Installing and Logging in to ISPA

Before Installation

  • Confirm that you have either a Google Chrome or Mozilla Firefox internet browser.

  • Extension applications may require additional hardware and resources, depending on utilization. If you intend to use the application heavily, consider expanding your resources.

  • If you are not using Tufin OS, we recommend that you open a support ticket for a walkthrough before installing an Extension application for the first time. Note that the initial setup is the same for all Extension applications.

  • In SecureTrack, create a user with Security Administrator level permissions. Log into SecureTrack with that user.

Install Process

These instructions apply if you are:

  • Installing ISPA for the first time.

  • Upgrading to a TOS Aurora version that requires a new installation.

  • Upgrading ISPA.

Retrieve Installation File

You can download any Extension application file from the Customer Portal Download Center, either to your local computer or directly to the relevant server.

  1. From the Download Center, select the Extension to download.

  2. Select the method for downloading the installation package: Download to Computer or Copy link (valid for 10 minutes). Using the link requires that the server can reach https://tosportaldownloads.tufin.com to download the package.

  3. If you downloaded the package, upload it from your local computer to the primary data node to the directory c:/opt. Upload the file as is; do not extract it first.

  4. If you copied the link, run the following command. If the link has expired, get a new link from the Download Center.

    curl -o ispa-v<APP-VERSION>-k3s.run "<LINK>"

    where

    • <APP-VERSION> is the version number (as written in the file name in the Download Center).

    • <LINK> is the link you copied from the Download Center.

Procedure

In a Tufin Distributed Architecture (DA) environment, ISPA is installed on the SecureTrack Central Server (CS).

  1. Using SSH, log in to the TOS Aurora server.

  2. Create a directory called /opt/extensions.

  3. Copy the installer run file (already downloaded) to /opt/extensions.

  4. Go to /opt/extensions.

  5. From that directory, run the installer file (the same file name as in the download step):

    # sh ispa-v<APP-VERSION>-k3s.run

ISPA is installed in the TOS Aurora cluster on the data node.

A license is required if you are running TOS Aurora R23-1 or earlier, or if you have a legacy (non-tiered) TOS license. See Installing a License.
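The retrieval and installation steps above, as an added example that is not Tufin's own tooling: a small POSIX shell helper that downloads the installer with curl, refuses to stage a file that is empty or is an HTML page saved under the installer name (what you get when a copied link has expired), creates /opt/extensions with root-only permissions, copies the packed .run file there unextracted, and runs it from that directory. The assumptions are mine: the page publishes no checksum, so only size and file-type sanity checks are made, and a valid installer is assumed not to begin with "<".

```shell
#!/bin/sh
# Added example, not Tufin's own script. Wraps the "Retrieve Installation File"
# and "Procedure" steps with the checks a practitioner would want first.
# Assumption: no published checksum is available, so checks are limited to
# "non-empty, still a .run file, not an HTML error page".

EXT_DIR=/opt/extensions   # directory named in the procedure

# Build the installer file name from the version shown in the Download Center.
ispa_installer_name() {
    printf 'ispa-v%s-k3s.run\n' "$1"
}

# Download with -f so an expired link (HTTP error) makes curl fail instead of
# quietly saving the error page under the installer name.
download_installer() {
    version=$1
    link=$2
    curl -f -sS -o "$(ispa_installer_name "$version")" "$link"
}

# Sanity-check a downloaded file before it is staged: it must exist and be
# non-empty, keep the .run name (i.e. not have been extracted), and must not
# start with "<", which is what a saved HTML error page looks like (assumption).
check_installer() {
    f=$1
    [ -s "$f" ] || { echo "empty or missing installer: $f" >&2; return 1; }
    case $f in
        *.run) ;;
        *) echo "not a packed .run installer (was it extracted?): $f" >&2; return 1 ;;
    esac
    first=$(head -c 1 "$f")
    [ "$first" != "<" ] || { echo "looks like an HTML page; link probably expired: $f" >&2; return 1; }
    return 0
}

# Stage the installer into the extensions directory (created root-only if it
# does not exist) and print the staged path. Second argument overrides the
# directory so the function can be exercised outside /opt.
stage_installer() {
    f=$1
    dir=${2:-$EXT_DIR}
    check_installer "$f" || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cp "$f" "$dir/" || return 1
    printf '%s/%s\n' "$dir" "$(basename "$f")"
}

# Run the staged installer from its own directory, as step 5 requires.
run_installer() {
    path=$1
    cd "$(dirname "$path")" && sh "$(basename "$path")"
}

# Typical use (as root on the primary data node):
#   download_installer "<APP-VERSION>" "<LINK>"
#   staged=$(stage_installer "$(ispa_installer_name "<APP-VERSION>")") && run_installer "$staged"
```

The -f flag on curl is the important detail: without it, an expired Download Center link still produces a file named like the installer, and the failure only surfaces when sh tries to execute an HTML document.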

Troubleshooting Installation

Error Message: TOS isn't running

Next Steps: If you receive this message while trying to install an Extension and you are not using Tufin OS, the issue may be related to your OS user permissions. Please contact Tufin Support for instructions.

Before Running ISPA for the First Time

Before you can get started with IPAM Security Policy App (ISPA), you need the following:

TOS Configurations

  • Configure zones and domains.

ISPA Configurations

  • The attributes configured in your IPAM systems are crucial for an effective integration with Tufin Orchestration Suite (TOS). Because gathering this information takes time, we recommend that you start as soon as possible. In general, the attribute values, which filter the imported subnets for specific zones, are optional; they are required only if you need to select a specific zone based on an attribute name.

  • ISPA retrieves subnet and attribute data through each IPAM's API, and the user whose API credentials ISPA uses must have the following minimum permissions in that IPAM:

    IPAM: Minimum Required Permissions

    • BlueCat: API user, with the user access type set to yes

    • efficientIP: Read-only custom permissions role that allows reading from the ip_block_subnet_count and ip_block_subnet_list endpoints

    • InfoBlox: Read-only custom permissions role that allows reading from the extensibleattributedef and network endpoints

    • IPControl: Read-only administrator user with a role that includes container permissions

    • NetBox: User with view action permissions for the ipam | IP address and ipam | prefix models

    • phpIPAM: User in the operators group

    • SolarWinds: Account must be enabled. If you are using Active Directory for authentication, prefix the username with the domain name, for example domain\username. For API connections, ISPA uses port 17778.

Log into ISPA

You can access ISPA from inside SecureTrack or by logging in directly. ISPA integrates with SecureTrack usernames.

Access ISPA from SecureTrack

From R23-1, click the app launcher icon and select IPAM Security Policy App.

Note that this option only appears after ISPA installation.

Log in to ISPA Directly

  1. In your browser, enter the following URL:

    https://<TOS_Aurora_Host>/apps/ispa

    where <TOS_Aurora_Host> is your TOS Aurora IP address. ISPA uses TOS Aurora for authentication.

    The Login page appears.

  2. Enter your TOS Aurora user credentials and click Log In.