View Config. See Viewing Configurations.
The following table is a quick reference to help you understand how to use activity- and job-management features.
Using Activity Management
When you create a new activity, you are preparing a proposal to create or change firewall device configurations.
An activity is a task that is accomplished by one or more people in succession. For example, a network administrator sets configuration parameters for a firewall device, and a system administrator approves the configuration settings. This separation of responsibility helps maintain the integrity of deployed device configurations.
Because most users manage many firewall devices within their networks, it is common practice to manage these devices in groups. The Firewall MC design is based on a navigation hierarchy to facilitate navigation to firewall device groups and devices. As a result, a single activity could affect several devices or groups; however, only one user may open the activity at any given time.
Important Notes About Activities
•The opened activity and its state are displayed in the top right corner of pages under the Devices and Configure tabs in the activity bar. This enables you to see at a glance the context within which you are working. If no activity is open, the word None is displayed.
•An activity must be opened (in the Edit_Open state) to allow changed device or configuration information to be saved.
•Each user can have only one activity open at a time; users are locked out of any other activity that involves an overlapping scope.
•Multiple users can work in an activity in series, but only one user can have the activity open at a time.
•An activity acquires locks as needed.
•After an activity is approved, changes in an activity cannot be undone automatically. You must create a new activity and manually change the settings back to the desired state.
•If you are working in an activity, you can click Undo at any time to discard changes.
Understanding Activity Actions
Firewall MC keeps a history of actions made with each activity, from creation to approval for deployment. You also have the option of undoing all changes to an activity, which discards the activity from use. Although the Activity Management table shows only the most recent action state, you can view all actions for an activity by selecting Reports > Activity. See Viewing Administrative Activity Reports, page 16-31.
Figure 4-1 shows an Activity Management table with activity actions and activity state information. After a new activity is defined, it advances to the Edit_Open state in the Activity Management table. The activity name is also displayed in the activity bar at the top right of your screen when you view it under the Devices or Configure tab. You can now begin making device or configuration changes.
While in the Edit_Open state, the activity and the devices and groups defined within the activity are locked to other users. Only the person who opened the activity can make changes.
Figure 4-1 Activity Management Table
|
|
Name
|
Description
|
1
|
Activity
|
User-defined activity name.
|
2
|
State
|
State of the activity in which you are working.
|
3
|
Opened by
|
Username of person associated with most recent state.
|
4
|
Last Action
|
Date and timestamp of most recent state.
|
5
|
Activity action buttons
|
See Table 4-2 for activity action buttons and their descriptions.
|
Table 4-2 shows activity action buttons and their descriptions.
Table 4-2 Activity Action Buttons
|
|
Description
|
Refresh
|
Manually refreshes the table.
Note The table refreshes automatically every 60 seconds.
|
Status
|
Opens a popup window showing the status of a selected activity, for example, if an activity has import or generate operations in progress.
|
Info
|
Opens a popup window to display changes made to configurations and device inventories.
|
Add
|
Adds a new activity to the Activity Management table.
|
Open
|
When activity is in Edit or Rejected state, it opens the activity. Changes the activity state to Edit_Open. When activity is in Submitted state, it opens the activity. Changes the activity state to Submitted_Open.
|
Close
|
Closes an activity. Changes activity state to Edit.
|
Submit
|
Visible only when formal approval process is enabled. Notifies person with approval authority that activity is ready for review. Changes the activity state to Submitted.
|
Undo
|
Discards the activity. Changes the activity state to Discarded.
|
Approve
|
When approval is disabled, used by the person who created an activity. When approval is enabled, used by the person with approval authority to approve an activity. Changes the activity state to Approved.
|
Reject
|
Visible when formal approval process enabled. Used by person with approval authority to reject activity. Changes activity state to Rejected.
|
Cancel
|
Cancels the active import/generate operations associated with a selected table row.
|
Understanding Activity States
An activity can have the following states, which are shown in the State column of the Activity Management table:
Note Available actions associated with an activity state might vary according to whether approval is enabled or disabled.
•Edit—The activity is unlocked, but it cannot be configured within the context of another activity. You must open the activity to make changes to corresponding configuration elements. The activity can be opened or discarded while it is in the Edit state.
•Edit_Open—The activity is opened from the Edit state, or a new activity has been created that automatically results in an Edit_Open state. Configuration changes can be made to the devices and groups selected. The devices or groups being configured are locked to other users. An activity can be edited until it is submitted for approval or deleted. The activity can be closed, discarded, submitted, or approved while it is in the Edit_Open state.
•Submitted—The activity is submitted for review from the Edit_Open state. The activity can no longer be edited; no further configuration changes can be made within the activity. The devices and groups selected for the activity are still locked to other activities. The activity can be discarded or rejected while it is in the Submitted state.
•Submitted_Open—The activity is opened for review from the Submitted state. The devices and groups selected for the activity are still locked to other activities. The activity can be approved or rejected while it is in the Submitted_Open state.
•Generate_Open—The activity is being submitted and the associated device configuration files are being generated for review. The activity can be canceled from the Generate_Open state.
•Reverse_Generate_Open—The activity is importing new devices. The activity can be canceled from the Reverse_Generate_Open state.
•Approved—The activity was approved by a person with approval authority from the Submitted_Open state. The corresponding configuration elements defined within the activity are now committed policy configurations. The locks are removed. The devices and groups can be used in a new activity. The activity can be discarded while it is in the Approved state. A job must be defined to deploy the activity and device configuration files to the devices.
•Rejected—The activity was rejected by a person with approval authority from the Submitted_Open state. The activity remains in the rejected state until it is reopened for editing. Device groups and devices associated with the activity remain locked to other users. The activity can be discarded from the Rejected state.
•Discarded—The activity is discarded (Undo was selected) and further changes to the activity are disallowed. Device groups and devices associated with the activity are unlocked to other users. An activity can be discarded from any state. It is retained in the Activity Management table until it is purged by the system. To configure the same devices or groups, you must create another activity or add each device or group to another existing activity.
Note•If an activity is in the Edit_Open state, you can edit and save changes that you make, but only if the devices or device groups contained within that activity are not overlapping into another activity that is locked.
•If an activity is not in the Edit_Open state, you can view its contents in a read-only state, which is selected implicitly. This allows you to view the last-saved activity content. It does not display content that is undergoing changes.
Creating an Activity
Creating activities to support your organization's policies is simple. You can define your activities:
•As a succession of actions (for example, populate network, set access rules, set passwords).
•Based on your network topology (for example, East Coast, Corporate Office, Finance, Third-party).
•By defining a change in configuration settings (for example, AAA).
You then configure your network settings and submit them for review and approval (if the approval process is enabled). Ultimately, the activity takes effect through deployment jobs that download new configuration information to the selected devices.
After you define your activity, it is listed in the Activity Management table, along with its current state.
Note Creating an activity adds a new row to the Activity Management table and opens the activity automatically.
Step 1 Select Workflow > Activity Management.
The Activity Management page appears.
Step 2 Click Add.
You are prompted to enter an activity name and an optional activity comment.
Step 3 Enter the information in the fields provided, then click OK.
You are returned to the Activity Management table with the new activity listed. The activity state is shown as Edit_Open. Updated information is shown in the Last Action column.
You are ready to begin the device setup or configuration settings for use for later deployment.
Table 4-3 describes the elements in the Activity Management page.
Table 4-3 Activity Management
Element
|
Description
|
Activity
|
User-defined proposal to create or change firewall device configurations. Task accomplished by one or more people in succession.
|
State
|
State of the activity in which you are working.
•Edit—The activity is unlocked, but it cannot be configured within the context of another activity. You must open the activity to make changes to corresponding configuration elements. The activity can be opened or discarded while it is in the Edit state.
•Edit_Open—The activity is opened from the Edit state, or a new activity has been created that automatically results in an Edit_Open state. Configuration changes can be made to the devices and groups selected. The devices or groups being configured are locked to other users. An activity can be edited until it is submitted for approval or deleted. The activity can be closed, discarded, submitted, or approved while it is in the Edit_Open state.
•Submitted—The activity is submitted for review from the Edit_Open state. The activity can no longer be edited; no further configuration changes can be made within the activity. The devices and groups selected for the activity are still locked to other activities. The activity can be discarded or rejected while it is in the Submitted state.
•Submitted_Open—The activity is opened for review from the Submitted state. The devices and groups selected for the activity are still locked to other activities. The activity can be approved or rejected while it is in the Submitted_Open state.
•Generate_Open—The activity is being submitted and the associated device configuration files are being generated for review. The activity can be canceled from the Generate_Open state.
•Reverse_Generate_Open—The activity is importing new devices. The activity can be canceled from the Reverse_Generate_Open state.
|
|
|
|
|
|
|
State (cont.)
|
•Approved—The activity was approved from the Submitted_Open state by a person with approval authority. The corresponding configuration elements defined within the activity are now committed policy configurations. The locks are removed. The devices and groups can be used in a new activity. The activity can be discarded while it is in the Approved state. A job must be defined to deploy the activity and device configuration files to the devices.
•Rejected—The activity was rejected from the Submitted_Open state by a person with approval authority. The activity remains in the rejected state until it is reopened for editing. Device groups and devices associated with the activity remain locked to other users. The activity can be discarded from the Rejected state.
•Discarded—The activity is discarded (Undo was selected) and further changes to the activity are disallowed. Device groups and devices associated with the activity are unlocked to other users. An activity can be discarded from any state. It is retained in the Activity Management table until it is purged by the system. To configure the same devices or groups, you must create another activity or add each device or group to another existing activity.
|
Activity action buttons1 ,2
|
•Refresh—Manually refreshes table. Table is refreshed automatically every 60 seconds.
•Status—Opens a popup window showing status of a selected activity, for example, if an activity has import or generate operations in progress.
•Info—Opens a popup window to display changes made to configurations and device inventories.
•Add—Adds a new activity to Activity Management table.
•Open—When activity is in Edit or Rejected state, opens activity. Changes activity state to Edit_Open. When activity is in Submitted state, opens activity. Changes activity state to Submitted_Open.
•Close—Closes activity. Changes activity state to Edit.
•Submit—Visible when approval is enabled. Notifies person with approval authority that activity is ready for review. Changes activity state to Submitted.
•Undo—Discards the activity. Changes activity state to Discarded.
•Approve—When formal approval process is disabled, used by person who created activity. When formal approval process is enabled, used by person with approval authority to approve Activity. Changes activity state to Approved.
•Reject—Visible when formal approval process enabled. Used by person with approval authority to reject activity. Changes activity state to Rejected.
•Cancel—Cancels the active import/generate operations associated with a selected table row.
|
Opened by
|
Shows username associated with most recent state.
|
Last Action
|
Shows timestamp and action for most recent state.
|
Note You can view a history of changes made to activities by selecting Reports > Activity Changes.
Submitting an Activity for Review
The review and approval feature is disabled by default, but you can enable the feature if your organization requires a formal approval process. See Requiring Formal Approval, page 3-9.
If the approval process is disabled, the submit and approval process is a single step and the activity is approved automatically when it is submitted. If the approval process is enabled, you must submit an activity to someone in your organization for review and approval. When you submit an activity for review, it must be in the Edit or Edit_Open state. After you submit an activity for approval, a person with approval authority reviews the changes.
•If the changes are approved, they are committed. The activity is completed and no further changes can be made. Groups and devices affected by the activity are unlocked.
•If the changes are rejected, you can:
–Reopen the activity and fix any problems identified by the approver.
–Discard all changes by performing Undo. In this instance, the undo feature undoes all changes made for an activity, not just the last change in a sequence.
Note•If approval is disabled, the wizard guides you through the complete approval process.
•If approval is enabled, the wizard guides you through the submittal process. The Activity Management table action buttons are used to complete the approval process.
•The Activity Management table action buttons you use to submit and approve an activity will vary according to whether approval is enabled or disabled.
Before You Begin
•Make sure the activity is in the Edit or Edit_Open state.
Step 1 Select Workflow > Activity Management.
The Activity Management page appears.
Step 2 In the table, find the activity to submit for approval, then do one of the following:
•If approval is disabled:
a. Click Approve.
b. Enter the Activity Submit Comment (recommended). Enter a comment related to the submitted activity request (for example, includes changes to address translation pools for the Global scope).
c. Click OK.
•If approval is enabled:
a. Click Submit.
b. Enter the email address of a person with approval authority in the field provided. You can enter more than one email address.
c. Enter the Activity Submit Comment (optional). Enter a comment related to the submitted activity request (for example, includes changes to address translation pools for the Global scope).
d. Click OK.
The Review Device Generation List page appears, which displays a list of devices that are changed by the activity.
Step 3 Verify that the devices listed are correct, then click Next.
The activity summary page appears.
Step 4 Verify the information, then click Finish.
If any devices were changed by the activity, a device status popup window opens. The window refreshes automatically every 60 seconds; however, you can click Refresh to update device status manually.
Tip To view the device configurations, select a device from the popup window, then click View Config. A new window displays the configuration file. Repeat this step for each device listed. Close the window after you view the configurations for each device.
Step 5 After viewing device status information, close the device status window. This is not necessary if no devices were changed by the activity.
•If approval is disabled, you are returned to the Activity Management table with the activity state shown as Approved in the State column. Updated information is shown in the Last Action column. You can either create a new activity or create a job, which is used to deploy the approved activity and configuration files to the assigned devices. See Using Job Management.
•If approval is enabled, you are returned to the Activity Management table with the activity state shown as Generate_Open in the State column. The state column refreshes to display Submitted. Updated information is noted in the Last Action column. You can create a new activity.
Note Device groups and devices associated with the submitted activity remain locked until the activity is approved or discarded.
Approving or Rejecting an Activity (Approval Process Enabled)
Only a person with approval authority can approve or reject an activity. In a traditional environment, a creator and an approver work together to support changes made to policies. The creator submitting the activity for approval is prompted to enter the email address of the persons responsible for approving the activity. A person with approval authority can do one of the following:
•Approve the activity—The Activity Management table displays Approved in the State column. Changes are committed. The devices and device groups associated with the activity are unlocked to other users.
•Reject the activity—The Activity Management table displays Rejected in the State column. The activity can be resubmitted after changes are made, or discarded.
Note The review and approval feature is disabled by default, but you can enable the feature if your organization requires a formal approval process. See Requiring Formal Approval, page 3-9.
Before You Begin
•Make sure the activity is in the Submitted state.
Step 1 Select Workflow > Activity Management.
The Activity Management page appears.
Step 2 In the table, find the activity to review, then click Open.
The activity state changes to Submitted_Open.
Step 3 Run an activity report to view changes (recommended). See Viewing Administrative Activity Reports, page 16-31.
Step 4 View the configuration file for each device listed in the activity (recommended). To do this, select the activity, then click Status.
A popup window displays the generation status of all devices in the activity.
Step 5 From the popup window, select a device, then click View Config.
Step 6 Do one of the following:
•To approve an activity, click Approve.
•To reject an activity, click Reject.
You are prompted to enter an optional comment.
Step 7 Enter the optional information in the field provided, then click OK.
You are returned to the Activity Management table with Approved or Rejected displayed in the State column. Updated information is shown in the Last Action column.
Opening an Existing Activity
You can open an activity to make changes only if it is unlocked or if none of the devices and device groups overlap another activity that is locked. To verify whether the activity can be opened, check the Activity Management table. If the state shown is any of the following, you will not be able to open the activity:
•Edit_Open—The activity is locked, along with related devices and device groups, and changes are being made to device configuration settings.
•Submitted or Submitted_Open—The activity is locked, along with related devices and groups, and is awaiting approval.
•Discarded—The activity was discarded; no changes can be made.
Note If devices or device groups are overlapping into another activity that is locked, you receive an error message when you click Finish.
Step 1 Select Workflow > Activity Management.
The Activity Management page appears.
Step 2 In the table, find the activity to open, then click Open.
The activity state is shown as Edit_Open in the Activity Management table. Updated information is noted in the Last Action column.
You are ready to continue setting up devices or making configuration changes for use for later deployment. Do either of the following:
•Go to the Devices tab to define device groups, create devices, and import devices and configuration files.
•Go to the Configure tab to configure settings, access and translation rules, and building blocks.
Closing an Activity
After you complete an activity, you should close it to grant access to other users. If you have permission to do so, you may close an activity that was opened by another user. Otherwise, you may close only an activity that you opened.
Step 1 Select Workflow > Activity Management.
The Activity Management page appears.
Step 2 In the table, find the activity to close, then click Close.
The activity state is shown as Edit in the State column and updated information is shown in the Last Action column.
Note Although the activity is closed, locks remain on its associated device groups and devices.
Undoing An Activity
You might need to discard changes to configuration settings associated with an activity. If this occurs, you can undo your changes, which reverts to the previous configuration settings.
Note•You can discard (undo) an activity in any state.
•If you undo an activity while other activities are open, the other activities may be taken out of the edit_open state.
Step 1 Select Workflow > Activity Management.
The Activity Management page appears.
Step 2 In the table, find the activity to discard, then click Undo.
You are prompted for an optional comment.
Step 3 Enter an optional comment in the field provided, then click OK.
The activity is discarded. You are returned to the Activity Management table with the activity state shown in the State column as Discarded. Updated information is shown in the Last Action column. The activity remains listed in the table until it is purged by the system.
Understanding Activity Error and Warning Messages
Before you can change a policy, you must create or open an activity. To create or open an activity, you must be an authorized user and have permission to perform this action. In addition, creating or opening an activity requires a lock.
While you are making policy changes in Firewall MC, different popup windows might display error or warning messages that guide you through activity management. These messages vary, depending on:
•Lock availability.
•Whether you are authorized to perform an action.
•Whether an activity must be created or opened first.
•The next required action within the workflow process.
Activity Error Messages
The following error messages are discussed:
• Error: No Activity Is Open.
• Error: <Device | Device Group> Is Locked by <Activity>.
• Error: No Changes Can Be Made Within the Open Activity, As It Has Been Submitted for Approval.
• Error: Invalid activity action (action). The workflow type may be changed. Please close and reopen the Firewall MC application window..
• Error: Operation failed. The workflow setup might be changed. Please close and reopen the browser.
• Error: You must approve or discard all existing activities and deploy all existing jobs before you disable workflow.
Error: No Activity Is Open
This message appears if you did not create or open an activity. You must create a new activity or open an existing activity that can be edited to preserve the activity information in the database.
Step 1 From the error popup window, select one of the following.
•Create a new Activity—Allows you to define a new activity.
•Open an existing editable Activity—Allows you to open an existing activity.
Step 2 Click OK.
•If you clicked Create, another popup window opens. The New Activity Name field displays a default name based on username, date, and timestamp.
a. Use the default name or assign a new name in the field provided.
b. Enter a comment in the Initial Activity Comment field.
c. Click OK. The popup window closes and you are returned to the Devices or Configuration tab, with the opened activity name shown in the activity bar at the top right of your screen.
•If you clicked Open, another popup window displays available activities from which to make your selection.
a. Select the activity using the appropriate radio button.
b. Click OK. The popup window closes and you are returned to the Devices or Configuration tab, with the opened activity name shown in the activity bar at the top right of your screen.
You are now ready to make policy changes.
Error: <Device | Device Group> Is Locked by <Activity>
This message is used when no lock is available because a device or device group (7100-WestCoast-1) is already locked by another activity (Trouble ticket 37). The other activity must be approved or discarded to enable the device or device group to be assigned to a new activity. Click OK to close the popup window.
Error: No Changes Can Be Made Within the Open Activity, As It Has Been Submitted for Approval
This message is used when an activity (Trouble ticket 37) has already been submitted for approval and is in the submitted state. The activity cannot be modified unless it is either rejected by a person with approval authority or discarded. Click OK to close the popup window.
Note If the activity is approved as submitted, you must create a new activity through which to make your policy changes.
Error: Invalid activity action (action). The workflow type may be changed. Please close and reopen the Firewall MC application window.
This message is displayed when multiple users access Firewall MC. If the workflow setting is changed by a second user while you are working in an area of Firewall MC that is not available with that setting, you might receive this message.
Close, then reopen, the browser. Firewall MC reopens and you can continue your task.
Error: Operation failed. The workflow setup might be changed. Please close and reopen the browser
This message is displayed when multiple users access Firewall MC. If workflow is disabled and a second user enables it, you might receive this message.
Close, then reopen, the browser. Firewall MC reopens with workflow enabled and you can continue your task.
Error: You must approve or discard all existing activities and deploy all existing jobs before you disable workflow
This message is displayed if you have any open activities or jobs when you try to disable workflow.
Approve or discard any open activities and deploy, cancel, or verify that all jobs are being deployed before you disable the workflow feature.
Activity Transition Warning Messages
An activity transition message appears when your action will result in closing the open activity (Edit_Open state), which returns it to the Edit state. While in the Edit state, the changes you made to that activity cannot be deployed— the activity remains a work in progress. This message prompts you to move the activity to a state other than Edit_Open (such as submitted, approved, or rejected) or to continue your action and close the open activity. Actions that generate this message include:
•Logging out while working on an activity.
•Adding, rejecting, submitting, approving, or undoing an activity while working on another activity.
•Closing an open activity.
The set of options appearing in this message depends on two conditions:
•The states that are available based on the state you are in, which changes according to whether you require formal approval of activities. For information about activity states and actions, see Understanding Activity Actions.
•The action that triggered this message.
In the following figure, the activity (Trouble ticket 37) has been submitted for approval and is in the submitted state. No further changes can be made to the activity unless it is rejected or approved.
Step 1 From the warning popup window, do one of the following:
•Click the radio button for the state that the activity should be moved to. The activity moves to the next state, such as submitted or approved.
•Click the radio button to continue the action you attempted before the popup window opened. The activity closes, remaining in the current state, and the selected action occurs.
Step 2 Click OK to perform the selected operation.
Note You can also click Cancel, which closes the popup window and allows you to continue making changes to the activity.
