Monitoring Huawei Devices

Overview

Add Huawei Router and Firewall devices to TOS using the Open Policy Model (OPM). OPM lets you use TOS to monitor firewall devices that are not supported by default. Tufin provides device connectors that collect the device's configuration and policy data and import it into SecureTrack.

The Huawei device connectors support onboarding Huawei routers and firewalls. SecureTrack connects to these devices over SSH and pulls topology and rule data based on the sync schedule set in Tufin-Integrations.

Prerequisites

  • SSH access to all devices

  • Customer Portal access to download the OPM package

  • Admin credentials for SecureTrack and SecureChange

  • TOS server:

    • sudo permissions to run the installer

    • File upload permissions to /opt/misc

  • On systems with non-Tufin OS, python3 and bzip2 packages installed

Install the OPM Package

Install the OPM package from the shell on the TOS server. The steps are identical for both new installations and upgrades.

If you have existing OPM packages, the OPM installer automatically detects and upgrades older versions.

  1. Go to the Download center.

  2. Select Huawei Firewall & Router.

  3. Click Download to Computer.

  4. Upload the downloaded file to /opt/misc (recommended) on the TOS server:

    sh <package-name>

    where:

    <package-name> is the name of the package you downloaded in the format install-<vendor>-0.1.77.aur.run

  5. When prompted, enter:

    • SecureTrack Username and Password

    • SecureChange Username and Password

  6. Wait for the installation to complete. The installer installs PS Proxy and Tufin Integrations if they don't exist. If an older version is installed, the script upgrades it.

    These credentials are used by the OPM scripts to make API requests. You can always update them later in Tufin Integrations.

Add a Device

Add a Huawei firewall or router device to TOS.

To allow SecureTrack to retrieve configuration data and run all required commands, the SSH user must have admin (read) access to the device.

For Firewall devices, the user must also be able to switch between virtual systems.

  1. In SecureTrack, go to Monitoring > Devices > Device Viewer.

  2. Click Add Device, and then select Add OPM Device.

  3. In the ADD OPM DEVICE define the device details:

    • Vendor: The vendor with the device to add.
      For versions earlier than R24-2 PHF6, select UNKNOWN as the vendor. For later versions, select the correct vendor.

    • OPM agent: The registered agent for the vendor. The agent is displayed only if it was installed successfully.

    • Type: The supported device type, such as Router or Firewall.

    • Display name: The name to display for this device in SecureTrack

    • IP: The IP address of the device.

  4. Click Next.The Configure Device properties form is displayed.

  5. Configure the device properties:

    • arguments: Leave blank unless instructed otherwise.

    • enable_pass...: The password to switch to system-view mode, if required by the device.

    • password*: The SSH password for the device.

    • username*: The SSH username for the device.

  6. To confirm settings and add the device, click Save.

Sync Device with SecureTrack

Use Tufin Integrations to configure how SecureTrack syncs with your OPM-managed device. Tufin Integrations is the updated web interface for managing OPM devices, automatically installed by the OPM package if it is does not exist.

Configuring SecureTrack to sync with your OPM-managed device includes:

  • Assigning the device to a cluster

    You can assign devices to different TOS clusters for monitoring. For example, you can monitor one OPM device from the main cluster and another from a Remote Collector. Remote Collectors are available only if they are configured in TOS.

  • Scheduling sync jobs

    Schedule automated syncs or trigger a manual sync on demand when monitoring is enabled for the device.

  • Reviewing job history

    View per-device status, start/end time, and message after each agent run.

When configuration is complete, SecureTrack runs a script that connects to the device, retrieves configuration data (such as interfaces, routes, and rules), and imports the data. This process replaces real-time monitoring with scheduled or manual data collection.

  1. To open Tufin Integrations, do one of the following:

    • Go to https://<tos-vip>/apps/integrations.

    • In SecureTrack , from the list of Tufin Extensions , select Tufin Integrations.

  2. From the DASHBOARD, select the OPM client or vendor to configure.

  3. Enable monitoring for the device and select the monitoring option:

    1. From the list of vendors on the left, select the vendor for the device to sync.

    2. To enable monitoring for this device, click Start.

    3. From the list of available devices, right-click the required device, and select the cluster from which to monitor the device:

      • Migrate to main: Monitor the device from the primary cluster.

      • Migrate to <remote_collector>: Monitor the device from a Remote Collector, for example, RC4.  Available only if a Remote Collector is configured in TOS. The actual name of the Remote Collector differs by environment.

      For automated or manual sync to run, you must enable monitoring for the device.

  4. Set the sync schedule:

    1. Set Schedule interval, for example: daily, weekly, or monthly.

    2. Choose the Time or Day of execution.

    3. Select the Log Level. The default is INFO.

    4. To enable the script, select Enabled.

    5. Click Save.

  5. To trigger the sync immediately, click SAVE & RUN. If not triggered manually, the sync is triggered as scheduled.

    Every script execution retrieves the configuration from all devices assigned to the vendor’s OPM agent.

  6. Verify the results in the Run Details popup:

    In the Agent Runs table, click the blue information icon information icon in the Run Details column.

    The popup shows the status, start and end time, and a message for each device in the run.

How Do I Get Here?

SecureTrack > Monitoring > Devices > Device Viewer