Using the latest versions of SecureTrack, the "good old" Topology isn't available any more.
The new Interactive Map offers more possibilities and doesn't need Flash.

Searching a path from A to B is possible inside this map.

The result is shown inline. Especially in complex environments the graph is rendered very small, and many administrators find it hard to get a "good graph for documentation". In this case, it's useful to send the request through the REST API instead.
The URL https://forum.tufin.com/support/kc/R16-3/securetrack/apidoc/#!/Network_Topology/getPathCalcImage shows the syntax for requesting the path, which is then shown in the browser.

Just an easy example: we want to know the path from 10.100.1.1/32 to 40.50.60.1/32 using SSH. In the Interactive Map the request is configured and the result is shown. This example delivers a simple output:


The result could be much more detailed, in which case the output might be too small to read. Then, or if a graphic file is wanted directly, the same request can be made using this URL:

https://<IP_SecureTrack>/securetrack/api/topology/path_image?src=10.100.1.1:32&dst=40.50.60.1:32&service=ssh%20protocol

The result is a PNG graphic file which can be saved and easily put into documentation.
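As an added example (not from the original post), this Python script builds the request above and saves the returned PNG; the server name, user and password are placeholders, and HTTP basic authentication against the REST API is an assumption.

```python
# Added example, not the original post's code. Server, credentials and
# basic-auth against the SecureTrack REST API are assumptions.
import base64
import ssl
import urllib.parse
import urllib.request

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def to_api_host(ip_cidr: str) -> str:
    """Turn 10.100.1.1/32 (map notation) into 10.100.1.1:32, the form the URL uses."""
    ip, _, mask = ip_cidr.partition("/")
    return f"{ip}:{mask or '32'}"


def build_path_image_url(server: str, src: str, dst: str, service: str) -> str:
    """Assemble the path_image URL; the space in 'ssh protocol' becomes %20."""
    query = urllib.parse.urlencode(
        {"src": to_api_host(src), "dst": to_api_host(dst), "service": service},
        safe=":",                       # keep the ':' of ip:mask literal
        quote_via=urllib.parse.quote,   # %20 rather than '+' for the space
    )
    return f"https://{server}/securetrack/api/topology/path_image?{query}"


def is_png(data: bytes) -> bool:
    """Check the PNG signature before writing the response to disk."""
    return data.startswith(PNG_MAGIC)


def fetch_path_image(server, user, password, src, dst, service, out_file, cafile=None):
    """Download the path graph as PNG; cafile is the CA that signed the server cert."""
    url = build_path_image_url(server, src, dst, service)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)  # verify the server certificate
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        data = resp.read()
    if not is_png(data):
        raise ValueError("response is not a PNG; check src/dst/service or the login")
    with open(out_file, "wb") as fh:
        fh.write(data)
    return len(data)
```

Call `fetch_path_image("<IP_SecureTrack>", "user", "password", "10.100.1.1/32", "40.50.60.1/32", "ssh protocol", "path.png")` with your own values; the script refuses to save anything that is not a PNG (e.g. an HTML login page).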


Some administrators of Tufin SecureTrack are used to the old Topology Map, which has been removed in TOS 16-4. Instead, the new Interactive Map has been integrated. It has some advantages and doesn't require Adobe Flash. But still some administrators want the "good old Topology Map".

This is the view administrators have today: only the Interactive Map is shown in the menu. It's possible to enable the Topology Map with this command on the CLI of the server:

[root@TufinOS]# /usr/local/st/manage_old_topology_tab.sh enable
Restarting httpd service to apply changes
[root@TufinOS]#

The change becomes visible when the page is reloaded or the user has logged off and logged on again.

As you see, even in the latest versions the Topology Map can still be used. Due to its improved options, however, the Interactive Map should be the preferred way to work with the Topology in SecureTrack.


PS: To disable the Topology Map, this command can be used:

[root@TufinOS]# /usr/local/st/manage_old_topology_tab.sh disable
Restarting httpd service to apply changes
[root@TufinOS]#


Sometimes it's necessary to define zones that include "new" or "unknown" networks.


Traditional Approach

The traditional approach in Tufin SecureTrack is to monitor devices. These devices deliver information about networks and routes to SecureTrack, and this information is used to build the Topology.
The next step would be to define zones manually. These zones contain networks that are part of the Topology. So finally, only "known networks" are defined in zones, and only those can be used to define the Unified Security Policy (USP).


Another Approach

Some administrators have an IPAM (IP Address Management) tool that holds all IP addresses and networks, even those not registered in the SecureTrack Topology. All of this information shall be used for compliance rules in the USP. Since zones can be imported and no check is done whether the networks exist in SecureTrack, exporting this data from the IPAM helps, e.g.

Known: Zone a (Network 10.1.1.0/24), Zone b (Network 10.1.2.0/24)

in IPAM: Network 10.1.3.0/24 which should be imported into a new zone

File for import into SecureTrack Zones:

"#Zone Properties"
"zone name","description"
"Internet","Internet zone is all public addresses, excluding the addresses defined in all other zones"
"Users Networks","Users Networks zone should include the address space from which users can come within your organization"
"a",""
"b",""
"c","new zone"

"#Zone Hierarchy"
"parent","child"

"#Zone Subnets"
"zone name","subnet","description"
"a","10.1.1.0/24",
"b","10.1.2.0/24",
"c","10.1.3.0/24","new"

"#Zone Security Groups"
"zone name","security group name","description"

Even if the new zone isn't known in SecureTrack beforehand and the network isn't in the Topology, the import works.
After the zones including the new zone c have been imported, the USP can be adapted and imported, too. Even if the following example isn't really a USP, it shows that this works.

"from zone","to zone","severity","access type","services","rule properties","flows"

"a","a","high","allow all","","",""
"a","b","critical","allow all","","",""
"b","a","low","allow all","","",""
"b","b","high","allow all","","",""
"c","c","high","allow all","","",""
"a","c","critical","allow all","","",""
"c","a","low","allow all","","",""
"b","c","critical","allow all","","",""
"c","b","low","allow all","","",""

After import, the new zone c is shown in the USP, even if the network isn't included in the SecureTrack Topology.
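The following Python script is an added example, not part of the original post: it derives the zone import file and the USP matrix shown above from an IPAM export, and reports which IPAM networks no existing zone already covers. The IPAM rows are constructed, and the severity rule only reproduces the pattern of the example.

```python
# Added example, not the original post's code. KNOWN_ZONES and IPAM_EXPORT
# are constructed sample data; the two predefined zones come from the example.
import ipaddress

KNOWN_ZONES = {"a": ["10.1.1.0/24"], "b": ["10.1.2.0/24"]}  # already in SecureTrack
DEFAULT_ZONES = [
    ("Internet", "Internet zone is all public addresses, excluding the addresses defined in all other zones"),
    ("Users Networks", "Users Networks zone should include the address space from which users can come within your organization"),
]
# Constructed IPAM export: (zone name, network, subnet description)
IPAM_EXPORT = [("a", "10.1.1.0/24", ""), ("b", "10.1.2.0/24", ""), ("c", "10.1.3.0/24", "new")]


def q(*fields):
    """One CSV line in the double-quoted form the zone and USP imports expect."""
    return ",".join(f'"{f}"' for f in fields)


def new_zones(known, ipam):
    """IPAM zones whose network is not covered by a subnet of any known zone."""
    covered = [ipaddress.ip_network(n) for nets in known.values() for n in nets]
    return {z: net for z, net, _ in ipam
            if not any(ipaddress.ip_network(net).subnet_of(c) for c in covered)}


def zone_import_file(known, ipam):
    """Render the four sections; zones unknown to SecureTrack are tagged 'new zone'."""
    names = list(dict.fromkeys(z for z, _, _ in ipam))  # unique, in IPAM order
    lines = ['"#Zone Properties"', q("zone name", "description")]
    lines += [q(z, d) for z, d in DEFAULT_ZONES]
    lines += [q(z, "" if z in known else "new zone") for z in names]
    lines += ["", '"#Zone Hierarchy"', q("parent", "child")]
    lines += ["", '"#Zone Subnets"', q("zone name", "subnet", "description")]
    lines += [q(z, net, d) for z, net, d in ipam]
    lines += ["", '"#Zone Security Groups"', q("zone name", "security group name", "description")]
    return "\n".join(lines) + "\n"


def usp_matrix(zones, severity):
    """Every zone pair in the USP import format; severity(src, dst) gives the text."""
    lines = [q("from zone", "to zone", "severity", "access type", "services", "rule properties", "flows")]
    lines += [q(s, d, severity(s, d), "allow all", "", "", "") for s in zones for d in zones]
    return "\n".join(lines) + "\n"


def example_severity(src, dst):
    """Rule reproducing the example: same zone high, a->b critical, reverse low."""
    return "high" if src == dst else ("critical" if src < dst else "low")
```

Write `zone_import_file(KNOWN_ZONES, IPAM_EXPORT)` to the zone import file and `usp_matrix(["a", "b", "c"], example_severity)` to the USP file; `new_zones(...)` lists what the import will add that the Topology does not know.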


Lesson learnt: if an IPAM holds all information about the networks, exporting the relevant information in the correct format allows defining a USP with networks that aren't even included in the Topology.


How to connect a "traditional" Check Point Management Server R77.x to SecureTrack has been described before:
Now let's see how an R80.x Check Point Management Server (SMS) can be connected to SecureTrack.



Prepare the Check Point SMS

First of all, a Permission Profile needs to be defined. Since R80, the profile needs to allow write access to the SMS because of the new Management API.
To do so, in SmartConsole navigate at top left to Manage & Settings > Permissions & Administrators > Permission Profiles.

You will need an Administrator for Tufin SecureTrack that uses the Management API. So navigate to Manage & Settings > Permissions & Administrators > Administrators to define it.

Next, an object of the type Host Node is needed, representing the system Tufin SecureTrack is running on. This is necessary because its IP address is needed when the OPSEC Application is defined in a later step. To define it, navigate to the top right in SmartConsole and select Object Categories > Network Objects > New > Host.

To initiate the Secure Internal Communication (SIC), defining an OPSEC Application is necessary. To do so, navigate to Object Categories > Servers > OPSEC Applications > Applications and define a new one. Necessary protocols are LEA (Log Export API) to have access to logs as well as CPMI (Check Point Management Interface) to have access to the objects and rules.

It's necessary to configure the permissions of Tufin SecureTrack within Check Point. For CPMI as well as for LEA, a Read-Only Permission Profile should be sufficient. You are free to allow further access, but it's not necessary if only SecureTrack is going to use this application.

After these steps, the SIC should be initiated by setting an Activation Key. This is a one-time password for authenticating Tufin SecureTrack at the SMS. When this authentication is successful, a newly generated certificate is transferred to SecureTrack. From then on, authentication is based on this certificate. The communication is encrypted, just as it is between the Check Point components themselves, e.g. SMS and Firewall Module.


When the password is typed twice, the button Initialize finishes this part of the configuration.

Please don't forget to make this newly generated certificate available by installing the database: Menu > Install Database. If you forget to install the database on the SMS, the connection from SecureTrack won't work.



Prepare the Check Point Rulebase

If there is a firewall between Tufin SecureTrack and the Check Point SMS, a rule must allow the necessary access. Besides the access using LEA and CPMI, further connections are needed, e.g. for certificate management:

  • 443/tcp
    Connection from the SecureTrack server to the SMS when using the Management API
  • 18184/tcp
    Connection from SecureTrack to the SMS / log server to retrieve log data (statistics) and audit log data (recognition of actions done by administrators)
  • 18190/tcp
    Connection from SecureTrack to the SMS with a CPMI client to retrieve the latest revision
  • 18210/tcp
    Connection to the SMS for authenticating with the one-time password and for retrieving the certificate
  • 18264/tcp
    Connection needed to access the CRL running on the SMS to check whether the certificate presented by the SMS is valid
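As an added example (not from the original post), this Python pre-flight check probes the five ports above from the SecureTrack server before the device is added, so a blocking firewall rule is found before the SIC and the monitoring fail; the SMS hostname is a placeholder.

```python
# Added example, not the original post's code. The SMS address is assumed;
# the probe function is injectable so the check can be exercised without a network.
import socket

# port -> purpose, as listed above
REQUIRED_PORTS = {
    443: "Management API (R80.x)",
    18184: "LEA: log and audit log export",
    18190: "CPMI: retrieve the latest revision",
    18210: "SIC: one-time password and certificate retrieval",
    18264: "CRL check of the SMS certificate",
}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable or socket not permitted
        return False


def check_sms_access(host, ports=REQUIRED_PORTS, probe=tcp_open):
    """Probe every required port; returns {port: purpose} for the ones not reachable."""
    return {port: why for port, why in ports.items() if not probe(host, port)}


if __name__ == "__main__":
    sms = "sms.example.com"  # assumed address of the Check Point SMS
    blocked = check_sms_access(sms)
    for port, why in blocked.items():
        print(f"{sms}:{port}/tcp not reachable - needed for {why}")
    print("all required ports reachable" if not blocked else f"{len(blocked)} port(s) blocked")
```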

So a rule needs to be configured whenever any firewall sits between SecureTrack and the SMS. When a Check Point Firewall is in between, the rule could look like this:



Configure Check Point SMS in Tufin SecureTrack

The Check Point SMS needs to be defined in SecureTrack so its configuration can be monitored. To do so, some steps are necessary. First of all, connect to Tufin SecureTrack with administrative rights using a web browser over HTTPS (443/tcp). The default configuration doesn't redirect an HTTP request on port 80/tcp to the correct port.


In the menu go to Settings > Monitoring > Manage Devices. In the left pane all monitored devices are listed. On the right side a new device can be defined. Here, select Check Point SmartCenter.

After this selection a wizard starts, asking for several configuration options in six steps.