www.tufin.club
TufinOS 3.71 available
Category: TufinOS
In November 2021, Tufin released TufinOS 3.71. This version is now available for download in the Tufin Portal (authentication required).
Upgrading to this version requires an already installed TufinOS on the machine. A clean installation is currently possible for TufinOS 3.5x and 3.60 only; from there, a direct upgrade to TufinOS 3.71 is possible.
The most important features and updates are:
- Apache HTTPD has been updated to version 2.4.6
- PHP has been upgraded from PHP 5.4 to PHP 7.4
Even though this release does not fix new CVEs, as TufinOS 3.70 did, the update is recommended.
After the upgrade has been installed, httpd needs to be restarted. This can be done with the command
systemctl restart httpd
Hints:
- Upgrading to TufinOS 3.71 requires at least one of these versions of the Tufin Orchestration Suite (so it might be necessary to upgrade TOS also):
- R21-1 HF3.2 and above
- R21-2 HF1.5 and above
- R21-3 RC1 and above
- Please keep in mind that an upgrade of TufinOS may reset the configuration of Apache as well as of SSH to default values. So please check your individual configuration before and after the upgrade.
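One way to make the "check before and after" step mechanical is to fingerprint the configuration trees before the upgrade and compare afterwards. The following script is an added example and not part of the article or of TufinOS; the default directories /etc/httpd and /etc/ssh are assumed to hold the Apache and SSH configuration the article says may be reset, and the demo() function works on a constructed throw-away directory.

```python
"""Fingerprint configuration trees before a TufinOS upgrade, compare afterwards.

Added example (not TufinOS tooling). Usage on the appliance:
    python3 confdiff.py snapshot before.json      # before the upgrade
    python3 confdiff.py snapshot after.json       # after the upgrade
    python3 confdiff.py compare before.json after.json
"""
import hashlib
import json
import os
import sys
import tempfile

# Assumption: these trees hold the Apache and SSH configuration.
DEFAULT_TREES = ("/etc/httpd", "/etc/ssh")


def snapshot(trees=DEFAULT_TREES):
    """Return {file path: sha256 hex digest} for every regular file below
    the given directories. Directories that do not exist are skipped."""
    digests = {}
    for tree in trees:
        for root, _dirs, files in os.walk(tree):
            for name in files:
                path = os.path.join(root, name)
                if not os.path.isfile(path):      # skip sockets, dangling links
                    continue
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(before, after):
    """Classify differences between two snapshots."""
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in before.keys() & after.keys()
                          if before[p] != after[p]),
    }


def demo():
    """Simulate an upgrade that rewrites a hardened sshd_config and drops a
    new file into a constructed temporary tree; returns the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "ssh")
        os.makedirs(conf)
        sshd = os.path.join(conf, "sshd_config")
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin no\nCiphers aes256-gcm@openssh.com\n")
        before = snapshot([conf])
        # the "upgrade": hardened file replaced by default-looking content
        with open(sshd, "w") as fh:
            fh.write("#PermitRootLogin yes\n")
        with open(os.path.join(conf, "moduli"), "w") as fh:
            fh.write("# constructed sample file added by the upgrade\n")
        after = snapshot([conf])
        result = compare(before, after)
        # strip the temporary prefix so the result has stable names
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "snapshot":
        with open(sys.argv[2], "w") as fh:
            json.dump(snapshot(), fh, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[2]) as fb, open(sys.argv[3]) as fa:
            print(json.dumps(compare(json.load(fb), json.load(fa)), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Any file listed under "changed" or "removed" after the upgrade is one whose hardening has to be re-applied; "added" files are defaults the upgrade brought in and are worth a look too.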
Please be aware that only TufinOS 3.50 to 3.71 are now supported by Tufin, i.e. older versions no longer receive security-related updates either.
If you still use TufinOS 2.x, the only supported version is TufinOS 2.23. In this case, an upgrade is strongly recommended, since TufinOS 2.x is based on CentOS 6.x, which is no longer supported.
Additional information about the security fixes included in TufinOS is available. When hardening TufinOS, please follow the hints given by Tufin.
Requirements of TOS Aurora
Category: TOS Aurora
As you know, TOS Aurora is generally available and will become the only supported version. TOS Classic will be retired at the end of 2022.
Before upgrading from TOS Classic to TOS Aurora, the requirements need to be considered. If you are using a Tufin Appliance, please consult Tufin about its compatibility.
If you want to install TOS Aurora on other hardware, please refer to Tufin and consider the requirements.
Not only the size of the hard disk is important, but also its speed. Do not try to install TOS Aurora on classic (spinning) hard disks; required is:
- (fast) SSD array
- 7,500 IOPS or more
- 250 MB/s throughput or more
So besides the requirements for processors/cores, RAM, and disk size, the speed of the disk is very important.
Sending syslog via TCP
Category: SecureTrack
Some messages can be delivered by SecureTrack via syslog. In the WebUI, only a syslog server can be selected. At first glance, it looks as if SecureTrack supports syslog via UDP and the default port only. In the example below, the syslog server has the IP address 10.0.0.100.
Other references, e.g. in "Policy Change Notifications", "SecureTrack Administrative Alerts", and "SecureTrack Audit Trail", only have buttons to "send by syslog".
Many companies do not allow syslog over 514/UDP in their networks; at least TCP has to be used. To configure this, open the URL
https://<IP_SecureTrack>/stcgitest.htm
In the menu, select "Edit StConf".
If you follow the link, a short menu opens. Press the button "Fetch Current Conf".
After that, the SecureTrack configuration is shown as XML. Now find the section <syslog>:
<syslog>
<syslog_server>127.0.0.1</syslog_server>
<port>514</port>
<protocol>udp</protocol>
<policy_syslog>0</policy_syslog>
<admin_alerts_syslog>0</admin_alerts_syslog>
<audit_trail_syslog>1</audit_trail_syslog>
<original_syslog_format>1</original_syslog_format>
</syslog>
Here it is possible to change the IP address of the server, the protocol, and the port. To do so, just fill in the required entries, e.g. if syslog shall be sent to 10.0.0.100 using 9000/TCP:
Please be aware that currently this configuration is not active for policy notifications!
<syslog>
<syslog_server>10.0.0.100</syslog_server>
<port>9000</port>
<protocol>tcp</protocol>
<policy_syslog>0</policy_syslog>
<admin_alerts_syslog>0</admin_alerts_syslog>
<audit_trail_syslog>1</audit_trail_syslog>
<original_syslog_format>1</original_syslog_format>
</syslog>
Besides this, you can also turn on the individual message types (policy notifications, administrative alerts, audit trail) by changing the "0" to "1". It is not necessary to do that here, because this can also be configured via the WebUI.
To save the changes, press the button "Submit New Conf". This button shows up at the bottom of the right-hand pane.
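Editing the XML by hand in the "Edit StConf" form works, but a typo in the server address or protocol only shows up as missing log messages. The following script is an added example, not part of the article or of SecureTrack: it takes the XML shown by "Fetch Current Conf", validates the new target, and prints the modified document to paste into "Submit New Conf". The sample document, reduced to the <syslog> section with the default values from the article, is constructed; the function names are this example's own.

```python
"""Rewrite the <syslog> target in a SecureTrack StConf XML dump.

Added example, not SecureTrack tooling. Paste the output of
"Fetch Current Conf" into a file and run:
    python3 stconf_syslog.py stconf.xml 10.0.0.100 9000 tcp > new_stconf.xml
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample: only the <syslog> section, with the article's defaults.
SAMPLE_CONF = """<stconf>
<syslog>
<syslog_server>127.0.0.1</syslog_server>
<port>514</port>
<protocol>udp</protocol>
<policy_syslog>0</policy_syslog>
<admin_alerts_syslog>0</admin_alerts_syslog>
<audit_trail_syslog>1</audit_trail_syslog>
<original_syslog_format>1</original_syslog_format>
</syslog>
</stconf>"""

ALLOWED_PROTOCOLS = ("udp", "tcp")


def _syslog_section(root):
    """Return the <syslog> element whether the whole StConf or only that
    section was pasted."""
    section = root if root.tag == "syslog" else root.find("syslog")
    if section is None:
        raise ValueError("no <syslog> section found in configuration")
    return section


def _set(section, tag, value):
    child = section.find(tag)
    if child is None:
        raise ValueError(f"<{tag}> missing in <syslog> section")
    child.text = value


def set_syslog_target(conf_xml, server, port, protocol):
    """Return conf_xml with server, port and protocol replaced.
    Raises ValueError on invalid input so a typo never reaches the server."""
    ipaddress.ip_address(server)               # ValueError if not an IP
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    protocol = protocol.lower()
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"protocol must be one of {ALLOWED_PROTOCOLS}: {protocol}")
    root = ET.fromstring(conf_xml)
    section = _syslog_section(root)
    _set(section, "syslog_server", server)
    _set(section, "port", str(int(port)))
    _set(section, "protocol", protocol)
    return ET.tostring(root, encoding="unicode")


def read_syslog_target(conf_xml):
    """Extract the current target, e.g. to compare before and after."""
    section = _syslog_section(ET.fromstring(conf_xml))
    return {
        "server": section.findtext("syslog_server"),
        "port": int(section.findtext("port")),
        "protocol": section.findtext("protocol"),
    }


if __name__ == "__main__":
    if len(sys.argv) == 5:
        with open(sys.argv[1]) as fh:
            conf = fh.read()
        print(set_syslog_target(conf, sys.argv[2], int(sys.argv[3]), sys.argv[4]))
    else:  # no arguments: show the article's example on the sample document
        print(set_syslog_target(SAMPLE_CONF, "10.0.0.100", 9000, "tcp"))
```

The other flags in the section (policy_syslog, admin_alerts_syslog, audit_trail_syslog, original_syslog_format) are left untouched, matching the article's advice to configure them via the WebUI.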
Tufin Orchestration Suite 21-2
Category: Version update
Tufin has released TOS R21-2, the second version of the Tufin Orchestration Suite in 2021.
TOS R21-2 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements such as:
Change Automation and Orchestration
- Access Decommission is now supported for Cisco ASA, Fortinet Manager Advanced Mode, Forcepoint, VMware NSX, and Amazon AWS. For these devices the Designer determines which changes are necessary. Besides this, a detailed list of the rules (and their information) impacted by the ticket can be extracted.
- Rule comments can now be edited with the Designer via the WebUI or the API. This is supported for Check Point R80, Cisco ASA, Juniper SRX, Palo Alto Panorama, and VMware NSX.
- Change Automation for NSX-T allows detailed configuration of Security Groups via the WebUI or the API.
- SecureChange can now be audited via the API, so changes to workflows are documented, including the user and the time the changes were made.
Devices and Platforms
- Check Point: When analyzing traffic with the APG, Check Point Inline Layers are now supported.
- Cisco: Cisco Firewall Threat Defense (FTD) in Active Mode is supported when managed via the FMC.
- F5: The Interactive Map now supports paths through F5 devices that have SNAT Automap configured.
- Fortinet: FortiManager 6.4 is now supported. Regarding IPv6, a specific behavior needs to be considered.
- Palo Alto: IPsec VPN tunnels configured on Palo Alto gateways are now considered in SecureTrack Topology.
- VMware NSX-T: Information about the rule direction has been added to the rules in SecureTrack and SecureChange to increase visibility.
- VMware NSX-T: NSX-T Security Groups have been improved and now show dynamic group content based on matching criteria. These can be searched in the SecureTrack Policy Browser, and the information is also considered in Topology and Violation calculation.
Deployment
- License administration in SecureTrack has been improved. This includes details about the specific SKU attached to a device, its expiration date, as well as a counter for expired licenses.
REST API
- SecureChange Auditing: The history of workflows can now be retrieved, so the life cycle of a workflow can be audited.
- Designer Suggestions: Using the API, security groups for VMware NSX can now be specified.
Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
Firewall OS Monitoring for Check Point R81
Category: SecureTrack
This article is about a legacy license feature. This feature can no longer be licensed. If you purchased and installed it on your SecureTrack server earlier, it can still be used for Check Point up to version R80.x without problems.
-------
With a Check Point firewall, it is possible to monitor the Check Point management; all information about a connected firewall is gathered from there. Sometimes it is desired that this information is collected directly from the firewall using SNMP. This has worked well for many versions of Check Point and SecureTrack when following the configuration guide published by Tufin, as long as the license has been purchased (TF-SECTRK-CP-GAIA-OS-MONITOR).
Hint:
If you import a Check Point firewall this way, all topology data are derived from the firewall itself and no longer from the Check Point management. So if there is a problem with SNMP (e.g. connectivity, authentication), no topology data are available for this firewall.
Problem with Check Point R81:
Independent of the configuration (which has worked for R80.x and earlier), a firewall running R81.x shows "wrong password" in Menu > Settings > Administration > Status.
Therefore no data are imported into SecureTrack, and no topology information is available for this firewall either.
According to a discussion in the Check Point CheckMates community and with Tufin Technical Support, authentication of SNMPv3 users with SHA1 is no longer supported.
Only SHA256 and SHA512 are supported by Check Point R81.x. To solve this issue, some additional steps are required.
So the complete integration of a Check Point firewall R81.x into SecureTrack includes these steps:
(examples used here: SNMPv3 user: securetrack, Interface: 127.0.0.1, Password: password123)
- Open the WebUI of GAiA.
- Activate the SNMP agent running SNMPv3 and select the corresponding interface.
- Define a user (e.g. username "securetrack", passphrase "password123"). This user then shows up in GAiA. Due to the selected Authentication Protocol, this user cannot authenticate when configured in SecureTrack.
- Close the WebUI and open a console window on the GAiA system. In Expert Mode, check that this user can authenticate, e.g. with this command:
r81_expert> snmpwalk -v 3 -l authPriv -u securetrack -a SHA-256 -A password123 -x AES -X password123 127.0.0.1
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (27949040) 3 days, 5:38:10.40
...
r81_expert>
- Now it is necessary to change the authentication protocol. The corresponding values can be gathered e.g. from a system running GAiA R80 (file /config/active). By default in R81, the user is listed in this file with this entry for SHA256:
r81_expert> cat /config/active | grep auth:proto
snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.5
To change the authentication protocol of the user defined above to SHA1, use the console in Expert Mode:
r81_expert> dbset snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.3
- The authentication type has now been changed to SHA1. This can be checked on the console (clish):
r81> show snmp usm user securetrack
Username securetrack
Permissions read-only
Security Level authPriv
Authentication Type SHA1
Privacy Type AES
- Since the authentication protocol has been changed, the password needs to be set again. Don't forget this step; it has to be done via the CLI (clish). If needed, copy and paste the command into the CLI from an editor on your PC:
r81> set snmp usm user securetrack security-level authPriv auth-pass-phrase password123 privacy-pass-phrase password123
r81>
Then check the authentication again, e.g. with this command in Expert Mode:
r81_expert> snmpwalk -v 3 -l authPriv -u securetrack -a SHA1 -A password123 -x AES -X password123 127.0.0.1
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (28182734) 3 days, 6:17:07.34
...
r81_expert>
- Now everything is prepared to import the firewall module into SecureTrack via Menu > Settings > Monitoring > Manage Devices.
- Select the firewall you want to import (in this example, the management has only one firewall connected). Be sure to fill in the correct username and password as configured before. Press Next.
- Now select the network interface SecureTrack shall connect to and import the interface. The configuration is then saved automatically.
- In Menu > Administration > Status, the firewall shows up below the management server. Check its status: it should be "green" and "started".
- If this is the case, the first revision should have shown up. This can be checked via Menu > Compare.
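With several SNMPv3 users on a gateway it is easy to lose track of which one still uses an authentication protocol SecureTrack accepts. The following script is an added example, not Tufin's or Check Point's code: it reads lines in the "key value" form that `cat /config/active | grep auth:proto` prints, maps the usmHMAC* OIDs to protocol names, and lists the two commands from the article for every user that is not on SHA1. The sample lines are constructed; `<passphrase>` in the output is a placeholder. Note that switching from SHA256 to SHA1 is a downgrade of the authentication hash, done here only because the OS-monitoring feature needs it.

```python
"""Audit SNMPv3 authentication protocols from a GAiA /config/active dump.

Added example (not Tufin's or Check Point's tooling). Usage on the gateway:
    python3 snmp_auth_audit.py < <(cat /config/active | grep auth:proto)
"""
import re
import sys

# Authentication-protocol OIDs from SNMP-USER-BASED-SM-MIB (RFC 3414) and the
# SHA-2 extension (RFC 7860); .3 (SHA1) and .5 (SHA256) appear in the article.
AUTH_PROTOCOLS = {
    ".1.3.6.1.6.3.10.1.1.1": "none",
    ".1.3.6.1.6.3.10.1.1.2": "MD5",
    ".1.3.6.1.6.3.10.1.1.3": "SHA1",
    ".1.3.6.1.6.3.10.1.1.4": "SHA224",
    ".1.3.6.1.6.3.10.1.1.5": "SHA256",
    ".1.3.6.1.6.3.10.1.1.6": "SHA384",
    ".1.3.6.1.6.3.10.1.1.7": "SHA512",
}
SHA1_OID = ".1.3.6.1.6.3.10.1.1.3"
SECURETRACK_ACCEPTS = {"SHA1"}   # what the OS-monitoring feature works with

LINE_RE = re.compile(r"^snmp:v3:user:(?P<user>[^:\s]+):auth:proto\s+(?P<oid>\S+)$")

# Constructed sample in the format the article shows for /config/active.
SAMPLE_CONFIG_ACTIVE = """\
snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.5
snmp:v3:user:noc-ro:auth:proto .1.3.6.1.6.3.10.1.1.3
snmp:v3:user:backup:auth:proto .1.3.6.1.6.3.10.1.1.7
snmp:agent:version v3
"""


def parse_auth_protocols(text):
    """Return {username: protocol name} for every auth:proto line."""
    users = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            users[m["user"]] = AUTH_PROTOCOLS.get(m["oid"], f"unknown({m['oid']})")
    return users


def remediation(user):
    """The two commands from the article: switch the user to SHA1 in Expert
    Mode, then re-set both passphrases in clish (mandatory after the change)."""
    return [
        f"dbset snmp:v3:user:{user}:auth:proto {SHA1_OID}",
        f"set snmp usm user {user} security-level authPriv "
        f"auth-pass-phrase <passphrase> privacy-pass-phrase <passphrase>",
    ]


def audit(text):
    """Return {user: {"protocol": ..., "securetrack_ok": bool, "fix": [...]}}."""
    report = {}
    for user, proto in parse_auth_protocols(text).items():
        ok = proto in SECURETRACK_ACCEPTS
        report[user] = {"protocol": proto, "securetrack_ok": ok,
                        "fix": [] if ok else remediation(user)}
    return report


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG_ACTIVE
    for user, info in audit(data).items():
        state = "ok for SecureTrack" if info["securetrack_ok"] else "needs change"
        print(f"{user}: {info['protocol']} ({state})")
        for cmd in info["fix"]:
            print(f"    {cmd}")
```

Only the user SecureTrack polls with needs the change; other SNMPv3 users on the gateway can stay on SHA256 or SHA512.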
Generic Interfaces for SecureTrack Topology
Category: SecureTrack
In some situations, it might be necessary to add Interfaces to devices. Reasons might be an Interface that is not recognized by Tufin, or support for VRRP or GLBP. Adding a generic Interface to a device monitored by SecureTrack takes these steps:
- Find the Device ID of the device that gets one or more generic Interfaces
- Configure a CSV file providing information about generic Interfaces
- Import the CSV file to Tufin SecureTrack
- Synchronize the Topology and check the result
1. Find the Device ID in Tufin SecureTrack
There are several methods to find the Device ID in SecureTrack.
In Menu > Compare, all monitored devices are listed on the left side. If you click into the left window and press "t", the Device ID is shown to the right of the device.
It is also possible to gather this information on the CLI using the command "st stat".
You need to pay attention if you are using a firewall management such as Check Point SmartCenter. In this case, you need the Device ID of the firewall and NOT the Device ID of the management (!)
To find the Device ID of the firewall, go to Menu > Settings > Administration > Licenses. Scroll down until the window "Devices" is shown. Clicking into it and pressing "t" shows the Device ID not only of the management but also of the firewalls connected to it.
In this example, the Device ID of the firewall "r81" is 344. If Device ID 343 (the management) were used instead, the management would be altered, resulting in an error in the Topology.
2. Configure a CSV file providing information about generic Interfaces
The file providing the information needs to be a plain ASCII file with a ".csv" extension. If another file type is chosen, the import will not be successful.
Each line needs to have six comma-separated entries. Even if an entry is empty, its comma still needs to be written:
- Name of the generic Interface
- IP address of the generic Interface
- Mask corresponding with the IP address, dotted-decimal
- VRF where the generic Interface resides
- MPLS: boolean, whether MPLS is configured on the generic Interface
- Unnumbered: blank means the Interface is numbered; an unnumbered Interface requires "true"
Each generic Interface requires its own line. Example of a very simple generic Interface:
MyNewInterface, 10.2.2.1, 255.255.255.0,,,
Hint:
The information provided in this file always replaces all generic Interfaces configured on the device. So if you want to add a generic Interface, you need to provide information about the new one, but also about the already configured generic Interfaces.
3. Import the CSV file to Tufin SecureTrack
The file can now be imported. This is done with the command
/usr/local/st/topology_generic_interfaces -m <Device ID> -i <file name>
[root]# /usr/local/st/topology_generic_interfaces -m 344 -i MyGenericInterface.csv
Successfully deleted all generic interfaces for device 344
1 generic interfaces has been loaded to device 344 from input file MyGenericInterface.csv.
[root]#
If necessary, generic Interfaces can also be deleted. To delete all generic Interfaces from Device ID 344, use this command:
[root]# /usr/local/st/topology_generic_interfaces -m 344 -d
Successfully deleted all generic interfaces for device 344
[root]#
4. Synchronize the Topology and check the result
If you have time, you can wait until the next morning, since a Topology Synchronization is done automatically at 3:00. If not, the synchronization needs to be started manually. This is done in the WebUI via Menu > Network > Interactive Map and the "sync" button.
After a refresh, the new generic Interface is established and used by SecureTrack for Topology calculation and representation.
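Because the import replaces all generic Interfaces of the device and silently expects exactly six fields per line, it pays to generate and validate the CSV rather than edit it by hand. The following script is an added example and not Tufin's own tooling: it models the six-column format from step 2, checks each field, merges the already configured Interfaces with the new ones (the point of the hint above), and prints the import command from step 3. Assumptions beyond the article: MPLS is written as "true" or left blank (the article only says the field is boolean), and a numbered Interface needs both IP and mask. Device ID 344, the file name and all Interface values are constructed sample data.

```python
"""Build and validate the CSV for /usr/local/st/topology_generic_interfaces.

Added example, not Tufin tooling. Run without arguments to write
MyGenericInterface.csv from the constructed sample and print the import command.
"""
import ipaddress
from dataclasses import dataclass

FIELD_COUNT = 6          # name, IP, mask, VRF, MPLS, unnumbered


def _flag(value):
    """Boolean column encoding (assumption: "true" or blank)."""
    return "true" if value else ""


def _is_dotted_netmask(mask):
    """True for a contiguous netmask such as 255.255.255.0; rejects
    255.255.0.255 and hostmasks such as 0.0.0.255."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return False
    inverted = bits ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


@dataclass
class GenericInterface:
    name: str
    ip: str = ""
    mask: str = ""
    vrf: str = ""
    mpls: bool = False
    unnumbered: bool = False

    def validate(self):
        """Return a list of problems; an empty list means the line is importable."""
        errors = []
        if not self.name.strip():
            errors.append("name is empty")
        if not self.unnumbered and not (self.ip and self.mask):
            errors.append(f"{self.name}: numbered Interface needs IP and mask")
        if self.ip:
            try:
                ipaddress.IPv4Address(self.ip)
            except ValueError:
                errors.append(f"{self.name}: invalid IP {self.ip!r}")
        if self.mask and not _is_dotted_netmask(self.mask):
            errors.append(f"{self.name}: invalid dotted-decimal mask {self.mask!r}")
        return errors

    def to_csv_line(self):
        return ",".join([self.name, self.ip, self.mask, self.vrf,
                         _flag(self.mpls), _flag(self.unnumbered)])


def parse_csv_line(line):
    """Parse one line, e.g. the article's 'MyNewInterface, 10.2.2.1, 255.255.255.0,,,'."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}: {line!r}")
    name, ip, mask, vrf, mpls, unnumbered = fields
    return GenericInterface(name, ip, mask, vrf,
                            mpls.lower() == "true", unnumbered.lower() == "true")


def build_csv(existing, new):
    """Merge the already configured and the new Interfaces into the complete
    file content. Raises ValueError on duplicate names or invalid fields."""
    merged = list(existing) + list(new)
    names = [i.name for i in merged]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        raise ValueError(f"duplicate Interface names: {dupes}")
    problems = [p for i in merged for p in i.validate()]
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(i.to_csv_line() for i in merged) + "\n"


def import_command(device_id, filename):
    """Step 3 of the article; device_id must be the firewall's ID, not the management's."""
    return f"/usr/local/st/topology_generic_interfaces -m {device_id} -i {filename}"


if __name__ == "__main__":
    current = [parse_csv_line("MyNewInterface, 10.2.2.1, 255.255.255.0,,,")]
    added = [GenericInterface("Vrrp1", "10.3.3.1", "255.255.255.0", vrf="CORE")]
    with open("MyGenericInterface.csv", "w") as fh:
        fh.write(build_csv(current, added))
    print(import_command(344, "MyGenericInterface.csv"))
```

Keep the generated file under version control next to the device's other configuration; since every import replaces the whole set, the file is the only record of which generic Interfaces the device is supposed to have.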