Policies and Objects that Support Change Management

If a policy or object supports the change management workflow, then creating, editing, or deleting the policy or object, including assigning a policy to a device, must be done in an open ticket.

Any action, policy, or object that does not support the change management workflow can be created, edited, or deleted, and so forth, without an open ticket. Even if a ticket is open, the changes made to unsupported policies are not included in the ticketed changes and are available for deployment immediately.

The following lists include the policies and objects that are supported. Anything not listed is unsupported.

Supported Policies

  • Access Control, including rules, references to other policies, and inheritance settings.

  • Device Configuration policies:

    • Interfaces

    • Inline Sets

    • DHCP

    • VTEP

    • All Routing

  • Decryption policy

  • DNS policy

  • FlexConfig

  • Intrusion policy and Network Analysis Policy (NAP), Snort 3 only.

  • Malware and File policy

  • Network Address Translation (NAT)

  • Network Discovery policy

  • Platform Settings

  • Prefilter

  • QoS

  • Umbrella SASE Topology

  • VPN policies, both site-to-site and remote access

  • Zero Trust Access

Supported Objects

  • AAA Server

  • Access List

  • Address Pools

  • AS Path

  • Cipher suit lists

  • Community List

  • Distinguished Name objects

  • DHCP IPv6 Pools

  • DNS Server Group

  • FlexConfig objects

  • Group policy

  • Interface

  • Key Chain

  • Network

  • PKI certificates, all objects

  • Policy List

  • Port

  • Prefix List

  • Route Map

  • Sinkhole

  • SLA Monitor

  • Time Range

  • Time Zone

  • Tunnel Zone

  • URL

  • Variable Set

  • VLAN Tag

  • VPN objects (IKEv1, IKEv2 IPSec and policy, PKI enrollment, certificate map)