Firewall Change Procedures

Firewall Rule Change Policies

  • We require 24-hour lead time for all firewall rule change requests.
  • All firewall rule changes will be made before 7am each weekday morning or as scheduled with Change Management.
  • All firewall rule change requests will be evaluated to ensure that they conform to current security best practices and current Emory security policy.
  • Emergency firewall rule change requests must be approved by the Information Security Manager.
  • Firewall exceptions are subject to removal after 90 days of inactivity in order to keep the firewall rule base clean and to prevent accidental network exposure.
  • Internet-facing rules will have an additional layer of Intrusion Prevention (IPS) rules applied to them.

Rule Change Request Procedure

Log in to access the request form

To complete the form, you will need the following:

  • Source address(es), including IPs and domain names (where applicable)
  • Destination address(es), including IPs and domain names (where applicable)
  • Name of application or system requiring firewall exception
  • Destination ports/apps/services that need to be accessible
  • Port(s) requested to be open
  • Plan to keep this application/service patched in a timely manner
  • Description of any sensitive data to be stored/processed on this system
  • Date when the change should be made
  • Point of contact
  • Department Name

Additional Information

If security issues are uncovered, it will be the responsibility of the system owner to address those issues before the rule is approved for implementation.
When planning firewall rules, it is important to take this additional delay into consideration. If your request will expose a system externally, you will not be able to request the rule the day before you need it to be open.
Rule requests that open up ports between two internal systems in different cores will not require additional vetting at this time, and those rules will be evaluated and applied according to our regular firewall change process.

Please Note: The following services will not be granted Internet-facing firewall exceptions by default in most circumstances. Anyone needing to access these services remotely must connect to Emory's VPN first.

  • Remote access protocols such as RDP, SSH, VNC
  • File sharing protocols such as SMB/CIFS, NFS, AFS
  • Database services such as SQL, Oracle
  • Non-production servers/services, such as development, test, QA