Generic Routes to improve SecureTrack Topology
Building the SecureTrack Topology (Interactive Map) so that it reflects the real network is sometimes a challenge.
Some improvements can be made manually, e.g. by defining a Generic Device. There are also situations in which SecureTrack does not recognize all routes configured on a monitored device. In this case, one or more routes need to be added to the SecureTrack Topology manually by defining Generic Routes.
Current versions allow adding them directly in the Interactive Map, but Generic Routes can also be configured using the CLI. Once added to SecureTrack, Generic Routes persist until they are removed manually. So let's have a look at
- Configuration of Generic Routes in the Interactive Map
- Configuration of Generic Routes using the CLI
- Listing and removing Generic Routes from Topology
Configuration of Generic Routes using the Interactive Map
In recent versions of SecureTrack, a Generic Route can be added directly in the Interactive Map.
To do so, log in to SecureTrack with administrative rights and go to
Menu > Network > Interactive Map (TOS Aurora: Menu > Map)
Then find the device that should get an additional generic route. In this example, the Check Point firewall gets an additional route. To show all routes SecureTrack has stored for this device, right-click it and select "show routes".
A new window opens, showing all routes configured for this device.
To add a route, click the "+" in the top right corner. A new window opens that allows defining a new (generic) route. The following information needs to be provided:
- Destination: IP address and prefix
- Interface: optional
- Virtual R&F (VRF): optional
- Next Hop Type: IP or VR
- Next Hop: e.g. the IP address of the next hop / router
Pressing "Add" takes the route into the list shown in the window.
At this stage, the route can still be deleted by clicking the dustbin icon on the right side. The configuration is finished by pressing "Save".
The newly configured route is shown and active in the Interactive Map after the Topology has been synchronized.
Be aware that a Generic Route cannot be deleted via the WebUI. Deleting a Generic Route requires access to the CLI, as shown in the last section below.
Configuration of Generic Routes using the CLI
(TOS Classic only)
Some administrators prefer using the CLI. If an older version of SecureTrack is used, configuring Generic Routes is possible using the CLI only.
In either case, the Management ID of the device (also called Device ID) needs to be known.
To configure the routes, a CSV file needs to be prepared. Each line holds one route with the following fields, in this order:
- Destination: IP address
- Mask: dotted-decimal subnet mask
- Interface: name of the interface to be used
- Next Hop: IP address of the next hop / router
- Next Hop Type: IP or VR
- VRF: optional
Here is an example of the content:
# cat /home/tufin-admin/route.csv
10.1.2.0,255.255.255.0,eth1,10.1.1.254,IP,
10.1.3.0,255.255.255.0,eth1,10.1.1.254,IP,
Note that the number of fields must always be the same. So even if no VRF is configured, the trailing "," still needs to be present in every line (each line carries five commas).
Also note that importing a file replaces all Generic Routes configured before. So every Generic Route that should exist on the device needs to be included in this file, not only the new ones.
The next step is to import the file. This is done with the following commands (use an absolute path for the CSV file, since the tool is run from /usr/local/st):
- cd /usr/local/st
- ./topology_generic_routes -m <DeviceID> -i <file.csv>, e.g.
./topology_generic_routes -m 286 -i /home/tufin-admin/route.csv
The next step is to synchronize the SecureTrack Topology. This can be done via the WebUI (see above) or via the CLI with the commands
- cd /usr/local/st
- ./topology_graph_builder
After this procedure, the content of the CSV file is shown in the Topology.
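The whole CLI procedure, as an added example script that is not Tufin's own tooling: it checks the CSV for the pitfalls mentioned above (wrong field count from a dropped trailing comma, a next hop type other than IP or VR, a next hop that is not an address) before calling topology_generic_routes and topology_graph_builder. The tool paths are the ones from this page; the function names, the checks and the sample data are assumptions of this example, and the import functions have to run on the SecureTrack server as a user allowed to execute those tools.

```shell
#!/bin/sh
# Added example, not part of SecureTrack: validate a Generic Routes CSV,
# then import it for one device and rebuild the topology.
# Tool paths are from the page; function names and checks are assumptions.

ST_DIR=/usr/local/st   # location of topology_generic_routes and topology_graph_builder

# validate_generic_routes_csv FILE
# Returns 0 when every non-blank line has exactly the six fields
#   destination,mask,interface,next_hop,next_hop_type,vrf
# (vrf may be empty, so every line carries five commas), destination and
# mask are dotted quads, the next hop is a dotted quad when the type is IP,
# and the type is IP or VR. An empty file is accepted on purpose: importing
# it removes all Generic Routes of the device.
validate_generic_routes_csv() {
    csv=$1
    [ -r "$csv" ] || { echo "cannot read $csv" >&2; return 2; }
    awk -F',' '
        function quad(s,    a, i) {
            if (split(s, a, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
            return 1
        }
        /^[[:space:]]*$/ { next }   # blank lines are ignored
        NF != 6 { bad++; print FILENAME ":" FNR ": expected 6 fields, got " NF " (trailing comma missing?)" > "/dev/stderr"; next }
        !quad($1) || !quad($2) { bad++; print FILENAME ":" FNR ": destination or mask is not a dotted quad" > "/dev/stderr"; next }
        $5 != "IP" && $5 != "VR" { bad++; print FILENAME ":" FNR ": next hop type must be IP or VR" > "/dev/stderr"; next }
        $5 == "IP" && !quad($4) { bad++; print FILENAME ":" FNR ": next hop is not an IP address" > "/dev/stderr"; next }
        { ok++ }
        END { printf "%d valid route(s), %d rejected\n", ok, bad; exit (bad ? 1 : 0) }
    ' "$csv"
}

# import_generic_routes DEVICE_ID CSV
# Validates first, then imports and rebuilds the topology graph. The CSV must
# be given with an absolute path because the tool is run from $ST_DIR.
# Reminder: the import replaces every Generic Route previously defined.
import_generic_routes() {
    device_id=$1; csv=$2
    case $csv in /*) ;; *) echo "use an absolute path for $csv" >&2; return 1 ;; esac
    validate_generic_routes_csv "$csv" || return 1
    [ -s "$csv" ] || echo "note: $csv is empty, all Generic Routes of device $device_id will be removed" >&2
    (cd "$ST_DIR" && ./topology_generic_routes -m "$device_id" -i "$csv") || return 1
    # Rebuild the topology so the routes show up in the Interactive Map.
    (cd "$ST_DIR" && ./topology_graph_builder)
}

# usage on the SecureTrack server (assumed device ID and path):
#   import_generic_routes 286 /home/tufin-admin/route.csv
```

The validator rejects a line such as `10.1.2.0,255.255.255.0,eth1,10.1.1.254,IP` (five fields, trailing comma dropped) before anything reaches the database, which is the mistake most easily made when the file is edited by hand.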
Listing and removing Generic Routes from Topology
(TOS Classic only)
If one or more Generic Routes are configured, they can be displayed in the WebUI, but there is no option there to remove or alter them. For that, the CLI is necessary. One option is to use the "regular commands", the other is to "hack the database". The second option is not recommended by Tufin.
The easiest way to check Generic Routes is to look at the routing table of the device in the Interactive Map. Note that the map does not distinguish between regular and generic routes. Checking the Generic Routes via CLI requires knowing the Management ID of the device (the example below uses 286 and the configuration above).
The following command queries the SecureTrack database:
# psql -Upostgres securetrack -c "select * from topology_generic_routes where mgmt_id='286'"
id | mgmt_id | destination | mask | interface_name | next_hop | next_hop_type | vrf
----+---------+-------------+---------------+----------------+------------+---------------+-----
26 | 286 | 10.1.2.0 | 255.255.255.0 | eth1 | 10.1.1.254 | IP |
27 | 286 | 10.1.3.0 | 255.255.255.0 | eth1 | 10.1.1.254 | IP |
(2 rows)
The output shows two Generic Routes that have been added to the device with Management ID 286.
If one or more Generic Routes need to be removed from the SecureTrack Topology, this should be done with a CSV file as shown above. Importing a CSV file with Generic Routes always replaces all of them, so importing an empty file removes all Generic Routes after the Topology sync. To remove only some of them, import a file that contains just the routes that should remain.
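Because an import replaces the whole set, the useful check after an import (or a removal) is whether the database holds exactly the routes of the CSV, no more and no less. As an added example that is not Tufin's own tooling, the following script dumps the routes of one device from the table shown above in the same six-column layout as the import file and compares the two sets; the table and column names are those from the query on this page, while the function names and the sample data are assumptions of this example. The dump and removal functions have to run on the SecureTrack server.

```shell
#!/bin/sh
# Added example, not part of SecureTrack: dump the Generic Routes of one device
# from the SecureTrack database and compare them with the imported CSV.
# Table and columns are from the page; function names are assumptions.

# dump_generic_routes DEVICE_ID
# Unaligned (-A), tuples-only (-t), comma-separated (-F,) output gives one
# CSV-like line per route; a NULL vrf becomes an empty sixth field, exactly
# like the trailing comma in the import file. The ID is checked to be numeric
# before it is placed into the query.
dump_generic_routes() {
    case $1 in ''|*[!0-9]*) echo "device id must be numeric" >&2; return 2 ;; esac
    psql -Upostgres securetrack -A -t -F, -c \
        "select destination, mask, interface_name, next_hop, next_hop_type, coalesce(vrf, '')
         from topology_generic_routes where mgmt_id = '$1' order by id"
}

# routes_match CSV DUMP
# Returns 0 when the set of routes in CSV equals the set in DUMP (a file
# holding dump_generic_routes output), 1 otherwise with the differences on
# stderr. Blank lines are ignored and order does not matter: only the set
# counts, since every import replaces the set as a whole.
routes_match() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    grep -v '^[[:space:]]*$' "$1" | sort -u > "$a"
    grep -v '^[[:space:]]*$' "$2" | sort -u > "$b"
    if cmp -s "$a" "$b"; then
        rc=0
    else
        echo "CSV and database differ (< only in CSV, > only in database):" >&2
        diff "$a" "$b" >&2 || true
        rc=1
    fi
    rm -f "$a" "$b"
    return $rc
}

# verify_device DEVICE_ID CSV: dump from the database and compare in one go.
verify_device() {
    d=$(mktemp) || return 2
    dump_generic_routes "$1" > "$d" || { rm -f "$d"; return 2; }
    routes_match "$2" "$d"; rc=$?
    rm -f "$d"
    return $rc
}

# remove_all_generic_routes DEVICE_ID: import an empty CSV, which replaces the
# whole set with nothing, then rebuild the topology (the page's removal method).
remove_all_generic_routes() {
    e=$(mktemp) || return 2
    (cd /usr/local/st && ./topology_generic_routes -m "$1" -i "$e" && ./topology_graph_builder)
    rc=$?; rm -f "$e"; return $rc
}

# usage on the SecureTrack server (assumed device ID and path):
#   verify_device 286 /home/tufin-admin/route.csv
#   remove_all_generic_routes 286 && verify_device 286 /dev/null
```

A route reported as "only in database" is a leftover from an earlier import that the current CSV no longer contains; a route "only in CSV" means the import did not happen or failed. After `remove_all_generic_routes`, comparing against `/dev/null` confirms that the table is empty for that device.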