Set Up a Non-TufinOS Server

Proceed only if...

  1. You have completed all the checks on your current TOS Classic system and the results indicate you are ready to set up your target machine.
  2. Your target platform meets all general and platform-specific prerequisites.
  3. You have available all IP, DNS and other information needed to set up the server and TOS Aurora. We recommended putting this information in your worksheet and sharing with relevant administrators.

Otherwise, go back.

In this step you will:

  • Configure your server/VM ready to install TOS Aurora

Overview

This procedure describes how to configure a server / VM that has a supported non-Tufin operating system already installed, so that a TOS Aurora cluster can be installed on it or it can be added as a node to an existing TOS Aurora cluster.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • If you have made a previous unsuccessful attempt to install TOS Aurora, you must uninstall and remove all data and then reboot before reinstalling (see Uninstalling)

  • Some commands must be preceded with screen, see Screen Command.
  • You cannot use IP Tables with TOS Aurora. In addition, all IP Tables rules will be flushed when installing.
  • Your servers must have sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. The resources required can be categorized by system size.

    To evaluate the size of system you need, see Sizing Calculation for a Clean Install.

  • All resources need to be dedicated to the TOS Aurora machine. Do not use shared CPU or memory and if the datastore is shared, the disk performance must meet the requirements at all times.

  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • Do not run third party applications on the Tufin Appliance. Do not share the CPU, memory, or IOPS.

  • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    If you need assistance, consult with your sales engineer or Tufin support.

  • Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

  • We recommend that you have all nodes in the cluster run on the same operating system. Therefore, if you are adding a new node running on RHEL 8 or Rocky Linux 8 to a cluster running on RHEL 7 or CentOS 7, also upgrade the entire cluster to RHEL 8 or Rocky Linux 8 (RHEL 8 and Rocky Linux 8 are only supported for R22-2 PHF1.0.0 and later).

Operating System Requirements

  • Host: Physical server / VMware ESXi 6.5, 6.7, 7.0 or 8.0 (ESXi 8.0 requires TufinOS 4.20 or later) vSphere

  • OS distribution:
    • Red Hat Enterprise Linux 8.6, 8.8, or 8.9
    • Rocky Linux 8.6, 8.8, or 8.9
  • Disks: Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

  • Language: en-US

  • You will need to configure three partitions: /opt, /tmp and /var, as well as a separate disk for etcd. The /opt partition will contain your data, which will increase over time. Most of your available disk space should be allocated to this partition and the minimum is determined by the load model parameter (small, medium, large) provided by your account team. Minimum sizes for all partitions:

    Minimum Partition Sizes

    /opt/

    (Small)*

    /opt/

    (Medium)*

    /opt/

    (Large)*

    /tmp/

     

    /var/

     

    etcd

    Central cluster / remote cluster primary data node / HA data nodes 80 GB 170 GB 370 GB 25 GB 200GB 128 GB
    Worker node (central and remote clusters) 70 GB 70 GB 70 GB 25 GB 60 GB N/A

    *Small, medium and large refer to the load model parameter provided by your account team.

    We recommend allocating /opt partition all remaining disk space after you have partitioned the other directories.

    For assistance with disk partitioning, see Increasing the Partition Size on a Virtual Machine.

  • The kernel must be up-to-date
  • SELinux must be disabled
  • rsync, wireguard and screen must be installed for transferring data, in-cluster encryption and launching shell sessions respectively
  • Required modules must get loaded using a configuration file /etc/modules-load.d/tufin.conf containing entries:

    br_netfilter
    wireguard
    overlay
    ebtables
    ebtable_filter
    br_netfilter wireguard overlay ebtables ebtable_filter
  • Permanent kernel parameters must be set. For example, using a configuration file /etc/sysctl.d/tufin.conf containing entries:

    net.bridge.bridge-nf-call-iptables = 1
    fs.inotify.max_user_watches = 1048576
    fs.inotify.max_user_instances=10000
    net.ipv4.ip_forward = 1
    net.bridge.bridge-nf-call-iptables = 1 fs.inotify.max_user_watches = 1048576 fs.inotify.max_user_instances=10000 net.ipv4.ip_forward = 1
  • Network configurations for your interface must be set to manual IPv4 with gateway and DNS Servers set to the IPs used by your organization.

    The system will use a reverse DNS lookup (PTR record) to resolve the DNS IP addresses with the domain name during the TOS installation. Therefore you have to add these PTR records to the DNS server. If you do not, the TOS installation will fail.
  • You must have permissions to execute TOS CLI commands located in directory /usr/local/bin/tos and to use sudo if necessary.

  • To run TOS CLI commands without specifying the full path (/usr/local/bin/tos), your environment path must be modified accordingly.

  • The server timezone must be set.

Configure Partitions

If not done already, set up partitions according to the Prerequisites.

Configure the Operating System

  1. If you are not currently logged in as user root, do so now.

    [<ADMIN> ~]$ su -
    su -
  2. If you want to change the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name.

    [<ADMIN> ~]# hostnamectl set-hostname <mynode>
    hostnamectl set-hostname <mynode>
  3. Modify the environment path to run TOS CLI commands without specifying the full path (/usr/local/bin/tos).

    [<ADMIN> ~]# echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null
    echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null
  4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony.

  5. Configure the server timezone.

    [<ADMIN> ~]# timedatectl set-timezone <timezone>
    timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague. List the time-zone formats that can be used in the command.

    [<ADMIN> ~]# timedatectl list-timezones
    timedatectl list-timezones
  6. Upgrade the kernel:

    [<ADMIN> ~]# dnf upgrade
    dnf upgrade
  7. Disable SELinux:

    • If file /etc/selinux/config exists, edit and change the value of SELINUX to disabled:

      SELINUX=disabled
    • If the file doesn't exist or SELINUX is already set to disabled, do nothing.
  8. Reboot the machine and log in.
  9. Install Wireguard. This is needed to encrypt communication between nodes (machines) within the cluster. See Install Wireguard and follow the steps for your Linux distribution.
  10. Reboot the machine and log in.
  11. Install screen and rsync:

    [<ADMIN> ~]# dnf install -y rsync screen
    dnf install -y rsync screen
  12. Disable the firewall:

    [<ADMIN> ~]# systemctl stop firewalld
    systemctl stop firewalld
    [<ADMIN> ~]# systemctl disable firewalld
    systemctl disable firewalld
  13. Create the TOS Aurora load module configuration file /etc/modules-load.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/modules-load.d/tufin.conf
    vi /etc/modules-load.d/tufin.conf
  14. Specify the modules to be loaded by adding the following lines to the configuration file created in the previous step. The modules will then be loaded automatically on boot.

    br_netfilter
    wireguard
    overlay
    ebtables
    ebtable_filter
    br_netfilter wireguard overlay ebtables ebtable_filter
  15. Load the above modules now:

    [<ADMIN> ~]# cat /etc/modules-load.d/tufin.conf |xargs modprobe -a 
    cat /etc/modules-load.d/tufin.conf |xargs modprobe -a

    Look carefully at the output to confirm all modules loaded correctly; an error message will be issued for any modules that failed to load.

  16. Check that Wireguard has loaded correctly.

    [<ADMIN> ~]# lsmod |grep wireguard
    lsmod |grep wireguard

    The output will appear something like this:

    wireguard              201106  0
    ip6_udp_tunnel         12755  1 wireguard
    udp_tunnel             14423  1 wireguard
    

    If Wireguard is not listed in the output, contact support.

  17. Create the TOS Aurora kernel configuration file /etc/sysctl.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/sysctl.d/tufin.conf
    vi /etc/sysctl.d/tufin.conf
  18. Specify the kernel settings to be made by adding the following lines to the configuration file created in the previous step. The settings will then be applied on boot.

    net.bridge.bridge-nf-call-iptables = 1
    fs.inotify.max_user_watches = 1048576
    fs.inotify.max_user_instances = 10000
    net.ipv4.ip_forward = 1
    net.bridge.bridge-nf-call-iptables = 1 fs.inotify.max_user_watches = 1048576 fs.inotify.max_user_instances = 10000 net.ipv4.ip_forward = 1
  19. Apply the above kernel settings now:

    [<ADMIN> ~]# sysctl --system
    sysctl --system
For maximum security, we recommend only installing official security updates and security patches for your Linux distribution, as well as the RPMs specifically mentioned in this section.

Can I Proceed?

Continue to the next step only if...

  • You have completed the setup described above.