What happens with USP if a Network is not member of a SecureTrack Zone?

Having a Unified Security Policy (USP) matrix defined requires zones configured in SecureTrack Network Topology. Networks are assigned to these zones, which are referenced in a USP. In this matrix, traffic can be allowed or forbidden explicitely. The compliance of a connection with USP is tested in SecureTrack Violations as well as SecureChange Risk checks and SecureApp Compliance checks.

Besides individually configured zones a zone called Internet is available by default. This zone includes all networks that are not configured to be in other zones and that are not defined as Private Networks (RFC 1918). So in many cases this Internet Zone can be used to forbid "all other traffic" in the USP. So all official networks which aren't assigned to an individually configured zone will result in "RISK".

What happens if a private network like e.g. isn't assigned to a zone, but used as SRC or DST?


Behaviour before R18-2 HF1

Private networks not assigned to a zone referenced in the USP are not mentioned here, so they are not tested - and therefore such a network in SRC or DST will not lead to "RISK". Result of USP check is "no risk". 


Behaviour since R18-2 HF1

Tufin has introduced a new row to configure this behaviour. This can be done quite easily: 

  • Navigate to https://<SecureTrackHost>/stcgitest.htm
    to be redirected to https://<SecureTrackHost>/securetrack/admin/stcgitest.htm
  • Find Edit StConf and follow the link to Edit StConf

  • Press the button to Fetch Current Conf

  • Now search for this entry and modify the severity as needed


  • When ready, safe the configuration using the button Submit New Conf

You can select the Severity by changing the number in the middle of the expression. Possible options are

0 - No Risk (Default, same behaviour as before R18-2 HF1)
1 - Severity low
2 - Severity medium
3 - Severity high
4 - Severity critical

Based on this information a USP can be configured in a way that also "unknown" private networks lead to "RISK"



Tufin SecureTrack supports Check Point R80.x since a longer time now. Using a Check Point Management R80.20 may result in a problem.

A Check Point Management R80.20 can be connected to SecureTrack without a problem - at the first glance. All checks regarding OPSEC and Management API are ok, the device is shown in green pointing out that everything is ok.

But getting a revision seems not possible. Everything is green, but no revision shows up. In the corresponding log the statement "Checkpoint error code: http_forbidden" can be found.

This problem can be solved by using the correct version of Tufin SecureTrack.
Check Point R80.20 is supported from TOS R18-2 HF 1.2 and TOS R18-3 GA on (not by RC).
Upgrading to one of these versions solve the problem.





Some months ago, an article about potential problems connecting SecureTrack to a Check Point R80 Management Server has been published here. Most of the points are still true - except the option
   Menu > Settings > Monitoring > Check Point Management R80 > Test Connectivity
is now also testing the API connect to the Check Point Management Server (e.g. in R18-3).

As pointed out in Tufin Knowledge Center #10413, one reason for an API client error is the API itself. At the CLI of this machine an "expert" user can (and should) check the status of the api to be sure it's up and running. Tufin points out the resolution to allow access to the API from "All IP addresses", which is correct.

It might happen that access isn't possible even if the change has been configured, published via SmartConsole and the API has been restarted using CLI. Assuming that access to port 443/tcp is granted, another reason might be possible. In our lab this problem has been found using Check Point R80.20 with SecureTrack R18-3. It might happen in your environment also, but not necessarily.

Even if the change of allowed IP addresses has been published and the API has been restarted, it might not be active for the API. This can be checked by an "expert" user

[Expert@SMS]# api status
API Settings:
Accessibility:                      Require ip
Automatic Start:                  Enabled

So in this case, the change hasn't become active and the API allows access from only. This might also not change when the API is restarted again. In this case, try the command

[Expert@SMS]# api reconf
API reconfigured successfully

[Expert@SMS]# api status
API Settings:
Accessibility:                      Require all granted
Automatic Start:                  Enabled

After the completion of the first command, the change is active and SecureTrack can access the API.





Tufin points out that a vulnerability has been found in Tufin SecureTrack.

It's a XXE (XML External Entity) vulnerability described in Top 10-2017 A4-XML External Entities (XXE) which alows attackers to exploit vulnerable XML processors. They can upload XML or include hostile content in a XML document.

Tufin has provided a first fix to address this issue:

TOS 17-3 HF 4.1

For these versions fixes will be available and included, respectively:

TOS 18-1 HF 3  - scheduled to be published on September 5th, 2018

TOS 18-2 GA - Fix will be included in GA scheduled for release on August 22nd, 2018

Due to Tufin's policy regarding earlier versions no fix will be published for them. So if you use an older version, please do an upgrade to a supported version.





If Tufin SecureTrack is monitoring Cisco Firewalls and Routers, credentials to authenticate SecureTrack here need to be provided. Now it has been found, that the Enable Password may be exposed in a log file. This has been rated as "High Severity Vulnerability".

Please note that the password is shown in a log file of SecureTrack only, so only administrators with CLI access might get this information, but no unauthenticated attackers.

Affected versions of SecureTrack are R17-1, R17-2, R17-3, R18-1, R18-2 and R18-3, respectively.
A vulnerability fix will be included in HFs for supported versions:

  • TOS 18-1: Fix is included in R18-1 HF3.1 which will be published November 4th, 2018
  • TOS 18-2: Fix is included in R18-2 HF1 which will be published Novermber 7th, 2018
  • TOS 18-3: Fix is included in R18-3 RC1.1 which will be published November 4th, 2018

If you use an older version please plan an update to a version supported by Tufin.
Newer versions of Tufin Orchestration Suite will have the Fix included.





Since many years it's possible to authenticate users and administrators of SecureTrack via LDAP Server. This method is different to the others using TACACS+ or RADIUS. Here, a user needs to be defined. In this profile, the authentication method is selected: Local, TACACS+ or RADIUS.

Authentication using LDAP is a little different. First of all attaching a LDAP Server to SecureTrack needs to be done by Menu > Configuration > External Authentication > LDAP

Testing if the authentication of SecureTrack at the LDAP Server with LDAP Bind password isn't possible yet.

The "Administrators group DN" includes a group of AD users that are entitled to have administrative rights in SecureTrack. "Users" with restricted rights are located in the "Users group DN".
These users are not listed in Menu > Configuration > Users until their first login, they don't need to be imported.

When a LDAP user logs in to SecureTrack the first time, SecureTrack will check his name and credentials using LDAP. Depending in which group the user is found he will geht the corresponding rights.

  • Administrators group:
    User gets full administrative rights, if a Multi-Domain environment is configured, the right will be "Super-Admin"

  • Users group:
    User has restricted rights as "user", if a Multi-Domain environment is configured the right will be "Multi-Domain Users". But with the first login no device is showed to the user. This right has to be configured manually by an administrator after first login of the users.

 Besides this, the user is shown in the list of configured users in SecureTrack with Authentication method LDAP.

 Each time such a user authenticates, the password is checked against the LDAP server.