In some cases, it's necessary to change the IP address of the SecureTrack Server. Some facts need to be considered before. The change itself consists of two parts - changing the IP address of the system as well as changing the IP in the SecureTrack Server.
- Please consider that the solution described is working for TOS CLASSIC only!
If the IP address needs to be changed for TOS AURORA, a new installation is necessary - see also the Knowledge Center of Tufin.
Things to be considered before
Esp. in complex scenarios, some facts need to be considered before changing the IP address of SecureTrack, e.g.
- Check and configuration of IP addresses/netmasks for all NIC (see below), incl. update of file /etc/hosts
- Check and configuration of routes
- Check if switch configuration is affected (e.g. VLAN, Port Security...)
- Check if there are changes necessary for using DNS, NTP, syslog, etc.
- Check if changes are needed at other servers, e.g. SecureChange, Authentication, E-Mail, LDAP
- Check if firewall rules need to be changed for communication between SecureTrack and SecureChange (and vice versa), SecureTrack and monitored devices...
- If Check Point is monitored: Check if API access is still possible after changing the IP address, modification of OPSEC Application is needed
- Other devices need to be configured to send syslog data to the new IP address
- If Access Control is configured, access from the new IP address needs to be allowed, e.g. for downloading a new revision
- ...
Don't forget to update the documentation/operation manual
Changing the IP address of TufinOS
Since TufinOS is based on CentOS, changing the IP address of an interface (eth0) is done by editing the file
/etc/sysconfig/network-scripts/ifcfg-eth0
In this file the parameters IPADDR and NETMASK need to be adapted. If necessary, changing the GATEWAY might necessary also. To make the changes effective, a restart of the network component (service network restart) or a reboot of the system is necessary. After this successful change SecureTrack Server has the other IP address.
Changing the IP address in SecureTrack
Before making any change using the command psql, create a backup of your configuration!
If only the IP address of the system is changed, SecureTrack shows the "old" IP address in the WebUI. Everything works fine, but this address should also be changed.
Btw., the same issue happens if a backup is restored to a machine with a different IP address.
In Menu > Settings > Administration > Status, the "old" IP address is 10.100.200.206 is shown. It should be the "new" IP address 10.0.0.20.
To change the IP address it's necessary to connect to the CLI with administrative rights.
First thing to do is to find the ID of the SecureTrack Server.
[root] psql -Upostgres securetrack -c "select * from st_servers"
id | ip | display_name | services_stat | services_last_update | disk_usage | server_type | software_version | cgi_stat | cgi_last_success
----+----------------+--------------+---------------+---------------------------+------------+-------------+------------------+----------+----------------------------
1 | 10.100.200.206 | TufinOS | ok | 2019-09-05 15:25:13.32552 | 15 | standalone | | up | 2019-07-15 10:57:36.657694
(1 row)
[root]
The next step is to change the IP address of this server.
[root] psql -Upostgres securetrack -c "update st_servers set ip='10.0.0.20' where id='1'"
UPDATE 1
[root]
Now it can be checked that also in the data base the IP address is changed:
[root] psql -Upostgres securetrack -c "select * from st_servers"
id | ip | display_name | services_stat | services_last_update | disk_usage | server_type | software_version | cgi_stat | cgi_last_success
----+----------------+--------------+---------------+---------------------------+------------+-------------+------------------+----------+----------------------------
1 | 10.0.0.20 | TufinOS | ok | 2019-09-05 15:25:13.32552 | 15 | standalone | | up | 2019-07-15 10:57:36.657694
(1 row)
[root]
After a new login at the WebUI also here the correct IP address is shown.
