www.tufin.club
Monitoring Check Point R80 with SecureTrack
- Details
- Category: SecureTrack
How to connect a "traditional" Check Point Management Server R77.x to SecureTrack has been described before:
Now let's see how a R80.x Check Point Management Server (SMS) can be connected to SecureTrack.
Prepare the Check Point SMS
First of all, a Permission Profile needs to be defined. Since R80, a profile needs to allow write access to SMS due to the new Management API.
To do so, in SmartConsole navigate at top left to Manage & Settings > Permissions & Administrators > Permission Profiles.
You will need an Administrator for Tufin SecureTrack using the Management API. So it's necessary to navigate to Manage & Settings > Permissions & Administrators > Administrators to define it.
Next, an object of the type Host Node is needed representing the system Tufin SecureTrack is running on. This is necessary because the IP address is needed when the OPSEC Application is defined in a later step. To define it, navigate to the top right in SmartConsole and select Object Categories > Network Objects > New > Host.
To initiate the Secure Internal Communication (SIC), defining an OPSEC Application is necessary. To do so, navigate to Object Categories > Servers > OPSEC Applications > Applications and define a new one. Necessary protocols are LEA (Log Export API) to have access to logs as well as CPMI (Check Point Management Interface) to have access to the objects and rules.
It's necessary to configure the permissions of Tufin SecureTrack within Check Point. For CPMI as well as for LEA a Read-Only Permission Profile should be sufficient. You are free to allow further access, but it's not necessary if the use of only SecureTrack is planned.
After these steps, the SIC should be initiated by setting an Activation Key. This is a one-time password for authenticating Tufin SecureTrack at the SMS. When this authentication is successful, a newly generated certificate is transferred to SecureTrack. From then on, authentication is based on this certificate. The communication is encrypted, as it is between the Check Point components themselves, e.g. SMS and Firewall Module.
When the password is typed twice, the button Initialize finishes this part of the configuration.
Please don't forget to make this newly generated certificate available by installing the Database. This is done by Menu > Install Database. If you forget to install the database on the SMS, the connection to SecureTrack won't work.
Prepare the Check Point Rulebase
If there is a firewall between Tufin SecureTrack and the Check Point SMS, a rule must allow the necessary access. Besides the access using LEA and CPMI, further connections are needed, e.g. for certificate management:
- 443/tcp: Connection from SecureTrack Server to SMS when using the Management API
- 18184/tcp: Connection from SecureTrack to SMS / Logserver to retrieve log data (statistics) and audit log data (recognition of actions done by administrators)
- 18190/tcp: Connection from SecureTrack to SMS with a CPMI client to retrieve the latest revision
- 18210/tcp: Connection to SMS for authenticating using the one-time password and for retrieving the certificate
- 18264/tcp: Connection needed to access the CRL running on the SMS to check if the certificate presented by the SMS is valid
So a rule needs to be configured. This is necessary if any firewall is between SecureTrack and SMS. When a Check Point Firewall is in between, the rule could look like this:
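As an added example (not part of the original post), a small pre-flight script that checks from the SecureTrack server whether each of the TCP ports listed above can be reached on the SMS, so a missing firewall rule shows up before the device wizard's connection test does. It assumes bash and the coreutils timeout command are present and takes the SMS address as its first argument; the function names are my own.

```shell
#!/bin/bash
# Added example: verify the TCP ports SecureTrack needs towards the Check Point SMS.
# Usage: ./check_sms_ports.sh <SMS address>   (function names are assumptions)

# Return 0 when a TCP connection to host $1 port $2 opens within 3 seconds.
# bash's /dev/tcp is used so no extra tool (nc, nmap) is needed on TufinOS.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null </dev/null
}

# Try every port from the post and print one status line per port.
# The return value is the number of ports that could not be reached.
check_sms_ports() {
  local host=$1 failed=0 port purpose
  while IFS=: read -r port purpose; do
    if tcp_open "$host" "$port"; then
      echo "OK       $port/tcp  $purpose"
    else
      echo "BLOCKED  $port/tcp  $purpose"
      failed=$((failed + 1))
    fi
  done <<EOF
443:Management API (HTTPS), needed for R80.x
18184:LEA log export (statistics and audit log)
18190:CPMI, retrieval of the latest revision
18210:SIC activation key and certificate retrieval
18264:CRL download to validate the SMS certificate
EOF
  return $failed
}

# Run the check only when an SMS address was passed on the command line.
if [ $# -gt 0 ]; then
  check_sms_ports "$1" || echo "Some ports are blocked: add the firewall rule before running the wizard."
fi
```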
Configure Check Point SMS in Tufin SecureTrack
The Check Point SMS needs to be defined in SecureTrack so the configuration can be monitored. To do so, some steps are necessary. First of all, connect with administrative rights to Tufin SecureTrack using a web browser over HTTPS (443/tcp). The default configuration doesn't redirect an HTTP request from port 80/tcp to the correct port.
In the Menu go to Settings > Monitoring > Manage Devices. On the left pane all monitored devices are listed. On the right side a new device can be defined. Here, select Check Point SmartCenter.
After this selection a wizard starts, asking for several configuration options in six steps.
The Device Type can't be changed here since this option has been selected before. The other options are:
- Name for Display: the name shown in SecureTrack for this device
- Domain: if SecureTrack is configured to use Domains, the corresponding Domain can be selected here. Please be aware that using this option clearly separates all data.
- Get revisions from <IP> or <Offline File>: if the SMS is monitored live, the IP address of the SMS is provided here. If there is no direct access, configuration data can be imported. Please be aware that this option also requires a license, even if there is no monitoring of the changes.
- Usage Analysis: here it's selected which data are collected. Especially when "Rule and Object Usage" reports are required, the first two options need to be selected.
- Topology: it's recommended to enable Topology because in this case all information that requires Topology is available (e.g. Policy Analysis, Zones, Compliance Rules...).
- Version of Check Point SMS: if you are using R80, be sure to select R80 here since the connection differs from the "traditional" one.
The next step is to authenticate using the One-Time Password and to retrieve the certificate used from then on to authenticate.
It's necessary to provide the name of the OPSEC Application configured in Check Point SmartDashboard. The Activation Key is the One-Time Password provided during configuration in Check Point SMS.
In many cases the next windows can keep the "default" OPSEC settings.
If there were changes configured in $CPDIR/conf/sic_policy.conf they can be considered here. It's all about authentication used for LEA and CPMI. All relevant Check Point options can be selected, so a successful authenticated connection from Tufin SecureTrack to Check Point SMS is possible.
The next step has been introduced with R80. For use of the Management API it's necessary to have an administrative user defined at the SMS (see above). Tufin SecureTrack uses this administrator to connect to the SMS via HTTPS.
In some cases the timing of monitoring needs to be adjusted.
As in many cases, the default setting is fine when the globally configured timing is sufficient.
Finally, the configured connection should be tested. If this is ok, the buttons Save and Done finalize the configuration.
Monitoring the Check Point R80 SMS
The status of monitoring the SMS can be checked using Menu > Settings > Administration > Status. Depending on the connection and the load on the Check Point SMS, the status will remain for some time in "Starting" and "Yellow". When it has changed to "Green", the SMS is shown under Menu > Compare also in green, and after a short time the first revision will show up.
Tufin Orchestration Suite 17-1
- Details
- Category: Version update
The new and first GA version in 2017 of the Tufin Orchestration Suite (TOS) is available: 17-1.
This GA Version delivers some improvements, e.g.
Cloud:
- USP Based Security Groups in SecureTrack: dynamic micro-segmentation policies for cloud environments, USP policies that are not based on specific IP addresses, and simplified compliance and risk analysis
- AWS Direct Connect Support: integration of AWS Direct Connect in Topology, including the interfaces
Security Change Automation and Orchestration:
- Zero-touch, end-to-end full automation for Palo Alto Panorama UserID (NGFW)
- End-to-end Rule Decommission workflow with Provisioning
- Cisco ASA IPv6 Change Automation
Security, Risk and Compliance:
- Rules and Objects Report support for Panorama Device Groups Policies
- Palo-Alto Pre- and Post-rules Marked in Policy Browser
- Rules and Objects Report support for FortiManager ADOM Policies
Application Management:
- IPv6-based Application Management
Devices and Platforms:
- Forcepoint (formerly Stonesoft SMC): Support of Stonesoft SMC 6.1
- Juniper: Support of SRX 12.3x48
REST API:
- LDAP: retrieve the base DN entry, details about a specific DN below the base DN entry, search for all entries that match (EXACT, CONTAINS, STARTS_WITH, ENDS_WITH) a specific string, or search for entries that exactly match a set of strings.
- Network Zone Manager - Patterns: retrieve, create, and modify security group patterns for identifying violations.
- Rule Decommission Designer Results and Provisioning Commands: retrieve Designer results and Provisioning commands for Rule Decommission.
Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
Changing the certificate used by Tufin web server
- Details
- Category: TufinOS
By default, TufinOS uses a self-signed certificate for authenticating the web server running HTTPS. This is true for the SecureTrack Server as well as the SecureChange Server. Often the resulting browser warnings are unwanted, so an official certificate needs to be used.
It's possible to change the certificate the web server uses. In many cases, it's necessary to generate a Certificate Signing Request (CSR) before the certificate signed by a trustworthy Certificate Authority (CA) can be imported.
Generating a CSR
For importing a valid certificate into the web server running on TufinOS, a Certificate Signing Request (CSR) needs to be generated first. This can be done in several ways. In TufinOS the command openssl is used by the user root. If the system doesn't allow using this account, the command can be executed with elevated permissions using sudo (this, of course, also needs to be configured correctly). The next line shows an example of a CSR being created for the host "hostname":
[root]# openssl req -new -nodes -keyout hostname.key -out hostname.csr -newkey rsa:2048 -sha256
The file hostname.key contains the private key, which needs to be protected (!). The other file is hostname.csr, which needs to be sent to the CA for signing. Before this, some more details need to be provided:
- Country Name (2 letter code) [AU]: provide the country code, e.g. DE
- State or Province Name (full name) [Some-State]: provide the state, e.g. Bavaria
- Locality Name (eg, city) []: provide the name of the city, e.g. Munich
- Organization Name (eg, company) [Internet Widgits Pty Ltd]: provide the name of the company, e.g. AERAsec
- Organizational Unit Name (eg, section) []: provide the unit, e.g. IT Department
- Common Name (eg, YOUR name) []: provide the exact name including domain that shall be protected by the certificate. Important: the certificate is valid only for this name.
- Email Address []: provide the e-mail address of the responsible person
The file hostname.csr is going to be sent to the signing CA.
If you need a certificate for more than one host, this command structure is recommended:
[root]# openssl req -new -sha256 -nodes -out hostname.csr -newkey rsa:2048 -keyout hostname.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=DE
ST=Bayern
L=Munich
O=AERAsec
OU=IT Department
emailAddress=<e-mail address of the responsible person>
CN = host1.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
EOF
)
Also in this case, the file hostname.csr is going to be sent to the signing CA.
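The same multi-host CSR, generalised as an added example (not from the original post) to any number of hostnames: gen_req_config emits the request config with one DNS entry per host, repeating the common name as DNS.1 and skipping duplicates, and make_san_csr writes key and CSR from it and prints the SAN list for a check before the CSR goes to the CA. The DN values are the post's example values; the function names are assumptions.

```shell
#!/bin/bash
# Added example: OpenSSL request config and CSR for one or more hostnames.
# Function names are assumptions; DN fields are the example values from the post.

# Print a req config. Arguments: C ST L O OU, then the common name, then any
# number of further DNS names. The CN is repeated as DNS.1 because clients
# check the subjectAltName and may ignore the CN entirely.
gen_req_config() {
  local c=$1 st=$2 l=$3 o=$4 ou=$5 cn=$6 i=2 host
  shift 6
  cat <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=$c
ST=$st
L=$l
O=$o
OU=$ou
CN = $cn
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $cn
EOF
  for host in "$@"; do
    if [ "$host" != "$cn" ]; then     # do not list the CN twice
      echo "DNS.$i = $host"
      i=$((i + 1))
    fi
  done
}

# Create <out>.key and <out>.csr for the hosts given (first one = CN) and show
# the SAN list the CA will sign. A temporary config file replaces the bash-only
# process substitution, so this also runs under plain sh.
make_san_csr() {
  local out=$1 cfg
  shift
  cfg=$(mktemp) || return 1
  gen_req_config DE Bayern Munich AERAsec "IT Department" "$@" > "$cfg"
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -keyout "$out.key" -out "$out.csr" -config "$cfg" || { rm -f "$cfg"; return 1; }
  rm -f "$cfg"
  chmod 600 "$out.key"   # the private key must stay protected
  openssl req -in "$out.csr" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Example call: make_san_csr hostname host1.example.com host2.example.com host3.example.com produces hostname.key and hostname.csr with all three names in the SAN.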
Importing the signed certificate
For a smooth import of a signed certificate (.crt), the private key belonging to this certificate should be usable without a password. How to remove it is shown below. Furthermore, it needs to be guaranteed that external servers are reachable.
To import a certificate, these steps are necessary:
- Copy the certificate file (e.g. hostname.crt) and the matching private key file (e.g. hostname.key) to the server
- Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
- Search for Server Private Key and adapt the following line:
SSLCertificateKeyFile <full path to .key file>
- Search for Server Certificate and adapt the following line:
SSLCertificateFile <full path to .crt file>
- Save the file
- Restart the web server using the command
[root]# service httpd restart
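Before the web server is restarted it is worth checking that the two files actually belong together and that the key carries no passphrase, because otherwise httpd stays down after the restart. These checks are an added example (not from the original post); they require the openssl command, and the function names are assumptions.

```shell
#!/bin/bash
# Added example: checks to run before pointing ssl_conf at a new certificate.
# Function names are assumptions; requires the openssl command.

# Return 0 when the PEM private key is still passphrase-protected
# (traditional "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 encrypted block).
key_is_encrypted() {
  grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Return 0 when the public key in the certificate equals the public key
# derived from the private key (both printed as PEM SubjectPublicKeyInfo).
cert_matches_key() {
  local crt=$1 key=$2 a b
  a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run all checks, then print subject, expiry date and SAN list of the certificate.
preimport_check() {
  local crt=$1 key=$2
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
    echo "certificate or key file missing/unreadable"; return 1
  fi
  if key_is_encrypted "$key"; then
    echo "key is passphrase-protected; remove it first (openssl rsa ...)"; return 1
  fi
  if ! cert_matches_key "$crt" "$key"; then
    echo "certificate and private key do not match"; return 1
  fi
  openssl x509 -in "$crt" -noout -subject -enddate
  openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Call preimport_check /path/to/hostname.crt /path/to/hostname.key and only edit ssl_conf when it returns 0.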
Removing a password for certificate use
It's possible and sometimes necessary to remove the password from the private key belonging to a certificate, e.g. when it's used by a server. To do so, take these steps:
- Use OpenSSL to write a copy of the private key that can be used without a password. This is done with the command
[root]# openssl rsa -in <path to .key file> -out <path to new .key file>
- Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
- Change the line
SSLCertificateKeyFile <full path to .key file>
into
SSLCertificateKeyFile <full path to new .key file>
- Save the file
- Restart the web server using the command
[root]# service httpd restart
Tufin Orchestration Suite 16-4
- Details
- Category: Version update
Since today (Feb. 20th, 2017) the new version of the Tufin Orchestration Suite (TOS) is available: 16-4.
This GA Version delivers some improvements, e.g.
Cloud:
- Cisco ACI Support: monitor the ACI platform as a device, manage ACI Application Profiles in SecureApp, integration in the Tufin Unified Security Policy (USP), etc.
- Cloud Tag Policy (SecureTrack): defining a tag policy as part of the Tufin USP for AWS, or via APIs for any cloud platform supported by Tufin, plus further options
Security Change Automation:
- Zero-touch End-to-End Automation for Check Point R80
- Updated Palo Alto NGFW Application IDs
- Rule Decommission in a cross-suite workflow
- Server Decommission for Cisco ASA/IOS and Juniper SRX delivers the required commands, which can be used with copy/paste
- Server Decommission for Cisco ASA and Juniper SRX is possible fully automated
- Palo Alto Panorama Post-Rule Automation
- New Role Permission: View handlers of my requests
- New SecureChange E-Mail Template: Request automatically closed
Security, Risk and Compliance:
- Policy Browser is now located on the HOME tab
- Enhancements for the Policy Browser
Application Management:
- Application Connection Search
- Performance Improvement for SecureApp
Devices and Platforms:
- Check Point: Full Support of R80, including MDS, CMA, and SmartCenter
- Forcepoint: Support of Stonesoft SMC 6.1 using 5.10 APIs
- Forcepoint: Enhancements in Stonesoft IPv6 support
- Fortinet: Support of FortiManager and FortiGate 5.2.9
- Fortinet: FortiManager 5.4 and 5.4.1 NAT Support
Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
Manager Assignment
- Details
- Category: SecureChange
In a workflow the field "Manager" can be used. This might be useful if the manager has to approve a ticket requested by a member of his team.
The requester provides the e-mail address of his manager so this person can approve the request in the next step. It's mandatory to have a "Manager Assignment" in the next step so the decision who has to work on the ticket is flexible. Besides this, if the mail address provided by the requester isn't valid for the Manager function, the e-mail will be sent to a "Default Manager" provided in the following step. This person (named Default_Manager below) is able to approve/reject the ticket as well as to reassign it.
If the manager gets the E-Mail from SecureChange, logging in to SecureChange is necessary. After this, working on the ticket is possible.
Having local users configured, the validity of the mail address is checked. Examples:
- If the assigned manager has the appropriate right, approval is possible.
- If there is no right for approval, but a link sent by E-Mail, the approval is possible for this case.
- If the mail address isn't known in SC, Default Manager is taken.
So as a result, when this option is used with local users, everything works as designed in SecureChange. The Manager is able to approve a step even if he doesn't have "global rights by role" to do so. Having an LDAP Server connected to SecureChange, this is the result:
- If the assigned manager has the appropriate right, approval is possible.
- If there is no right for approval, but a link, then the approval is possible for this ticket.
- If the mail address isn't known in SC but in LDAP, the ticket is assigned and, even without being defined in SecureChange, the manager can follow the link and approve the step.
- If the mail address is "external", the Default Manager is taken.
Please be aware, that the MANAGER as well as the DEFAULT-MANAGER need to be known in SecureChange or LDAP Server. The MANAGER doesn't need appropriate rights in every case.
Documentation of Workflow Changes
- Details
- Category: SecureChange
Sometimes it's necessary to have a documentation about changes at the system itself or about changes in Workflows defined in SecureChange. System changes can be documented in SecureTrack easily, but what about changes in Workflows that are defined and used in SecureChange?
Currently there is no option in the WebUI to get a report about these changes, but they are recorded in the system, i.e. in the database table change_audit.
To view the table content, a SQL query is used at the CLI of the SecureChange Server:
# psql -Upostgres securechangeworkflow -x -c " select * from change_audit"
This delivers all changes to the CLI, including the name of the user as well as an XML output of the workflow before and after. If necessary, the output can be redirected to a file, e.g. for further inspection.