Clean Install of TOS Aurora/TufinOS 3.110 on a VMWare ESXi Machine

  • The TufinOS 3 operating system reached EOL (end of life) on June 30, 2024 and is no longer supported. The final version - TufinOS 3.110 - was released in December 2023. If you are still running on TufinOS 3, we recommend upgrading to TufinOS 4 to get the benefit of the latest security patches.

  • TufinOS 4 does not support TOS releases earlier than R22-2 so if you are still running R22-1 or earlier, you must upgrade TOS before upgrading to TufinOS 4.

Overview

This procedure is for a clean installation of TOS Aurora with TufinOS 3.110 on a VMWare ESXi machine. Any existing data on the machine will be deleted.

Tufin Orchestration Suite (TOS Aurora) includes SecureTrack, SecureChange and SecureApp. You will specify the applications you want to enable, when you run the install command.

After the installation you will have created a single data node TOS cluster to which you can add additional worker nodes. This node is the primary data node, and there is no need to install TOS on any additional nodes. Worker nodes require an operating system only, and with high availability, data is replicated between the nodes.

High Availability (HA)

TOS Aurora can be set up to run as a high availability environment using three servers (nodes).

Distributed Deployment Using Remote Collectors

TOS Aurora can be set up to run as a distributed architecture using remote collectors (RC's).

The current procedure is meant for installing on both central and remote collector clusters. For more information, see remote collectors.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • If you have made a previous unsuccessful attempt to install TOS Aurora, you must uninstall and remove all data and then reboot before reinstalling (see Uninstalling TOS)

  • Some commands must be preceded with screen, see Screen Command.
  • You cannot use IP Tables with TOS Aurora. In addition, all IP Tables rules will be flushed when installing.

  • Your servers must have sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. The resources required can be categorized by system size.

    To evaluate the size of system you need, see Sizing Calculation for a Clean Install.

  • All resources need to be dedicated to the TOS Aurora machine. Do not use shared CPU or memory and if the datastore is shared, the disk performance must meet the requirements at all times.

  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    If you need assistance, consult with your sales engineer or Tufin support.

  • Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

  • The TOS installation removes all TOS files, directories and backups left on the machine from old deployments. If you have any files you want to keep, move them to a safe external location before starting this procedure.

VMware Requirements

  • Your ESX host must be running VMware ESXi 7.0 (requires TufinOS 3.80 and above / 6.7 / 6.5 only.
  • Your ESX host disk(s) must be SSD with 7,500 IOPS and 250MB/s throughput or higher.
ESXi 6 is already EOL (end of life). ESXi 7 is planned to reach EOL in April 2025

Network Requirements

  • You must allow access to required Ports and Services.
  • A 24-bit CIDR subnet on your network must be dedicated to TOS Aurora for the Kubernetes service network. It must not overlap with:

    • CIDR 10.244.0.0/16, which is already used for Kubernetes internal communication

    • The physical addresses of your TOS Aurora servers (see below)

    • Your primary VIP, Syslog VIP or external load balancer IP (see below)

    • Any other subnets communicating with TOS or with TOS nodes

    • Each other

  • If a proxy is configured on your system make sure this network is excluded.

  • You must have available the following dedicated IP addresses:

    • For on-premise deployments, a primary VIP that will serve as the external  IP address used to access TOS Aurora from your browser. The primary VIP will not be needed in the installation of the operating system, except in the final step - the installation command.
    • The physical network IP address of the first network interface used by the administrator for CLI commands. This is the IP address you will use in most steps of the procedure.

    • If additional nodes are subsequently added to the cluster, each node will require an additional dedicated physical network IP address.

    • Additional syslog VIPs can be allocated as needed.

    • The VIP, all node physical network IP addresses and all syslog VIPs must be on the first network interface.

    • Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

      Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

  • You must have a DNS server that can resolve its own address using a reverse lookup.

Downloads

  1. Download the TufinOS 3.110 installation package from the Download Center.

  2. Download the TOS R24-2 PRC1.1.0 installation package from the Download Center.

    3. The downloaded files are in .tgz format <FILENAME>.tgz.

  3. Extract the TufinOS image from its archive.

    [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
    sudo tar xzvf <FILENAME>.tgz

    The run file name includes the release, version, build number, and type of installation.

    TufinOS ISO file example: TufinOS-3.110-4368238-x86_64-Final.iso

  4. Verify the integrity of the TufinOS installation package.

    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
    sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256

    The output should return OK

  5. Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.

    [<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    [<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

  6. Extract the TOS run file from its archive.

    The run file name includes the release, version, and build number.

    TOS file example: R24-2-PRC1.1.0-final-4577.run

The Install Procedure

Before you proceed, read and understand Prerequisites to avoid risk of failure.

Install TufinOS 3.110

  1. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.

  2. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.

  3. Edit the properties of the virtual CD/DVD drive, and do one of the following:

    Using vSphere:

    • As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.

    • Under Device Status, select Connect at power on.

    Using a workstation:

    • Under Device Status, select Connect at power on.

    • Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.

  4. Set the VM to boot to BIOS configuration

    1. Navigate to VM settings > VM options.
    2. Check: During the next boot, force entry into the BIOS setup screen.

  5. In BIOS > Boot, select CD-ROM Drive.

  6. In BIOS > Exit, select Exit Saving Changes. Click Yes.

  7. Save the settings.

  8. Restart the VM. TufinOS installation begins.

  9. In the virtual machine console, follow the installation prompts. When asked to enter the required configuration, enter aurora.

    When prompted, confirm and choose Yes.

  10. When the installation is complete, the virtual machine reboots. The default admin user credentials are:

    • Username: tufin-admin

    • Password: admin (you will be prompted to change this on first log in)

    • IP address: 192.168.1.100/24

  11. TufinOS 3.100 and later. Optional. Create a password for the root user.

    • Login as the tufin-admin user.

    • Run the following command:

      sudo passwd root

    • Enter the password and then retype it

Set Up TufinOS

  1. If you want to reset the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name:

    [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
    sudo hostnamectl set-hostname <mynode>

  2. Configure the server timezone:

    [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
    sudo timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.

    To view a list of the time-zone formats that can be used, run:

    [<ADMIN> ~]$ sudo timedatectl list-timezones
    sudo timedatectl list-timezones

  3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.

  4. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32). If you have several network interfaces, configure the first one.

    Run the command: 

    [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
    sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

  5. To assign a static IP address:

    1. Run the command: 

      2. [<ADMIN> ~]$ sudo nmtui edit <Interface Name>
      sudo nmtui edit <Interface Name>

      and set the following parameters in the window:

      • Set IPv4 CONFIGURATION to Manual
      • Set Addresses for the physical IP, together with the chosen subnet
      • Set Gateway and DNS Servers to the IPs used by your organization
    2. Restart the network service. 
      3. [<ADMIN> ~]$ sudo systemctl restart NetworkManager.service
      sudo systemctl restart NetworkManager.service

  6. Run:

    [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
    sudo nslookup <DNS SERVER IP>

    If the name of the server is displayed, the DNS server can resolve its own address using a reverse lookup.

    Example Output

    [<ADMIN> ~]$ sudo nslookup  1.2.3.4
4.3.2.1.in-addr.arpa	name=EXAMPLE.company.com

    If the name of the server is not displayed, set it using a reverse lookup entry at /etc/hosts.

    Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.

    [<ADMIN> ~]$ sudo cat /etc/hosts 
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost6 localhost6.localdomain6
1.2.3.4 admin.company.com admin
2.3.4.5 5.4.3.2.in-addr-arpa

     

Install TOS Aurora

  1. Run the screen command:

    [<ADMIN> ~]$ screen -S TOS-Install
    screen -S TOS-Install

  2. Transfer the TOS run file to /opt.

  3. Go to /opt.

  4. Run the TOS Aurora run file.

    [<ADMIN> ~]$ sudo sh <runfile>
    sudo sh <runfile>

  5. Run the install command, replacing the parameters:

    • <PRIMARY> - The VIP you will use to access TOS Aurora as described in Prerequisites

    • <SERVICE-CIDR> - The CIDR you want to use for the Kubernetes service network, as described in Prerequisites

    • <PODS-CIDR>Optional. The CIDR you want to use for the Kubernetes pods network, as described in Prerequisites. The default pods network is 10.244.0.0/16

    • <MODULE-TYPE> - One of the following values:

      • ST for SecureTrack only
      • ST, SC for both SecureTrack and SecureChange/SecureApp
      • RC for a remote collector
    • <LOAD> - small, medium, large or extra-large, as provided by your account team, based on your sizing calculation.

    There is also an option to do a dry run, to verify the procedure in advance by going through all the stages without installing anything. To do a dry run, add the parameter --dry-run to the install command.

    [<ADMIN> ~]$ sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d
    sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d

    Examples:

    $ sudo tos install --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium -d

    $ sudo tos install --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large -d

  6. The EULA is displayed. After reading, enter q to exit the document. If you accept the EULA, enter y and wait until the command completes.

  7. You can now safely exit the CLI screen session:

    [<ADMIN> ~]# exit
    exit

  8. If the installation was for a central (main) cluster, log into TOS Aurora at https://<VIP> in your browser with user=admin, password=admin. If a warning message is shown regarding the site security certificate, 'accept the risk' and continue to the site. You will be prompted to set a new password.

    If the installation was for a remote collector, connect it to the central cluster.

    1. On the primary data node, check the TOS status.

      [<ADMIN> ~]$ tos status
      tos status

    2. In the output, check if the System Status is Ok and all the items listed under Components appear as Ok. If this is not the case, contact Tufin Support.

      3. Example output:

      [<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Single Node"

Nodes
  Nodes:
  - ["node1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 36%  

registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- ["postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 54/54

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC

Post-Install Configuration

SSL Certificates

Secured connections to TOS Aurora require a valid SSL certificate. Such a certificate is generated during the installation. It is automatically renewed when it expires and also when upgrading to later versions of TOS Aurora. When connecting for the first time after certificate renewal, you will be prompted to accept the new certificate. You can also use your own CA signed certificate, but such certificates will not be renewed automatically.

SAN Certificates

For every FortiManager device you intend to monitor, add a SAN signed certificate.

License Activation

Relevant only for central clusters, skip for remote collectors.

After the license is activated, have all TOS users enable the automatic license mechanism in their browser. For more information, see Tiered License Usage Monitoring.

Using Syslog for Accountability and More

You can use syslog to send accountability and other information from your devices to SecureTrack - see Sending Additional Information via Syslog. If you want to use this feature and you have installed TOS on-premise, you must also set up a Syslog VIP Address.

Adding Worker Nodes to Your Cluster

TOS Aurora is deployed as a single node Kubernetes cluster. See Multi-Node Cluster for more information about adding additional nodes.

Setting up External Backups

We recommend setting up backups on external storage.

Setting up Scheduled Backups

We recommend creating a backup policy as soon as possible.

HA (High Availability)

To set up an HA environment, see High Availability.

DR (Disaster Recovery)

To setup TOS redundancy across sites, see Disaster Recovery.

TOS Monitoring

TOS Monitoring lets you monitor the status of the TOS cluster and its nodes by generating a notification whenever a change in status occurs, such as a node failing, or a usage threshold reached, such as CPU or disk usage. We recommend that you set up TOS notifications in TOS Monitoring (see TOS Monitoring).

Additional Configuration

A number of additional parameters can be set now or later e.g. session timeout and SNMP - see Configuring TOS.

SecureChange Settings

Relevant only for central clusters; skip for remote collectors.

If you have installed SecureChange:

  1. Go into SecureChange by one the following means:

    • Sign in to TOS with the URL given previously and then select SecureChange from the app launcher.

    • Sign in directly to SecureChange by entering https://<IP>/tufinapps/securechange in the browser.

  2. Configure the DNS.

    1. Go to Settings > Miscellaneous.

    2. Delete the default value that appears in the field Server DNS name. Enter a value for Server DNS name - the DNS server to use for links in email notifications. This can be an IP address in the format 11.22.33.44 or a FQDN in the format https://mydomain.com. The SecureChange DNS name is published by SecureChange so it can be accessed from external sources. For example, it is embedded in notification mails sent by SecureChange, which include a link to a ticket, such as an email notifying a handler assigned with a task, or informing a requester that the ticket has been successfully resolved.

  3. Additional setup that can be done now or later:

    • Internal SSO Authentication. Internal SSO is enabled by default when TOS is installed, giving user access to all TOS components using the same credentials - SecureTrack, SecureChange, SecureApp, and extensions. When disabled, there is no connection between a SecureTrack user and SecureChange user with the same name.
    • Mail server connection
    • LDAP directory connection to use LDAP user accounts
    • Local users and user roles
    • Subsequent password changes can be made from the command line , see SecureChange Command Line Reference.

    • Change access to SecureTrack from SecureChange

      1. Go to Settings > SecureTrack:

      2. Change the default SecureTrack administrator. For SecureChange to access SecureTrack data, a SecureTrack administrator must be specified. By default this is the predefined user 'Admin' and everything will work fine if you leave it as it is. However, if you want a different user, create a new administrator and enter the user name. If you have already configured multi-domain management, this user can be either a super administrator or multi-domain administrator, depending on whether you want to restrict the administrator to selected domains.

      3. Remove link to SecureTrack . By default you can go from SecureChange to SecureTrack by selecting the SecureTrack link in the app launcher. If you want to remove this option, unmark the checkbox.

      4. Change connection check interval. The default value for the frequency of SecureChange testing connectivity to SecureTrack can be changed if desired.

      5. Click Test connection to verify that SecureChange has a connection to SecureTrack.

      6. Click Refresh license status. This will ensure that SecureTrack and SecureChange share the highest level of connectivity.

      7. Click Save.