Sometimes it is necessary to improve the SecureTrack topology. Reasons might be islands in the topology, the integration of unsupported devices, or devices that do not support every option, e.g. VPN. In these cases, configuring "generic" objects helps to get the "real topology".
IMPORTANT - before performing the steps mentioned below, make sure you have a current backup of your SecureTrack server!
Let's consider the situation where there is a supported device and a generic device, and a VPN is needed between these two devices. Initially, the supported device and the generic device have no connection between them.
The problem is: no VPN has been detected between the devices R80_lab and VPN_Router, so this VPN needs to be configured manually.
Before configuring anything, the following data needs to be collected:
- Type of the VPN device:
  - m - the device is monitored by SecureTrack
  - g - the device is a generic device that has been added manually to the topology
- Device ID of the VPN device. It can be found in these ways:
  - m - monitored device:
    - from the CLI, issue "st stat" and find the device in the list, e.g.
        MANAGEMENT  IP        ID   TYPE         PID    LICENSE  STATUS
        R80_lab     10.0.0.1  285  SmartCenter  10917  valid    Connected
      In this case, the device ID is 285.
    - from WebUI > Menu > Compare: find the device in the left tree and press t to get the device ID
  - g - generic device:
    - from the database directly, using the CLI:
        [root@TufinOS ~]# psql securetrack -Upostgres -c "select * from topology_generic_devices"
         id | customer_id |    name
        ----+-------------+------------
          4 |           1 | CP-Remote
         14 |           1 | VPN_Router
        (2 rows)
        [root@TufinOS ~]#
      In this example, the device ID is 14.
- Name of the interface where the VPN is configured on this device
- Source IP address of the tunnel (not necessarily the IP address of the interface)
- Destination IP address of the tunnel (not necessarily the IP address of the interface)
- Name of the VPN (any name can be chosen)
After collecting all the information, the generic VPN can be configured via the WebUI:
https://<IP_SecureTrack>/tools
The next step is to fill in the parameters collected above. This example configures a VPN between a monitored device and a generic device for both directions.
Syntax: <device_type>,<device_id>,<interface_name>,<tunnel_source_ip>,<tunnel_destination_ip>,<vpn_name>
No spaces are allowed between the entries.
Configuring a VPN in both directions using these parameters:
- Device 1 is monitored by SecureTrack, ID 285, the VPN uses interface eth2, source IP 10.3.62.227, destination IP 112.12.12.12, and the name is MyVPN
- Device 2 is a generic device, ID 14, the VPN uses interface interface1, source IP 112.12.12.12, destination IP 10.3.62.227, and the name is MyVPN
results in these two lines that need to be filled in:
m,285,eth2,10.3.62.227,112.12.12.12,MyVPN
g,14,interface1,112.12.12.12,10.3.62.227,MyVPN
It is possible to enter many lines at once, so several generic VPNs can be configured simultaneously. Once all data has been entered, the configuration is saved by pressing the "Submit" button.
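As an added example (not part of the original article and not Tufin's own tooling), the following Python builds the two mirrored lines for a VPN pair and validates each line against the syntax above before it is pasted into the form. The field names and helper functions are my own; the rules enforced are only those the article states (six comma-separated fields, no spaces, m/g device type, numeric ID, valid IP addresses, mirrored source/destination).

```python
import ipaddress

# Field order of one /tools form line, as given in the article's syntax.
FIELDS = ("device_type", "device_id", "interface_name",
          "tunnel_source_ip", "tunnel_destination_ip", "vpn_name")


def parse_line(line: str) -> dict:
    """Split one form line into its six fields and check each one.

    Raises ValueError on anything the form would not accept.
    """
    if " " in line:
        raise ValueError("spaces are not allowed between entries: %r" % line)
    parts = line.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d comma-separated fields, got %d"
                         % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    if entry["device_type"] not in ("m", "g"):
        raise ValueError("device_type must be m (monitored) or g (generic)")
    if not entry["device_id"].isdigit():
        raise ValueError("device_id must be the numeric device/topology id")
    for key in ("tunnel_source_ip", "tunnel_destination_ip"):
        ipaddress.ip_address(entry[key])  # raises ValueError if malformed
    if not entry["interface_name"] or not entry["vpn_name"]:
        raise ValueError("interface_name and vpn_name must not be empty")
    return entry


def vpn_pair(dev_a: tuple, dev_b: tuple, vpn_name: str) -> list:
    """Build both directions of one tunnel.

    dev_a / dev_b are (device_type, device_id, interface_name, tunnel_ip);
    the second line mirrors source and destination of the first.
    """
    ta, ida, ifa, ipa = dev_a
    tb, idb, ifb, ipb = dev_b
    lines = [",".join((ta, str(ida), ifa, ipa, ipb, vpn_name)),
             ",".join((tb, str(idb), ifb, ipb, ipa, vpn_name))]
    for line in lines:
        parse_line(line)  # fail early rather than after Submit
    return lines


def check_pair(line_a: str, line_b: str) -> bool:
    """True if two lines describe the same tunnel seen from both ends."""
    a, b = parse_line(line_a), parse_line(line_b)
    return (a["vpn_name"] == b["vpn_name"]
            and a["tunnel_source_ip"] == b["tunnel_destination_ip"]
            and a["tunnel_destination_ip"] == b["tunnel_source_ip"])
```

Running check_pair on the two lines before submitting catches the common slip of copying the same source/destination into both directions, which leaves the tunnel one-sided in the topology.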
The next step is to synchronize the topology so that the new information is taken into it. After this, a refresh is necessary so that the new topology is displayed.
The VPN is then also used in the topology, as can be seen in a path query.
To get an overview of the configured generic VPNs, a database query via the CLI is required:
[root@TufinOS ~]# psql securetrack -Upostgres -c "select * from topology_generic_vpn_connections"
 id | is_generic | device_id | interface_name | tunnel_source_ip_addr | tunnel_dest_ip_addr | vpn_name
----+------------+-----------+----------------+-----------------------+---------------------+----------
  9 | f          |       285 | eth2           | 10.3.62.227           | 112.12.12.12        | MyVPN
 10 | t          |        14 | interface1     | 112.12.12.12          | 10.3.62.227         | MyVPN
(2 rows)
[root@TufinOS ~]#
To delete a generic VPN, the ID of the VPN is needed. The command to remove the VPN is (example for id 10):
[root@TufinOS ~]# psql securetrack -Upostgres -c "delete from topology_generic_vpn_connections where id=10"
DELETE 1
[root@TufinOS ~]#
Re-running the select query from above will then show that only the VPN with ID 9 is left.