Device Monitoring

TOS Classic monitors the various components of your network and security infrastructure, and provides tracking, analysis, and reporting tools for the received policy revisions for any monitored device. You can manage TOS Classic from any PC that has HTTPS access to TOS Classic's web interface.

For increased scalability, TOS Classic's Distributed Architecture enables multiple TOS Classic servers to perform device monitoring and processing. Each distributed component can receive revisions and traffic logs. All management, revision viewing, and reporting is done on the TOS Classic central server.

TOS Classic uses a few different technologies to monitor each vendor's devices:

  • Cisco, Fortinet, and Juniper: By default, TOS Classic uses periodic polling: it connects to each firewall or network device over SSH at a configurable frequency (by default, every 5 minutes) and retrieves its configuration. In addition, TOS Classic can be configured as a Syslog server for the monitored devices, so that configuration changes are detected in real time rather than at the next poll.
  • Palo Alto Networks: TOS Classic connects to each firewall or network device via the REST API at a configurable frequency (by default, every 5 minutes) and retrieves its configuration.
  • Check Point: TOS Classic uses Check Point OPSEC™ (Open Platform for Security) to track all the changes made by administrators to Check Point management servers (CMAs, Provider-1 MDSs, and SmartCenters). Whenever an administrator saves or installs a policy, TOS Classic is immediately notified of the change. A secure OPSEC connection is then used to retrieve the new security policy. When a Check Point management server contains multiple Policy Packages, TOS Classic records all packages with each revision.
  • Check Point Security Gateway OS: With Security Gateway OS Monitoring, TOS Classic also monitors the operating system of Check Point gateways directly. TOS Classic polls each gateway with SNMP at a configurable frequency and retrieves configuration and performance data. OS monitoring requires a separate license.

Automatic Revisions: For devices monitored in real time, if no revisions for a monitored device are received within a configurable interval, TOS Classic also performs an automatic, scheduled fetch of the device's database. If any changes are found, TOS Classic records a new revision, defined as an Automatic Revision. This provides coverage for policy changes that were made while TOS Classic was not monitoring the device (for example, before device monitoring was set up), and for changes made outside the normal management path that generate no notification, such as changes made via cpconfig on Check Point management servers. The default automatic fetch interval is 60 minutes.

Device monitoring occurs seamlessly and automatically, without user intervention. Whenever TOS Classic discovers changes made to the policy, TOS Classic records a new revision of the policy. The configuration is parsed, analyzed and stored in TOS Classic's database. TOS Classic uses this information to generate scheduled and on-event reports, and several types of real-time change notifications:

  • Email reports with configurable levels of detail, to registered TOS Classic administrators
  • Syslog messages to a Syslog server, with details about the changes made
  • SNMP traps to registered applications, with details about the changes made

TOS Classic's policy change notifications supply real-time policy change tracking and integration with external security management frameworks (for example: SIM and SOC).
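The monitoring loop described above (scheduled polls, real-time events, the Automatic Revision fallback, and a per-revision change notification) can be modelled compactly. The following is an added example written for this page, not TOS Classic code; the configuration samples are constructed, the volatile-line filter, the fetcher interface and the Syslog message format are assumptions, and the vendor-specific SSH/REST/OPSEC retrieval is replaced by a plain callable that returns configuration text.

```python
"""Toy revision tracker: poll or receive an event, fetch the configuration,
normalize it, record a revision only when the content changed, and fall back to
an automatic fetch when nothing has been fetched within the configured interval.
Added example, not Tufin code."""
from __future__ import annotations

import difflib
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Iterator, List, Optional

# Stand-in for the vendor-specific retrieval (SSH, REST API, OPSEC):
# any callable that returns the device configuration as text.
Fetcher = Callable[[], str]

# Header lines that change on every fetch without a policy change.
# This list is an assumption for the example, not a product setting.
VOLATILE_PREFIXES = ("! Last configuration change", "! NVRAM config last updated")


@dataclass
class Revision:
    number: int
    received_at: datetime
    source: str                  # "realtime", "poll" or "automatic"
    digest: str
    config: str
    changed_lines: List[str] = field(default_factory=list)


def normalize(config: str) -> str:
    """Strip trailing whitespace, blank lines and volatile header lines."""
    lines = (ln.rstrip() for ln in config.splitlines())
    return "\n".join(ln for ln in lines if ln and not ln.startswith(VOLATILE_PREFIXES))


def config_digest(normalized: str) -> str:
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class DeviceMonitor:
    def __init__(self, name: str, fetcher: Fetcher,
                 auto_fetch_interval: timedelta = timedelta(minutes=60)):
        self.name = name
        self.fetcher = fetcher
        self.auto_fetch_interval = auto_fetch_interval   # 60 minutes, as in the text
        self.revisions: List[Revision] = []
        self.last_fetch: Optional[datetime] = None

    def _fetch_and_compare(self, now: datetime, source: str) -> Optional[Revision]:
        self.last_fetch = now
        normalized = normalize(self.fetcher())
        digest = config_digest(normalized)
        if self.revisions and self.revisions[-1].digest == digest:
            return None  # identical policy: no new revision is recorded
        previous = self.revisions[-1].config.splitlines() if self.revisions else []
        diff = difflib.unified_diff(previous, normalized.splitlines(), lineterm="", n=0)
        changed = [ln for ln in diff
                   if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]
        rev = Revision(len(self.revisions) + 1, now, source, digest, normalized, changed)
        self.revisions.append(rev)
        return rev

    def on_realtime_event(self, now: datetime) -> Optional[Revision]:
        """Syslog line or OPSEC notification received: fetch immediately."""
        return self._fetch_and_compare(now, "realtime")

    def poll(self, now: datetime) -> Optional[Revision]:
        """Scheduled poll (default every 5 minutes for SSH/REST-monitored devices)."""
        return self._fetch_and_compare(now, "poll")

    def tick(self, now: datetime) -> Optional[Revision]:
        """Automatic Revision fallback: fetch only if nothing was fetched within the interval."""
        if self.last_fetch is not None and now - self.last_fetch < self.auto_fetch_interval:
            return None
        return self._fetch_and_compare(now, "automatic")


def format_syslog(device: str, rev: Revision) -> str:
    """Change notification in the spirit of the Syslog option; the format is an assumption."""
    return (f"<134>{rev.received_at.isoformat()} tos-classic policy-change device={device} "
            f"revision={rev.number} source={rev.source} changed_lines={len(rev.changed_lines)}")


def demo() -> DeviceMonitor:
    """Constructed configs: a timestamp-only change, then a real rule added out of band."""
    samples: Iterator[str] = iter([
        "! Last configuration change at 10:00\nhostname fw1\naccess-list OUT permit tcp any any eq 443\n",
        "! Last configuration change at 10:05\nhostname fw1\naccess-list OUT permit tcp any any eq 443\n",
        "! Last configuration change at 11:10\nhostname fw1\n"
        "access-list OUT permit tcp any any eq 443\naccess-list OUT permit tcp any any eq 22\n",
    ])
    mon = DeviceMonitor("fw1", lambda: next(samples))
    t0 = datetime(2024, 1, 1, 10, 0)
    mon.on_realtime_event(t0)                 # revision 1: initial baseline
    mon.poll(t0 + timedelta(minutes=5))       # None: only the volatile timestamp changed
    mon.tick(t0 + timedelta(minutes=30))      # None: a fetch happened 25 minutes ago
    mon.tick(t0 + timedelta(minutes=70))      # revision 2, source "automatic"
    return mon


if __name__ == "__main__":
    m = demo()
    for r in m.revisions:
        print(format_syslog(m.name, r), r.changed_lines)
```

The second sample shows why normalization matters: a device that rewrites a timestamp on every fetch would otherwise generate a spurious revision every polling cycle, burying real policy changes in noise. The fourth step shows the Automatic Revision path picking up a rule that arrived with no real-time notification.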

TOS Classic includes a watchdog mechanism, which ensures that the TOS Classic processes are up and running at all times. This diagram illustrates the interactions between the TOS Classic server and other devices in the security policy management process.

System Diagram