Configuring TOS

Overview

Various TOS settings can be configured using the TOS CLI. This topic covers some of the more common settings that you can configure with tos config to suit the needs of your organization.

All commands must be run on the primary data node as a user with root privileges.

The VMC on AWS URLs, Time Zone, Web Session Inactivity Timeout, and Web Session Maximum Duration configurations involve restarting services, which may take several minutes; some TOS functions may be unavailable until the restart completes successfully.

Avoid New Lines in TOS Logs

Controls whether each entry in the TOS logs is written on its own new line.

  • Values: 

    false - write a new line for each log entry

    true - do not write a new line for each log entry

  • Default: false.

Get the Current Value for Avoid New Lines in Logs

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p logging.avoidNewLines

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set Avoid New Lines in Logs

[<ADMIN> ~]# tos config set -p logging.avoidNewLines=<TRUE-FALSE> -s secure-channel-coordinator

where <TRUE-FALSE> is true or false.

Example

# tos config set -p logging.avoidNewLines=true -s secure-channel-coordinator

Certificate Countdown to Expiry

Set the number of days ahead of central/remote collector cluster certificate expiry at which the certificate is renewed.

  • Values: 32-394 (days)

  • Default: 32 (days)

Get the Current Value

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p secure.channel.certificate.renew.expiryIsLessThanInDays

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set a New Value

[<ADMIN> ~]# tos config set -p secure.channel.certificate.renew.expiryIsLessThanInDays=<DAYS> -s secure-channel-coordinator

where <DAYS> is the number of days ahead of the certificate expiry date that the certificate will automatically be renewed.

Example

# tos config set -p secure.channel.certificate.renew.expiryIsLessThanInDays=45 -s secure-channel-coordinator

Certificate Expiry Check Time

Set the time at which to check central/remote collector cluster certificate expiry.

  • Values: Any valid spring-based cron format

  • Default: 0 30 04 ? * SAT

Get the Current Value

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p secure.channel.certificate.cron

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set a New Value

[<ADMIN> ~]# tos config set -s secure-channel-coordinator -p secure.channel.certificate.cron="<SPRINGCRON>"

where <SPRINGCRON> is any valid spring-based cron expression, e.g. 0 0 9-17 * * MON-FRI (on the hour, nine-to-five, on weekdays).

Example

# tos config set -s secure-channel-coordinator -p secure.channel.certificate.cron="0 0 9-17 * * MON-FRI"

Certificate Validity Period

Set the period for which automatically renewed central/remote collector cluster certificates will be valid.

  • Values: 31-395 (days)

  • Default: 395 (days)

Get the Current Value

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p secure.channel.certificate.renew.expiry

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set a New Value

[<ADMIN> ~]# tos config set -p secure.channel.certificate.renew.expiry=<DAYS>

where <DAYS> is the number of days that the certificate will remain valid.

Example

# tos config set -p secure.channel.certificate.renew.expiry=60

SNMP Inbound Monitoring

SNMPv2 get/walk requests are received on port 161. Listening on this port is disabled by default.

  • Values: 

    false - do not listen on port 161

    true - listen on port 161

  • Default: false

Get the Current Value for SNMP Inbound Monitoring

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p snmp.inboundMonitoringEnabled

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set SNMP Inbound Monitoring

[<ADMIN> ~]# tos config set -p snmp.inboundMonitoringEnabled=<TRUE-FALSE> -s monitor-tower

where <TRUE-FALSE> is true or false.

Example

# tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower

The TOS Time Zone

TOS has its own time zone, which is independent of the host server time zone.

  • Values: Area only, area/location and some abbreviations as they appear in the tz database. For the complete list, see column 'TZ identifier' in the Wikipedia list of tz zones.

  • Default: Taken from the server at installation time.

Get the Current TOS Time Zone

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p server.timezone

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set the TOS Time Zone

[<ADMIN> ~]# tos config set -p server.timezone=<TIMEZONE>

where <TIMEZONE> is the appropriate time zone.

Example

# tos config set -p server.timezone=Europe/Berlin

If you want to change the date or time, see Changing the Time and Date.

VMC on AWS Private URLs

By default, TOS uses a public URL to monitor VMC on AWS. You can change this to a private URL. The selected URL is used for all VMC on AWS devices monitored by TOS.

Private URL example:

https://demo-environment.vmwarevmc.com/policy/api/v1/

Public URL example:

https://demo-environment.vmwarevmc.com/vmc/reverse-proxy/api/orgs/eaec1ad1-dbc2-4495-86d1-30aaaef62faf/sddcs/9ccfbb09-48f4-4480-9753-e6389b84cbf1/sks-nsxt-manager/policy/api/v1/

Set Private URL

  • Run the following command:

    tos config set -p NSX.VMC.ENDPOINT.MODE=private

Set Public URL

  • Run the following command:

    tos config set -p NSX.VMC.ENDPOINT.MODE=public

Web Session Inactivity Timeout

The period of inactivity that will cause a user session to expire and force the user to log in again.

  • Values: Integer + m/h/d; e.g. 90m, 24h, 2d

  • Default: 30m

Get the Current Maximum Inactivity Timeout

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p web.session.inactivityTimeout

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set the Maximum Inactivity Timeout

[<ADMIN> ~]# tos config set -p web.session.inactivityTimeout=<INT><PERIOD>

where

  • <INT> is an integer.

  • <PERIOD> is the time period - m, h or d for minutes, hours or days respectively.

Example

# tos config set -p web.session.inactivityTimeout=90m

Maximum Web Session Duration

The time after which the user will be prompted to log in again, even if active.

  • Values: Integer + m/h/d; e.g. 90m, 24h, 2d

  • Default: 12h

Get the Maximum Duration

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p web.session.maxDuration

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS service, all will appear.

Set the Maximum Duration

[<ADMIN> ~]# tos config set -p web.session.maxDuration=<INT><PERIOD>

where

  • <INT> is an integer.

  • <PERIOD> is the time period - m, h or d for minutes, hours or days respectively.

Example

# tos config set -p web.session.maxDuration=8h

Sending Cluster Health Status to Tufin

Disable Sending Cluster Health Status

tos config set -p tos.mailbox.enabled=false

Enable Sending Cluster Health Status

tos config reset -p tos.mailbox.enabled

Set Frequency for Sending Cluster Health Status

The default frequency is once every 30 seconds. To change the frequency, use the following command:

tos config set -s tos-ui -p tos.mailbox.poll.next.interval=<INTERVAL>

where <INTERVAL> must be a Duration value between 10 seconds and 10 minutes, for example 15s or 5m.
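A pre-flight check for the values in this section and in the certificate and web-session sections above, added here as an example; it is not part of the Tufin documentation or of the tos CLI. It enforces the ranges and <INT><PERIOD> formats the page documents and renders the matching tos config set line; the two cross-parameter rules (renew-ahead shorter than validity, inactivity timeout not longer than maxDuration) are this example's own sanity checks derived from the parameter descriptions, not limits stated by the product.

```python
import re
import shlex

# Inclusive day ranges as documented for the secure-channel-coordinator certificate parameters.
RENEW_AHEAD_DAYS = (32, 394)   # secure.channel.certificate.renew.expiryIsLessThanInDays
VALIDITY_DAYS = (31, 395)      # secure.channel.certificate.renew.expiry
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def duration_seconds(value, units="smhd"):
    """Parse a TOS duration such as 90m, 24h, 2d (or 15s where the page allows seconds)."""
    m = re.fullmatch(rf"(\d+)([{units}])", value)
    if not m:
        raise ValueError(f"{value!r} is not <INT><PERIOD> with PERIOD one of {units}")
    return int(m.group(1)) * SECONDS[m.group(2)]

def check_session(inactivity, max_duration):
    """web.session.* values use m/h/d only. Sanity check (this example's, not the product's):
    an idle timeout longer than maxDuration can never apply, since maxDuration ends the session first."""
    idle, cap = duration_seconds(inactivity, "mhd"), duration_seconds(max_duration, "mhd")
    if idle > cap:
        raise ValueError("inactivityTimeout exceeds maxDuration; the idle timeout would never apply")
    return idle, cap

def check_certificate(renew_ahead, validity):
    """Renewal runs when expiry is less than renew_ahead days away; renewed certificates are valid
    for validity days. Returns how many days a renewed certificate serves before the next renewal."""
    for name, value, (lo, hi) in (("renew-ahead", renew_ahead, RENEW_AHEAD_DAYS),
                                  ("validity", validity, VALIDITY_DAYS)):
        if not lo <= value <= hi:
            raise ValueError(f"{name} must be {lo}-{hi} days, got {value}")
    if renew_ahead >= validity:   # sanity check (ours): a fresh certificate would already qualify
        raise ValueError("renew-ahead must be shorter than the validity period")
    return validity - renew_ahead

def check_mailbox_interval(value):
    """tos.mailbox.poll.next.interval: a Duration between 10 seconds and 10 minutes."""
    secs = duration_seconds(value)
    if not 10 <= secs <= 600:
        raise ValueError(f"{value} is outside the documented 10s-10m range")
    return secs

def render(param, value, service=None):
    """Build the tos config set command line; values containing spaces (cron) are shell-quoted."""
    argv = ["tos", "config", "set", "-p", f"{param}={value}"] + (["-s", service] if service else [])
    return " ".join(shlex.quote(a) for a in argv)
```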

Disable Topology Sync for Users

You can disable the Synchronize option in the Sync Topology Map to prevent users from triggering both Fast and Full Topology Syncs in the UI.

In large enterprises with many users, running a Fast Sync can cause downtime, during which path analysis remains unavailable until the sync completes. To ensure that path analysis remains available without depending on an ongoing Fast Sync finishing, you can disable the Synchronize option in the UI.

Run the following command:

tos config set -p topology.ui.synchronization.disabled=true -s topology-facade -c

where:

topology.ui.synchronization.disabled = true disables the Synchronize option in the UI. Default is false.

Enable Enhanced Last Hit Information for Check Point Devices

Enable last hit information from Check Point syslogs using the Open Policy Model (OPM) infrastructure.

When enabled, this mode replaces the legacy method, and provides improved performance and stability in environments that include Check Point devices.

Behavior changes

  • Expanded visibility: Last hit information is available for both rules and objects, both in the Rule Viewer and in STRE (SecureTrack Reporting Essentials), compared to only rules in legacy mode.

  • Data initialization: When switching to this mode, all existing last hit information is cleared and reinitialized.

Legacy features

When enhanced last hit collection is enabled, the following legacy features are not available:

  • Automatic Policy Generator

  • Rule and Object Usage report

Enable Enhanced Last Hit Information

  • Run the following command:

    tos config set -p opm.usage.support.legacy.types=checkpoint

Disable Enhanced Last Hit Information

  • Run the following command:

    tos config reset -p opm.usage.support.legacy.types