Integration · NetBox
A firewall rule is a set of addresses and ports. NetBox knows what those addresses mean: which prefix, which site, which device, which tenant. FwChange reads that context and puts it next to the rule, so a reviewer judges the change against the real network, not a guess.
Why it matters
Most rule reviews happen blind. Is 10.42.0.0/16 the DMZ or an internal user segment? Is 203.0.113.5 a live production gateway or a host that was decommissioned last quarter? Answering means leaving the review screen and digging through IPAM by hand, so most reviewers don't, and approve on memory instead.
FwChange closes that gap. While a change sits in review, it resolves every source and destination against NetBox and shows the match inline (the prefix, its site and tenant, and the nearest device), so the decision is grounded in what the network is today.
What it syncs
FwChange reads from NetBox; it never writes. The connector uses a read-only API token and pulls just enough to enrich a review, then caches the result so it isn't hammering your source of truth.
Each address in a rule resolves to its smallest enclosing NetBox prefix, carrying site, VRF, tenant, and description.
A firewall linked to its NetBox device surfaces name, serial, rack, and site, and a deep link straight back to the record.
Tenant assignment travels with the prefix, so a reviewer can see whose segment a change touches before approving it.
In the analysis
FwChange already flags shadowed rules, redundant policy, and over-permissive any/any access before a change ships. NetBox data makes that judgement sharper: an open rule to a host the IPAM marks as retired is a different risk from the same rule into an active production prefix.
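An added example, not FwChange's own code: it resolves each side of a rule to its smallest enclosing prefix within a VRF and lets the prefix status change the review finding. The prefix records are constructed and flattened for illustration, and treating NetBox's `deprecated` prefix status as the "retired" case is an assumption.

```python
import ipaddress

# Constructed sample records, flattened from the shape of NetBox prefix data.
PREFIXES = [
    {"prefix": "10.0.0.0/8", "vrf": None, "site": None, "tenant": None,
     "status": "container", "description": "RFC 1918 space"},
    {"prefix": "10.42.0.0/16", "vrf": None, "site": "fra1", "tenant": "platform",
     "status": "active", "description": "DMZ"},
    {"prefix": "10.42.8.0/24", "vrf": None, "site": "fra1", "tenant": "payments",
     "status": "deprecated", "description": "old card gateway"},
    {"prefix": "10.42.8.0/24", "vrf": "lab", "site": "lab1", "tenant": "qa",
     "status": "active", "description": "overlapping lab range"},
    {"prefix": "2001:db8:42::/48", "vrf": None, "site": "fra1", "tenant": "platform",
     "status": "active", "description": "DMZ v6"},
]

def resolve(address, vrf=None, prefixes=PREFIXES):
    """Return the smallest enclosing prefix record in the given VRF, or None."""
    # strict=False accepts a bare host ("10.42.8.17") or a network ("10.42.0.0/16").
    target = ipaddress.ip_network(address, strict=False)
    best_net, best_rec = None, None
    for rec in prefixes:
        net = ipaddress.ip_network(rec["prefix"])
        # Overlapping ranges in different VRFs are different networks;
        # subnet_of() also raises TypeError across IP versions, so filter first.
        if rec["vrf"] != vrf or net.version != target.version:
            continue
        if target.subnet_of(net) and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_rec = net, rec
    return best_rec

def annotate(rule, vrf=None):
    """Attach IPAM context to both sides of a rule and collect review findings."""
    context, findings = {}, []
    for side in ("source", "destination"):
        rec = context[side] = resolve(rule[side], vrf)
        if rec is None:
            findings.append(f"{side} {rule[side]}: no enclosing prefix in IPAM")
        elif rec["status"] == "deprecated":
            findings.append(f"{side} {rule[side]}: prefix {rec['prefix']} is deprecated")
        elif rec["status"] == "container":
            findings.append(f"{side} {rule[side]}: only matches container {rec['prefix']}")
    return context, findings

if __name__ == "__main__":
    rule = {"source": "10.42.9.1", "destination": "10.42.8.17", "port": 443}
    ctx, notes = annotate(rule)
    print(ctx["destination"]["tenant"], notes)
```

An address that only lands in a container prefix, or in none at all, is reported rather than silently treated as known, since that is where a reviewer would otherwise approve on memory.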
How it connects
No agent, no write access, no copy of your IPAM. FwChange holds an encrypted token and queries NetBox live when a review needs it.
Create an API token in NetBox with write disabled. Set an expiry if policy requires it. That token is the whole footprint.
Enter the NetBox base URL and the token. The credential is encrypted at rest with AES-256-GCM and scoped to your organization.
FwChange calls the status endpoint, confirms the NetBox version, and marks the connector active. Self-signed certificates are handled per connector.
Open any pending change. Every source and destination resolves to its NetBox prefix inline, with responses cached for five minutes to spare your instance.
Built to be safe
The connector speaks standard NetBox REST endpoints (status, devices, prefixes), stable since the 3.x line and supported from NetBox 3.7 onward. It runs on a read-only token by design, so there is no path for FwChange to create, edit, or delete a record.
NetBox stays the source of truth. FwChange borrows its context for the length of a review and gives nothing back to store, change, or trust against your IPAM. Your records are exactly as you left them.
The NetBox integration is one part of how FwChange turns a firewall change into a decision you can defend. See where it fits in the platform, or read the longer argument for why rule review needs network context.