Clean Install of TOS Aurora/TufinOS 4.30 on a Tufin Appliance via RMM (Gen 4)

Overview

This procedure is for a clean installation of TOS Aurora with TufinOS 4.30 on a T-800 or T-1220 Gen 4 Tufin appliance via a RMM. When performing this installation, any existing data on the machine will be deleted.

The Tufin Appliance is delivered with TufinOS pre-installed, and TOS Aurora ready to be installed (according to the instructions in the Quick Start Guide). However, there may be circumstances in which you will later need to reinstall TufinOS and TOS.

Tufin Orchestration Suite (TOS Aurora) includes SecureTrack, SecureChange and SecureApp. You will specify the applications you want to enable, when you run the install command.

High Availability (HA)

TOS Aurora can be set up to run as a high availability environment using three servers (nodes).

Distributed Deployment Using Remote Collectors

TOS Aurora can be set up to run as a distributed architecture using remote collectors (RC's).

The current procedure is meant for installing on both central and remote collector clusters. For more information, see remote collectors.

NFS

TufinOS 4.x does not support NFS on this TOS release. To use NFS we recommend installing R23-2, or a later TOS release. Your backup server needs to be running NFS 4.

If you still want to install this TOS release, you will need to upgrade to R23-2 PHF2.0.0 and later, or a later TOS release.

Alternatively, you can switch to local storage or one of the cloud storage options.

Other Installation Options

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • If you have made a previous unsuccessful attempt to install TOS Aurora, you must uninstall and reboot before reinstalling (see Uninstalling TOS)

  • You cannot use IP Tables with TOS Aurora. In addition, all IP Tables rules will be flushed when installing.
  • Your servers must have sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. The resources required can be categorized by system size.

    To evaluate the size of system you need, see Sizing Calculation for a Clean Install.

  • Do not run third party applications on the Tufin Appliance. Do not share the CPU, memory, or IOPS.

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    If you need assistance, consult with your sales engineer or Tufin support.

  • Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

  • Complete the preliminary set up described in the T-800 / T-1200 quick start guide.

Network Requirements

  • You must allow access to required Ports and Services.

  • Allocate a 24-bit CIDR subnet for the Kubernetes service network and a16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

    The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with:

    • Each other

    • The physical addresses of your TOS Aurora servers (see below)

    • Your primary VIP, Syslog VIP or external load balancer IP (see below)

    • Any other subnets communicating with TOS or with TOS nodes

  • If a proxy is configured on your system make sure this network is excluded.

  • You must have available the following dedicated IP addresses:

    • For on-premise deployments, a primary VIP that will serve as the external  IP address used to access TOS Aurora from your browser. The primary VIP will not be needed in the installation of the operating system, except in the final step - the installation command.
    • The physical network IP address of the first network interface used by the administrator for CLI commands. This is the IP address you will use in most steps of the procedure.
    • If additional nodes are subsequently added to the cluster, each node will require an additional dedicated physical network IP address.

    • Additional syslog VIPs can be allocated as needed.
    • The VIP, all node physical network IP addresses and all syslog VIPs must be on the first network interface.

    • Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

      To find the first network interface, run the following command:

      [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
      sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

      Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

  • You must have a DNS server that can resolve its own address using a reverse lookup.

Downloads

  1. Download the TufinOS 4.30 installation package from the Download Center.

  2. Download the TOS R23-1 PHF2.1.0 installation package from the Download Center.

  3. The downloaded files are in .tgz format <FILENAME>.tgz.

  4. Extract the TufinOS image from its archive.

    [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
    sudo tar xzvf <FILENAME>.tgz

    The run file name includes the release, version, build number, and type of installation.

    TufinOS USB file example: TufinOS-4.30-4368238-x86_64-Final.usb.img

  5. Verify the integrity of the TufinOS installation package.

    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.usb.img.sha256
    sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.usb.img.sha256

    The output should return OK

The Install Procedure

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.

Skip any steps that have already been done when following the quick-start guide: T-800 / T-1200

Install TufinOS

    Before beginning check that there are no physical USB thumb drives connected to the appliance.
  1. Open a browser, enter the RMM IP address and enter username and password to log in.

  2. On the System tab, in the Remote Console Preview area, click on the black area and accept any warning messages until the KVM window appears.

  3. In the KVM window go to Virtual Media > Virtual Storage. click on HD Image in Logical Drive Type and click Open Image.

  4. Select the image file, and click Open.

  5. Click Plug in > OK and confirm that the connection status is OK.

  6. Reboot the appliance.

  7. The TufinOS 4.30 installer launches.

  8. Select TufinOS 4.30 installation for TOS Aurora.

  9. Select Install 4.30 via KVM:
  10. When prompted, select Yes.

  11. When the installation is complete, reboot the appliance.

  12. When the BIOS POST starts, detach the TufinOS installation image. Go to Virtual Media > Virtual Storage, click Plug out, and then OK.

  13. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:

    • username:tufin-admin

    • password: admin

  14. The system requires that you change the password on the first login.

Set Up TufinOS

  1. If you want to reset the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name:

    [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
    sudo hostnamectl set-hostname <mynode>
  2. Configure the server timezone:

    [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
    sudo timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.

    To view a list of the time-zone formats that can be used, run:

    [<ADMIN> ~]$ sudo timedatectl list-timezones
    sudo timedatectl list-timezones
  3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.

  4. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32). If you have several network interfaces, configure the first one.

  5. To assign a static IP address:

    1. Run the command:

    2. [<ADMIN> ~]$ sudo nmtui edit <Interface Name>
      sudo nmtui edit <Interface Name>

      and set the following parameters in the window:

      • Set IPv4 CONFIGURATION to Manual
      • Set Addresses for the physical IP, together with the chosen subnet
      • Set Gateway and DNS Servers to the IPs used by your organization
    3. Restart the network service.
    4. [<ADMIN> ~]$ sudo systemctl restart NetworkManager.service
      sudo systemctl restart NetworkManager.service

Install TOS Aurora

  1. Run the tmux command:

    [<ADMIN> ~]$ tmux new-session -s TOS-Install
    tmux new-session -s TOS-Install
  2. On the target machine, create the directory /opt/misc/, if it does not exist already.

  3. Transfer the run file (already downloaded) to the /opt/misc/ directory.

  4. Go to /opt/misc/

  5. Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.

  6. [<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    [<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
  7. Extract the TOS run file from its archive.

    [<ADMIN> ~]$ tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
  8. The run file name includes the release, version, and build number.

    TOS file example: R23-1-pga0.0-final-4577.run

  9. Run the TOS Aurora run file.

    [<ADMIN> ~]$ cd /opt/misc/
    cd /opt/misc/
    [<ADMIN> ~]$ sudo sh <runfile>
    sudo sh <runfile>
  10. Run the install command, replacing the parameters:

    • <PRIMARY> - The VIP you will use to access TOS Aurora as described in Prerequisites
    • <SERVICE-CIDR> - The CIDR you want to use for the Kubernetes service network, as described in Prerequisites

    • <PODS-CIDR> Optional. The CIDR you want to use for the Kubernetes pods network, as described in Prerequisites. The default pods network is 10.244.0.0/16

    • <MODULE-TYPE> - One of the following values:

      • ST for SecureTrack only
      • ST, SC for both SecureTrack and SecureChange/SecureApp
      • RC for a remote collector
    • <LOAD> - small, medium or large, as provided by your account team, based on your sizing calculation.

    There is also an option to do a dry run, to verify the procedure in advance by going through all the stages without installing anything. To do a dry run, add the parameter --dry-run to the install command.

    [<ADMIN> ~]$ sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d
    sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d

    Examples:

    $ sudo tos install --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium -d

    $ sudo tos install --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large -d

  11. The EULA is displayed. After reading, enter q to exit the document. If you accept the EULA, enter y and wait until the command completes.

  12. You can now safely exit the CLI tmux session:

    [<ADMIN> ~]# exit
    exit
  13. If the installation was for a central (main) cluster, log into TOS Aurora at https://<VIP> in your browser with user=admin, password=admin. If a warning message is shown regarding the site security certificate, 'accept the risk' and continue to the site. You will be prompted to set a new password.

    If the installation was for a remote collector, connect it to the central cluster.

Post-Install Configuration

SSL Certificates

Secured connections to TOS Aurora require a valid SSL certificate. Such a certificate is generated during the installation. It is automatically renewed when it expires and also when upgrading to later versions of TOS Aurora. When connecting for the first time after certificate renewal, you will be prompted to accept the new certificate. You can also use your own CA signed certificate, but such certificates will not be renewed automatically.

SAN Certificates

If you have FortiManager devices in SecureTrack, add a SAN signed certificate to each device.

License Activation

Relevant only for central clusters, skip for remote collectors.

Follow the instructions in Activate license

Using Syslog for Accountability and More

You can use syslog to send accountability and other information from your devices to SecureTrack - see Sending Additional Information via Syslog. If you want to use this feature and you have installed TOS on-premise, you must also set up a Syslog VIP Address.

Adding Worker Nodes to Your Cluster

TOS Aurora is now deployed as a single node Kubernetes cluster. See Multi-Node Cluster for more information about adding additional nodes.

Setting up External Backups

We recommend setting up backups on external storage.

Setting up Scheduled Backups

We recommend creating a backup policy as soon as possible.

DR (Disaster Recovery)

If you want to use the DR feature to setup TOS redundancy across sites, see Disaster Recovery.

HA (High Availability)

If you want TOS Aurora to run in HA, see High Availability.

TOS Monitoring

TOS Monitoring lets you monitor the status of the TOS cluster and its nodes by generating a notification whenever a change in status occurs, such as a node failing, or a usage threshold reached, such as CPU or disk usage. We recommend that you set up TOS notifications in TOS Monitoring (see TOS Monitoring).

Additional Configuration

A number of additional parameters can be set now or later e.g. session timeout and SNMP - see Configuring TOS.

SecureChange Settings

Relevant only for central clusters; skip for remote collectors.

If you have SecureChange:

  1. If you are not already logged in to SecureTrack, log in now.
  2. Create a new SecureTrack administrator user that SecureChange and SecureApp will use to get SecureTrack information. If you have already configured multi-domain management, make this user either a super administrator or multi-domain administrator, depending on whether you want to restrict the administrator to selected domains.

  3. Sign into SecureTrack.

    • Using SSO: From R22-1, TOS uses Single Sign-On (SSO) authentication method by default.

      1. Log into TOS.

      2. For your first login session, you must change your password:

      3. You are automatically logged into SecureTrack. To log into SecureChange, type https://<IP>/securechangeworkflow or https://<IP>/tufinapps/securechange in the browser URL, where <IP> is the cluster VIP or external load-balancer IP.

    • Not using SSO:

      1. For your first login session, you must change your password. SecureChange users are separate from SecureTrack users; there is no connection between a SecureTrack user and SecureChange user with the same name.

      2. In this prompt window, you can also enter an email address for administrative email notifications. We recommend using the address of an email list so you can easily edit the list of recipients.

      3. Login to SecureChange at https://<IP>/securechangeworkflow or https://<IP>/tufinapps/securechange where <IP> is the cluster VIP or external load-balancer IP, with your admin credentials.

  4. Go to Settings > Miscellaneous.

  5. Enter a value for Server DNS name - the DNS server to use for links in email notifications. This can be an IP address in the format 11.22.33.44 or a FQDN in the format https://mydomain.com. The SecureChange DNS name is published by SecureChange so it can be accessed from external sources. For example, it is embedded in notification mails sent by SecureChange, which include a link to a ticket, such as an email notifying a handler assigned with a task, or informing a requester that the ticket has been successfully resolved.

  6. Go to Settings > SecureTrack:

    1. Enter the SecureTrack administrator username, created previously.

    2. If you want a link from SecureChange to SecureTrack and from SecureTrack to SecureChange, select Show link to SecureTrack. These two links will appear in the applications icon menu in both systems:

    3. If you want to change how often SecureChange tests its connectivity to SecureTrack, change the value of Connection check interval.

    4. Click Test connection to verify that SecureChange has a connection to SecureTrack.

    5. Click Refresh license status so that SecureTrack and SecureChange share the highest level of connectivity.

    6. Click Save.

  7. Additional setup can be done now or later: