Tufin.club
Tufin Marketplace

Details
TOS classic
Last Updated: 17 July 2020

Tufin has launched the Tufin Marketplace.

Here you can find applications and scripts that extend the possibilities. Current options include, for example:

  • Change Automation
    Apps for "Vulnerability Mitigation", "Workflow Integrator" and "ServiceNow Integration"
  • Reporting Pack
    SecureTrack Reporting Essentials
  • Network Segmentation
    Apps for integration of EfficientIP SOLIDserver and Infoblox Grid Manager
  • SecOps / Incident Response
    Some apps for integration of products by e.g. Resilient, Splunk, Swimlane and others
  • Application Discovery
    Support of Cisco Tetration App Discovery

The list of apps offered will grow, so registering at and visiting the Tufin Marketplace may save time regarding development. Some apps are free, others need to be licensed.

Check Point API not working

Details
SecureTrack
Last Updated: 09 September 2021

Since Check Point R80, connecting Tufin SecureTrack to a Check Point Management using only OPSEC is no longer sufficient; an HTTPS connection to the Check Point Management API is also necessary. This might result in the scenario shown here.

Problem and Symptom

  • Monitoring the Check Point Management R80x has been configured successfully in SecureTrack i.e. connections using OPSEC and Management API are configured and certificates have been retrieved.
  • Testing the connectivity by SecureTrack has been successful
  • Starting the newly monitored Check Point Management has been successful, the icon is indicated with a green sign - so everything seems ok

BUT

  • no revisions are retrieved
  • in the file /var/log/st/checkpoint.get_checkpoint_conf_<IP>_<ID>.log the following messages are shown:
    [main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Device Version Mismatch : The Device Got Version mismatch returning device version for updating db
    [main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Server API version 1.5, Max supported API version 1.5, argument API version 1.1

Solution

Tufin SecureTrack seems to take the wrong version of the Check Point API. This isn't always the case, but it might happen. In this case, SecureTrack tries version 1.1, but the Check Point Server uses version 1.5. This needs to be adjusted, using these steps:

  • Check if the file /usr/local/st/javatools/config.properties is present
  • If not, create a new file using vi or another CLI editor and
  • insert this line:
    checkpoint.sdk.api_version=v1.5
    This defines the version SecureTrack shall take for monitoring Check Point Management R80.x.
    The version shown above is fine for the logs above, but if necessary take another (correct) version
  • Restart the monitoring of this device in SecureTrack by
    # st restart <ID>

Shortly after these steps, a revision should show up in SecureTrack.
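The check described above can be scripted. The following is an added example, not Tufin code: it reads the handleVersionMismatch message quoted in this article and derives the property line to set. It assumes the version to configure is the "Server API version" from the log, as in the article's case; the function names are illustrative.

```python
import re

# Pattern for the handleVersionMismatch message quoted in the article.
MISMATCH_RE = re.compile(
    r"Server API version (?P<server>\d+(?:\.\d+)*), "
    r"Max supported API version (?P<max>\d+(?:\.\d+)*), "
    r"argument API version (?P<arg>\d+(?:\.\d+)*)"
)
PROPERTY = "checkpoint.sdk.api_version"


def find_mismatch(log_text):
    """Return (server, max_supported, argument) of the last mismatch, or None."""
    found = None
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m and m.group("arg") != m.group("server"):
            found = (m.group("server"), m.group("max"), m.group("arg"))
    return found


def configured_version(properties_text):
    """Read checkpoint.sdk.api_version from config.properties content, or None."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == PROPERTY:
            value = val.strip()
    return value


def recommend(log_text, properties_text=""):
    """Return the property line to set, or None if nothing needs changing."""
    mismatch = find_mismatch(log_text)
    if mismatch is None:
        return None
    wanted = "v" + mismatch[0]  # assumption: follow the server's API version
    if configured_version(properties_text) == wanted:
        return None  # already configured; only the restart is still needed
    return "%s=%s" % (PROPERTY, wanted)


# The two log lines quoted in the article, used as sample input.
SAMPLE_LOG = """\
[main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Device Version Mismatch : The Device Got Version mismatch returning device version for updating db
[main::c.t.s.c.GetCheckpointConf.handleVersionMismatch] [user:] Server API version 1.5, Max supported API version 1.5, argument API version 1.1
"""
```
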

Tufin Orchestration Suite 20-1

Details
Version update
Last Updated: 15 May 2020

Tufin has released TOS R20-1, the first version of the Tufin Orchestration Suite in 2020. TOS 20-1 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • Improvement of Rule Modification Workflow
    This type of workflow was introduced with R19-3. That version allows creating tickets to change the Source and Destination of an existing rule. With R20-1, Services can now also be added / changed / removed from a rule.
    Supported devices are Check Point R80, Cisco ASA, Cisco FMC, Palo Alto Panorama, and Juniper SRX.
  • Enhancements in SecureApp User Permissions
    More flexibility for roles and permissions in SecureApp, e.g. configuration whether users are allowed to use Server Resources in their Application Connections. Besides this, Tufin has enhanced the Security Segmentation if Interconnected Domains are configured.

Devices and Platforms

  • Support of IPv6 in Topology
    SecureTrack Topology supports IPv6, i.e. it can be used in the Interactive Map for e.g. paths and traffic simulation.
    Supported are currently Cisco IOS-XR, Check Point R80, and Fortinet FortiManager in Advanced Mode.
  • Fortinet IPv6 automation in non-topology mode
    If Topology isn't used in SecureChange (requiring e.g. manual Target selection), IPv6 objects in SecureChange Access Requests can be used in automation. So change processes can be automated working with IPv4 as well as IPv6 objects.
  • Enhancements for Licensing page
    Some improvements have been implemented to deliver more clarity regarding available and bound licenses.
  • Cisco FMC Zones Support - Automation
    For Cisco Firepower Management Center (FMC) devices in non-topology mode specific zone-to-zone mapping can be chosen in SecureChange Access Requests. This can also be used in automated changes.
  • Cisco Firepower Rule and Object Usage
    The enhanced rule usage capabilities and features in SecureTrack can now be used for FMC devices, i.e. metadata for rules are calculated and shown in Policy Browser.
  • Palo Alto Panorama Dynamic Address Group (DAG) support with Tags
    The content of Dynamic Address Groups based on Panorama Tags can be shown in SecureTrack, improving visibility and traffic analysis (also in Topology).
  • Hashicorp Vault Support for Amazon AWS
    This option can be used to store Amazon AWS authentication credentials and to provide tight access control to the AWS. Instead of connecting directly to the AWS, SecureTrack can receive a token for authentication and communication with the AWS device.
  • Support of additional devices and versions
    • Check Point R80.40, supporting Check Point API version 1.5
    • Cisco Firepower Management Center (FMC) 6.5
    • Forcepoint SMC 6.5.10
    • F5 BIG IP 14.1
    • Palo Alto PanOS firewall version 9.1
    • Palo Alto Panorama version 9.0.4, 9.1
    • VMware NSX-V version 6.4.6

REST API

  • Management of Generic Interfaces, Generic Routes, and Generic VPN
    New API calls are available, supporting full functionality - e.g. get Generic Interface by ID, get Generic Interfaces for a device, get Generic Route by ID, get Generic Routes for a device, get Generic VPN by ID, get Generic VPNs for a device.
  • Management of Device Connections for Firewalls in Transparent Mode
    Managing L2 Firewalls is now integrated and possible using REST API.
  • Management of Ignored Interfaces
    It's possible to exclude selected Interfaces from SecureTrack Topology. They can now be managed using REST API.
  • Device Interfaces and Domains
    When working with Domains in SecureTrack, REST API can now be used to associate an interface of a device with a Domain ID.
  • Cloud Management
    The Interactive Map uses Clouds in some situations. Now the management of Joining Clouds can be done via REST API.
  • Enhancements of User Management
    Management of SecureChange and SecureApp users is enhanced when REST API is used, esp. management of Groups.
  • Rule Modification Workflow
    As shown above, Service can now be changed for a rule. This can also be done with REST API.
  • Ticket Search in SecureChange
    Pagination can now be used in REST API to shorten response time and to limit the amount of data returned by rule search APIs.

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Generic VPN

Details
SecureTrack
Last Updated: 16 March 2020

Sometimes it's necessary to improve SecureTrack Topology. Reasons might be islands in the topology, the integration of unsupported devices or devices that don't support every option, e.g. VPN. In this case configuring "generic" things helps to get the "real topology".

IMPORTANT - before doing steps mentioned below, be sure to have a current backup of your SecureTrack server!

Let's consider the situation that there is a supported device and a generic device - and that a VPN is needed between these two devices. In the first step the supported device and the generic device don't have any connection between them.

The problem is: There has been no VPN detected between the devices R80_lab and VPN_Router. So this VPN needs to be configured manually.
Before configuring anything, some data need to be collected:

  • Type of the VPN devices
    • m - the device is monitored by SecureTrack
    • g - the device is a generic device that has been added manually to topology
  • Device ID of the VPN device. They can be found out in these ways:
    • m - monitored device
      • from CLI issue "st stat" and find the device in the list, e.g.
        MANAGEMENT          IP              ID    TYPE                  PID   LICENSE        STATUS
        R80_lab             10.0.0.1        285   SmartCenter       10917     valid         Connected
        In this case, the device ID is 285
      • from WebUI > Menu > Compare
        find the device in the left tree and press t to get the device ID
    • g - generic device
      • from data base directly, using CLI:
        [root@TufinOS ~]# psql securetrack -Upostgres -c "select * from topology_generic_devices"
         id | customer_id |       name
        ----+-------------+------------------
          4 |           1 | CP-Remote
         14 |           1 | VPN_Router
        (2 rows)
        [root@TufinOS ~]#
        In this example, the device ID is 14
  • Name of the interface where the VPN is configured on this device
  • Source IP address of the tunnel (not necessarily the IP address of the interface)
  • Destination IP address of the tunnel (not necessarily the IP address of the interface)
  • Name of the VPN (any name can be chosen)

After having collected all information, the generic VPN can be configured via WebUI:
https://<IP_SecureTrack>/tools

The next step is to fill in the parameters collected above. This example configures a VPN between a monitored device and a generic device for both directions.
Syntax: <device_type>,<device_id>,<interface_name>,<tunnel_source_ip>,<tunnel_destination_ip>,<vpn_name>
No spaces are allowed between the entries.

Configuring a VPN in both directions using these parameters

  • Device 1 is monitored by SecureTrack, ID 285, VPN uses Interface eth2, Source IP 10.3.62.227, Destination IP 112.12.12.12, name is MyVPN
  • Device 2 is a generic device, ID 14, VPN uses Interface interface1, Source IP 112.12.12.12, Destination IP 10.3.62.227, name is MyVPN

results in these two lines that need to be filled in:

m,285,eth2,10.3.62.227,112.12.12.12,MyVPN
g,14,interface1,112.12.12.12,10.3.62.227,MyVPN

 

It's possible to have many lines at once, so different generic VPNs can be configured simultaneously. Once all data are entered, the configuration is saved by pressing the "Submit" button.
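Because the form takes free text, it helps to check the lines before submitting them. The following is an added example, not part of SecureTrack: it validates lines against the syntax given above. The check that every tunnel has an entry for the reverse direction is an added lint based on the two-direction example in this article, and accepting IPv6 addresses is an assumption.

```python
import ipaddress

FIELDS = ("device_type", "device_id", "interface_name",
          "tunnel_source_ip", "tunnel_destination_ip", "vpn_name")


def parse_line(line):
    """Parse one generic VPN line; raise ValueError naming the first problem."""
    parts = line.split(",")
    if len(parts) != len(FIELDS) or not all(parts):
        raise ValueError("expected %d non-empty comma-separated entries" % len(FIELDS))
    if any(p != p.strip() for p in parts):
        raise ValueError("spaces are not allowed between the entries")
    entry = dict(zip(FIELDS, parts))
    if entry["device_type"] not in ("m", "g"):
        raise ValueError("device_type must be m (monitored) or g (generic)")
    if not entry["device_id"].isdigit():
        raise ValueError("device_id must be a number")
    for key in ("tunnel_source_ip", "tunnel_destination_ip"):
        entry[key] = str(ipaddress.ip_address(entry[key]))  # ValueError if invalid
    return entry


def check_block(text):
    """Return (entries, problems) for a block of lines as entered in the form."""
    entries, problems = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as err:
            problems.append("line %d: %s" % (number, err))
    # Added lint (assumption): each tunnel end should have a mirrored entry.
    ends = {(e["vpn_name"], e["tunnel_source_ip"], e["tunnel_destination_ip"])
            for e in entries}
    for name, src, dst in sorted(ends):
        if (name, dst, src) not in ends:
            problems.append("%s: no reverse entry for %s -> %s" % (name, src, dst))
    return entries, problems


# The two lines from the article's example.
EXAMPLE = (
    "m,285,eth2,10.3.62.227,112.12.12.12,MyVPN\n"
    "g,14,interface1,112.12.12.12,10.3.62.227,MyVPN\n"
)
```
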

The next step is to synchronize the topology to get this new information into it. After this, a refresh is necessary so the new topology is displayed.

The VPN is also "used" in the Topology, as can be seen in a path.

 

To get an overview of generic VPN configured, it's necessary to use a data base query via CLI:

[root@TufinOS ~]# psql securetrack -Upostgres -c "select * from topology_generic_vpn_connections"
 id | is_generic | device_id | interface_name | tunnel_source_ip_addr | tunnel_dest_ip_addr | vpn_name
----+------------+-----------+----------------+-----------------------+---------------------+----------
  9 | f          |       285 | eth2           | 10.3.62.227           | 112.12.12.12        | MyVPN
 10 | t          |        14 | interface1     | 112.12.12.12          | 10.3.62.227         | MyVPN
(2 rows)
[root@TufinOS ~]#

To delete a generic VPN, the ID of the VPN is needed. The command to remove the VPN is (example for id 10):

[root@TufinOS ~]# psql securetrack -Upostgres -c "delete from topology_generic_vpn_connections where id=10"
DELETE 1
[root@TufinOS ~]#

Issuing the query shown above again will show that only the VPN with the ID 9 is left.

TufinOS 2.21 available

Details
TufinOS
Last Updated: 24 February 2020

In February 2020 Tufin released TufinOS 2.21. This version is now available for download in the Tufin Portal (authentication required). TufinOS 2.21 is available as an upgrade package only (tufinos-update-2.21-1395.run.tgz). So if you need to set up a new system, installing TufinOS 2.18 from ISO or USB is necessary before upgrading to 2.21.

New features and updates of TufinOS 2.21 are (e.g.):

 

  • PostgreSQL 11 (11.6-1PGDG.rhel6) has been added
  • ncdu and tmux rpms from EPEL have been added
  • Updated RAID driver for ASR-8805 to version 1.2.1.58012 (GEN-3.5)
  • Updated Microsemi Adaptec ARCCONF Command Line Utility to version 3.03.23668 (GEN-3.5)
  • Updated PostgreSQL 9.4 to version 9.4.25-1PGDG.rhel6
  • Updated PHP to version 5.6.40-1.w6
  • Additionally 35 RPMs based on the latest version of CentOS 2.19 have been updated

 

Please be aware that only TufinOS 2.19 and 2.21 are supported by Tufin now, i.e. older versions will also get no security related updates.
Additional information about Security Fixes included in TufinOS 2.21 is available. When hardening TufinOS, please follow the hints given by Tufin.

 

Important hint:
Be sure that your TOS version is compatible with the new release of PostgreSQL! You should check it in Tufin Knowledge Center before trying to upgrade.

Installing the PS Library

Details
SecureTrack
Last Updated: 02 May 2020

Besides standard functionality, Tufin offers extra tools like "Reporting Pack". This requires a special library, called PS Scripts. First of all, you need to download the file from the Tufin Portal (authentication required):

  • PS Script 5.5.7 (for Reporting Tool) Setup
    (credentials for access to SecureTrack and SecureChange are requested)

After having downloaded this file, it's necessary to install the package - and please remember to create a backup of your Tufin Server before doing so!
Then install the library (as root or with sudo on e.g. SecureTrack Server for Reporting Pack):

     # /bin/sh setup_tufin_ps_scripts-5.5.7.run -W

Be sure not to forget the "-W" (upper case) when installing the library. Credentials needed are "Super Admin" for SecureTrack and "Security Administrator" for SecureChange.
To check a successful installation of the library, run the command

     # ls /opt/tufin/securitysuite/ps/conf/WEB_ENABLED

If this file exists, everything is fine. You can also check if the service is running using the command

     # /etc/init.d/tufin-ps-web status

The service should be running. If not, you may try to start it via CLI.
To check the version of the library, use

     # cat /opt/tufin/securitysuite/ps/PS-version

Logs are stored in the directory /var/log/ps/Tufin_PS_Logger.log.

If all work is done, you can install Reporting Pack or use the library for Tufin PS or your own scripts.
