
TOS Aurora

Disclaimer for SecureTrack / SecureChange

Last Updated: 29 August 2024

Sometimes it's necessary to provide a disclaimer on the login page so that legal aspects are covered.

When using "Single Sign On" (SSO) in TOS Aurora, only one login page is shown for both SecureTrack and SecureChange. This page refers to SecureTrack. If a separate disclaimer needs to be shown for SecureChange, SSO needs to be turned off. The same applies if a user is configured for SecureChange only.

SecureTrack (or SSO enabled)

There are two options to configure a disclaimer on this page. If the disclaimer consists of a single sentence and it doesn't need to be formatted, it can be added with this command:

[root@TufinOS ~]#  kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_disclaimer --content "Access restricted"

This results in the text "Access restricted" being shown on the login page.

If formatting is required, the disclaimer itself needs to be written into an HTML file. Please find an example below:

[root@TufinOS ~]# ll disclaimer.html
-rw-r----- 1 root root 110 Jan 12 18:03 disclaimer.html
[root@TufinOS ~]# cat disclaimer.html
<!DOCTYPE html>
<html><body>
<h1>Disclaimer</h1>
Please regard - <b>Access restricted</b>
</body></html>
[root@TufinOS ~]#

The command currently listed in the documentation delivered by Tufin leads to an error.
The correct procedure is shown below.

First, find the correct name of the pod running keycloak:
[root@TufinOS ~]# kubectl get pods | grep keycloak
keycloak-service-85559fc884-tlpqp                    1/1     Running            0                  29d
[root@TufinOS ~]#

Then copy the disclaimer file into the (correct) pod and make it active:
[root@TufinOS ~]# cat disclaimer.html | kubectl exec -i keycloak-service-85559fc884-tlpqp -c keycloak-service -- sh -c "cat > /tmp/disclaimer.html"
[root@TufinOS ~]# kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_disclaimer -f /tmp/disclaimer.html

The formatted disclaimer is then shown on the login page.

If you want to delete any disclaimer in SecureTrack, use this command:

#  kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_disclaimer --content ""
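The SecureTrack procedure above, wrapped into a small script that looks up the pod name itself and stops if no keycloak-service pod is Running (an added example, not from the Tufin documentation; it assumes kubectl on the PATH and the deployment name keycloak-service used above):

```shell
#!/bin/sh
# Added example (not from the Tufin documentation): automates the manual steps
# above. Assumes kubectl is on PATH and the deployment is named keycloak-service.
KUBECTL="${KUBECTL:-kubectl}"

# Reads "kubectl get pods" output on stdin and prints the first Running
# keycloak-service pod. Returns 1 if there is none, so a restarting or
# mistyped pod is caught before anything is copied.
pick_keycloak_pod() {
  awk '$1 ~ /^keycloak-service-/ && $3 == "Running" { print $1; found = 1; exit }
       END { if (found) exit 0; exit 1 }'
}

# set_disclaimer_from_file disclaimer.html: copy the file into the pod, then activate it.
set_disclaimer_from_file() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  pod=$("$KUBECTL" get pods | pick_keycloak_pod) ||
    { echo "no Running keycloak-service pod found" >&2; return 1; }
  # -t (a TTY) is not needed when driven from a script; stdin carries the file
  "$KUBECTL" exec -i "$pod" -c keycloak-service -- sh -c 'cat > /tmp/disclaimer.html' < "$file" || return 1
  "$KUBECTL" exec deploy/keycloak-service -c keycloak-service -- \
    manage_keycloak -r set_disclaimer -f /tmp/disclaimer.html
}

# clear_disclaimer: the same as the "delete" command above
clear_disclaimer() {
  "$KUBECTL" exec deploy/keycloak-service -c keycloak-service -- \
    manage_keycloak -r set_disclaimer --content ""
}

if [ $# -eq 1 ]; then set_disclaimer_from_file "$1"; fi
```

Run it as `sh set_disclaimer.sh disclaimer.html`; point KUBECTL at a wrapper if kubectl needs extra options on your node.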

SecureChange

Customizing SecureChange is easier than it is for SecureTrack. The menu to customize SecureChange can be reached via Menu > Settings > Customization.
On this page, the lower section called "Disclaimer" allows adding the text shown during login. Basic formatting of the text is possible, too. When finished, press "Publish" so the text is shown during login.

Please be aware that this disclaimer is shown only if Single Sign On (SSO) is turned off!

Network Requirements for TOS Aurora

Last Updated: 26 November 2022

The Tufin Orchestration Suite (TOS) Aurora is no longer a "simple installation based on Linux" but a Kubernetes cluster. Therefore, some network requirements regarding IP addresses need to be considered. Before upgrading to or installing TOS Aurora, the following IP addresses need to be reserved:

  • A dedicated IP address for each physical server (central server, worker node)
    This address is also used to access the CLI of each system
  • A VIP that is used for accessing the WebUI of SecureTrack/SecureChange/SecureApp
  • If syslog messages are to be received, an additional VIP is necessary as well

All of these IP addresses need to be on the same network (or the system needs more than one active interface).

Besides this, additional networks need to be reserved for TOS Aurora.

  • A network with a 16-bit prefix (/16) dedicated to the Kubernetes pod network. By default it is 10.244.0.0/16.
    If another network is needed, please contact Tufin Support.
  • A network with a 24-bit prefix (/24) dedicated to TOS Aurora for the Kubernetes service network. It must not overlap with the pod network.

These networks need to be taken from the private ranges described in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
They must not overlap with the addresses of the networks listed above. Additionally, they must not overlap with any subnet communicating with TOS Aurora or its nodes.
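To check planned addresses against these rules before installing, here is an added example in plain POSIX sh (not from Tufin); the CIDRs and host addresses in the final call are constructed sample values:

```shell
#!/bin/sh
# Added example (not from Tufin): checks the pod and service CIDRs planned for a
# TOS Aurora installation against the rules above, using only sh arithmetic.

ip2int() {                         # dotted quad -> 32-bit integer
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

netmask() {                        # prefix length -> mask as integer (4294967295 = 0xffffffff)
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

overlaps() {                       # overlaps A/p1 B/p2: true if the two ranges share addresses
  p=${1#*/}
  if [ "${2#*/}" -lt "$p" ]; then p=${2#*/}; fi
  m=$(netmask "$p")
  [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

is_rfc1918() {                     # true if A/p lies entirely inside one private range
  for r in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if [ "${1#*/}" -ge "${r#*/}" ] && overlaps "$1" "$r"; then return 0; fi
  done
  return 1
}

# check_tos_networks POD_CIDR SERVICE_CIDR HOST_IP... : prints each violation, returns 1 if any
check_tos_networks() {
  pod=$1; svc=$2; shift 2; rc=0
  [ "${pod#*/}" -eq 16 ] || { echo "pod network $pod must be a /16"; rc=1; }
  [ "${svc#*/}" -eq 24 ] || { echo "service network $svc must be a /24"; rc=1; }
  for n in "$pod" "$svc"; do
    is_rfc1918 "$n" || { echo "$n is not inside an RFC 1918 range"; rc=1; }
  done
  ! overlaps "$pod" "$svc" || { echo "$pod overlaps $svc"; rc=1; }
  for ip; do                       # node addresses, WebUI VIP and syslog VIP
    for n in "$pod" "$svc"; do
      ! overlaps "$n" "$ip/32" || { echo "$ip lies inside $n"; rc=1; }
    done
  done
  return $rc
}

# Constructed sample: default pod network, a /24 service network, two node IPs and two VIPs
check_tos_networks 10.244.0.0/16 10.100.0.0/24 192.168.1.11 192.168.1.12 192.168.1.20 192.168.1.21
```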

Further details can be found in the Knowledge Center run by Tufin.

Deprecated Reports and Devices

Last Updated: 14 July 2022

TOS Classic has reached its last version, R21-3. This platform is supported with hotfixes until the end of 2022. If needed, extended support is available; in this case, contact your reseller and/or your local Tufin sales representative.

TOS Aurora is the only platform for which improvements are developed. Therefore, some changes regarding supported devices and reports have been announced or implemented. In most cases a successor exists in TOS Aurora.

Reports

Tufin SecureTrack still includes some standard reports, e.g. "Rule and Object usage". Besides this, the free app SecureTrack Reporting Essentials is available in the Tufin Marketplace. Some of the reports are going to be removed or replaced.

  • Policy Analysis Report
    Based on Policy Analysis Queries, regular reports can be triggered. The queries are carried out at the configured times, leading to a Policy Analysis Report.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: Rule Viewer

  • Security Risk Report
    Risks, as defined in NIST 800-53, can be configured in SecureTrack. Reports can be generated per device showing potential risks.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, Reporting Essentials

  • Risk Charts
    Risks, as defined in NIST 800-53, can be configured in SecureTrack. The result of such a risk analysis is shown as risk charts, overall or per device.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: Widget in USP Viewer

  • Compliance Policies
    For a very long time, custom compliance policies could be defined and the configuration monitored against them.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, USP Alerts Manager, USP Exceptions

  • Regulations Audit Browser
    Regulations, e.g. PCI DSS or SOX, are defined in SecureTrack. The monitored configuration is shown using the Regulations Audit Browser, which also shows fulfillment of the regulations or details about violations.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, Reporting Essentials

  • Rule Documentation Report
    This kind of report covers rule metadata per device, e.g. expired rules, their business owner, or ticket ID.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, Rule Viewer

  • Expired Rules Report
    Many vendors offer a time limit for rules. After the given date, the corresponding rule is disabled automatically. Reports point out expired rules or rules that will expire within a configurable time frame.
    No longer available in new installations: R22-1
    Removed from all installations: R22-2
    Substitute / Follow up: Rule Viewer

Devices and features

Support for some devices and features is going to be removed in TOS Aurora. This affects e.g.:

  • Check Point Firewall OS Monitoring
    No new configuration in R22-1 and above, but still available for installations already using this feature (no longer in the price list)
  • Fortinet FortiManager in Basic Mode
    No new devices starting with R19-3, no revisions in R22-1 and above
  • Palo Alto Networks Panorama in Basic Mode
    No new devices starting with R19-3, no revisions in R22-1 and above
  • Palo Alto Panorama Version 8 and earlier
    No longer supported in R22-1 and above

Requirements of TOS Aurora

Last Updated: 29 September 2021

As you know, TOS Aurora has been released and will become the only supported version. TOS Classic will retire at the end of 2022.

Before upgrading from TOS Classic to TOS Aurora, the requirements need to be considered. If you are using a Tufin Appliance, please consult Tufin about its compatibility.

If you want to install TOS Aurora on other hardware, please refer to Tufin and consider the requirements.
Not only the size of the disk is important, but also its speed. Do not try to install TOS Aurora on classic hard disks; the storage requirements are:

  • (fast) SSD array
  • 7,500 IOPS or more
  • 250 MB/s throughput or more

So besides the requirements for processors/cores, RAM, and disk size, the speed of the hard disk is very important.
