Using the Designer Debug Tool

SecureChange Requester This topic is intended for TOS Administrators.

Overview

You can use the Designer Debug tool to help Tufin support debug and fix escalations relevant to Designer and Verifier in access requests. It is relevant for st-server, securetrack-job, and for topology-job services.

This tool collects the following information for a specified access request ticket:

  • information on the relevant devices and their revisions

  • domains

  • legacy and stealth rules

  • access requests and parameters

  • log files

Tufin support uses this information to reproduce, analyze, and debug the scenarios to fully understand escalated issues and discover their cause without requiring a full system backup.

Generate a Designer Debug File

  1. Set the log level to DEBUG by running: 

    tos config log-level set -s st-server -l com.tufin.securetrack.designer.DesignerDecisionLog=DEBUG
    tos config log-level set -s st-server -l DesignerDecisionLog=DEBUG
    tos config log-level set -s st-server -l com.tufin.securetrack.service.ticketDependencyRepository.TicketDependencyLog=DEBUG
    tos config log-level set -s securetrack-job -l com.tufin.securetrack.designer.DesignerDecisionLog=DEBUG
    tos config log-level set -s securetrack-job -l DesignerDecisionLog=DEBUG
    tos config log-level set -s topology-job -l com.tufin.securetrack.designer.DesignerDecisionLog=DEBUG

  2. Run Designer on a ticket and click Save Draft.

  3. Switch to the /tmp directory:

    4. [<ADMIN> ~]$ cd /tmp 
    cd /tmp
  4. Copy the tool to the /tmp directory: 
  5. [<ADMIN> ~]$ sudo kubectl exec deployment/device-collector -c device-collector -- cat /usr/local/st/collect_designer_debug_info.sh > collect_designer_debug_info.sh
                
    sudo kubectl exec deployment/device-collector -c device-collector -- cat /usr/local/st/collect_designer_debug_info.sh > collect_designer_debug_info.sh

  6. Run the tool: 

    [<ADMIN> ~]$ sudo sh collect_designer_debug_info.sh -ticketid <ticket id number> -user <admin user name> [-mgmts <management ids>]
                        
    sudo sh collect_designer_debug_info.sh -ticketid <ticket id number> -user <admin user name> [-mgmts <management ids>]

    where:

    • ticketid is the ticket id number.
    • mgmts (optional) is a list of management IDs separated by commas.
    • user is the user name of an admin level user.

    When prompted, enter the password for the super admin user.The user name and password are not saved or collected as part of the tool.

    An output file designer_debug_info.tar.gz will be created in directory /tmp.

  7. Send the file to Tufin Support.
  8. Reset the log-levels back to their default modes by running: 
    tos config log-level reset -s st-server -l com.tufin.securetrack.designer.DesignerDecisionLog
     tos config log-level reset -s st-server -l DesignerDecisionLog
    tos config log-level reset -s st-server -l com.tufin.securetrack.service.ticketDependencyRepository.TicketDependencyLog
     tos config log-level reset -s securetrack-job -l com.tufin.securetrack.designer.DesignerDecisionLog
    tos config log-level reset -s securetrack-job -l DesignerDecisionLog
    tos config log-level reset -s topology-job -l com.tufin.securetrack.designer.DesignerDecisionLog

    The reset command reverts the logs back to the following configuration: 

    # tos config log-level set -s sc-server -l com.tufin.securechange=info
# tos config log-level set -s st-server -l com.tufin.securetrack.designer.DesignerDecisionLog=WARN
# tos config log-level set -s st-server -l DesignerDecisionLog=WARN
# tos config log-level set -s st-server -l com.tufin.securetrack.service.ticketDependencyRepository.TicketDependencyLog=WARN
# tos config log-level set -s securetrack-job -l com.tufin.securetrack.designer.DesignerDecisionLog=WARN
# tos config log-level set -s topology-job -l com.tufin.securetrack.designer.DesignerDecisionLog=WARN
# tos config log-level set -s verifier -l com.tufin.verifier=WARN