If TOS is configured to run as a cluster, a virtual cluster IP (VIP) is used for communication with the SecureTrack and/or SecureChange server. In addition, further interfaces are needed to configure a cluster, e.g. for Heartbeat. If the Heartbeat network interface goes down, the cluster performs a failover. At first glance this isn't a problem, because users can still work using the VIP. However, a maintenance window is recommended for bringing TOS back to cluster mode with data replication: the database sync takes some time, and during this time the VIP is unreachable.

So if a cluster member is, for example, moved from one switch to another, a failover occurs. If this isn't wanted, failure detection can be (temporarily) disabled by running this command on the active member:

# hactl --pause-auto-failover

Run the command hactl status on both nodes after a few minutes and make sure the status shown is "unmanaged".
Then replace the switch. Once that is done and all cables are connected again on the active cluster member, run the command:

# hactl --resume-auto-failover

After a (short) time, check the status again using hactl status. It should be back to normal, showing the same distribution of active / standby members as before.

 

 

 

Some customers have moved to Check Point R80.30 (or plan to).

Tufin will support R80.30 from TOS 19-1 HF3 onward. (Link requires authentication to the Tufin Portal).
Connecting R80.30 to earlier Tufin versions might result in problems.

Update August 2019: Tufin TOS 19-1 HF3 is now available for download.

 

 

SecureTrack and SecureChange both use a WebUI to interact with administrators and users. By default, a timeout of about half an hour is configured, i.e. after 30 minutes of inactivity users are logged out automatically.
This time doesn't suit every case: for some customers it is too long for security reasons, while others complain that it is too short and they can't work with the tool. Both can be helped by changing the auto-logout time in the configuration of SecureTrack and SecureChange. The parameters used for SecureChange are also valid for SecureApp.

 

Changing auto-logout time for SecureTrack WebUI

This change is made in the Apache configuration.
These steps adjust the time to a value between 600 and 86,400 seconds:

  • Back up the file /etc/httpd/conf/httpd.conf
  • Edit the file /etc/httpd/conf/httpd.conf and find this parameter: OIDCSessionInactivityTimeout
  • Replace the number following this parameter with your own number of seconds,
    e.g. if you want to have the timeout after 10 minutes:
    OIDCSessionInactivityTimeout 600 (space between variable and number)
  • Save the file with the change
  • Restart the webserver using # service httpd restart
  • Restart the Tomcat Server using # service tomcat restart

 

Changing auto-logout time for SecureChange WebUI

This change is made in the TOS configuration.
These steps adjust the time in minutes:

  • Back up the file /opt/tufin/securitysuite/conf/tufin_settings.properties
  • Edit the file /opt/tufin/securitysuite/conf/tufin_settings.properties and find the parameter SC_SESSION_TIMEOUT
  • Replace the number following this parameter with your own number of minutes,
    e.g. if you want to have the timeout after 10 minutes:
    SC_SESSION_TIMEOUT=10 (equal sign between variable and number)
  • Save the file with the change
  • Restart the Tomcat Server using # service tomcat restart
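
The backup and edit steps of both procedures can be scripted so that a typo or an out-of-range value is caught before any service is restarted. The following is an added example, not Tufin tooling: the function names are hypothetical, the file formats are assumed from the steps above, and the parameter names and the 600 to 86,400 second range are those given on this page.

```shell
#!/bin/sh
# Added example, not Tufin tooling. Function names are hypothetical; the
# parameter names and the 600..86400 second range come from the steps above.

# set_directive FILE KEY SEP VALUE
# Rewrites the numeric value of an existing KEY line (SEP is " " for
# httpd.conf, "=" for the properties file), after taking a timestamped backup.
set_directive() {
    file=$1 key=$2 sep=$3 value=$4
    case $value in
        ''|*[!0-9]*) echo "value must be a whole number" >&2; return 2 ;;
    esac
    # Refuse to continue if the parameter is absent, so nothing is appended
    # in the wrong place and the old timeout is not silently kept.
    grep -Eq "^[[:space:]]*${key}([[:space:]]|=)" "$file" || {
        echo "$key not found in $file" >&2; return 3; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 4
    # Write through a temp file, then cat back so owner and mode are kept.
    sed -E "s/^([[:space:]]*)${key}([[:space:]]*=[[:space:]]*|[[:space:]]+)[0-9]+/\1${key}${sep}${value}/" \
        "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    # Verify the new value is really in the file before any restart.
    grep -Eq "^[[:space:]]*${key}${sep}${value}[[:space:]]*$" "$file" || return 5
}

# SecureTrack: value in seconds, limited to the range stated above.
set_securetrack_timeout() {
    [ "$2" -ge 600 ] 2>/dev/null && [ "$2" -le 86400 ] 2>/dev/null || {
        echo "seconds must be between 600 and 86400" >&2; return 2; }
    set_directive "$1" OIDCSessionInactivityTimeout " " "$2"
}

# SecureChange / SecureApp: value in minutes.
set_securechange_timeout() {
    set_directive "$1" SC_SESSION_TIMEOUT "=" "$2"
}

# Usage on the TOS server (then restart the services as listed above):
#   set_securetrack_timeout /etc/httpd/conf/httpd.conf 600
#   set_securechange_timeout /opt/tufin/securitysuite/conf/tufin_settings.properties 10
```

Commented-out lines are deliberately not matched, so only an active parameter line is changed.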