Tufin.club
Serial number of Tufin Appliances

Details
Basics
Last Updated: 18 October 2016

Finding the serial number of a Tufin Appliance such as the T-1100 is quite easy: just have a look at the hardware and you will find the number. But what if there is no physical access to the box itself? You can also read the serial number on the console by using the command

[root@TufinOS ~]# dmidecode -s chassis-serial-number

It sounds easy, and yes - it's easy to get the serial number of a Tufin Appliance using CLI.

 

 

Use of ANY in Access Request

Details
SecureChange
Last Updated: 13 October 2016

In SecureChange an Access Request can be configured. If wanted, the use of ANY for Source, Destination and Service can be allowed.

If a requestor wants access from a specific IP to ANY he or she will write e.g.:

If an IP address has (accidentally) been entered into the Destination field, there is (at first glance) no way to get back to an ANY or any that is accepted by the system.

 

Solution:
Just delete the entry in the Destination, so you have an empty field. Pressing OK delivers the Destination ANY back again.

 

 

 

Network Settings for Management Interface in TufinOS

Details
TufinOS
Last Updated: 07 October 2016

Since TufinOS is a Linux system attached to a network, network settings need to be configured for the management interface. One way to do so is the "traditional" way of editing files such as

/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth0

etc. This is not always the easiest way, esp. if an administrator isn't too familiar with Linux. An easier way is to use a command of TufinOS:

/usr/local/sbin/config_mgmt_if

Since this directory is mostly in the environment path, the command can be used also as a single command without typing the whole path:

config_mgmt_if

This command asks the administrator for all important settings needed to configure the management interface of the system, as shown in the example below
(please use only YOUR OWN IP ADDRESSES in lab and production environments). It also restarts the network service so the changes become active.

[root@TufinOS ~]# config_mgmt_if
Please enter the network details for the TOS management interface (eth0).
IP address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.254
IP address for DNS server 1, or press ENTER to continue: 192.168.1.253
IP address for DNS server 2, or press ENTER to continue: 192.168.2.253
IP address for DNS server 3, or press ENTER to continue:
Do you want to configure IPv6 (yes|no)?: no

Network settings for TOS management interface
=============================================

(1) IP address:           192.168.1.1
(2) Netmask:              255.255.255.0
(3) Gateway IP:           192.168.1.254
(4) DNS Servers:          192.168.1.253, 192.168.2.253

To change the settings, enter the item number to change.
Enter c to apply the changes and continue, or enter e to exit
> c
Warning: The current network settings for the eth0 adapter will be overridden.
Are you sure you want to continue (yes|no)?: yes
Configuring eth0 settings...
Restarting network service...
Done.
[root@TufinOS ~]#

So this command might help to configure the management interface of TufinOS.

 

 

 

"Redo Step" not working?

Details
SecureChange
Last Updated: 28 September 2016

When a ticket is worked on, it goes step by step through the workflow.
There is an option called "Redo Step" to jump back to an earlier step, which will then be redone. To do so, just select the earlier step and press the "Redo Step" button.

 

In this example we are currently at step 5 while step 3 shall be repeated (and therefore steps 4 and 5 also, because a change could have been configured in the repeated step).
Here, in step 5, step 3 is selected and shown (read only).

After having selected the step, press the "Redo Step" button.

So the ticket goes back in the workflow to the step selected (in this case back from step 5 to step 3).

BUT - this sometimes doesn't seem to work

In the example above, step 2 is shown with a "skip" sign. This sign is shown if the step of the workflow has been skipped in this ticket. Because of this, a "Redo Step" can't be assigned. At first glance it seems strange that this step can't be selected, but on a second look it's quite logical. Btw - if a ticket with other conditions goes through the step, a "Redo Step" for this step can be configured later on. In this case, the "skip" sign doesn't show up in the ticket.

 

Lesson learned:

The option "Redo Step" can be used to go back to any step the ticket has passed before.
If a step has been skipped, going back to this step using "Redo Step" isn't possible.

 

 

 

Manager Approvals in SecureChange

Details
SecureChange
Last Updated: 23 September 2016

How to work with the field "Manager" in Tufin SecureChange


To use this feature, it first needs to be defined in the workflow. To do so, in the definition of a step of the workflow select the option Add Field to open a menu.

In the Drop Down Menu select the option Manager.

If done so, the field is shown to the user. Since it's marked as Mandatory, it will show up with a red dot. Therefore the user is required to fill this field in the step.


To have this option work, in the NEXT STEP the Assignment needs to be defined correctly. For this following step, the selection of Manager Assignment is mandatory. Since the user might provide an incorrect E-Mail Address, a "Default Manager" needs to be defined. This is a user of Tufin SecureChange. So if the E-Mail to the Manager can't be delivered, this user will get an E-Mail to work on the ticket.


Hints:

  • This option can be used in multiple steps, i.e. the Manager Field can be used for the step when opening a ticket and also at a later step (additionally)
  • Using the Manager Field requires the next step to be configured with "Manager Assignment"
  • Even in a step that is "Manager Assigned", a (new) Manager Field can be defined and used
  • If the step has "Dynamic Assignment" configured (e.g. to have different Approvers for different destination networks) the Manager Field is not supported and can't be used!

 

 

HTTP redirect to SecureTrack using HTTPS

Details
SecureTrack
Last Updated: 18 August 2016

By default, Tufin TOS runs with Apache configured to listen on port 443/tcp and accept HTTPS only. In some installations users are used to typing http:// only, so a redirect might be useful. Since on machines running Tufin TOS (mostly) only this application is active, the change to the Apache configuration can be made globally and doesn't require things like VirtualHosts etc.


To make Tufin listen on Port 80/tcp for HTTP in cleartext and to redirect this request to Port 443/tcp to use HTTPS these steps are necessary:

- Back up your original configuration file /etc/httpd/conf/httpd.conf and keep it in a safe place

- Edit the file /etc/httpd/conf/httpd.conf :

  • After the line
        Listen 127.0.0.1:80
    add a new line with
       Listen <IP Address of the Tufin Server>:80
    to make the system listen on the network IP address and not only on the internal (loopback) address
  • Add the line
         RewriteEngine On
    to enable rewriting (somewhere at the end of the file)
  • Add the line
         RewriteCond %{HTTPS} off
    to check whether HTTPS is off for the incoming request, i.e. it arrived as plain HTTP. If so, the next line will be executed (add this line below the RewriteEngine line)
  • Add the line
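         RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    to redirect to HTTPS on Port 443/tcp and give a 301 message to the browser (permanent redirect). The optional leading slash in the pattern stays outside the captured group, so the target does not end up with a doubled slash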
    (Add this line below the other two)
  • Save the file

- Now it's time to restart the web server running on the system. You can do it by executing
     service httpd restart
  or by executing the command
     /etc/init.d/httpd restart

- Check whether the restart produced any error messages, and test the configuration to be sure it works as you want
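
One way to carry out the test asked for in the last step, as an added example (not part of the original post and not Tufin tooling): a shell function that inspects the response head of a plain-HTTP request and confirms a 301 to HTTPS on the expected host. Because the rule builds its target from the request's Host header (%{HTTP_HOST}), the check compares against a host name you pass in; tos.example.test, the paths and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: validate the response head of a plain-HTTP request.
# Usage on a live system (replace the constructed host name with yours):
#   check_redirect tos.example.test "$(curl -sI http://tos.example.test/some/page)"

check_redirect() {
    host=$1
    headers=$(printf '%s\n' "$2" | tr -d '\r')      # HTTP heads use CRLF

    # Status line, e.g. "HTTP/1.1 301 Moved Permanently"
    status=$(printf '%s\n' "$headers" |
        sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    if [ "$status" != "301" ]; then
        echo "FAIL: status is '${status:-none}', expected 301"
        return 1
    fi

    # Header names are case-insensitive; take the first Location header
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')

    case $location in
        "https://$host//"*)   # pattern captured the leading slash of the path
            echo "FAIL: doubled slash in redirect path: $location"; return 1 ;;
        "https://$host/"*)
            echo "OK: $location"; return 0 ;;
        https://*)
            echo "FAIL: target is not https://$host/: $location"; return 1 ;;
        *)
            echo "FAIL: no HTTPS redirect: ${location:-no Location header}"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real TOS server)
SAMPLE_OK='HTTP/1.1 301 Moved Permanently
Location: https://tos.example.test/some/page'
SAMPLE_DOUBLE_SLASH='HTTP/1.1 301 Moved Permanently
Location: https://tos.example.test//some/page'
SAMPLE_OTHER_HOST='HTTP/1.1 301 Moved Permanently
Location: https://other.example.test/some/page'
SAMPLE_NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'

for s in "$SAMPLE_OK" "$SAMPLE_DOUBLE_SLASH" "$SAMPLE_OTHER_HOST" "$SAMPLE_NO_REDIRECT"; do
    check_redirect tos.example.test "$s" || true
done
```

Run `apachectl configtest` before the restart to catch syntax errors in httpd.conf, then feed the function the output of `curl -sI` against the server's HTTP address.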

 

 
