Monitoring Devices in TOS
Note: This topic is intended for Network Security Engineers who are responsible for troubleshooting network connectivity, adding devices, and auditing compliance.
Overview
TOS monitors the various components of your network and security infrastructure, and provides tracking, analysis, and reporting tools for the received policy revisions for any monitored device. You can manage TOS from any PC that has HTTPS access to TOS's web interface.
For increased scalability, TOS's Distributed Architecture enables multiple TOS servers to perform device monitoring and processing. Each distributed component can receive revisions and traffic logs. All management, revision viewing, and reporting is done on the TOS central server.
Adding a physical or virtual firewall device to TOS adds it to the list of Monitored Devices and gives you visibility into the device's policy and revisions. Only SecureTrack Administrators can add and manage devices. If your system is configured for multi-domain management, devices can be added by Multi-Domain Administrators in a selected domain, or by Super Administrators either in a selected domain or when All Domains is selected.
Devices are added by default to the Central Cluster. If you are running a distributed deployment, you can choose whether to attach the devices to the Central Cluster or to a Remote Collector. Later, you can choose whether to migrate the device (or the device group) to a different cluster.
Devices and Licensing
SecureTrack automatically attaches each new device to an available license component (SKU), choosing the one with the longest remaining duration. If a perpetual license has capacity, SecureTrack attaches the device to it. Otherwise, SecureTrack chooses the subscription license with the latest expiration date. If no license is available, the device is treated as Plug and Play, and you have 30 days to contact Tufin and purchase a license for it. When you disable a device, the SKU it was attached to becomes available for other devices.
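The attachment rule above (perpetual first, then the subscription expiring last, then a 30-day Plug and Play grace period, with the slot freed when a device is disabled) can be modelled directly. The following is an added illustration, not Tufin code; the `LicenseSku` fields, the `capacity` notion, and the device and SKU names are assumptions made for the example.

```python
"""Model of how a newly added device is attached to a license SKU.

Added example, not Tufin code. Field names, capacities and the sample
inventory are constructed; only the selection order and the 30-day
Plug and Play grace period come from the product description.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

PLUG_AND_PLAY_DAYS = 30  # grace period stated in the documentation


@dataclass
class LicenseSku:
    name: str
    perpetual: bool
    expires: Optional[date]          # None for a perpetual SKU
    capacity: int                    # devices this SKU can cover (assumption)
    devices: List[str] = field(default_factory=list)

    def has_room(self) -> bool:
        return len(self.devices) < self.capacity


@dataclass
class Attachment:
    device: str
    sku: Optional[str]               # None means Plug and Play
    grace_until: Optional[date]      # set only for Plug and Play devices


def pick_sku(skus: List[LicenseSku]) -> Optional[LicenseSku]:
    """Longest duration first: a perpetual SKU with room, else the
    subscription SKU with the latest expiration date, else None."""
    free = [s for s in skus if s.has_room()]
    perpetual = [s for s in free if s.perpetual]
    if perpetual:
        return perpetual[0]
    subscriptions = [s for s in free if not s.perpetual and s.expires is not None]
    if subscriptions:
        return max(subscriptions, key=lambda s: s.expires)
    return None


def attach_device(device: str, skus: List[LicenseSku], today: date) -> Attachment:
    sku = pick_sku(skus)
    if sku is None:
        # No capacity anywhere: Plug and Play, with a 30-day clock
        return Attachment(device, None, today + timedelta(days=PLUG_AND_PLAY_DAYS))
    sku.devices.append(device)
    return Attachment(device, sku.name, None)


def detach_device(device: str, skus: List[LicenseSku]) -> Optional[str]:
    """Disabling a device frees its SKU slot; returns the freed SKU name."""
    for sku in skus:
        if device in sku.devices:
            sku.devices.remove(device)
            return sku.name
    return None


def plug_and_play_expired(attachment: Attachment, today: date) -> bool:
    """True once a Plug and Play device has passed its grace period."""
    return attachment.sku is None and today > attachment.grace_until


def demo():
    """Constructed inventory: one perpetual slot and two subscription slots."""
    today = date(2025, 1, 15)
    skus = [
        LicenseSku("SUB-A", perpetual=False, expires=date(2026, 6, 30), capacity=1),
        LicenseSku("PERP-1", perpetual=True, expires=None, capacity=1),
        LicenseSku("SUB-B", perpetual=False, expires=date(2027, 1, 31), capacity=1),
    ]
    results = [attach_device(d, skus, today) for d in ("fw1", "fw2", "fw3", "fw4")]
    freed = detach_device("fw1", skus)            # disabling fw1 frees PERP-1
    results.append(attach_device("fw5", skus, today))
    return results, freed


if __name__ == "__main__":
    attachments, freed_sku = demo()
    for a in attachments:
        print(a)
    print("freed:", freed_sku)
```

Running the demo attaches fw1 to the perpetual SKU, fw2 to the subscription expiring last (SUB-B), fw3 to SUB-A, leaves fw4 as Plug and Play until 2025-02-14, and, after fw1 is disabled, attaches fw5 to the freed perpetual slot.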
Devices Installation
You can add devices from supported manufacturers using a simple wizard. The wizard prompts you for the required device information, such as the device type, IP address, user name, and password. The required information differs by device type.
All devices need to use TLS 1.2. SecureTrack will not retrieve revisions from devices that use TLS 1.0 or 1.1.
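Because a device that only offers TLS 1.0 or 1.1 will never yield a revision, it is worth checking the management endpoint before adding it. The script below is an added example, not part of TOS: `tls12_context` builds a client context with the same floor the collector enforces, `revision_retrieval_allowed` is the pure decision rule on the protocol name that Python's `ssl` module reports, and `probe_device` performs one handshake against a host and port you supply (assumed values; the example does not know any real device address).

```python
"""Pre-flight TLS check for a device management endpoint.

Added example, not TOS code. It models the stated requirement: revisions
are retrieved only over TLS 1.2 or later. Host, port and the decision to
skip certificate verification on first contact are the operator's inputs.
"""
import socket
import ssl

# Protocol names as returned by SSLSocket.version()
ACCEPTED = {"TLSv1.2", "TLSv1.3"}
REJECTED = {"SSLv3", "TLSv1", "TLSv1.1"}


def revision_retrieval_allowed(negotiated_version: str) -> bool:
    """True only for TLS 1.2 and later; anything older or unknown is refused."""
    if negotiated_version in REJECTED:
        return False
    return negotiated_version in ACCEPTED


def tls12_context(verify: bool = True) -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.2.

    With verify=False the certificate is not checked; use that only for the
    first contact with a self-signed management certificate, then import the
    CA or pin the certificate before monitoring starts.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_device(host: str, port: int = 443, timeout: float = 5.0,
                 verify: bool = True) -> dict:
    """Connect once and report the negotiated protocol.

    A handshake failure under a 1.2-only context is itself the answer: the
    device cannot speak a version the collector will accept.
    """
    ctx = tls12_context(verify=verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                version = tls.version()
                return {"host": host, "version": version,
                        "ok": revision_retrieval_allowed(version), "error": None}
    except ssl.SSLError as exc:
        return {"host": host, "version": None, "ok": False,
                "error": f"handshake failed: {exc}"}
    except OSError as exc:
        return {"host": host, "version": None, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder (TEST-NET-1)
    result = probe_device(target, verify=False)
    print(result)
    print("add to TOS:" if result["ok"] else "fix device TLS first:", target)
```

Run it with the management address of the device as the first argument. A result with `ok` set to false and a handshake error means the device needs its TLS configuration raised before TOS can retrieve revisions from it.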
For a list of supported devices, see Supported Devices and Platforms.
Monitor Vendor Devices
TOS uses different technologies to monitor each vendor's devices:
- Cisco, Fortinet, and Juniper: By default, TOS uses periodic polling: it connects to each firewall or network device over SSH at a configurable interval (5 minutes by default) and retrieves its configuration. In addition, TOS can be configured as a syslog server for the monitored devices, so that changes are detected in real time rather than at the next poll.
- Palo Alto Networks: TOS connects to each firewall or network device through the REST API at a configurable interval (5 minutes by default) and retrieves its configuration.
- Check Point: TOS uses Check Point OPSEC™ (Open Platform for Security) to track all changes made by administrators to Check Point management servers (CMAs, Provider-1 MDSs, and SmartCenters). Whenever an administrator saves or installs a policy, TOS is notified of the change immediately and retrieves the new security policy over a secure OPSEC connection. When a Check Point management server contains multiple Policy Packages, TOS records all packages with each revision.
- Check Point Security Gateway OS: TOS can also monitor the operating system of Check Point gateways directly. TOS polls each gateway with SNMP at a configurable interval and retrieves configuration and performance data. OS monitoring requires a separate license.
Automatic Revisions
For devices monitored in real time, if no revision is received from a monitored device within a configurable interval, TOS also performs an automatic, scheduled fetch of the device's database. If the fetched configuration differs from the last recorded revision, TOS records a new revision, called an Automatic Revision. This covers changes made while TOS was not monitoring the device (for example, before device monitoring was set up) and changes made directly on the device, such as via cpconfig on a Check Point management server. The default automatic fetch interval is 60 minutes.
Device monitoring occurs automatically, without user intervention. Whenever TOS discovers changes to a policy, it records a new revision of the policy. The configuration is parsed, analyzed, and stored in TOS's database. TOS uses this information to generate scheduled and on-event reports and several types of real-time change notifications:
- Email reports, with configurable levels of detail, to registered TOS administrators
- Syslog messages to a syslog server, with details of the changes made
- SNMP traps to registered applications, with details of the changes made
TOS's policy change notifications provide real-time policy change tracking and integration with external security management frameworks (for example, a SIM or SOC).
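The revision logic described in the last two sections (a fetched configuration becomes a revision only if it differs from the previous one, a scheduler-triggered fetch after a quiet interval is labelled an Automatic Revision, and each new revision emits a change notification) is modelled below. This is an added example, not TOS code: the device name, the two sample configurations, the `DeviceTracker` class and the syslog line format are constructed for the illustration.

```python
"""Model of revision recording and syslog change notification.

Added example, not TOS code. Sample configurations, device name and the
notification format are constructed; the 60-minute automatic fetch
interval and the no-change/no-revision rule follow the description.
"""
import difflib
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

AUTO_FETCH_INTERVAL = timedelta(minutes=60)  # default stated in the documentation

# Constructed sample configs; 203.0.113.10 is a documentation (TEST-NET-3) address.
CONFIG_V1 = "\n".join([
    "hostname edge-fw1",
    "access-list OUTSIDE permit tcp any host 203.0.113.10 eq 443",
    "access-list OUTSIDE deny ip any any",
])
CONFIG_V2 = "\n".join([
    "hostname edge-fw1",
    "access-list OUTSIDE permit tcp any host 203.0.113.10 eq 443",
    "access-list OUTSIDE permit tcp any host 203.0.113.10 eq 22",   # new rule
    "access-list OUTSIDE deny ip any any",
])


@dataclass
class Revision:
    number: int
    digest: str
    config: str
    automatic: bool            # True when the scheduler, not an event, triggered the fetch
    fetched_at: datetime
    changed_lines: List[str]   # added/removed lines relative to the previous revision


class DeviceTracker:
    def __init__(self, device: str):
        self.device = device
        self.revisions: List[Revision] = []
        self.last_event: Optional[datetime] = None
        self.notifications: List[str] = []

    def real_time_event(self, when: datetime) -> None:
        """A syslog/OPSEC notification from the device: remember when we last heard of a change."""
        self.last_event = when

    def scheduler_due(self, now: datetime) -> bool:
        """Automatic fetch runs when no real-time event arrived within the interval."""
        return self.last_event is None or now - self.last_event >= AUTO_FETCH_INTERVAL

    def record(self, config: str, now: datetime, automatic: bool) -> Optional[Revision]:
        """Store a new revision only if the configuration actually changed."""
        digest = hashlib.sha256(config.encode()).hexdigest()
        if self.revisions and self.revisions[-1].digest == digest:
            return None                      # identical to last revision: nothing recorded
        previous = self.revisions[-1].config if self.revisions else ""
        diff = difflib.unified_diff(previous.splitlines(), config.splitlines(), lineterm="", n=0)
        changed = [line for line in diff
                   if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
        rev = Revision(len(self.revisions) + 1, digest, config, automatic, now, changed)
        self.revisions.append(rev)
        self.notifications.append(self._syslog(rev))
        return rev

    def _syslog(self, rev: Revision) -> str:
        # RFC 5424-style line, constructed for the example (<134> = local0.info).
        trigger = "automatic" if rev.automatic else "event-driven"
        return (f"<134>1 {rev.fetched_at.isoformat()} tos-collector policy-change - - - "
                f"device={self.device} revision={rev.number} trigger={trigger} "
                f"changes={len(rev.changed_lines)} sha256={rev.digest[:12]}")


def demo():
    """Event-driven first revision, a no-op poll, then an automatic revision."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    tracker = DeviceTracker("edge-fw1")
    tracker.real_time_event(t0)                          # device syslog: policy changed
    tracker.record(CONFIG_V1, t0, automatic=False)
    unchanged = tracker.record(CONFIG_V1, t0 + timedelta(minutes=10), automatic=False)
    t1 = t0 + timedelta(minutes=60)                      # quiet hour: scheduler fires
    if tracker.scheduler_due(t1):
        tracker.record(CONFIG_V2, t1, automatic=True)
    return tracker, unchanged


if __name__ == "__main__":
    tracker, unchanged = demo()
    print("duplicate poll recorded:", unchanged)
    for line in tracker.notifications:
        print(line)
```

The second poll of an unchanged configuration records nothing, while the scheduled fetch that finds the added SSH rule produces revision 2 with `trigger=automatic`, which is the distinction a SIEM rule can key on when correlating policy changes with change tickets.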
TOS includes a watchdog mechanism, which ensures that the TOS processes are up and running at all times. This diagram illustrates the interactions between the TOS server and other devices in the security policy management process.