Initial Setup
Before Installation
- Confirm that you have either a Google Chrome or Mozilla Firefox internet browser.
- Download an installation file from the Tufin Extensions website (formerly Marketplace).
- In SecureTrack, create a user with Security Administrator level permissions. Log into SecureTrack with that user.
Install ISPA
You may need to install a new version of ISPA in these cases:
- You are installing ISPA on a new environment.
- You uninstalled ISPA.
- You need to upgrade to a TOS Aurora version that requires a new installation.
Follow these steps to install ISPA:
- Using SSH, log into the TOS Aurora server.
- Create a directory called /opt/extensions.
- Copy the installer run file (already downloaded) to /opt/extensions.
- Go to /opt/extensions.
- Go to the folder and run the installer file:
# sh ispa-v<VERSION>.k3s.run
ISPA is installed in the TOS Aurora cluster on the data node.
A license is required if you are running TOS Aurora R23-1 or earlier, or you have a legacy (non-tiered) TOS license - see Installing a License.
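The copy-and-run steps above can be combined with an integrity check, so that the file executed on the TOS Aurora server is the same file that was downloaded. This is an added example, not part of Tufin's documented procedure; the function name stage_installer and the EXPECTED_SHA256 value (a digest you recorded for the file at download time) are assumptions.

```shell
#!/bin/sh
# Added example: stage the ISPA installer and verify it before running it.
# Assumption: you recorded a SHA-256 digest of the .run file when you
# downloaded it and pass it in as the third argument.

# stage_installer SRC DEST_DIR EXPECTED_SHA256
# Copies SRC into DEST_DIR (created if missing), verifies the copy and
# prints the staged path. On a digest mismatch the copy is removed and
# the function returns 1; setup errors return 2.
stage_installer() {
    src=$1; dest_dir=$2; expected=$3

    [ -f "$src" ] || { echo "installer not found: $src" >&2; return 2; }

    # Directory is writable by its owner only.
    mkdir -p "$dest_dir" || return 2
    chmod 755 "$dest_dir" || return 2

    staged=$dest_dir/$(basename "$src")
    cp "$src" "$staged" || return 2
    # The installer is started with 'sh <file>', so no execute bit is needed.
    chmod 600 "$staged" || return 2

    actual=$(sha256sum "$staged" | awk '{print $1}')
    # Accept the expected digest in upper or lower case.
    expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected_lc" ]; then
        echo "SHA-256 mismatch for $staged" >&2
        rm -f "$staged"
        return 1
    fi
    printf '%s\n' "$staged"
}

# Usage on the TOS Aurora server (placeholder values):
#   staged=$(stage_installer /tmp/ispa-v<VERSION>.k3s.run /opt/extensions "$EXPECTED_SHA256") \
#     && cd /opt/extensions && sh "$staged"
```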
Before Running ISPA for the First Time
Before you can get started with IPAM Security Policy App (ISPA), you need the following:
TOS Configurations
- Configure zones and domains.
ISPA Configurations
- The attributes that IPAM systems configure are crucial for an effective integration with Tufin Orchestration Suite (TOS). Since this process takes time, we recommend that you start gathering this information as soon as possible. In general, the attribute values, which filter the imported subnets for specific zones, are optional. However, they are required if you need to select a specific zone based on the attribute name.
- ISPA retrieves subnet and attribute data through the API of each IPAM. The user whose API credentials ISPA uses must have the following permissions to integrate with each IPAM:
IPAM: Minimum Required Permissions
- BlueCat: API user, user access type set to yes
- efficientIP: Read-only custom permissions role, which allows reading from ip_block_subnet_count and ip_block_subnet_list endpoints
- InfoBlox: Read-only custom permissions role, which allows reading from extensibleattributedef and network endpoints
- IPControl: Read-only administrator user with a role that includes container permissions
- NetBox: User with view action permissions for the ipam | IP address and ipam | prefix models
- phpIPAM: User in the operators group
- SolarWinds: Account should be enabled.
If you are using Active Directory for authentication, you must add the domain name prior to the username. For example: domain\username
For API connections, ISPA uses port 17778.
Log into ISPA
You can access ISPA from inside SecureTrack or by logging in directly. ISPA integrates with SecureTrack usernames.
Access ISPA from SecureTrack
From R23-1, use the app launcher icon and select IPAM Security Policy App.
Log in to ISPA Directly
- In your browser, enter the following URL: https://<TOS_Aurora_Host>/apps/ispa where <TOS_Aurora_Host> is your TOS Aurora IP address. ISPA uses TOS Aurora for authentication. The Login page appears.
- Enter your TOS Aurora user credentials and click Log In.