T-900/T-1300 Quick Start Guide

Overview

The T-Series appliances are a Tufin-in-a-box solution that provides IT organizations with a quick, robust installation that lowers total cost of ownership.

Using distributed deployment architecture, Tufin’s T-Series appliances enable virtually unlimited scalability – multiple appliances can be connected on-demand at multiple sites, according to network needs. With enterprise-grade memory and SSD drives, the T-Series combines power and flexibility in several models to scale to the needs of mid-size to large enterprises and ensure optimal performance for your organization.

The T-900/T-1300 appliances come pre-installed with TufinOS and a TOS Aurora run file.

Shipping container contents

Item | Description
Appliance | T-900/T-1300 appliance
Cables | 2 power cables
Documentation | 1 page document with a link to this Quick Start Guide; sticker with a link to unique iDRAC credentials
Other hardware | Rails; appliance front bezel

Appliance hardware

Front view of the appliance

Item | Feature | Description
1 | Left control panel (LCP) - Secondary | Contains the USB port and Mini-Displayport
2 | 2.5-inch drives | Enables you to install drives that are supported on your system
3 | Drive blank | Blank filler for the storage drive slot
4 | Right control panel (RCP) - Primary | Contains the system health LED, system ID, power button, Type-C USB port, and the host status LED
5 | Express Service Tag | The Express Service Tag is a slide-out label panel that contains system information such as Service Tag, NIC, MAC address

Rear view of the appliance

Item | Feature | Notes
1 | Power supply unit (PSU1) | PSU1 is the primary power supply unit of the system
2 | PCIe expansion card riser blank | Blank filler for the PCIe expansion riser slot
3 | PCIe expansion card riser OCP | 2 x 10GbE BASE‑T (T900: ens2f0-ens2f1, T1300: enP1s2f0-enP1s2f1)
4 | Blank filler for the PCIe expansion riser slot. | Blank filler for the PCIe expansion riser slot
5 | Power supply unit (PSU2) | PSU2 is the secondary power supply unit of the system
6 | OCP NIC card | 4 x 10/25GbE SFP28 (T900 & T1300: ens5f0np0, ens5f1np1, ens5f2np2)
7 | BOSS-N1 blank | Blank filler for the BOSS-N1 module slot
8 | iDRAC dedicated port | Enables you to remotely access iDRAC
9 | USB 3.0 port | The USB port is 9-pin and 3.0-compliant. This port enables you to connect USB devices to the system
10 | USB 3.0 port | The USB port is 9-pin and 3.0-compliant. This port enables you to connect USB devices to the system
11 | VGA port | Enables you to connect a display device to the system. When connected, the system supports display resolutions of up to 1920×1080 at 60 Hz

LED Light Indicators

See Status LED indicators in the Dell Installation and Service Manual for:

Rack Installation

See the Dell rack installation guide.

Connect the appliance to the network

  1. Connect the power cable.

  2. Boot up the appliance by pressing the Power button on the front panel.

  3. Connect the appliance to a KVM mouse and keyboard.

    The start-up screen is displayed.

  4. From the screen, press F10.

    The System Setup screen appears.

  5. If you intend to use remote access now or in the future, select iDRAC Settings. Otherwise select Device Settings.

  6. Select User Configuration.

  7. Change the IP address to your desired value. This must be done before you connect the appliance to the network. The IP address is required for iDRAC connectivity.

  8. Connect the appliance to the network.

  9. Configure remote access

    After you connect your appliance to the network, we recommend that you also configure Integrated Dell Remote Access Controller (iDRAC).

    iDRAC is a remote server management controller that allows you to securely access your Tufin appliance from any location. It enables you to upgrade TufinOS or TOS on the appliance without having to physically access the server as well as deploy, manage, configure, and troubleshoot from any location.

    Dell uses iDRAC to collect device information, which is required for hardware failures that fall under the appliance warranty. If iDRAC is not configured, Dell's response time to resolve hardware issues will be delayed.

    Set up iDRAC

    Prerequisites

    See the Dell iDRAC user guide for required ports and services here.

    1. In your browser, navigate to the IP address you defined for iDRAC connectivity in the Connect Your Appliance to the Network procedure.

      The start-up screen displays.

    2. Scan the sticker found on your Tufin appliance to view your root user and randomized password.

    3. Enter your credentials.

    4. In the Domain field, select This iDRAC.

      Log in.

    5. The iDRAC10 interface is displayed.

    6. You can now use the Virtual Console to access your Tufin appliance from any location.

    For more information, see iDRAC10 User's Guide.

Configure link redundancy on Tufin appliances

For appliances with two network connections, NIC bonding can be used to combine them into one virtual connection. This means that if one connection fails, the other can take over so the network keeps working.

However, this backup system only works if one connection fails. If multiple connections fail at the same time, the link redundancy may not be successful.

Configure the network bond interface

This procedure describes configuring a network bond interface via nmtui.

  1. Log in to the appliance and switch to the root environment using:

    sudo su -

  2. Determine the first two network interfaces for the network bond. Connect via SSH to your machine and run:

    /opt/tufinos/scripts/network_interface_by_pci_order.sh | grep "NET_IFS" | head -n2

    The names of the existing interfaces are displayed. Note the names of the interfaces as you will need them for the procedure.

    Disconnect from the SSH connection and continue with the procedure via RMM or a monitor connected to TTY.

    Do not attempt to perform the rest of the procedure with SSH. Once the configuration is applied, you will lose connectivity to the machine.

  3. Start nmtui.

    nmtui

    The NetworkManager TUI screen appears.

  4. Select Edit a connection, and press Ok.

  5. Press Add.

  6. From the list of connection types, select Bond and press Enter.

    The Edit Connection screen appears.

  7. Enter:

    Profile name: <meaningful profile name, for example: bond0>

    Device: <port's device name>

  8. Add ports to the bond to be created:

    1. From the list to the left of the Slaves box, select Add.

    2. From the New Connection dialog box, select Ethernet as the connection type.

      The Edit Connection screen appears.

    3. Enter:

      Profile name: <meaningful profile name, for example: bond0-port1>

      Device: <the name of your first network interface that you noted in step 2>

    4. Press OK to return to the window with the bond settings.

    5. Repeat sub-steps 1-4 to add the second port, with the following details:

      Profile name: <meaningful profile name, for example: bond0-port2>

      Device: <the name of your second network interface that you noted in step 2>

  9. Set the bond properties:

    Mode: Active Backup

    Primary: <name of first network interface>

    Link Monitoring: MII (recommended)

    Monitoring frequency: 100 ms

    Link up delay: 0 ms

    Link down delay: 0 ms

  10. Configure the IP address settings in the IPv4 CONFIGURATION.

    1. Select Manual and Show.

      The Manual configuration options appear.

    2. Configure according to your network requirements.

  11. Press OK to create.

    The new connection is activated.

  12. Press Back to return to the main menu.

  13. Deactivate the first network connection:

    1. Select Activate a Connection.

    2. Select the first network interface that supplied the machine connectivity, press the right arrow button, and press Deactivate.

  14. Make sure the bond0 interface is activated. It should have the (*) character before the name.

    Activate the bond0 interface if it is not activated.

  15. Press Back to return to the main menu.

  16. Select Quit to close the nmtui application.

Verify link redundancy

  1. Temporarily remove the network cable from one of the network devices and check if the other device in the bond handles the traffic.

    Note that software utilities are not the proper way to test link failure events. Tools that deactivate connections, such as nmcli, show only the bonding driver’s ability to handle port configuration changes and not actual link failure events.

  2. Display the status of the bond:

    cat /proc/net/bonding/bond0

    Output example

    Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
    Bonding Mode: fault-tolerance (active-backup)
    Primary Slave: eno12399np0 (primary_reselect always)
    Currently Active Slave: eno12399np0
    MII Status: up
    MII Polling Interval (ms): 100
    Up Delay (ms): 0
    Down Delay (ms): 0
    Peer Notification Delay (ms): 0
    
    Slave Interface: eno12409np1
    MII Status: down
    Speed: Unknown
    Duplex: Unknown
    Link Failure Count: 0
    Permanent HW addr: 04:32:01:46:eb:e1
    Slave queue ID: 0
    
    Slave Interface: eno12399np0
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 04:32:01:46:eb:e0
    Slave queue ID: 0
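
A status check built on the output above, for use after the cable pull in step 1 or as a recurring health check. This is an added example, not part of Tufin's guide or tooling; the function names and exit codes are assumptions, and the sample text is abridged from the output example.

```shell
#!/bin/sh
# Added example, not Tufin's tooling: read bonding-driver status text and
# report whether the bond still has a standby port.
# Exit status (assumed for this example): 0 = redundant, 1 = degraded, 2 = failed.

check_bond() {    # usage: check_bond [FILE]   (reads stdin when FILE is omitted)
    awk '
        $1 == "Bonding" && $2 == "Mode:"      { mode = $0 }
        $1 == "Currently" && $2 == "Active"   { active = $4 }
        $1 == "Slave" && $2 == "Interface:"   { port = $3; ports++ }
        # The first "MII Status" line describes the bond itself; each later
        # one belongs to the most recent "Slave Interface" header.
        $1 == "MII" && $2 == "Status:" {
            if (port == "") bond = $3
            else { mii[port] = $3; if ($3 != "up") down = down " " port }
        }
        END {
            if (mode !~ /active-backup/) { print "FAIL: mode is not active-backup"; exit 2 }
            if (bond != "up" || active == "" || mii[active] != "up") {
                print "FAIL: no usable active port"; exit 2
            }
            if (ports < 2) { print "FAIL: bond has fewer than two ports"; exit 2 }
            if (down != "") { print "DEGRADED: active=" active " down:" down; exit 1 }
            print "OK: active=" active " ports=" ports
        }' "${1:--}"
}

# Status text abridged from the output example above (eno12409np1 is down).
sample_status() {
    cat <<'EOF'
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eno12399np0 (primary_reselect always)
Currently Active Slave: eno12399np0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eno12409np1
MII Status: down
Link Failure Count: 0

Slave Interface: eno12399np0
MII Status: up
Link Failure Count: 0
EOF
}

# On an appliance: check_bond /proc/net/bonding/bond0
sample_status | check_bond || echo "exit status: $?"
```

A bond in the state shown in the output example still passes traffic, but it has no standby port left, which is why the check reports it as degraded rather than healthy.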

Update BIOS and iDRAC firmware

There are no BIOS updates for T-900 and T-1300 appliances.

Log in to the appliance

  1. Connect via SSH to the IP address of the first network interface (if you have not changed it, use: 192.168.1.100).

  2. Log in as tufin-admin with password admin.

    On the first login, you will be prompted to change the default “admin” password. Do so now.

Check for TufinOS updates

Check the TufinOS 4 release history. If there is a newer version, update TufinOS.

Update TufinOS

  1. Run the tmux command.

    [<ADMIN> ~]# tmux new-session -s update

  2. On the target machine, switch to the root user.

    [<ADMIN> ~]$ sudo su -

  3. Go to /opt/misc.

    [<ADMIN> ~]# cd /opt/misc

  4. Go to the Download Center and select TufinOS 4.70.

    Select how you want to download the installation package: Download to Computer or Copy link.

  5. If you copied the link, run the following command within ten minutes:

    curl -o [Name the file].run.gz  "<LINK>"

    Where <LINK> is the link you copied from the Download Center.

    Make sure the server has permissions to download from https://tosportaldownloads.tufin.com.

  6. If you downloaded to the computer, copy the compressed file from your local computer to the server.

  7. Extract the run file from the archive.

    [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz

    The run file name includes the release, version, build number, and type of installation.

    TufinOS update file example: TufinOS-4.40-639387-x86_64-8.8-Final-Update.run.tgz

  8. Verify the integrity of the TufinOS installation package.

    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final-Update.sha256

    The output should return OK.

  9. Execute the TufinOS update file:

    [<ADMIN> ~]# sudo sh <update_file>.run

  10. When prompted to continue the update, enter yes.

    Do not interrupt the update process. Wait until the successful completion message appears.

  11. After the update is complete, reboot the node:

    [<ADMIN> ~]# sudo reboot

  12. Log in to the primary data node.
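
One way to tie the integrity check to the execute step, so that the file passed to sh is the file whose digest was checked. This is an added example, not part of Tufin's guide or tooling; the function names, return codes and demo file names are assumptions.

```shell
#!/bin/sh
# Added example, not Tufin's tooling: only hand an update file to `sh` after
# its digest matches the entry for that exact file in the .sha256 list.
# Return codes (assumed for this example): 0 match, 1 mismatch, 2 missing
# file, 3 file not listed.

verify_update() {    # usage: verify_update RUN_FILE SHA256_FILE
    run_file=$1
    sum_file=$2
    [ -f "$run_file" ] && [ -f "$sum_file" ] || { echo "missing file" >&2; return 2; }
    name=$(basename "$run_file")
    # `sha256sum -c` reports OK for whatever names the list contains, so look
    # up the entry for the file that will actually be executed.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print $1; exit }' "$sum_file")
    [ -n "$expected" ] || { echo "$name is not listed in $sum_file" >&2; return 3; }
    actual=$(sha256sum "$run_file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "digest mismatch for $name" >&2; return 1; }
    echo "$name: OK"
}

# Constructed demo files in a temporary directory (names are placeholders).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'stand-in for an update file\n' > "$dir/demo-update.run"
    printf 'a different file\n' > "$dir/other.run"
    (cd "$dir" && sha256sum demo-update.run > demo-update.sha256)
    sums=$dir/demo-update.sha256
    intact=0;   verify_update "$dir/demo-update.run" "$sums" >/dev/null || intact=$?
    unlisted=0; verify_update "$dir/other.run" "$sums" 2>/dev/null || unlisted=$?
    printf 'appended bytes\n' >> "$dir/demo-update.run"
    changed=0;  verify_update "$dir/demo-update.run" "$sums" 2>/dev/null || changed=$?
    rm -rf "$dir"
    echo "intact=$intact unlisted=$unlisted changed=$changed"
}

demo
# Typical use: verify_update "$f.run" "$f.sha256" && sudo sh "$f.run"
```

A checksum list that arrives in the same archive as the run file detects a corrupted or truncated download; it is evidence of authenticity only when the expected digest is obtained separately.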

Set up the Appliance

  1. Give the node a unique name in the cluster.

  2. If you want to reset the host name or IP of the machine, do so now. It cannot be done at a later stage. See Changing IP Address/Host Names.

  3. If you want to configure NIC bonding, do so now. It cannot be done at a later stage. See Link Redundancy on Tufin Appliances.

  4. Configure the server timezone.

    [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.

    To view a list of the time-zone formats that can be used, run:

    [<ADMIN> ~]$ sudo timedatectl list-timezones

    Ukraine only. Since the change in timezone name from Kiev to Kyiv, not all software products have been adjusted. We therefore recommend avoiding these names and instead using an alternative city in the same timezone such as Europe/Tallinn.

  5. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.

  6. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32). If you have several network interfaces, configure the first one.

  7. To assign a static IP address:

    1. Run the command:

      [<ADMIN> ~]$ sudo nmtui edit <Interface Name>

      and set the following parameters in the window:

      • Set IPv4 CONFIGURATION to Manual
      • Set Addresses for the physical IP, together with the chosen subnet
      • Set Gateway and DNS Servers to the IPs used by your organization

    2. Restart the network service.

      [<ADMIN> ~]$ sudo systemctl restart NetworkManager.service

Install TOS

You can install the TOS version included with the appliance, or download the latest version from the customer portal.

We recommend downloading the latest version.

For the full procedure, see Install TOS.

Upgrade TOS

If you need to update TOS to a later version after it has been installed, see Update TOS.