The current workflow for updating network frack ACLs is:
- fr-tech generates the new policies
- fr-tech copies them to the firewall's /var/tmp/ folder (identified by their timestamp)
- fr-tech opens a netops (SRE) task to push the changes, with an instruction on whether it's safe to be done anytime or needs to be scheduled with fr-tech
- SRE stages the change and analyzes the diff for any unexpected changes
- For a large or unclear diff, SRE shares the diff with fr-tech for confirmation
- If there are any issues, repeat the previous steps
- If all good, SRE commits the change
- fr-tech checks that everything went as expected
I think this process could be improved in two ways:
As a prerequisite: grant ACL changes permission to the fr-tech users
- Edit the ACL generation script to stage and diff the ACLs
This prevents the back and forth between fr-tech and SRE if there are any unexpected diffs
- Edit the ACL generation script to commit the ACLs
This would alleviate the need for SRE, especially for minor changes
If SRE's input is needed, fr-tech could either add the diff to a task for analysis or follow the current process (with the file in /var/tmp/).
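As an added illustration of the two proposed steps (stage + diff, then commit), here is a sketch in Python using PyEZ (junos-eznc), the Juniper library mentioned at the end of this task. It is example code written for this ticket, not the existing fr-tech generation script. The review rules in classify_diff() (the 50-line threshold, "touches anything outside the firewall hierarchy", "removes a whole term"), the sample diff and the policy-file path are all assumptions; the real thresholds are for fr-tech and SRE to agree on. Commits are done as 'commit confirmed' so a bad push rolls itself back unless confirm_commit() is called once fr-tech has checked that everything went as expected.

```python
"""Stage, diff and optionally commit a generated frack ACL file on a Junos
firewall with PyEZ (junos-eznc). Added example for this ticket, not the
fr-tech generation script."""
import re

# Assumed threshold for a "large" diff; the ticket does not define one.
MAX_CHANGED_LINES = 50

# Constructed sample of 'show | compare' output after 'load merge' of a policy file.
SAMPLE_DIFF = """\
[edit firewall family inet filter frack-in term allow-mgmt from]
+      source-address 192.0.2.0/24;
[edit firewall family inet filter frack-in term allow-mgmt]
-    then accept;
+    then {
+        count allow-mgmt;
+        accept;
+    }
"""


def classify_diff(diff, max_changed=MAX_CHANGED_LINES):
    """Summarise a Junos candidate diff and decide whether SRE should look at it.

    Review is required (assumed rules) when the diff is large, removes a whole
    term, or touches anything outside the [edit firewall ...] hierarchy, which
    an ACL generator should never do.
    """
    lines = diff.splitlines()
    added = [l for l in lines if l.startswith("+")]
    removed = [l for l in lines if l.startswith("-")]
    stanzas = re.findall(r"^\[edit (.+)\]$", diff, re.M)
    reasons = []
    outside = sorted({s for s in stanzas
                      if not (s == "firewall" or s.startswith("firewall "))})
    if outside:
        reasons.append("touches non-firewall hierarchy: " + ", ".join(outside))
    for term in re.findall(r"^-\s+term\s+(\S+)\s*\{", diff, re.M):
        reasons.append("removes whole term " + term)
    changed = len(added) + len(removed)
    if changed > max_changed:
        reasons.append("%d changed lines exceeds %d" % (changed, max_changed))
    return {
        "changed": changed > 0,
        "added": len(added),
        "removed": len(removed),
        "stanzas": stanzas,
        "reasons": reasons,
        "needs_review": bool(reasons),
    }


def push_acl(dev, policy_path, commit=False, confirm_minutes=5,
             comment="frack ACL update"):
    """Stage the generated policy on an open PyEZ Device, return (diff, verdict),
    and commit only when asked to and when the diff does not need SRE review.

    Uses 'commit confirmed <minutes>': the change is rolled back by the device
    unless confirm_commit() is called after fr-tech's checks.
    """
    from jnpr.junos.utils.config import Config  # imported here so the module loads without junos-eznc
    cu = Config(dev)
    cu.lock()  # exclusive candidate, so nobody else's edits end up in this diff
    try:
        # policy_path is a local file produced by the generator (assumption);
        # this is the PyEZ equivalent of 'load merge' on the CLI.
        cu.load(path=policy_path, format="text", merge=True)
        diff = cu.diff() or ""
        verdict = classify_diff(diff)
        if verdict["changed"] and commit and not verdict["needs_review"]:
            cu.commit_check()
            cu.commit(comment=comment, confirm=confirm_minutes)
        else:
            cu.rollback()  # no change, diff only, or hand the diff to SRE instead
    except Exception:
        cu.rollback()
        raise
    finally:
        cu.unlock()
    return diff, verdict


def confirm_commit(dev, comment="frack ACL update confirmed"):
    """Second commit that makes a 'commit confirmed' permanent."""
    from jnpr.junos.utils.config import Config
    Config(dev).commit(comment=comment)


if __name__ == "__main__":
    import sys
    from jnpr.junos import Device
    host, policy = sys.argv[1], sys.argv[2]
    # Assumes SSH key auth with the current user; adapt to the real credentials.
    with Device(host=host) as dev:
        diff, verdict = push_acl(dev, policy, commit="--commit" in sys.argv)
    print(diff)
    print("needs SRE review:" if verdict["needs_review"] else "ok to commit", verdict["reasons"])
```

Run as `python push_acl.py fw1.example /path/to/frack-acl.txt` to stage and print the diff only, and add `--commit` to let the script commit when the diff passes the assumed rules; when it does not, the printed diff is what would go into the SRE task.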
This task is to start the conversation; nothing here is strict. Please let me know what you think.
I'm happy to help and provide guidance on Juniper libraries/APIs.