Tufin.club

How to ignore Interfaces in Topology

Details
SecureTrack
Last Updated: 21 October 2020

In many situations, firewalls have not only their "productive" interfaces but also others, e.g. management interfaces. If many firewalls are connected to each other not only via their productive interfaces but also via a management network, problems can arise. One shows up when SecureTrack Topology is used to check the path a packet takes: even if this never happens in real life, Topology may consider the shortest path to run through the management network. As a consequence, the SecureChange Designer assumes the same path, and the result isn't what was expected.

So in many cases it is useful to exclude single interfaces from SecureTrack Topology. This is quite easy to do, but it needs to be done very carefully and must be documented well (!).

Please don't continue before you have made a backup of your data!

First you need the Management ID of the relevant device in Tufin SecureTrack. If it is a directly monitored firewall (e.g. Cisco ASA, FortiGate without FortiManager or a directly monitored Check Point firewall module), the Management ID can be found in Menu > Compare. Go to the left pane called "Monitored Devices" and press "t". The Management ID shows up beside the name of the device. In the screenshot shown below, the firewall modules have the Management IDs 290 and 294, respectively.

If only the management server is listed here, another step is necessary, because in this view only the ID of the management server is shown.

In this case, go to Menu > Settings > Administration > Licenses. Scroll down to the section called "Devices", click into it and press "t". The Management IDs of all devices are shown here.

Next, find out which interface shall be ignored by Tufin Topology. You can obtain this information from SecureTrack or directly from the device.
As an example, we will exclude the interface "Mgmt" of the device with Management ID 290 and IP address 192.168.1.1 from Topology.

This information needs to be stored in the database. You can do this using the REST API or directly via the CLI. In this example we use the CLI to modify the table "topology_ignored_interfaces".
To get a list of all currently ignored interfaces, use this command:

[root@TufinOS ~]# psql -Upostgres securetrack -xc "select * from topology_ignored_interfaces"
-[ RECORD 1 ]--+-----------------
interface_name | ethernet1/1
mgmt_id        | 2
ip             | 0.0.0.0
[root@TufinOS ~]#

To add an interface to this list, you need the Management ID of the device as well as the name of the interface and its IP address. Then it can be added to the table using

[root@TufinOS ~]# psql -Upostgres securetrack -xc "insert into topology_ignored_interfaces (interface_name, mgmt_id, ip) values ('Mgmt','290','192.168.1.1')"

After that, the interface is listed in the table and is therefore ignored by SecureTrack Topology, but only once the Topology has been synchronized (!).
(The IP address can also be left out; the table then shows 0.0.0.0.)

[root@TufinOS ~]# psql -Upostgres securetrack -xc "select * from topology_ignored_interfaces"
-[ RECORD 1 ]--+-----------------
interface_name | ethernet1/1
mgmt_id        | 2
ip             | 0.0.0.0
-[ RECORD 2 ]--+-----------------
interface_name | Mgmt
mgmt_id        | 290
ip             | 192.168.1.1
[root@TufinOS ~]#

If you look at the device in the Topology, this interface isn't listed there any more.
To remove an interface from this list and get it back into Topology, use the command

[root@TufinOS ~]# psql -Upostgres securetrack -xc "delete from topology_ignored_interfaces where interface_name='Mgmt' and mgmt_id='290'"

To make this change effective, don't forget to synchronize the Topology again.
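The same steps wrapped in a few shell functions, as an added example that is not Tufin's own tooling: it dumps the table with pg_dump before anything is changed (the backup the article asks for), validates the Management ID and the IP address, doubles any single quote in the interface name so that it cannot break the statement, and offers a dry run that only prints the SQL. The table layout is the one shown above; the backup directory and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/bash
# Manage SecureTrack's topology_ignored_interfaces table from the TufinOS CLI.
# Added example, not Tufin tooling. Assumes the table columns shown above
# (interface_name, mgmt_id, ip) and psql/pg_dump access as the postgres user.
# Set DRY_RUN=1 to print the SQL instead of executing it.

DB=securetrack
BACKUP_DIR=${BACKUP_DIR:-/var/tmp}          # assumption: where table dumps are kept

run_sql() {                                  # $1 = statement
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$1"
    else
        psql -Upostgres "$DB" -xc "$1"
    fi
}

backup_table() {                             # dump only this table before changing it
    local out="$BACKUP_DIR/topology_ignored_interfaces.$(date +%Y%m%d%H%M%S).sql"
    if [ -n "$DRY_RUN" ]; then
        printf 'would dump table to %s\n' "$out"
        return 0
    fi
    pg_dump -Upostgres -t topology_ignored_interfaces "$DB" > "$out" && printf 'backup: %s\n' "$out"
}

sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }   # double embedded single quotes

valid_id() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }   # digits only

valid_ip() (                                 # dotted quad, each octet 0-255 (subshell: IFS/-f stay local)
    IFS=. ; set -f ; set -- $1
    [ $# -eq 4 ] || return 1
    for n in "$@"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -le 255 ] || return 1
    done
)

ignore_sql() {                               # $1 = mgmt_id, $2 = interface, $3 = ip (optional)
    local id=$1 name=$2 ip=${3:-0.0.0.0}
    valid_id "$id" || { echo "bad mgmt_id: '$id'" >&2; return 1; }
    valid_ip "$ip" || { echo "bad ip: '$ip'" >&2; return 1; }
    printf "insert into topology_ignored_interfaces (interface_name, mgmt_id, ip) values ('%s','%s','%s')" \
        "$(sql_quote "$name")" "$id" "$ip"
}

unignore_sql() {                             # $1 = mgmt_id, $2 = interface
    local id=$1 name=$2
    valid_id "$id" || { echo "bad mgmt_id: '$id'" >&2; return 1; }
    printf "delete from topology_ignored_interfaces where interface_name='%s' and mgmt_id='%s'" \
        "$(sql_quote "$name")" "$id"
}

list_ignored()   { run_sql "select * from topology_ignored_interfaces"; }
ignore_iface()   { local s; s=$(ignore_sql "$@") || return 1; backup_table && run_sql "$s"; }
unignore_iface() { local s; s=$(unignore_sql "$@") || return 1; backup_table && run_sql "$s"; }

# Dry run of the example from the text: interface Mgmt of device 290, 192.168.1.1
( DRY_RUN=1; ignore_iface 290 Mgmt 192.168.1.1 )
```

Run `ignore_iface 290 Mgmt 192.168.1.1` without DRY_RUN to apply the change; the Topology still has to be synchronized afterwards, exactly as with the manual psql commands.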

AERAsec is 2019 EMEA SDP of the Year

Details
Basics
Last Updated: 18 December 2020

At Tufinovate 2020, AERAsec was named

EMEA SDP / Service Partner of the Year

Thanks to Tufin for this award!

See also the Tufin press release about this topic.

USP Violations, Interfaces and Network Zones

Details
SecureTrack
Last Updated: 12 September 2021

Having a Unified Security Policy (USP) requires network zones to be defined and filled with all relevant networks.
This is done in SecureTrack via Menu > Network > Zones. Only zones defined here can be used in a USP configuration.

There are some pre-defined zones:

  • Internet
    This zone includes all public IP addresses that are not defined to be in any other zone
  • Unassociated Networks
    This zone includes all private IP addresses (RFC 1918) that are not defined to be in any other zone
  • Users Networks
    This zone includes all networks that users connect from (e.g. as used with Check Point Identity Awareness)

Based on the interface information of the devices, interfaces are assigned to zones automatically, except for the zone Internet.

Tufin SecureChange calculates the "Risk" of Access Requests in the classic way, while SecureTrack uses a specific, adjustable configuration to calculate "Violations".
To modify the interface-to-zone mapping, go to the USP list, i.e. Menu > Audit > Compliance > Unified Security Policy, and select a USP. Then press the button "Preferences"; a window opens in which the mapping can be modified manually.

In this example, the interface "pppoe2" has no associated zone although (in real life) the Internet is connected to this interface. To configure this, select the interface and then the button "Edit" at the top right, and choose the zone that shall be mapped to this interface.

After that, save the configuration by pressing the button "Save".

From now on, the calculation of "violations" takes this zone mapping into account.

Please note: be sure to document all changes done this way well!
The SecureTrack Audit Trail only shows a message like "Unified security policy configuration - Modify - Device - FWGW-Office - Modify was done by MeAdmin on interface/zone mapping for device FWGW-Office", which names neither the interface nor the zone.

Changes made here have a direct impact on "violations", so every change needs to be documented well.
Violations are recalculated when a new revision arrives in SecureTrack, when a USP is changed, or when the Topology (Interactive Map) is synchronized.

Tufin Marketplace

Details
TOS classic
Last Updated: 17 July 2020

Tufin has launched the Tufin Marketplace.

Here you find applications and scripts that extend the functionality of the Tufin Orchestration Suite. Some of the current options are e.g.

  • Change Automation
    Apps for "Vulnerability Mitigation", "Workflow Integrator" and "ServiceNow Integration"
  • Reporting Pack
    SecureTrack Reporting Essentials
  • Network Segmentation
    Apps for the integration of EfficientIP SOLIDserver and Infoblox Grid Manager
  • SecOps / Incident Response
    Apps for the integration of products by e.g. Resilient, Splunk, Swimlane and others
  • Application Discovery
    Support of Cisco Tetration App Discovery

The list of apps offered will grow, so registering at and visiting the Tufin Marketplace may save development time. Some apps are free, others need to be licensed.

Check Point API not working

Details
SecureTrack
Last Updated: 09 September 2021

Since Check Point R80 it is no longer sufficient to connect Tufin SecureTrack to a Check Point Management via OPSEC only; an HTTPS connection to the Check Point Management API is required as well. This can lead to the scenario shown here.

Problem and Symptom

  • Monitoring of the Check Point Management R80.x has been configured successfully in SecureTrack, i.e. the OPSEC and Management API connections are configured and the certificates have been retrieved.
  • Testing the connectivity from SecureTrack has been successful.
  • Starting the newly monitored Check Point Management has been successful, the icon shows a green sign, so everything seems to be fine.

BUT

  • no revisions are retrieved
  • the file /var/log/st/checkpoint.get_checkpoint_conf_<IP>_<ID>.log shows:
    [main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Device Version Mismatch : The Device Got Version mismatch returning device version for updating db
    [main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Server API version 1.5, Max supported API version 1.5, argument API version 1.1

Solution

Tufin SecureTrack seems to pick the wrong version of the Check Point API. This doesn't always happen, but it can. In this case SecureTrack tries API version 1.1 while the Check Point server offers version 1.5. This can be adjusted with these steps:

  • Check if the file /usr/local/st/javatools/config.properties exists
  • If not, create it using vi or another CLI editor
  • Insert this line:
    checkpoint.sdk.api_version=v1.5
    This defines the API version SecureTrack shall use for monitoring Check Point Management R80.x.
    The version shown above is right for the log above; if necessary, use the (correct) version reported by your server instead
  • Restart the monitoring of this device in SecureTrack with
    # st restart <ID>

Shortly after these steps, a revision should show up in SecureTrack.
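As an added example that is not part of the original article: a small shell helper that reads the mismatch line from the get_checkpoint_conf log, picks the server's API version and writes checkpoint.sdk.api_version into config.properties, replacing an existing line instead of appending a second one. The log line format is the one quoted above; the sample log excerpt in the demo is constructed, and the demo writes to a temporary directory only so that the script runs without a SecureTrack installation.

```shell
#!/bin/bash
# Derive checkpoint.sdk.api_version from a SecureTrack get_checkpoint_conf log.
# Added example, not Tufin tooling. Assumes the log line format quoted above;
# the default config path is the one named in the article.

CONFIG=${CONFIG:-/usr/local/st/javatools/config.properties}

# Print the server API version if the log reports an argument version that differs
# from it; print nothing when the versions agree or no mismatch line is present.
# The versions are compared as strings (so 1.10 is not mistaken for 1.1).
server_api_version() {                       # $1 = log file
    sed -n 's/.*Server API version \([0-9.]*\), Max supported API version [0-9.]*, argument API version \([0-9.]*\).*/\1 \2/p' "$1" |
        awk '($1 "") != ($2 "") { print $1; exit }'
}

# Write checkpoint.sdk.api_version=v<version> to the properties file, replacing an
# existing line rather than appending a duplicate. $1 = version, $2 = file (optional)
set_api_version() {
    local ver=$1 file=${2:-$CONFIG} tmp
    [ -n "$ver" ] || { echo "no version given" >&2; return 1; }
    if [ -f "$file" ] && grep -q '^checkpoint\.sdk\.api_version=' "$file"; then
        tmp=$(mktemp) || return 1
        sed "s/^checkpoint\.sdk\.api_version=.*/checkpoint.sdk.api_version=v$ver/" "$file" > "$tmp" &&
            cat "$tmp" > "$file"               # overwrite in place to keep owner and mode
        rm -f "$tmp"
    else
        printf 'checkpoint.sdk.api_version=v%s\n' "$ver" >> "$file"
    fi
}

# Demo on a constructed log excerpt (the real file lives under /var/log/st/)
demo() {
    local d ver
    d=$(mktemp -d)
    cat > "$d/get_checkpoint_conf.log" <<'EOF'
[main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Device Version Mismatch : The Device Got Version mismatch returning device version for updating db
[main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Server API version 1.5, Max supported API version 1.5, argument API version 1.1
EOF
    ver=$(server_api_version "$d/get_checkpoint_conf.log")
    set_api_version "$ver" "$d/config.properties"
    cat "$d/config.properties"
    rm -rf "$d"
}
demo
```

On a real system, call `set_api_version "$(server_api_version /var/log/st/checkpoint.get_checkpoint_conf_<IP>_<ID>.log)"` with the actual log file and then restart the device monitoring with `st restart <ID>` as described above; an empty result from server_api_version means the log does not show a version mismatch and nothing should be written.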

Tufin Orchestration Suite 20-1

Details
Version update
Last Updated: 15 May 2020

Tufin has released TOS R20-1, the first version of the Tufin Orchestration Suite in 2020. TOS R20-1 is now GA and delivers a number of improvements, e.g.

Change Automation and Orchestration

  • Improvement of the Rule Modification Workflow
    This type of workflow was introduced with R19-3 and allows creating tickets that change the Source and Destination of an existing rule. With R20-1, Services can now also be added to, changed in or removed from a rule.
    Supported devices are Check Point R80, Cisco ASA, Cisco FMC, Palo Alto Panorama, and Juniper SRX.
  • Enhancements in SecureApp User Permissions
    More flexibility for roles and permissions in SecureApp, e.g. configuring whether users are allowed to use Server Resources in their Application Connections. Besides this, Tufin has enhanced the security segmentation when Interconnected Domains are configured.

Devices and Platforms

  • Support of IPv6 in Topology
    SecureTrack Topology supports IPv6, i.e. it can be used in the Interactive Map for e.g. paths and traffic simulation.
    Supported are currently Cisco IOS-XR, Check Point R80, and Fortinet FortiManager in Advanced Mode.
  • Fortinet IPv6 automation in non-topology mode
    If Topology isn't used in SecureChange (which requires e.g. manual target selection), IPv6 objects in SecureChange Access Requests can be used in automation, so change processes can be automated for IPv4 as well as IPv6 objects.
  • Enhancements for Licensing page
    Some improvements have been implemented to deliver more clarity regarding available and bound licenses.
  • Cisco FMC Zones Support - Automation
    For Cisco Firepower Management Center (FMC) devices in non-topology mode specific zone-to-zone mapping can be chosen in SecureChange Access Requests. This can also be used in automated changes.
  • Cisco Firepower Rule and Object Usage
    The enhanced rule usage capabilities and features in SecureTrack can now be used for FMC devices, i.e. metadata for rules are calculated and shown in Policy Browser.
  • Palo Alto Panorama Dynamic Address Group (DAG) support with Tags
    The content of Dynamic Address Groups based on Panorama tags can be shown in SecureTrack, improving visibility and traffic analysis (also in Topology).
  • HashiCorp Vault Support for Amazon AWS
    This option can be used to store the AWS authentication credentials in Vault and to provide tight access control to AWS. Instead of connecting to AWS with directly configured credentials, SecureTrack can receive a token for authentication and communication with the AWS device.
  • Support of additional devices and versions
    • Check Point R80.40, supporting Check Point API version 1.5
    • Cisco Firepower Management Center (FMC) 6.5
    • Forcepoint SMC 6.5.10
    • F5 BIG IP 14.1
    • Palo Alto PanOS firewall version 9.1
    • Palo Alto Panorama version 9.0.4, 9.1
    • VMware NSX-V version 6.4.6

REST API

  • Management of Generic Interfaces, Generic Routes, and Generic VPN
    New API calls are available, supporting the full functionality, e.g. get a Generic Interface by ID, get the Generic Interfaces of a device, get a Generic Route by ID, get the Generic Routes of a device, get a Generic VPN by ID, get the Generic VPNs of a device.
  • Management of Device Connections for Firewalls in Transparent Mode
    Managing Layer 2 firewalls is now integrated and possible via the REST API.
  • Management of Ignored Interfaces
    Selected interfaces can be excluded from SecureTrack Topology. These ignored interfaces can now be managed via the REST API.
  • Device Interfaces and Domains
    When working with Domains in SecureTrack, the REST API can now be used to associate an interface of a device with a Domain ID.
  • Cloud Management
    The Interactive Map uses clouds in some situations. Joining clouds can now be managed via the REST API.
  • Enhancements of User Management
    Management of SecureChange and SecureApp users via the REST API is enhanced, especially the management of groups.
  • Rule Modification Workflow
    As shown above, services can now be changed in a rule. This can also be done via the REST API.
  • Ticket Search in SecureChange
    The REST API now supports pagination to shorten response times and to limit the amount of data returned by the ticket search APIs.

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
