Installing and Upgrading ISPA
Overview
This procedure describes how to install or upgrade TOS application extensions.
Upgrades
To upgrade an existing extension, download and install the latest version. You do not need to uninstall the existing version.
Upgrades to IPAM Security Policy App (ISPA) provide newly supported features and bug fixes, and integrate changes from TOS.
- Backward Compatibility: This extension is tested for backwards compatibility with the current and two previous versions of TOS.
- Support and Bug Fixes:
  - Tufin provides customer support for the most recent version of this extension.
  - If there are issues related to TOS as well, support is provided if you are on the current version, or one of the previous two versions of TOS.
  - Bug fixes are applied only to the latest version of this extension.
- To check your current version, click > About.
Before Installation
- Confirm that you have either a Google Chrome or Mozilla Firefox internet browser.
- Extension applications may require additional hardware and resources, depending on utilization. Consider expanding your resources if heavy use of the application is intended.
- If you are not using TufinOS, we recommend that you open a support ticket for a walkthrough before installing an Extension application for the first time.
- In SecureTrack, create a user with Security Administrator level permissions. Log into SecureTrack with that user.
Install/Upgrade ISPA
You can download all installation files from the Customer Portal Download Center, either locally or to a relevant server.
- From the Download Center, select the Extension to download.
- After downloading the file, log in to the primary data node using SSH.
- Create a directory called /opt/extensions, and do the following:
  - Copy and paste the downloaded installer run file to the directory.
  - Run the command:

        # sh reportpack-v<VERSION>.k3s.run

- ISPA is installed on the TOS cluster.
A license is required if you have a legacy (non-tiered) TOS license - see Installing a License.
Troubleshooting Installation
| Error Message | Next Steps |
|---|---|
| Error: TOS isn't running | Potential cause: You are not using TufinOS, and the issue may be related to operating system user permissions. Solution: Contact Tufin Support for instructions. |
Before Running ISPA for the First Time
Before you can get started with IPAM Security Policy App (ISPA), you need the following:
TOS Configurations
- Configure zones and domains.
ISPA Configurations
- The attributes that IPAM systems configure are crucial for an effective integration with Tufin Orchestration Suite (TOS). Since this process takes time, we recommend that you start work on gathering this information as soon as possible. In general, the attribute values, which filter the imported subnets for specific zones, are optional. However, they are required if you need to select a specific zone based on the attribute name.
- ISPA retrieves subnet and attribute data using the API. The user with API credentials must have the following permissions to integrate with each IPAM:

| IPAM | Minimum Required Permissions |
|---|---|
| BlueCat | `API user` user access type set to `yes` |
| efficientIP | Read-only custom permissions role, which allows reading from `ip_block_subnet_count` and `ip_block_subnet_list` endpoints |
| InfoBlox | Read-only custom permissions role, which allows reading from `extensibleattributedef` and `network` endpoints |
| IPControl | Read-only administrator user with a role that includes container permissions |
| NetBox | User with `view` action permissions for the `ipam \| IP address` and `ipam \| prefix` models |
| phpIPAM | User in the `operators` group |
| SolarWinds | Account should be enabled. If you are using Active Directory for authentication, you must add the domain name prior to the username. For example: `domain\username`. For API connections, ISPA uses port 17778. |