Prepare a Node on a Tufin Appliance

Overview

This procedure is for preparing a Tufin appliance before adding it as a node to an existing TOS Aurora cluster.

For all other installation procedures, such as installing TOS Aurora and adding nodes on other platforms, see the menu for the appropriate procedure.

If you are preparing a data node, start with high availability.

If you are preparing a worker node, start with multi-node cluster.

Read and understand Prerequisites, then proceed with Installing TufinOS

Prerequisites

General Requirements

• You cannot use IP Tables. All IP tables rules will be flushed when adding the node.

• Your servers must have sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. Consult with your sales engineer or Tufin support to ensure your resources or sufficient.

Tufin Appliance Requirements

• Your appliance must be one of: T-800, T-1000XL, T-1100, T-1200. For more information, see Tufin Appliance Lifecycle.

• Complete the preliminary set up described in the quick-start guides T-800 / T-1200 or T1000XL / T-1100.

Network Requirements

• You must allow access to required Ports and Services.
• If you intend to use syslog, allocate a syslog VIP on the same subnet as your primary VIP.

• The node's network IP must be on the same subnet as the cluster primary VIP.

• Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

  To find the first network interface, run the following command:

  [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

  sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

  Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

Install TufinOS

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.

Skip any steps that have already been done when following the quick-start guides T-800 / T-1200 or T1000XL / T-1100.

Install TufinOS via USB

Before beginning check that there are no physical USB thumb drives connected to the appliance and that there is no virtual media attached to the appliance via a remote management module (iDRAC for Gen 4.5, RMM for Gen 4 and Gen 3.5).

1. Insert the USB drive into the appliance and reboot the appliance.

The TufinOS 4.40 installer launches.

2. Select TufinOS 4.40 installation for TOS Aurora.

3. Select one of the following options:

• Install 4.40 via KVM

• Install 4.40 via serial - The serial option is only relevant if you are connecting a serial cable to the appliance, and you have a serial console configured to connect to the appliance (see TufinOS Requirements).

4. When prompted, select Yes.

5. When the installation is complete, reboot the appliance.

6. When the BIOS POST starts, remove the USB thumb drive with the TufinOS installation image.

7. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:

   • username:tufin-admin

   • password: admin

8. The system requires that you change the password on the first login.

Install TufinOS via RMM (Gen 4)

Before beginning check that there are no physical USB thumb drives connected to the appliance.

1. Open a browser, enter the RMM IP address and enter username and password to log in.

   

2. On the System tab, in the Remote Console Preview area, click on the black area and accept any warning messages until the KVM window appears.

   

3. In the KVM window go to Virtual Media > Virtual Storage. click on HD Image in Logical Drive Type and click Open Image.

   

4. Select the image file, and click Open.

5. Click Plug in > OK and confirm that the connection status is OK.

   

6. Reboot the appliance.

The TufinOS 4.40 installer launches.

7. Select TufinOS 4.40 installation for TOS Aurora.

8. Select Install 4.40 via KVM:

9. When prompted, select Yes.

10. When the installation is complete, reboot the appliance.

When the BIOS POST starts, detach the TufinOS installation image. Go to Virtual Media > Virtual Storage, click Plug out, and then OK.



11. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:

    • username:tufin-admin

    • password: admin

12. The system requires that you change the password on the first login.

Install TufinOS via RMM (Gen 3.5)

Before beginning check that there are no physical USB thumb drives connected to the appliance.

1. Open a browser, enter the RMM IP address and enter username and password to log in.

   

2. On the System tab, in the Remote Console Preview area, click on the black area and accept any warning messages until the KVM window appears.

   

3. In the KVM window go to Virtual Media > Virtual Storage. click on HD Image in Logical Drive Type and click Open Image.

   

4. Select the image file, and click Open.

5. Click Plug in > OK and confirm that the connection status is OK.

   

6. Reboot the appliance.

The TufinOS 4.40 installer launches.

7. Select TufinOS 4.40 installation for TOS Aurora.

8. Select Install 4.40 via KVM:

9. When prompted, select Yes.

10. When the installation is complete, reboot the appliance.

When the BIOS POST starts, detach the TufinOS installation image. Go to Virtual Media > Virtual Storage, click Plug out, and then OK.



11. Once the device has rebooted, log in again as tufin-admin. The default admin user credentials are:

    • username:tufin-admin

    • password: admin

12. The system requires that you change the password on the first login.

Set Up TufinOS

1. If you want to reset the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name:

   [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>

   sudo hostnamectl set-hostname <mynode>

2. Configure the server timezone:

   [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>

   sudo timedatectl set-timezone <timezone>

   where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.

   To view a list of the time-zone formats that can be used, run:

   [<ADMIN> ~]$ sudo timedatectl list-timezones

   sudo timedatectl list-timezones

3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.

4. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32). If you have several network interfaces, configure the first one.

   To find the first network interface

   Run the command:

   [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

   sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

5. To assign a static IP address:

   1. Run the command:

   [<ADMIN> ~]$ sudo nmtui edit <Interface Name>

   sudo nmtui edit <Interface Name>

   

   and set the following parameters in the window:

   • Set IPv4 CONFIGURATION to Manual
   • Set Addresses for the physical IP, together with the chosen subnet
   • Set Gateway and DNS Servers to the IPs used by your organization
   2. Restart the network service.

   [<ADMIN> ~]$ sudo systemctl restart NetworkManager.service

   sudo systemctl restart NetworkManager.service
6. Verify that the DNS server can resolve its own address using a reverse lookup

   Run:

   [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>

   sudo nslookup <DNS SERVER IP>

   If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.

   Example Output

   [<ADMIN> ~]$ sudo nslookup  1.2.3.4
   4.3.2.1.in-addr.arpa	name=EXAMPLE.company.com
   

   If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.

   Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.

   [<ADMIN> ~]$ sudo cat /etc/hosts 
   127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
   ::1 localhost6 localhost6.localdomain6
   1.2.3.4 admin.company.com admin
   2.3.4.5 5.4.3.2.in-addr-arpa