Monitoring Aruba EdgeConnect Devices

Overview

Add Aruba EdgeConnect (formerly SilverPeak) Orchestrator devices to TOS using the Open Policy Model (OPM). OPM expands device coverage in TOS to additional vendors. Device connectors collect the device's configuration and policy data and import them into SecureTrack.

The Aruba device connector supports onboarding Aruba EdgeConnect Orchestrator using the HTTPS API. SecureTrack pulls topology and rule data from the Orchestrator based on the sync schedule set in Tufin Integrations.

For supported features, see Features by Vendor in SecureTrack and Features by Vendor in SecureChange.

Prerequisites

  • EdgeConnect Orchestrator: HTTPS API access

  • Customer Portal access to download the OPM package

  • Admin credentials for SecureTrack and SecureChange

  • TOS server:

    • sudo permissions to run the installer

    • File upload permissions to /opt/misc

  • On systems with non-Tufin OS, python3 and bzip2 packages installed

Install the OPM package

Install the OPM package from the shell on the TOS server. The steps are identical for both new installations and upgrades.

If you have existing OPM packages, the OPM installer automatically detects and upgrades older versions.
  1. Go to the Download center.

  2. Select HPE Aruba Networking.

  3. Click Download to Computer.

  4. Upload the downloaded file to /opt/misc (recommended) on the TOS server, and run the installer:

    sh <package-name>

    where:

    <package-name> is the name of the package you downloaded in the format install-<vendor>-1.0.0.aur.run

  5. When prompted, enter:

    • SecureTrack Username and Password

    • SecureChange Username and Password

    These credentials are used by the OPM scripts to make API requests. You can always update them later in Tufin Integrations.

  6. Wait for the installation to complete. The installer installs PS Proxy and Tufin Integrations if they don't exist. If an older version is installed, the script upgrades it.
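
The prerequisites and the package name format above can be checked from the shell on the TOS server before the installer is run. This is an added example, not part of the Tufin OPM package: the function names are hypothetical, and it assumes the version in the file name may differ from 1.0.0. It does not check sudo permissions.

```shell
#!/bin/sh
# Added example (not part of the Tufin OPM package): preflight checks to run
# on the TOS server before "sh <package-name>".

# Succeeds only if the file name has the documented shape
# install-<vendor>-<version>.aur.run (assumption: version may differ from 1.0.0).
opm_name_ok() {
    case "$(basename -- "$1")" in
        install-?*-[0-9]*.aur.run) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the names of the given commands that are not on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Runs all checks for package file $1 in upload directory $2 (default /opt/misc).
# Prints one line per problem and returns the number of problems found.
opm_preflight() {
    pkg=$1
    dir=${2:-/opt/misc}
    problems=0
    # python3 and bzip2 are required on systems with a non-Tufin OS.
    for tool in $(missing_tools python3 bzip2); do
        echo "missing package: $tool"
        problems=$((problems + 1))
    done
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "no upload permission on $dir"
        problems=$((problems + 1))
    fi
    if ! opm_name_ok "$pkg"; then
        echo "unexpected package name: $pkg"
        problems=$((problems + 1))
    elif [ ! -f "$dir/$(basename -- "$pkg")" ]; then
        echo "package not found in $dir"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Call `opm_preflight <package-name>` after the upload; a return status of 0 means every check passed.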

Device properties

The following properties are used for Aruba EdgeConnect Orchestrator devices:

  • API key: API key used to authenticate with the EdgeConnect Orchestrator. For instructions, see the Aruba Orchestrator API Key documentation.

  • FQDN (optional): For SaaS or cloud-based Orchestrators without a static IP. Used instead of the IP address.

Add a Device

Add an Aruba EdgeConnect Orchestrator to SecureTrack.

The API key must have Read-Only permission.
  1. In SecureTrack, go to Monitoring > Devices > Device Viewer.

  2. Click Add Device, then select Add OPM Device.

  3. In the ADD OPM DEVICE window, define the device details:

    • Vendor: HPE Aruba
    • OPM agent: Select the registered agent for Aruba
    • Type: EdgeConnect Orchestrator
    • Display name: Name to display in SecureTrack
    • IP: IP address of the device

  4. Click Next.

  5. Enter the API key and optional FQDN as needed.

  6. Click Save to confirm settings and add the device.

Sync Device with SecureTrack

Use Tufin Integrations to configure how SecureTrack syncs with your OPM-managed device. Tufin Integrations is the updated web interface for managing OPM devices, automatically installed by the OPM package if it does not exist.

Configuring SecureTrack to sync with your OPM-managed device includes:

  • Defining user credentials

    For API configuration, define the username and password to connect to SecureTrack and SecureChange.

  • Importing devices

    Run discovery to import the devices for vendors, and selectively enable and start them for monitoring.

  • Assigning the device to a cluster

    You can assign devices to different TOS clusters for monitoring. For example, you can monitor one OPM device from the main cluster and another from a Remote Collector. Remote collectors are available only if they are configured in TOS.

  • Scheduling sync jobs

    Schedule automated syncs or trigger a manual sync on demand when monitoring is enabled for the device.

  • Reviewing job history

    View per-device status, start/end time, and message after each agent run.

When configuration is complete, SecureTrack runs a script that connects to the device, retrieves configuration data (such as interfaces, routes, and rules), and imports the data. This process replaces real-time monitoring with scheduled or manual data collection.

  1. To open Tufin Integrations, do one of the following:

    • Go to https://<tos-vip>/apps/integrations.

    • In SecureTrack, from the list of Tufin Extensions, select Tufin Integrations.

  2. Set the user credentials for Tufin API:

    1. From the DASHBOARD, select Advanced, and then select TUFIN API CONFIGURATION.

    2. Define the username and password credentials for SecureTrack and SecureChange.

    3. Click Save.

      Credentials are automatically validated, and flagged if incorrect.

  3. Return to the Dashboard and select the OPM client or vendor with the devices to monitor.

  4. To import devices, do the following:

    1. Click IMPORT DEVICES and then click RUN DISCOVERY.

      The devices are displayed in the list.

    2. Select the parent management device, or select a specific device.

    3. Right-click and select Enable.

    4. Click Save.

      The enabled devices are added to the vendor list.

  5. To monitor enabled devices, right-click the device and select Start.

  6. From the list of available devices, right-click the required device, and select the cluster from which to monitor the device:

    • Migrate to main: Monitor the device from the primary cluster.

    • Migrate to <remote_collector>: Monitor the device from a Remote Collector, for example, RC4. Available only if a Remote Collector is configured in TOS. The actual name of the Remote Collector differs by environment.

    For automated or manual sync to run, you must enable monitoring for the device.
  7. In the Configuration section, set the automated sync schedule:

    1. Set Schedule interval, for example: daily, weekly, or monthly.

    2. Choose the Time or Day of execution.

    3. Select the Log Level. The default is INFO.

    4. To enable the script, select Enabled.

    5. Click Save.

  8. To start collecting revisions immediately, click SAVE & RUN.

    If not triggered manually, the sync is triggered as scheduled.
    Every script execution retrieves the configuration from all devices assigned to the vendor’s OPM agent.

  9. Verify the results in the Run Details popup:

    In the Agent Runs table, click the blue information icon in the Run Details column.

    The popup shows the status, start and end time, and a message for each device in the run.