www.tufin.club
Tufin Orchestration Suite 18-1
- Details
- Category: Version update
Tufin has released the first version of the Tufin Orchestration Suite in 2018: R18-1. TOS 18-1 is available as GA now, delivering some improvements, e.g.
Cloud
- SecureTrack
Support of AWS AssumeRole as part of the AWS Security Token Service - SecureTrack
Support of the latest Microsoft Azure SDK 1.2.0
Security Policy Change Automation and Orchestration
- SecureTrack, SecureChange
Rule Recertification Automation by a specific workflow - SecureTrack, SecureChange
Cisco Firepower Automation (including Target Suggestion, Risk Analysis, Designer and Verifier) - SecureChange
New Workflow Customization Triggers (e.g. when Automatic Step fails, Pre-Assignment Script) - SecureChange
Enhancements for Manual Target Selection - SecureTrack, SecureChange
Stealth Rule is considered now by Designer
Security, Risk, and Compliance
- SecureTrack
Automatic Policy Generator (APG) for Palo Alto Panorama and Fortinet FortiManager
Devices and Platforms
- SecureTrack
Dynamic Routing Support for Palo Alto and Fortinet - SecureTrack, SecureChange
Extended Generic NAT for Palo Alto - SecureTrack, SecureChange
Topology Support for Cisco Firepower - Support of new devices
- Fortinet FortiManager 5.4.4
- Fortinet FortiGate 5.2.11
- F5 13.0
- Cisco Security Manager 4.15
- Cisco Firepower 6.2.3
- Microsoft Azure SDK 1.2.0
REST API
- Improvements for SecureTrack
- Parameter show_members for Network Object APIs
- Network Topology APIs for NSX
- Retrieve Total Available Records
- Offline Device APIs
- Improvements for SecureChange
- new Tickets API - Confirm
Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
Interactive Map doesn't allow search for protocol:port ?
- Details
- Category: SecureChange
The Interactive Map of Tufin SecureTrack allows to find a Path from A to B combined with a service / protocol / application.
This has the advantage that matching rules of firewalls involved are shown also.
Using earlier versions, it was very easy to select a specific service, e.g. tcp:8080
This is still stated in the (i), but when a newer version is used, the Button "Find Path" is still greyed out when some information is provided in the "Service" field.
So it seems that a search isn't possible...
Tufin has changed the use of this field, so please be sure to type "protocol:port" as needed and press <return> afterwards.
Only then the configured Service is taken by the system - and therefore only then a search in the Interactive Map is possible.
Time in SecureTrack Reports isn't correct
- Details
- Category: SecureTrack
It's quite a good feature that reports in SecureTrack can be generated automatically and sent by E-Mail to recipients.
Sometimes the time mentioned in the reports seems to be wrong, even if following time settings are correct and all the same:
- PC of the user
- SecureTrack Server
- Monitored Device reported on
Even if all these time settings are ok, it might happen that e.g. the report is sent at 16:40 while the time in the report itself shows 17:40.
The reason for this behaviour is that PostgreSQL has another time zone configured. By default the time zone in TufinOS is "Israel".
This can be changed using these steps:
Stop services
- # service crond stop
- # service tufin-jobs stop
- # service jms stop
- # service postgresql-9.4 stop
Edit configuration file
- Backup and edit the file /var/lib/pgsql/9.4/data/postgresql.conf
find the settings for
log_timezone ='Israel'
timezone = 'Israel'
and change them to your time zone, e.g. 'UTC' or 'Europe/Berlin' (the timezone needs to be listed in /usr/share/zoneinfo)
Start services
- # service postgresql-9.4 start
- # service jms start
- # service tufin-jobs start
- # service crond start
- # service tomcat restart
After the services are started again in the correct order, the time used in reports should be correct. Restarting tomcat is necessary because otherwise the time of ticket creation in SecureChange isn't correct.
Hint: If the postresql service doesn't start, check the correct spelling of the time zone configured.
Sudden logout from SecureTrack WebUI
- Details
- Category: SecureTrack
Working with SecureTrack mainly means to work with a Browser connected to the SecureTrack Server. If nothing is done, an automatic logout is initiated by the system. The time untli this logout happens, can be configured.
Sometimes a logout from the WebUI happens while the administrator works. This should not happen and seems to be a "feature" of versions up to and including 17-2.
With 17-3 and subsequent versions Tufin has changed the authentication method to Keycloak. These versions don't show this effect any more.
If there is a problem with automatic logout while working with the WebUI, an upgrade to 17-3 or newer is recommended.
Monitoring TufinOS
- Details
- Category: TufinOS
As many administrators know, there is an option Suite Administration when configuring TOS using tos conf. Activating this option allows to monitor the system.
If (3) is selected and therefore the Suite Administration activated, it needs to be configured. This is done by the command
[root@TufinOS]# configure_os_monitoring
A menu opens and allows to configure the necessary options:
- Recipient Settings
Configure Recipients here who will get an E-Mail when Suite Administration is sending an alert.
- Show defined recipients
- Add recipient
- Delete recipient
- Modify recipient
- SMTP Settings
This section is to configure the Mail server for sending E-Mail to recipients in case of an alert. Besides this, authentication data for the Mail server needed to send E-Mail can be configured.
- Server Name
- Server Port
- User Name
- User Password
- Sender Email
- Mail Sending Interval
- SNMP Settings
TufinOS will send SNMP Traps when an alert condition is given. In this section the server, port etc. need to be configured if Traps are wanted. The support of addtional SNMP MIBs can be configured by adapting the file /etc/snmp/snmpd.conf and restarting the snmpd.
- Manager IPv4 Address
- Manager Port
- Community Name
- Trap Sending Interval
- Threshold Settings
Configure Thresholds here. Please be aware that the default for CPU usage is 10%, i.e. if there is a little load on the machine, an alert will be sent.
The options for JMS Tunnel and Stunnel are needed only, if the server is used in an HA deployment or the Central Server is in an environment using Distriubted Architecture (DA).- CPU Usage (default: 10%!)
- Memory Usage (default 70%)
- Disk Usage (default 70%)
- Service Settings
- Application Server
- Cron
- Database
- JMS Tunnel
- Stunnel
- Syslog
- Web Server
So these options might allow a tighter control and monitoring TufinOS as well as the services running on this machine.
Using an own logo in TOS
- Details
- Category: Admin Management
The Tufin Orchestration Suite (TOS) sometimes needs to be customized. Tufin delivers some options to use an own logo, but not everywhere. Let's have a look the default options and more.
SecureChange
in SecureChange a user with administrative rights has access to the Settings tab in the menu. Selecting Menu > Settings > Customzation offers the use of an own logo.
At the bottom of the page is a button labeled Publish. Pressing it will change the logo used in SecureChange.
So changing the logo in SecureChange is quite easy.
SecureTrack
By default, an own logo can be integrated for SecureTrack Reports. This is done via Menu > Settings > Configuration > Reports. The fiels Custom Logo allows to place the own logo here.
As an option, the logo can also be shown on every PDF page. The result looks quite good.
Sometimes the WebUI of SecureTrack shall also be customized. Tufin doesn't have an option for this in the Menus of SecureTrack. But changing the logo is also possible.
Requirement: PNG file with a size of 120x50 called tufin-suite-logo.png.
The following procedure is for SecureTrack R17-3 (paths may vary in other versions).
If you have your logo, make a backup of the original files before you continue. Then rename your logo to tufin-suite-logo.png and place it on the server:
Logo in the WebUI top left:
/var/www/html/images/header/tufin-suite-logo.png
Logo for Login window:
/usr/keycloak-2.5.4.Final/themes/tufin-theme/login/resources/img/tufin-suite-logo.png
Logo for Logout window
/var/www/html/logout/tufin-suite-logo.png
After having changed these settings (and cleared the browser cache), the own logo is shown in SecureTrack also.
Page 15 of 22