Get Change Request
Get a single existing Change Request by ID by sending an HTTPS POST request to https://graph.prod.firemon.cloud/graphql
The Authorization header of the request should be the IdToken obtained by authentication.
The body of the request should be in the following format:
{
"query": "query changeRequest($id: String!) { id name state }",
"operationName": "changeRequest",
"variables": "{\"id\": \"ID\"}"
}
The full GraphQL query to an existing change request with all fields:
query changeRequest($id: String!) {
changeRequest(id: $id) {
id
parentPath
projectId
createdAt
createdBy
name
results {
boundaryAction
boundaryId
boundaryName
isMatch
message
state
}
rules {
action
justification
comment
owner
expiration
destinations {
...NetworkObjectFragment
}
services {
...ServiceObjectFragment
}
sources {
...NetworkObjectFragment
}
}
state
stateReason
updatedAt
updatedBy
}
}
fragment NetworkObjectFragment on NetworkObject {
type
... on NetworkObjectCidr {
cidr
}
... on NetworkObjectConnectGroup {
groupId
}
... on NetworkObjectInventoryItem {
itemKey {
accountId
region
type
id
}
}
}
fragment ServiceObjectFragment on ServiceObject {
type
... on ServiceObjectCustomProtocol {
protocol
}
... on ServiceObjectIcmpV4 {
icmpCode
icmpType
}
... on ServiceObjectIcmpV6 {
icmpCode
icmpType
}
... on ServiceObjectTcp {
portEnd
portStart
}
... on ServiceObjectUdp {
portEnd
portStart
}
... on ServiceObjectPortRangeSize {
maxSize
}
}
An example using cURL
curl --request POST \
--url https://graph.dev2.firemon.cloud/graphql \
--header 'Authorization: IdToken' \
--data '{"query":"query changeRequest($id: String!) { changeRequest(id: $id) { id parentPath projectId createdAt createdBy name results { boundaryAction boundaryId boundaryName isMatch message state } rules { action justification comment owner expiration destinations { ...NetworkObjectFragment } services { ...ServiceObjectFragment } sources { ...NetworkObjectFragment } } state stateReason updatedAt updatedBy }}fragment NetworkObjectFragment on NetworkObject { type ... on NetworkObjectAny { negate } ... on NetworkObjectCidr { cidr comparison negate } ... on NetworkObjectConnectGroup { groupId comparison negate } ... on NetworkObjectInventoryItem { itemKey { accountId region type id } }}fragment ServiceObjectFragment on ServiceObject { type ... on ServiceObjectCustomProtocol { protocol } ... on ServiceObjectIcmpV4 { icmpCode icmpType } ... on ServiceObjectIcmpV6 { icmpCode icmpType } ... on ServiceObjectTcp { portEnd portStart } ... on ServiceObjectUdp { portEnd portStart } ... on ServiceObjectPortRangeSize { maxSize }}","operationName":"changeRequest","variables": { "id": "ID" } }'
An example response:
{
"data": {
"changeRequest": {
"id": "a8c3f4dc-56fb-43e5-ba4b-a3efea41fc94",
"parentPath": "/4247001d-db11-4867-9108-6ef407df9fdd",
"projectId": "4247001d-db11-4867-9108-6ef407df9fdd",
"createdAt": "2025-07-31T16:05:01.799Z",
"createdBy": "ead9f7bd-493e-4535-a858-b0a94ea2c1a6",
"name": "test",
"state": "Fail",
"stateReason": "This request failed the following boundaries:\n* Rule allows TCP high ports",
"updatedAt": "2025-07-31T16:09:55.251Z",
"updatedBy": "ead9f7bd-493e-4535-a858-b0a94ea2c1a6",
"results": [
{
"boundaryAction": "Fail",
"boundaryId": "2f071324-84e7-4bee-9840-aa9770934291",
"boundaryName": "Rule allows TCP high ports",
"isMatch": false,
"message": null,
"state": null
}
],
"rules": [
{
"action": "Allow",
"justification": null,
"comment": null,
"owner": null,
"expiration": null,
"destinations": [
{
"type": "Any",
"negate": null
}
],
"services": [
{
"type": "TCP",
"portEnd": 443,
"portStart": 443
}
],
"sources": [
{
"type": "Cidr",
"cidr": "10.10.10.0/24",
"comparison": null,
"negate": null
}
]
}
]
}
}
}