www.tufin.club

Check Point Managment-HA and SecureTrack

Sometimes there are requirements regarding redundancy and high availability. In most cases, firewalls are configured to act as a cluster. So if one cluster member fails, packets are still possible to pass the firewall. In this case, the firewall cluster has a virtual IP address that is addressed by the packets.

Check Point Management HA

Check Point offers not only firewall clusters but also redundant management. In this case, there are two management servers running as active and standby, respectively. The administrator connects to the active management server and makes changes to the firewall configuration. These changes are synchronized to the standby management server. If the active management server fails, the administrator can connect to the other management server to continue the work and install the policy on the firewalls. Regarding this situation, there are two different IP addresses the administrator connects to; no virtual cluster IP address is in use.

Management HA and SecureTrack

Tufin has supported Check Point Management HA for many years. After the first server is defined in Tufin SecureTrack, the second server is imported using the WebUI via "/tools". This is described in the Tufin Portal. Everything works as expected if only rule changes are tracked.

Restrictions of SecureTrack regarding rule metadata

Today's SecureTrack works with metadata for each rule. These metadata include further information about the rule, e.g. "last hit", "last modification date", "rule owner", etc. Many companies need information stored in the metadata, e.g. reference to a "ticket number" in SecureChange that is related to this rule or a "rule recertification date". This date can be set with e.g. the Rule Lifecycle Management (RLM) tool. Recertification is often required esp. for companies working in the finance sector.

When metadata are created or modified, they are written to the corresponding rule on the active Check Point Management server - and these data are not synchronized (by design). So if e.g. rule 2 has been certified until 2024, this information is stored on the active server only. After a failover the other management server becomes active - and rule 2 is not certified here. The same situation occurs if a rule is modified: Ticket information is stored on the active server only, and is not synchronized to the standby server.

Lesson Learned

Tufin SecureTrack doesn't support "modern features" like rule recertification or ticket information per rule if Check Point Management HA is deployed.

Update 26.11.2023:
AERAsec has developed a procedure to circumvent the restrictions of SecureTrack regarding rule metadata when using Check Point Management HA.

AERAsec is 2022 Tufin Best SDP+ Partner

Many thanks to Tufin for awarding AERAsec at the Annual Partner Summit as

Tufin 2022 Best SDP+ Partner of the Year for the EMEA region

After more than 15 years of successful cooperation with Tufin, the AERAsec team is proud to receive this award.

Skip Condition and more than one Access Request

When working with Workflows in Tufin SecureChange, it's sometimes useful to skip a specific step. To configure this for a step in the Workflow, go to "Assignments" and select the option "Skip this step if:" Several conditions can be added and combined with AND or OR. A mixture is not possible (e.g. (a AND b) or c).

The example above has a Skip Condition with combined parameters. The step will be skipped if

the Check Box "Important access for me" is checked (e.g. in step 1)
AND
the service is NOT http (tcp 80)
AND
the Risk Status of all access requests is "No risk"

This condition works perfectly for a single Access Request.

BUT

If there is more than one Access Request in a ticket, the Skip Condition is evaluated for each Access Request. The suggested behavior has been that if each Access Request fulfills the Skip Condition, the step is skipped - and vice versa: If any Access Request does not fulfill the condition, the skip will not be skipped. This is wrong (!)

Lesson Learned

Tufin Support has clarified the behavior: "For tickets containing multiple access requests, the step will be skipped if the condition is met in any one of them unless the condition selected specifically states that it applies to all access requests."

So if only one Access Request within the ticket fulfills the Skip Condition, the step will be skipped - regardless of all other Access Requests.

The condition applies to all Access Requests only for "Risk Status", "Target", "Destination", "Verification Status". So only for these four conditions the behavior is as expected above.

User Access to Topology of SecureTrack

SecureTrack has two kinds of users: "Administrator" and "User".
An "Administrator" has access to every part of SecureTrack, also to SecureTrack Topology. The permissions of this user cannot be restricted.

In TOS Classic a "User" had the possibility to access SecureTrack Topology. The requirement was that this user has permission to view "all devices". In this case, Topolgy has been shown and could be used. For sure, when a new device has been added, the permission of the user needed to be updated (because otherwise the requirement for accessing the Topology was not fulfilled).

The access to the Topology for users has been classified by Tufin as a "security flaw". Therefore, in TOS Aurora there is no possibility for a "User" to access the Topology. If this access is needed, the permissions need to be extended to "Administrator" (with all consequences). If only some information is needed, a user is able to use the API for calling specific information from the Topology. Examples of this API access are shown here:
https://forum.tufin.com/support/kc/rest-api/R22-2P/securetrack/apidoc/#!/Network_Topology/getPathCalc
https://forum.tufin.com/support/kc/rest-api/R22-2P/securetrack/apidoc/#!/Network_Topology/getPathCalcImage

Automatic Target Selection and many Source/Destination

A very useful feature of Tufin SecureChange is the possibility to have an automatic target selection in Access Request workflows. Quite often, the first step of an Access Request ticket doesn't require the requester to fill in the necessary targets. Just Source and Destination as well as Service are needed for opening a ticket. In the next step, the corresponding targets are often calculated automatically for further use, e.g. by the Designer or Verifier. These tools rely on the results of the values configured in "Targets" - independently if they are filled in manually or by Automatic Target selection.
The automatic selection works perfectly for Access Requests with one Source and one Destination.

AR with one Source and one Destination - working path

For the first request below a target can be found because the path can be found in the SecureTrack Topology. This behavior is as expected.

AR with one Source and one Destination - not working path

The second request is not in SecureTrack Topology, therefore neither a path nor a target can be found. This behavior is also as expected.

AR with a "mixed condition" for Source and Destination

If now both cases are mixed within one Access Request, Tufin only finds the targets of the first example, not pointing out that for the second option, no Targets have been found. Only the found Targets are filled into the field - without any hint that not all connections have been found within SecureTrack Topology.