- Category: SecureTrack
How to connect a Check Point Security Management Server (SMS, aka SmartCenter) R77.x to SecureTrack:
Prepare the Check Point SMS
It's recommended to define a Permission Profile for Tufin's access to the SMS and the logs. If there is only SecureTrack and no provisioning by SecureChange is wanted, a Read-Only Profile is sufficient. To define it, go in the SmartDashboard Menu to Manage > Permission Profiles and define a Read-Only profile.
Next, an object of the type Host Node is needed representing the System Tufin SecureTrack is running on. This is necessary because the IP address is needed later when the OPSEC Application is defined. To define it, go to Manage > Network Objects > New > Host Node.
To initiate the Secure Internal Communication (SIC), defining an OPSEC Application is necessary. To do so, open Manage > Servers and OPSEC Applications and define a new one. Necessary protocols are LEA (Log Export API) to have access to logs as well as CPMI (Check Point Management Interface) to have access to the objects and rules.
It's necessary to configure the permissions of Tufin SecureTrack within Check Point. For CPMI as well as for LEA the Permission Profile defined earlier should be selected. You are free to allow further access, but it's not necessary if the use of only SecureTrack is planned.
After these steps, the SIC should be initiated by setting an Activation Key. This is a One-Time Password for authenticating Tufin SecureTrack at the SMS. When this authentication is successful, a newly generated certificate is transferred to SecureTrack. From then on, authentication is based on this certificate. The communication is encrypted in the same way as between the Check Point components themselves, e.g. SMS and Firewall Module.
When the password is typed twice, the button Initialize finishes this part of the configuration.
Please don't forget to make this newly generated certificate available by installing the Database. This is done by Menu > Policy > Install Database. If you forget to install the database on the SMS, the connection to SecureTrack won't work.
Prepare the Check Point Rulebase
If there is a Firewall between Tufin SecureTrack and Check Point SMS, a rule must allow the necessary access. Besides the access using LEA and CPMI, further connections are needed, e.g. for Certificate Management:
Connection to SMS for authenticating using the one-time password and for retrieving the certificate
Connection needed to access the CRL running on the SMS to check if the certificate presented by the SMS is valid
Connection from SecureTrack to SMS / Logserver to retrieve log data (statistics) and Audit log data (recognition of actions done by administrators)
Connection from SecureTrack to SMS with a CPMI client to retrieve the latest revision
So a rule needs to be configured. This is necessary if any firewall is between SecureTrack and SMS. When a Check Point Firewall is in between, the rule could look like this:
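Independently of how the rule is written, the four connections listed above can be verified from the SecureTrack host before the wizard is run, which saves a failed SIC initialization later. The following checker is an added example, not part of the original post or of Tufin's software. It assumes the default Check Point service ports (FW1_ica_pull 18210/tcp, FW1_ica_services 18264/tcp, FW1_lea 18184/tcp, FW1_cpmi 18190/tcp); these are configurable on the SMS and should be confirmed against its service definitions.

```python
import socket
from typing import Callable, Dict, List

# Default TCP ports of the Check Point services behind the four connections listed
# above. Assumption: the SMS uses the standard service definitions; adjust here if
# the ports were changed on the SMS.
REQUIRED_SERVICES: Dict[str, int] = {
    "FW1_ica_pull (certificate retrieval after one-time-password authentication)": 18210,
    "FW1_ica_services (CRL lookup to validate the certificate presented by the SMS)": 18264,
    "FW1_lea (log export for usage statistics and audit log)": 18184,
    "FW1_cpmi (object and rule retrieval by the CPMI client)": 18190,
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_sms_access(host: str,
                     probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe every required service on the SMS; probe is injectable for offline tests."""
    return {service: probe(host, port) for service, port in REQUIRED_SERVICES.items()}


def blocked_services(results: Dict[str, bool]) -> List[str]:
    """Names of the services that did not accept a connection (firewall rule missing,
    or the service is not running on the SMS)."""
    return [service for service, ok in results.items() if not ok]


if __name__ == "__main__":
    import sys
    # Placeholder address; pass the real SMS address as the first argument.
    sms = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_sms_access(sms)
    for service, ok in results.items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {service}")
    sys.exit(1 if blocked_services(results) else 0)
```

If a dedicated Log Server is used instead of the SMS for log export, run the check a second time against that host; only the FW1_lea entry matters there. A service reported as BLOCKED either is not permitted by the intermediate firewall or is not listening on the SMS, so check the firewall log first and the SMS processes second.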
Configure Check Point SMS in Tufin SecureTrack
The Check Point SMS needs to be defined in SecureTrack so the configuration can be monitored. To do so, some steps are necessary. First, connect to Tufin SecureTrack with administrative rights using a web browser over HTTPS (443/tcp). The default configuration does not redirect an HTTP request on port 80/tcp to the correct port.
In the Menu go to Settings > Monitoring > Manage Devices. On the left pane all monitored devices are listed. On the right side a new device can be defined. Here, select Check Point SmartCenter.
After this selection a wizard starts, asking for several configuration options in five steps.
The Device Type can't be changed here since this option has been selected before. The other options are:
- Name for Display
Name shown in SecureTrack for this device
If SecureTrack is configured to use Domains, the corresponding Domain can be selected there. Please be aware that using this option clearly separates all data.
- Get revisions from <IP> or <Offline File>
If the SMS is monitored live, the IP Address of the SMS is provided here. If there is no direct access, configuration data can be imported. Please be aware that this option requires a license as well, even if the changes are not monitored.
- Usage Analysis
Here it's selected which data are collected. Especially when "Rule and Object Usage" reports are required, the first two options need to be selected. Besides this, it's recommended to enable the Topology. In this case, all functions that require Topology are available (e.g. Policy Analysis, Zones, Compliance Rules...).
The next step is to authenticate using the One-Time Password and to retrieve the certificate used from then on to authenticate.
It's necessary to provide the name of the OPSEC Application configured in Check Point SmartDashboard. The Activation Key is the One-Time Password provided during configuration in Check Point SMS.
In many cases the next windows can be kept using "default" for the OPSEC settings.
If there were changes configured in $CPDIR/conf/sic_policy.conf they can be considered here. It's all about authentication used for LEA and CPMI. All relevant Check Point options can be selected, so a successful authenticated connection from Tufin SecureTrack to Check Point SMS is possible.
In some cases the configuration for the timing of monitoring needs to be adjusted.
As in many cases, the default setting is fine when the globally configured timing is sufficient.
Finally, the configured connection should be tested. If this is ok, the button Save finalizes the configuration.
Monitoring the Check Point SMS
The status of monitoring the SMS can be checked using Menu > Settings > Administration > Status. Depending on the connection and the load on the Check Point SMS the status will remain some time in "Starting" and "Yellow". When it has changed to "Green" the SMS is shown under Menu > Compare also in green and after a short time the first revision will show up.
- Category: SecureTrack
Let's imagine the following situation:
Tufin SecureTrack is licensed for 2 Firewall Clusters which are centrally managed by one Check Point Security Management Server (resulting in a single SecureTrack ID).
Reports for e.g. Rule and Object Usage deliver results for one Firewall Cluster only. Reports on the second Cluster don't contain any data.
This is unexpected, and connectivity between the Log Server and SecureTrack cannot be the cause: logs for this cluster exist and are shown in Check Point's own tools. So log data are there, but SecureTrack doesn't deliver any report.
The cause was a missing license! In our case only one FW-license was attached to the first Firewall Cluster, but none to the second one. So the Firewall Cluster not delivering reports wasn't fully licensed and therefore no reports were generated. After (re-)attaching the license, reports deliver results for both Firewall Clusters - as expected.
- Category: Version update
Tufin delivers new versions quite often. If you are working with TOS and all your requirements are fulfilled - fine. But sometimes an upgrade is recommended, e.g. if there are new features you want or support is needed. It's quite certain that Tufin Support will recommend an upgrade if you have a problem with a very old version.
Upgrades can't always be done in place. Especially when upgrading TufinOS from version 1.x to 2.x, a fresh install of the OS is needed.
We do upgrades mostly running in virtualized environments. Using Snapshots it's easy to restore the older version if something went wrong.
The upgrade path
Example: Starting with TufinOS 1.1x and TSS 6.1.
To upgrade from version 6.x to R16-1 these steps are recommended:
- Upgrade to version R12-6
- Upgrade to TufinOS 1.17 (if not done before)
- Upgrade to version R13-3 GA
- Upgrade to version R14-1 GA
- Upgrade to version R14-3 GA
- Install TufinOS 2.11 and R14-3 GA. Then migrate the configuration to this version using backup/restore.
  If an upgrade of TufinOS isn't possible, upgrade to PSQL version 9.
- Upgrade to R15-1 GA
- Upgrade to TufinOS 1.21 - only needed if TufinOS 1.x is still in use
- Upgrade to R15-3 GA (direct upgrade to R16-1 is possible)
- Upgrade to R15-4 GA
- Upgrade to R16-1 GA
This procedure has been proven and should work in many situations.
- Category: Uncategorised
Tufin has published their new User Center and Partner Center. A new design and a new structure of content give an excellent overview and much information. Be sure to visit https://portal.tufin.com - a new password might be required.
New information provided includes e.g. the Tufin Products Life Cycle Policy.
https://portal.tufin.com/aspx/ProductsLifeCyclePolicy (Authentication required)
Supported Versions including New Hotfix Support and Patches:
16-1, 15-4, 15-3, and 15-2
All other versions are EOL and don't get any more support
Supported Version including New Critical Security Updates Support:
2.11 and 1.21
All other versions are EOL and don't get any more support
Regarding Appliances: All current Appliances (T510, T1100, T1100XL) are fully supported. Older models such as T80, T500, T1000, and T1000XL cannot be ordered any more. The five years of the Advanced Replacement Program are guaranteed - but no extension beyond that is possible.
- Category: TufinOS
On May 3rd, the OpenSSL project team announced the release of OpenSSL v1.0.2h and 1.0.1t, respectively. These versions address several vulnerabilities.
One of the most severe is the OpenSSL Memory Corruption Vulnerability (CVE-2016-2108), which also affects TufinOS (as well as many other Linux distributions).
If you run Tufin TOS under Red Hat Enterprise Linux or CentOS, please download updated packages and install them on your system.
Tufin is working on a patch for the OpenSSL Memory Corruption Vulnerability. Patches for TufinOS 2.11 and TufinOS 1.22 are scheduled for the week of May 16th, so an update will be possible next week. If you don't run the latest version, an upgrade might be necessary before installing the patch.
19.05.2016 - Update:
The patch for TufinOS 2.11 is available now: https://portal.tufin.com/Doc/Default.aspx?id=1208 (Authentication necessary)
For TufinOS 1.22 the patch will be published after Red Hat has published a patch for RHEL 5.
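To verify on a TOS host whether the installed OpenSSL is affected, the version banner alone is not enough: Red Hat and CentOS backport fixes into packages whose banner still reads e.g. "OpenSSL 1.0.1e-fips", so the CVE id in the RPM changelog is the decisive signal there. The script below is an added example, not part of the original post or of Tufin's tooling. It compares the banner against the fixed upstream releases named above (1.0.2h, 1.0.1t) and consults the changelog of the openssl RPM; the changelog line used in the test is constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Upstream releases that fix CVE-2016-2108 (OpenSSL release of 3 May 2016, as in the
# post): branch -> first fixed release of that branch.
FIXED_UPSTREAM = {"1.0.2": "1.0.2h", "1.0.1": "1.0.1t"}
CVE = "CVE-2016-2108"

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner: str) -> Tuple[str, str]:
    """Split 'OpenSSL 1.0.2g  1 Mar 2016' into branch '1.0.2' and patch letters 'g'."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letters = m.groups()
    return f"{major}.{minor}.{fix}", letters


def letters_key(letters: str) -> Tuple[int, str]:
    """Order OpenSSL 1.0.x patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    return (len(letters), letters)


def upstream_patched(banner: str) -> Optional[bool]:
    """True/False for branches covered by the advisory, None for any other branch."""
    branch, letters = parse_banner(banner)
    fixed = FIXED_UPSTREAM.get(branch)
    if fixed is None:
        return None
    return letters_key(letters) >= letters_key(fixed[len(branch):])


def assess(banner: str, rpm_changelog: str = "") -> str:
    """Combine the upstream version check with the distribution changelog.

    A backported fix leaves the banner unchanged, so the changelog is checked first;
    only then is the upstream letter comparison trusted.
    """
    if CVE in rpm_changelog:
        return "patched (distribution backport)"
    verdict = upstream_patched(banner)
    if verdict is True:
        return "patched (upstream release)"
    if verdict is False:
        return "unpatched"
    return "unknown (branch not covered by the advisory)"


def local_banner() -> str:
    """Output of 'openssl version' on this host."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout


def local_rpm_changelog() -> str:
    """Changelog of the installed openssl RPM; empty on systems without rpm."""
    try:
        return subprocess.run(["rpm", "-q", "--changelog", "openssl"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    print(assess(local_banner(), local_rpm_changelog()))
```

Run it as root or as any user on the TOS host; "unpatched" means the package must be updated (on RHEL/CentOS via the distribution's updated packages, on TufinOS via the Tufin patch named above), while "unknown" points at a branch outside the two covered here and should be checked manually.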
- Category: Version update
Parallel to the Check Point CPX in Nice, Tufin has released version 16-1 GA. By now, the first HF (hotfix) is available, too.
Please find some information about changes in this version below.
This version includes some improvements, e.g.:
- New Cloud Features for AWS, e.g. automated Connectivity Modeling for AWS Applications, policy based analysis of connections, connection discovery of applications and much more
- New Cloud Features for NSX, e.g. NSX Application Map
Changes regarding SecureTrack:
- Palo Alto: Support of rule tags, security profiles and log profiles
- Fortinet NAT: Support of VIP, IP Pool and Destination Interface NAT as far as the Gateway is managed by FortiManager
- Check Point: Full support of Check Point R77.30 Management
- Support of ASA 9.5
- Upgrade of HTTPD and JMS Server from TLSv1 to TLSv1.2
- Improvements regarding the Unified Security Policy (USP). Further requirements can be added now, e.g. Logging required, no ANY as Source, Destination, Service, etc.
- In Rule Base Optimization a rule can now be marked as "legacy". If SecureChange would recommend a change to this rule, the recommendation is ignored and a new rule is defined instead. This is for the optimization of "old and complex" rule bases.
- Improvements of the REST API, esp. regarding Authorization and Compare of rule bases.
Changes regarding SecureChange:
- The Designer has been improved, esp. when there are more than one Access Request in a ticket.
- Visual presentation of rules in the Designer
- The REST API now offers options for "Modify Group", exclusion of Devices and more. Please find an extended online documentation of the REST API in SecureChange now.
- Import of Access Requests is now possible for "Comment" and "Action" also
Changes regarding SecureApp:
- Introduction of a Connectivity Map for a graphical view of all connections affecting an application, regardless of involved devices.
- Improved support of AWS applications
- Improvements of the REST API, esp. for AWS
Further improvements and corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com