On this page
Automated Path Identification and Target Selection
Overview
Streamline security policy changes with automated path discovery and target selection, reducing manual effort and risk of misconfiguration.
Automated Path Identification and Target Selection guides you through using workflows and topology-based analysis to:
-
Identify the relevant enforcement points for an access request based on the path between the source and destination.
-
Apply access changes to the correct firewalls, policy packages, or rulebases.
-
Use automated target suggestions when topology data is available, and manual target definition when it is not.
Why this matters
-
Reduce manual effort by using topology-based analysis to identify the relevant enforcement points for an access request.
-
Improve implementation accuracy by directing access changes to the correct policies and devices on the traffic path.
-
Support more consistent change execution by combining automated target suggestions with manual target definition when topology data is unavailable or incomplete.
Who this is for
-
Network engineers responsible for maintaining topology data that supports target suggestions.
-
Workflow designers responsible for configuring automated and manual target logic in workflows.
-
Operational specialists driving workflow adoption and standardization across teams.
Key capabilities
Automated Path Identification and Target Selection leverages key features in SecureChange:
-
Access Request Workflow to manage target suggestions for access requests
-
Map to support topology discovery for target suggestions
Prerequisites
-
Successful completion of:
-
At least one Access Request Workflow to generate target suggestions
Step 1: Understand target suggestions
This step explains how target suggestions work and why they matter. Understanding the available options helps ensure that access changes are applied to the correct policies and enforcement points.
In SecureChange workflows, target suggestions are critical for automating implementation and ensuring that the correct policy is updated based on the path between the source and destination. Target suggestions determine which firewalls, policy packages, or rulebases an access change applies to.
-
Use SecureChange's Workflows to implement target suggestions.
Topology-based and manual target suggestions
You can generate target suggestions in two ways:
-
Topology-based target suggestion (recommended)
-
Requires an accurate and up-to-date topology map in SecureTrack.
-
Uses the network topology model to identify the devices on the path between the source and destination, for both manual and automated target suggestions.
-
Automatically suggests the relevant enforcement points, such as firewalls or policy packages.
-
-
Manual target suggestion (without topology)
-
Use this option when topology data is unavailable or incomplete.
-
Define enforcement points manually for each relevant vendor or device type, such as policy packages, zones, or ACLs.
-
How topology-based suggestions work
If you have up to date Map in SecureTrack, you can use topology-based suggestions in both Auto and Manual step modes.
-
Auto step mode: When Suggest target is selected, SecureChange adds a target based on SecureTrack's policy and topology information.
-
Manual step mode: When you define targets using Advanced options, switch to Suggestions to run topology analysis and view suggested targets.
When you define the Source, Destination, and Service/App-ID fields in the Access Request form:
• If a valid topology path exists, SecureChange uses SecureTrack's topology model to automatically identify the enforcement points along the path and suggest the appropriate devices and policy targets for rule implementation.
-
If no valid topology path exists, SecureChange displays a Cannot suggest target message. See Troubleshooting topology-based target suggestions in this topic.
See Advanced options for change requests.
Define targets manually when topology cannot be used
When topology data is unavailable or not accurate, define targets manually according to device type:
-
Palo Alto and Fortinet: Use zone pairing to define ingress and egress mapping.
-
Cisco ASA: Select the appropriate access list for rule insertion.
-
Cisco FMC: Define the zones manually by using zone-pairing logic.
-
Check Point: Select the relevant policy package and target firewall manually.
Step 2: Set target suggestion mode
This step defines how the workflow generates target suggestions. Setting the correct mode helps you balance automation with manual control, based on your organizational policy and workflow design.
Configure the execution mode for the workflow step as Auto or Manual. Automatic target generation is available only when the step mode is set to Auto.
-
Go to the workflow step where you need to define target suggestions.
-
Set the Step mode:
-
Auto: Run the step automatically. Select Suggest target to generate target suggestions automatically.
-
Manual: Run the step manually. Define the targets manually, or use Suggestions to run topology analysis and view suggested targets.
-
See Step properties for access request workflow.
Step 3: Troubleshoot topology-based target suggestions
This step helps you resolve cases where the system cannot generate target suggestions. Troubleshooting improves topology accuracy and increases the likelihood of getting reliable target suggestions in future requests.
A Cannot suggest target message indicates that there is no valid path exists between the source and destination.
Troubleshooting
-
To manually trace the traffic path between the source and destination, use Map > Path Analysis in SecureTrack.
-
To identify missing routing or topology data and resolve disconnected or misconfigured segments, follow the steps in Network Path Analysis and Troubleshooting.
-
After you correct the topology, submit the access request again to generate accurate target suggestions.
Was this helpful?
Thank you!
We’d love your feedback
We really appreciate your feedback
Send this page to a colleague