Clean Install of TOS Aurora on Azure

Overview

This procedure is for the clean installation of TOS Aurora on the Azure platform, including setting up the AzureVM . To add a node to an existing cluster, start with multi-node cluster.For all other installation and upgrade options, see Installing and Upgrading.

Tufin Orchestration Suite (TOS Aurora) includes SecureTrack, SecureChange and SecureApp. You will specify the applications you want to enable, when you run the install command.

Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

High Availability (HA)

High availability is not supported in this release.

Remote Collectors (RCs)

Remote collectors can be deployed on Azure.

Prerequisites

  • You must allow access to required Ports and Services.
  • You must know the resources you will need - CPU cores, RAM, disk space and the load-model parameter for the tos install command, all of which can be obtained from your account team, based on the procedure Calculate resources - clean install.

  • All resources need to be dedicated to the TOS Aurora machine. Do not use shared CPU or memory and if the datastore is shared, the disk performance must meet the requirements at all times.

  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • There are some load limitations for deploying on cloud. Check with your account team that deployment on this platform is supported for your load model before going ahead.

  • Large deployments are not supported on Azure.

  • Your server requires an SSD disk with 7,500 IOPS and 250 MB/s throughput or higher.

  • Allocate a 24-bit CIDR subnet for the Kubernetes service network and a16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

    The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with:

    • Each other

    • The physical addresses of your TOS Aurora servers (see below)

    • Your primary VIP, Syslog VIP or external load balancer IP (see below)

    • Any other subnets communicating with TOS or with TOS nodes

  • Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

    To find the first network interface, run the following command:

    [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
    sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

    Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    • The system will use a reverse DNS lookup (PTR record) to resolve the DNS IP addresses with the domain name during the TOS installation. Therefore you have to add these PTR records to the DNS server. If you do not, the TOS installation will fail.

  • You will need to configure three partitions: /opt, /tmp and /var, as well as a separate disk for etcd. The /opt partition will contain your data, which will increase over time. Most of your available disk space should be allocated to this partition and the minimum is determined by the load model parameter (small, medium, large) provided by your account team. Minimum sizes for all partitions:

    Minimum Partition Sizes

    /opt/

    (Small)*

    /opt/

    (Medium)*

    /opt/

    (Large)*

    /tmp/

     

    /var/

     

    etcd
    Central cluster / remote cluster primary data node / HA data nodes 60 GB 150 GB 350 GB 25 GB 200GB 128 GB
    Worker node (central and remote clusters) 50 GB 50 GB 50 GB 25 GB 60 GB N/A

    *Small, medium and large refer to the load model parameter provided by your account team.

    We recommend allocating /opt partition all remaining disk space after you have partitioned the other directories.

Downloads

  • Download the TOS R24-1 PHF1.0.0 installation package from the Download Center.

    • The downloaded files are in .tgz format <FILENAME>.tgz.

Procedure

Read and understand Prerequisites before you start.

Download and extract the installation package (see Downloads section above).

Follow the steps below in sequence.

For additional help, refer to the Microsoft Azure official documentation - Create a Linux virtual machine in the Azure portal

  1. Log in to your Azure portal.

  2. Navigate to Marketplace and create a VM.

  3. Under the Basics tab, enter/select the following information:

    • Subscription - your Azure subscription name
    • Resource Group - your Azure resource group name
    • Virtual Machine Name - a name of your choice to identify the VM e.g. myVirtualMachine-0
    • Region - select from the list
    • Image - select one of the following from the list:
      • CentOS 7.8 or 7.9
      • Red Hat Enterprise Linux 7.8 or 7.9
      • Red Hat Enterprise Linux 8.8
      • Rocky Linux 8.8
    • Size - select CPUs and memory as advised by your account team
    • Authentication type - select SSH public key
    • User name - enter azureuser
    • SSH public key source - select generate new key pair
    • Key pair name - use the default name provided

  4. Under the Disks tab, enter/select the following information

    • OS disk type - select Premium SSD
    • Encryption - default

  5. Select Create and attach a new disk.

  6. Enter the disk details:

    • Enter a Name of your choice.
    • Set Host caching to Read/write.
    • Select a storage type that is SSD with 7,500 IOPS and 250MB/s throughput, or higher.
    • Set Storage Size GiB to the disk space sizing requirement given to you by your account team.

  7. Save the disk defintions.

  8. If you want a public IP:

    • Select the Networking tab
    • Under Public IP, click Create new.
    • Enter a name.
    • Select SKU - Standard.

  9. Under the Tags tab, create two tags, replacing <your name> and <your environment name> with names of your choice:

    • owner: <your name>
    • env: <your environment name>
  10. Click Review and Create
  11. Click Create. The generate new key pair prompt appears.
  12. Generate a new key pair. Click Download private key and create resource. The private key will be downloaded to your PC as a file with suffix .pem. It will be needed to log into the VM console.

  13. Navigate to the directory on your PC that contains the .pem file just downloaded (<pem_key_name>) and change its permissions to prevent other users from running it.

    If your PC is running on a Linux-like operating system:

    [<ADMIN> ~]# chmod 400 <pem_key_name>
    chmod 400 <pem_key_name>

  14. You can now log in to the VM console whenever required.

    Log in to the Azure VM console where <pem_key_name> is the name of the .pem file downloaded previously from the Azure portal, <azureuser> is the name of your Azure user on the VM and <IP> is its private or public IP. The private and optional public IPs can be seen on the Networking tab.

    [<ADMIN> ~]# ssh -i <pem_key_name> <azureuser>@<IP>
    ssh -i <pem_key_name> <azureuser>@<IP>
  15. In the portal, select the newly created VM and then select the Networking tab.

  16. Select Add inbound port rule and create a rule with the properties below:

    • SourceAny
    • Source port ranges: *
    • Destination: Any
    • Destination port ranges: 31443, 31617, 31514, 31099, 31843, 30161, 30514, 31161 - see Ports and Services to see why
    • Protocol: Any
    • Action: Allow
    • Priority: 310
    • Name: TOS_Aurora or other name of your choice
    • Description: TOS_Aurora or other description of your choice

For additional help, refer to the MicrosoftAzure official documentation - Create a public load balancer to load balance VMs using the Azure portal and Configure port forwarding in Azure Load Balancer using the portal

  1. Log in to your Azure portal.

  2. Navigate to Load Balancers.

  3. Select Create. The Create load balancer window appears.

  4. Enter the following details:

    • Resource Group - the Azure resource group specified for your VM
    • Name - a suitable name for the load balancer
    • Type: Public if you want a public IP address, otherwise Internal.
    • SKU: Standard
    • Public IP address: (When type is Public). This is different from the public IP address of your VM. If you already have an IP address for the load balancer, select Use existing and enter the IP, otherwise leave the default Create new.
    • Public IP address name : (When type is Public). Enter a suitable name to refer to the public IP address.
    • IP Address Assignment: (When type is Internal). Select Dynamic.
    • Availability zone: Select Zone redundant.

    • Tags. Specify two tags, replacing <your name> and <your environment name> with names of your choice. It is recommended to use the same values used for your VM:

      • owner: <your name>
      • env: <your environment name>

    Leave the default values for all other fields.

    Click Create.

  5. Select the load balancer you just created.
  6. Select Overview and note the public IP address; you will need this shortly.

  7. Configure the load balancer backend pool:

    1. Select Backend pools.
    2. Select Add. The Add backend pool window appears.

    3. Enter details:

      • Name - a suitable name of your choice for the backend pool
      • Virtual Network - your virtual network
      • Virtual Machines - add the VM you created previously

    4. Click Add at the bottom of the page. The pool will be added.

  8. Configure the load balancer health probe:

    1. Select Health Probes.
    2. Select Add. The Add health probe window appears.

    3. Enter details:

      • Name - a suitable name of your choice for the health probe
      • Protocol: TCP
      • Port: 31443
      • Interval5
      • Unhealthy threshold: 2

    4. Click Add at the bottom of the page. The health probe will be added.

  9. Configure load balancing rules:

    1. Select Load Balancing Rules.
    2. Select Add The Add load balancing rule window appears.

    3. Add a load balancing rule with the following values:

      • Name: Any name of your choice
      • Frontend IP address: Enter the public IP address of the loadbalancer, noted above from the overview
      • Protocol: TCP
      • Port: 443
      • Backend port: 31443
      • Backend pool: Select the backend pool added above
      • Health probe: Select the health probe added above
      • Leave other fields with their default values.

    4. Click Add at the bottom of the page. The rule will be added.

    5. Repeat steps b. to d. for additional load balancing rules, entering a suitable name for each, with protocol, port and backend port. All rules are listed below - see Ports and Services for more information.

      Protocol

      Source

      Target

      Purpose
      TCP 443 31443

      Mandatory
      TCP 61617 31617

      Remote collector connectivity
      TCP 9099 31099

      OPM devices
      TCP 8443 31843

      Remote collector connectivity

      TCP

      9090

      31090

      Remote collector connectivity

      TCP

      6514

      31514

      TCP syslogs
      UDP 514 30514

      UDP syslogs
      UDP 161 30161

      SNMP monitoring
      UDP 10161 31161

      SNMP monitoring
    6. Click OK.

If not done already, set up partitions according to the Prerequisites.

  1. If you are not currently logged in as user root, do so now.

    [<ADMIN> ~]$ su -
    su -

  2. If you want to change the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name.

    [<ADMIN> ~]# hostnamectl set-hostname <mynode>
    hostnamectl set-hostname <mynode>

  3. Modify the environment path to run TOS CLI commands without specifying the full path (/usr/local/bin/tos). 

    [<ADMIN> ~]# echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null
    echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null

  4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony.

  5. Configure the server timezone.

    [<ADMIN> ~]# timedatectl set-timezone <timezone>
    timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague. List the time-zone formats that can be used in the command.

    [<ADMIN> ~]# timedatectl list-timezones
    timedatectl list-timezones

  6. Disable SELinux:

    • If file /etc/selinux/config exists, edit and change the value of SELINUX to disabled:

      SELINUX=disabled
    • If the file doesn't exist or SELINUX is already set to disabled, do nothing.
  7. Reboot the machine and log in.
  8. Install Wireguard. This is needed to encrypt communication between nodes (machines) within the cluster. See Install Wireguard and follow the steps for your Linux distribution.
  9. Reboot the machine and log in.

  10. Install screen and rsync:

    RHEL/CentOS 7 

    [<ADMIN> ~]# yum install -y rsync screen
    yum install -y rsync screen

    RHEL/Rocky Linux 8 

    [<ADMIN> ~]# dnf install -y rsync screen
    dnf install -y rsync screen

  11. Disable the firewall:

    [<ADMIN> ~]# systemctl stop firewalld
    systemctl stop firewalld
    [<ADMIN> ~]# systemctl disable firewalld
    systemctl disable firewalld

  12. Create the TOS Aurora load module configuration file /etc/modules-load.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/modules-load.d/tufin.conf
    vi /etc/modules-load.d/tufin.conf

  13. Specify the modules to be loaded by adding the following lines to the configuration file created in the previous step. The modules will then be loaded automatically on boot.

    br_netfilter
    wireguard
    overlay
    ebtables
    ebtable_filter
    br_netfilter
    wireguard
    overlay
    ebtables
    ebtable_filter

  14. Load the above modules now:

    [<ADMIN> ~]# cat /etc/modules-load.d/tufin.conf |xargs modprobe -a 
    cat /etc/modules-load.d/tufin.conf |xargs modprobe -a

    Look carefully at the output to confirm all modules loaded correctly; an error message will be issued for any modules that failed to load.

  15. Check that Wireguard has loaded correctly. 

    [<ADMIN> ~]# lsmod |grep wireguard
    lsmod |grep wireguard

    The output will appear something like this:

    wireguard              201106  0
ip6_udp_tunnel         12755  1 wireguard
udp_tunnel             14423  1 wireguard

    If Wireguard is not listed in the output, contact support.

  16. Create the TOS Aurora kernel configuration file /etc/sysctl.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/sysctl.d/tufin.conf
    vi /etc/sysctl.d/tufin.conf

  17. Specify the kernel settings to be made by adding the following lines to the configuration file created in the previous step. The settings will then be applied on boot. 

    net.bridge.bridge-nf-call-iptables = 1
    fs.inotify.max_user_watches = 1048576
    fs.inotify.max_user_instances = 10000
    net.ipv4.ip_forward = 1
    net.bridge.bridge-nf-call-iptables = 1
    fs.inotify.max_user_watches = 1048576
    fs.inotify.max_user_instances = 10000
    net.ipv4.ip_forward = 1

  18. Apply the above kernel settings now:

    [<ADMIN> ~]# sysctl --system
    sysctl --system
For maximum security, we strongly recommend not installing any RPMs on your VM other than those specifically mentioned in this section.

The etcd database should be on a separate disk to improve the stability of TOS Aurora and reduce latency. Moving the etcd database to a separate disk ensures that the kubernetes database has access to all the resources required to ensure an optimal TOS performance.

See Mount The etcd Database to a Separate Disk - New Azure VM.

Deploy the Install File

  1. On the target machine, create the directory /opt/tufin/data, if it does not exist already.

  2. Transfer the run file (already downloaded and extracted) to the /opt/tufin/data directory.

  3. Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.

    4. [<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    [<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

  4. Extract the TOS run file from its archive.

    [<ADMIN> ~]$ tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    tar -xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

  5. Run the TOS Aurora run file.

    [<ADMIN> ~]$ sudo cd /opt
    sudo cd /opt
    [<ADMIN> ~]$ sudo sh <runfile>
    sudo cd /opt sudo sh <runfile>

  6. You must have permissions to execute TOS CLI commands. Grant permissions as shown below or allow use of sudo command.

    [<ADMIN> ~]# chmod +x /usr/local/bin/tos
    chmod +x /usr/local/bin/tos

Start the Install

  1. Run the screen command:

    [<ADMIN> ~]# screen -S install
    screen -S install

  2. Run the install command, replacing the parameters:

    • <SERVICE-CIDR> with the CIDR you want to use for the Kubernetes service network, as described in Prerequisites

    • <MODULE-TYPE> with one of the following values:

      • ST for SecureTrack only
      • ST, SC for both SecureTrack and SecureChange
      • RC for a remote collector
    • <LOAD> with small, medium or large, as instructed by your account team, as described in Prerequisites
    [<ADMIN> ~]# tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --load-model=<LOAD> [--dry-run] -d
    tos install --modules=<MODULE-TYPE> --primary-vip=external --services-network=<SERVICE-CIDR> --load-model=<LOAD> [--dry-run] -d

    Where

    • --dry-run: Optional parameter to verify the procedure in advance by going through all the stages without installing anything.

    • -d: Creates a debug log. We recommend including this debug flag when running tos install.

    Examples:

    # tos install --modules=ST,SC --primary-vip=external --services-network=10.10.10.0/24 --load-model=medium -d

    # tos install --modules=RC --primary-vip=external --services-network=10.10.10.0/24 --load-model=large --dry-run -d

  3. The EULA is displayed. After reading, enter 'q' to exit the document and then enter 'y' to accept the EULA and continue until the command completes.

  4. You can now safely exit the CLI screen session:

    [<ADMIN> ~]# exit
    exit

  5. If the installation was for a central (main) cluster, log into TOS Aurora at your load balancer address with user=admin, password=admin. If a warning message is shown regarding the site security certificate, 'accept the risk' and continue to the site. You will be prompted to set a new password.

    If the installation was for a remote collector, connect it to the central cluster.

Post-Install Configuration

Professional Services

If you are a PS (Tufin Professional Services) customer,

  1. Restart the PS web service

    [<ADMIN> ~]$ sudo systemctl start tufin-ps-web
    sudo systemctl start tufin-ps-web

  2. Enable the PS cron job

    Edit the cron file

    [<ADMIN> ~]# crontab -e
    crontab -e

    Delete the # character from the beginning of the PS-scripts line

    # 1 * * * * cat /opt/tufin/securitysuite/ps/PS-Scripts

SSL Certificates

Secured connections to TOS Aurora require a valid SSL certificate. Such a certificate is generated during the installation. It is automatically renewed when it expires and also when upgrading to later versions of TOS Aurora. When connecting for the first time after certificate renewal, you will be prompted to accept the new certificate. You can also use your own CA signed certificate, but such certificates will not be renewed automatically.

SAN Certificates

If you have FortiManager devices in SecureTrack, add a SAN signed certificate to each device.

License Activation

Relevant only for central clusters, skip for remote collectors.

After the license is activated, have all TOS users enable the automatic license mechanism in their browser. For more information, see Tiered License Usage Monitoring.

Reactivate your license. In some cases, particularly when hardware is changed, license validity gets lost in the upgrade process. If activation is lost, this will not limit the functionality of TOS Aurora but future upgrades will not be possible until the license is reactivated.

  • Check the status - go to Admin > Licenses. The License window appears.

  • If the status shown in the window is anything other than Activated, follow the instructions in Activate License.

Restoring Tufin Extensions (formerly Tufin Marketplace) Applications and Data

If you had Tufin Extensions (formerly Tufin Marketplace) applications installed on TOS Classic:

  1. Download the applications from the Tufin Marketplace.

  2. Reinstall the applications.

  3. For STRE, copy the backed up folder saved previously to /opt/tufin/data/volumes/ps/reportpack.

  4. For other Tufin Extensions (formerly Tufin Marketplace) apps, follow the instructions for each app, as described in Prerequisites.

Using Syslog for Accountability and More

You can use syslog to send accountability and other information from your devices to SecureTrack - see Sending Additional Information via Syslog. If you want to use this feature and you have installed TOS on-premise, you must also set up a Syslog VIP Address.

Adding Worker Nodes to Your Cluster

TOS Aurora is now deployed as a single node Kubernetes cluster. See Multi-Node Cluster for more information about adding additional nodes.

Setting up External Backups

We recommend setting up backups on external storage.

Setting up Scheduled Backups

We recommend creating a backup policy as soon as possible.

DR (Disaster Recovery)

If you want to use the DR feature to setup TOS redundancy across sites, see Disaster Recovery.

TOS Monitoring

TOS Monitoring lets you monitor the status of the TOS cluster and its nodes by generating a notification whenever a change in status occurs, such as a node failing, or a usage threshold reached, such as CPU or disk usage. We recommend that you set up TOS notifications in TOS Monitoring (see TOS Monitoring).

Additional Configuration

A number of additional parameters can be set now or later e.g. session timeout and SNMP - see Configuring TOS.

SecureChange Settings

Relevant only for central clusters; skip for remote collectors.

If you have SecureChange:

  1. If you are not already logged in to SecureTrack, log in now.

  2. Create a new SecureTrack administrator user that SecureChange and SecureApp will use to get SecureTrack information. If you have already configured multi-domain management, make this user either a super administrator or multi-domain administrator, depending on whether you want to restrict the administrator to selected domains.

  3. Sign into SecureTrack.

    • Using SSO: From R22-1, TOS uses Single Sign-On (SSO) authentication method by default.

      1. Log into TOS.

      2. For your first login session, you must change your password:

      3. You are automatically logged into SecureTrack. To log into SecureChange, type https://<IP>/securechangeworkflow or https://<IP>/tufinapps/securechange in the browser URL, where <IP> is the cluster VIP or external load-balancer IP.

    • Not using SSO:

      1. For your first login session, you must change your password. SecureChange users are separate from SecureTrack users; there is no connection between a SecureTrack user and SecureChange user with the same name.

      2. In this prompt window, you can also enter an email address for administrative email notifications. We recommend using the address of an email list so you can easily edit the list of recipients.

      3. Login to SecureChange at https://<IP>/securechangeworkflow or https://<IP>/tufinapps/securechange where <IP> is the cluster VIP or external load-balancer IP, with your admin credentials.

  4. Go to Settings > Miscellaneous.

    5. Enter a value for Server DNS name - the DNS server to use for links in email notifications. This can be an IP address in the format 11.22.33.44 or a FQDN in the format https://mydomain.com. The SecureChange DNS name is published by SecureChange so it can be accessed from external sources. For example, it is embedded in notification mails sent by SecureChange, which include a link to a ticket, such as an email notifying a handler assigned with a task, or informing a requester that the ticket has been successfully resolved.

  5. Go to Settings > SecureTrack:

    1. Enter the SecureTrack administrator username, created previously.

    2. If you want a link from SecureChange to SecureTrack and from SecureTrack to SecureChange, select Show link to SecureTrack. These two links will appear in the applications icon menu in both systems:

    3. If you want to change how often SecureChange tests its connectivity to SecureTrack, change the value of Connection check interval.

    4. Click Test connection to verify that SecureChange has a connection to SecureTrack.

    5. Click Refresh license status so that SecureTrack and SecureChange share the highest level of connectivity.

    6. Click Save.