www.tufin.club

Decommissioning Rules is possible if Tufin SecureTrack and SecureChange are licensed and connected to a Device for which this feature is supported.
This article is about decommissioning Rules on a Check Point Management Server.

 

General Requirements

Some requirements need to be fulfilled for this task:

  • Tufin TOS 17-1 or above with correct licenses
  • A user in SecureTrack and SecureChange with identical login name
  • A workflow for Rule Decommission
  • Check Point Management Server R80 or above since this feature isn't supported for R77.x

 

Requirements for Check Point Management Server

Above all, the Check Point Management Server needs to be a "new one", i.e. R80 or above. This server needs to be connected to SecureTrack correctly. This means, that the Management API is working and new revisions are shown in SecureTrack. Additionally, write access to Check Point Management is necessary if provisioning is desired.

 

Plan

We want to remove Rule 3 from the Rule Base of the Check Point Maangement Server as shown below.

 

Users in SecureTrack and SecureChange

A user in SecureTrack needs to be defined having access to the data of the Check Point Management Server within SecureTrack.
In SecureChange a user with identical login credentials needs to be configured. It's required that this user has the right to "Create Change Requests" by the role assigned to him.

 

Workflow in SecureChange

A workflow is needed to carry out a Rule decommission. After opening a new workflow, SecureChange requires to define the purpose of it. Here, "Rule decommission" should be selected.

The workflow itself can be kept quite simple with e.g. three steps. We will not discuss "basic things" like Properties of the step or its Assignment but concentrate on the section Fields.

Now let's have a look at the steps:

1 - Rules to Remove/Disable

Insert a field of the type "Rule decommision". Besides the basic option no others are required in this step. If wanted, further fields like e.g. Business Justification might be added.

2 - Business approval

The second step should show the field "Rule decommission" and allow the Approver to see what he or she is approving... So a field "Approve/Reject" should be added, too.

3 - Technical Design and Implementation

This step also shows the field "Rule Decommision". Having provisioning licensed, the full feature can be used now. So the Designer as well as the Verifyer should be activated.

After having completed all steps, the workflow needs to be activated and saved. The part of Workflow definition is done now.

 

Search for rule in SecureTrack

Using the Option Menu > Home > Policy Browser allows to find the rule that shall be deleted. It can be searched by this (new) tool, also.

Clicking on the very left field of the rule (eye) opens a window showing all details, including meta data like e.g. Permissiveness, Last Hit etc.

 

Adding a rule to a new Ticket

If the rule is selected, it's shown with a yellow background. The option "Add to ticket" should be active as shown below.

Having clicked this button, the eye besides it shows a number - if one rule is selected only, this number is "1".

Clicking on the eye opens a window that allows to open a Change Request. The rule is shown to the user. Additionally, on the right side of the window the action needs to be proviced (Disable or Remove). A name for the Ticket is required as well as the selection of the workflow that will be used for this Ticket.

To continue select the button "Continue" at the right bottom of this page.

Now, a Ticket is opened in SecureChange which needs to be submitted for further action.

 

Steps in the Ticket and Provisioning of the change

After having completed the first step and having submitted the Ticket, it will be approved in the second step. The request itself is shown in this step, so the Approver knows what he or she approves.
The third step allows the Designer and Verifyer to be run.

The designer finds the rule and shows it. If Provisioning is licensed, the field "Update Policy" can be used to provision the change directly. If the change is finished, the Verifier can prove if this change has been done correctly.
Hint: Please wait using the Verifier until SecureChange has downloaded the new Revision, otherwise the Verifyer will show the message that the change hasn't been implemented.

After a successful verification, the Verifier should give a green field also.

Finally, the Check Point Management Server should be checked regarding this change. Don't forget to install the policy so the change becomes active on the Gateway.

 

 

 

 

 

Many thanks to Tufin Technologies for nominating us at Tufinnovate EMEA 2017:

AERAsec is Tufin "Partner of the Year 2016 Central EMEA"

 

 

Award Ceremony Tufinnovate 2017, Frankfurt/Main - Germany, 19.10.2017
from left to right:
- Ruvi Kitov, CEO and Co-Founder Tufin Technologies
- Dr. Matthias Leu, CEO and Founder AERAsec
- Ian Rigby, VP EMEA Tufin Technologies

 Please see also: https://www.tufin.com/blog/tufinnovate-emea-2017-thank-you-attendees/

 

 

 

 

 

Using the latest versions of SecureTrack, the "good old" Topology isn't available any more.
The new Interactive Map offers more possibilities and doesn't need Flash.

Searching a path from A to B is possible inside this map.

The result is shown inline. Especially in komplex environments, the result is shown very small and many administrators have difficulties to have a "good graph for documentation". In this case, it's useful to take the REST API for the request.
The URL https://forum.tufin.com/support/kc/R16-3/securetrack/apidoc/#!/Network_Topology/getPathCalcImage shows the syntax how to request the path which is shown in the browser afterwards.

Just an easy example: We want to know the way from 10.100.1.1/32 to 40.50.60.1/32 using SSH. In the Interactive Map the request is configured and the result is shown. This example delivers a simple output:

 

The result could be much more detailed, so it might happen that the output is too small. In this case, or if a graphic file is wanted directly, the same request can be done by using this URL:

https://<IP_SecureTrack>/securetrack/api/topology/path_image?src=10.100.1.1:32&dst=40.50.60.1:32&service=ssh%20protocol

The result is a png graphic file which can be saved and easily put into a documentation.

 

 

 

 

Today Tufin has released the latest version of the Tufin Orchestration Suite. So TOS 17-2 is available in its GA version, delivering some improvements, e.g.

Cloud:

  • SecureTrack for Azure Resource Manager
    Working with VNETs and NSGs for the Azure Resource Manager Cloud Environment

Security Change Automation and Orchestration:

  • Separation of steps for Design and Provisioning
    Both is done by the Designer, but separate teams are able to work with different duties (Design Team, Provisioning Team).
  • Full Automation for Palo Alto Panorama NGFW Security Profile Groups using Content-ID
    Zero-Touch end-to-end automated changes for PAN NGFW policies that include Security Profile Groups and Content-ID Inspection
  • Full Automation for Palo Alto Panorama NGFW Log Forwarding Profiles
    Zero-Touch end-to-end automated changes for PAN NGFW policies that include Log Forwarding Profiles.
  • End-to-end Server Decommission Automation
    Working with Designer and Provisioning for Check Point R80/R80.10, Palo Alto Panorama, Cisco ASA, Cisco IOS, Juniper SRX, and Fortinet FortiManager

Security Risk and Compliance:

  • Unified Security Policy (USP) Alerts
    It's possible to use USP alerts in SecureTrack now.

Devices and Platforms:

  • Support of Cisco Firepower Management Center (FMC) by SecureTrack
  • Full Cross-Suite Support of Check  Point R80.10
  • Support of Palo Alto Dynamic Access Group (DAG) Objects for VMware NSX by SecureTrack and SecureChange
  • Support of Fortinet Fortigate 5.4.4 and FortiManager 5.4.3
  • Support of Juniper JM/MX 13.3
  • Support of Palo Alto Panorama PanOS 8.0.1

REST API:

  • SecureTrack: additional_parameters API (parameter: type), devices API (parameter: sort), rule_search API (parameter: start, count)
  • USP Alerts: creation, modification, retrieval and deletion with Unified Security Policy Alerts commands
  • Better modification of Designer Suggestions using the command modify designer suggestion

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Some administrators of Tufin SecureTrack are used to the old Topology Map, which has been removed in TOS 16-4. Instead of the Topology Map the new Interactive Map has been integrated. It shows some advantages and doesn't require the Adobe Flash. But still some administrators want the "good old Topology Map".

This is the view administrators have today - only the Interactive Map is shown in the Menu. It's possible to enable the Topology Map using this command at the CLI of the server:

[root@TufinOS]# /usr/local/st/manage_old_topology_tab.sh enable
Restarting httpd service to apply changes
[root@TufinOS]#

The change becomes visible when the page is reloaded or the user has logged off and logged on again.

As you see, even in the latest versions the Topology Map can be used. Due to improved options, the Interactive Map should be the preferred way to work with  the Topology in SecureTrack.

 

PS: To disable the Topology Map, this command can be used:

[root@TufinOS]# /usr/local/st/manage_old_topology_tab.sh disable
Restarting httpd service to apply changes
[root@TufinOS]#

 

 

 

 

A problem with PrimeFaces Expression Language (EL) in Tufin SecureChange has been found. CodeWhite points out that in SecureChange an EL Injection is possible, allowing unauthenticated attackers to inject arbitrary EL code to PrimeFaces custom EL Parser.

Tufin has published a Security Advisory regarding this fact on August, 24th.

All TOS versions with SecureChange installed are affected. Not affected are systems if SecureTrack only is installed.
Fixes are available for most supported TOS versions.

TOS R17-2: Fix will be published End of August
TOS R17-1: Fix is included in R17-1HF3 which is available in Tufin Download Center
TOS R16-4: Fix is included in R16-4HF5 which is available in Tufin Download Center

If a fix is needed for TOS R16-3 or TOS R16-2 Tufin asks customers to contact Tufin Support
(support at tufin dot com).

Earlier versions are no more supported, so a fix will not be published. In this case, upgrading to a supported version is strongly recommended.