Managing Device Groups

Overview

Device Groups organize devices into groups based on organizational or operational criteria, such as network segment, security level, geography, function, or business unit.

SecureTrack supports two types of Device Groups:

  • Management Groups

    Management Groups are collections of devices defined and maintained by the administrator in SecureTrack. Management Groups can organize devices in a way that reflects the enterprise's structure, helping streamline policy design, compliance monitoring, and reporting. Management Groups are not automatically updated when devices are added or removed, and must be manually modified.

    See Management Device Groups

  • Cloud Organizations

    Cloud Organizations help administrators discover and onboard cloud accounts associated with an organization automatically with a single set of authentication credentials, and account import settings.

    See Cloud Organization Device Groups


Management Device Groups

When you select a group, the charts and tables show the data for the members of the group.

The options in the menu change according to which objects are selected in the tree. If you select more than one type of object, the menu is disabled.

What Can I do Here?

Create Management Groups

  1. In the Groups tree, select the parent group for the new group. If Multi-Domain is implemented, you can add groups under each domain, but not directly under the All Devices group.

  2. Enter a unique name for the new group in Group name and click Save.

    Each group directly under the same parent group must have a unique name. If you want to rearrange the groups after they are created, you must delete and re-add the groups that you want to move.

Rename Management Groups

  1. In the Groups tree, select the group to rename.

  2. Edit the name and click Save.

Delete Management Groups

  1. In the Groups tree, select the group to delete.

  2. Click and click Delete.

Add/Remove Devices from Management Groups

  1. In the Groups tree, select a group.

  2. Select the devices to move and use the and buttons to move them into or out of the group.

You can also enter text into the search fields and press Enter or click to filter the lists of devices.

Change Admin Credentials for all Devices in Management Groups

  1. In the Groups tree, select a group.

  2. Click and click Change Credentials.

  3. Enter and confirm any of the new credential details, including username, password, or both. If relevant for the device, you can also enter and confirm a new enable password. If you leave fields blank, those details are not updated.

  4. Click Apply to save the new credentials for the devices in SecureTrack.

    Note: SecureTrack stops retrieving policies from the devices until you configure the matching credentials on the devices.

The changes to device groups take effect immediately.


Cloud Organization Device Groups

Configure Cloud Organizations to automatically discover and onboard member accounts, eliminating the need to manually import each new account. Define the authentication credentials once for the Cloud Organization, and reuse them automatically for any account you explicitly associate with the organization.

See:

Cloud Organization Settings

Automatic Account Import Settings

Add Cloud Organizations

Manually Import Accounts

After configuring a Cloud Organization, you can associate existing and new AWS devices with the Cloud Organization. See Add a Device for Amazon AWS Cloud Platform.

Cloud Organization Settings

The Cloud Organizations page in Device Groups displays the Cloud Organizations, their settings, and options available to manage them.

The table below describes the settings you can configure for a Cloud Organization.

Field Name Description

Vendor

The cloud provider associated with the Cloud Organization. Currently, only Amazon AWS is supported.

Name

The display name for the Cloud Organization.

Organization ID

Mandatory.

The unique identifier representing the Cloud Organization and its member accounts.

In AWS, the Organization ID is generated when the organization is created. You can get it from the AWS Management Console or via the AWS CLI.

Organization Unit ID

Optional.

The ID of the Organization Unit (OU) with the accounts to import. The OU name is not a valid value.

  • If not defined, TOS imports all the accounts under the AWS Root Account.

  • When defined, TOS imports the accounts assigned to the specified OU. If the OU includes child OUs, TOS also imports the accounts from those OUs.

To import accounts at a more granular level, you can define the cloud organization multiple times, using different Names and specifying the OU IDs that correspond to the accounts you want to import.

Assume Role

The IAM user or role to assume for the organization. The role must have the required IAM policy with minimum required permissions for SecureTrack.

Access Key

The username for authentication to the Cloud Organization.

Secret Access Key

The password corresponding to the Access Key for authentication to the Cloud Organization.

Proxy Server

Optional. The proxy server and settings to connect to the Cloud Organization:

  • IP/Hostname: Mandatory. The IP address or Hostname of the proxy server.

  • Port: Mandatory. The port to connect to on the proxy.

  • Username: Optional. The username, if the proxy server requires authentication.

  • Password and Confirm Password: Optional. The password, if the proxy server requires authentication.


Automatic Account Import Settings

When configuring a Cloud Organization, you can optionally enable automatic discovery of member accounts, and define the default monitoring behavior for the imported accounts. For multi-domain environments, you can import accounts into a specific domain in TOS.

  • Auto account import frequency
    When automatic import is enabled, accounts are imported daily at midnight. To change the scheduled time, contact Tufin Customer Support.

  • Manual account imports
    Manually import accounts on demand, even when automatic import is enabled. Manual import behavior differs depending on whether auto account import is enabled or disabled. See Manually Import Accounts.

Both automatic and manual account import processes only add new accounts.
Accounts that have been deleted or removed are not automatically removed during import.
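The import scope defined by the Organization ID and Organization Unit ID settings, and the add-only import behavior described above, as an added Python example (not TOS code). The organization tree is constructed sample data; the identifier formats are those documented for the AWS Organizations API.

```python
import re

# AWS Organizations identifier formats (from the AWS API reference).
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")

# Constructed stand-in for an organization tree (not real account data):
# parent (root or OU id) -> child OU ids, and parent -> member account ids.
CHILD_OUS = {
    "r-abcd": ["ou-abcd-11111111", "ou-abcd-22222222"],
    "ou-abcd-11111111": ["ou-abcd-33333333"],
}
ACCOUNTS = {
    "r-abcd": ["111111111111"],
    "ou-abcd-11111111": ["222222222222"],
    "ou-abcd-22222222": ["333333333333"],
    "ou-abcd-33333333": ["444444444444"],
}


def validate_org_settings(org_id, ou_id=None):
    """Return a list of problems (empty when valid). Catches values that cannot
    be an Organization ID or OU ID, such as an OU *name* ("Production") entered
    where the OU ID is expected."""
    problems = []
    if not ORG_ID_RE.match(org_id):
        problems.append(f"invalid Organization ID: {org_id!r}")
    if ou_id is not None and not OU_ID_RE.match(ou_id):
        problems.append(f"invalid Organization Unit ID: {ou_id!r}")
    return problems


def accounts_in_scope(root_id, ou_id=None):
    """Accounts an import picks up: everything under the root when no OU ID
    is set, otherwise the OU plus all of its child OUs, recursively."""
    stack, found = [ou_id or root_id], []
    while stack:
        parent = stack.pop()
        found.extend(ACCOUNTS.get(parent, []))
        stack.extend(CHILD_OUS.get(parent, []))
    return sorted(found)


def plan_import(already_imported, root_id, ou_id=None):
    """Import only adds: returns (to_add, stale). Stale entries are accounts
    still held by SecureTrack that are no longer in AWS scope; they are
    reported for manual cleanup, never removed automatically."""
    scope = set(accounts_in_scope(root_id, ou_id))
    to_add = sorted(scope - set(already_imported))
    stale = sorted(set(already_imported) - scope)
    return to_add, stale
```

Running plan_import against the accounts already in SecureTrack before each scheduled import gives the list of stale accounts that still hold the organization's credentials and need manual removal.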

The table below describes the automatic account import settings you can configure for a Cloud Organization.

Field Name Description

Domain

In multi-domain environments, the TOS domain into which to import accounts.

Collect traffic logs for rule usage analysis

When selected, SecureTrack uses AWS CloudWatch (the default) to collect traffic logs.

To use S3 buckets instead, enable them manually after import by editing the device settings. For the specific settings to configure, see Adding an AWS device.

Rule Optimizer recommendations

When selected, enables recommendations for tightening overly permissive rules based on traffic usage data.

Enable topology

When selected, collects routing information to build the network Map.

Automatic VPC import

When selected, automatically imports and reflects all VPC changes (added, edited, deleted) in SecureTrack.

Prerequisites

Before you add a Cloud Organization, ensure you have the:

  • Organization ID

  • Access Key and Secret Access Key

See Cloud Organization Settings.

Add Cloud Organizations

Add a Cloud Organization with the required settings.

  1. Select Cloud Organizations, and then click + ADD CLOUD ORGANIZATION. The Add Cloud Organization page is displayed.

  2. Define the settings for the Cloud Organization, as described in Cloud Organization Settings.

  3. Optional. To automatically import accounts for the Cloud Organization or import into a specific domain in TOS, do the following:

    • Select Automatic account import.

    • For multi-domain environments, select the Domain into which to import accounts.

  4. Optional. Configure the settings for the imported account, as described in Automatic Account Import Settings.

    If automatic account import settings are not configured for the Cloud Organization, you can manually import accounts whenever needed.

  5. Click Save.

Manually Import Accounts

Manually import accounts for Cloud Organizations when needed, regardless of whether automatic account import has been enabled.

The behavior for manual account import depends on whether automatic account import is enabled for the Cloud Organization.

When you manually import accounts:

  • If automatic account import is enabled, the accounts are imported based on the settings configured for automatic import. If a domain is configured, accounts are imported into the configured domain.

  • If automatic account import is disabled, the accounts are imported into the default domain in TOS.

  • These configuration settings are enabled by default:

    • Collect traffic logs for rule usage analysis

    • Enable Topology

    • Automatic VPC Import

Transit Gateways and Load Balancers must be explicitly imported for the account.


  1. Select Cloud Organizations.

  2. From the list of Cloud Organizations, select the organization for which to import accounts, and from the context menu, select Import Accounts.

TOS initiates and completes the import process without requiring any intervention on your part.

Edit/Delete Cloud Organizations

After configuring a Cloud Organization, you can edit its settings, including automatic account import settings, and delete existing organizations.

Editing Cloud Organization settings

Changes to automatic account import settings affect only newly imported accounts. Existing accounts are not affected.

Deleting Cloud Organizations

Deleting a Cloud Organization removes it from SecureTrack.
Each account associated with the organization continues to authenticate with the Access Key and Secret Access Key most recently defined for it in the organization's settings.

  1. From the navigation bar, select Cloud Organizations.

  2. From the list of Cloud Organizations, select the organization, and from the context menu, select:

How Do I Get Here?

SecureTrack > Monitoring > Device Groups