Managing Zone Subnets

Zones can include IPv4 or IPv6 subnets with explicit network addresses or security groups. Security groups can be added or changed through the REST API or when you import a zone list from a CSV file.

The predefined zones are:

  • Internet: This zone represents all addresses that are considered public by SecureTrack, and excludes all addresses that are defined in the other zones. You cannot edit this zone.
  • Unassociated Networks: This zone includes all private addresses that are not included in any other defined zone. You cannot edit this zone.

    You can add this zone to any USP matrix and define the behavior of this zone relative to all other zones or to specific zones in the environment.

    The Unassociated Networks zone is included in the calculations for Violations in SecureTrack, Risk Analysis in SecureChange, and Compliance checks in SecureApp.

    The Unassociated Networks zone is not available for Policy Analysis, Compliance Policy definition, Business ownership, Risk reports, Configuration of risk security zones (Internal/DMZ/external) in Risk Configuration - General, or PCI profile definition.

  • Users Networks: This zone is where you add the subnets from which users connect to your network (available for devices that support User Identity functionality).

Zones can also include other zones to build a hierarchy. You can view and manage explicit network addresses in the Subnets tab of zones.

All the subnets of all zones selected in the zone list are displayed. For each subnet, the zone it belongs to is displayed. For effective zone content, select Include subnets of child zones to recursively display subnets that are indirectly included in the selected zones.

If there are many subnets, you can filter the list by one or more of the four fields: Zone, IP Address, Netmask, and Description. In the Filter row, type or select a filter. As you type, SecureTrack shows only the subnets whose IP Address and Netmask match the filters and whose Zone and Description contain the filter text. For an IP Address, you can type a network address in CIDR notation (for example: 192.168.0.0/16 or 2001:db8::/32), and only the IP addresses included in that network are displayed.
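As an added illustration of the two behaviours described above (the Include subnets of child zones expansion and the CIDR-based IP Address filter), here is a small Python model of a zone hierarchy. It is example code written for this page, not Tufin's code and not the SecureTrack implementation; the zone names and subnets are constructed, and it assumes that "included" means a subnet is fully contained in the typed CIDR and that the Zone and Description filters are case-insensitive substring matches.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    """A zone: its name, its explicit subnets, and any child zones (hierarchy)."""
    name: str
    subnets: list = field(default_factory=list)   # (ip_network, description) pairs
    children: list = field(default_factory=list)  # child Zone objects


def build_sample_zones():
    """Constructed sample hierarchy for the demonstration (not real Tufin data)."""
    branch = Zone("Branch offices", [
        (ipaddress.ip_network("192.168.10.0/24"), "Branch A"),
        (ipaddress.ip_network("192.168.20.0/24"), "Branch B"),
    ])
    lab = Zone("Lab", [(ipaddress.ip_network("2001:db8:1::/48"), "IPv6 lab")])
    corporate = Zone(
        "Corporate",
        [(ipaddress.ip_network("10.0.0.0/8"), "Corporate backbone")],
        [branch, lab],
    )
    return corporate


def effective_subnets(selected_zones, include_children):
    """Rows of (zone name, network, description) for the selected zones.

    With include_children=True the child zones are walked recursively, which is
    the 'Include subnets of child zones' view: subnets that are only indirectly
    part of a selected zone are listed under the zone that actually holds them.
    """
    rows = []
    for zone in selected_zones:
        rows.extend((zone.name, net, desc) for net, desc in zone.subnets)
        if include_children:
            rows.extend(effective_subnets(zone.children, True))
    return rows


def filter_subnets(rows, zone=None, cidr=None, description=None):
    """Apply the Zone / IP Address+Netmask (as CIDR) / Description filters.

    Assumption for this example: a subnet passes the CIDR filter only when it is
    fully contained in the typed network and of the same IP version.
    """
    cidr_net = ipaddress.ip_network(cidr, strict=False) if cidr else None
    out = []
    for zone_name, net, desc in rows:
        if zone and zone.lower() not in zone_name.lower():
            continue
        if description and description.lower() not in desc.lower():
            continue
        if cidr_net is not None:
            # subnet_of() raises on mixed versions, so compare versions first
            if net.version != cidr_net.version or not net.subnet_of(cidr_net):
                continue
        out.append((zone_name, net, desc))
    return out


if __name__ == "__main__":
    root = build_sample_zones()
    all_rows = effective_subnets([root], include_children=True)
    for zone_name, net, desc in filter_subnets(all_rows, cidr="192.168.0.0/16"):
        print(f"{zone_name:16} {str(net):20} {desc}")
```

Selecting only the Corporate zone without the child-zone option lists a single subnet; with the option it lists all four, and the CIDR filter 192.168.0.0/16 then narrows the view to the two branch subnets while 2001:db8::/32 keeps only the IPv6 lab network.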

If you change a zone in a way that creates a Compliance Policy violation, SecureTrack does not automatically send an alert. After you make changes to zones, we recommend that you run your Compliance Policy audits.

Upgrade Behavior for 'Unassociated Networks' Zones

When upgrading Tufin Orchestration Suite, the predefined Unassociated Networks zone is added to the Zone Manager during upgrade. If you are upgrading from a system that already contains a zone with the name “Unassociated Networks”, the existing zones are renamed, as follows:

  • The existing zones named Unassociated Networks will be renamed copy_of_Unassociated Networks, copy(2)_of_Unassociated Networks, and so on. For each domain in multidomain/MSSP mode, any existing zone that is named Unassociated Networks will also be renamed.

  • The existing USP matrices in each domain will be changed to reflect the renamed zones. They will include the name copy_of_Unassociated Networks (and not Unassociated Networks).

When you import new matrices after an upgrade, the name of the zone is taken from the CSV without being renamed.

To add a network address to a zone

  1. In Network > Zones, in the Subnets tab, click Add Subnet:

    [Screenshot: Add network zone subnet]

  2. Enter the subnet information.
    1. Select the zone for the subnet.
    2. Enter the network address.
    3. Select the net mask.
    4. Enter a description for the subnet.

    [Screenshot: configure subnet]

  3. Click Save.

To edit an existing subnet

  1. Click on one of the fields for the subnet.

    For example, if you click on the zone field, you can change the zone for that subnet.

    [Screenshot: edit subnet]

  2. Edit the fields for the subnet.

    [Screenshot: edit zone subnet]

  3. Click Save.

To edit multiple subnets at the same time

  1. Select the subnets, and click Change Selected Subnets:

    [Screenshot: change subnets]

  2. Configure the common fields.

    Only the fields that you change are applied to all of the selected subnets. You cannot change every field for the selected subnets at once, because the subnets would then all be identical.

    [Screenshot: edit change subnets]

  3. Click Save.

To delete one or more subnets, select them and click Delete Selected Subnets.