Sometimes it's necessary to have zones defined that include "new" or "unknown" networks.


Traditional Approach

The traditional approach in Tufin SecureTrack is to monitor devices. The monitored devices deliver information about their networks and routes to SecureTrack, and this information is used to build the Topology.
The next step is to define Zones manually. These zones contain networks that are present in the Topology. So in the end only "known networks" end up in zones, and only those zones can be used to define the Unified Security Policy (USP).


Another Approach

Some administrators have an IPAM (IP Address Management) tool that holds all IP addresses and networks, including those that are not registered in the SecureTrack Topology. All of this information should be usable in the compliance rules of the USP. Since zones can be imported, and the import does not check whether the networks exist in SecureTrack, exporting the data from the IPAM in the zone-import format does the job. Note that the absence of a check cuts both ways: a wrong subnet in the export is imported just as readily, so the export should be validated before it is loaded. For example:

Known: Zone a (Network 10.1.1.0/24), Zone b (Network 10.1.2.0/24)

in IPAM: Network 10.1.3.0/24 which should be imported into a new zone

File for import into SecureTrack Zones:

"#Zone Properties"
"zone name","description"
"Internet","Internet zone is all public addresses, excluding the addresses defined in all other zones"
"Users Networks","Users Networks zone should include the address space from which users can come within your organization"
"a",""
"b",""
"c","new zone"

"#Zone Hierarchy"
"parent","child"

"#Zone Subnets"
"zone name","subnet","description"
"a","10.1.1.0/24",
"b","10.1.2.0/24",
"c","10.1.3.0/24","new"

"#Zone Security Groups"
"zone name","security group name","description"

Even though the new zone is not known in SecureTrack beforehand and its network is not in the Topology, the import works.
After the zones, including the new zone c, have been imported, the USP can be adapted and imported as well. The following example is not a realistic USP, but it is enough to show that the import works.

"from zone","to zone","severity","access type","services","rule properties","flows"

"a","a","high","allow all","","",""
"a","b","critical","allow all","","",""
"b","a","low","allow all","","",""
"b","b","high","allow all","","",""
"c","c","high","allow all","","",""
"a","c","critical","allow all","","",""
"c","a","low","allow all","","",""
"b","c","critical","allow all","","",""
"c","b","low","allow all","","",""

After import, the new zone c appears in the USP, even though its network is not part of the SecureTrack Topology.
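The whole procedure described above (take the networks from the IPAM, write the four-section zone file, then write the from/to matrix for the USP) can be automated. The script below is an added example and not Tufin's own tooling; it reproduces the layout of the two files shown on this page. The IPAM export format (columns zone,cidr,description), the trust ranking by export order and the severity rule derived from it are assumptions made for illustration. Because SecureTrack does not validate imported subnets against the Topology, the script does the checks a practitioner would want before the import: every CIDR must parse strictly and no subnet may overlap a subnet of another zone.

```python
"""Generate Tufin SecureTrack zone-import and USP-import CSV files from an
IPAM export.  Added example, not Tufin's tooling: the CSV layout follows the
two files shown on this page; the IPAM export format, the trust ranking and
the severity rule are assumptions for illustration."""
import csv
import io
import ipaddress

# Constructed IPAM export (assumed columns: zone,cidr,description).
# a and b already exist as zones in SecureTrack; c is not in the Topology.
# The duplicated c row stands in for a typical IPAM export quirk.
IPAM_EXPORT = """\
zone,cidr,description
a,10.1.1.0/24,
b,10.1.2.0/24,
c,10.1.3.0/24,new
c,10.1.3.0/24,new
"""

KNOWN_ZONES = {"a", "b"}          # zones already defined in SecureTrack

# SecureTrack's predefined zones, carried over exactly as in the page's file.
DEFAULT_ZONES = [
    ("Internet", "Internet zone is all public addresses, excluding the "
                 "addresses defined in all other zones"),
    ("Users Networks", "Users Networks zone should include the address "
                       "space from which users can come within your organization"),
]


def parse_ipam(text):
    """Return [(zone, ip_network, description)], dropping exact duplicate rows.

    SecureTrack does not check imported subnets against the Topology, so the
    checks that matter happen here: every CIDR must parse strictly (no host
    bits set) and no subnet may overlap a subnet assigned to another zone,
    because overlapping zones make USP matching ambiguous.
    """
    nets, seen = [], set()
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["cidr"], strict=True)  # ValueError on bad input
        if (row["zone"], net) in seen:
            continue
        for zone, other, _ in nets:
            if zone != row["zone"] and net.overlaps(other):
                raise ValueError(f"{net} ({row['zone']}) overlaps {other} ({zone})")
        seen.add((row["zone"], net))
        nets.append((row["zone"], net, row.get("description") or ""))
    return nets


def zone_order(nets):
    """Zone names in first-seen order (used as the assumed trust ranking)."""
    return list(dict.fromkeys(zone for zone, _, _ in nets))


def _section(rows):
    """Render rows with every field double-quoted, as in the SecureTrack files."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def zone_import_csv(nets):
    """Build the four-section zone file; zones missing from KNOWN_ZONES get the
    description "new zone" so they are easy to spot after import."""
    zones = zone_order(nets)
    properties = [["#Zone Properties"], ["zone name", "description"]]
    properties += [[name, desc] for name, desc in DEFAULT_ZONES]
    properties += [[z, "" if z in KNOWN_ZONES else "new zone"] for z in zones]
    hierarchy = [["#Zone Hierarchy"], ["parent", "child"]]
    subnets = [["#Zone Subnets"], ["zone name", "subnet", "description"]]
    subnets += [[z, str(net), desc] for z, net, desc in nets]
    groups = [["#Zone Security Groups"],
              ["zone name", "security group name", "description"]]
    return "\n".join(_section(s) for s in (properties, hierarchy, subnets, groups))


def severity(zones, src, dst):
    """Assumed rule that reproduces the page's matrix: zones are ranked by
    their order in the IPAM export; traffic within a zone is high, traffic
    towards a later (lower-ranked) zone is critical, the reverse is low."""
    if src == dst:
        return "high"
    return "critical" if zones.index(src) < zones.index(dst) else "low"


def usp_csv(nets):
    """Full from/to matrix in the USP import layout used on this page."""
    zones = zone_order(nets)
    rows = [["from zone", "to zone", "severity", "access type",
             "services", "rule properties", "flows"]]
    for src in zones:
        for dst in zones:
            rows.append([src, dst, severity(zones, src, dst), "allow all", "", "", ""])
    return _section(rows)


if __name__ == "__main__":
    nets = parse_ipam(IPAM_EXPORT)
    print(zone_import_csv(nets))
    print(usp_csv(nets))
```

Running the script prints the zone file first and the USP file second; both match the files shown above apart from empty description fields, which are written as `""` throughout rather than left bare as in the subnet section of the original. The overlap check is deliberately strict across zones only: the same subnet listed twice for the same zone is collapsed, while a subnet that falls inside another zone's subnet aborts the export, since that is exactly the mistake the SecureTrack import would otherwise let through.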


Lesson learned: If an IPAM holds all information about the networks, exporting the relevant information in the correct format makes it possible to define a USP with networks that are not even included in the Topology. Since the import performs no check against the Topology, the export itself is the place to validate the subnets before they are loaded.