Clean Install of TOS Aurora on GCP

Overview

This procedure is for the clean installation of TOS Aurora on Google Cloud Platform (GCP). To add a node to an existing cluster, see Adding a Node on GCP. For all other installation and upgrade options, see Installing and Upgrading.

Tufin Orchestration Suite (TOS Aurora) includes SecureTrack, SecureChange and SecureApp. You will specify the applications you want to enable, when you run the install command.

Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

After the installation you will have created a single data node TOS cluster to which you can add additional worker nodes. There is no need to install TOS on any additional nodes. Worker nodes require an operating system only, and with high availability, data is replicated between the nodes.

Syslog Destination

Due to a GCP limitation, UDP syslogs cannot be sent to the load balancer and must instead be sent directly to the nodeport - see Sending Additional Information Using Syslog.

High Availability (HA)

High availability is supported for GCP over three availability zones, giving you a higher level of resilience and availability when deploying on this cloud platform. Note that all availability zones must be in the same region. See High availability.

Remote Collectors (RCs)

Remote collectors can be deployed on GCP. They are supported in and between different GCP regions.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • To ensure optimal performance and reliability, the required resources need to always be available for TOS. If resources become unavailable, this will affect TOS performance. Do not oversubscribe resources.

  • Verify that you have sufficient resources (CPUs, disk storage and main memory) to run TOS Aurora. The required resources are determined by the size of your system. See Sizing Calculation for a Clean Install.

  • If you have made a previous unsuccessful attempt to install TOS Aurora, you must uninstall and reboot before reinstalling (see Uninstalling TOS)

  • The TOS installation removes all TOS files, directories and backups left on the machine from old deployments. If you have any files you want to keep, move them to a safe external location before starting this procedure.

  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • Once TOS Aurora has been installed, changing the host nameor IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    If you need assistance, consult with your sales engineer or Tufin support.

  • The Virtual Machine Operating System guest family must be Linux, and the operating system guest version must be RHEL 8.x

Operating System Requirements

  • OS distribution:

    • Red Hat Enterprise Linux 8.10

    • Rocky Linux 8.10

  • Disks:

    • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

    • The disk for the operating system and TOS data requires three partitions: /opt, /var and /tmp.

    • Partition sizes:

      • /opt: Use the Sizing Calculator to determine the partition size

      • /var: 200 GB

      • /tmp: 25 GB

    • We recommend allocating the /opt partition all remaining disk space after you have partitioned the OS disk and moved etcd to a separate disk.

  • Secure boot must be disabled.

  • For R24-2 PGA.0.0 and later, if you are using NFS your backup server needs to be running NFS 4.

    From R24-2 PHF1.0.0 and later, if you are running NFS 3 on your backup server it will not work because of a security vulnerability. If you want to ignore the security vulnerability to enable NFS 3, you need to run the following commands on all TOS servers that are using TufinOS 4.20 and later:

    systemctl unmask rpcbind.socket rpcbind.service
    systemctl unmask rpcbind.socket rpcbind.service
    systemctl start rpcbind.socket rpcbind.service
    systemctl start rpcbind.socket rpcbind.service
    systemctl enable rpcbind.socket rpcbind.service
    systemctl enable rpcbind.socket rpcbind.service

Procedure

Follow the steps in sequence.

  1. For additional help, refer to the official documentation Create and start a VM instance.

    1. In the Google Cloud console, navigate to Compute Engine > VM instances

    2. Click +CREATE INSTANCE.

    3. Configure:

      • Name:

      • Region/Zone: As appropriate

      • Machine family: GENERAL-PURPOSE

      • Series: E2

      • Machine type: Custom

      • Cores / Memory: According to the load-model parameter value received from your account team.

    4. Under Boot Disk, click CHANGE.

    5. Configure the boot disk.

      • Make sure tab Public Images is selected.

      • Operating system: Red Hat Enterprise Linux or Rocky Linux

      • Version:

        • Red Hat Enterprise Linux 8.10

        • Rocky Linux 8.10

      • Boot disk type: SSD persistent disk

      • Size: The value received from your account team.

    6. Click Select. The boot disk settings will be saved.

    7. Select Advanced options.

    8. Select Networking.

    9. Configure Networking:

      • Network tags: default-allow-ssh allow-nginx-ingress

      • Hostname: Optional

    10. (Optional) Host name: Type a host name or use the default device value.

    11. Click CREATE.

  2. Create a firewall rule to allow traffic to nginx nodeport and health checking

    Leave default values for all parameters not mentioned.

    1. Navigate to VPC Network > Firewall

    2. Click +CREATE FIREWALL RULE

    3. Configure:

      • Name: allow-nginx-ingress

      • Network: default

      • Direction: Ingress

      • Action: Allow

      • Targets: Specified target tags

      • Target tags: allow-nginx-ingress

      • Source filter: IPv4 ranges

      • Source IPv4 ranges: 0.0.0.0/0

      • Second sourced filter: None

      • Protocols and ports: Specified ports and protocols - TCP 31443

    4. Click CREATE.

  3. For more information about managing instance groups, see the vendor documentation Group unmanaged VMs together.

    Leave default values for all parameters not mentioned.

    1. Navigate to Compute Engine > Instance groups

    2. Click +CREATE INSTANCE GROUP.

    3. Select New unmanaged instance group (not the stateless or stateful options).

    4. Configure:

      • Name:

      • Location: As defined for your VM

      • Network / Subnetwork: Same network used by the instance or Default

      • VM Instances: Select the new VM created previously

    5. Under Port mapping, click ADD PORT

    6. Enter port details

      • Name: https

      • Number: 31443

    7. Add additional TCP ports, by repeating the previous two steps, depending on the features you intend to use from the list below.

      Port

       

      Purpose

       

      Cluster Type

      (Central cluster/Remote collector)

      31099

      OPM devices

      Central cluster

      31514

      TCP syslogs

      Central cluster

      31422

      Event Streaming

      Central cluster/remote collector

      8443

      RC sync - Revisions and control

      Remote collector

      31617

      JMS - configuration metrics and device statuses

      Remote collector

      31843

      SecureTrack client

      Central cluster (only if deploying remote collector)

    8. Click CREATE. The instance group will be created.

  4. Leave default values for all parameters not mentioned.

    1. Navigate to Health checks.

    2. Click +CREATE HEALTH CHECK.

    3. Select/Enter values:

      • Name

      • Protocol: TCP

      • Port: 31443

    4. Leave default values for health criteria, or change according to your requirements.

    5. Click CREATE.

  5. After launching the instance, you need to create a separate load balancer for each of the ports you are going to need. These ports are listed in the Target column in the table below. Some ports are only needed if you are deploying a remote collector.

    Protocol

     

    Source

     

    Target

     

    Purpose

     

    Cluster Type

    (Central Cluster/Remote Collectors)

    TCP

    443

    31443

    Mandatory. UI connectivity.

    Central cluster

    TCP

    9099

    31099

    OPM devices

    Central cluster

    TCP

    6514

    31514

    TCP syslogs

    Central cluster/
    Remote collector

    TCP

    8422

    31422

    Event streaming

    Remote collector

    TCP

    9090

    31090

    Allows central cluster to receive data from remote collector cluster

    Remote collector

    TCP

    31843

    8443

    RC sync - Revisions and control

    Remote collector

    TCP

    61617

    31617

    JMS - configuration metrics and device statuses

    Remote collector

    TCP

    8443

    31843

    SecureTrack client

    Central cluster (only if deploying remote collector)

    Repeat this step for each port in the table that you are going to need.

    For more information, see the vendor documentation Set up the load balancer.

    Leave default values for all parameters not mentioned.

    1. Navigate to Network Services > Load balancing.

    2. Click +CREATE LOAD BALANCER.

    3. Under Network Load Balancer (TCP/SSL), click START CONFIGURATION.

    4. Select the following options:

      • Internet facing or internal only: Only between my VMs.

      • Multiple regions or single region: Single region only
      • Load Balancer type: Proxy
    5. Click Continue.
    6. Enter/Select the following information:
      • Load Balancer name
      • Region
      • Network

    7. Click Backend configuration.

    8. In the Backend Configuration section, enter/select the following:

      • Backend type: Instance group

      • Protocol: TCP

      • Named port: https (the name of the port you created for the instance)

      • Timeout: 30

    9. In the Instance Groups section, enter/select the following:

      • Instance group: The instance group created previously

      • Port numbers: The target port

      • Health check: The health check created previously

    10. In the New Frontend IP and port section, enter/select the following:

      • Name:

      • Subnetwork: The network you are using

      • IP address: The IP Address of the machine you want to send the traffic to

      • Port number: The source port

    11. Click DONE.

    12. Click CREATE.

  6. Repeat this step for each of the ports you open.

    For more information, see the vendor documentation Create a new firewall rule.

    1. Navigate to VPC Network > Firewall

    2. Click CREATE FIREWALL RULE

    3. Configure:

      • Name

      • Logs: Off

      • Network: Default

      • Priority: 1000

      • Direction of traffic: Ingress

      • Action on match: Allow

      • Targets: Specified target tags

      • Target tags: (example) syslog-ingress

      • Source filter: IPv4 ranges

      • Source IPv4 ranges: 0.0.0.0/0

      • Second source filter: None

      • Protocols and ports: Specified protocols and ports - UDP 30514

    4. Click CREATE.

    5. Navigate to VM instances and select the VM created previously

    6. Click EDIT

    7. Go to Network Tags and add the target tag specified above

  7. To connect via ssh you can add an existing ssh key to GCP via UI or use the gcloud utilily to generate key and add it.

    To generate a key using gcloud:

    1. Download gcloud to your workstation.

    2. Run gcloud auth login command to login to your account. Variable <PROJECT_ID> can be set once globally to avoid entering it each time.

      gcloud config set project "<PROJECT_ID>"
      gcloud config set project "<PROJECT_ID>"
      gcloud compute ssh --zone "<ZONE>" "<VM_INSTANCE_NAME>" 
      gcloud compute ssh --zone "<ZONE>" "<VM_INSTANCE_NAME>"

  8. If not done already, set up partitions according to the Prerequisites.

    1. If you are not currently logged in as user root, do so now.

      [<ADMIN> ~]$ su -
      su -

    2. If you want to change the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name.

      [<ADMIN> ~]# hostnamectl set-hostname <mynode>
      hostnamectl set-hostname <mynode>

    3. Modify the environment path to run TOS CLI commands without specifying the full path (/usr/local/bin/tos). 

      [<ADMIN> ~]# echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null
      echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null

    4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony.

    5. Configure the server timezone.

      [<ADMIN> ~]# timedatectl set-timezone <timezone>
      timedatectl set-timezone <timezone>

      where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague. List the time-zone formats that can be used in the command.

      [<ADMIN> ~]# timedatectl list-timezones
      timedatectl list-timezones

    6. Upgrade the kernel:

      [<ADMIN> ~]# dnf upgrade
      dnf upgrade

    7. Disable SELinux:

      • If file /etc/selinux/config exists, edit and change the value of SELINUX to disabled:

        SELINUX=disabled
      • If the file doesn't exist or SELINUX is already set to disabled, do nothing.
    8. Reboot the machine and log in.

    9. Install Wireguard. This is needed to encrypt communication between nodes (machines) within the cluster. The wireguard version must match the operating version you are installing.

      10. [<ADMIN> ~]# sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
      sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
      [<ADMIN> ~]# sudo yum install kmod-wireguard wireguard-tools
      sudo yum install kmod-wireguard wireguard-tools
    10. Reboot the machine and log in.

    11. Install tmux and rsync:

      [<ADMIN> ~]# dnf install -y rsync tmux
      dnf install -y rsync tmux

    12. Disable the firewall:

      [<ADMIN> ~]# systemctl stop firewalld
      systemctl stop firewalld
      [<ADMIN> ~]# systemctl disable firewalld
      systemctl disable firewalld

    13. Create the TOS Aurora load module configuration file /etc/modules-load.d/tufin.conf. Example using vi:

      [<ADMIN> ~]# vi /etc/modules-load.d/tufin.conf
      vi /etc/modules-load.d/tufin.conf

    14. Specify the modules to be loaded by adding the following lines to the configuration file created in the previous step. The modules will then be loaded automatically on boot.

      br_netfilter
      wireguard
      overlay
      ebtables
      ebtable_filter
      br_netfilter wireguard overlay ebtables ebtable_filter

    15. Load the above modules now:

      [<ADMIN> ~]# cat /etc/modules-load.d/tufin.conf |xargs modprobe -a 
      cat /etc/modules-load.d/tufin.conf |xargs modprobe -a

      Look carefully at the output to confirm all modules loaded correctly; an error message will be issued for any modules that failed to load.

    16. Check that Wireguard has loaded correctly. 

      [<ADMIN> ~]# lsmod |grep wireguard
      lsmod |grep wireguard

      The output will appear something like this:

      wireguard              201106  0
ip6_udp_tunnel         12755  1 wireguard
udp_tunnel             14423  1 wireguard

      If Wireguard is not listed in the output, contact support.

    17. Create the TOS Aurora kernel configuration file /etc/sysctl.d/tufin.conf. Example using vi:

      [<ADMIN> ~]# vi /etc/sysctl.d/tufin.conf
      vi /etc/sysctl.d/tufin.conf

    18. Specify the kernel settings to be made by adding the following lines to the configuration file created in the previous step. The settings will then be applied on boot. 

      net.bridge.bridge-nf-call-iptables = 1
      fs.inotify.max_user_watches = 1048576
      fs.inotify.max_user_instances = 10000
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-iptables = 1 fs.inotify.max_user_watches = 1048576 fs.inotify.max_user_instances = 10000 net.ipv4.ip_forward = 1

    19. Apply the above kernel settings now:

      [<ADMIN> ~]# sysctl --system
      sysctl --system
    For maximum security, we recommend only installing official security updates and security patches for your Linux distribution, as well as the RPMs specifically mentioned in this section.

  10. The etcd database should be on a separate disk to improve the stability of TOS Aurora and reduce latency. Moving the etcd database to a separate disk ensures that the kubernetes database has access to all the resources required to ensure an optimal TOS performance. This will require some down time as you are going to have to shut down TOS before separating the disks.

    1. Run the tmux command.

      [<ADMIN> ~]$ tmux new-session -s TOS-Install
      tmux new-session -s TOS-Install

    2. Go to /opt/misc/.

    3. Go to the Download Center and click the TOS R24-2 PHF4.1.0 installation file.

    4. Select how you want to download the installation package: Download to Computer or Copy link (valid for 10m).

    5. If you copied the link, run the following command within ten minutes:

      curl -o [Name the file].run.gz  “<LINK>”
      curl -o [Name the file].run.gz  “<LINK>”

      Where <LINK> is the link you copied from the Download Center.

      Make sure the server can download from https://tosportaldownloads.tufin.com.

    6. If you downloaded to the computer, copy the compressed file from your local computer to the server.

    7. Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.

      8. [<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
      sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
      [<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
      sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

    8. Extract the TOS run file from its archive.

      [<ADMIN> ~]$ tar xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
      tar xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

      9. The run file name includes the release, version, and build number.

      TOS file example: R24-2-pga0.0-final-4577.run

    1. Run the TOS Aurora run file.

      [<ADMIN> ~]$ sudo sh <runfile>
      sudo sh <runfile>

    2. You must have permissions to execute TOS CLI commands. Grant permissions as shown below or allow use of sudo command.

      [<ADMIN> ~]# chmod +x /usr/local/bin/tos
      chmod +x /usr/local/bin/tos

    3. Run the install command, replacing the parameters:

      • <MODULE-TYPE> with one of the following values:

        • ST for SecureTrack only
        • ST, SC for both SecureTrack and SecureChange
        • RC for a remote collector
      • <SERVICE-CIDR> with the CIDR you want TOS Aurora to use for the Kubernetes service network, as described in Prerequisites

      • <PODS-CIDR> (Optional) with the CIDR you want to use for the Kubernetes pods network, as described in Prerequisites. The default pods network is 10.244.0.0/16

      • <LOAD> with the load-model parameter value obtained from your account team as described in Prerequisites.
      [<ADMIN> ~]$ sudo tos install --modules=<MODULE-TYPE> --primary-vip=external --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d
      sudo tos install --modules=<MODULE-TYPE> --primary-vip=external --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d

      Example:

      # sudo tos install --modules=ST,SC --primary-vip=external --services-network=10.10.10.0/24 --load-model=medium -d

    4. The EULA appears. After reading, enter 'q' to exit the document and then enter 'y' to accept the EULA and continue until the command completes.

    5. You can now safely exit the CLI tmux session:

      [<ADMIN> ~]$ exit
      exit

    6. Go to the TOS Aurora login page by going to the URL of the load balancer DNS in your browser.

    7. Log in with user=admin, password=admin. If a warning message is shown regarding the site security certificate, 'accept the risk' and continue to the site. You will be prompted to set a new password.

      1. On the primary data node, check the TOS status.

        [<ADMIN> ~]$ tos status
        tos status

      2. In the output, check if the System Status is Ok and all the items listed under Components appear as Ok. If this is not the case, contact Tufin Support.

        3. Example output:

        [<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Single Node"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 36%  

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- ["postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 54/54

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

    Post-Install Configuration

    SSL Certificates

    Secured connections to TOS Aurora require a valid SSL certificate. Such a certificate is generated during the installation. It is automatically renewed when it expires and also when upgrading to later versions of TOS Aurora. When connecting for the first time after certificate renewal, you will be prompted to accept the new certificate. You can also use your own CA signed certificate, but such certificates will not be renewed automatically.

    SAN Certificates

    For every FortiManager device you intend to monitor, add a SAN signed certificate.

    License Activation

    Relevant only for central clusters, skip for remote collectors.

    After the license is activated, have all TOS users enable the automatic license mechanism in their browser. For more information, see Site Usage Monitoring.

    Using Syslog for Accountability and More

    To include accountability and rule usage information in TOS Aurora you must configure your devices to send syslogs. For more information see Sending Additional Information via Syslog.

    Adding Worker Nodes to Your Cluster

    TOS Aurora is deployed as a single node Kubernetes cluster. See Multi-Node Cluster for more information about adding additional nodes.

    Setting up External Backups

    We recommend setting up backups on external storage.

    Setting up Scheduled Backups

    We recommend creating a backup policy as soon as possible.

    DR (Disaster Recovery)

    To setup TOS redundancy across sites, see Disaster Recovery.

    Sending Cluster Health Status to Tufin

    Enabled by default, system information is sent periodically to Tufin Support for the purpose of troubleshooting and identifying performance issues. It can be disabled (see Sending Cluster Health Status). The information includes:

    • DB status and size

    • Backup status

    • Kubernetes status and metrics

    • CPU metrics

    • Memory status

    • I/O

    • Configuration changes

    • TOS status

    • Cluster performance

    It does not include IP addresses, personal user information, or device information. All the information sent is encrypted and is accessible only to Tufin support teams.

    The information is sent to Tufin from TOS users' browsers to the Tufin sub-domain mailbox.tufin.com, therefore requests from user browsers to this sub-domain must be allowed.

    TOS Monitoring

    TOS Monitoring lets you monitor the status of the TOS cluster and its nodes by generating a notification whenever a change in status occurs, such as a node failing, or a usage threshold reached, such as CPU or disk usage.

    We recommend that you set up notifications in TOS Monitoring (see TOS Monitoring).

    Additional Configuration

    A number of additional parameters can be set now or later e.g. session timeout and SNMP - see Configuring TOS.

    SecureChange Settings

    Relevant only for central clusters; skip for remote collectors.

    If you have installed SecureChange:

    1. Go into SecureChange by one the following means:

      • Sign in to TOS with the URL given previously and then select SecureChange from the app launcher.

      • Sign in directly to SecureChange by entering https://<IP>/tufinapps/securechange in the browser.

    2. Configure the DNS.

      1. Go to Settings > Miscellaneous.

      2. Delete the default value that appears in the field Server DNS name. Enter a value for Server DNS name - the DNS server to use for links in email notifications. This can be an IP address in the format 11.22.33.44 or a FQDN in the format https://mydomain.com. The SecureChange DNS name is published by SecureChange so it can be accessed from external sources. For example, it is embedded in notification mails sent by SecureChange, which include a link to a ticket, such as an email notifying a handler assigned with a task, or informing a requester that the ticket has been successfully resolved.

    3. Additional setup that can be done now or later:

      • Internal SSO Authentication. Internal SSO is enabled by default when TOS is installed, giving user access to all TOS components using the same credentials - SecureTrack, SecureChange, SecureApp, and extensions. When disabled, there is no connection between a SecureTrack user and SecureChange user with the same name.
      • Mail server connection
      • LDAP directory connection to use LDAP user accounts
      • Local users and user roles
      • Subsequent password changes can be made from the command line , see SecureChange Command Line Reference.

      • Change access to SecureTrack from SecureChange

        1. Go to Settings > SecureTrack:

        2. Change the default SecureTrack administrator. For SecureChange to access SecureTrack data, a SecureTrack administrator must be specified. By default this is the predefined user 'Admin' and everything will work fine if you leave it as it is. However, if you want a different user, create a new administrator and enter the user name. If you have already configured multi-domain management, this user can be either a super administrator or multi-domain administrator, depending on whether you want to restrict the administrator to selected domains.

        3. Remove link to SecureTrack . By default you can go from SecureChange to SecureTrack by selecting the SecureTrack link in the app launcher. If you want to remove this option, unmark the checkbox.

        4. Change connection check interval. The default value for the frequency of SecureChange testing connectivity to SecureTrack can be changed if desired.

        5. Click Test connection to verify that SecureChange has a connection to SecureTrack.

        6. Click Refresh license status. This will ensure that SecureTrack and SecureChange share the highest level of connectivity.

        7. Click Save.