In many situations, Firewalls not have their "productive" interfaces only, but also others like e.g. Management Interfaces. If this is the case and many Firewalls are connected not only via "productive" interfaces but also via Management Interfaces, some problems might arise. One could occur when SecureTrack Topology is used to check the path a packet takes. Even if it's not the case in real life, Topology could consider the shortest way using the Management Network... As a consequence, the Designer of SecureChange could also assume this path - and the result isn't as expected.

So in many cases, it seems to be useful to ignore single interfaces in SecureTrack Topology. This can be done quite easily, but it needs to be done very carefully and well documented (!).

Please don't continue before you have made a backup of your data!

To find out the relevant device, you first need its Management ID in Tufin SecureTrack. If it's a directly monitored Firewall (e.g. Cisco ASA, FortiGate without FortiManager or directly monitored Check Point Firewall Module) the Management ID can be found in Menu > Compare. Go to the left pane called "Monitored Devices" and press "t". The Management ID shows up beside the name of the device. In the screenshot shown below, Firewall modules have the Management ID 290 and 294, respectively.

If only the Management is listed here, another step is necessary because here only the ID of the Management is shown.

 

In this case, you need to go to Menu > Settings > Administration > Licenses. Here you scroll down to the section called "Devices", click into it, and press "t". The Management IDs of all Devices will be shown here.

Next is to find which interface shal be ignored by Tufin Topology. You can obtain this information from SecureTrack or directly from the device. 
To have an example, we will ignore the Interface "Mgmt" of the device with ID 290 and IP address 192.168.1.1 from Topology.

This information needs to be stored in the database. You can do this using the REST API or directly via CLI. In this example, we use CLI for modification of the table "ignored_interfaces".
To get a list of all currently "ignored_interfaces" this command should be used:

[root@TufinOS ~]# psql -Upostgres securetrack -xc "select * from topology_ignored_interfaces"
-[ RECORD 1 ]--+-----------------
interface_name | ethernet1/1
mgmt_id        | 2
ip             | 0.0.0.0
[root@TufinOS ~]#

To add an interface to this list, be sure to have the Management ID of the device as well as the name of the interface and its IP address. Then it can be added to this table using

[root@TufinOS ~]# psql -Upostgres securetrack -xc "insert into topology_ignored_interfaces (interface_name, mgmt_id, ip) values ('Mgmt','290','192.168.1.1')"

After having done so, this interface is listed in the table and therefore ignored by SecureTrack Topology - after a Sync of the Topology (!).
(The IP address can also be left out, then it later shows "0.0.0.0")

[root@TufinOS ~]# psql -Upostgres securetrack -xc "select * from topology_ignored_interfaces"
-[ RECORD 1 ]--+-----------------
interface_name | ethernet1/1
mgmt_id        | 2
ip             | 0.0.0.0
-[ RECORD 2 ]--+-----------------
interface_name | Mgmt
mgmt_id        | 290
ip             | 192.168.1.1
[root@TufinOS ~]#

If you look at the device in the Topology, this interface isn't listed here any more.
To remove an interface from this list and to get it back into Topology, just take the command

[root@TufinOS ~]# psql -Upostgres securetrack -xc "delete from topology_ignored_interfaces where interface_name='Mgmt' and mgmt_id='290'"

To make this change effective, don't forget to Synchronize the Topology again.

 

 

 

 

 

Having a Unified Security Policy (USP) requires to have network zones defined, filled with all relevant networks.
This is done in SecureTrack via Menu > Network > Zones. Only zones defined here can be used in an USP configuration.

There are some pre-defined zones:

  • Internet
    This zone includes all official IP-Adresses that are not defined to be in any other zone
  • Unassociated Networks
    This zone includes all private IP-Adresses (RFC 1918) that are not defined to be in any other zone
  • Users Networks
    This zone includes all networks that users connect to (e.g. used in Check Point Identity Awareness)

Based on interface information of devices, zones are allocated with interfaces automatically - except the zone Internet.

Tufin SecureChange calculates "Risk" in Access Requests in the classic way while SecureTrack uses for the calculation of "Violations" a specific configuration that can be adapted.
To modify interfaces and zones, it's necessary to go to the USP list, i.e. Menu > Audit > Compliance > Unified Security Policy. Here you select an USP to modify the relationship of Interface - Zone. This is done by pressing the button "Preferences". A window opens, so you can modify the allocations manually.

In this example, the Interface "pppoe2" has no associated zone even if (in real live) the "Internet" is connected to this Interface. To configure this, select the interface and then the button "Edit" at the top right. Here, you select the zone that shall be connected to this Interface.

After having done so, the configration is changed by pressing the button "save".

So from now on, calculations regarding "violations" consider this configuration and zone association.

Please regard: Be sure to document well all changes done this way!
In SecureTrack Audit Trail only this message is shown "Unified security policy configuration - Modify - Device - FWGW-Office - Modify was done by MeAdmin on interface/zone mapping for device FWGW-Office".

Changes done here have direct impact on "violations", so every configuration change needs to be documented well.
The calculation of "violations" is done when a new revision arrives to SecureTrack, a USP is changed or the Topology (Interactive Map) is synchronized.

 

 

 

 

 

 

Since Check Point R80 it's necessary not to connect Tufin SecureTrack to a Check Point Management using only OPSEC, but a HTTPS connection to the Check Point Management API is necessary also. This might result in a scenario shown here.

Problem and Symptom

  • Monitoring the Check Point Management R80x has been configured successful in SecureTrack i.e. connections using OPSEC and Managmenent API are configured and certificates have been retrieved.
  • Testing the connectivity by SecureTrack has been successful
  • Starting the newly monitored Check Point Management has been successful, the icon is indicated with a grren sign - so everything seems ok

BUT

  • no revisions are retrieved
  • in the file /var/log/st/checkpont.get_checkpoint_conf_<IP>_<ID>.log an information is shown:
    [main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Device Version Mismatch : The Device Got Version mismatch returning device version for updating db
    [main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Server API version 1.5, Max supported API version 1.5, argument API version 1.1

Solution

Tufin SecureTrack seems to take the wrong version of the Check Point API. This isn't always the case, but it might happen. In this case, SecureTrack tries version 1.1, but the Check Point Server uses version 1.5. This needs to be adjusted, using these steps:

  • Check if the file /usr/local/st/javatools/config.properties is present
  • If not, create a new file using vi or another CLI editor and
  • insert this line:
    checkpoint.sdk.api_version=v1.5
    This defines the version SecureTrack shall take for monitoring Check Point Management R80.x.
    The version shown above is fine for the logs above, but if necessary take another (correct) version
  • Restart the monitoring of this device in SecureTrack by
    # st restart <ID>

Short after these steps, a revision should show up in SecureTrack.

 

 

 

Besides standard functionality, Tufin offers extra tools like "Reporting Pack". This requires a special library, called PS Scripts. First of all, you need to download the file from the Tufin Portal (authentication required):

  • PS Script 5.5.7 (for Reporting Tool) Setup
    (credentials for access to SecureTrack and SecureChange are requested)

After having downloaded This file, it's necessary to install the package - and please remember to create a backup of your Tufin Server before doing so!
Then install the library (as root or with sudo on e.g. SecureTrack Server for Reporting Pack):

  •      # /bin/sh setup_tufin_ps_scripts-5.5.7.run -W

Be sure not to forget the "-W" (upper case) when installing the libary. Credentials needed are "Super Admin" for SecureTrack and "Security Administrator" for SecureChange. 
To check a successful installation of the library, run the command

     # ls /opt/tufin/securitysuite/ps/conf/WEB_ENABLED

If this file exists, everything is fine. You can also check if the service is running using the command

     # /etc/init.d/tufin-ps-web status

The service should be running. If not, you may try to start it via CLI.
To check the version of the library, use

     # cat /opt/tufin/securitysuite/ps/PS-version, Logs are stored in the directory /var/log/ps/Tufin_PS_Logger.log.

If all work is done, you can install Reporting Pack or use the library for Tufin PS or your own scripts.

 

 

 

Sometimes it's neccessary to improve SecureTrack Topology. Reasons might be islands in the topology, the integration of unsupported devices or if devices don't support every option, e.g. VPN. In this case configuring "generic" things help to get the "real topology".

IMPORTANT - before doing steps mentioned below, be sure to have a current backup of your SecureTrack server!

Let's consider the situation that there is a supported device and a generic device - and that a VPN is needed between these two devices. In the first step the supported device and the generic device don't have any connection between them.

The problem is: There has been no VPN detected between the devices R80_lab and VPN_Router. So this VPN needs to be configured manually.
Before configuring anything, some data need to be collected:

  • Type of the VPN devices
    • m - the device is monitored by SecureTrack
    • g - the device is a generic device that has been added manually to topology
  • Device ID of the VPN device. They can be found out in these ways:
    • m - monitored device
      • from CLI issue "st stat" and find the device in the list, e.g.
        MANAGEMENT          IP              ID    TYPE                  PID   LICENSE        STATUS
        R80_lab             10.0.0.1        285   SmartCenter       10917     valid         Connected
        In this case, the device ID is 285
      • from WebUI > Menu > Compare
        find the device in the left tree and press t to get the device ID
    • g - generic device
      • from data base directly, using CLI:
        [root@TufinOS ~]# psql securetrack -Upostgres -c "select * from topology_generic_devices"
         id | customer_id |       name
        ----+-------------+------------------
          4 |           1 | CP-Remote
        14 |           1 | VPN_Router
        (2 rows)
        [root@TufinOS ~]#
        In this example, the device ID is 14
  • Name of the interface where the VPN is configured on this device
  • Source IP address of the tunnel (not necessarily the IP address of the interface)
  • Destination IP address of the tunnel (not necessarily the IP address of the interface)
  • Name of the VPN (any name can be choosen)

After having collected all information, the generic VPN can be configured via WebUI:
https://<IP_SecureTrack>/tools

The next step is to fill in the parameters collected above. This example configures a VPN between a monitored device and a generic device for both directions.
Syntax: <device_type>,<device_id>,<interface_name>,<tunnel_source_ip>,<tunnel_destination_ip>,<vpn_name>
No spaces are allowed between the entries.

Configuring a VPN in both directions using these parameters

  • Device 1 is monitored by SecureTrack, ID 285, VPN uses Interface eth2, Source IP 10.3.62.227, Destination IP 112.12.12.12, name is MyVPN
  • Device 2 is a generic device, ID 14, VPN uses Interface interface1, Source IP 112.12.12.12, Destination IP 10.3.62.227, name is MyVPN

results in these two lines that need to be filled in:

m,285,eth2,10.3.62.227,112.12.12.12,MyVPN
g,14,interface1,112.12.12.12,10.3.62.227,MyVPN

 

It's possible to have many lines at once, so different generic VPN can be configured simultaneous. If all data are entered, the configuration is saved by pressing the "Submit" button.

The next step is to synchronize the topology to get this new information into it. After this, a refresh is necessary so the new topology is displayed:

The VPN is also "used" in the Topology, as it can be seen in a path:

 

To get an overview of generic VPN configured, it's necessary to use a data base query via CLI:

 [root@TufinOS ~]# psql securetrack -Upostgres -c "select * from topology_generic_vpn_connections"
 id | is_generic | device_id | interface_name | tunnel_source_ip_addr | tunnel_dest_ip_addr | vpn_name
----+------------+-----------+----------------+-----------------------+---------------------+----------
  9 | f          |       285 | eth2           | 10.3.62.227          | 112.12.12.12        | MyVPN
 10 | t         |         14 | interface1   | 112.12.12.12         | 10.3.62.227         | MyVPN
(2 rows)
[root@TufinOS ~]#

To delete a generic VPN, the ID of the VPN is needed. The command to remove the VPN is (example for id 10):

[root@TufinOS ~]# psql securetrack -Upostgres -c "delete from topology_generic_vpn_connections where id=10"
DELETE 1
[root@TufinOS ~]#

Issuing the command above will show that only the VPN with the ID 9 is left.

 

 

 

 

 

When F5 devices are monitored with Tufin SecureTrack, every part of the configuration can be found here (except ACLs).
It might happen that in SecureTrack > Menu > Settings > Administration > Status the status sign is yellow, stating "Error: Wrong arguments". At the first glance, there seems to be a problem regarding authentication or version of F5. But this isn't necessarily so complicated.

Looking at the Client Log in /var/log/st for example this information can be found:

FAULT: 14713 20191221 08:24:06.041 what() -> Error occurred when pulling configuration from the device: Wrong arguments
"send_error "\n$expect_out(buffer)\n""
send_error "\nsent username\n"
send_error "\nsent username\n"
11255 20191221 08:24:05.030 Error occurred when pulling configuration from the device: Wrong arguments
FAULT: 11255 20191221 08:24:05.031 what() -> Error occurred when pulling configuration from the device: Wrong arguments

If you find the error mentioned above, just check the connection. Even if it isn't obvious, a connection time out might have occurred.
"Wrong arguments" is also displayed if there is no ssh connection possible between SecureTrack Server and F5.