Information Services Division

Firewall rules recertification

Information about the new recertification process for permanent Institutional firewall rules.

A recent audit has identified a requirement for UCL to improve its auditing functionality for Institutional firewall rules. Therefore, a process has been implemented where customers will be required to recertify their Institutional firewall rules within RemedyForce to comply with this security audit requirement.

Affected firewalls

  • This process will only be implemented for new Institutional firewall requests going forward (it will not cover existing firewall rules already in place)
  • This process only applies to the Institutional firewall (does not include the datacentre or departmental firewalls)

High level overview

  • Permanent rules can only be requested for a maximum duration of 24 months before requiring recertification.
  • The customer needs to recertify their rules after this time in order to retain the rules for up to another 24 months. This is done via automated reminder emails from within RemedyForce asking the customer to log in to RemedyForce and confirm they wish to keep their firewall rules. These reminders will be sent at five weeks, three weeks and two weeks before the rule expiry date.
  • Customers who do not respond to the three reminder emails will be escalated to ISG for follow-up with the department for a response.
  • If the customer selects to keep their rule, they select how long they wish to keep the rule for (maximum duration of 24 months again) and the RemedyForce timer is reset for that duration. No further action is required.
  • If the customer selects to not keep their rule, a new ticket is created in the Network Platforms ticket queue with the required details to remove the firewall rule and should be actioned appropriately.

Please note: rules will not be disabled or removed if there is no response from the customer as this could cause serious interruption to service.

What you need to do

This process is now live so all permanent rules requested are set to have an expiry date of 24 months from the date of creation within RemedyForce.

As the customer requesting the rules, you won’t have to do anything until your firewall rules are due for recertification, which will be in 24 months unless you have requested a shorter timeframe. After this time, you will start to see the recertification reminders coming through and you will need to respond to these in order for Network Platforms to recertify your rules within the RemedyForce process.

Further reminder comms will be sent to the IT Managers and ISD in March 2023 as this is when the majority of customers will start to see the renewal reminders coming through.

Process for customers

  1. Fill in a firewall request using the Firewall request form
  2. The rule is implemented by Network Platforms as per the usual process
  3. Five weeks before the rule is due to expire, you will receive the first automated email asking if you want to renew or remove the rule
  4. Click the link in the email and log into RemedyForce which takes you to the renewal form for that rule
  5. Choose to either keep or remove the rule via the option (towards the bottom of the form)
    1. If you opt to renew the rule, you are asked how long you wish to renew the rule for using the slider bar. The timer within RemedyForce is then reset to the duration you select.
    2. If you select to remove the rule, a new ticket is created in the Network Platforms ticket queue with the required details to remove the firewall rule.

Reminder emails

Five weeks before the rule is due to expire, you will receive the first automated email asking if you want to renew or remove the rule.

Should you not respond to that first email, you will automatically receive a reminder three weeks before the rule is due to expire with the same information asking you to confirm if you wish to keep the rule or have it removed.

Should you still not respond, a second reminder is sent two weeks before the rule is due to expire stating this will be escalated to ISG if no response is received.

Help and support

Please direct any queries to ns-core@ucl.ac.uk