Monitoring Huawei Devices

Overview

The Open Policy Model (OPM) lets you use Tufin to monitor firewall devices that are not supported by default. Tufin provides device connectors that collect the device's configuration and policy data and import it into SecureTrack.

The Huawei device connectors support onboarding Huawei routers and firewalls. SecureTrack connects to these devices over SSH and pulls topology and rule data based on the sync schedule set in Tufin-Integrations.

Prerequisites

Before you begin, make sure:

  • Your system is running TOS R24-2 PHF4 or later

  • You have access to the Customer Portal to download the OPM package

  • You have admin credentials for SecureTrack and SecureChange

  • You have sudo permissions on the TOS machine to run the installer

  • You can upload files to the TOS machine. Recommended path is /opt/misc.

  • The TOS server has either SSH access or HTTP/OAuth port access, depending on the vendor

  • If you are installing the OPM agent on a non-TufinOS system, make sure the python3 and bzip2 packages are installed.

You do not need to uninstall existing OPM packages before upgrading. The installer detects and upgrades previous versions automatically.

Install the OPM Package

Install the OPM package from the shell on the TOS machine. The steps are the same for new installations and upgrades.

  1. Go to the Download center and download Huawei Firewall & Router.

  2. In the Product list, select Device Connectors (OPM).

  3. Download the package for your vendor.

    The package title reflects the product name in the Download center, but the file name itself will follow the standard install format, such as: install-<vendor>-0.1.77.aur.run

  4. Upload the downloaded file to the TOS machine. The recommended path is /opt/misc.

  5. From the command line, run:

    sh <package-name>

    Replace <package-name> with the file you downloaded.

  6. When prompted, enter:

    • SecureTrack Username and Password

    • SecureChange Username and Password

  7. Wait for the installation to complete. The installer installs PS Proxy and Tufin Integrations if they are not already present. If an older version is installed, the script upgrades it.

    These credentials are used by the OPM scripts to make API requests. You can update them later in Tufin Integrations.

    Terminal output showing successful install of Huawei OPM agent

Add a Device

  1. In SecureTrack, go to Monitoring > Devices > Device Viewer.

  2. Click Add Device and select Add OPM Device.

  3. In the ADD OPM DEVICE popup, fill in the following fields:
    Field Name What to Do
    Vendor

    Select the correct vendor from the list.

    This may appear as UNKNOWN if your system is running a version earlier than R24-2 PHF6.

    OPM agent

    Select the registered agent for the vendor.

    This appears only if the agent was installed successfully

    TypeChoose the supported device type from the list, such as Router or Firewall.
    Display nameEnter the name to display in SecureTrack
    IP Enter the IP address of the device.

    • OPM supports both Router and Firewall device types.

    • TOS must have SSH connectivity to the device to retrieve topology and policy information.

Configure Device Properties

After clicking Next, SecureTrack shows additional fields. Fill in the required values below.

  • The SSH user must have admin (read/write) access to the device.

    This allows SecureTrack to retrieve configuration data and run all required commands.

  • For Firewall devices, the user must also be able to switch between virtual systems.

Field Name What to Do

arguments

(optional) Leave blank unless instructed otherwise
enable_pass... (optional) Enter the enable password to switch to system-view mode, if required by the device.
password* Enter the SSH password for the device.
username* Enter the SSH username for the device.

Click Save to finish adding the device.

Use Tufin Integrations to configure how SecureTrack syncs with your OPM-managed device. This includes assigning the device to a cluster, scheduling sync jobs, and reviewing job history.

Tufin Integrations is the updated web interface for managing OPM devices. The OPM package installs this interface automatically if it is not already present.

When configuration is complete, SecureTrack runs a script that connects to the device, retrieves configuration data (such as interfaces, routes, and rules), and imports it into SecureTrack. This process replaces real-time monitoring with scheduled or manual data collection.

The sync does not happen automatically. The script runs only when triggered manually or by the scheduler.

  1. Open Tufin Integrations using one of the following:

    • In the SecureTrack menu, click the TUFIN SUITE APPS icon (top left), then select Tufin Integrations from the list of Tufin Extensions.

    • Or go to https://<tos-vip>/apps/integrations.

  2. From the DASHBOARD, select the OPM client or vendor to configure.

  3. In the devices table, right-click the device you added in SecureTrack and choose how to assign it:

    • Migrate to main– Monitor the device from the main cluster

    • Migrate to RC4– Monitor the device from a configured Remote Collector

      • This option appears only if a Remote Collector is configured in TOS.

      • The menu shows the name of the available Remote Collector (for example, RC4), which may vary by environment.

    • Stop – Disable monitoring for this device

    You can assign different devices to different clusters. For example, you can monitor one OPM device from the main cluster and another from a Remote Collector.

  4. Set the sync schedule:

    1. Set Schedule interval (for example: daily, weekly, or monthly).

    2. Choose the Time or Day of execution.

    3. Select the Log Level. The default is INFO.

      Support may ask you to switch to DEBUG if troubleshooting is needed.

      Log Level Descriptions:
      • INFO – Default; shows general activity and success events.
      • DEBUG – Adds detailed logs for troubleshooting.
      • WARNING, ERROR, CRITICAL – Used internally to flag issues at increasing severity. You usually do not need to change these.

    4. Check the Enabled box to enable the script.

    5. Click Save.

  5. Click SAVE & RUN to immediately trigger the sync script.

Each script execution retrieves the configuration from all devices assigned to the vendor’s OPM agent.

You can verify the results in the Run Details popup:

  • In the Agent Runs table, click the blue information icon information icon in the Run Details column.

  • The popup shows the status, start and end time, and a message for each device in the run.

After running the sync, you can verify that SecureTrack received the device configuration and created a revision.

  1. Go to Monitoring > Device Viewer in SecureTrack.

  2. Search for the device you onboarded using: vendor = 'device name'

    This is the current label shown for device connectors in SecureTrack.

  3. Click the device name to open its details.

  4. Go to the Revisions History tab.

  5. Confirm that a new revision appears with a recent timestamp. It may take a few minutes for a new revision to appear, depending on sync timing and job load.

You can also verify the sync status in the Agent Runs table in Tufin Integrations.

Each successful run indicates that configuration data was collected from all devices assigned to the selected device connectors.

How Do I Get Here?

SecureTrack > Monitoring > Devices > Device Viewer