Device Monitoring

TOS Aurora monitors the various components of your network and security infrastructure, and provides tracking, analysis, and reporting tools for the received policy revisions for any monitored device. You can manage TOS Aurora from any PC that has HTTPS access to TOS Aurora's web interface.

For increased scalability, TOS Aurora's Distributed Architecture enables multiple TOS Aurora servers to perform device monitoring and processing. Each distributed component can receive revisions and traffic logs. All management, revision viewing, and reporting is done on the TOS Aurora central server.

TOS Aurora uses a few different technologies to monitor each vendor's devices:

  • Cisco, Fortinet, and Juniper: By default, TOS Aurora uses periodic polling where TOS Aurora connects to each firewall or network device using SSH according to a configurable frequency (by default, 5 minutes) and retrieves its configuration. In addition, TOS Aurora can be configured as a Syslog server for the monitored devices to provide real-time monitoring.

  • Palo Alto Networks: TOS Aurora connects to each firewall or network device via the REST API, according to a configurable frequency (by default, 5 minutes) and retrieves its configuration.

  • Check Point: TOS Aurora uses Check Point OPSEC™ (Open Platform for Security) to track all the changes made by administrators to Check Point management servers (CMAs, Provider-1 MDSs, and SmartCenters). Whenever an administrator saves or installs a policy, TOS Aurora is immediately notified of the change. A secure OPSEC connection is then used to retrieve the new security policy. When a Check Point management server contains multiple Policy Packages, TOS Aurora records all packages with each revision.

  • Check Point Security Gateway OS: With Security Gateway OS Monitoring, TOS Aurora also monitors the operating system of Check Point gateways directly. TOS Aurora polls each gateway over SNMP at a configurable frequency and retrieves configuration and performance data. OS monitoring requires a separate license.

Automatic Revisions: For devices monitored in real time, if no revisions for a monitored device are received within a configurable interval, TOS Aurora also performs automatic, scheduled fetches of the device's database. If any changes are found, TOS Aurora records a new revision, defined as an Automatic Revision. This provides change coverage for changes made while TOS Aurora was not monitoring the device (for example, before device monitoring was set up), and for direct changes such as those made via cpconfig on Check Point management servers. The default automatic fetch interval is 60 minutes.
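The automatic-revision logic described above, as an added Python model of the scheduling decision (this is illustrative code, not TOS Aurora's own implementation); the class and method names are assumptions, and the sample configuration strings are constructed. A fetch runs only when the device has been quiet for the configured interval, and an Automatic Revision is recorded only when the fetched configuration actually differs from the last stored revision.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional

AUTO_FETCH_INTERVAL = 60 * 60  # default automatic fetch interval: 60 minutes (seconds)


@dataclass
class Revision:
    timestamp: int
    config_hash: str
    source: str  # "real-time" (pushed by the device) or "automatic" (scheduled fetch)


@dataclass
class DeviceMonitor:
    """Hypothetical per-device revision tracker (assumed names, not a product API)."""
    fetch_interval: int = AUTO_FETCH_INTERVAL
    revisions: List[Revision] = field(default_factory=list)
    last_activity: Optional[int] = None  # last real-time revision or scheduled fetch

    @staticmethod
    def digest(config: str) -> str:
        # Hash the fetched configuration so "changed?" is a cheap comparison
        return hashlib.sha256(config.encode()).hexdigest()

    def on_realtime_revision(self, now: int, config: str) -> Revision:
        """Real-time notification (e.g. OPSEC or syslog): always record a revision."""
        rev = Revision(now, self.digest(config), "real-time")
        self.revisions.append(rev)
        self.last_activity = now  # device is not quiet; scheduled fetch timer restarts
        return rev

    def tick(self, now: int, fetch_config: Callable[[], str]) -> Optional[Revision]:
        """Scheduler heartbeat: fetch only after fetch_interval of silence and
        record an Automatic Revision only if the configuration changed."""
        if self.last_activity is not None and now - self.last_activity < self.fetch_interval:
            return None  # revisions arrived recently enough; no fetch needed
        self.last_activity = now
        new_hash = self.digest(fetch_config())
        if self.revisions and self.revisions[-1].config_hash == new_hash:
            return None  # fetched, but nothing changed: no revision recorded
        # First fetch (covers changes made before monitoring was set up) or a real change
        rev = Revision(now, new_hash, "automatic")
        self.revisions.append(rev)
        return rev
```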

Device monitoring occurs seamlessly and automatically, without user intervention. Whenever TOS Aurora discovers changes made to the policy, TOS Aurora records a new revision of the policy. The configuration is parsed, analyzed and stored in TOS Aurora's database. TOS Aurora uses this information to generate scheduled and on-event reports, and several types of real-time change notifications:

  • Email reports with configurable levels of detail, to registered TOS Aurora administrators

  • Syslog messages to a Syslog server, with details about the changes made

  • SNMP traps to registered applications, with details about the changes made

TOS Aurora's policy change notifications supply real-time policy change tracking and integration with external security management frameworks (for example: SIM and SOC).

TOS Aurora includes a watchdog mechanism, which ensures that the TOS Aurora processes are up and running at all times. This diagram illustrates the interactions between the TOS Aurora server and other devices in the security policy management process.