Managing Device Groups

Overview

Device Groups help organize devices into groups typically based on organizational or operational criteria—such as network segment, security level, or any other criteria, including geography, function, or business unit.

SecureTrack supports two types of Device Groups:

  • Management Groups

    Management Groups are collections of devices defined and maintained by the administrator in SecureTrack. Management Groups can organize devices in a way that reflects the enterprise's structure, helping streamline policy design, compliance monitoring, and reporting. Management Groups are not automatically updated when devices are added or removed, and must be manually modified.

    See Management Device Groups

  • Cloud Organizations

    Cloud Organizations help administrators discover and onboard cloud accounts associated with an organization automatically with a single set of authentication credentials, and automatic import settings.

    See Cloud Organization Device Groups


Management Device Groups

When you select a group, the charts and tables show the data for the members of the group.

The options in the menu change according to which objects are selected in the tree. If you select more than one type of object, the menu is disabled.

What Can I do Here?

Create Management Groups

  1. In the Groups tree, select the parent group for the new group. If Multi-Domain is implemented, you can add groups under each domain, but not directly under the All Devices group.

  2. Enter a unique name for the new group in Group name and click Save.

    Each group directly under the same parent group must have a unique name. If you want to rearrange the groups after they are created, you must delete and re-add the groups that you want to move.

Rename Management Groups

  1. In the Groups tree, select the group to rename.

  2. Edit the name and click Save.

Delete Management Groups

  1. In the Groups tree, select the group to delete.

  2. Click and click Delete.

Add/Remove Devices from Management Groups

  1. In the Groups tree, select a group.

  2. Select the devices to move and use the and buttons to move them into or out of the group.

You can also enter text into the search fields and press Enter or click to filter the lists of devices.

Change Admin Credentials for all Devices in Management Groups

  1. In the Groups tree, select a group.

  2. Click and click Change Credentials.

  3. Enter and confirm any of the new credential details, including username, password, or both. If relevant for the device, you can also enter and confirm a new enable password. If you leave fields blank, those details are not updated.

  4. Click Apply to save the new credentials for the devices in SecureTrack.

    Note: SecureTrack stops retrieving policies from the devices until you configure the matching credentials on the devices.

The changes to device groups take effect immediately.


Cloud Organization Device Groups

Configure Cloud Organizations to automatically discover and onboard member accounts, eliminating the need to manually import each new account. Define the authentication credentials once for the Cloud Organization, and reuse them for any account you explicitly associate with the organization.

Add a Cloud Organization by configuring the organization settings, including credentials and settings to automatically import accounts. You can also import accounts manually at any time. See Add Cloud Organizations and Manually Import Accounts for Cloud Organizations.
The Cloud Organizations page in Device Groups displays the Cloud Organizations, their settings, and options available to manage them.

After configuring a Cloud Organization, you can associate existing and new devices with the Cloud Organization.

See adding a device for: 

Generic Cloud Organization Settings

The table below describes the generic settings for a Cloud Organization.

Field Name Description

Name

The display name for the Cloud Organization.

Proxy Server

Optional. The proxy server and settings to connect to the Cloud Organization:

  • IP/Hostname: Mandatory. The IP address or Hostname of the proxy server.

  • Port: Mandatory. The port to connect to on the proxy.

  • Username: Optional. The username, if the proxy server requires authentication.

  • Password and Confirm Password: Optional. The password, if the proxy server requires authentication.

Amazon Cloud Organization Settings

The table below describes the Cloud Organization settings specific to Amazon AWS.

Field Name Description

Organization ID

Mandatory.

The unique identifier representing the Cloud Organization and its member accounts.

The Organization ID is generated when the organization is created. You can get it from the AWS Management Console or via the AWS CLI.

Organization Unit ID

Optional.

The ID of the Organization Unit (OU) with the accounts to import. The OU name is not a valid value.

  • If not defined, TOS imports all the accounts under the AWS Root Account.

  • When defined, TOS imports the accounts assigned to the specified OU, including any child OUs and their accounts.

To import accounts at a more granular level, define the cloud organization multiple times using different Names, and specify the OU that contains the accounts to import for each Name.

Assume Role

The IAM user or role to assume for the organization. The role must have the required IAM policy with minimum required permissions for SecureTrack.

Access Key

The username for authentication to the Cloud Organization.

Secret Access Key

The password corresponding to the Access Key for authentication to the Cloud Organization.

Azure Cloud Organization Settings

The table below describes the Cloud Organization settings specific to Microsoft Azure.

Field Name Description

Tenant ID

Mandatory.

The unique identifier representing the Cloud Organization and its subscriptions.

Management Group

Optional.

The ID of the Management Group that contains the accounts to import.

  • If not defined, TOS imports all accounts for the tenant specified by Tenant ID.

  • When defined, TOS imports the accounts assigned to the specified Management Group, including any child Management Groups and their subscriptions.

To import accounts at a more granular level, define the cloud organization multiple times using different Names, and specifying the Management Groups that contain the accounts to import for each Name.

See Overview on Management Groups.
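Both the AWS Organization Unit ID and the Azure Management Group fields above scope an import to a container and everything below it, and the AWS field accepts only the OU ID, not the OU name. The following added example (not Tufin code) checks the identifier formats before you paste them into the form and works out which accounts or subscriptions a given scope would pull in. The ID patterns are those the AWS Organizations API reference documents for organization, root and OU IDs, and a GUID for the Azure Tenant ID and Application Client ID; the hierarchies and every account, OU and subscription ID below are constructed placeholders. In AWS the real values come from `aws organizations describe-organization` and `aws organizations list-organizational-units-for-parent`.

```python
import re
from typing import Dict, List

# Added example, not Tufin's code. The regexes are the ID patterns published in the
# AWS Organizations API reference; Azure tenant and application (client) IDs are GUIDs.
AWS_ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")
AWS_ROOT_ID = re.compile(r"^r-[0-9a-z]{4,32}$")
AWS_OU_ID = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")
GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def validate_aws_settings(organization_id: str, organization_unit_id: str = "") -> List[str]:
    """Return the problems found in the AWS Cloud Organization settings (empty list = OK)."""
    errors = []
    if not AWS_ORG_ID.match(organization_id):
        errors.append(f"Organization ID {organization_id!r} is not of the form o-xxxxxxxxxx")
    # The OU field is optional; when present it must be the OU ID, never the OU name.
    if organization_unit_id and not AWS_OU_ID.match(organization_unit_id):
        errors.append(
            f"Organization Unit ID {organization_unit_id!r} is not an OU ID "
            "(ou-xxxx-xxxxxxxx); the OU name is not accepted"
        )
    return errors


def validate_azure_settings(tenant_id: str, application_client_id: str) -> List[str]:
    """Return the problems found in the Azure Cloud Organization settings (empty list = OK)."""
    errors = []
    if not GUID.match(tenant_id):
        errors.append(f"Tenant ID {tenant_id!r} is not a GUID")
    if not GUID.match(application_client_id):
        errors.append(f"Application Client ID {application_client_id!r} is not a GUID")
    return errors


def accounts_in_scope(children: Dict[str, List[str]], members: Dict[str, List[str]], scope: str) -> List[str]:
    """Accounts (AWS) or subscriptions (Azure) that an import scoped to `scope` covers.

    `children` maps a container (root/OU or management group) to its child containers;
    `members` maps a container to the accounts directly under it. Child containers are
    walked recursively, which is the behaviour the settings tables describe.
    """
    covered, seen, pending = [], set(), [scope]
    while pending:
        node = pending.pop()
        if node in seen:
            continue
        seen.add(node)
        covered.extend(members.get(node, []))
        pending.extend(children.get(node, []))
    return sorted(covered)


# Constructed AWS hierarchy (hypothetical IDs): root -> two OUs, one with a child OU.
AWS_CHILDREN = {
    "r-abcd": ["ou-abcd-11111111", "ou-abcd-22222222"],
    "ou-abcd-11111111": ["ou-abcd-33333333"],
}
AWS_MEMBERS = {
    "r-abcd": ["111111111111"],
    "ou-abcd-11111111": ["222222222222"],
    "ou-abcd-33333333": ["333333333333"],
    "ou-abcd-22222222": ["444444444444"],
}

# Constructed Azure hierarchy (hypothetical IDs). The tenant root management group has the
# same ID as the tenant, so the Tenant ID doubles as the top-level scope.
AZURE_TENANT = "11111111-2222-3333-4444-555555555555"
AZURE_CHILDREN = {AZURE_TENANT: ["mg-prod", "mg-dev"], "mg-prod": ["mg-prod-eu"]}
AZURE_MEMBERS = {
    "mg-prod": ["sub-prod-core"],
    "mg-prod-eu": ["sub-prod-eu-1"],
    "mg-dev": ["sub-dev-1"],
}


if __name__ == "__main__":
    print(validate_aws_settings("o-abcdefghij", "Production"))  # an OU name is rejected
    print(accounts_in_scope(AWS_CHILDREN, AWS_MEMBERS, "r-abcd"))  # no OU: everything under root
    print(accounts_in_scope(AWS_CHILDREN, AWS_MEMBERS, "ou-abcd-11111111"))  # OU plus its child OU
    print(accounts_in_scope(AZURE_CHILDREN, AZURE_MEMBERS, "mg-prod"))
```

Running the scope check against the real hierarchy before saving the organization shows exactly which accounts SecureTrack will start onboarding, which is worth knowing when a broad scope would also pull in sandbox or decommissioned accounts.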

Application Client ID

The unique identifier of the application, automatically generated on registering the application in Microsoft Entra ID. See Register an application in Microsoft Entra ID.

Application Secret

Also called the Client Secret, the credential used by the Application Client for authentication. The Application Secret is manually generated in the Azure portal. See Register an application in Microsoft Entra ID.

Automatic Import Settings

When configuring a Cloud Organization, you can enable automatic discovery and import for the organization's accounts, and also configure the default behavior for usage analysis.

  • Auto import frequency
    When enabled, automatic imports occur daily at midnight. To change the scheduled time, contact Tufin Customer Support.

  • Manual import
    Manually import on demand, even when automatic import is enabled. Manual import behavior differs depending on whether auto import is enabled or disabled. See Manually Import Accounts for Cloud Organizations.

Both automatic and manual import processes only add new entities.
Existing entities that have been deleted or removed are not automatically removed during import.

The table below describes the automatic import settings you can configure for a Cloud Organization.

Field Name Description

Automatic import settings

When selected, imports accounts on a predefined automated schedule. Monitoring and usage analysis features that are enabled for the Cloud Organization are inherited by all of its devices.

Collect traffic logs for rule usage analysis

  • AWS: Collects traffic logs using AWS CloudWatch (the default). To use S3 Buckets, manually configure the device’s settings. For the specific settings to configure, see Adding an AWS device.

  • Azure: Collects traffic logs using Azure Firewall and NSG (supported from R24-1).

Collect traffic logs for object usage analysis

Azure only.
Requires Collect traffic logs for rule usage analysis.
When selected, collects traffic logs using NSG (supported from R24-2).

Enable Rule Optimizer recommendations

Requires Collect traffic logs for rule usage analysis and Collect traffic logs for object usage analysis.

For Azure, supported from R25-2 PHF1 and later.

When selected, enables recommendations to tighten overly permissive rules using traffic usage data. See Rule Optimizer.

Enable topology

When selected, collects routing information to build the network Map.

Automatic VPN/VNet import

Determines if SecureTrack automatically detects changes in the vendor environment, and updates the device list and revision history with the changes.

  • VPCs: When selected, reflects added, deleted, or updated accounts in the device list and revision history. These changes are also displayed in the Map when a scheduled sync occurs or when you manually Sync the map.

  • VNets: When selected, reflects added or deleted VNets in the device list and revision history.

Prerequisites

Before you add a Cloud Organization, ensure you have required credentials for your vendor.

Add Cloud Organizations

Add a Cloud Organization with the required settings.

  1. Select Cloud Organizations, and then click + ADD CLOUD ORGANIZATION. The Add Cloud Organization page is displayed.

  2. Define the settings for the Cloud Organization, as described in:

  3. Optional. Define the settings for automatic account import, as described in Automatic Import Settings.

    If automatic account import settings are not configured for the Cloud Organization, you can manually import accounts when needed.

  4. Click Save.

Manually Import Accounts for Cloud Organizations

Manually import accounts for Cloud Organizations when needed, regardless of whether automatic import has been enabled. The behavior for manual import depends on whether automatic import is enabled for the Cloud Organization.

Though manual import is supported, to ensure that all accounts are imported, automatic import is recommended.
In large cloud environments, the volume of accounts can increase the duration of manual imports and impact performance.

When you manually import accounts:

  • If automatic import is enabled, the accounts are imported based on the settings configured for automatic import.

  • If automatic import is disabled, the accounts are imported into the default domain in TOS.

  • These automatic import settings are enabled by default:

    • Collect traffic logs for rule usage analysis

    • Enable Topology

    • Automatic VPC Import

Transit Gateways and Load Balancers must be manually imported.
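Two rules above matter when you automate around imports: an import (automatic or manual) only adds entities and never removes accounts that have disappeared from the vendor, and a manual import applies the organization's configured settings when automatic import is enabled but falls back to the default domain and the default settings listed above when it is disabled. The added example below (not Tufin code) models those rules so an operator can preview a manual import: it shows which accounts would be onboarded, with which domain and settings, and flags onboarded accounts that the vendor no longer reports, since those stay in SecureTrack until someone removes them. It also enforces the dependencies from the settings table (object usage analysis requires rule usage analysis; Rule Optimizer requires both). The `domain` attribute on the organization and the `<default domain>` name are assumptions, and the account IDs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ImportSettings:
    """The per-organization automatic import settings described on this page."""
    rule_usage: bool = False      # Collect traffic logs for rule usage analysis
    object_usage: bool = False    # Collect traffic logs for object usage analysis (Azure only)
    rule_optimizer: bool = False  # Enable Rule Optimizer recommendations
    topology: bool = False        # Enable topology
    auto_vpc_vnet: bool = False   # Automatic VPN/VNet import


# Settings the page lists as enabled by default for a manual import when automatic
# import is disabled. DEFAULT_DOMAIN is a placeholder for the TOS default domain.
MANUAL_IMPORT_DEFAULTS = ImportSettings(rule_usage=True, topology=True, auto_vpc_vnet=True)
DEFAULT_DOMAIN = "<default domain>"


def settings_errors(settings: ImportSettings) -> List[str]:
    """Dependencies between the settings, as stated in the settings table."""
    errors = []
    if settings.object_usage and not settings.rule_usage:
        errors.append("object usage analysis requires rule usage analysis")
    if settings.rule_optimizer and not (settings.rule_usage and settings.object_usage):
        errors.append("Rule Optimizer requires rule usage and object usage analysis")
    return errors


@dataclass(frozen=True)
class CloudOrganization:
    name: str
    auto_import: bool
    settings: ImportSettings
    domain: str = DEFAULT_DOMAIN  # assumption: the domain the organization imports into


@dataclass(frozen=True)
class ImportPlan:
    imported: Dict[str, dict]  # new account -> the domain and settings it is onboarded with
    unchanged: List[str]       # already onboarded; an import never modifies them
    stale: List[str]           # onboarded but no longer discovered; an import never removes them


def plan_manual_import(org: CloudOrganization, discovered: List[str], onboarded: List[str]) -> ImportPlan:
    """Preview what a manual import of `discovered` would do given what is already onboarded."""
    problems = settings_errors(org.settings)
    if problems:
        raise ValueError("; ".join(problems))
    if org.auto_import:
        domain, settings = org.domain, org.settings          # configured settings apply
    else:
        domain, settings = DEFAULT_DOMAIN, MANUAL_IMPORT_DEFAULTS  # page's fallback behaviour
    found, present = set(discovered), set(onboarded)
    imported = {acct: {"domain": domain, "settings": settings} for acct in sorted(found - present)}
    return ImportPlan(imported=imported, unchanged=sorted(found & present), stale=sorted(present - found))


# Constructed inventory: one account is new, one is unchanged, one was deleted at the vendor.
DISCOVERED = ["111111111111", "222222222222"]
ONBOARDED = ["222222222222", "999999999999"]

if __name__ == "__main__":
    org = CloudOrganization("example-aws", auto_import=False, settings=ImportSettings())
    plan = plan_manual_import(org, DISCOVERED, ONBOARDED)
    print("to be imported:", plan.imported)
    print("stale, remove manually:", plan.stale)
```

The `stale` list is the one to watch: a device that still has credentials in SecureTrack for an account that no longer exists in the vendor is inventory drift, and because imports never delete, only a periodic comparison like this one surfaces it.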


  1. Select Cloud Organizations.

  2. From the list of Cloud Organizations, select the organization for which to manually import accounts, and from the context menu, select Import Accounts.

TOS initiates and completes the import process without requiring any intervention on your part.

Edit/Delete Cloud Organizations

After configuring a Cloud Organization, you can edit its settings, including automatic account import settings, and delete existing organizations.

Editing Cloud Organization settings

Changes to automatic account import settings affect only newly imported accounts. Existing accounts are not affected.

Deleting Cloud Organizations

Deleting a Cloud Organization removes it from SecureTrack.
Each account associated with the organization will use the credentials most recently defined for it in the organization's settings for authentication. For AWS this is the Access Key and the Secret Access Key. For Azure

  1. From the navigation bar, select Cloud Organizations.

  2. From the list of Cloud Organizations, select the organization, and from the context menu, select:

How Do I Get Here?

SecureTrack > Monitoring > Device Groups