Tufin.club

Generic Routes to improve SecureTrack Topology

Details
SecureTrack
Last Updated: 03 March 2022

Building the SecureTrack Topology (Interactive Map) so that it reflects the real network is sometimes a challenge.

Some improvements can be made manually, e.g. by defining a Generic Device. There may be situations in which SecureTrack doesn't recognize all routes configured on a monitored device. In this case, one or more routes need to be added manually to the SecureTrack Topology by defining Generic Routes.

Current versions allow adding them directly in the Interactive Map, but Generic Routes can also be configured using the CLI. Once integrated into SecureTrack, Generic Routes persist until they are removed manually. So let's have a look at

  • Configuration of Generic Routes in the Interactive Map
  • Configuration of Generic Routes using the CLI
  • Listing and removing Generic Routes from Topology

 

Configuration of Generic Routes using the Interactive Map

Using one of the recent versions of SecureTrack, a Generic Route can be added directly in the Interactive Map.
To do so, log in to SecureTrack with administrative rights and go to
   Menu > Network > Interactive Map (TOS Aurora: Menu > Map)

Then, find the device you want to provide with an additional, generic route. In this example, the Check Point Firewall will get an additional route. To show all routes stored in SecureTrack for this device, right-click and select "show routes".

A new window opens, showing all routes configured for this device.

To add a route, click on the "+" at the top right corner. A new window opens that allows defining a new (generic) route. The following information needs to be provided:

  • Destination
    IP-Address and Prefix
  • Interface
    optional
  • Virtual R&F
    optional
  • Next Hop Type
    IP or VR
  • Next Hop
    e.g. IP address of the next hop / router

Pressing "Add" takes the configuration over into the route window.

At this stage, the route can still be deleted by clicking on the dustbin on the right side. The configuration is finished by pressing "Save".
The newly configured route is shown and active in the Interactive Map after synchronizing the Topology.

Please be aware that this Generic Route cannot be deleted via the WebUI. Deleting a Generic Route requires access to the CLI, as shown in the section on listing and removing Generic Routes.

 

Configuration of Generic Routes using the CLI
(TOS Classic only)

Some administrators prefer using the CLI. If an older version of SecureTrack is used, Generic Routes can be configured using the CLI only.
To do so, the Management ID of the device (also called Device ID) needs to be known.
The routes are configured by preparing a CSV file with the following fields:

  • Destination
    IP-Address
  • Mask
    Dotted decimal subnet mask
  • Interface
    name of the Interface to be used
  • Next Hop
    IP address of the next hop / router
  • Next Hop Type
    IP or VR
  • VRF
    optional

Here is an example of the content:

# cat /home/tufin-admin/routes.csv
10.1.2.0,255.255.255.0,eth1,10.1.1.254,IP,
10.1.3.0,255.255.255.0,eth1,10.1.1.254,IP,

Note that the number of fields always has to be the same. So if a VRF isn't configured, the trailing "," still needs to be in the file.
Note also that importing the file replaces all Generic Routes configured before. So every Generic Route that needs to be configured on the device has to be included in this file.

The next step is to import the file. This is done with the commands

  • cd /usr/local/st
  • ./topology_generic_routes -m <DeviceID> -i <file.csv>, e.g.
    ./topology_generic_routes -m 286 -i /home/tufin-admin/routes.csv

The next step is to synchronize the SecureTrack Topology. This can be done using the WebUI (see above) or via the CLI with the commands

  • cd /usr/local/st
  • ./topology_graph_builder

After this procedure, the content of the CSV file is shown in the Topology.
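
A pre-import check for the CSV file described above, as an added example (not part of the original article and not a Tufin tool). The function name, the sample data and the rule that a VR next hop is not checked as an IP address are assumptions made for this sketch.

```python
import csv
import io
import ipaddress

FIELDS = 6                 # destination, mask, interface, next hop, next hop type, VRF
HOP_TYPES = {"IP", "VR"}   # the two values named in the article

def validate_routes(text):
    """Check Generic Route CSV text; return (routes, errors)."""
    routes, errors, seen = [], [], set()
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:                      # skip blank lines
            continue
        if len(row) != FIELDS:           # the trailing "," for an empty VRF is mandatory
            errors.append(f"line {n}: expected {FIELDS} fields, got {len(row)}")
            continue
        dest, mask, iface, hop, hop_type, vrf = (f.strip() for f in row)
        try:
            # strict=True rejects destinations that have host bits set
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
            if str(net.netmask) != mask:  # rejects prefix lengths and wildcard masks
                raise ValueError(f"{mask!r} is not a dotted decimal subnet mask")
            if hop_type not in HOP_TYPES:
                raise ValueError(f"next hop type {hop_type!r} is not IP or VR")
            if hop_type == "IP":          # assumption: a VR next hop is a name, not checked
                ipaddress.IPv4Address(hop)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        if (net, vrf) in seen:
            errors.append(f"line {n}: duplicate destination {net}")
            continue
        seen.add((net, vrf))
        routes.append((dest, mask, iface, hop, hop_type, vrf))
    return routes, errors

# Constructed sample: the article's two routes plus four deliberately broken lines.
SAMPLE = """\
10.1.2.0,255.255.255.0,eth1,10.1.1.254,IP,
10.1.3.0,255.255.255.0,eth1,10.1.1.254,IP,
10.1.4.0,255.255.255.0,eth1,10.1.1.254,IP
10.1.5.7,255.255.255.0,eth1,10.1.1.254,IP,
10.1.6.0,24,eth1,10.1.1.254,IP,
10.1.2.0,255.255.255.0,eth2,10.1.9.254,IP,
"""

if __name__ == "__main__":
    for item in validate_routes(SAMPLE)[1]:
        print("ERROR", item)
```

Because an import replaces all existing Generic Routes of the device, run the check over the complete file, not only over the lines being added.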

 

Listing and removing Generic Routes from Topology
(TOS Classic only)

If one or more Generic Routes are configured, they can be displayed in the WebUI, but there is no option to remove or alter them there. To do so, the CLI is necessary. One option is to use "regular commands", the other is to "hack the database". The second option is not really recommended by Tufin.

The easiest way to check Generic Routes is to look at the routing table of the device in the Interactive Map. Note that the map shows no difference between a regular and a generic route. Checking the Generic Routes via the CLI requires knowing the Management ID of the device (the example below refers to 286 and the configuration above).
The following command queries the SecureTrack database:

# psql -Upostgres securetrack -c "select * from topology_generic_routes where mgmt_id='286'"
 id | mgmt_id | destination |     mask      | interface_name |  next_hop  | next_hop_type | vrf
----+---------+-------------+---------------+----------------+------------+---------------+-----
 26 |     286 | 10.1.2.0    | 255.255.255.0 | eth1           | 10.1.1.254 | IP            |
 27 |     286 | 10.1.3.0    | 255.255.255.0 | eth1           | 10.1.1.254 | IP            |
(2 rows)

The output shows two Generic Routes that have been added to the device with Management ID 286.

If one or more Generic Routes need to be removed from SecureTrack Topology, this should be done with a CSV file as shown above. An import of a CSV file with Generic Routes always replaces all of them. So if an empty file is imported, all Generic Routes are removed after Topology Sync.

 

 

 

 

Tufin Orchestration Suite 21-3

Details
Version update
Last Updated: 04 January 2022

Tufin has released TOS R21-3, the third and final version of the Tufin Orchestration Suite of 2021.
TOS 21-3 is available as GA and can be downloaded from the Tufin Portal (login required) in its variants for TOS Classic and TOS Aurora.

TOS 21-3 is the last version for TOS Classic. It will be supported until the end of 2022.

This version delivers improvements, e.g.

Change Automation and Orchestration

  • Enhancements for Access Decommission
    This is supported now for Check Point R80 and Panorama.
    A new tab "Manage Related Rules" has been introduced
    as well as the option to disable and not only to remove rules.

  • Enhancements for Server Decommission and Server Cloning
    Decommission of subnets as well as IP address ranges is possible now.
    Cloning also supports these kinds of network objects, including a move e.g. from a subnet to a host.

Application Driven Automation

  • SecureApp now supports User Identity
  • Application Identity is shown in Connection Status

Devices and Platforms

  • Microsoft Azure
    New supported management and firewall devices in Microsoft Azure:
    • Check Point CloudGuard Multi-Domain Server, Check Point Security Management, Check Point Gateway
    • Palo Alto Panorama and PanOS
    • Fortinet FortiManager and FortiGate
  • Fortinet
    FortiManager with Central NAT policies is supported by SecureTrack now
  • Intelligent Provisioning
    for Check Point R80 and Juniper SRX
  • New versions supported:
    • Cisco ACI 5.1
    • Cisco FMC 6.7
    • VMWare NSX-V 6.4.9
    • Forcepoint SMC 6.9 with API 6.8
    • Fortinet FortiManager 6.4.6

REST API

  • SecureTrack
    • Microsoft Azure Resources can be imported
    • Support of "get license status"
  • SecureChange
    • Auditing of some actions is possible, e.g. LDAP or RADIUS server changes as well as changes in roles
    • Output of a list of active workflows, including name, description, and type

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

TufinOS 3.81 available

Details
TufinOS
Last Updated: 15 December 2021

Tufin has published TufinOS 3.81. An upgrade to this version is recommended since it fixes a potential vulnerability (authentication required) in NSS during certificate verification.
When upgrading, please consider the supported upgrade path as well as the minimum requirements regarding the TOS version.

 

 

 

 

Vulnerabilities in Apache Log4J

Details
Basics
Last Updated: 25 December 2021

After the first vulnerability in Apache Log4j was found and discussed on the Internet, more have been identified. Altogether, three vulnerabilities have been found so far. They are described in CVE-2021-44228 (resolved in Log4j 2.15), CVE-2021-45046 (resolved in Log4j 2.16), and CVE-2021-45105 (resolved in Log4j 2.17).

Tufin has checked whether Tufin Orchestration Suite is vulnerable or not.
The latest status can be found here: https://forum.tufin.com/support/kc/latest/Content/Suite/CVE-2021-44228.htm?cshid=CVE-2021-44228.
Some official patches are available, i.e. for RTOS 19.3 and above. If you are currently using R19-2 or earlier, please upgrade to a supported version of TOS.

It is recommended to check the latest status (Tufin Portal > Security Advisories) and to subscribe to Tufin's mailing list.
Please also check the Tufin Portal for additional information.

 

 

 

 

 

TufinOS 3.71 available

Details
TufinOS
Last Updated: 09 November 2021

In November 2021, Tufin released TufinOS 3.71. This version is now available for download in the Tufin Portal (authentication required).
Upgrading to this version requires an installed TufinOS on the machine. A clean installation is currently possible for TufinOS 3.5x and 3.60 only. From here a direct upgrade to TufinOS 3.71 is possible.

The most important features and updates are:

  • Apache HTTPD has been updated to version 2.4.6
  • PHP has been upgraded from PHP 5.4 to PHP 7.4

Even though no new CVEs are fixed in this release, as was done in TufinOS 3.70, this update is recommended.
After installing the upgrade, a restart of httpd is necessary. This can be done with the command

   systemctl restart httpd


Hints:

  • Upgrading to TufinOS 3.71 requires at least one of these versions of the Tufin Orchestration Suite (so it might be necessary to upgrade TOS also):
    • R21-1 HF3.2 and above
    • R21-2 HF1.5 and above
    • R21-3 RC1 and above

  • Please keep in mind that with an upgrade of TufinOS, the configuration of Apache, as well as SSH, might be reset to default values. So please check your individual configuration before and after the upgrade.

 

Please be aware that only TufinOS 3.50 to 3.71 are supported by Tufin now, i.e. older versions will not receive security-related updates either.
If you still use TufinOS 2.x, the only supported version is TufinOS 2.23. In this case, an upgrade is strongly recommended since TufinOS 2.x is based on CentOS 6.x (which is no longer supported).


Additional information about Security Fixes included in TufinOS is available. When hardening TufinOS, please follow the hints given by Tufin.

 

 

 

 

Requirements of TOS Aurora

Details
TOS Aurora
Last Updated: 29 September 2021

As you know, TOS Aurora is publicly available and will become the only supported version. TOS Classic will be retired at the end of 2022.

Before upgrading from TOS Classic to TOS Aurora, the requirements need to be considered. If you are using a Tufin Appliance, please consult Tufin about its compatibility.

If you want to install TOS Aurora on other hardware, please refer to Tufin and consider the requirements.
Not only the size of the hard disk is important, but also its speed. Do not try to install TOS Aurora on classic hard disks...

  • (fast) SSD array
  • 7.500 IOPS or more
  • 250 MB/s throughput or more

So besides the requirements for processors/cores, RAM, and disk size, the speed of the hard disk is very important.

 

 

 
