Monitoring Versa Networks Devices

Overview

The Open Policy Model (OPM) lets you use Tufin to monitor firewall devices that are not supported by default. Tufin provides device connectors that collect the device's configuration and policy data and import it into SecureTrack.

The Versa device connectors support onboarding Versa Directors using HTTP API and OAuth authentication. SecureTrack pulls topology and rule data from the Director on a defined schedule, based on sync settings in Tufin Integrations.

The Versa integration is supported only with Versa Director version 22.X or later.

Prerequisites

Before you begin, make sure:

  • Your system is running TOS R24-2 PHF4 or later

  • You have access to the Customer Portal to download the OPM package

  • You have admin credentials for SecureTrack and SecureChange

  • You have sudo permissions on the TOS machine to run the installer

  • You can upload files to the TOS machine. Recommended path is /opt/misc.

  • The TOS server has either SSH access or HTTP/OAuth port access, depending on the vendor

  • If you are installing the OPM agent on a non-TufinOS system, make sure the python3 and bzip2 packages are installed.

You do not need to uninstall existing OPM packages before upgrading. The installer detects and upgrades previous versions automatically.

Install the OPM Package

Install the OPM package from the shell on the TOS machine. The steps are the same for new installations and upgrades.

  1. Go to the Download center and download Versa Secure SD-WAN.

  2. In the Product list, select Device Connectors (OPM).

  3. Download the package for your vendor.

    The package title reflects the product name in the Download center, but the file name itself will follow the standard install format, such as: install-<vendor>-0.1.77.aur.run

  4. Upload the downloaded file to the TOS machine. The recommended path is /opt/misc.

  5. From the command line, run:

    sh <package-name>

    Replace <package-name> with the file you downloaded.

  6. When prompted, enter:

    • SecureTrack Username and Password

    • SecureChange Username and Password

  7. Wait for the installation to complete. The installer installs PS Proxy and Tufin Integrations if they are not already present. If an older version is installed, the script upgrades it.

    These credentials are used by the OPM scripts to make API requests. You can update them later in Tufin Integrations.

    Terminal output showing successful install of Huawei OPM agent

Add a Device

  1. In SecureTrack, go to Monitoring > Devices > Device Viewer.

  2. Click Add Device and select Add OPM Device.

  3. In the ADD OPM DEVICE popup, fill in the following fields:

    Field Name What to Do
    Vendor

    Select Versa Networks from the list.

    This may appear as UNKNOWN if your system is running a version earlier than R24-2 PHF6.
    OPM agent

    Select Tufin-Versa-Networks.

    This appears only if the agent was installed successfully.
    Type Select Director from the list.
    Display name Enter the name to display in SecureTrack
    IP Enter the IP address of the device.

  4. Click Next.

Configure Device Properties

After clicking Next, SecureTrack shows additional fields. Fill in the required values below.

Field Name What to Do
API port Enter the port used to connect to the Versa Director REST API. Default is 9182.
OAuth authenticate port Enter the port used for OAuth authentication. Default is 9183.
OAuth client ID* Enter the client ID provided by your administrator.
OAuth client secret*

Enter the secret provided with your client ID.

See how to create OAuth credentials in the Versa Director REST API.
Username* Enter the API username.
Password* Enter the API user password.

Click Save to finish adding the device.

TOS must have connectivity to both TCP 9182 and 9183 ports on the Versa Director.

Use Tufin Integrations to configure how SecureTrack syncs with your OPM-managed device. This includes assigning the device to a cluster, scheduling sync jobs, and reviewing job history.

Tufin Integrations is the updated web interface for managing OPM devices. The OPM package installs this interface automatically if it is not already present.

When configuration is complete, SecureTrack runs a script that connects to the device, retrieves configuration data (such as interfaces, routes, and rules), and imports it into SecureTrack. This process replaces real-time monitoring with scheduled or manual data collection.

The sync does not happen automatically. The script runs only when triggered manually or by the scheduler.

  1. Open Tufin Integrations using one of the following:

    • In the SecureTrack menu, click the TUFIN SUITE APPS icon (top left), then select Tufin Integrations from the list of Tufin Extensions.

    • Or go to https://<tos-vip>/apps/integrations.

  2. From the DASHBOARD, select the OPM client or vendor to configure.

  3. In the devices table, right-click the device you added in SecureTrack and choose how to assign it:

    • Migrate to main– Monitor the device from the main cluster

    • Migrate to RC4– Monitor the device from a configured Remote Collector

      • This option appears only if a Remote Collector is configured in TOS.

      • The menu shows the name of the available Remote Collector (for example, RC4), which may vary by environment.

    • Stop – Disable monitoring for this device

    You can assign different devices to different clusters. For example, you can monitor one OPM device from the main cluster and another from a Remote Collector.

  4. Set the sync schedule:

    1. Set Schedule interval (for example: daily, weekly, or monthly).

    2. Choose the Time or Day of execution.

    3. Select the Log Level. The default is INFO.

      Support may ask you to switch to DEBUG if troubleshooting is needed.

      Log Level Descriptions:
      • INFO – Default; shows general activity and success events.
      • DEBUG – Adds detailed logs for troubleshooting.
      • WARNING, ERROR, CRITICAL – Used internally to flag issues at increasing severity. You usually do not need to change these.

    4. Check the Enabled box to enable the script.

    5. Click Save.

  5. Click SAVE & RUN to immediately trigger the sync script.

Each script execution retrieves the configuration from all devices assigned to the vendor’s OPM agent.

You can verify the results in the Run Details popup:

  • In the Agent Runs table, click the blue information icon information icon in the Run Details column.

  • The popup shows the status, start and end time, and a message for each device in the run.

After running the sync, you can verify that SecureTrack received the device configuration and created a revision.

  1. Go to Monitoring > Device Viewer in SecureTrack.

  2. Search for the device you onboarded using: vendor = 'device name'

    This is the current label shown for device connectors in SecureTrack.

  3. Click the device name to open its details.

  4. Go to the Revisions History tab.

  5. Confirm that a new revision appears with a recent timestamp. It may take a few minutes for a new revision to appear, depending on sync timing and job load.

You can also verify the sync status in the Agent Runs table in Tufin Integrations.

Each successful run indicates that configuration data was collected from all devices assigned to the selected device connectors.

How Do I Get Here?

SecureTrack > Monitoring > Devices > Device Viewer