Prepare a Node on a Tufin Appliance

Overview

This procedure is for preparing a Tufin appliance before adding it as a node to an existing TOS Aurora cluster.

For all other installation procedures, such as installing TOS Aurora and adding nodes on other platforms, see the menu for the appropriate procedure.

If you are preparing a data node, start with high availability.

If you are preparing a worker node, start with multi-node cluster.

Read and understand Prerequisites, then proceed with Set Up TufinOS.

Prerequisites

General Requirements

  • You cannot use iptables. All existing iptables rules are flushed when the node is added to the cluster.
  • Your servers must have sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. Consult your sales engineer or Tufin support to ensure your resources are sufficient.

Tufin Appliance Requirements

Network Requirements

  • You must allow access to required Ports and Services.
  • If you intend to use syslog, allocate a syslog VIP on the same subnet as your primary VIP.
  • The node's network IP must be on the same subnet as the cluster primary VIP.

  • Make sure your first physical interface is correctly configured and that no other interface is on the same network as it. Otherwise, network errors such as connectivity failures and incorrect traffic routing might occur.

    To find the first network interface (the first one in PCI order), run the following command:

    [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

Set Up TufinOS

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.

Skip any steps that have already been done when following the quick-start guides T-800 / T-1200 or T1000XL / T-1100.

  1. Open a command line via SSH to the eth0 IP address (default: 192.168.1.100).

  2. Log in with user tufin-admin and password admin.

    You will be prompted to set a new password.

  3. Run the command:

    [<ADMIN> ~]$ sudo switch-tos-mainstream

    When prompted to reconfigure TufinOS, select yes. This process takes about five minutes.

  4. Reboot the appliance and log in again as tufin-admin.
  5. Optional (TufinOS 3.100 and later): create a password for the root user.

    1. Log in as the tufin-admin user.

    2. Run the following command:

      [<ADMIN> ~]$ sudo passwd root

    3. Enter the password and then retype it.

  6. If you want to change the host name or IP address of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address requires reinstalling - see Changing IP Address/Host Names. To change the host name, run the command below, replacing <mynode> with your preferred name:

    [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
  7. Configure the server timezone:

    [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.

    To view a list of the time-zone formats that can be used, run:

    [<ADMIN> ~]$ sudo timedatectl list-timezones
  8. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.

  9. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32):

    Use one of these two configuration methods:

    • Method 1: (Recommended) Run this command:

      [<ADMIN> ~]$ sudo nmtui edit <Interface Name>

      and set the following parameters in the window:

      • Set IPv4 CONFIGURATION to Manual
      • Set Addresses for the physical IP, together with the chosen subnet
      • Set Gateway and DNS Servers to the IPs used by your organization
    • Method 2: Edit the configuration files directly:

      1. Edit file /etc/sysconfig/network-scripts/ifcfg-<Interface Name>: For example:

        sudo vi /etc/sysconfig/network-scripts/ifcfg-ens32

      2. Change line BOOTPROTO=dhcp to BOOTPROTO=static

      3. Add entries at the end of the file:

        IPADDR=<NEWIP>
        NETMASK=<MyNetmask>
        GATEWAY=<MyGateway>
        DNS1=<DNS_IP1>
        DNS2=<DNS_IP2>

        where

        <NEWIP> is the physical machine IP

        <MyNetmask> , <MyGateway>, <DNS_IP1>, and <DNS_IP2> are the appropriate values for your network

    Restart the network service.

    [<ADMIN> ~]$ sudo systemctl restart network
  10. Change the host name to a name that is unique within the cluster, if you did not already do so in step 6. Replace <mynode> with your preferred name.

    [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
  11. Synchronize the time with the primary data node. The simplest way is for all servers in the cluster to synchronize to the same NTP source, using ntpd or chrony, as described in step 8.
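A pre-flight script for the two places on this page where a wrong value is easy to enter and expensive to undo: the Network Requirements (the first PCI-ordered interface must hold an address on the primary VIP's subnet, and no other interface may be on that network) and Method 2 of step 9 (the static ifcfg entries). This is an added example for this page, not Tufin tooling and not part of TufinOS; the function names, the VIP 10.1.1.100/24, the interface name ens32 and the sample `ip -o -4 addr show` output are assumptions constructed for the example. It is plain POSIX sh so it can be run as-is from the tufin-admin shell.

```shell
#!/bin/sh
# Added example, not Tufin's own tooling. Pre-flight checks for the Network
# Requirements above and a non-interactive version of Method 2 in step 9.
# Assumed for the example: the cluster primary VIP is 10.1.1.100 on a /24,
# the first PCI-ordered interface (per network_interface_by_pci_order.sh) is
# ens32, and the `ip -o -4 addr show` output below is constructed, not real.

# Dotted-quad IPv4 -> unsigned 32-bit integer. Runs in a subshell so changing
# IFS for the split does not leak out. Leading zeros are rejected because the
# shell would otherwise read "010" as octal.
ip4_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Prefix length (0..32) -> netmask as an integer.
prefix_to_int() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Dotted netmask -> prefix length; non-contiguous masks (255.0.255.0) fail.
netmask_to_prefix() {
    m=$(ip4_to_int "$1") || return 1
    p=0
    while [ "$p" -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do
        p=$((p + 1))
    done
    [ "$m" -eq "$(prefix_to_int "$p")" ] || return 1
    echo "$p"
}

# same_subnet A B PREFIX: true when A and B are in the same /PREFIX network.
same_subnet() {
    a=$(ip4_to_int "$1") && b=$(ip4_to_int "$2") && m=$(prefix_to_int "$3") || return 1
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_node_network IFACE VIP PREFIX  (reads `ip -o -4 addr show` on stdin)
# Passes only if IFACE has an address on the VIP subnet and no other interface
# (loopback excluded) has an address on that subnet.
check_node_network() {
    iface=$1; vip=$2; plen=$3; first_ok=1; rc=0
    while read -r idx name fam cidr rest; do
        [ "$fam" = inet ] || continue
        addr=${cidr%/*}
        if [ "$name" = "$iface" ]; then
            same_subnet "$addr" "$vip" "$plen" && first_ok=0
        elif [ "$name" != lo ] && same_subnet "$addr" "$vip" "$plen"; then
            echo "FAIL: $name ($cidr) is on the VIP subnet; only $iface may be" >&2
            rc=1
        fi
    done
    if [ "$first_ok" -ne 0 ]; then
        echo "FAIL: $iface has no address on the VIP subnet $vip/$plen" >&2
        rc=1
    fi
    return $rc
}

# make_static_ifcfg FILE IP NETMASK GATEWAY DNS1 DNS2 VIP
# Method 2 from step 9 without the editor: validates every value, refuses an IP
# that is not on the VIP subnet, then sets BOOTPROTO=static and appends the
# entries the procedure lists. Needs GNU sed (-i), as on TufinOS.
make_static_ifcfg() {
    file=$1; newip=$2; mask=$3; gw=$4; dns1=$5; dns2=$6; vip=$7
    plen=$(netmask_to_prefix "$mask") || { echo "bad netmask: $mask" >&2; return 1; }
    for a in "$newip" "$gw" "$dns1" "$dns2"; do
        ip4_to_int "$a" >/dev/null || { echo "bad address: $a" >&2; return 1; }
    done
    same_subnet "$newip" "$vip" "$plen" ||
        { echo "$newip/$plen is not on the primary VIP subnet ($vip)" >&2; return 1; }
    same_subnet "$gw" "$newip" "$plen" ||
        { echo "gateway $gw is not on $newip/$plen" >&2; return 1; }
    sed -i 's/^BOOTPROTO=.*/BOOTPROTO=static/' "$file" &&
        printf 'IPADDR=%s\nNETMASK=%s\nGATEWAY=%s\nDNS1=%s\nDNS2=%s\n' \
            "$newip" "$mask" "$gw" "$dns1" "$dns2" >> "$file"
}

# Constructed sample: ens32 on the VIP subnet, ens33 on a separate network.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens32    inet 10.1.1.5/24 brd 10.1.1.255 scope global noprefixroute ens32\       valid_lft forever preferred_lft forever
3: ens33    inet 192.168.50.5/24 brd 192.168.50.255 scope global noprefixroute ens33\       valid_lft forever preferred_lft forever'
# Same host, but ens33 was also put on the VIP subnet: must be rejected.
SAMPLE_IP_ADDR_BAD='2: ens32    inet 10.1.1.5/24 brd 10.1.1.255 scope global ens32\       valid_lft forever preferred_lft forever
3: ens33    inet 10.1.1.6/24 brd 10.1.1.255 scope global ens33\       valid_lft forever preferred_lft forever'

# On the appliance itself: ip -o -4 addr show | check_node_network ens32 10.1.1.100 24
printf '%s\n' "$SAMPLE_IP_ADDR" | check_node_network ens32 10.1.1.100 24 && echo "sample: prerequisites OK"
printf '%s\n' "$SAMPLE_IP_ADDR_BAD" | check_node_network ens32 10.1.1.100 24 || echo "bad sample rejected as expected"
```

On a real appliance, pipe the live `ip -o -4 addr show` output into `check_node_network` with the interface name reported by network_interface_by_pci_order.sh and your cluster's primary VIP before step 9, and point `make_static_ifcfg` at `/etc/sysconfig/network-scripts/ifcfg-<Interface Name>` (with a backup of the file first), then restart the network service as in step 9. The same subnet check is the one that matters for a syslog VIP, which the Network Requirements also put on the primary VIP's subnet.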