Install TOS

Overview

This procedure is for installing TOS R25-1 PGA.0.0 and is intended for all platforms and operating systems.

Tufin Orchestration Suite should be treated as a high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, install Tufin Orchestration Suite only in an appropriately secured network and physical location, and grant access to TOS products and to the operating system on the server only to authorized users.

Tufin Orchestration Suite (TOS) includes SecureTrack, SecureChange and SecureApp. You specify the applications you want to enable when you run the install command.

After the installation you will have created a single data node TOS cluster to which you can add additional worker nodes. There is no need to install TOS on any additional nodes. Worker nodes require an operating system only, and with high availability, data is replicated between the nodes.

Worker Nodes

If your TOS deployment requires additional resources, after installing and setting up TOS you can add worker nodes to the cluster. See multi-node cluster.

High Availability (HA)

TOS can be set up to run as a high availability environment using three servers (data nodes).

Distributed Deployment Using Remote Collectors

TOS can be set up to run as a distributed architecture using remote collectors (RCs).

The current procedure is meant for installing on both central and remote collector clusters. See remote collectors.

Prerequisites

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • Your server must be prepared for a TOS deployment. See Prepare the Server.

  • The TOS installation removes all TOS files, directories and backups left on the machine from old deployments. If you have any files you want to keep, move them to a safe external location before starting this procedure.

  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • Once TOS has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    If you need assistance, consult with your sales engineer or Tufin support.

  • All nodes in the cluster must run on the same operating system.

  • If you have made a previous unsuccessful attempt to install TOS, you must uninstall and reboot before reinstalling. See Uninstalling TOS.

  • See the Important Installation Information in the R25-1 Release Notes.

The Install Procedure

Before you proceed, read and understand the requirements to avoid risk of failure.

Download TOS

  1. Run the tmux command.

    [<ADMIN> ~]$ tmux new-session -s tosinstall
  2. Create the directory /opt/misc/, if it does not exist already.

  3. Go to /opt/misc/.

  4. Go to the Download Center and click the TOS R25-1 PGA.0.0 installation file.

  5. Select how you want to download the installation package: Download to Computer or Copy link (valid for 10m).

  6. If you copied the link, run the following command within ten minutes:

    curl -o [Name the file].run.gz "<LINK>"

    Where <LINK> is the link you copied from the Download Center.

    Make sure the server can download from https://tosportaldownloads.tufin.com.

  7. If you downloaded to the computer, copy the compressed file from your local computer to the server.

  8. Verify the integrity of the TOS installation packages by entering the following commands and comparing the output with the checksum information.

    [<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
    [<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
  9. Extract the TOS run file from its archive.

    [<ADMIN> ~]$ tar xvzf tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
  10. The run file name includes the release, version, and build number.

    TOS file example: R25-1-pga0.0-final-4577.run
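The integrity check in step 8 written as a fail-closed script, an added example that is not part of the Tufin documentation: it compares the archive's SHA-256 with the value you copied from the Download Center and refuses to extract on a mismatch. The file name and digest used below are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Tufin documentation: verify a downloaded TOS
# archive against the SHA-256 published for it before extracting it, and refuse
# to continue on a mismatch. The sample file and digests below are constructed.
#
# Usage: verify_tos_package <archive> <expected_sha256>

verify_tos_package() {
    archive="$1"
    expected="$2"
    if [ ! -f "$archive" ]; then
        echo "verify_tos_package: '$archive' not found" >&2
        return 1
    fi
    # Accept upper- or lower-case hex and stray whitespace from a copy/paste
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH: $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "checksum OK: $archive"
}

# Extract only after a successful check; returns non-zero otherwise.
verify_and_extract() {
    verify_tos_package "$1" "$2" && tar xvzf "$1"
}

# Constructed sample input so the check can be run offline; a plain text file
# stands in for tos-xxxx-xxxxxxxx-final-xxxx.run.tgz.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_pkg="$demo_dir/tos-demo.run.tgz"
printf 'constructed sample archive contents\n' > "$demo_pkg"
demo_good=$(sha256sum "$demo_pkg" | awk '{print $1}')
demo_bad='0000000000000000000000000000000000000000000000000000000000000000'

verify_tos_package "$demo_pkg" "$demo_good"   # prints "checksum OK: ..."
verify_tos_package "$demo_pkg" "$demo_bad" || echo "refused to continue (as intended)"
```

For a real package, pass the archive from /opt/misc/ and the SHA-256 shown in the Download Center, and run the extraction only through verify_and_extract.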

Install TOS

  1. Run the TOS run file.

    [<ADMIN> ~]$ cd /opt/misc/
    [<ADMIN> ~]$ sudo sh <runfile>
  2. Rocky Linux/RHEL 8 only. Grant permissions to execute TOS CLI commands.

    [<ADMIN> ~]$ chmod +x /usr/local/bin/tos

  3. Run the install command, replacing the parameters:

    • <PRIMARY> - one of the following, depending on your deployment:

      • On-prem. The VIP you will use to access TOS.

      • Cloud. external

    • <SERVICE-CIDR> - The CIDR you will use for the Kubernetes service network.

    • <PODS-CIDR> - Optional. The CIDR you will use for the Kubernetes pods network. The default pods network is 10.244.0.0/16.

    • <MODULE-TYPE> - One of the following values:

      • ST for SecureTrack only
      • ST, SC for both SecureTrack and SecureChange/SecureApp
      • RC for a remote collector

    • <LOAD> - small, medium or large, as provided by your account team, based on your sizing calculation.

    There is also an option to do a dry run, to verify the procedure in advance by going through all the stages without installing anything. To do a dry run, add the parameter --dry-run to the install command.

    [<ADMIN> ~]$ sudo tos install --modules=<MODULE-TYPE> --primary-vip=<PRIMARY> --services-network=<SERVICE-CIDR> --pod-network=<PODS-CIDR> --load-model=<LOAD> -d

    Examples:

    $ sudo tos install --modules=ST,SC --primary-vip=external --services-network=10.10.10.0/24 --load-model=medium -d

    $ sudo tos install --modules=ST,SC --primary-vip=192.168.1.2 --services-network=10.10.10.0/24 --load-model=medium -d

    $ sudo tos install --modules=RC --primary-vip=162.148.10.0 --services-network=10.10.10.0/24 --load-model=large -d

  4. The EULA appears. After reading, enter q to exit the document. If you accept the EULA, enter y and wait until the command completes.

  5. You can now safely exit the CLI tmux session:

    [<ADMIN> ~]# exit
  6. If the installation was for a central (main) cluster, log into TOS:

    • On-premises deployment. In your browser, go to https://<VIP>.

    • Cloud deployment. In your browser, go to the DNS URL of the load balancer.

    Log in with user=admin, password=admin. If a warning message is shown regarding the site security certificate, 'accept the risk' and continue to the site. You will be prompted to set a new password.

  7. If the installation was for a remote collector, connect it to the central cluster.

Post-Install Configuration

SSL Certificates

Secured connections to TOS require a valid SSL certificate. Such a certificate is generated during the installation. It is automatically renewed when it expires and also when upgrading to later versions of TOS. When connecting for the first time after certificate renewal, you will be prompted to accept the new certificate. You can also use your own CA signed certificate, but such certificates will not be renewed automatically.

SAN Certificates

For every FortiManager device you intend to monitor, add a SAN signed certificate.

License Activation

Relevant only for central clusters; skip for remote collectors.

After the license is activated, have all TOS users enable the automatic license mechanism in their browser. For more information, see Site Usage Monitoring.

Using Syslog for Accountability and More

To include accountability and rule usage information in TOS you must configure your devices to send syslogs. For more information see Sending Additional Information via Syslog.

Adding Worker Nodes to Your Cluster

TOS is deployed as a single node Kubernetes cluster. See Multi-Node Cluster for more information about adding additional nodes.

Setting up External Backups

We recommend setting up backups on external storage.

Setting up Scheduled Backups

We recommend creating a backup policy as soon as possible.

HA (High Availability)

To set up an HA environment, see High Availability.

DR (Disaster Recovery)

To set up TOS redundancy across sites, see Disaster Recovery.

Sending Cluster Health Status to Tufin

Enabled by default, system information is sent periodically to Tufin Support for the purpose of troubleshooting and identifying performance issues. It can be disabled (see Sending Cluster Health Status). The information includes:

  • DB status and size

  • Backup status

  • Kubernetes status and metrics

  • CPU metrics

  • Memory status

  • I/O

  • Configuration changes

  • TOS status

  • Cluster performance

It does not include IP addresses, personal user information, or device information. All the information sent is encrypted and is accessible only to Tufin support teams.

The information is sent to Tufin from TOS users' browsers to the Tufin sub-domain mailbox.tufin.com, therefore requests from user browsers to this sub-domain must be allowed.

TOS Monitoring

TOS Monitoring lets you monitor the status of the TOS cluster and its nodes by generating a notification whenever a change in status occurs, such as a node failing, or a usage threshold reached, such as CPU or disk usage.

We recommend that you set up notifications in TOS Monitoring (see TOS Monitoring).

Additional Configuration

A number of additional parameters can be set now or later, for example, session timeout and SNMP; see Configuring TOS.

SecureChange Settings

Relevant only for central clusters; skip for remote collectors.

If you have installed SecureChange:

  1. Go into SecureChange by one of the following means:

    • Sign in to TOS with the URL given previously and then select SecureChange from the app launcher.

    • Sign in directly to SecureChange by entering https://<IP>/tufinapps/securechange in the browser.

  2. Configure the DNS.

    1. Go to Settings > Miscellaneous.

    2. Delete the default value in the Server DNS name field and enter the server DNS name to use for links in email notifications. This can be an IP address in the format 11.22.33.44 or an FQDN in the format https://mydomain.com. SecureChange publishes this DNS name so it can be reached from external sources; for example, it is embedded in notification emails sent by SecureChange that include a link to a ticket, such as an email notifying a handler of an assigned task or informing a requester that a ticket has been resolved.

  3. Additional setup that can be done now or later:

    • Internal SSO Authentication. Internal SSO is enabled by default when TOS is installed, giving user access to all TOS components using the same credentials - SecureTrack, SecureChange, SecureApp, and extensions. When disabled, there is no connection between a SecureTrack user and SecureChange user with the same name.
    • Mail server connection
    • LDAP directory connection to use LDAP user accounts
    • Local users and user roles
    • Subsequent password changes can be made from the command line; see SecureChange Command Line Reference.
    • Change access to SecureTrack from SecureChange

      1. Go to Settings > SecureTrack:

      2. Change the default SecureTrack administrator. For SecureChange to access SecureTrack data, a SecureTrack administrator must be specified. By default this is the predefined user 'Admin' and everything will work fine if you leave it as it is. However, if you want a different user, create a new administrator and enter the user name. If you have already configured multi-domain management, this user can be either a super administrator or multi-domain administrator, depending on whether you want to restrict the administrator to selected domains.

      3. Remove link to SecureTrack. By default you can go from SecureChange to SecureTrack by selecting the SecureTrack link in the app launcher. If you want to remove this option, clear the checkbox.

      4. Change connection check interval. The default value for the frequency of SecureChange testing connectivity to SecureTrack can be changed if desired.

      5. Click Test connection to verify that SecureChange has a connection to SecureTrack.

      6. Click Refresh license status. This will ensure that SecureTrack and SecureChange share the highest level of connectivity.

      7. Click Save.