AERAsec is 2019 EMEA SDP of the Year
At Tufinovate 2020, AERAsec has been nominated as
EMEA SDP / Service Partner of the Year
Thanks to Tufin for this award!
See also Tufin Press Release about this topic.
Having a Unified Security Policy (USP) requires network zones to be defined and filled with all relevant networks.
This is done in SecureTrack via Menu > Network > Zones. Only zones defined here can be used in a USP configuration.
There are some pre-defined zones:
Based on the interface information of the devices, interfaces are assigned to zones automatically - except for the zone Internet.
Tufin SecureChange calculates "Risk" in Access Requests in the classic way, whereas SecureTrack calculates "Violations" using a specific configuration that can be adapted.
To modify interfaces and zones, go to the USP list, i.e. Menu > Audit > Compliance > Unified Security Policy. Here you select a USP to modify the relationship between Interface and Zone. This is done by pressing the button "Preferences". A window opens in which you can modify the allocations manually.
In this example, the Interface "pppoe2" has no associated zone even though (in real life) the "Internet" is connected to this Interface. To configure this, select the interface and then the button "Edit" at the top right. Here you select the zone that shall be associated with this Interface.
After having done so, the configuration is changed by pressing the button "Save".
So from now on, calculations regarding "violations" consider this configuration and zone association.
Please note: be sure to document all changes done this way!
In SecureTrack Audit Trail only this message is shown "Unified security policy configuration - Modify - Device - FWGW-Office - Modify was done by MeAdmin on interface/zone mapping for device FWGW-Office".
Changes done here have a direct impact on "violations", so every configuration change needs to be documented well.
The calculation of "violations" is done when a new revision arrives at SecureTrack, a USP is changed, or the Topology (Interactive Map) is synchronized.
Tufin has launched the Tufin Marketplace.
Here you find applications and scripts that extend the possibilities. Some of the current options are, e.g.
The list of apps offered will grow, so registering with and visiting the Tufin Marketplace may save development time. Some apps are free, others need to be licensed.
Since Check Point R80 it's no longer sufficient to connect Tufin SecureTrack to a Check Point Management using OPSEC only; an HTTPS connection to the Check Point Management API is also necessary. This might result in the scenario shown here.
Problem and Symptom
BUT
Solution
Tufin SecureTrack sometimes selects the wrong version of the Check Point API. This isn't always the case, but it might happen. In this case, SecureTrack tries version 1.1, but the Check Point server uses version 1.5. This needs to be adjusted using these steps:
Shortly after these steps, a revision should show up in SecureTrack.
Tufin has released TOS R20-1, the first version of the Tufin Orchestration Suite in 2020. TOS 20-1 is available as GA now, delivering some improvements, e.g.
Change Automation and Orchestration
Devices and Platforms
REST API
Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
Sometimes it's necessary to improve the SecureTrack Topology. Reasons might be islands in the topology, the integration of unsupported devices, or devices that don't support every option, e.g. VPN. In this case, configuring "generic" objects helps to get the "real topology".
IMPORTANT - before doing steps mentioned below, be sure to have a current backup of your SecureTrack server!
Let's consider the situation that there is a supported device and a generic device - and that a VPN is needed between these two devices. Initially, the supported device and the generic device don't have any connection between them.
The problem is: no VPN has been detected between the devices R80_lab and VPN_Router. So this VPN needs to be configured manually.
Before configuring anything, some data need to be collected:
After having collected all information, the generic VPN can be configured via WebUI:
https://<IP_SecureTrack>/tools
The next step is to fill in the parameters collected above. This example configures a VPN between a monitored device and a generic device in both directions.
Syntax: <device_type>,<device_id>,<interface_name>,<tunnel_source_ip>,<tunnel_destination_ip>,<vpn_name>
No spaces are allowed between the entries.
Configuring a VPN in both directions using these parameters results in these two lines that need to be filled in:
m,285,eth2,10.3.62.227,112.12.12.12,MyVPN
g,14,interface1,112.12.12.12,10.3.62.227,MyVPN
It's possible to enter many lines at once, so different generic VPNs can be configured simultaneously. Once all data have been entered, the configuration is saved by pressing the "Submit" button.
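Because the tool accepts the lines as-is and a typo would silently produce a wrong topology, it is worth validating the lines before submitting them. The following is an added helper (not part of the original post or of Tufin's tooling) that parses a line in the syntax above, generates the reverse-direction line for the peer device, and checks that a pair of lines actually describes the same tunnel; device ids, interface names and IPs are taken from the example above.

```python
import ipaddress
from dataclasses import dataclass

# Field 1 of a line: m = monitored device, g = generic device (as in the examples above)
DEVICE_TYPES = {"m": "monitored", "g": "generic"}


@dataclass(frozen=True)
class GenericVpnLine:
    device_type: str
    device_id: int
    interface_name: str
    tunnel_source_ip: str
    tunnel_destination_ip: str
    vpn_name: str

    def render(self) -> str:
        """Serialize back into the comma-separated form the /tools page expects."""
        return ",".join([self.device_type, str(self.device_id), self.interface_name,
                         self.tunnel_source_ip, self.tunnel_destination_ip, self.vpn_name])


def parse_line(line: str) -> GenericVpnLine:
    """Parse and validate one line; raises ValueError describing the first defect found."""
    if " " in line:
        raise ValueError("no spaces are allowed between the entries")
    fields = line.split(",")
    if len(fields) != 6:
        raise ValueError(f"expected 6 comma-separated fields, got {len(fields)}")
    device_type, device_id, iface, src, dst, name = fields
    if device_type not in DEVICE_TYPES:
        raise ValueError("device_type must be 'm' (monitored) or 'g' (generic)")
    if not device_id.isdigit():
        raise ValueError("device_id must be a numeric SecureTrack device id")
    if not iface or not name:
        raise ValueError("interface_name and vpn_name must not be empty")
    ipaddress.ip_address(src)  # raises ValueError on a malformed address
    ipaddress.ip_address(dst)
    return GenericVpnLine(device_type, int(device_id), iface, src, dst, name)


def reverse_line(line: GenericVpnLine, device_type: str, device_id: int,
                 interface_name: str) -> GenericVpnLine:
    """Build the peer's line: same VPN name, tunnel source and destination swapped."""
    return GenericVpnLine(device_type, device_id, interface_name,
                          line.tunnel_destination_ip, line.tunnel_source_ip, line.vpn_name)


def check_pair(a: GenericVpnLine, b: GenericVpnLine) -> list:
    """Return the inconsistencies between two lines meant to describe one tunnel."""
    problems = []
    if a.vpn_name != b.vpn_name:
        problems.append("vpn_name differs")
    if (a.tunnel_source_ip, a.tunnel_destination_ip) != (b.tunnel_destination_ip, b.tunnel_source_ip):
        problems.append("tunnel endpoints are not mirrored")
    if (a.device_type, a.device_id) == (b.device_type, b.device_id):
        problems.append("both lines refer to the same device")
    return problems
```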
The next step is to synchronize the topology to get this new information into it. After this, a refresh is necessary so the new topology is displayed:
The VPN is also "used" in the Topology, as it can be seen in a path:
To get an overview of the generic VPNs configured, it's necessary to run a database query via CLI:
[root@TufinOS ~]# psql securetrack -Upostgres -c "select * from topology_generic_vpn_connections"
id | is_generic | device_id | interface_name | tunnel_source_ip_addr | tunnel_dest_ip_addr | vpn_name
----+------------+-----------+----------------+-----------------------+---------------------+----------
9 | f | 285 | eth2 | 10.3.62.227 | 112.12.12.12 | MyVPN
10 | t | 14 | interface1 | 112.12.12.12 | 10.3.62.227 | MyVPN
(2 rows)
[root@TufinOS ~]#
To delete a generic VPN, the ID of the VPN is needed. The command to remove the VPN is (example for id 10):
[root@TufinOS ~]# psql securetrack -Upostgres -c "delete from topology_generic_vpn_connections where id=10"
DELETE 1
[root@TufinOS ~]#
Issuing the command above will show that only the VPN with the ID 9 is left.