Tufin.club

TufinOS 3.81 available

TufinOS
Last Updated: 15 December 2021

Tufin has published TufinOS 3.81. An upgrade to this version is recommended since it fixes a potential vulnerability (authentication required) in NSS during certificate verification.
When upgrading, please consider the supported upgrade path as well as the minimum requirements regarding the TOS version.
Vulnerabilities in Apache Log4J

Basics
Last Updated: 25 December 2021

After the first vulnerability in Apache Log4j was found and discussed on the Internet, more have been identified. Altogether, three vulnerabilities have been found so far. They are described in CVE-2021-44228 (resolved in Log4j 2.15), CVE-2021-45046 (resolved in Log4j 2.16), and CVE-2021-45105 (resolved in Log4j 2.17).

Tufin has checked whether Tufin Orchestration Suite is vulnerable or not.
The latest status can be found here: https://forum.tufin.com/support/kc/latest/Content/Suite/CVE-2021-44228.htm?cshid=CVE-2021-44228.
Some official patches are available, i.e. for RTOS 19.3 and above. If you are currently using R19-2 or earlier, please upgrade to a supported version of TOS.

It is recommended to check the latest status (Tufin Portal > Security Advisories) and to subscribe to Tufin's mailing list.
Please also check the Tufin Portal for additional information.
TufinOS 3.71 available

TufinOS
Last Updated: 09 November 2021

In November 2021, Tufin released TufinOS 3.71. This version is now available for download in the Tufin Portal (authentication required).
Upgrading to this version requires TufinOS to be installed on the machine already. A clean installation is currently possible for TufinOS 3.5x and 3.60 only. From there, a direct upgrade to TufinOS 3.71 is possible.

The most important features and updates are:

  • Apache HTTPD has been updated to version 2.4.6
  • PHP has been upgraded from PHP 5.4 to PHP 7.4

Even though this release fixes no new CVEs, unlike TufinOS 3.70, the update is recommended.
After installing the upgrade, httpd must be restarted. This can be done with the command

   systemctl restart httpd


Hints:

  • Upgrading to TufinOS 3.71 requires at least one of these versions of the Tufin Orchestration Suite (so it might be necessary to upgrade TOS also):
    • R21-1 HF3.2 and above
    • R21-2 HF1.5 and above
    • R21-3 RC1 and above

  • Please keep in mind that with an upgrade of TufinOS, the configuration of Apache, as well as SSH, might be reset to default values. So please check your individual configuration before and after the upgrade.
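
One way to do the before/after check for SSH, as an added example that is not from Tufin or the original post: it compares the active directives of two copies of sshd_config and ignores comments, so a directive that silently fell back to its default shows up. The file contents are constructed samples, and only the global section before the first Match block is compared.

```python
import re

# Constructed samples: a hardened sshd_config saved before the upgrade and a
# default-looking file found after it (not taken from a real TufinOS system).
BEFORE = """\
# hardened by admin
Port 22
PermitRootLogin no
PasswordAuthentication no
"""
AFTER = """\
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
"""

# sshd_config lines are "keyword value" or "keyword=value"; comments start with '#'.
_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)")


def parse_sshd_config(text):
    """Map each lower-cased keyword to its values, up to the first Match block."""
    directives = {}
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.strip())
        if m is None:            # blank line, comment or malformed line
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":   # conditional blocks are out of scope here
            break
        directives.setdefault(keyword, []).append(value)
    return directives


def config_drift(before_text, after_text):
    """Return (keyword, old_values, new_values) for every directive that differs."""
    before, after = parse_sshd_config(before_text), parse_sshd_config(after_text)
    return [(k, before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)]


if __name__ == "__main__":
    for keyword, old, new in config_drift(BEFORE, AFTER):
        print(f"{keyword}: {old} -> {new if new is not None else 'not set, default applies'}")
```
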


Please be aware that only TufinOS 3.50 to 3.71 are now supported by Tufin, i.e. older versions will not get security-related updates either.
If you still use TufinOS 2.x, the only supported version is TufinOS 2.23. In this case, an upgrade is strongly recommended since TufinOS 2.x is based on CentOS 6.x (which is no longer supported).


Additional information about Security Fixes included in TufinOS is available. When hardening TufinOS, please follow the hints given by Tufin.
Requirements of TOS Aurora

TOS Aurora
Last Updated: 29 September 2021

As you know, TOS Aurora is public and will become the only supported version. TOS Classic will retire at the end of 2022.

Before upgrading from TOS Classic to TOS Aurora, the requirements need to be considered. If you are using a Tufin Appliance, please consult Tufin about its compatibility.

If you want to install TOS Aurora on other hardware, please refer to Tufin and consider the requirements.
Not only the size of the hard disk is important, but also its speed. Do not try to install TOS Aurora on classic hard disks...

  • (fast) SSD array
  • 7.500 IOPS or more
  • 250 MB/s throughput or more

So besides the requirements for processors/cores, RAM, and disk size, the speed of the hard disk is very important.
Sending syslog via TCP

SecureTrack
Last Updated: 04 October 2021

Some messages can be delivered by SecureTrack using syslog. Looking at the WebUI, only a syslog server can be selected. At first glance, it looks as if SecureTrack supports syslog via UDP and the default port only. In the example below, the syslog server has the IP address 10.0.0.100.


Other references, e.g. in "Policy Change Notifications", "SecureTrack Administrative Alerts", and "SecureTrack Audit Trail" only have buttons to "send by syslog".

Many companies don't allow syslog via 514/UDP in their networks; at least TCP has to be used. To configure this, open the URL
     https://<IP_SecureTrack>/stcgitest.htm
In the menu select "Edit StConf".

If you follow the link, a short menu opens. Press the button "Fetch Current Conf".

After having done so, the SecureTrack configuration is shown in XML. Now it's necessary to find the section <syslog>:

<syslog>
    <syslog_server>127.0.0.1</syslog_server>
    <port>514</port>
    <protocol>udp</protocol>
    <policy_syslog>0</policy_syslog>
    <admin_alerts_syslog>0</admin_alerts_syslog>
    <audit_trail_syslog>1</audit_trail_syslog>
    <original_syslog_format>1</original_syslog_format>
</syslog>

Here it's possible to change the IP address of the server, the protocol, and the port. To change them, just fill in the required entries. In this example, syslog shall be sent to 10.0.0.100 using 9000/TCP.
Please be aware that currently this configuration is not active for policy notifications!

<syslog>
    <syslog_server>10.0.0.100</syslog_server>
    <port>9000</port>
    <protocol>tcp</protocol>
    <policy_syslog>0</policy_syslog>
    <admin_alerts_syslog>0</admin_alerts_syslog>
    <audit_trail_syslog>1</audit_trail_syslog>
    <original_syslog_format>1</original_syslog_format>
</syslog>

Besides this, you can also turn on the options shown in the top screenshot by changing the "0" to "1". It's not necessary to make this change here, because it can also be configured via the WebUI.

To save changes, press the button "Submit New Conf". This button shows up at the bottom of the right page.
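
The edit described above can be prepared and checked before pressing "Submit New Conf"; the following is an added example, not part of the original post or of Tufin's tooling. It assumes the <syslog> section sits inside one XML document (the <conf> root is hypothetical) and that udp and tcp are the only protocol values, since those are the two the post shows.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <syslog> section from the post inside a hypothetical
# <conf> root (the rest of the StConf layout is not shown in the post).
SAMPLE_CONF = """<conf>
  <syslog>
    <syslog_server>127.0.0.1</syslog_server>
    <port>514</port>
    <protocol>udp</protocol>
    <policy_syslog>0</policy_syslog>
    <admin_alerts_syslog>0</admin_alerts_syslog>
    <audit_trail_syslog>1</audit_trail_syslog>
    <original_syslog_format>1</original_syslog_format>
  </syslog>
</conf>"""

def _syslog_section(root):
    sections = list(root.iter("syslog"))
    if len(sections) != 1:
        raise ValueError(f"expected one <syslog> section, found {len(sections)}")
    return sections[0]

def set_syslog_target(conf_xml, server, port, protocol):
    """Return the configuration with only server, port and protocol changed."""
    protocol = protocol.lower()
    if protocol not in ("udp", "tcp") or not 1 <= int(port) <= 65535:
        raise ValueError("protocol must be udp or tcp, port must be 1-65535")
    root = ET.fromstring(conf_xml)
    section = _syslog_section(root)
    for tag, value in (("syslog_server", server), ("port", str(port)), ("protocol", protocol)):
        node = section.find(tag)
        if node is None:
            raise ValueError(f"<{tag}> missing from <syslog>")
        node.text = value
    return ET.tostring(root, encoding="unicode")

def review_syslog(conf_xml):
    """List findings to resolve before the configuration is submitted."""
    section = _syslog_section(ET.fromstring(conf_xml))
    get = lambda tag: (section.findtext(tag) or "").strip()
    findings = []
    if get("protocol").lower() != "tcp":
        findings.append("protocol is not tcp")
    if get("syslog_server") in ("127.0.0.1", "::1", "localhost"):
        findings.append("syslog_server is a loopback address")
    # Per the post, the TCP setting is not active for policy notifications.
    if get("policy_syslog") == "1" and get("protocol").lower() == "tcp":
        findings.append("policy notifications do not use this setting")
    return findings
```
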

Tufin Orchestration Suite 21-2

Version update
Last Updated: 29 June 2021

Tufin has released TOS R21-2, the second version of the Tufin Orchestration Suite of 2021.
TOS 21-2 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements, e.g.

Change Automation and Orchestration

  • Access Decommission is supported now for Cisco ASA, Fortinet Manager Advanced Mode, Forcepoint, VMware NSX, and Amazon AWS. For these supported devices the Designer determines which changes are necessary. Besides this, a detailed list of rules (and their information) impacted by this ticket can be extracted.
  • Rule comments can now be edited with the Designer via the WebUI or API. This is supported for Check Point R80, Cisco ASA, Juniper SRX, Palo Alto Panorama, and VMware NSX.
  • Change Automation for NSX-T allows detailed configuration of Security Groups using the WebUI or API.
  • Auditing SecureChange is possible now using the API. So changes to workflows are documented. It includes information about the user and the time changes were done.

Devices and Platforms

  • Check Point
    When analyzing traffic with the APG, now Check Point Inline Layers are supported.
  • Cisco
    Cisco Firewall Threat Defense (FTD) in Active Mode is supported when managed using the FMC.
  • F5
    The Interactive Map now supports paths that go through F5 devices which have SNAT Automap configured.
  • Fortinet
    FortiManager 6.4 is supported now. Regarding IPv6 a specific behavior needs to be considered.
  • Palo Alto
    IPsec VPN tunnels configured in Palo Alto gateways are now considered in SecureTrack Topology.
  • VMware NSX-T
    Information about the rule direction has been added to the rules in SecureTrack and SecureChange to increase visibility.
  • VMware NSX-T
    NSX-T Security Groups have been improved, now showing dynamic group content based on matching criteria. For these, a search in SecureTrack Policy Browsers can be done. The information is also considered in Topology and Violation calculation.

Deployment

  • Administering licenses in SecureTrack has been improved. This includes details about the specific SKU attached to the device, its expiration date as well as a counter for expired licenses.

REST API

  • SecureChange Auditing
    The history of workflows now can be retrieved, so auditing the life cycle of a workflow is possible now.
  • Designer Suggestions
    Using the API, now security groups for VMware NSX can be specified.

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com