www.tufin.club
Tufin Orchestration Suite 19-2
- Details
- Category: Version update
Tufin has released R19-2, the second version of the Tufin Orchestration Suite in 2019. TOS 19-2 is GA now and delivers, among others, the following improvements:
Change Automation and Orchestration
- SecureChange: Enhancements for the "Clone Server Policy" workflow, including zero-touch automation for Designer, Policy Update and Commit Policy Changes for all supported devices. Additionally, support for NSX-V has been added.
- SecureChange: The Designer can now be configured to implement the changes of an Access Request as before (optimized policy) or to implement each Access Request in separate rules. On demand, users can also request this per ticket.
- SecureChange: The "Modify Group" workflow now supports Check Point objects with dual stack (IPv4/IPv6).
- SecureTrack, SecureChange: Support of Fortinet Web Filter gives more visibility on rules that have it configured, which improves auditing. End-to-end change automation is possible for current and Next Generation Fortinet configurations.
- SecureChange: Support of dual stack objects (IPv4/IPv6) in the Modify Group workflow for Check Point R80.
- SecureChange: Requester notifications can be sent to AD groups, not only to individuals.
Security, Risk and Compliance
- SecureTrack, SecureChange: Updated NextGen Applications Library for Palo Alto.
- SecureTrack: Improved troubleshooting using advanced path analysis queries that contain multiple IP addresses.
- SecureTrack, SecureChange: Protection against CSRF (Cross-Site Request Forgery) attacks (not currently supported for Microsoft Internet Explorer 11).
Devices and Platforms
- SecureTrack: Support of Cisco ACI regarding "Enhanced Visibility", "Enhanced Topology Modeling", and "Risk Assessment".
- SecureTrack: Support of Palo Alto Panorama High Availability.
- SecureTrack: Support of Palo Alto Panorama External Dynamic Lists (EDL).
- SecureTrack: Support of Palo Alto Fully Qualified Domain Names.
- SecureTrack, SecureApp: The Policy Browser allows mapping of SecureApp Connections to rules for Cisco FMC, Fortinet FortiManager, and Palo Alto Panorama in Advanced Mode.
- SecureTrack: Support of Check Point CloudGuard for Azure.
- Support of new devices:
  - Cisco Firepower Management Center (FMC) 6.3
  - Cisco ASA 9.13 beta
REST API
- Improvements for SecureTrack
  - Automatic onboarding of management devices via API has been added for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA, including import/update of virtual contexts.
  - Adding/updating single or multiple devices is now possible for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA, including import/update of virtual contexts.
- Improvements for SecureTrack/SecureChange
  - Support for Palo Alto Panorama External Dynamic List (EDL) data has been added.
- Improvements for SecureChange
  - The results of the Clone Server Policy workflow can be retrieved via API.
- Improvements for SecureTrack/SecureChange/SecureApp
  - The JSON serialization implementation is now complete for all SecureTrack, SecureChange and SecureApp REST APIs.
Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
Changing the IP address of a SecureTrack Server
- Details
- Category: SecureTrack
In some cases it's necessary to change the IP address of the SecureTrack server. Some facts need to be considered beforehand. The change itself consists of two parts: changing the IP address of the operating system and changing the IP address stored in SecureTrack.
- Please note that the solution described works for TOS Classic only!
If the IP address needs to be changed for TOS Aurora, a new installation is necessary - see also the Knowledge Center of Tufin.
Things to consider beforehand
Especially in complex scenarios, some points need to be considered before changing the IP address of SecureTrack, e.g.:
- Check and configure IP addresses/netmasks for all NICs (see below), including an update of /etc/hosts
- Check and configure routes
- Check whether the switch configuration is affected (e.g. VLAN, port security, ...)
- Check whether changes are necessary for DNS, NTP, syslog, etc.
- Check whether changes are needed on other servers, e.g. SecureChange, authentication, e-mail, LDAP
- Check whether firewall rules need to be changed for the communication between SecureTrack and SecureChange (and vice versa), between SecureTrack and the monitored devices, ...
- If Check Point is monitored: check whether API access is still possible after changing the IP address; the OPSEC Application needs to be modified
- Other devices need to be configured to send syslog data to the new IP address
- If access control is configured on the monitored devices, access from the new IP address needs to be allowed, e.g. for retrieving a new revision
- ...
Don't forget to update the documentation/operation manual
Changing the IP address of TufinOS
Since TufinOS is based on CentOS, changing the IP address of an interface (eth0) is done by editing the file
/etc/sysconfig/network-scripts/ifcfg-eth0
In this file the parameters IPADDR and NETMASK need to be adapted; if necessary, GATEWAY has to be changed as well. To make the changes effective, restart the network service (service network restart) or reboot the system. Do this from the console (or over a second interface): an SSH session to the old address is lost as soon as the change takes effect. After this, the SecureTrack server has the new IP address.
Changing the IP address in SecureTrack
Before making any change using the command psql, create a backup of your configuration!
If only the IP address of the system is changed, SecureTrack still shows the "old" IP address in the WebUI. Everything works, but this address should be changed as well.
By the way, the same happens if a backup is restored to a machine with a different IP address.
In Menu > Settings > Administration > Status the "old" IP address 10.100.200.206 is shown. It should be the "new" IP address 10.0.0.20.
To change the IP address it's necessary to connect to the CLI with administrative (root) rights.
First, find the ID of the SecureTrack server:
[root] psql -Upostgres securetrack -c "select * from st_servers"
id | ip | display_name | services_stat | services_last_update | disk_usage | server_type | software_version | cgi_stat | cgi_last_success
----+----------------+--------------+---------------+---------------------------+------------+-------------+------------------+----------+----------------------------
1 | 10.100.200.206 | TufinOS | ok | 2019-09-05 15:25:13.32552 | 15 | standalone | | up | 2019-07-15 10:57:36.657694
(1 row)
[root]
The next step is to change the IP address of this server:
[root] psql -Upostgres securetrack -c "update st_servers set ip='10.0.0.20' where id='1'"
UPDATE 1
[root]
Now it can be verified that the IP address is also changed in the database:
[root] psql -Upostgres securetrack -c "select * from st_servers"
id | ip | display_name | services_stat | services_last_update | disk_usage | server_type | software_version | cgi_stat | cgi_last_success
----+----------------+--------------+---------------+---------------------------+------------+-------------+------------------+----------+----------------------------
1 | 10.0.0.20 | TufinOS | ok | 2019-09-05 15:25:13.32552 | 15 | standalone | | up | 2019-07-15 10:57:36.657694
(1 row)
[root]
After logging in to the WebUI again, the correct IP address is shown there as well.
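The two parts of the procedure (interface file, then the st_servers row) combined into one script, as an added example that is not Tufin's own tooling. The interface file, the network restart and the psql update are taken from the article; the backup directory, the /etc/hosts rewrite and the guard that the row must still hold the old address are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Tufin's own tooling: the two-part IP change from the
# article as one script for a TOS Classic standalone server. The interface
# file, "service network restart" and the psql update of st_servers are
# taken from the article; the backup location, the /etc/hosts rewrite and
# the guard that the row still holds the old address are this script's
# own assumptions. Run it from the console, not over SSH to the address
# that is being changed.
set -eu

IFCFG=/etc/sysconfig/network-scripts/ifcfg-eth0   # from the article (eth0)
BACKUP_DIR=/var/tmp/st-ip-change                  # assumption: backup location

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Rewrite IPADDR, NETMASK and (if given) GATEWAY in the ifcfg file $1,
# keeping a .bak copy. Every other line stays untouched.
update_ifcfg() {
    file=$1; ip=$2; mask=$3; gw=${4:-}
    cp -p "$file" "$file.bak"
    if [ -n "$gw" ]; then gw_expr="s/^GATEWAY=.*/GATEWAY=$gw/"; else gw_expr="s/^GATEWAY=.*/&/"; fi
    sed -e "s/^IPADDR=.*/IPADDR=$ip/" \
        -e "s/^NETMASK=.*/NETMASK=$mask/" \
        -e "$gw_expr" "$file" > "$file.new"
    mv "$file.new" "$file"
}

# Replace the old address at the start of a line in an /etc/hosts-style file $1.
update_hosts() {
    file=$1; old=$2; new=$3
    cp -p "$file" "$file.bak"
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # literal dots in the regex
    sed -e "s/^$old_re\([[:space:]]\)/$new\1/" "$file" > "$file.new"
    mv "$file.new" "$file"
}

# Point the st_servers row at the new address. The UPDATE only matches a row
# that still holds the old address, so nothing changes if the assumption
# about the current value is wrong; the table is dumped first, as the
# article demands a backup.
update_st_servers() {
    old=$1; new=$2
    mkdir -p "$BACKUP_DIR"
    pg_dump -U postgres -t st_servers securetrack > "$BACKUP_DIR/st_servers-$(date +%Y%m%d%H%M%S).sql"
    psql -U postgres securetrack -v ON_ERROR_STOP=1 -v old="$old" -v new="$new" <<'EOF'
BEGIN;
UPDATE st_servers SET ip = :'new' WHERE ip = :'old';
SELECT id, ip, display_name, server_type FROM st_servers;
COMMIT;
EOF
}

# usage: sh change_st_ip.sh OLD_IP NEW_IP NETMASK [GATEWAY]
main() {
    old=$1; new=$2; mask=$3; gw=${4:-}
    for a in "$old" "$new" "$mask"; do
        valid_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    update_ifcfg "$IFCFG" "$new" "$mask" "$gw"
    update_hosts /etc/hosts "$old" "$new"
    service network restart          # or reboot, as in the article
    update_st_servers "$old" "$new"
    echo "done - log in to the WebUI and check Settings > Administration > Status"
}

# Only act when called with arguments, so the functions can be tested alone.
if [ $# -ge 3 ]; then main "$@"; fi
```

The guard on the old address in the UPDATE is the point of the script: if the row does not hold the value you expect, the statement changes nothing and the SELECT shows you why, instead of silently re-pointing the wrong server.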
Use of "jokers" in USP
- Details
- Category: SecureTrack
When setting up a USP (Unified Security Policy), the networks first need to be assigned to Zones. This is done via Menu > Network > Zones, where Zones and their networks can be edited and/or imported.
In many cases a "joker" (catch-all) is needed to match all IP addresses that are not listed in any Zone. For a long time the default Zone "Internet" has been available for this: it matches all public IP addresses that are not in another Zone.
Large enterprises may also have private (RFC 1918) IP addresses they don't trust, so another catch-all is necessary. Current versions of SecureTrack provide:
- Internet
Zone of all public IP addresses that do not belong to any other Zone in SecureTrack
- Unassociated Networks
Zone of all private IP addresses that do not belong to any other Zone in SecureTrack
So it's quite easy to set up a USP that matches all IP addresses (public as well as private). It might look like the following example.
In this example, allowed and forbidden traffic between the Zones "Internal", "DMZ", "Internet", and "Unassociated Networks" is described, matching all (public and private) IP addresses.
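How the two catch-all Zones partition the address space, as an added example that is not SecureTrack code: explicit Zones are matched first, and whatever is left over lands in "Unassociated Networks" if it is RFC 1918 space and in "Internet" otherwise. The zone table and the USP matrix (with the four Zones from the example above) are constructed for this script; the rule that an unlisted Zone pair is blocked is an assumption of the example, not a SecureTrack default.

```shell
#!/bin/sh
# Added example, not Tufin code: how the two catch-all Zones partition the
# address space when a USP is evaluated. An address is first matched against
# the explicit Zones; what is left over lands in "Unassociated Networks" if
# it is RFC 1918 space and in "Internet" otherwise. The zone table and the
# USP matrix below are constructed for the example.
set -eu

# Constructed zone table, "<zone>|<cidr>" per line (assumption, not a default).
ZONES='Internal|10.0.0.0/8
DMZ|192.168.100.0/24'

# Constructed USP matrix, "<from>|<to>|<verdict>" per line. Pairs that are
# not listed are treated as blocked here (an assumption for the example).
USP='Internal|DMZ|allowed
Internal|Internet|allowed
DMZ|Internal|blocked
Internet|Internal|blocked
Unassociated Networks|Internal|blocked'

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies within CIDR $2 (prefix length 1..32).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# RFC 1918 private address space.
is_rfc1918() {
    in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16
}

# Zone that address $1 belongs to: explicit Zones win, then the catch-alls.
zone_of() {
    found=$(printf '%s\n' "$ZONES" | while IFS='|' read -r zone cidr; do
        if in_cidr "$1" "$cidr"; then printf '%s\n' "$zone"; break; fi
    done)
    if [ -n "$found" ]; then printf '%s\n' "$found"
    elif is_rfc1918 "$1"; then echo "Unassociated Networks"
    else echo "Internet"
    fi
}

# USP verdict for traffic from address $1 to address $2.
usp_verdict() {
    from=$(zone_of "$1"); to=$(zone_of "$2")
    v=$(printf '%s\n' "$USP" | while IFS='|' read -r f t verdict; do
        if [ "$f" = "$from" ] && [ "$t" = "$to" ]; then printf '%s\n' "$verdict"; break; fi
    done)
    echo "${v:-blocked}"
}

# usage: sh usp_zones.sh <source address> <destination address>
if [ $# -ge 2 ]; then
    echo "$1 ($(zone_of "$1")) -> $2 ($(zone_of "$2")): $(usp_verdict "$1" "$2")"
fi
```

Try it with a private address that is in no explicit Zone (e.g. 172.20.0.1) as source: it is classified as "Unassociated Networks", so the "Internet" row of the USP does not apply to it, which is exactly the gap the second joker closes.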
Support of Check Point R80.30
- Details
- Category: TOS classic
Some customers have moved to Check Point R80.30 (or plan to do so).
Tufin supports R80.30 from TOS 19-1 HF3 on (the link requires authentication to the Tufin Portal).
Earlier versions may cause problems when connecting R80.30 to Tufin.
Update August 2019: Tufin TOS 19-1 HF3 is available for download now.
Policy Analysis in TOS 19-1
- Details
- Category: SecureTrack
What is Policy Analysis?
For a long time SecureTrack has offered Policy Analysis to check the path a packet takes through the topology. Besides the corresponding firewalls and routers, it also shows whether the packet is allowed to pass. Queries can be saved and run later, so many queries can be configured and run when needed, e.g. after a change in the topology. As shown below, queries as well as results are quite easy to understand.
Policy Analysis in TOS 19-1 - upgrade
When upgrading to TOS 19-1, Policy Analysis is still there and can be used. Additionally, the "Interactive Map" now allows saving queries.
Policy Analysis in TOS 19-1 - new installation
When TOS 19-1 is newly installed rather than upgraded, Policy Analysis can't be found in the menu any more. This indicates that Tufin is going to remove Policy Analysis and move its functionality to the "Interactive Map". If Policy Analysis is needed in a new installation of 19-1, it can be activated via stconf:
- Using the WebUI
Log in to SecureTrack and open https://<IP_of_ST>/stcgitest.htm
There you find the section Configuration > Edit StConf > Fetch Current Conf
When clicking the button, the configuration is shown. Scroll down to the line that contains <show_legacy_pa>
Change <show_legacy_pa>0</show_legacy_pa> to <show_legacy_pa>1</show_legacy_pa>
and don't forget to press the button "Submit New Conf"
When you log in again, the menu shows Policy Analysis as wanted.
Even if you can use Policy Analysis in 19-1, please be aware that this feature will probably be removed in one of the next versions.
Currently there is no known way to migrate queries of Policy Analysis to queries of the Interactive Map.
If you know a way, please send me a note - thanks.
Connect SecureChange to SecureTrack
- Details
- Category: SecureChange
When configuring Tufin SecureChange, the corresponding SecureTrack server needs to be connected to the SecureChange server.
So in a first step an administrative user is configured in SecureTrack. This user is used later for the authentication of SecureChange at SecureTrack.
- Hint:
Don't use reserved words like "Securechange" as the user name. Such a user won't be able to authenticate.
Once the user for SecureChange is configured, test it by logging in via the WebUI. If this works, SecureChange will be able to authenticate as well.
- Hint:
SecureChange authenticates at SecureTrack as a machine account with user name and password; using a certificate is currently not possible.
So use a very strong, generated password for this purpose that is kept in a password safe and not known to any person.
The next step is to log in at SecureChange with permission to configure "Settings". In the menu select "SecureTrack".
The following information needs to be provided if SecureTrack isn't running on the same system as SecureChange:
- (1) Select "Remote host" and provide the IP address of SecureTrack that SecureChange will connect to.
- (2) Provide user name and password as configured in SecureTrack.
- (3) Optional: "Show link to SecureTrack" - sometimes useful for admins, but maybe confusing for end users working with SecureChange. If selected, the IP address configured in (1) will be linked here.
- (4) "Internal IP of SecureChange server": fill in the IP address SecureTrack uses for connections to SecureChange. This IP address will also be used in the link to SecureChange shown on the login screen of SecureTrack.
For (1) as well as (4) a host name can be configured instead, but this name needs to be resolvable via DNS (by SecureChange for (1), by SecureTrack for (4)).
When the configuration is complete, try the button "Test connection" at the bottom right of the page. This tests the connection and delivers a result: an authentication error occurred, the connection couldn't be established, or the connection is ok. In the last case, press "Save" and the task is finished.
- Hint:
The test checks not only the connection from SecureChange to SecureTrack, but also the one from SecureTrack to SecureChange. So it may happen that you can connect from SecureChange to SecureTrack on 443/tcp and the WebUI still reports a connection error, because the back connection from SecureTrack to SecureChange isn't possible. In this case the error message may point to other reasons, so it's useful to check the back connection (e.g. the firewall rules between the two servers) as well.
Connecting SecureChange to SecureTrack is essential, since the license is held in SecureTrack. Besides this, SecureChange uses features of SecureTrack such as Zones and the USP as well as the Topology.
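A small probe for the hint above, as an added example that is not part of the original post or of Tufin's tooling: run it on the SecureChange host against the SecureTrack address, then on the SecureTrack host against the SecureChange address, so that both directions are checked before the WebUI test. It assumes HTTPS on 443/tcp, an installed curl, and that the SecureTrack REST endpoint /securetrack/api/devices accepts the SecureTrack user via HTTP basic auth; the mapping of curl results to the three outcomes the article lists is this example's own.

```shell
#!/bin/sh
# Added example, not Tufin code: probe the link in both directions before
# pressing "Test connection". Run it on the SecureChange host against the
# SecureTrack address, then on the SecureTrack host against the SecureChange
# address; the WebUI test fails if either direction is blocked. Assumptions:
# HTTPS on 443/tcp, curl is installed, and the SecureTrack REST endpoint
# /securetrack/api/devices accepts the SecureTrack user via HTTP basic auth
# (a read-only call, used only to exercise the credentials).
set -eu

# Map curl's exit status ($1) and the HTTP status it saw ($2) to the three
# results the article lists: connection error, authentication error, ok.
classify() {
    case "$1" in
        0) ;;
        6|7|28) echo "connection error (dns/connect/timeout)"; return 0 ;;
        35|60)  echo "connection error (tls handshake/certificate)"; return 0 ;;
        *)      echo "connection error (curl exit $1)"; return 0 ;;
    esac
    case "$2" in
        401|403) echo "authentication error" ;;
        2*|3*)   echo "ok" ;;
        *)       echo "unexpected http status $2" ;;
    esac
}

# Probe host $1; with $2 = user:password the REST endpoint is used, otherwise
# only the HTTPS front door. -k is used because an appliance often still runs
# the self-signed certificate it shipped with; replace it with --cacert once
# you have installed your own certificate.
probe() {
    host=$1; cred=${2:-}
    url="https://$host/${cred:+securetrack/api/devices}"
    set +e
    code=$(curl -sk --connect-timeout 5 -o /dev/null -w '%{http_code}' \
           ${cred:+-u "$cred"} "$url")
    rc=$?
    set -e
    classify "$rc" "$code"
}

# usage: sh probe.sh <peer address> [user:password]
if [ $# -ge 1 ]; then
    echo "$1: $(probe "$@")"
fi
```

If the probe from SecureChange reports "ok" while the WebUI still shows a connection error, the back direction is the first thing to check, as the hint says.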