www.tufin.club
Tufin Orchestration Suite 23-1
- Category: Version update
Tufin has released TOS R23-1, the first version of the Tufin Orchestration Suite of 2023.
TOS R23-1 is available as GA and can be downloaded from the Tufin Portal (login required).
This version is available for TOS Aurora only. Some improvements of TOS Aurora R23-1:
Change Automation and Orchestration
- SecureChange (Azure)
Azure Firewalls can be included in Access Request tickets in topology mode, i.e. they can be used as targets in such a ticket.
- SecureChange (Check Point)
Support of FQDN configured in Check Point has been integrated into SecureChange automation tools.
- SecureChange (Cisco)
Access Requests can now be provisioned to Cisco Nexus devices.
- SecureChange
A redesign by the Designer can be triggered by API.
- SecureChange
Using API POST allows the creation of tickets with rules from multiple devices for workflows focused on rules (modification, decommission, recertification).
- SecureChange API
The API now allows triggering "commit now"; automatic retries are also possible.
- SecureChange API
Automation of the provisioning can be scheduled, triggered, or retried using the API.
Cloud
- SecureTrack (AWS)
Importing multiple AWS accounts and additional entries like VPCs or transit gateways is possible using the bulk API feature.
Deployment and Monitoring
- TOS Aurora deployment in AWS is now supported for large customers
- Solarwinds can be used to monitor the health of the Kubernetes cluster
- Backups can be stored externally using NAS (NFS) storage.
- Remote Collectors are now supported for Cloud Deployments (AWS, Azure, GCP)
- From now on, the Microsoft Authentication Library (MSAL) can be used for authentication, since the Active Directory Authentication Library (ADAL) will no longer be supported after June 2023.
Devices and Platforms
- Amazon AWS
AWS Gateway Load Balancers can be imported from the AWS account and integrated into SecureTrack Topology. This means that change automation can also be used for these devices.
- Check Point / Palo Alto Networks
Syslog is now supported not only using TCP instead of UDP but also using encryption. So for these two devices, Syslog can be transferred securely to SecureTrack.
- Check Point
SecureTrack as well as SecureChange support Check Point FQDN objects. They are visible in security rules and change tracking, assessment, path analysis, and matching rules. In SecureChange they can be used in Target Selection, Designer, and Verifier.
- Cisco
SecureTrack Rule Viewer, Topology, and USP now support Cisco Meraki Firewalls.
- Microsoft Azure
Azure Virtual Hubs from Azure subscriptions can be imported to SecureTrack Topology. So they can be used not only for Path Analysis, but also by SecureChange Automation Tools.
- Microsoft Azure
Azure Virtual Hubs can be imported from Azure subscriptions and shown in SecureTrack Topology. This can be used for Path Analysis as well as in SecureChange.
- Microsoft Azure
Azure Shared Express Routes are now modeled in the Topology map, to be used there as well as in SecureChange.
- Microsoft Azure
Azure Application Security Groups (ASGs) that are part of Network Security Group (NSG) rules can be used in SecureTrack Rule Viewer, Object Lookup, Compare Revisions, and Topology Path Analysis.
- Palo Alto Networks
In SecureTrack Rule Viewer a search for PAN Rule UUID is possible. This information also appears in the ID of the Device column when exporting Rule Viewer information.
- API
The Devices Bulk API has been provided with a delete function. So it's possible to remove a Management Device and all of its managed devices with an API call.
- API
Rule-based tickets containing multiple devices or policies per ticket can now be submitted by API.
GraphQL API
- USP exceptions
Exceptions can be defined with network objects (e.g. network groups, IP addresses) via GraphQL. This isn't possible using the WebUI
REST API
- Enhancements for SecureTrack
- The Bulk Device Deletion API allows deleting e.g. a management server and all firewalls managed by it from SecureTrack.
- The Multiple AWS Accounts Management API uses the bulk API feature to onboard multiple AWS accounts and to edit them, including by importing VPCs and transit gateways.
- Exceptions can be defined with network objects (e.g. network groups, IP addresses) via REST API and GraphQL API, respectively. This isn't possible using the WebUI.
- Enhancements for SecureChange
- Designer Redesign is possible now using the API. This is useful if e.g. a new revision has been retrieved between design and provisioning.
- Selective Device Update is useful for the automation of provisioning changes.
- Ticket Creation is possible using API POST for rules of multiple devices. This is used for Rule Modification, Rule Decommission, or Rule Recertification.
- Trigger Commit Now for a specific device is possible. Automatic Retries can be automated.
- Submit (Rule-Based) Tickets can be used now for multiple devices.
Security, Risk, and Compliance
- USP Exceptions contain Object IDs now, so within these exceptions, network objects can be used.
Topology Map
- Device Grouping in the Topology Map improves visualization by grouping network and security devices by domain or other custom requirements.
User Experience
- Accessibility for color-blind users can be improved by configurable high-contrast color schemes.
- The Look and Feel of the Tickets page is updated, delivering a more user-friendly experience.
Further improvements, as well as corrections, are included in R23-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
AERAsec is 2022 Tufin Best SDP+ Partner
- Category: Basics
Many thanks to Tufin for awarding AERAsec at the Annual Partner Summit as
Tufin 2022 Best SDP+ Partner of the Year for the EMEA region
After more than 15 years of successful cooperation with Tufin, the AERAsec team is proud to receive this award.
Skip Condition and more than one Access Request
- Category: SecureChange
When working with Workflows in Tufin SecureChange, it's sometimes useful to skip a specific step. To configure this for a step in the Workflow, go to "Assignments" and select the option "Skip this step if:". Several conditions can be added and combined with AND or OR. A mixture is not possible (e.g. (a AND b) OR c).
The example above has a Skip Condition with combined parameters. The step will be skipped if
- the Check Box "Important access for me" is checked (e.g. in step 1)
- AND the service is NOT http (tcp 80)
- AND the Risk Status of all access requests is "No risk"
This condition works perfectly for a single Access Request.
BUT
If there is more than one Access Request in a ticket, the Skip Condition is evaluated for each Access Request. The expected behavior was that the step is skipped if each Access Request fulfills the Skip Condition, and vice versa: if any Access Request does not fulfill the condition, the step will not be skipped. This is wrong (!)
Lesson Learned
Tufin Support has clarified the behavior: "For tickets containing multiple access requests, the step will be skipped if the condition is met in any one of them unless the condition selected specifically states that it applies to all access requests."
So if only one Access Request within the ticket fulfills the Skip Condition, the step will be skipped - regardless of all other Access Requests.
The condition applies to all Access Requests only for "Risk Status", "Target", "Destination", "Verification Status". So only for these four conditions the behavior is as expected above.
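The semantics described by Tufin Support can be modeled in a few lines to check a workflow's Skip Condition against a multi-request ticket before relying on it. This is an added illustration, not Tufin code: it assumes each condition is quantified over the Access Requests on its own (ALL for the four conditions named above, ANY otherwise) before the AND/OR combination, and the field names, the "Service" condition name, and the sample ticket are constructed. The ticket-level check box is left out.

```python
# Added illustration: a model of the skip semantics, not Tufin code.
from dataclasses import dataclass

# Conditions that, per the text, apply to ALL Access Requests in a ticket.
ALL_AR_CONDITIONS = {"Risk Status", "Target", "Destination", "Verification Status"}

@dataclass
class Condition:
    name: str          # condition type; "Service" below is a constructed name
    predicate: object  # callable(access_request: dict) -> bool

def condition_met(cond, access_requests):
    """Quantify one condition over every Access Request in the ticket."""
    results = [cond.predicate(ar) for ar in access_requests]
    if cond.name in ALL_AR_CONDITIONS:
        return all(results)
    return any(results)          # one matching AR is enough

def step_skipped(conditions, access_requests, combine="AND"):
    """Combine the per-condition results with a single operator (no mixing)."""
    met = [condition_met(c, access_requests) for c in conditions]
    return all(met) if combine == "AND" else any(met)

def naive_expectation(conditions, access_requests, combine="AND"):
    """The intuitive reading: every AR must satisfy the whole condition."""
    op = all if combine == "AND" else any
    return all(op(c.predicate(ar) for c in conditions) for ar in access_requests)

def ars_not_matching(conditions, access_requests):
    """Review aid: (AR index, condition name) pairs that individually fail."""
    return [(i, c.name) for i, ar in enumerate(access_requests)
            for c in conditions if not c.predicate(ar)]

# Constructed sample: the service and risk conditions from the example above.
CONDITIONS = [
    Condition("Service", lambda ar: ar["service"] != "tcp/80"),
    Condition("Risk Status", lambda ar: ar["risk"] == "No risk"),
]
TICKET = [
    {"service": "tcp/443", "risk": "No risk"},   # meets both conditions
    {"service": "tcp/80", "risk": "No risk"},    # http: should need review
]

if __name__ == "__main__":
    print("skipped:", step_skipped(CONDITIONS, TICKET))
    print("expected skip:", naive_expectation(CONDITIONS, TICKET))
    print("ARs that bypass review:", ars_not_matching(CONDITIONS, TICKET))
```

A non-empty result from `ars_not_matching` together with `step_skipped` returning true marks a ticket where the step is skipped although at least one Access Request does not meet the condition.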
User Access to Topology of SecureTrack
- Category: SecureTrack
SecureTrack has two kinds of users: "Administrator" and "User".
An "Administrator" has access to every part of SecureTrack, including SecureTrack Topology. The permissions of this user cannot be restricted.
In TOS Classic a "User" had the possibility to access SecureTrack Topology. The requirement was that this user has permission to view "all devices". In this case, the Topology was shown and could be used. Of course, when a new device was added, the permission of the user needed to be updated (because otherwise the requirement for accessing the Topology was not fulfilled).
The access to the Topology for users has been classified by Tufin as a "security flaw". Therefore, in TOS Aurora there is no possibility for a "User" to access the Topology. If this access is needed, the permissions need to be extended to "Administrator" (with all consequences). If only some information is needed, a user is able to use the API for calling specific information from the Topology. Examples of this API access are shown here:
https://forum.tufin.com/support/kc/rest-api/R22-2P/securetrack/apidoc/#!/Network_Topology/getPathCalc
https://forum.tufin.com/support/kc/rest-api/R22-2P/securetrack/apidoc/#!/Network_Topology/getPathCalcImage
Automatic Target Selection and many Source/Destination
- Category: SecureChange
A very useful feature of Tufin SecureChange is the possibility to have an automatic target selection in Access Request workflows. Quite often, the first step of an Access Request ticket doesn't require the requester to fill in the necessary targets. Just Source and Destination as well as Service are needed for opening a ticket. In the next step, the corresponding targets are often calculated automatically for further use, e.g. by the Designer or Verifier. These tools rely on the values configured in "Targets", regardless of whether they are filled in manually or by Automatic Target Selection.
The automatic selection works perfectly for Access Requests with one Source and one Destination.
AR with one Source and one Destination - working path
For the first request below a target can be found because the path can be found in the SecureTrack Topology. This behavior is as expected.
AR with one Source and one Destination - not working path
The second request is not in SecureTrack Topology, therefore neither a path nor a target can be found. This behavior is also as expected.
AR with a "mixed condition" for Source and Destination
If both cases are now mixed within one Access Request, Tufin only finds the targets of the first example and does not point out that no Targets have been found for the second one. Only the found Targets are filled into the field, without any hint that not all connections have been found within SecureTrack Topology.