TOS CLI Reference

Overview

The TOS Aurora CLI (command line interface) is a set of commands that can be run from the Linux command line. The command sudo tos help lists all CLI commands. All TOS commands require root privileges to run; on TufinOS they must therefore be run using sudo, because the user root is not available on the TufinOS operating system.

Commands that retrieve information can be run on any node; commands that make changes can only be run on the primary data node, unless specified otherwise.

Global Parameters

Many of the commands can be run with the following optional flags:

  • --help or -h: lists the usage, available subcommands and flags (options) of the command, for example sudo tos backup --help
  • --debug or -d: adds additional information to the output of some commands, used for troubleshooting, for example sudo tos backup --debug
  • --skip cli-validation: skips the CLI version validation

TOS CLI Commands

If your system runs on TufinOS, all TOS commands must be run using sudo, because user root is not available on this operating system.

For details of SecureChange CLI commands, see the SecureChange Command Line Reference.

Most of the commands that modify the cluster configuration can run only on the primary data node.

Archive Revision Data

This is a subset of commands that allows you to archive and temporarily restore old revision data (device policy rules):

sudo tos archive create

Description

This command is a variant of sudo tos archive. It removes old revision data (rules) from the TOS Aurora database and stores it in a file outside of the cluster. If a previously archived file is currently loaded (see sudo tos archive load), you cannot create a new archive containing any rules in the loaded range.

We recommend first running the screen command to ensure that the archive command runs to completion.

Syntax

[<ADMIN> ~]$ sudo tos archive create [-t|--date=<TODATE>] [-p|--path=<PATH>] [-o <TIMEOUT>] [--no_vacuum]

Parameters

  • <TODATE> (Mandatory): To-date, in format YYYY-MM-DD, up to which revisions will be archived.
  • <PATH> (Mandatory): Target directory, excluding file name, in which the new archive file will be created.
  • <TIMEOUT> (Optional): Amount of time that the archive creation is allowed to run. The default is 60 minutes. The value can be given in minutes (50m), hours (1.5h) or days (2d).
  • --no_vacuum (Optional): Disables the database vacuum operation during archive. This flag was introduced in R22-2 PHF2.0.0, but due to a bug the specified target location was ignored. To work around the problem, provide the --no_vacuum flag and manually run a vacuum on the database after the archive completes. This bug was fixed in R22-2 PHF3.0.0.

On completion:

  • A log file is created at /opt/tufin/logs/services/st-archive-job/app.log.

  • If the operation completes successfully, the archive file is created in the target directory, with the to-date as part of its name.

Example

[<ADMIN> ~]$ sudo tos archive create --date=2021-12-31 --path=/tmp
Archive completed successfully. Archive file created: /tmp/archive_2021-12-31.tar

sudo tos archive load

Description

This command is a variant of sudo tos archive. It restores old revision data from a file created previously with sudo tos archive create. More than one archive can be loaded at a time. If the command is run again with a different archive file, the data will be appended to the database.

Syntax

[<ADMIN> ~]$ sudo tos archive load [-p|--path=<PATH>]

Parameters

  • <PATH> (Mandatory): Full path of the archive file from which to restore the data, including directory path and file name.

Example

[<ADMIN> ~]$ sudo tos archive load --path=/tmp/archive_2021-12-31
Loading archive file completed successfully.

sudo tos archive unload

Description

This command is a variant of sudo tos archive. It removes all revision data from the TOS Aurora database that was previously loaded from one or more archives using sudo tos archive load.

Syntax

[<ADMIN> ~]$ sudo tos archive unload

Example

[<ADMIN> ~]$ sudo tos archive unload
Unloading revisions completed successfully.

Backup Creation and Management

A subset of commands to create one-time backups and manage the backup policy.

sudo tos backup create

Description

Create an on-demand backup of your data. You can create this type of backup at any time, whether you have a policy defined or not. The command will check if there is enough disk space available. The backup requires a little over twice the space currently taken up by your databases.

Syntax

[<ADMIN> ~]$ sudo tos backup create [--name <NAME>] [--ttl <TIME TO LIVE>]

Parameters

  • <NAME> (Optional): Name for the backup, as shown by the tos backup list command. If not specified, a default name containing the date and time is given.
  • <TIME TO LIVE> (Optional): Time to Live (TTL) in hours, minutes and seconds, in the format XhYmZs. When the specified time has passed, the backup is automatically deleted and its disk space released. If no value is set, the default TTL is 720 hours (30 days). The TTL cannot be set above 720 hours.

You can only create backup files if the backup directory has sufficient storage.

sudo tos backup delete

Description

Delete a single backup, or all backups. This does not affect the backup policy. The alias remove can be used instead.

Syntax

[<ADMIN> ~]$ sudo tos backup delete [<FILENAME>] [--all]

Parameters

  • <FILENAME> (Optional): Name of a single backup file, as shown using the tos backup list command.
  • --all (Optional): Deletes all backups.

sudo tos backup expiry

Description

Assigns an expiration date to a specific backup. The backup is deleted once it is expired.

Syntax

[<ADMIN> ~]$ sudo tos backup expiry <BACKUP_NAME> <"EXPIRY_DATE_TIME">

Parameters

  • <BACKUP_NAME> (Mandatory): Name of a backup file, as shown using the tos backup list command.
  • <EXPIRY_DATE_TIME> (Mandatory): String with the date and time for the expiration. Format: YYYY-MM-DD HH:MM:SS

Example

$ sudo tos backup expiry tufin-scheduler-000999 "2022-04-30 00:30:45"

sudo tos backup export

Description

Transfer all your backup files from the TOS backup directory to a single .gzip file in a remote location so they can be restored if required. All the backup files and your backup policy will be saved to a single backup archive file in the specified target location. If the target location is not specified, the archive will be created in /opt/tufin/backups. The alias tar can be used instead.

The backup archive file will be named in the following format: 

backup-<TOSVER>-YYYYMMDDHHMMSS.tar.gzip

where <TOSVER> is your SecureTrack version number. We strongly recommend using the screen command before proceeding.

Note that backup export will not work when external backup storage is set.

Syntax

[<ADMIN> ~]$ sudo tos backup export [-t|--target "<PATH>"]

Parameters

  • <PATH> (Optional): Destination directory in which to place the archived backup (directory only, without a file name). If the path does not exist, it is created automatically.

Examples

$ sudo tos backup export --target /mapdrive/save/
$ sudo tos backup export -t "/opt/myarchive/"

To ensure you have enough disk space, we recommend that before exporting, you check the disk usage of your backup files and compare it to the available space in the target destination.

To check disk usage of your backup files:

[<ADMIN> ~]$ sudo du -sh /opt/tufin/data/volumes/minio/velerok8s/

To check available space in the target:

[Target location]$ sudo df -h <path>

where <path> is the target path.

The files will be compressed in the export but the degree of compression cannot be known in advance. We recommend ensuring that you have at least the amount of space available in your target equal to the original files.

After the backup is exported, we recommend verifying that the file contents can be viewed by running the following command:

[Target location]$ tar tzvf <filename>

sudo tos backup import

Description

Extract all backups from a TOS Aurora backup export file (gzip format) and place them in the TOS backup directory, so they can subsequently be restored to your database. The import command does not restore data. If the source location is not specified, the default path and file name /opt/tufin/backups/backup.tar.gzip is used. After completion of the command, the imported backups and policy replace those currently in your system. We strongly recommend using the screen command before proceeding.

The alias untar can be used instead.

Note that backup import will not work when external backup storage is set.

Syntax

[<ADMIN> ~]$ sudo tos backup import [-s|--source <FULLPATH>]

Parameters

  • <FULLPATH> (Optional): Full path, including the file name, of the backup archive created previously by the tos backup export command.

Example

$ sudo tos backup import --source /etc/mapped/save/backup-20-1-pga-20200526092902.tar.gzip

  • Backups have an expiration date. You cannot restore from a backup that has expired.
  • You can import a backup file to a machine with an existing file. The original backup file is deleted by this action. Therefore, if the backup file is needed, export it first to a separate location. When importing the file, if an existing backup file is detected, a warning will be displayed and you will need to confirm the action.

sudo tos backup list

Description

List all backups in the backup location, including automated backups created from the policy and on-demand backups created manually.

Syntax

[<ADMIN> ~]$ sudo tos backup list

Information Provided in Output

  • Backup name
  • Date/time started
  • Date/time completed
  • Modules included
  • Whether high availability was active at the time of backup
  • TOS Aurora release and build
  • File expiration date
  • Completion status

Sample Output

$ sudo tos backup list
["16-december-2020-12-4"]
Started: "2020-12-16 10:04:14 +0000 UTC"
Completed: "2020-12-16 10:05:52 +0000 UTC"
Modules: "RC"
HA mode: "false"
TOS release: "21.1 (PRC1)"
TOS build: "21.1.1100-201215163002315"
Expiration Date: "2021-01-15 10:04:14 +0000 UTC"
Status: "Completed"

$ sudo tos backup list
["23-august-2021-16-18"]
Started: "2021-08-23 13:18:43 +0000 UTC"
Completed: "N/A"
Modules: "ST, SC"
HA mode: "false"
TOS release: "21.2 (PGA.0.0) Final"
TOS build: "21.2.2100-210722164631509"
Expiration Date: "2021-09-22 13:18:43 +0000 UTC"
Status: "InProgress"

sudo tos backup policy delete

Description

Delete the current backup policy and stop further automatic backups until a new backup policy is created.

Syntax

[<ADMIN> ~]$ sudo tos backup policy delete

sudo tos backup policy get

Description

Display the current backup policy.

Syntax

[<ADMIN> ~]$ sudo tos backup policy get

Information Provided in Output

  • Policy creation date and time
  • Backup days, hour and minute, in cron format
  • TTL of the backups
  • Status - always Enabled
  • Last backup date and time
  • Number of backups found that were produced from this policy

Sample Output

[tufin-scheduler]
Creation Time: 2019-11-18 12:13:47 +0000 UTC
Cron: 0 0 * * 0,1,2
TTL: 720h0m0s
Status: Enabled
Last backup: 2019-11-18 12:13:47 +0000 UTC
Found backups: 1

sudo tos backup policy set

Description

Create a backup policy, which runs automatically and performs self-cleanup. Only one backup policy can be defined at a time, so executing this command a second time deletes the current policy and creates a new one in its place.

Syntax

$ sudo tos backup policy set --days <DAYS> --hour <HOUR> [--min <MINUTE>] [--ttl <TIME TO LIVE>]

Parameters

  • <DAYS> (Mandatory): Days of the week on which to run the backup. One or more values separated by a comma with no spaces: sun,mon,tue,wed,thu,fri,sat.
  • <HOUR> (Mandatory): Hour of the day at which to run the backup. Number 0-23.
  • <MINUTE> (Optional): Minute after the hour at which to run the backup. Number 0-59. Default 0.
  • <TIME TO LIVE> (Optional): Time to Live (TTL) in hours, minutes and seconds, in the format XhYmZs. When the specified time has passed, the backup is automatically deleted and its disk space released. If no value is set, the default TTL is 720 hours (30 days). The TTL cannot be set above 720 hours.

Examples

  • sudo tos backup policy set --days sun,fri --hour 23 --min 30 (backup every Sunday and Friday at 23:30)
  • sudo tos backup policy set --days sun,mon,tue,wed,thu,fri,sat --hour 00 --min 05 --ttl 720h00m00s (backup every day of the week at 5 minutes past midnight, expiry after 30 days)
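A validator for the arguments of sudo tos backup policy set, as an added example that is not part of the TOS documentation or Tufin's tooling. It checks the day names, the hour and minute ranges and the XhYmZs TTL limit described above before a policy is set, and prints the five-field cron expression that sudo tos backup policy get reports. The day numbering sun=0 ... sat=6 is an assumption (standard cron numbering, consistent with the sample output Cron: 0 0 * * 0,1,2).

```shell
# Added example (not Tufin's code): validate "tos backup policy set" arguments
# and show the cron line the policy will be stored as. Assumption: days map to
# cron numbers sun=0 ... sat=6.

# day_to_cron <day>: print the cron day number, return 1 for unknown names
day_to_cron() {
    case $1 in
        sun) echo 0 ;; mon) echo 1 ;; tue) echo 2 ;; wed) echo 3 ;;
        thu) echo 4 ;; fri) echo 5 ;; sat) echo 6 ;;
        *) return 1 ;;
    esac
}

# ttl_ok <XhYmZs>: format check plus the page's upper bound of 720 hours
ttl_ok() {
    parts=$(echo "$1" | sed -n 's/^\([0-9][0-9]*\)h\([0-9][0-9]*\)m\([0-9][0-9]*\)s$/\1 \2 \3/p')
    [ -n "$parts" ] || return 1
    # awk does the arithmetic so that leading zeros (720h00m00s) are decimal
    secs=$(echo "$parts" | awk '{print $1 * 3600 + $2 * 60 + $3}')
    [ "$secs" -le $((720 * 3600)) ]
}

# policy_args_to_cron <days> <hour> [minute] [ttl]
# Prints "min hour * * days" or returns 1 if any value is outside what the
# command accepts (defaults: minute 0, TTL 720h0m0s).
policy_args_to_cron() {
    days=$1; hour=$2; min=${3:-0}; ttl=${4:-720h0m0s}
    # hour and minute must be non-negative integers; leading zeros as in the
    # page's "--hour 00 --min 05" example are accepted
    case $hour in ''|*[!0-9]*) return 1 ;; esac
    case $min in ''|*[!0-9]*) return 1 ;; esac
    hour=$(awk -v v="$hour" 'BEGIN{print v + 0}')
    min=$(awk -v v="$min" 'BEGIN{print v + 0}')
    [ "$hour" -le 23 ] && [ "$min" -le 59 ] || return 1
    # days are comma separated with no spaces, so split on commas only
    cron_days=""
    old_ifs=$IFS; IFS=,
    for d in $days; do
        n=$(day_to_cron "$d") || { IFS=$old_ifs; return 1; }
        cron_days="${cron_days:+$cron_days,}$n"
    done
    IFS=$old_ifs
    [ -n "$cron_days" ] || return 1
    ttl_ok "$ttl" || return 1
    echo "$min $hour * * $cron_days"
}

# Example: policy_args_to_cron sun,fri 23 30   prints   30 23 * * 0,5
```

Run the validator on the intended arguments first; if it prints a cron line, pass the same values to sudo tos backup policy set and confirm the result with sudo tos backup policy get.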

sudo tos backup status

Description

Show details of backups currently in progress.

Syntax

[<ADMIN> ~]$ sudo tos backup status

Sample Output

$ sudo tos backup status
Found active backup "23-august-2021-16-18"
$ sudo tos backup status
No active backup was found

sudo tos backup storage set

Description

Sets either local or remote backup storage. Remote storage is supported for all cloud providers (AWS/Azure/GCP) on public cloud only, not on private cloud.

Syntax

$ sudo tos backup storage set --location <LOCATION> [--conf <CONF_PATH>] [--provider <PROVIDER_TYPE>]

For an external location, provide either --conf <CONF_PATH> or --provider <PROVIDER_TYPE>.

Parameters

  • <LOCATION> (Mandatory): Location of the backup storage. Possible values:
    • external: S3-compatible storage
    • local: local path on the primary node (/opt/tufin/data/volumes/minio/velerok8s/backups)
  • <CONF_PATH> (Optional): For an external location, the path to a configuration file that contains the required fields for the provider (see Provider Details). If you do not provide this file, you must provide a value for <PROVIDER_TYPE>, and you will be prompted for these fields.
  • <PROVIDER_TYPE> (Optional): For an external location, a string that indicates the provider. Possible values: aws, azure, gcp, minio. If you do not use this parameter, you must provide a <CONF_PATH> file with the required fields and values (see Provider Details).

Provider Details

In the configuration file, provide the following fields for your provider:

AWS:

  provider: aws
  bucket: <bucket_name>
  region: <region>
  secret-key: <secret_key>
  access-key: <access_key>

Azure:

  provider: azure
  bucket: <bucket_name>
  storage_account: <storage_account>
  storage_account_key: <storage_account_key>
  resource_group: <resource_group>
  subscription_id: <subscription_id>

GCP:

  provider: gcp
  project_id: <project_id>
  private_key_id: <private_key_id>
  private_key: <private_key>
  client_email: <client_email>
  client_id: <client_id>
  bucket: <bucket_name>

Minio:

  provider: minio
  bucket: <bucket-name>
  secret_key: <secret_key>
  access_key: <access_key>
  endpoint: <IP>:<PORT>

Example

$ sudo tos backup storage set --location external --provider aws
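A pre-flight check for a --conf file, as an added example that is not part of the TOS documentation or Tufin's tooling. It verifies that the file names a known provider and carries every field listed under Provider Details, and, because the file holds cloud credentials, that it is not readable by other users on the node. The one "field: value" per line layout is an assumption drawn from the table above; the sample file in the usage comment is constructed.

```shell
# Added example (not Tufin's code): validate a "tos backup storage set --conf"
# file before use. Assumes one "field: value" per line, as laid out under
# Provider Details. Field names are exactly those the page lists.

# conf_required_fields <provider>: print the required field names
conf_required_fields() {
    case $1 in
        aws)   echo "bucket region secret-key access-key" ;;
        azure) echo "bucket storage_account storage_account_key resource_group subscription_id" ;;
        gcp)   echo "project_id private_key_id private_key client_email client_id bucket" ;;
        minio) echo "bucket secret_key access_key endpoint" ;;
        *) return 1 ;;
    esac
}

# conf_value <file> <field>: print the value after "field:" (empty if absent)
conf_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_storage_conf <file>
# Returns 0 only if the provider is known, every required field is present
# with a non-empty value, and group/other permission bits are clear (mode 600)
check_storage_conf() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    provider=$(conf_value "$f" provider)
    fields=$(conf_required_fields "$provider") || { echo "unknown provider: '$provider'"; return 1; }
    rc=0
    for field in $fields; do
        if [ -z "$(conf_value "$f" "$field")" ]; then
            echo "missing field: $field"
            rc=1
        fi
    done
    # characters 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -l "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "credentials file $f is readable by group/other (expected mode 600)"
        rc=1
    fi
    return $rc
}

# Typical use (constructed path):
#   check_storage_conf /root/backup-storage.conf \
#       && sudo tos backup storage set --location external --conf /root/backup-storage.conf
```

The permission check reports rather than repairs; fix the mode explicitly (chmod 600) so the change is deliberate and visible in shell history.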

Certificate Management

This is a subset of commands related to certificates:


sudo tos certificate client generate

Description

Create an authorization certificate for an OPM device.

Syntax

[<ADMIN> ~]$ sudo tos certificate client generate [--id=<"ID">] [--output=<"OUTPUT.TAR.GZ">] [--help] [--debug]

Parameters

  • <ID> (Required): Certificate ID name.
  • <OUTPUT.TAR.GZ> (Required): Name of the file to be created.

sudo tos certificate import

Description

Import your own SSL certificates to authenticate and encrypt communications with your TOS server. Generation of certificates must be done outside of TOS Aurora (see Importing and Reverting a Signed Certificate). TOS Aurora must be stopped before running this command and started again afterwards.

Syntax

[<ADMIN> ~]$ sudo tos stop
[<ADMIN> ~]$ sudo tos certificate import [-t|--type="server"|"auth"|"syslog"] [-c|--cert=<CERT-PATH>] [-k|--key=<KEY-PATH>] [--ca=<CA-PATH>] [--help] [--debug]
[<ADMIN> ~]$ sudo tos run

*--type syslog is available from R22-2 PHF1.0.0

Parameters

  • --type= or -t= (Required): The type of certificate. Possible values: "server", "auth", "syslog".
  • --cert= or -c= <CERT-PATH> (Required): Location of the certificate.
  • --key= or -k= <KEY-PATH> (Required): Location of the private key.
  • --ca= <CA-PATH>: Location of the CA certificate. Required for type syslog from R22-2 PHF1.0.0; omit for other types.

Example

$ sudo tos certificate import --type="server" --cert=/tmp/certfile.pem --key=/tmp/keyfile.key
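Checks worth running on the certificate, key and CA files before sudo tos certificate import, as an added example that is not part of the TOS documentation or Tufin's tooling. It uses the openssl command line, not anything in TOS; the file paths are arguments (the page's example uses /tmp/certfile.pem and /tmp/keyfile.key), and the CA check corresponds to the --ca file that --type syslog requires. Importing a certificate whose key does not match, or that is already near expiry, costs a stop/start cycle of TOS Aurora, so these checks run while the service is still up.

```shell
# Added example (not Tufin's code): pre-import sanity checks with the openssl
# CLI. File paths are arguments; nothing here touches TOS itself.

# cert_key_match <cert.pem> <key.pem>
# Returns 0 if the private key's public part equals the certificate's public
# key (compares the SubjectPublicKeyInfo PEM, so it works for RSA and EC keys)
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for <cert.pem> [seconds]
# Returns 0 if the certificate is still valid for at least N seconds (default 0)
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# cert_ca_signs <cert.pem> <ca.pem>
# Returns 0 if the CA certificate verifies the certificate; relevant to the
# --ca file required for --type syslog
cert_ca_signs() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Typical use before a server import (paths from the page's example);
# 30 days is an arbitrary renewal margin chosen here:
#   cert_key_match /tmp/certfile.pem /tmp/keyfile.key \
#       && cert_valid_for /tmp/certfile.pem $((30 * 86400)) \
#       && echo "ok to run: sudo tos certificate import --type=\"server\" --cert=/tmp/certfile.pem --key=/tmp/keyfile.key"
```

All three functions are silent and return only an exit status, so they chain with && in the same way as the usage comment and can be dropped into a change checklist.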

sudo tos certificate renew

Description

Renew your existing SSL certificates to authenticate and encrypt communications with your TOS server. TOS Aurora must be stopped before running this command and started again afterwards.

Syntax

[<ADMIN> ~]$ sudo tos stop
[<ADMIN> ~]$ sudo tos certificate renew [-t|--type="server"|"auth"|"all"] [--help] [--debug]
[<ADMIN> ~]$ sudo tos run

Parameters

  • --type= or -t= (Required): Which certificates to renew. Possible values:
    • "server": Renew the self-signed server certificate used for the TOS Aurora web server.
    • "auth": Renew the self-signed authority certificate used to create OPM certificates.
    • "all": Renew both the server and the authority certificates.

Cluster Management

This is a subset of commands related specifically to clusters:

sudo tos cluster connect

Description

Connect a remote collector cluster to the central cluster. The command is run on the remote collector cluster and requires the one-time password generated beforehand by running tos cluster generate-otp on the central cluster.

Syntax

[<ADMIN> ~]$ sudo tos cluster connect --central-cluster-vip=<CENTRAL_VIP> --remote-cluster-vip=<REMOTE_VIP> --remote-cluster-name=<NAME> --initial-secret=<OTP>

Parameters

  • --central-cluster-vip (Required): External IP address (primary VIP or load balancer address) of your central server cluster.
  • --remote-cluster-vip (Required): External IP address (primary VIP or load balancer address) of the server you want to connect (the current server).
  • --remote-cluster-name (Required): Any alphanumeric string you choose; quotes are not used, so you cannot embed spaces.
  • --initial-secret (Required): One-time password returned by running tos cluster generate-otp on the central server.

sudo tos cluster disconnect-rc-cluster

Description

Disconnect a remote collector cluster from its central cluster.

Syntax

[<ADMIN> ~]$ sudo tos cluster disconnect-rc-cluster --cluster-id <ID>

Parameters

  • <ID> (Required): ID of the remote collector cluster, as displayed when running sudo tos cluster list.

sudo tos cluster generate-otp

Description

Run on the central server to which you want to connect a remote collector. It generates a one-time password (otp) that must be provided when connecting the remote collector using tos cluster connect. The password remains valid for about five minutes.

Syntax

[<ADMIN> ~]$ sudo tos cluster generate-otp

Example

[tufin-admin@TufinOS ~]$ sudo tos cluster generate-otp
4a120db6-401a-4991-b0c5-54ufc91c150c
[tufin-admin@TufinOS ~]$

sudo tos cluster ha disable

Description

Turn off high availability mode.

Steps

  1. On the primary data node:

    [<ADMIN> ~]$ sudo tos cluster ha disable [--force]

    --force should be used only if the cluster status is not healthy - see sudo tos status.

    On completion:

    • Replication of data to the additional data nodes will cease.

    • Data nodes other than the primary data node will contribute very little to the running of the cluster, and we recommend removing them using sudo tos cluster node remove.

  2. Verify that HA is no longer active by running sudo tos status on the primary data node.

sudo tos cluster ha enable

Description

Turn on high availability mode.

Prerequisites:

  • A total of three data nodes in your cluster.

Steps:

  1. On the primary data node:

    [<ADMIN> ~]$ sudo tos cluster ha enable

    Replication of data will commence. The time to completion will vary depending on the size of your database.

    On completion,  TOS Aurora will be in high availability mode.

  2. Verify that HA is active by running sudo tos status.

  3. We recommend defining a notification to inform you in the event of a change in the health of your cluster - see TOS Monitoring.

sudo tos cluster list

Description

List all remote collector clusters for a central cluster.

Syntax

[<ADMIN> ~]$ sudo tos cluster list <FORMAT>

Parameters

  • <FORMAT> (Required): Format of the output. Possible values: text (default), json.

sudo tos cluster node add

Description

This command adds a data node or worker node to the cluster.

Steps

  1. On the primary data node run:

    [<ADMIN> ~]$ sudo tos cluster node add --role=<TYPE>

    where <TYPE> is worker or data, depending on the type of node you want to add.

    On completion, a new command string is displayed, which you will need to run on the new node within one hour. If the allocated time expires, you will need to repeat the current step.

  2. Log in to the CLI of the server to be added as a new node in the cluster.

  3. On the new node, run the command string displayed on the primary data node in step 1 above. If the allocated time has expired, you will need to start from the beginning.
  4. Verify that the node was added by running sudo tos cluster node list on the primary data node.

sudo tos cluster node list

Description

This command lists all nodes in the cluster showing IP address, node status and other attributes for each.

Syntax

[<ADMIN> ~]$ sudo tos cluster node list [--output|-o <type>]

Parameters

  • --output or -o (Optional): Specifies that the output will be in json or text format. Default is text.
  • <type> (Optional): Format of the output if the output flag is used. Possible values: json, text.

Example Output:

# tos cluster node list -o text

Nodes list:

[ node1 ]
Status:  Ready
Role:  data
Primary:  true
Data-Enabled:  true

[ node2 ]
Status:  Ready
Role:  data
Primary:  false
Data-Enabled:  true

[ node3 ]
Status:  Ready
Role:  data
Primary:  false
Data-Enabled:  true

sudo tos cluster node remove

Description

This command removes a node definition from the cluster. If you want to replace a node, we recommend using sudo tos cluster node replace instead of removing and adding nodes.

When a node is removed from the cluster, the functions it performed and data it contained are transferred to the primary data node and/or other nodes.

Limitations

  • A data node cannot be removed from the cluster while high availability is active.

  • The command will not remove a node whose status is not healthy unless the --force flag is used. Running the command without the --force flag on the wrong node will not destroy the cluster, because the hostname is validated; however, running it with --force on the wrong node can destroy the cluster.

Steps

  1. Identify the node you want to remove and its status by running sudo tos cluster node list on the primary data node.

    • If the node is in a healthy state:

      1. On the primary data node, run:

        [<ADMIN> ~]$ sudo tos cluster node remove <node>

        where <node> (Required) is the hostname of the node to remove.

        On completion, a new command string is displayed, which you will need to run on the node you want to remove within 30 minutes. If the allocated time expires, you will need to repeat the current step.

      2. Log in to the CLI of the node to be removed.

      3. On the node to be removed, run the command string displayed on completion of the command above. On completion, all TOS-related directories and data will be deleted from the node, so make sure you run it on the correct node. Running the command on the wrong node will destroy the cluster.

    • If the node you want to remove is not in a healthy state:

      1. On the primary data node, run:

        [<ADMIN> ~]$ sudo tos cluster node remove <node> --force

        where <node> (Required) is the hostname of the node to remove. TOS directories will not be deleted from the node.

      2. If the machine is still serviceable, you can delete the TOS directories manually:

        [<ADMIN> ~]$ sudo rm -rf /opt/tufin/data/*
        [<ADMIN> ~]$ sudo rm -rf /opt/tufin/logs/*
        [<ADMIN> ~]$ sudo rm -rf /opt/tufin/migration/*
        [<ADMIN> ~]$ sudo rm -rf /opt/tufin/dumps/*

  2. Verify that the node has been removed by again running sudo tos cluster node list.

sudo tos cluster node replace

Description

Take the role of an existing node in the cluster and assign it to a new node, while removing the existing node from the cluster.

Limitations

  • If the existing node is not healthy, you must use the --force flag. This will allow the command to be run but will not delete the TOS Aurora data.

  • The new node cannot already be a node in the cluster.

  • The primary data node cannot be replaced using this command. You must first elect a different data node for the role, using sudo tos cluster set-primary.

Cluster and node status and health can be seen using sudo tos status.

Steps

To replace an existing node with a new one:

  1. On the primary data node:

    [primary data node]# sudo tos cluster node replace <OLD_NODE> [--force]

    Parameters

    • <OLD_NODE> (Required): Name of the node you want to remove, as seen in the output of sudo tos cluster node list.

    • --force (Optional): Use this flag only when the node you want to remove is not in a healthy state.

    On completion, one or two new command strings will appear in the output. The second command string appears only if the original node was in a healthy state, i.e. --force was not used.

  2. Copy/paste the first string and run it on the new node.

  3. If a second string appeared in the output from the command that you ran on the primary data node, copy/paste this string and run it on the old node.

  4. Verify that the nodes in the cluster are what you expected, by running sudo tos cluster node list on the primary data node.

sudo tos cluster node set-primary

Description

This command gives the role of primary data node to a data node in the cluster. It can be run on any data node.

When backup storage is set locally, backups are saved on the primary data node. In this case, when setting a different primary data node, existing backups will not be automatically copied to the new primary data node. Therefore, it is recommended to export the backups and import them after setting the primary data node.

When backup storage is set externally, backups are unaffected when you change the primary data node, and you can restore from the external backup storage.

Steps

  1. Run this command on the data node that you want to assume the role of primary data node:

    [Data Node]$ sudo tos cluster node set-primary [--force]

    TOS Aurora verifies that the cluster status is healthy (see sudo tos status). If there is an issue and you still want to reassign the primary data node, use the --force option. Note that this option is required when the current primary data node is down and you want to reassign the primary data node.

  2. Verify that the node roles are as you intended, by running sudo tos cluster node list on any data node.

  3. We strongly recommend performing a one-time backup and exporting it immediately, as all prior backups are unavailable from the original primary data node.

sudo tos cluster primary-vip get

Display the primary VIP of the cluster.

[<ADMIN> ~]$ sudo tos cluster primary-vip get

sudo tos cluster primary-vip set

Description

Change the primary VIP of the cluster, providing a valid IPv4 address. When completed, check that the command succeeded by running command tos cluster primary-vip get.

Syntax

[<ADMIN> ~]$ sudo tos cluster primary-vip set <11.22.33.44>

sudo tos cluster rotate-certificate

Description

Creates a new SSL certificate on a central server for connection with remote collectors.

Syntax

[<ADMIN> ~]$ sudo tos cluster rotate-certificate --central-cluster-vip=<CENTRAL-CLUSTER-VIP>

Parameters

  • --central-cluster-vip (Required): Primary VIP address of the central cluster.

sudo tos cluster syslog-vip add

Description

Add a syslog VIP, specifying the IP to use. This action temporarily stops TOS services until it completes, which may take 15 minutes or more.

Syntax

[<ADMIN> ~]$ sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] [--transport <STRING>]
sudo tos cluster syslog-vip add <SYSLOG_VIP> [--port <PORT>] [--transport <STRING>]

Parameters

Parameter

Description

Mandatory /Optional

Possible Values

<SYSLOG_VIP>

VIP of the cluster.

Mandatory

 

--port

Port on which the VIP listens. If omitted, the default is 514 for UDP; from R22-2 PHF1.0.0, the default for TCP is 6514.

Optional

UDP: 514

TCP: 10514, 6514

 

--transport 

Syslog transport protocol. By default, the transport protocol is UDP.

From R22-2 PHF1.0.0, when using TCP a syslog certificate must be imported beforehand.

Optional

UDP

TCP

sudo tos cluster syslog-vip list

Description

List all syslog VIPs.

Syntax

[<ADMIN> ~]$ sudo tos cluster syslog-vip list

sudo tos cluster syslog-vip remove

Remove a syslog VIP, specifying the VIP to remove. This action temporarily stops TOS services until it completes, which may take 15 minutes or more.

[<ADMIN> ~]$ sudo tos cluster syslog-vip remove <SYSLOG_VIP>

Configuration Management

tos config is a subset of commands for viewing and changing various TOS Aurora settings (properties). Its variants get, list, log-level, set and reset are each described below.

Global and Service-Specific Properties

There are two types of TOS property - global and service-specific. Some global properties can be changed freely to suit the needs of your organization; these are explained in Configuring TOS. However, the majority of properties - mostly service-specific but also some global - should be changed only if specific problems are encountered, and only with the guidance of Tufin support.

sudo tos config get

Description

Variant of sudo tos config. Display the current value of one or more TOS Aurora properties. By default, only properties that have been changed with sudo tos config set are shown; properties that have never been set, or that have been returned to their defaults with sudo tos config reset, are included only when the --default or -d flag is used. You can filter by service, by property, or both, or run the command without parameters to list all configured properties for all services.

Syntax

[<ADMIN> ~]$ sudo tos config get [-p param1,param2...][-s service][--default|-d]

Parameters

Parameter

Description

Required/Optional

-p

Used with one or more specified properties, separated by comma (no spaces). Displays only the specified properties; combine with -s to restrict the output to one service.

Optional

-s 

Used with a specified service. Displays only properties related to the specified service.

Optional

--default or -d 

Additionally include properties that still retain their default values. 

Optional

Examples

[<ADMIN> ~]$ sudo tos config get
[<ADMIN> ~]$ sudo tos config get -p server.timezone
[<ADMIN> ~]$ sudo tos config get -s tss -d
[<ADMIN> ~]$ sudo tos config get -p web.session.maxDuration,st.trace.Mem -s tss

Output Formats

No parameters - all properties in all services, sorted by property.

[<ADMIN> ~]$ sudo tos config get
SERVICE    PROPERTY    VALUE   MESSAGE
service1   property1   value
service2   property1   value
service3   property1   value
service1   property2   value
service2   property2   value
..
..
..

Parameter -s only - all properties for specified service

[<ADMIN> ~]$ sudo tos config get -s <service name>
SERVICE          PROPERTY    VALUE   MESSAGE
<service name>   property1   value
<service name>   property2   value
<service name>   property3   value   Awaiting approval
<service name>   property4   value   Authorized by IT
<service name>   property5   value
..
..
..

Parameter -p only - all specified properties in all services, sorted by property

[<ADMIN> ~]$ sudo tos config get -p <property1 name>,<property2 name>
SERVICE     PROPERTY           VALUE   MESSAGE
service 1   <property1 name>   value
service 2   <property1 name>   value   Changed by admin
service 2   <property2 name>   value
service 1   <property2 name>   value
service 5   <property2 name>   value
..
..
..

Parameter -p and -s - all specified properties for specified service

[<ADMIN> ~]$ sudo tos config get -p <property name> -s <service name>
SERVICE          PROPERTY    VALUE   MESSAGE
<service name>   property1   value
<service name>   property2   value
<service name>   property3   value
<service name>   property4   value
<service name>   property5   value
..
..
..

sudo tos config list

Description

Variant of sudo tos config. List properties that can be configured using sudo tos config set. Each property is listed followed by information such as description, default value, type, whether applicable globally or service-specific, and constraints such as values and format.

Syntax

[<ADMIN> ~]$ sudo tos config list [-p <property1>,<property2>...] [-s <service>] [--services] [--all]

Parameters

Parameter

Description

Required/Optional

No parameters

Lists only the global properties that you can modify without assistance from Tufin technical support to suit the needs of your organization - see User-Defined Global Properties.

Optional

-p 

Used with one or more specified properties, separated by comma (no spaces). Lists only the specified global properties that you can modify without assistance from Tufin technical support; any other property specified is ignored.

Optional

--services 

Lists all services including a description of each service without any related property details. 

Optional

--all 

Lists all properties that can be modified.

Optional

Output Format (all except when used with --services parameter)

[<ADMIN> ~]$ sudo tos config list
PROPERTY 1
  Description - <description>
  Default - <default value>
  Applicable on - global/service-specific
  Type - <string, boolean...>
  Constraints - values, format etc
PROPERTY 2
  Description - <description>
  Default - <default value>
  Applicable on - global/service-specific
  Type - <string, boolean...>
  Constraints - values, format etc
  ..
  ..

Examples

[<ADMIN> ~]$ sudo tos config list
[<ADMIN> ~]$ sudo tos config list -p server.timezone
[<ADMIN> ~]$ sudo tos config list -p server.timezone,web.session.inactivityTimeout
[<ADMIN> ~]$ sudo tos config list --all
[<ADMIN> ~]$ sudo tos config list --services

sudo tos config log-level

Description

Variant of sudo tos config. Use this command to manage the TOS Aurora log level.

Syntax

[<ADMIN> ~]$ sudo tos config log-level [command]

Parameters

Parameter

Description

Required/Optional

Possible values

command

Manage the TOS Aurora log level:

  • get: Retrieve the service log level.

  • reset: Reset log levels.

  • set: Set the service log level.

Optional

get

reset

set

sudo tos config set

Description

Variant of sudo tos config. Change one or more TOS Aurora properties.

There are two types of TOS property - global and service-specific. You are encouraged to modify global properties to suit the needs of your organization; list them with sudo tos config list. Service-specific properties should be changed only if specific problems are encountered, and only with the guidance of Tufin support.

Syntax

[<ADMIN> ~]$ sudo tos config set -p param1=val1[,param2=val2...] [-s service1,service2] [-c] [-m <TEXT>] [-d <DURATION>]

Parameters

Parameter

Description

Required/Optional

-p

One or more specified property/value pairs, separated by comma (no spaces).

Required

-s 

Used with one or more specified services, separated by comma (no spaces). When not specified, sets only global properties; when specified, sets only properties of the specified services. Global properties (see sudo tos config list) cannot be set for a specific service.

Optional

-c 

Skip the confirmation prompt.

Optional

-m <TEXT>

Attach a description to the change. <TEXT> is shown in the MESSAGE column of sudo tos config get, which makes it the place to record the reason for the change or the approving ticket. Quote the text if it contains spaces.

Optional

-d <DURATION>

Time period after which the properties revert to their previous values. Format xxu, where xx is an integer and u is s, m or h (seconds, minutes, hours), for example 24h.

Optional

Examples

[<ADMIN> ~]$ sudo tos config set -p load.model=medium -d 24h -m "temporary change of load for a day"
[<ADMIN> ~]$ sudo tos config set -p st.trace.Mem=false -s tss

sudo tos config reset

Description

Variant of sudo tos config. Reset one or more TOS Aurora settings to their default values.

Syntax

[<ADMIN> ~]$ sudo tos config reset -p param1[,param2...] [-s service1,service2] [-c]

Parameters

Parameter

Description

Required/Optional

-p

One or more properties to reset, separated by comma (no spaces). No value is given, since each property returns to its default.

Required

-s 

Used with one or more specified services, separated by comma (no spaces). When not specified, resets only global properties; when specified, resets only properties of the specified services.

Optional

-c 

Skip confirmation.

Optional

Examples

[<ADMIN> ~]$ sudo tos config reset -p load.model
[<ADMIN> ~]$ sudo tos config reset -p st.trace.Mem -s tss

Disaster Recovery Management

This is a subset of commands related to disaster recovery:

sudo tos dr connect

Run this command on the cluster that will be designated as the standby cluster.

Description

Connects the standby cluster with the active cluster. After the connection is complete, most of the services in the standby cluster are shut down.

Syntax

[<ADMIN> ~]$ sudo tos dr connect [-n <NAME>] -p <IP_ADDRESS> -t <TOKEN>

Parameters

Parameter

Description

Required/Optional

Possible Values

-n or --name

Name of the Disaster Recovery (DR) cluster.

Optional

Default: hostname of the primary node

This parameter is required if you changed the name when running sudo tos dr init.

-p or --peer-cluster

IP address of peer cluster primary node.

Required

 

-t or --token

Token generated on the active cluster, used to authenticate this connection.

Required

Value printed by sudo tos dr generate-token on the active cluster

Example

$ sudo tos dr connect -p 192.168.32.23 -t Zbk7lwH4Qu7rINz8DvuwjQgJgpWjcsgtxKe3h90=
[Jul 18 10:39:07]  INFO Local cluster state is "StandBy"	

sudo tos dr disable

Run this command to disable disaster recovery on a cluster with DR.

Description

Disables DR on the cluster.

Syntax

[<ADMIN> ~]$ sudo tos dr disable

sudo tos dr generate-token

Run this command on the cluster that will be designated as the active cluster.

Description

Generates a unique token that is used to authenticate the connection between the two clusters.

Syntax

[<ADMIN> ~]$ sudo tos dr generate-token

Example

$ sudo tos dr generate-token
[Jul 18 10:38:45]  INFO Please save the token and use it when running the connect command from remote peer
Token: z1obGYNhdcb85rsDI7IrygGfMP5rHFq50iygPcEWxnE=		

sudo tos dr init

Run this command on the cluster that will be designated as the active cluster.

Description

Initializes DR on a cluster and makes it the active cluster. The backup destination must be set to external storage before running. The command also sets the backup policy in the same way as sudo tos backup policy set.

Syntax

[<ADMIN> ~]$ sudo tos dr init [-n <NAME>][--rate <RATE>][--hour <HOUR>][--minute <MINUTE>]

Parameters

Parameter

Description

Required/Optional

Possible Values

-n or --name

Not used. For future use.

N/A

N/A

--rate

Backup frequency (in hours).

Optional

24 (default), 12, 8, 6

--hour

Hour when the first daily backup occurs. Format is HH.

Optional

Default: 00

--minute

Minute of the hour when the first daily backup occurs. Format is mm.

Optional

Default: 00

Example

$ sudo tos dr init 
[Jul 18 10:38:34]  INFO DR initialization finished successfully	

sudo tos dr status

Description

Display the DR status of the active and standby peers. The standby cluster can see the backups taken on the active cluster.

Syntax

[<ADMIN> ~]$ sudo tos dr status

Example

$ sudo tos dr status 
DR configuration: 
  Backup policy rate: 24H
  Hour: 0:0h

Last valid backup: 2022-07-26 06:10:40 +0000 UTC

Local cluster status:
  Name: local
  State: Active, Ready
  Last Update: 2022-07-26 09:33:45 +0300 IDT

Peer cluster status:  
  Name: remote
  State: StandBy, Ready
  Last Update: 2022-07-26 13:53:22 +0300 IDT
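A standby that quietly stops being Ready, or a pair in which both sides believe they are Active, defeats the purpose of DR, so the status above is worth checking from a monitoring job rather than by eye. As an added example, not part of the Tufin documentation and not how tos itself evaluates status, the POSIX shell below parses the sudo tos dr status output shown above (embedded here as constructed sample input) and flags three conditions: no last valid backup on record, either side not Ready, and anything other than exactly one Active and one StandBy cluster. The field labels are the ones in the sample output; the health rules and the function names are our assumptions.

```shell
#!/bin/sh
# Added example, not part of the Tufin reference. Reads `sudo tos dr status`
# output and checks the shape a healthy pair should have: one Active and one
# StandBy cluster, both Ready, and a last valid backup on record. Labels are
# those shown in the reference's sample; the health rules are our assumptions.

# Constructed sample input: the reference's own example output, verbatim.
sample_dr_status() {
    cat <<'EOF'
DR configuration: 
  Backup policy rate: 24H
  Hour: 0:0h

Last valid backup: 2022-07-26 06:10:40 +0000 UTC

Local cluster status:
  Name: local
  State: Active, Ready
  Last Update: 2022-07-26 09:33:45 +0300 IDT

Peer cluster status:  
  Name: remote
  State: StandBy, Ready
  Last Update: 2022-07-26 13:53:22 +0300 IDT
EOF
}

# _check_ready WHO STATE: 0 if STATE ends in ", Ready", else report and fail.
_check_ready() {
    case $2 in
        *", Ready") return 0 ;;
    esac
    echo "$1 cluster not Ready: '${2:-missing}'"
    return 1
}

# dr_status_check < OUTPUT: print one line per finding and return the number
# of findings, so 0 means healthy.
dr_status_check() {
    _section=; _local=; _peer=; _backup=; _problems=0
    while IFS= read -r _line; do
        case $_line in
            "Local cluster status:"*) _section=local ;;
            "Peer cluster status:"*)  _section=peer ;;
            "Last valid backup:"*)    _backup=${_line#*: } ;;
            *"State:"*)
                _state=${_line#*State: }
                case $_section in
                    local) _local=$_state ;;
                    peer)  _peer=$_state ;;
                esac ;;
        esac
    done
    if [ -z "$_backup" ]; then
        echo "no valid backup recorded"; _problems=$((_problems + 1))
    fi
    _check_ready local "$_local" || _problems=$((_problems + 1))
    _check_ready peer "$_peer" || _problems=$((_problems + 1))
    # Exactly one side Active and the other StandBy, in either order.
    case "$_local|$_peer" in
        Active,*"|"StandBy,*|StandBy,*"|"Active,*) ;;
        *) echo "expected one Active and one StandBy cluster, got '$_local' and '$_peer'"
           _problems=$((_problems + 1)) ;;
    esac
    return $_problems
}

# Run against the embedded sample; on a live system pipe the real command in:
#   sudo tos dr status | dr_status_check
sample_dr_status | dr_status_check && echo "DR pair healthy"
```

The check deliberately treats a missing "Last valid backup" line as a finding rather than as an unknown: a switch (sudo tos dr switch) restores the latest completed backup, so a pair without one is not actually recoverable.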

sudo tos dr switch

Description

Switches activity between peer clusters.

Syntax

[<ADMIN> ~]$ sudo tos dr switch [-b <BACKUP_NAME>]

Parameters

Parameter

Description

Required/Optional

Possible Values

<BACKUP_NAME>

Backup to use for the switch.

Optional

Default: latest completed backup will be used

Example

$ sudo tos dr switch
[Jul 18 10:46:55]  INFO Switching current peer to Active
[Jul 18 10:46:55]  INFO Setting peer to "Switch" mode	

General Commands

This is a subset of general commands for installing, starting, stopping, inspecting and uninstalling TOS Aurora:

sudo tos completion

Description

Adds the ability to use auto-completion for commands or arguments in a Linux shell session. Run these commands:

Syntax

[<ADMIN> ~]$ sudo tos completion bash > ~/.bash
[<ADMIN> ~]$ source ~/.bash

sudo tos help

Description

List all available TOS CLI commands.

Syntax

[<ADMIN> ~]$ sudo tos help

sudo tos install

Description

Initiate the installation of TOS Aurora on your system.

Syntax

[<ADMIN> ~]$ sudo tos install [-m|--migrate] [-c|--clean] [--dry-run] [-r|--reindex] --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> [--services-network=<SERVICE-CIDR>] [--pod-network=<PODS-CIDR>] [--load-model=<LOAD>]

Parameters

Parameter

Description

Required/Optional

Possible Values

-m or --migrate

Upgrade from TOS Classic, migrating its data.

Optional

 

-c or --clean 

Clean install.

Optional

 

--dry-run

Runs through all the steps without installing anything.

Optional

 
<PRIMARY> 

Either the VIP you will use to access an on-premises deployment, or the text external if you are installing on a cloud VM (for example, Azure).

Required

 

<SERVICE-CIDR> 

Dedicated range of IP addresses to allocate to TOS Aurora services, in the format 11.22.0.0/16. It must not overlap with <PODS-CIDR>. If you omit this parameter, the default 10.100.0.0/16 is used.

Optional

Default: 10.100.0.0/16

<MODULE-TYPE>

Type of module.

Required

  • ST for SecureTrack only
  • ST,SC for both SecureTrack and SecureChange
  • RC for a remote collector

<PODS-CIDR>

The CIDR to use for the Kubernetes pods network, as described in Prerequisites. It must not overlap with <SERVICE-CIDR>. If you omit this parameter, the default 10.244.0.0/16 is used.

Optional

Default: 10.244.0.0/16

<LOAD>  

Processing load you expect your system to handle, obtained from your account team based on your sizing calculation. extra-large is not supported for public cloud deployments.

Optional

small, medium (default), large, extra-large

-r or --reindex 

Initiates a database reindex when upgrading. Use only if instructed by Tufin support.

Optional

 
    Examples

    [<ADMIN> ~]$ sudo tos install --migrate --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=small
    [<ADMIN> ~]$ sudo tos install --clean --modules=RC --primary-vip=external --services-network=10.10.10.0/24 --load-model=large
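Two of the install arguments are easy to get wrong and expensive to fix afterwards: --primary-vip must be a dotted-quad IPv4 address or the literal word external (the same address rule applies to sudo tos cluster primary-vip set), and --services-network must not overlap --pod-network, including the pod-network default when that flag is omitted. As an added example, not code from the Tufin documentation or from the tos tool, the POSIX shell below performs both checks before you run the real command. The function names and the check_install_args wrapper are ours; the two default networks are the ones the reference documents.

```shell
#!/bin/sh
# Added example, not part of the Tufin reference. Pre-flight checks for the
# address arguments of `tos install` and `tos cluster primary-vip set`: a
# dotted-quad validator and an overlap test for the two CIDRs the reference
# says must not overlap. Default networks are the documented ones.

# valid_ipv4 ADDR: true if ADDR is a dotted quad with octets in 0..255.
# Octets with leading zeros are rejected because shells read them as octal.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    _ip=$1; _oldifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ip2int ADDR: print ADDR as a 32-bit integer (ADDR must already be valid).
ip2int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/LEN B/LEN: 0 if the blocks share an address, 1 if they are
# disjoint, 2 if either argument is malformed.
cidr_overlap() {
    case $1 in */*) ;; *) return 2 ;; esac
    case $2 in */*) ;; *) return 2 ;; esac
    _a=${1%/*}; _al=${1#*/}; _b=${2%/*}; _bl=${2#*/}
    for _l in "$_al" "$_bl"; do
        case $_l in ''|*[!0-9]*) return 2 ;; esac
        [ "$_l" -le 32 ] || return 2
    done
    valid_ipv4 "$_a" && valid_ipv4 "$_b" || return 2
    # The shorter prefix is the wider block; the two overlap exactly when
    # both addresses agree on that many leading bits.
    _len=$_al
    if [ "$_bl" -lt "$_len" ]; then _len=$_bl; fi
    _mask=$(( (0xFFFFFFFF << (32 - _len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$_a") & _mask )) -eq $(( $(ip2int "$_b") & _mask )) ]
}

# check_install_args PRIMARY SERVICE-CIDR [PODS-CIDR]: validate the values
# you intend to pass as --primary-vip, --services-network and --pod-network.
# Prints a verdict; returns 0 only when every check passes.
check_install_args() {
    _vip=$1; _svc=$2; _pods=${3:-10.244.0.0/16}   # documented pod-network default
    if [ "$_vip" != external ] && ! valid_ipv4 "$_vip"; then
        echo "primary-vip must be an IPv4 address or the word external: $_vip"
        return 1
    fi
    _rc=0; cidr_overlap "$_svc" "$_pods" || _rc=$?
    case $_rc in
        0) echo "services-network $_svc overlaps pod-network $_pods"; return 1 ;;
        2) echo "malformed CIDR: $_svc or $_pods"; return 1 ;;
    esac
    echo "ok: --primary-vip=$_vip --services-network=$_svc --pod-network=$_pods"
}

# The values from the reference's first install example:
check_install_args 192.168.1.2 10.10.10.0/24
```

Run check_install_args with the same values you are about to give tos install; it exits non-zero with a one-line reason on the first problem, so it can gate an installation script.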

    sudo tos maintenance

    Description

    tos maintenance lets you put TOS Aurora into maintenance mode, a state in which users cannot access the UI and communication with devices and connected clusters is halted. Only command line access is allowed.

    Syntax

    [<ADMIN> ~]$ sudo tos maintenance --mode <state>

    Parameters

    Parameter

    Description

    Required/Optional

    Possible Values

    <state>

    TOS state

    Required

    on puts TOS into maintenance mode

    off takes TOS out of maintenance mode

    Examples

    [<ADMIN> ~]$ sudo tos maintenance --mode on
    [<ADMIN> ~]$ sudo tos maintenance --mode off

    sudo tos report

    Description

    Create a file containing a list of cluster events, similar to sudo tos status history.

    Syntax

    [<ADMIN> ~]$ sudo tos report [-f|--file <FILE> [--overwrite]] [-s|--since <HMS>]

    Parameters

    Parameter

    Description

    Required/Optional

    -f or --file

    Specifies that you will provide a file name for the output. If not specified, a default name in the format report-<TIMESTAMP>.tar.gz is used.

    Optional

    <FILE>

    File name for the output file.

    Optional

    --overwrite

    Overwrite any existing files and directories with the same names without prompting. If --overwrite is not included and files or directories with the same name already exist, the command fails with an error.

    Optional; applies only when -f or --file is specified 

    -s or --since  

    Indicates that you will provide an age limit for the events to be included.

    Optional

    <HMS>  

    Age limit for events to be included, in the format hms. For example: 36h30m0s - 36 hours and 30 minutes. If not specified, a default value of 336 hours (14 days) will be used. 

    Required when -s or --since specified 

    Examples

    [<ADMIN> ~]$ sudo tos report -f myreport
    [<ADMIN> ~]$ sudo tos report -s 12h30m30s
    [<ADMIN> ~]$ sudo tos report

    sudo tos restore

    Description

    Restore your data from a single backup from the same TOS release and version (for example, backups made under R22-2PHF4.0.0 can only be restored to an R22-2PHF4.0.0 deployment).

    If you are restoring a remote collector cluster, you must reconnect the RC to the central cluster after the restore. If you are restoring a central cluster with remote collectors attached, you must reconnect all remote collectors after the restore.

    The backup policy is not included in backups, so after restoring you must configure a new backup policy using tos backup policy set.

    Tufin auto-generated certificates will be automatically re-created on the first connection following the restore.

    We strongly recommend using the screen command before proceeding.

    Syntax

    [<ADMIN> ~]$ sudo tos restore from-backup <BACKUP-NAME>

    Parameters

    Parameter

    Description

    Required/Optional

    <BACKUP-NAME>

    Name of a single backup, as shown in the tos backup list command.

    Required

    Examples

    • sudo tos restore from-backup 26-october-2020-11-49 (for on-demand backups)
    • sudo tos restore from-backup tufin-scheduler-20201208073700 (for scheduled backups)

    sudo tos run

    Description

    Start the TOS Aurora services. The alias start can be used instead.

    Syntax

    [<ADMIN> ~]$ sudo tos run [-p|--preset]

    Parameters

    Parameter

    Description

    Required/Optional

    -p or --preset

    Show the configuration preset file.

    Optional

    sudo tos start

    Description

    An alias for sudo tos run.

    Syntax

    [<ADMIN> ~]$ sudo tos start

    sudo tos status

    Description

    Display information about your TOS Aurora system.

    Syntax

    [<ADMIN> ~]$ sudo tos status

    Example Output:

    [<ADMIN> ~]$ sudo tos status
    Tufin Orchestration Suite 2.0
    System Status: Ok
    System Mode:   High Availability
    Nodes:
    3 Data Nodes. Total 5 nodes. Nodes are healthy.
    Components:
    Cassandra:       Ok
    Mongodb:         Ok
    Mongodb_sc:      Ok
    Nats:            Ok
    Neo4j:           Ok
    Postgres:        Ok
    Postgres_sc:     Ok

    sudo tos status history

    Description

    List cluster events, similar to sudo tos report.

    Syntax

    [<ADMIN> ~]$ sudo tos status history [-r|--reverse] [-s|--since <HMS>]

    Parameters

    Parameter

    Description

    Required/Optional

    -r or --reverse

    Specifies to list the events in reverse chronological order (from most recent to oldest). If not included, the events will be listed from the oldest to the most recent.

    Optional

    -s or --since  

    Indicates that you will provide an age limit for the events to be included.

    Optional

    <HMS>  

    Age limit for events to be included, in the format hms. For example: 36h30m0s - 36 hours and 30 minutes. If not specified, a default value of 336 hours (14 days) will be used. 

    Required when -s or --since specified 

    Examples

    [<ADMIN> ~]$ sudo tos status history --reverse
    [<ADMIN> ~]$ sudo tos status history -s 12h30m0s
    [<ADMIN> ~]$ sudo tos status history
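The CLI uses two different duration syntaxes: sudo tos config set -d takes a single integer plus one unit (xxu, for example 24h), while the -s/--since option of sudo tos report and sudo tos status history takes the hms form (for example 36h30m0s, the default being 336h). Mixing them up is a common cause of rejected commands, and during an incident you usually want the -s value computed from the incident start rather than typed by hand. As an added example, not code from the Tufin documentation or the tos CLI, the POSIX shell helpers below parse and produce both formats. The function names and the since_arg helper are ours; since_arg assumes a date command that supports +%s when the current time is not supplied.

```shell
#!/bin/sh
# Added example, not part of the Tufin reference. Helpers for the two duration
# syntaxes the CLI uses: `xxu` (one integer plus s/m/h) for `tos config set -d`,
# and `hms` (e.g. 36h30m0s) for `tos report -s` and `tos status history -s`.
# Defaults and sample values come from the reference; the code is ours.

# digits_to_int TEXT: print TEXT as a decimal integer, stripping leading zeros
# so that "08" is not read as a broken octal literal by the shell.
digits_to_int() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    _n=${1#"${1%%[!0]*}"}
    echo "${_n:-0}"
}

# xxu_to_seconds XXU: seconds for a `tos config set -d` duration such as 24h.
xxu_to_seconds() {
    _num=${1%?}; _unit=${1#"$_num"}
    _num=$(digits_to_int "$_num") || return 1
    case $_unit in
        s) echo "$_num" ;;
        m) echo $(( _num * 60 )) ;;
        h) echo $(( _num * 3600 )) ;;
        *) return 1 ;;
    esac
}

# hms_to_seconds HMS: seconds for a -s/--since age such as 36h30m0s. Each
# component is optional but must carry a unit: "12h", "90m" and "1h30m" are
# accepted, "12" and "12 h" are not.
hms_to_seconds() {
    _s=$1; _total=0
    [ -n "$_s" ] || return 1
    while [ -n "$_s" ]; do
        _digits=${_s%%[!0-9]*}            # leading run of digits
        _n=$(digits_to_int "$_digits") || return 1
        _rest=${_s#"$_digits"}
        _unit=${_rest%"${_rest#?}"}        # first character after the digits
        case $_unit in
            h) _total=$(( _total + _n * 3600 )) ;;
            m) _total=$(( _total + _n * 60 )) ;;
            s) _total=$(( _total + _n )) ;;
            *) return 1 ;;
        esac
        _s=${_rest#?}
    done
    echo "$_total"
}

# seconds_to_hms N: canonical HhMmSs string, ready to pass to -s.
seconds_to_hms() {
    _n=$(digits_to_int "$1") || return 1
    echo "$(( _n / 3600 ))h$(( _n % 3600 / 60 ))m$(( _n % 60 ))s"
}

# since_arg START_EPOCH [NOW_EPOCH]: the -s value that reaches back to START
# (for example the first alert of an incident). NOW defaults to the current
# time via `date +%s`, which GNU and BSD date both support.
since_arg() {
    _now=${2:-$(date +%s)}
    [ "$_now" -ge "$1" ] || return 1
    seconds_to_hms $(( _now - $1 ))
}

# Constructed epochs: an incident that began 12h30m30s before 2023-01-01 00:00 UTC.
since_arg 1672486170 1672531200
```

A typical use is sudo tos report -s "$(since_arg "$INCIDENT_START")", which captures cluster events back to the start of the incident without rounding to whole hours.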

    sudo tos stop

    Description

    Stop all TOS Aurora services. This process may take time.

    Syntax

    [<ADMIN> ~]$ sudo tos stop [-y|--confirm] [--force]

    Parameters

    Parameter

    Description

    Required/Optional

    -y or --confirm

    Suppresses warning messages and confirmation prompts.

    Optional

    --force

    If this parameter is included, no warning messages appear before files are deleted.

    Optional

    sudo tos uninstall

    Steps

    1. If high availability is enabled, disable it as described in step 2; otherwise continue with step 3.

    2. On the primary data node, run:

      [<ADMIN> ~]$ sudo tos cluster ha disable [--force]

      --force should be used only if the cluster status is not healthy - see sudo tos status.

      On completion:

      • Replication of data to the additional data nodes will cease.

      • Data nodes other than the primary data node will contribute very little to the running of the cluster and we recommend removing them using sudo tos cluster node remove.

      • Verify that HA is no longer active by running sudo tos status on the primary data node.

    3. If your cluster contains nodes other than the primary data node, remove them:

      1. Identify the node you want to remove and its status by running sudo tos cluster node list on the primary data node.

        • If the node is in a healthy state:

          1. On the primary data node, run:

            [<ADMIN> ~]$ sudo tos cluster node remove <node>

            Parameters

            Parameter

            Description

            Required/Optional

            <node>

            Hostname of the node to remove, as shown by sudo tos cluster node list.

            Required

            On completion, a new command string is displayed, which you will need to run on the node you want to remove within 30 minutes. If the allocated time expires, you will need to repeat the current step.

          2. Log in to the CLI of the node to be removed.

          3. On the node to be removed, run the command string displayed on completion of the command above. On completion, all TOS-related directories and data will be deleted from the node, therefore make sure you run it on the correct node. Running the command on the wrong node will destroy the cluster.


        • If the node you want to remove is not in a healthy state:

          1. On the primary data node, run:

            [<ADMIN> ~]$ sudo tos cluster node remove <node> --force

            Parameters

            Parameter

            Description

            Required/Optional

            <node>

            Hostname of the node to remove, as shown by sudo tos cluster node list.

            Required

            TOS directories are not deleted from the node.

          2. If the machine is still serviceable, you can delete the TOS directories manually:

            [<ADMIN> ~]$ sudo rm -rf /opt/tufin/data/*
            [<ADMIN> ~]$ sudo rm -rf /opt/tufin/logs/*
            [<ADMIN> ~]$ sudo rm -rf /opt/tufin/migration/*
            [<ADMIN> ~]$ sudo rm -rf /opt/tufin/dumps/*
      2. Verify that the node has been removed by again running sudo tos cluster node list.
    4. Uninstall TOS Aurora from your system. This removes the software components but not your data.

      [<ADMIN> ~]$ sudo tos uninstall
    5. After the uninstall command has completed, a number of directories will remain on your primary data node. Run the commands below to remove all directories except backups and other data that you may need in the future:

      [<ADMIN> ~]$ sudo rm -rf /opt/tufin/data/*
      [<ADMIN> ~]$ sudo rm -rf /opt/tufin/logs/*
      [<ADMIN> ~]$ sudo rm -rf /opt/tufin/migration/tmp
      [<ADMIN> ~]$ sudo rm -rf /opt/tufin/migration/log
      [<ADMIN> ~]$ sudo rm -rf /opt/tufin/migration/tos2-upgrade
      [<ADMIN> ~]$ sudo rm -rf /opt/tos/.install
      [<ADMIN> ~]$ sudo rm -rf /opt/tos/.update
      [<ADMIN> ~]$ sudo rm -rf /tmp/tufin

      In addition, if the SC module was enabled:

      [<ADMIN> ~]$ sudo rm -rf /opt/tufin/migration/sc-server

      An alternative to deleting the sub-directories from /opt/tufin and /opt/tos is to delete /opt/tufin and /opt/tos entirely; however, this also removes data that you may need in the future, including backups and installation files:

      [<ADMIN> ~]$ sudo rm -rf /opt/tufin/
      [<ADMIN> ~]$ sudo rm -rf /opt/tos/
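The warning above about running the node-removal command on the wrong node applies just as much to these rm -rf lines, which are typically pasted into whichever SSH session happens to be in front of you. As an added example, not part of the Tufin documentation, the POSIX shell function below removes exactly the leftover paths the reference lists, but refuses to act unless the machine's node name (uname -n) matches the host you name on the command line, supports a DRY_RUN mode that only reports what it would delete, and accepts an optional root prefix so the procedure can be rehearsed against a scratch directory. Anything not listed, including backups, is left in place. The function and variable names are ours; run it only after sudo tos uninstall has completed.

```shell
#!/bin/sh
# Added example, not part of the Tufin reference: remove the post-uninstall
# leftovers the reference lists, guarded so that it cannot run on the wrong
# node. Paths are the documented ones; the hostname guard, DRY_RUN mode and
# optional ROOT prefix (for rehearsing in a scratch tree) are ours.

# Directories whose contents are removed; the directory itself is kept.
TOS_CLEAR_CONTENTS="/opt/tufin/data /opt/tufin/logs"
# Paths removed outright.
TOS_REMOVE_PATHS="/opt/tufin/migration/tmp /opt/tufin/migration/log /opt/tufin/migration/tos2-upgrade /opt/tos/.install /opt/tos/.update /tmp/tufin"
# Removed only when the SecureChange (SC) module was enabled.
TOS_REMOVE_SC="/opt/tufin/migration/sc-server"

# remove_path PATH: delete PATH, or only report it when DRY_RUN is set.
remove_path() {
    if [ -n "${DRY_RUN:-}" ]; then echo "would remove $1"; else rm -rf -- "$1"; fi
}

# cleanup_tos_leftovers EXPECTED_HOST [ROOT] [with-sc]
# Does nothing unless this machine's node name equals EXPECTED_HOST, so a
# session that is accidentally on another cluster node deletes nothing.
cleanup_tos_leftovers() {
    _expected=$1; _root=${2:-}; _with_sc=${3:-}
    _actual=$(uname -n)
    if [ "$_actual" != "$_expected" ]; then
        echo "refusing: this host is '$_actual', expected '$_expected'" >&2
        return 1
    fi
    if [ -n "$_root" ] && [ ! -d "$_root" ]; then
        echo "refusing: root prefix '$_root' is not a directory" >&2
        return 1
    fi
    for _d in $TOS_CLEAR_CONTENTS; do
        [ -d "$_root$_d" ] || continue
        # Three globs cover plain names, dotfiles and names starting with "..";
        # an unmatched glob stays literal and is skipped by the -e/-L test.
        for _entry in "$_root$_d"/* "$_root$_d"/.[!.]* "$_root$_d"/..?*; do
            [ -e "$_entry" ] || [ -L "$_entry" ] || continue
            remove_path "$_entry"
        done
    done
    _paths=$TOS_REMOVE_PATHS
    if [ "$_with_sc" = with-sc ]; then _paths="$_paths $TOS_REMOVE_SC"; fi
    for _p in $_paths; do
        [ -e "$_root$_p" ] || continue
        remove_path "$_root$_p"
    done
}

# Rehearsal on this host: report only, delete nothing.
( DRY_RUN=1; cleanup_tos_leftovers "$(uname -n)" )
```

On the real node the call is sudo sh -c '. ./cleanup.sh; cleanup_tos_leftovers primary-node-name' (adding with-sc if SecureChange was enabled); repeat it with DRY_RUN=1 first and compare the listed paths against sudo tos backup list's location before committing.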

    sudo tos update

    Description

    Update TOS from an earlier version of TOS Aurora. See Upgrade From TOS Aurora.

    sudo tos version

    Description

    Get information about the TOS Aurora and supporting software installed on your system.

    • TOS Aurora
    • Helm
    • Kubernetes
    • CLI - TufinOS command line interface

    Syntax

    [<ADMIN> ~]$ sudo tos version [-f|--full] [-o|--output=text|json|yaml]

    Parameters

    Parameter

    Description

    Required/Optional

    Possible Values

    -f or --full

    Provides additional information about Kubernetes core services, including image path, tags, and build details.

    Optional

     

    -o or --output

    Specifies the output format.

    Optional

    text (default)

    json

    yaml

    Tufin Extensions (formerly Tufin Marketplace)

    These commands are used for the management of Tufin extensions (formerly Tufin Marketplace apps) and Professional Services (PS) solutions. Tufin extensions are normally installed and upgraded by executing the downloaded run file, as explained in the appropriate Tufin Extensions KC.

    sudo tos apps list

    Description

    List all installed Tufin extensions and Professional Services solutions.

    Syntax

    [<ADMIN> ~]$ sudo tos apps list [--output|-o <type>]

    Parameters

    Parameter

    Description

    Mandatory/Optional

    Possible Values

    --output or -o

    Specifies that the output will be in yaml or json format instead of plain text.

    Optional

     

    <type>

    Format of the output when the output flag is used.

    Optional

    json

    yaml

    Examples

    [tufin-admin@TufinOS ~]$ sudo tos apps list
    NAME          TITLE                    STATUS     PROVIDER   VERSION   INSTALLATION DATE
    qa-test-app   PS Customizations test   Deployed   ps         1.2.5     2021-09-14
    ps-proxy      PS Proxy                 Deployed   ps         1.0.0     2021-09-14

    [tufin-admin@TufinOS ~]$ sudo tos apps list -o yaml
    items:
    - name: qa-test-app
      title: PS Customizations test
      status: Deployed
      provider: ps
      version: 1.2.5
      creationTimestamp: "2021-09-14"
    - name: ps-proxy
      title: PS Proxy
      status: Deployed
      provider: ps
      version: 1.0.0
      creationTimestamp: "2021-09-14"

    sudo tos apps install

    Description

    This is meant for installing a PS solution from a .tar file. It is not normally used for Tufin extensions, which are installed by executing the downloaded run file as explained in the Tufin Extensions KC.

    Syntax

    [<ADMIN> ~]$ sudo tos apps install <FILE-NAME> [--no-wait]

    Parameters

    Parameter

    Description

    Mandatory/Optional

    <FILE-NAME>

    Full path of the installation file that you have placed on your server.

    Mandatory

    --no-wait

    If specified, the installation will run in the background, freeing up the command line.

    Optional

    sudo tos apps upgrade

    Description

    This is meant for upgrading a PS solution from a .tar file. It is not normally used for Tufin extensions, which are upgraded by executing the downloaded run file as explained in the Tufin Extensions KC.

    Syntax

    [<ADMIN> ~]$ sudo tos apps upgrade <FILE-NAME>

    Parameters

    Parameter

    Description

    Mandatory/Optional

    <FILE-NAME>

    Full path of the installation file that you have placed on your server.

    Mandatory

    sudo tos apps uninstall

    Description

    Remove an installed Tufin extension or Professional Services solution.

    Syntax

    [<ADMIN> ~]$ sudo tos apps uninstall <NAME>

    Parameters

    Parameter

    Description

    Mandatory/Optional

    <NAME>

    Name of the extension as it appears in the output of sudo tos apps list.

    Mandatory

    Module Management

    A subset of commands to add, remove and list the active modules of TOS Aurora: sudo tos modules add, sudo tos modules list and sudo tos modules remove.

    There are three types of modules:

    • SecureTrack (ST)

    • SecureChange (SC)

    • Remote Collector (RC)

    sudo tos modules add

    Description

    Add a module to TOS Aurora. In the current release, only the SecureChange module can be added.

    Syntax

    [<ADMIN> ~]$ sudo tos modules add SC

    sudo tos modules list

    List the active TOS Aurora modules. The alias ls can be used instead.

    [<ADMIN> ~]$ sudo tos modules list

    sudo tos modules remove

    Description

    Remove a module from TOS Aurora. In the current release, only the SecureChange module can be removed. When you remove a SecureChange module, both SecureChange and SecureApp data is removed. The alias rm can be used instead.

    Syntax

    [<ADMIN> ~]$ sudo tos modules remove SC

    Profile Management

    This is a subset of commands for exporting, importing, reloading and displaying the configuration profile of TOS Aurora:

    sudo tos profile export

    Description

    Create a file containing the definitions of the current configuration of your TOS Aurora setup (see sudo tos profile show). The exported file can be modified and used to update the current configuration using the sudo tos profile import command.

    Syntax

    [<ADMIN> ~]$ sudo tos profile export <FILE>

    Parameters

    Parameter

    Description

    Required/Optional

    <FILE>

    Path of the profile file to be created. If it already exists you will be prompted to overwrite.

    Required

    sudo tos profile import

    Description

    Place a new or changed configuration into the TOS Aurora cluster. The change can be made in a file previously exported with the sudo tos profile export command, or in a clean file containing only the sections that need to change, in which case the --merge parameter must be used. The imported profile does not take effect until you run sudo tos profile reload, as shown below.

    Syntax

    [<ADMIN> ~]$ sudo tos profile import [--merge] <FILE>
    [<ADMIN> ~]$ sudo tos profile reload

    Parameters

    Parameter

    Description

    Required/Optional

    --merge

    Merges the imported profile into the existing profile: definitions in the import file that do not exist in the current profile are added, and definitions that already exist are replaced by the imported values. If --merge is not specified, the import file replaces the entire current profile, so a partial file imported without --merge drops every definition it does not contain.

    Optional

    <FILE>

    Path of the profile file to import.

    Required

    sudo tos profile reload

    Description

    Update the current profile of your TOS Aurora application and server with the settings of a profile imported with the command sudo tos profile import.

    Syntax

    [<ADMIN> ~]$ sudo tos profile reload
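    The export, import --merge and reload sequence described above, wrapped in a shell script that keeps an owner-only copy of the pre-change profile before anything is imported. This is an added example written for this page, not Tufin's own code. The TOS_CMD and PROFILE_BACKUP_DIR variables, the backup directory path and the function names are the example's own assumptions; the tos subcommands and flags are the ones documented in this section.

```shell
#!/bin/bash
# Added example, not Tufin's code: apply a partial profile change safely.
# Assumptions (not from the page): TOS_CMD lets you substitute the tos command
# (for instance a stub for a dry run); PROFILE_BACKUP_DIR is a directory we choose.
set -euo pipefail

TOS_CMD="${TOS_CMD:-sudo tos}"
PROFILE_BACKUP_DIR="${PROFILE_BACKUP_DIR:-/root/tos-profile-backups}"

# Export the live profile to a fresh, owner-only file and print its path.
# The export includes database details, so it is kept at mode 0600 in a 0700 directory.
profile_backup() {
  mkdir -p "$PROFILE_BACKUP_DIR"
  chmod 700 "$PROFILE_BACKUP_DIR"
  local out
  out="$PROFILE_BACKUP_DIR/profile-$(date +%Y%m%d-%H%M%S)-$$.yaml"
  # A unique name avoids the overwrite prompt; stdin is closed so the export cannot hang
  # waiting for an answer, and its output goes to stderr so only the path is returned.
  $TOS_CMD profile export "$out" </dev/null >&2
  chmod 600 "$out"
  printf '%s\n' "$out"
}

# Merge a fragment (only the sections to change) into the live profile and reload so the
# change takes effect. Refuses a missing or empty fragment so a typo in the path cannot
# silently import nothing. To roll back, import the printed backup without --merge and reload.
profile_apply_merge() {
  local fragment="$1" backup
  if [ ! -s "$fragment" ]; then
    echo "fragment missing or empty: $fragment" >&2
    return 1
  fi
  backup="$(profile_backup)"
  $TOS_CMD profile import --merge "$fragment"
  $TOS_CMD profile reload
  echo "applied $fragment; pre-change profile saved at $backup"
  # To confirm what was imported: $TOS_CMD profile show --imported
}
```

    Always use --merge with a fragment file: imported without it, the fragment would replace the whole profile with only the sections it contains. The backup printed by the function is a full export, so it can be re-imported without --merge to restore the previous state.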

    sudo tos profile show

    Description

    Display the current configuration of your TOS Aurora setup. Information displayed includes:

    • Tufin Orchestration Suite settings
    • Tomcat settings
    • TOS Aurora image version
    • Load balancer IP - the IP required to connect to TOS Aurora through the browser and from devices
    • TOS Aurora timezone (could be different from the server timezone)
    • Database details

    Syntax

    [<ADMIN> ~]$ sudo tos profile show [--imported]

    Example Output

    [root@TufinOS3-0029 ~]$ sudo tos profile show
    core:
      tss:
        TosConfig:
          CommitManagerService:
            maxConnections:
            ..
          ..
        ..

    Parameters

    Parameter

    Description

    Required/Optional

    -i or --imported

    Displays the configuration of the profile most recently imported with sudo tos profile import, rather than the live configuration.

    Optional

    Scripts Management

    This is a subset of commands that allows you to list, download, upload and delete the SecureChange scripts stored on the SecureChange node:

    sudo tos scripts sc list

    Description

    List files and directories containing the SecureChange scripts you have uploaded.

    Syntax

    [<ADMIN> ~]$ sudo tos scripts sc list [relative path on SecureChange] [-l|--detailed]

    Include -l or --detailed to show details of each entry (permissions, owner, group, size and modification time), for example:

    $ sudo tos scripts sc list --detailed
    -rwxrwxr-x 1 1000 1000 35 Dec 15 11:17 basic.yaml
    -rwxr-xr-x 1 1000 1000 267346 Dec 15 11:17 metrics
    -rwxr-xr-x 1 1000 1000 292 Dec 15 11:17 promui.yaml
    -rwxr-xr-x 1 1000 1000 298 Dec 15 11:15 promui1.yaml
    drwxr-xr-x 2 root root 23 Dec 15 11:17 myfile
    -rwxr-xr-x 1 1000 1000 11 Dec 15 11:17 myfile.txt
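    A check a practitioner would run against that listing, before and after a sudo tos scripts sc push, as an added example written for this page rather than Tufin's code: it parses the ls -l style lines and flags every entry whose mode grants write access to the group or to others, as basic.yaml (-rwxrwxr-x) does above. The function names are the example's own and the sample listing is a constructed copy of the output shown above. The page does not state which account executes the uploaded scripts, so the check reports only the permission bits and leaves the judgement to the operator.

```shell
#!/bin/bash
# Added example, not Tufin's code: audit the output of
# "sudo tos scripts sc list --detailed" for scripts writable by group or others.
set -euo pipefail

# Read ls -l style lines on stdin and print "<name> <mode>" for each entry whose
# group write bit (6th mode character) or other write bit (9th) is set.
# Returns 1 if any such entry was found, 0 otherwise.
audit_script_listing() {
  local found=0 mode links owner group size mon day time name
  while read -r mode links owner group size mon day time name; do
    [ -n "$mode" ] || continue
    case "$mode" in
      [-dl]*) ;;          # regular file, directory or symlink entry
      *) continue ;;      # skip anything that is not a mode string (e.g. "total N")
    esac
    case "$mode" in
      ?????w*|????????w*)
        printf '%s %s\n' "$name" "$mode"
        found=1 ;;
    esac
  done
  [ "$found" -eq 0 ]
}

# Constructed sample: a copy of the listing shown on this page.
SAMPLE_LISTING='-rwxrwxr-x 1 1000 1000 35 Dec 15 11:17 basic.yaml
-rwxr-xr-x 1 1000 1000 267346 Dec 15 11:17 metrics
-rwxr-xr-x 1 1000 1000 292 Dec 15 11:17 promui.yaml
drwxr-xr-x 2 root root 23 Dec 15 11:17 myfile
-rwxr-xr-x 1 1000 1000 11 Dec 15 11:17 myfile.txt'

# Run the audit over the sample; prints "basic.yaml -rwxrwxr-x" and returns 1.
audit_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_script_listing
}

# Against a live node the same function is fed directly (assumed invocation):
#   sudo tos scripts sc list --detailed | audit_script_listing
```

    The mode check is deliberately conservative: a script that group 1000 or any local user can rewrite is a script whose content is no longer what the uploader reviewed, regardless of who later runs it. Fix the permissions locally and push again with --overwrite rather than chmod-ing on the node, so the local copy stays the source of truth.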

    sudo tos scripts sc pull

    Description

    Download SecureChange scripts from SecureChange.

    Syntax

    [<ADMIN> ~]$ sudo tos scripts sc pull <path on local host> <relative path on SecureChange> [--overwrite]

    Parameters

    Parameter

    Description

    Required/Optional

    <path on local host>

    Path of a directory.

    Required

    <relative path on SecureChange>

    Path of a single file or a directory. In the case of a directory, all sub-directories will be included. If provided, is relative to the default SecureChange script location. If not provided, the default SecureChange script location is used.

    Optional

    --overwrite

    Overwrite any existing local files and directories with the same names without further prompts. If --overwrite is not included and files or directories with the same names already exist, the command stops with an error.

    Optional

    The command copies files and directories, including sub-directories, from the SecureChange node to the local directory.

    sudo tos scripts sc push

    Description

    Upload SecureChange scripts to SecureChange.

    The default SecureChange script location is /opt/tufin/data/securechange/scripts/.

    Syntax

    [<ADMIN> ~]$ sudo tos scripts sc push <path on local host> <relative path on SecureChange> [--overwrite]

    Parameters

    Parameter

    Description

    Required/Optional

    <path on local host>

    Path of a single file or a directory. In the case of a directory, all sub-directories will be included.

    Required

    <relative path on SecureChange>

    Path of a directory. If provided, it is relative to the default SecureChange script location. If not provided, the default SecureChange script location is used.

    Optional

    --overwrite

    Overwrite any existing files and directories without additional prompts.

    Optional

    sudo tos scripts sc remove

    Description

    Deletes files and directories, including sub-directories, in the designated SecureChange script directory. The aliases rm and delete can be used instead.

    If the [--force] parameter is not included, a warning message will appear before files are deleted.

    Syntax

    [<ADMIN> ~]$ sudo tos scripts sc remove [relative path on SecureChange] [--force]

    Parameters

    Parameter

    Description

    Required/Optional

    <relative path on SecureChange>

    Script directory on SecureChange, relative to the default SecureChange script location (/opt/tufin/data/securechange/scripts/).

    Optional

    --force

    If this parameter is included, no warning messages appear before files are deleted.

    Optional