Using the Designer and Verifier Debug Tool
This topic is intended for TOS Administrators.
Overview
You can use the Designer and Verifier Debug tool to help Tufin support debug and fix escalations related to Designer and Verifier on active access request tickets. It applies to the st-server, securetrack-job, and topology-job services. The log level for these services is changed to debug while the script is running (10 minutes by default).
The tool collects the following information on the specified ticket:
- information on the relevant devices and their revisions
- domains
- legacy and stealth rules
- access requests and parameters
- log files
Tufin support uses this information to reproduce, analyze, and debug the scenarios to fully understand escalated issues and discover their cause without requiring a full system backup.
Limitations
- If targets are replaced between ticket steps, the tool will collect information on both the old devices and the new devices.
- Only access request tickets are supported.
- The tool requires running Designer (and sometimes Verifier) on the ticket. Therefore, you can only run it on active access request tickets.
Prerequisites
- A SecureTrack user with administrator privileges.
- The user must have logged in to TOS for the first time and changed the default password.
The user name is not saved or collected as part of the tool.
Generate a debug file
- Set the log level to DEBUG by running:
    tos config log-level set -s st-server -l com.tufin.securetrack.service.ticketDependencyRepository.TicketDependencyLog=DEBUG
    tos config log-level set -s securetrack-job -l com.tufin.securetrack.designer.DesignerDecisionLog=DEBUG
- Run Designer on a ticket and click Save Draft.
- Switch to the /tmp directory:
- Copy the tool to the /tmp directory:
    [<ADMIN> ~]$ sudo kubectl exec deployment/device-collector -c device-collector -- cat /usr/local/st/collect_designer_debug_info.sh > collect_designer_debug_info.sh
- Run the script:
    [<ADMIN> ~]$ sudo sh collect_verifier_designer_debug_info.sh -ticketid <ticket id number> -user <admin user name> [-mgmts <management ids>]
  where:
  - ticketid is the ticket id number.
  - mgmts (optional) is a list of management IDs separated by commas.
  - user is the user name of an admin level user.
  Additional parameters can be inserted. For the full list see Script parameters and Examples below.
- When prompted, do the following, pressing Enter after each:
  - Enter the user's password.
  - Verify that the log level changed to debug.
  - Run Designer (and optionally Verifier) on the ticket.
- Send the file to Tufin Support.
- Reset the log levels back to their default modes by running:
    tos config log-level reset -s st-server -l com.tufin.securetrack.service.ticketDependencyRepository.TicketDependencyLog
  The reset command reverts the logs back to the following configuration:
    # tos config log-level set -s sc-server -l com.tufin.securechange=info
    # tos config log-level set -s st-server -l com.tufin.securetrack.designer.DesignerDecisionLog=WARN
    # tos config log-level set -s st-server -l DesignerDecisionLog=WARN
    # tos config log-level set -s st-server -l com.tufin.securetrack.service.ticketDependencyRepository.TicketDependencyLog=WARN
    # tos config log-level set -s securetrack-job -l com.tufin.securetrack.designer.DesignerDecisionLog=WARN
    # tos config log-level set -s topology-job -l com.tufin.securetrack.designer.DesignerDecisionLog=WARN
    # tos config log-level set -s verifier -l com.tufin.verifier=WARN
When the script is finished, an output file verifier_designer_debug_info.tar.gz will be created in directory /tmp.
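The archive this procedure leaves in /tmp holds device revisions, rules, access request parameters and logs, so it is worth restricting and fingerprinting it before it is sent. The following is an added example, not part of the Tufin tool or documentation: the function name secure_debug_bundle and its output format are assumptions, and it relies on GNU tar and sha256sum being available on the host.

```shell
#!/bin/sh
# Added example (not Tufin code): lock down and fingerprint the debug bundle
# before it leaves the host. The default path comes from the page; the
# function name and output format are assumptions of this sketch.

BUNDLE_DEFAULT=/tmp/verifier_designer_debug_info.tar.gz

# secure_debug_bundle [path]
# Prints "<sha256>  <member count>  <path>" on success; returns non-zero
# without changing permissions if any check fails.
secure_debug_bundle() {
    bundle=${1:-$BUNDLE_DEFAULT}

    # /tmp is world-writable: refuse symlinks and anything that is not a
    # regular file, so chmod and the hash act on the file the tool wrote.
    if [ -L "$bundle" ] || [ ! -f "$bundle" ]; then
        echo "refusing: $bundle is missing, a symlink, or not a regular file" >&2
        return 1
    fi

    # Confirm the archive is a readable gzip'd tar and count its members,
    # so a truncated or empty bundle is caught before it is sent.
    members=$(tar -tzf "$bundle" 2>/dev/null) || {
        echo "refusing: $bundle is not a valid tar.gz" >&2
        return 2
    }
    count=$(printf '%s\n' "$members" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "refusing: $bundle contains no files" >&2
        return 3
    fi

    # Owner-only access: the bundle holds device revisions, rules and logs.
    chmod 600 "$bundle" || return 4

    # Record the digest so it can be quoted alongside the upload.
    digest=$(sha256sum "$bundle" | cut -d' ' -f1) || return 5
    printf '%s  %s  %s\n' "$digest" "$count" "$bundle"
}
```

Called with no argument after the script finishes, the function acts on the default path named above; run it as the same user that owns the archive.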