www.tufin.club
Network Settings for Management Interface in TufinOS
- Details
- Category: TufinOS
TufinOS is a Linux system, so the network settings of its management interface have to be configured like on any other Linux host. One way is the "traditional" one: editing the network configuration files, e.g.
/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth0
This is not always the easiest way, especially if the administrator isn't too familiar with Linux. An easier way is to use a command that TufinOS provides:
/usr/local/sbin/config_mgmt_if
Since /usr/local/sbin is usually part of root's PATH, the command can also be called without the full path:
config_mgmt_if
The command interactively asks for all settings needed for the management interface, as shown in the example below
(use your own IP addresses, both in lab and production environments). Afterwards it restarts the network service so the changes take effect.
[root@TufinOS ~]# config_mgmt_if
Please enter the network details for the TOS management interface (eth0).
IP address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.254
IP address for DNS server 1, or press ENTER to continue: 192.168.1.253
IP address for DNS server 2, or press ENTER to continue: 192.168.2.253
IP address for DNS server 3, or press ENTER to continue:
Do you want to configure IPv6 (yes|no)?: no
Network settings for TOS management interface
=============================================
(1) IP address: 192.168.1.1
(2) Netmask: 255.255.255.0
(3) Gateway IP: 192.168.1.254
(4) DNS Servers: 192.168.1.253, 192.168.2.253
To change the settings, enter the item number to change.
Enter c to apply the changes and continue, or enter e to exit
> c
Warning: The current network settings for the eth0 adapter will be overridden.
Are you sure you want to continue (yes|no)?: yes
Configuring eth0 settings...
Restarting network service...
Done.
[root@TufinOS ~]#
The command therefore makes configuring the management interface of TufinOS a lot easier. Keep in mind that the network restart drops an SSH session running over eth0, so run it from the local console or be prepared to reconnect to the new address.
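The following shell script is an added example and not part of TufinOS or of the original post. It reads the IPADDR, NETMASK and GATEWAY keys of a file in the ifcfg-eth0 format mentioned above and checks that the values are consistent before a network restart is done with them, in particular that the gateway really lies in the subnet of the new interface address (a wrong gateway is the classic way to lock yourself out of a remote box). The function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not part of TufinOS): consistency checks for the management
# interface settings, read from a file in ifcfg-eth0 syntax (IPADDR, NETMASK,
# GATEWAY). The network service is restarted with whatever values are given,
# so checking that the gateway is reachable through the new subnet first
# avoids locking yourself out. Function names are this example's own.

# ip2int A.B.C.D -> prints the address as a 32-bit integer; returns 1 if malformed
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # digits only, no leading zero (08 would be read as octal), 0..255
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_ok A.B.C.D -> true if the netmask is a non-empty contiguous run of ones
mask_ok() {
    m=$(ip2int "$1") || return 1
    [ "$m" -ne 0 ] || return 1
    # the complement of a valid mask is 2^k - 1, so complement+1 is a power of two
    inv=$(( ~m & 0xFFFFFFFF ))
    [ $(( (inv + 1) & inv )) -eq 0 ]
}

# check_mgmt_settings FILE -> 0 if IPADDR, NETMASK and GATEWAY are consistent, 1 otherwise
check_mgmt_settings() {
    file=$1
    ip=$(sed -n 's/^IPADDR=//p' "$file" | tr -d '"')
    mask=$(sed -n 's/^NETMASK=//p' "$file" | tr -d '"')
    gw=$(sed -n 's/^GATEWAY=//p' "$file" | tr -d '"')
    ipn=$(ip2int "$ip") || { echo "bad IPADDR: '$ip'"; return 1; }
    mask_ok "$mask" || { echo "bad NETMASK: '$mask'"; return 1; }
    maskn=$(ip2int "$mask")
    gwn=$(ip2int "$gw") || { echo "bad GATEWAY: '$gw'"; return 1; }
    net=$(( ipn & maskn ))
    bcast=$(( net | (~maskn & 0xFFFFFFFF) ))
    if [ "$ipn" -eq "$net" ] || [ "$ipn" -eq "$bcast" ]; then
        echo "IPADDR $ip is the network or broadcast address"; return 1
    fi
    if [ $(( gwn & maskn )) -ne "$net" ]; then
        echo "GATEWAY $gw is not in the subnet of $ip/$mask"; return 1
    fi
    if [ "$gwn" -eq "$ipn" ] || [ "$gwn" -eq "$net" ] || [ "$gwn" -eq "$bcast" ]; then
        echo "GATEWAY $gw collides with the interface, network or broadcast address"; return 1
    fi
    echo "ok: $ip/$mask via $gw"
}

# Constructed sample with the values from the session above, written in the
# /etc/sysconfig/network-scripts/ifcfg-eth0 format:
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.1
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
EOF
check_mgmt_settings "$SAMPLE"
rm -f "$SAMPLE"
```

On a real system you would point check_mgmt_settings at /etc/sysconfig/network-scripts/ifcfg-eth0 after the values have been written and before the network service is restarted; the script only reads the file and never changes it.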
"Redo Step" not working?
- Details
- Category: SecureChange
While a ticket is being worked on, it passes through the workflow step by step.
There is an option called "Redo Step" to jump back to an earlier step, which is then done again. To do so, just select the earlier step and press the "Redo Step" button.
In this example we are currently at step 5 while step 3 shall be repeated (and therefore steps 4 and 5 as well, because a change made in the repeated step could affect them).
Here, in step 5, step 3 is selected and shown (read only).
After having selected the step, press the "Redo Step" button.
The ticket then goes back in the workflow to the selected step (in this case from step 5 back to step 3).
BUT - this sometimes doesn't seem to work.
In the example above, step 2 is shown with a "skip" sign. This sign appears if that step of the workflow was skipped for this ticket. Because the step was never executed, "Redo Step" can't be applied to it. At first glance it seems strange that this step can't be selected, but on second thought it's quite logical. By the way, if a ticket with other conditions passes through the step, "Redo Step" is possible for this step later on; in that case the "skip" sign doesn't show up in the ticket.
Lessons learned:
The option "Redo Step" can be used to go back to any step the ticket has passed before.
If a step has been skipped, going back to this step using "Redo Step" isn't possible.
Manager Approvals in SecureChange
- Details
- Category: SecureChange
How to work with the field "Manager" in Tufin SecureChange
To use this feature, it first has to be defined in the workflow. To do so, open the definition of a workflow step and select the option Add Field; a menu opens.
In the drop-down menu select the option Manager.
Once this is done, the field is shown to the user. Since it's marked as Mandatory, it shows up with a red dot, so the user is required to fill in this field in that step.
For this to work, the assignment of the NEXT step needs to be defined correctly: for that following step, Manager Assignment has to be selected. Since the user might enter an incorrect e-mail address, a "Default Manager" needs to be defined as well. This is a user of Tufin SecureChange: if the e-mail to the manager can't be delivered, this user gets an e-mail to work on the ticket instead. Keep in mind that the requester types the manager's address himself, so the approval goes to whatever mailbox is entered; the Default Manager only catches undeliverable addresses, not wrong but deliverable ones.
Hints:
- This option can be used in multiple steps, i.e. the Manager field can be used in the step when opening a ticket and additionally in a later step
- Using the Manager field requires the next step to be configured with "Manager Assignment"
- Even in a step that is "Manager Assigned", a (new) Manager field can be defined and used
- If the step has "Dynamic Assignment" configured (e.g. to have different approvers for different destination networks), the Manager field is not supported and can't be used!
HTTP redirect to SecureTrack using HTTPS
- Details
- Category: SecureTrack
By default, Tufin TOS runs Apache listening on port 443/tcp for HTTPS only. In some installations users are used to typing http:// only, so a redirect might be useful. Since on machines running Tufin TOS (mostly) only this application is active, the Apache configuration can be changed globally and doesn't require VirtualHosts etc.
To make Tufin listen on port 80/tcp for cleartext HTTP and redirect these requests to port 443/tcp (HTTPS), the following steps are necessary:
- Back up your original configuration file /etc/httpd/conf/httpd.conf and keep the copy in a safe place
- Edit the file /etc/httpd/conf/httpd.conf:
- After the line
Listen 127.0.0.1:80
add a new line
Listen <IP Address of the Tufin Server>:80
so that Apache also listens on the network IP address and not only on the loopback address
- Add the line
RewriteEngine On
somewhere at the end of the file to enable mod_rewrite
- Below it, add the line
RewriteCond %{HTTPS} off
which matches only requests that did NOT arrive over HTTPS; the rule in the next line is applied to those requests only
- Below these two lines, add the line
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
to redirect to HTTPS on port 443/tcp and return a 301 (permanent redirect) to the browser. In the main server context the matched path starts with a slash, hence the ^/(.*)$ pattern; with ^(.*)$ (as in many .htaccess examples) the target would contain a double slash. Note that %{HTTP_HOST} echoes the Host header sent by the client; if you prefer, put the server's canonical host name into the rule instead
- Save the file
- Before restarting, check the syntax of the changed configuration with httpd -t (or apachectl configtest). Then restart the web server running on the system, either by executing
service httpd restart
or by executing the command
/etc/init.d/httpd restart
- Check /var/log/httpd/error_log for error messages, and test the result: curl -I http://<IP Address of the Tufin Server>/ should return a 301 with a Location: https://... header, and a browser should end up on the HTTPS page
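The script below is an added example, not Tufin's code and not part of the original post. It applies the steps above to an httpd.conf in one go, but idempotently (running it twice does not add a second Listen or a second rule set), keeps a timestamped backup, and puts Apache's syntax check between the edit and the restart so a typo can't take the web server down. It hard-codes the server's host name into the redirect instead of %{HTTP_HOST}, so a client can't steer the Location header to another host through its Host header. Function names, the marker comment and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Tufin's or the original post's code: applies the HTTP to
# HTTPS redirect from the steps above to an httpd.conf idempotently, and runs
# Apache's syntax check before the service is restarted. The function names and
# the marker comment are this example's own. The redirect target is the
# server's canonical host name instead of %{HTTP_HOST}, so the Location header
# cannot be steered to another host through the client's Host header.

MARKER='# tufin.club: HTTP to HTTPS redirect'

# redirect_lines IP HOST -> prints the directives to append
redirect_lines() {
    ip=$1; host=$2
    echo "$MARKER"
    echo "Listen $ip:80"
    echo "RewriteEngine On"
    echo "RewriteCond %{HTTPS} off"
    # Server context: the pattern ^ matches every URL path and %{REQUEST_URI}
    # carries the path over (mod_rewrite appends the query string by itself).
    echo "RewriteRule ^ https://$host%{REQUEST_URI} [R=301,L]"
}

# add_https_redirect CONF IP HOST
# returns 0 if the file contains the redirect afterwards (added now or already present), 1 on error
add_https_redirect() {
    conf=$1; ip=$2; host=$3
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if grep -qxF "$MARKER" "$conf"; then
        echo "redirect already configured in $conf"
        return 0
    fi
    # Keep a copy of the untouched configuration (step 1 of the article)
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # A second Listen on the same address makes httpd fail to bind, so only add
    # it if it isn't there yet; the position of Listen in the file does not matter.
    if grep -qxF "Listen $ip:80" "$conf"; then
        redirect_lines "$ip" "$host" | grep -vxF "Listen $ip:80" >> "$conf"
    else
        redirect_lines "$ip" "$host" >> "$conf"
    fi
    echo "redirect added to $conf"
}

# apply_https_redirect CONF IP HOST -> edits, syntax-checks, restarts; rolls back a broken config
apply_https_redirect() {
    conf=$1
    add_https_redirect "$@" || return 1
    if ! httpd -t -f "$conf"; then
        echo "syntax check failed, restoring the newest backup" >&2
        newest=$(ls -t "$conf".bak.* | head -n 1)
        cat "$newest" > "$conf"
        return 1
    fi
    service httpd restart
}

# Constructed sample httpd.conf (only the line the article refers to), so the
# edit can be exercised without touching a live server:
SAMPLE=$(mktemp)
echo 'Listen 127.0.0.1:80' > "$SAMPLE"
add_https_redirect "$SAMPLE" 192.168.1.1 tufin.example.net
add_https_redirect "$SAMPLE" 192.168.1.1 tufin.example.net   # second run: nothing is duplicated
cat "$SAMPLE"
rm -f "$SAMPLE" "$SAMPLE".bak.*
```

On the Tufin server the call would be apply_https_redirect /etc/httpd/conf/httpd.conf <IP Address of the Tufin Server> <host name>, run as root; apply_https_redirect is the only function that touches httpd or the service, so the file edit itself can be dry-run on a copy first. The RewriteCond/RewriteRule pair requires mod_rewrite to be loaded, which the stock httpd.conf does with a LoadModule line.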
Tufin Orchestration Suite 16-2
- Details
- Category: Version update
Today, Tufin has published the second major release of TOS in 2016, hence the name 16-2. Please find some information about the changes in this version below.
This version includes improvements such as:
- Optional configuration of the user interface without Adobe Flash components
- Enhanced syslog support, up to 150k syslogs per second
- Improvements regarding Distributed Architecture
Cloud:
- Provisioning of AWS Security Groups, policy changes to AWS and built-in risk analysis checks
- Unified Security Policy for AWS
Automation:
- End-to-end automation support for FortiManager ADOM policies in SecureChange, incl. risk analysis, Designer, provisioning and server decommissioning
- Configurable Designer suggestions regarding the selected objects
- The REST API now allows changing the ownership of a closed ticket
Security and Compliance:
- Find permissive rules using the rule documentation feature to optimize policies
- The REST API allows configuring flow exceptions in a Unified Security Policy
Devices and Platforms:
- Fortinet: full support of FortiManager 5.4 using ADOM Policies
- Palo Alto: support of Panorama 7.1 for devices using Device Groups
- Cisco: Cisco CSM 4.8 and 4.9 are now certified to work with TOS
- Cisco: Cisco ASA 9.5 is now certified to work with TOS
- Forcepoint: Stonesoft 5.10 is certified to work with TOS
Changes regarding SecureTrack:
- Unified Security Policy for AWS
- Analysis and optimization of policies using the rule permissiveness level
- IPv6 Support for Stonesoft Devices, Definition of IPv6 Zones in Zone Manager is possible now
- Filtering of Cisco ASA passwords is possible (optional)
- Support of FortiManager 5.4 managing Devices using ADOM Policies
- Managing Devices using Device Groups in Palo Alto Panorama 7.1 is possible
- The REST API allows getting the matching rules for Unified Security Policy exceptions as well as configuring flow exceptions in the Unified Security Policy
Changes regarding SecureChange:
- Provisioning of AWS groups
- End-to-End Automation for FortiManager
- Configurable Designer suggestions (object selection)
- View of additional Palo Alto Network Fields
- IPv6 Support for Stonesoft Policies and for Risk Analysis in Unified Security Policies
Changes regarding SecureApp:
- View of additional Palo Alto Network Fields
- Support of FortiManager ADOMs
- IPv6 support allowing security compliance checks for violations to IPv6 Zones
Further improvements and corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
TOP Plugin can't be uninstalled?
- Details
- Category: SecureTrack
Using one or more TOP plugins, devices other than the fully supported ones can be monitored. Even if the documentation is very basic, there are some use cases for it.
Uninstalling a TOP plugin via the red X in Menu > Settings > Monitoring > TOP Plugins might not be possible in some versions.
If you run into this problem, upgrade to TOS R16.1 HF3. This version allows uninstalling a TOP plugin (again).