Clean Install of TOS Aurora on GCP

Overview

This procedure is for the clean installation of TOS Aurora on Google Cloud Platform (GCP). To add a node to an existing cluster, see Adding a Node on GCP. For all other installation and upgrade options, see Installing and Upgrading.

Tufin Orchestration Suite (TOS Aurora) includes SecureTrack, SecureChange and SecureApp. You will specify the applications you want to enable, when you run the install command.

Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

After the installation you will have created a single data node TOS cluster to which you can add additional worker nodes. This node is the primary data node, and there is no need to install TOS on any additional nodes. Worker nodes require an operating system only, and with high availability, data is replicated between the nodes.

UDP traffic is not supported in GCP.

High Availability (HA)

High availability is supported for GCP over three availability zones, giving you a higher level of resilience and availability when deploying on this cloud platform. Note that all availability zones must be in the same region. See High availability.

Remote Collectors (RCs)

Remote collectors can be deployed on GCP. They are supported in and between different GCP regions.

Prerequisites

  • You must know the resources you will need - CPU cores, RAM, disk space and the load-model parameter <LOAD>, provided by your account team, based on the procedure Calculate resources - clean install.

  • All resources need to be dedicated to the TOS Aurora machine. Do not use shared CPU or memory and if the datastore is shared, the disk performance must meet the requirements at all times.

  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

  • You will need to allow access to required Ports and Services.
  • Allocate a 24-bit CIDR subnet for the Kubernetes service network and a16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

    The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with:

    • Each other

    • The physical addresses of your TOS Aurora servers (see below)

    • Your primary VIP, Syslog VIP or external load balancer IP (see below)

    • Any other subnets communicating with TOS or with TOS nodes

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

  • You need to configure a separate partition for /opt, a separate disk for etcd, and the boot disk needs at least 300 GB of available storage. The /opt partition will contain your data, which will increase over time. Most of your available disk space should be allocated to this partition and the minimum is determined by the load model parameter (small, medium, large) provided by your account team. Minimum sizes for all partitions:

    Minimum Partition Sizes

    Boot disk

    /opt/

    (Small)*

    /opt/

    (Medium)*

    /opt/

    (Large)*

    etcd

    Central cluster / remote cluster primary data node / HA data nodes 300 GB 80 GB 170 GB 370 GB 128 GB
    Worker node (central and remote clusters) 150 GB 70 GB 70 GB 70 GB N/A

    *Small, medium and large refer to the load model parameter provided by your account team.

    We recommend allocating /opt partition all remaining disk space after you have partitioned the boot disk and etcd.

  • For PGA, if you are using NFS your backup server needs to be running NFS 4.

    From PHF1.0.0 and later, if you are running NFS 3 on your backup server it will not work because of a security vulnerability. If you want to ignore the security vulnerability to enable NFS 3, you need to run the following commands on all TOS servers that are using TufinOS 4.20 and later:

    systemctl unmask rpcbind.socket rpcbind.service
    systemctl unmask rpcbind.socket rpcbind.service
    systemctl start rpcbind.socket rpcbind.service
    systemctl start rpcbind.socket rpcbind.service
    systemctl enable rpcbind.socket rpcbind.service
    systemctl enable rpcbind.socket rpcbind.service

     

  • The TOS installation removes all TOS files, directories and backups left on the machine from old deployments. If you have any files you want to keep, move them to a safe external location before starting this procedure.

Downloads

  • Download the TOS R24-2 PGA.0.0 installation package from the Download Center.

  • The downloaded files are in .tgz format <FILENAME>.tgz.

Procedure

Follow the steps in sequence.