Itential Orchestration

Automating the End-to-End Process of Closed Loop Policy Configuration Management with Itential + Batfish Enterprise

Mike Elrom

Director of Customer & Tech Partner Enablement ‐ Itential

Automating the End-to-End Process of Closed Loop Policy Configuration Management with Itential + Batfish Enterprise
Share this:
Posted on October 28, 2021

When it comes to network automation, one concern that comes up often is what happens if changes are made incorrectly? This could mean fast failure for network teams with constant change requests coming in. Teams are unfortunately caught between the need to make network and security changes quickly while allowing enough time for due diligence to ensure those changes are secure. This isn’t something teams should have to decide between.

That’s why we’ve teamed up with Intentionet to integrate our solutions together to automate the entire process of closed loop policy configuration management, leveraging Itentionet’s Itential Pre-Built contributions to perform policy validation (-pre and post-change) with Batfish Enterprise.

Let’s dive into this use case and how network teams can leverage it.


How We Built a Closed Loop Firewall Automation Use Case

In a recent joint webinar, Samir Parikh, Head of Product at Intentionet, and I did a live discussion and demo of this very solution. Here’s a quick overview of the process we built and executed.

Let’s assume you’ve configured Batfish Enterprise and are ready to support Change Reviews. The list of things you’ll want to do for each change request is:

  • Create a Batfish Enterprise Change Review
  • Run the Change Review
  • View the Change Review Results
    • Did the Change Review finish?
    • Did the Change Review pass?
    • Did all of the policies within the Change Review pass?
  • Post change request Snapshot

At Itential, we followed the exact same exact process and were able to build a demonstration using several Itential Pre-Built Automations for a Firewall Policy Change, leveraging the following:

Partnering with Intentionet to build our use case was simple. Samir Parikh walked us through how to perform the Batfish Enterprise actions. Samir said most folks automate using Python scripts that they share with their customers, but with Itential complimenting the solution we were able to convert the Python Scripts into drag-and-drop automation tasks from Batfish Enterprise’s gRPC adapter. With this approach, when teams need to tweak things in a process workflow, they don’t have to find a Python developer and locate which line of code to change but rather move tasks on a visual canvas. By leveraging this drag-and-drop approach, more people can participate in automation.


Event-Driven Automated Remediation

If you want to get started and try tackling this use case yourself, you can create your own free account with full access to our cloud platform. Once in the platform, here’s how you do it:

  1. Go to Itential Automation Studio and create a new automation. Keep in mind, this should match up to your business process as close as possible. You can use our “stub” task to mock up the workflow.
  2. Pull in some Itential Pre-Builts such as integrations to connect to systems in your environment automations so that you can have modular automations to handle tasks such as notifications and change requests. You’ll want the include the Batfish Enterprise adapter (gRPC) and the Batfish Enterprise Change Review Results automation as well.
  3. Once you have all the components on your canvas, the trick will be how to pass data around. That’s where Itential’s Pre-Built Transformations will come in. You can add these to your workflow to transform data throughout your automation.
  4. By connecting all of these together, you will have what’s needed to successfully build your closed loop firewall automation.

Check out this short demo video to see it in action:


A few things to keep in mind as you’re building your very own closed loop firewall automation:

  • Take the Itential Academy training courses. These are included in your free account and provide interactive training courses, labs, and documentation.
  • Start simple as you build workflows. There’s no need to start complex as you can always add more as you get more confident in your automations.
  • Look through Itential’s Pre-Built Collection to see what out-of-the-box components will be best suited to help automate across your unique environment.
  • Invite your network, cloud, and DevOps team members to collaborate on automations within the Itential Automation Platform.

Be sure to watch the full on-demand webinar here to see how Samir and I were able to create this use case so network operators can take comfort in knowing their configuration will meet the configured network policy, all while enjoying the full benefits of automation. Once you’re ready to get started, you can try Itential for free.

Mike Elrom

Director of Customer & Tech Partner Enablement ‐ Itential

Mike Elrom is the Director of Customer & Tech Partner Enablement at Itential who has spent his entire professional career working on telecommunications networks. Holding roles within Network Operations and Software Development teams, Mike’s career has naturally progressed into network automation. At Itential, Mike has the pleasure of working with our customer’s network engineers while he and his team are responsible for enabling our customers to become successful automation engineers.

More from Mike Elrom