www.tufin.club

When F5 devices are monitored with Tufin SecureTrack, every part of the configuration can be found here (except ACLs).
It might happen that in SecureTrack > Menu > Settings > Administration > Status the status sign is yellow, stating "Error: Wrong arguments". At the first glance, there seems to be a problem regarding authentication or version of F5. But this isn't necessarily so complicated.

Looking at the Client Log in /var/log/st for example this information can be found:

FAULT: 14713 20191221 08:24:06.041 what() -> Error occurred when pulling configuration from the device: Wrong arguments
"send_error "\n$expect_out(buffer)\n""
send_error "\nsent username\n"
send_error "\nsent username\n"
11255 20191221 08:24:05.030 Error occurred when pulling configuration from the device: Wrong arguments
FAULT: 11255 20191221 08:24:05.031 what() -> Error occurred when pulling configuration from the device: Wrong arguments

If you find the error mentioned above, just check the connection. Even if it isn't obvious, a connection time out might have occurred.
"Wrong arguments" is also displayed if there is no ssh connection possible between SecureTrack Server and F5.

 

 

 

When upgrading Check Point Management, MDS or CMA from R77.x to R80.x it seems quite easy to upgrade it in SecureTrack, too. Just go to Menu > Settings > Monitoring and select the device that has been upgraded. The Menu on the right side shows the option "Upgrade to R80", you select it and provide the credentials for the API user at the Check Point Management. After that, the device monitoring has been changed to R80 and everything runs fine.

 

Problem

What happens if "st stat" or Menu > Admininstration > Status shows an error:

myDevice        10.1.1.1  14   CMA  1001   valid        Error: Upgrade device to R80 in Settings > Manage Devices > Monitored Devices

The situation seems a little bit confusing - the upgrade has been done in Check Point as well as Tufin SecureTrack, but the status shows an error as if the Management Server has not been upgraded in SecureTrack.

 

Reason for this error

The reason for this error is a change of the management type in the data base - and the change has not taken place in the data base. This is not the "normal way", but it might happen that the change is not recognized in SecureTrack. The differences are:

SmartCenter R77.x is referred as cp_smrt_cntr
SmartCenter R80.x is referred as cp_smc_r80plus

CMA R77.x is referred as cp_cma
CMA R80.x is referred as cp_domain_r80plus

 

Solution

First - as every time you work on the data base: Perform a backup (!)
For a Check Point CMA the necessary next procedure looks like this:

  • Check the ID of the device using "st stat". This example uses the Management ID 14
  • Check the current status of the device:
    [root@TufinOS]# psql -Upostgres securetrack -xc "select cp_type from managements where management_id=14"
    -[ RECORD 1 ]---
    cp_type | cp_cma
    [root@TufinOS ~]
  • Update the variable in the data base and re-check the status
    [root@TufinOS ~]# psql -Upostgres securetrack -xc "update managements set cp_type='cp_domain_r80plus' where management_id=14"
    UPDATE 1
    [root@TufinOS ~]# psql -Upostgres securetrack -xc "select cp_type from managements where management_id=14"
    -[ RECORD 1 ]--------------
    cp_type | cp_domain_r80plus
    [root@TufinOS ~]
  • Restart the monitored device
    [root@TufinOS~]# st restart 14
    Stopping SecureTrack process for server myDevice - 10.1.1.1 (Id: 14)
    SecureTrack process stopped for server 10.1.1.1 (Id: 14)
    SecureTrack for myDevice - 10.1.1.1 (Id: 14) was started successfully
    [root@TufinOS ~]

 

After some seconds the status should have been changed - this can be checked either "st stat" or the WebUI.
The error shown above should not be shown any more. If other errors are shown, you need to continue troubleshooting. Maybe these links help:
https://www.tufin.club/index.php/24-securetrack/52-check-point-api-client-error
https://www.tufin.club/index.php/24-securetrack/73-check-point-api-client-error-part-2

 

 

 

 

If TOS is configured to run as a cluster, a Virtual Cluster IP (VIP) is used for communication with SecureTrack and/or SecureChange server. Besides this, further interfaces are needed to configure a cluster, e.g. for Heartbeat. If the network interface of the Heartbeat is down, the cluster will do a failover. At first glance, this isn't a problem because users can still work using the VIP. But, for bringing TOS back to cluster mode with data replication, a maintenance window is recommended. The database sync takes some time and during this time the VIP is unreachable.

So if a cluster member is e.g. moved from one switch to another, a failover occurs. If this isn't wanted, the failure detection can be (temporarily) disabled by typing the command on the active member:

# hactl --pause-auto-failover

Run the command hactl status on both nodes after a few minutes and make sure the status shown is "unmanaged"
Then, replace the switch. If done so and having connected all cables on the active cluster member run the command:

# hactl --resume-auto-failover

After some (short) time, the status should be checked again using hactl status. It should be normal again, showing correct distribution of active / standby member as before.

 

 

 

In September 2019 Tufin has released TufinOS 2.19. This version is available for download now in the Tufin Portal (authentication required). TufinOS 2.19 is available as upgrade package only. So if you need to set up a new system, installing TufinOS 2.18 from ISO or USB is necessary befor upgrading to 2.19.

New features and updates of TufinOS 2.19 are:

  • Update of 29 RPMs based on the latest version of CentOS 6.10
  • Update of PostgreSQL to version 9.4.23

Please be aware that only TufinOS 2.19 is supported by Tufin now, i.e. older versions will also get no security related updates.

An updated description how to upgrade TufinOS in HA environments is available in the Tufin Portal.

 

 

 

Many thanks to Tufin for nominating us at Tufinnovate EMEA 2019 in Lisbon. We are proud to be awarded to be

  2018 EMEA Service Provider of the Year

So about one year after becoming the first Tufin Service Delivery Partner in Central Europe, it's an honor for us to be awarded with this price.

Award Ceremony Tufinnovate 2019, Lisbon - Portugal, 11.09.2019
From left to right:
- Ruvi Kitov, CEO and Co-Founder Tufin Technologies
- Kevin Raff, IT Security Consultant AERAsec
- Dr. Matthias Leu, CEO and Founder AERAsec
- Mike Menegay, VP of Global Channels Tufin Technologies
- Remko Postma, Director of Channels EMEA Tufin Technologies

 

 

 

Tufin has released R19-2, the second version of the Tufin Orchestration Suite in 2019. TOS 19-2 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • SecureChange
    Enhancements for the "Clone Server Policy" Workflow. They include zero-touch automation for Designer, Policy Update and Commit Policy Changes for all supported devices. Addtionally, support for NSX-V has been added.
  • SecureChange
    The Desgner now can be configured to implement changes in Access Requests as before (optimized policy), but also to implement each Access Request in separate rules. On demnad, this can also be requested by users.
  • SecureChange
    The Workflow "Modify Group" supports now Check Point objects with dual stack (IPv4 / IPv6)
  • SecureTrack, SecureChange
    Support of Fortinet Web Filter allows more visibility on rules that have configured it. So auditing is improved. End-to-End change automation is possible for current and Next Generation Fortinet configurations.
  • SecureChange
    Support of Dual Stack Objects (IPv4/IPv6) in Modify Group Workflow for Check Point R80
  • SecureChange
    Requester Notifications can be sent to AD groups, not only to individuals

Security, Risk and Compliance

  • SecureTrack, SecureChange
    Updated NextGen Applications Library for Palo Alto.
  • SecureTrack
    Improved Troubleshooting using advanced path analysis queries that contain multiple IP addresses
  • SecureTrack, SecureChange
    Protection against CSRF (Cross-Site Request Forgery) attacks (not currently supported for Microsoft Internet Explorer 11)

 Devices and Platforms

  • SecureTrack
    Support of Cisco ACI regarding "Enhanced Visibility", "Enhanced Topology Modeling", and "Risk Assessment".
  • SecureTrack
    Support of Palo Alto Panorama High Availability
  • SecureTrack
    Suppport of Palo Alto Panoramy External Dynamic List (EDL) Support
  • SecureTrack
    Support of Palo Alto Fully Qualified Domain Names
  • SecureTrack, SecureApp
    Policy Browser allows mapping of SecureApp Connections to rules for Cisco FMC, Fortinet FortiManager, and Palo Alto Panorama in Advanced Mode
  • SecureTrack
    Support of Check Point CloudGuard for Azure
  • Support of new devices:
    • Cisco Firepower Management Center (FMC) 6.3
    • Cosco ASA 9.13 beta

REST API

  • Improvements for SecureTrack
    • Automatic onbording of Management Devices via API has been added for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA including import/update of virtual contexts
    • Adding / Updating of single or multiple devices is possible now for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA including import/update of virtual contexts
  • Improvements for SecureTrack/SecureChange
    • Support for Palo Alto Panorama External Dynamic List (EDL) data has been added
  • Improvements for SecureChange
    • The results for the Clone Server Policy can be retrieved via API
  • Improvements for SecureTrack/SecureChange/SecureApp
    • The serialization implementation for JSON is now complete for all SecureTrack, SecureChange and SecureApp REST APIs.

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com