
TCSE Fundamentals R19-1 Exercise Book

Uploaded by

phoopa97

TCSE R19-1 Fundamentals Lab Exercises

© Copyright 2003-2019, Tufin Software Technologies Ltd.



Preface
Chapter 1: Visibility and Monitoring
Exercise 1: Getting to know Tufin’s virtual lab
Exercise 2: Logging into SecureTrack
Exercise 3: Configuring Personal Settings
Exercise 4: Adding Users and Administrators
Exercise 5: Adding a New Device
Exercise 6: Device Groups
Exercise 7: Filtering Revisions
Exercise 8: Viewing and Comparing Policy Revisions
Exercise 9: Comparing Cloud Policy Revisions
Exercise 10: Using Tufin’s Interactive Map

Chapter 2: Compliance and Cleanup
Exercise 11: Prepare your security zones
Exercise 12: Create a new security zone matrix
Exercise 13: Prepare a USP matrix file
Exercise 14: Import a USP matrix file
Exercise 15: Viewing violations
Exercise 16: Replacing Overly Permissive Rules - APG
Exercise 17: Replacing Overly Permissive Rules - SecureChange
Exercise 18: Consolidating Duplicate Objects
Exercise 19: Creating and implementing a Rule Decommission Workflow
Exercise 20: Creating and Implementing a Rule Recertification Workflow
Exercise 21: Creating and implementing a Server Decommission Workflow
Exercise 22: Group Modification. Adding a Group Object to an Existing Group

Command Line Reference
Patents and Trademarks


Preface
Welcome to the Tufin Certified Security Expert (TCSE) Fundamentals course. This course guide
contains exercises geared to your personal environment in the Tufin Training Lab.
Thank you for your interest in the Tufin Orchestration Suite (TOS). Tufin uses a policy-based
approach to identify, orchestrate and automate changes to some of the largest, most complex
networks in the world. Tufin does this in minutes instead of days, all from a single pane-of-glass.

Tufin SecureTrack and SecureChange features include:

• Scalable and distributed architecture
• Multi-Domain management
• Unified Security Policy
• Policy Browser
• Change tracking and reporting
• Policy optimization
• Cleanup measures
• Risk analysis and management
• Network Mapping
• Access Requests
• Rule Recertification
• Rule Decommission
• Server Decommission

For full Tufin Orchestration Suite documentation, visit Tufin’s knowledge center at:
https://forum.tufin.com/support/kc/latest/


Chapter 1: Visibility and Monitoring

The objectives of the following lab practical exercises are to:

1. Familiarize yourself with Tufin’s virtual lab environment
2. Log into SecureTrack
3. Configure your personal settings
4. Add a Checkpoint firewall device
5. View and compare policy revisions
6. View the device in Tufin’s Interactive Map


Exercise 1: Getting to know Tufin’s virtual lab

1) Each student is provided with a dedicated environment.
2) To access the environment, you will need to log in to your personal virtual lab.
3) The recommended tools are listed below:
• MobaXterm/PuTTY
• Chrome/Firefox Browser


Connecting to Tufin:
There are two options to connect to the Tufin Training Lab:

• Option 1: Register for a virtual lab, found at the bottom of the course page within Tufin Academy
(https://portal.tufin.com/aspx/TrainingHome).

• Option 2 (for classroom courses): Login via the email link received from your instructor.


Exercise 2: Logging into SecureTrack

In this exercise, we will verify the Tufin Orchestration Suite version and then log into SecureTrack.
1) Either use the built-in console or log in using an SSH client, such as MobaXterm or PuTTY.
Built-in console

SSH Client
Copy/Paste External Address found under the Tufin VM into your client


Type the following credentials to log in: username: tcse, password: tufin123
• At the [tcse@TufinOS ~]$ prompt, type sudo tos ver to verify which version of TOS is installed on your
virtual machine.
2) Complete the information below:
Tufin Orchestration Suite Version: ____________
Build: __________
TufinOS Release: __________
TufinOS Build: _____________

3) To log into the Tufin web interface, click on the Tufin UI tab.

Alternatively, you may use the External Address: https://<External Address>


4) Log in with username: admin, password: tufin123.

5) Go to Settings > Administration > Licenses, check license status and expiry date.

Note: If needed, please download the Tufin Evaluation License from the TCSE Courses Menu
located on the left of the Tufin Academy screen (https://portal.tufin.com/aspx/TrainingHome).


Exercise 3: Configuring Personal Settings

In this exercise, we will explore the steps required to define personal user settings.
Go to Settings > My Settings and configure the settings as shown in the image below.
• Verify the following settings:
• Set the Start Page to Compare
• Show modified objects only
• Default Graphical View
• Recent Revisions Timeframe value: Custom and 1000000 hours (one million)
• Save the configuration


Exercise 4: Adding Users and Administrators

In this exercise, we will add users and administrators to SecureTrack and discover what each user
type is permitted to do.
1) Go to Settings > Configuration > Users:

2) Modify the email address of the admin user:


[email protected]
Confirm Administrative Alerts is set to Yes:

3) Click Save.


4) Click +New to add new users with the following credentials, using tufin123 for the local
authentication password. There is no need to configure a TACACS+ server in this training
environment.

Note: Usernames are case sensitive. Enter usernames exactly as written below.

Type          Username      Email              Authentication   Administrative Alerts
Super admin   Kevin.White   [email protected]  TACACS+          No
Super admin   John.Smith    [email protected]  Local            Yes
Domain User   Sarah.Jones   [email protected]  Local            N/A

a) Make sure that Sarah.Jones’s permissions are limited to viewing only the Palo
Alto devices under the HQ- California domain.

The users table should appear as below:


5) To change users, click on the user’s icon and then select Log out.

6) Log in to SecureTrack as: Sarah.Jones

When logged in as a user, notice the difference in the Settings section:
Administrator view

User view

Note that according to the user settings (which you defined as Admin), you can only see Palo Alto devices.


Exercise 5: Adding a New Device

In this exercise we will add a new device to be monitored. The device is a Check Point Security
Management Server VM.
1) Log in to SecureTrack as: John.Smith
2) Go to Settings > Monitoring > Manage Devices.
3) Under Start monitoring a new device, select Checkpoint > SmartCenter.


4) Configure the following:

• Name for Display: R80-Training
• Domain: 1Toronto BCKP
• IP Address: 10.0.0.1
• Check Point SMC Version: Version R80

Note: Usage Analysis traffic collection and Topology are enabled by default.

5) Click Next.


6) Enter the following details:

• OPSEC Application Name: student
• Activation Key (also called the One Time Password or OTP): tufin123
7) Click Retrieve Certificate.

8) Click Next.
a) Click Custom to review the available SIC authentication combinations before clicking Next.

b) Click Default to resume default OPSEC Settings:

9) Click Next.
10) Enter the following Management API connection details:
• User Name: api
• Password: tufin123


11) Click Establish connection.

12) Click Next.

13) Click Next.


14) Save the configuration and then click Done.
15) Click on the Compare tab to see R80-Training being monitored (in green)
Note: This could take a couple of minutes to refresh.
16) Select R80-Training and verify a new policy revision was successfully retrieved.


Exercise 6: Device Groups

In this exercise, we will create a new device group and add devices to the group.
Later, we will examine the differences between a Group’s Risk Score and Overall Score.

1) Go to Settings > Monitoring > Device Groups.


2) Click on the Groups tab

3) Follow these steps to create a new group:


• Select Default.

• Click and click Create New Group.

4) For the name of the group, enter TCSE and click Save.
5) In the group tree on the left, select the TCSE group and add the RTR1 and RTR2 devices.
6) Click Save.


Note: Make sure ONLY the newly added TCSE group is selected in the device tree. You can use
the search engine (magnifying glass) to look up the required devices.
Tip: When you create device groups, the groups are shown in the device tree for the Dashboard and
the Risk, Cleanup and Change browsers


Exercise 7: Filtering Revisions

In this exercise, we will filter the revision list to view only revisions installed by a specific administrator.
1) In Compare view, select the CMA-R80 device.
• In the middle strip, click Filter.
• By Show revisions in this time frame, select Show All.
• Configure the filter to show Installed Policy events by administrator aa
2) Click Apply filter.

3) Enter the filter again and click Reset filter.


Exercise 8: Viewing and Comparing Policy Revisions

In this exercise, we will view & compare two policy revisions on the SMC-Docklands and Palo Alto
devices. We will also create and review a Comparison Report.
7) In Compare view, select the R80-Training device.
8) In the Revision history pane (right hand side), select a revision.
9) In the middle strip, click View Policy

10) Mouse-over the group object below and review the tooltip:

11) Click one of the object groups and review its content in the newly opened window. Then close the
window.
12) Export the policy to PDF and save it to your Desktop:

13) In the Revision table, select CMA-R80 device revisions #18 and #20, and, in the middle strip,
click Compare.
Tip: Show all revisions.


14) In the Objects tab, review the changes made to the network objects.

15) Compare policy revisions 87 & 95 on the LA Cluster DG device.


Exercise 9: Comparing Cloud Policy Revisions

In this exercise, we will examine how devices are monitored in the cloud.

1) In Compare view, select the Amazon AWS-DataCenter-01 VPC device.

2) Select revisions 26 and 27 and click on Compare.

Tip: Show all revisions.

3) Click on Generate Report, compare your findings with your previous answer.

4) Select the OpenStack Data Center Migration device and click View Policy.

Note the differences between the AWS and OpenStack device

5) Select the NSX device, select a revision and click on View Policy.

6) Select the NSX-Distributed Firewall device, show revisions and click Compare.

Tip: Selecting Compare automatically selects the last two revisions.

7) Click on Generate Report and examine the results.


Exercise 10: Using Tufin’s Interactive Map

1) Go to Network > Interactive Map.


2) Click Synchronize (top right of screen) to sync topology

3) Select the Fast Topology Sync option.

4) Click Refresh Now (bottom left of screen) to complete the process.

5) Search for the R80-Training device using the search function (top right of screen).

6) Enter the details of the device interfaces. Right-click on the device and select Show interfaces.

1st Interface ___________ connected to _______________


2nd Interface ___________ connected to _______________
3rd Interface ___________ connected to _______________


7) Select Path Analysis in the Interactive Map sub-menu

8) Search the following path:

• Source: 172.16.120.0/24
• Destination: 10.0.0.0/255.128.0.0
• Service: tcp:445 (press Enter after typing the service)
• Show broken paths: not selected
• Click the Find Path button

9) Click on More details and save the query.


10) Search the following path:

• Source: 192.168.1.0/24
• Destination: 172.16.1.3/32
• Service: tcp:443 (press Enter after typing the service)
• Show broken paths: not selected
• Click the Find Path button

11) Right-click the R80-Training device and select Show matching rules:


Chapter 2: Compliance and Cleanup

The objectives of the following lab practical exercises are to:

1. Prepare and create new Unified Security Zones
2. Prepare and import a USP matrix file
3. View violations
4. Replace Overly Permissive Rules
5. Consolidate Duplicate Objects
6. Create and implement a Rule Decommission Workflow
7. Create and implement a Rule Recertification Workflow
8. Create and implement a Server Decommission Workflow
9. Add a Group Object to an Existing Group


Exercise 11: Prepare your security zones

Zones can be imported or manually configured.

In this exercise, we will import USP Zones using a CSV file (TCSE Zones.csv) prepared in advance.

Note: Please download the TCSE Materials zip file, found within the 'File repository area' at the
bottom right of the Tufin Academy course page.


Exercise 12: Create a new security zone matrix

1. Log in to SecureTrack as John.Smith

2. Go to Network > Zones

3. Select Import CSV

4. Select the TCSE Zones.csv file (downloaded in the previous exercise) and click OK to import.

5. To view the zones’ subnet details, tick the relevant zone checkboxes in the ‘Zone List’ on the
left. Make sure ‘Include subnets of child zones’ is checked.


Exercise 13: Prepare a USP matrix file

Tufin’s Unified Security Policy™ lets you define the controls that govern the traffic between the
security zones of your environment that you defined in Network > Zones (previous step).
The controls can define:

• Block All/Allow All traffic
• Allow only - Traffic is allowed only if the traffic service is in the list of services
• Block only - Traffic is blocked only if the traffic service is in the list of services

In this exercise, we will prepare the USP Matrix CSV file (TCSE Compliance Policy.csv) for import.
The policy will allow only tcp 587 access from the PCI Data zone to the Hosting zone.

Note: The TCSE Compliance Policy.csv file can be found within the TCSE Materials zip file, found
within the 'File repository area' at the bottom right of the Tufin Academy course page.
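
The sketch below is an added example, not Tufin code and not the format of the TCSE Compliance Policy.csv file. It shows how the four control types turn into violations when accept rules are checked against a zone-to-zone matrix. The zone subnets, the rulebase, the second matrix cell and the treatment of an empty cell as "no requirement" are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone subnets; in the lab the real ones come from TCSE Zones.csv.
ZONES = {
    "PCI Data": [ipaddress.ip_network("10.10.0.0/24")],
    "Hosting": [ipaddress.ip_network("172.20.0.0/16")],
}

# Matrix cell: (from zone, to zone) -> (control, services named by the control).
# The first cell is the policy from this exercise; the second is constructed.
MATRIX = {
    ("PCI Data", "Hosting"): ("allow_only", frozenset({"tcp:587"})),
    ("Hosting", "PCI Data"): ("block_all", frozenset()),
}


@dataclass(frozen=True)
class Rule:
    number: int
    source: str          # CIDR, or "any"
    destination: str     # CIDR, or "any"
    services: tuple      # e.g. ("tcp:443",), or ("any",)
    action: str = "accept"


def zones_for(address):
    """Return the zones whose subnets overlap a rule's source or destination."""
    net = ipaddress.ip_network("0.0.0.0/0" if address == "any" else address,
                               strict=False)
    return sorted(zone for zone, subnets in ZONES.items()
                  if any(net.overlaps(subnet) for subnet in subnets))


def offending_services(control, listed, services):
    """Services of an accept rule that the matrix cell does not permit."""
    if control == "allow_all":
        return ()
    if control == "block_all":
        return tuple(services)
    if control == "allow_only":
        # A service of "any" always exceeds an allow-list.
        return tuple(s for s in services if s == "any" or s not in listed)
    if control == "block_only":
        if "any" in services:
            return tuple(sorted(listed))   # "any" includes every blocked service
        return tuple(s for s in services if s in listed)
    raise ValueError(f"unknown control {control!r}")


def violations(rule):
    """List the (from_zone, to_zone, services) cells an accept rule violates."""
    if rule.action != "accept":
        return []            # a drop rule cannot permit forbidden traffic
    found = []
    for src in zones_for(rule.source):
        for dst in zones_for(rule.destination):
            cell = MATRIX.get((src, dst))
            if cell is None:
                continue     # assumption: an empty cell imposes no requirement
            bad = offending_services(cell[0], cell[1], rule.services)
            if bad:
                found.append((src, dst, bad))
    return found


# Constructed rulebase.
RULEBASE = [
    Rule(1, "10.10.0.0/24", "172.20.5.0/24", ("tcp:587",)),
    Rule(2, "10.10.0.16/28", "172.20.5.10/32", ("tcp:587", "tcp:80")),
    Rule(3, "any", "any", ("any",)),
    Rule(4, "172.20.0.0/16", "10.10.0.0/24", ("tcp:22",), action="drop"),
]


def report():
    """Map each rule number to the matrix cells it violates."""
    return {rule.number: violations(rule) for rule in RULEBASE}


if __name__ == "__main__":
    for number, found in report().items():
        print(number, found or "compliant")
```

Rule 3 is the pattern to watch for: an any/any/any accept rule overlaps every zone pair, so it violates each cell that restricts traffic.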

Scroll Down to….


Exercise 14: Import a USP matrix file

1. Go to Audit > Compliance > Unified Security Policy

2. In the upper right corner, click the New icon.

3. Create a new Unified Security Policy named TCSE USP

4. Click Save.
5. Click on the name of the new policy to enter it and press the Import button on the right corner of
the screen


6. Select the TCSE Compliance Policy.csv file (downloaded in the previous exercise) and click OK
to import.


Exercise 15: Viewing violations

There are two triggers for violation calculation:

• New revision
• Topology synchronization

Instead of waiting for a new revision, we will sync the topology:

• Go to Network > Interactive Map and click Synchronize (top right of screen) to sync topology.
• Select the Fast Topology Sync option.
• Click Refresh Now (bottom left of screen) to complete.

Tip: This maps the device interfaces to the imported SecureTrack zones.
Let’s view the results in the Policy Browser:
1) Go to Home > Policy Browser
2) Create a Search for violations: TCSE USP


3) Select the R80-Training device

4) Click on Details under the rule #7 Violations column

5) View the violation reflected by the TCSE USP matrix.

Tip: One option at this stage would be to update the firewall policy so that it is compliant with the
USP, e.g. allow HTTPS traffic on rule #7.
Another option is to create a USP exception, to allow only HTTPS traffic.
Example: Posting the ‘Create an exception’ REST API would have the following effect:
USP Exceptions definition

USP Exception in the Policy Browser


Exercise 16: Replacing Overly Permissive Rules - APG

We are now going to identify permissive rules that need to be replaced with less permissive rules.
1) Go to Home > Policy Browser
2) Search for Permissiveness Level: High

3) Select the CMA-R80 device and view the highly permissive rules

4) Select Rule #6 and click Edit Metadata in the top right corner of the window.
Tip: User metadata can be added to each rule in the most recent policy revision for each device.


5) Select Legacy rule from the Advanced options drop-down.

Tip: Through the Policy Browser you can also run a search on any metadata added, for example all
rules that have Legacy rule checked


Automatic Policy Generator™ (APG)


The APG automatically creates a secure, effective, and optimized firewall rulebase.
To create an optimized rulebase:
6) Go to Analyze > Automatic Policy Generator
7) Create New APG Job.

8) Select the CMA-R80 device and select Rule #6.

Click Next (lower right corner of screen) to proceed to New job stage 2.
In the New job stage 2 window, you can select the log source for the APG analysis:
File - Analysis is based on a Syslog file collected in the past (click the Browse button to upload)
Device - Analysis is based on a log file according to the selected duration (in the example below,
we have prepared a Syslog file due to time constraints)
9) Type a job name
10) Set the Log source to File

11) Browse to the Checkpoint.apg file located in the TCSE Materials folder.
12) Click Save (lower right corner of screen) to continue.
You will be directed to the main screen where you can view the job list.


13) Click Results to see the balance graph.

14) Click on the graph points and observe how the permissiveness and number of rules change
accordingly.
Your objective is to find a point of low permissiveness with a reasonable number of rules.
In our example, we selected a point which yields a permissiveness level of 42, achieved with 45
rules. This new rule base will replace Rule #6 with a permissiveness level of 42.


15) Click OK once you are satisfied with the point selection.
The following table represents the generated rules which will replace the original rule:
• The greyed-out rules represent the original permissive rules
• The black-text rules represent the rules newly generated by the APG.

When you expand (+) or collapse (-) rule sets, the permissiveness level adapts automatically.
A few guidelines:
• Aim for a low permissiveness value
• When expanding a rule, it becomes grey and new strict rules show up
• A rule with one source host, one destination host and one service has the smallest value of 1
• A rule with Source ANY, Destination ANY and Protocol ANY has the highest value of 100
Tip: You can always go back to the Balance Graph to set the desired permissiveness using the
points on the graph:

13) If you made any changes and are satisfied with the results, click on Save Rule Set.


14) Click on Replacement rules for export.

15) Click on Export to generate the CSV file.


Exercise 17: Replacing Overly Permissive Rules - SecureChange

We are now going to complete the flow by creating a SecureChange access request to implement the
new rules in the firewall.
CSV Administration
The APG CSV file needs to be converted to a format accepted by SecureChange. To do so, remove all
wording and the Name, Port, Hits and Permissive columns, and add an action column
(i.e. an ‘accept’ column) along with the TCP and UDP ports, according to service type.

The screenshot below is taken from the SecureChange Access Request Advanced Options dialog
and explains how to convert the APG CSV file to a format accepted by SecureChange.

1) In this exercise, we will use the prepared SecureChange APG Format.csv file from the TCSE Materials
folder.
Before After


1) Log in to SecureChange with the following credentials:

User: John.Smith
Password: tufin123
2) Select the My Requests tab and click on New Request.

3) Select the Firewall/Cloud Change Request.

4) Click Create.
5) Click on Advanced Options.

6) Select Paste from Excel and paste the formatted Excel data into the window:

7) Click OK and view the SecureChange access request.


8) Provide a Subject (name) for the request and click Submit.

As we do not have this particular Checkpoint device in the lab, we will conclude the exercise here.


Exercise 18: Consolidating Duplicate Objects

Identify duplicate objects:


1) In SecureTrack, go to Home > Cleanup
2) Select Duplicate network objects.
3) View the details of the below network objects

We can see that there are three objects for the same IP.
4) Now go to Analyze > Object Lookup
5) Search by Text, IP, 192.168.3.105

6) Verify whether objects are attached to a rule or not

In our case, we can see a naming convention was implemented, but the two objects below were not
deleted, resulting in a bloated and inefficient firewall policy.
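
The same check can be run offline against an exported object inventory. The following is an added example, not Tufin code: it normalises the different ways one address can be written, groups objects that share a value, and follows nested groups to see which duplicates a rule still references. The object names, groups and rules are constructed; only the IP address comes from this exercise.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: object name -> value as different administrators typed it.
OBJECTS = {
    "Host_192.168.3.105": "192.168.3.105",
    "websrv-old": "192.168.3.105/32",
    "tmp_server": "192.168.3.105/255.255.255.255",
    "Net_Finance": "192.168.4.0/24",
}
# Constructed groups (a group may contain other groups) and rules.
GROUPS = {"Web_Servers": ["Host_192.168.3.105"], "DMZ": ["Web_Servers"]}
RULES = {
    12: {"source": ["Net_Finance"], "destination": ["DMZ"]},
    13: {"source": ["any"], "destination": ["Net_Finance"]},
}


def canonical(value):
    """Normalise host, CIDR and dotted-mask notation to one network string."""
    return str(ipaddress.ip_network(value, strict=False))


def duplicate_sets(objects):
    """Map each canonical value that has more than one object to their names."""
    by_value = defaultdict(list)
    for name, value in objects.items():
        by_value[canonical(value)].append(name)
    return {value: sorted(names)
            for value, names in by_value.items() if len(names) > 1}


def expand(name, groups, seen=None):
    """Resolve a rule member to leaf object names, following nested groups."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()          # guard against groups that contain each other
    seen.add(name)
    if name not in groups:
        return {name}
    leaves = set()
    for member in groups[name]:
        leaves |= expand(member, groups, seen)
    return leaves


def referenced(rules, groups):
    """Every leaf object reachable from any rule's source or destination."""
    used = set()
    for rule in rules.values():
        for member in rule["source"] + rule["destination"]:
            used |= expand(member, groups)
    return used


def cleanup_report(objects, groups, rules):
    """Split each duplicate set into objects still in use and removal candidates."""
    used = referenced(rules, groups)
    return {
        value: {
            "in_use": [n for n in names if n in used],
            "unused": [n for n in names if n not in used],
        }
        for value, names in duplicate_sets(objects).items()
    }


if __name__ == "__main__":
    for value, result in cleanup_report(OBJECTS, GROUPS, RULES).items():
        print(value, result)
```

An object that is only reachable through a group would look unattached if rules were matched by name alone, which is why the group expansion comes before the unused list is trusted.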


Exercise 19: Creating and implementing a Rule Decommission Workflow

Create a Rule Decommission workflow, to disable or delete rules, which are no longer required.

Select rules for decommission, add these rules to the workflow created and provision changes.

For this exercise, we will use both SecureChange and SecureTrack.

The workflow should be based on a template and contain the following steps:

Rules to Remove/Disable => Business Approval => Technical Design and Implementation

Good Luck!

The flow of the training is as follows:

• Prerequisites
• SecureChange: Create Rule Decommission workflow
• SecureTrack Policy Browser: Select rules for decommission
• SecureChange: Provision Changes
• Handle the Task/Ticket
• View decommissioned rule

Prerequisites

1) Log into SecureChange with:

• username: John.Smith
• password: tufin123

2) Go to Settings > Users

3) Verify that John Smith has the necessary permissions to create change requests:
the Requestor role and the Create change requests and view ‘My Requests’ tab permission.


Note: When selecting a rule in the Policy Browser, the following prerequisites are needed in order for
the ‘Add to ticket’ button to be active:

• The Rule Decommission Workflow needs to be active in SecureChange.
• The same user needs to be logged in to both SecureTrack and SecureChange.

SecureChange: Create Rule Decommission workflow

We will now create the following workflow.

1) Click on the New Workflow icon.

2) In Workflow properties, enter a meaningful workflow name: My Rule Decommission
Workflow and select the Rule decommission type.

3) Click OK.


Step 1: Rules to Disable/Remove

1) In the Step #1 Properties tab, make sure the step name is: Rules to Disable/Remove

2) In the Fields tab, add the Rule Decommission field with the following:

Field display name: Rule Decommission Flow

3) Click OK

4) Add a text area field named Business Justification in the opening step.

5) Assign Any Participant to handle this step.

6) Click Save


Step 2: Business Approval

1) Create a second step and name it: Business Approval

2) In the Fields tab, add the Rule Decommission field.

Note: The Field display name is entered automatically:

3) Add an Approve / Reject field and name it: Rule Decommission Approval

4) Add the FW-Operation and ITeam groups as the handlers.

5) Click Save


Step 3: Design and Implementation

1) Create a third and final step and name it: Design and Implementation

2) In the Fields tab, add the Rule Decommission field and select the Designer (Allow all) and
Verifier tools.

3) Add the FW-Operation and ITeam groups as the handlers.

4) Activate the workflow

5) Click Save.


SecureTrack Policy Browser: Select rules for decommission

Note: If you were logged in to SecureTrack when creating the Rule Decommission workflow, you
will have to log out and log in again to refresh SecureTrack with the new workflow.

1) Log in to SecureTrack with:

• username: John.Smith
• password: tufin123

2) In the Policy Browser, search all devices for rules with a last hit of greater than 180 days.

3) Select the R80-Training firewall and select Rule 5.

4) Add this rule to a ticket, by clicking on the Add to ticket button at the top right of the screen.

5) Click on the eye icon at the top right of the screen, to view selected rules

6) Review your rule selection


a. Select the rule
b. Select the Disable rules action


c. Enter a Ticket Name


d. Select the My Rule Decommission Workflow workflow.

1) Click Continue, found underneath the workflow selection area

TIP: You may need to allow popups.

SecureChange: Provision Changes

1) In SecureChange, go to the My Requests tab and highlight the ticket requested

2) Fill in the Business Justification field

3) Click Submit

Handle the Task/Ticket

1) Go to Tasks tab

2) Select the task

3) Accept the task step and approve disabling the rule.

4) Click Done


5) Select the pending task once more. You should now be in Step#3
6) Accept the task and click on Designer to see the recommended changes.

7) Expand the device header and click on Update Policy.

8) Click on Commit to commit the changes to the device.

9) Click Continue.

NOTE: You might have to wait a few minutes for the policy to save on the firewall

10) Close the Designer window and click on Verifier to verify that the change was successfully
implemented, i.e. that the rule is disabled.

11) Return to the task (by clicking on the task name).

12) Click Done


View decommissioned rule

In SecureTrack, open the Policy Browser and view the disabled rule and its associated ticket.

You have successfully disabled a rule using the Rule Decommission workflow!


Exercise 20: Creating and Implementing a Rule Recertification Workflow

Create a Rule Recertification workflow, to recertify rules or flag them for decommission.

Select rules for recertification/decertification, add these rules to the workflow created and provision
changes.

For this exercise, we will use both SecureChange and SecureTrack.

The workflow should include the following steps:

Rules to Recertify/Decertify => Business Approval => Rule Recertification

Good Luck!

The flow of the training is as follows:

• Prerequisites
• SecureChange: Create Rule Recertification workflow
• SecureTrack Policy Browser: Select rules for recertification
• SecureChange: Provision Changes
• Handle the Task/Ticket
• View decertified rule and decommission it

Prerequisites

Ensure the same user exists in both SecureTrack and SecureChange.

1) Log into SecureChange with:

• username: John.Smith
• password: tufin123

SecureChange: Create Rule Recertification workflow

1) Log in to SecureChange with:

• username: John.Smith
• password: tufin123


We will now create the following workflow.

2) Click on the New Workflow icon.

3) In Workflow properties, enter a meaningful workflow name: My Rule Recertification Workflow
and select the Rule recertification workflow type.

4) Click OK.

Step 1: Rules to Disable/Remove

1) In Step#1 Properties tab, make sure the step name is: Rules to Recertify/Decertify

2) In the Fields tab, add the Rule Recertification field with the following:

Field display name: Rule Recertification


3) Click OK

4) Assign Any Participant to handle this step.

5) Click Save

Step 2: Business Approval

1) Create a second step and name it: Business Approval

2) In the Fields tab, add the Rule Recertification field.

Note: The Field display name is entered automatically:


3) Add an Approve / Reject field and name it: Rule Decommission Approval

4) Add the FW-Operation and ITeam groups as the handlers.

5) Click Save


Step 3: Design and Implementation

1) Create a third and final step and name it: Rule Recertification

2) In the Fields tab, add the Rule Recertification field and select the Update Metadata option.
Deselect the Read-only option.

3) Add the FW-Operation and ITeam groups as the handlers.

4) Activate the workflow

5) Click Save

SecureTrack Policy Browser: Select rules for recertification

Note: If you were logged in to SecureTrack while creating the Rule Recertification workflow, you
will have to log out and log in again so that SecureTrack picks up the new workflow.

2) Log in to SecureTrack with:

• username: John.Smith
• password: tufin123

3) In the Policy Browser, search all devices for rules that are not certified (have no certification
date)


4) Select the R80-Training firewall and select Rules 2, 8 and 9

5) Add these rules to a ticket, by clicking on the Add to ticket button at the top right of the screen

6) Click on the eye icon at the top right of the screen, to view selected rules

7) Review your rule selection


a. Select Action: Recertify rules
b. Enter a Ticket Name
c. Select the My Rule Recertification Workflow workflow

8) Click Continue, found underneath the workflow selection area

TIP: You may need to allow popups.


SecureChange: Provision Changes

1) In SecureChange, go to the My Requests tab and highlight the ticket requested

2) Click Submit

Handle the Task/Ticket

1) Go to Tasks tab

2) Select the task

3) Accept the task step and approve recertifying the rule

a. Provide a reason

4) Click Done

5) Select the pending task once more. You should now be in Step#3

6) Accept the task, select Rule 2 and Rule 9 and certify them for 180 days.

7) Click OK


8) Decertify Rule 8 and provide a comment.

9) Click OK

10) Click the Update metadata tool

11) Click Yes


12) Once rule metadata has been updated, click Close

13) Click Done to finish step #3 and close the ticket

You have successfully recertified and decertified rules using the Rule Recertification feature!

View Decertified Rule and Decommission it

1) Return to SecureTrack Policy Browser

2) Look up decertified rules and select the R80-Training device

• At this stage the rule can be added to a new Rule Decommission ticket (which we covered in
the previous exercise).


Exercise 21: Creating and implementing a Server Decommission Workflow

Remove a violating Object via Server Decommission


In this exercise we will remove the webserver_2 Object

1) Login to SecureChange using:


Username: John.Smith

Password: tufin123

2) Go to Workflows
3) Click New Workflow
4) Choose the Server Decommission Type.

5) Name the workflow: My Server Decommission


6) Click OK


7) Create a 4-step workflow (with the Server Decommission field in all 3 steps):
NOTE: Do not forget to add the Server Decommission field to each step, with its relevant tool. Assign
steps 2-4 to John Smith.

Step#1: Open Request


Step#2: Impact Analysis and Designer (Allow design only)
Step#3: Update and Commit
Step#4: Verification

8) Switch the workflow to Active and click Save

9) Go to My Requests tab

10) Click New Request

11) Choose the My Server Decommission workflow we created


12) Insert a subject: My Server Decommission
13) Insert the IP address of the server we would like to decommission: 172.16.1.4

14) Click OK and Submit


Handle the ticket


15) Go to the Tasks tab

16) Click the ticket; you will enter step#2

17) Run the Impact Analysis tool


18) Return to the ticket

• Note the Impact Analysis indication in green

19) Run the Designer tool


20) Close the Designer dialog and note the Designer indication in green

21) Click Done


22) Enter the ticket, where you will be located in step#3
23) Click on the Designer indication

24) In the upper right corner, click on Update Policy

25) Once the update is complete, Commit the change directly to the firewall


26) Click on view results

27) Close the Designer dialog and click Done.


28) In step#4, click the Verifier tool
29) Return to the ticket and note the Verifier indication in green

30) Click Done


31) In SecureTrack, click the latest revision and then the View Policy button

32) Scroll down to Rule No. 8 and view the objects

You have successfully decommissioned the webserver_2 Object!


Exercise 22: Group Modification. Adding a Group Object to an Existing Group

In this exercise, we will modify a group from a device by adding an object. The object will be added
from the same target device.
Note: You can only add objects from the same device that the group is configured on.

Modify the group by following the steps:


1. Create a group modification workflow
2. Create a request/ticket using the workflow
3. Handle the ticket
In this exercise, we will skip the Provisioning step
Good Luck!

1. Create a group modification workflow:

1) Make sure you are logged in to SecureChange with:

• username: John.Smith
• password: tufin123

2) Go to the Workflows tab

3) Click the Group Change Template workflow

A 3-step workflow appears:


4) Modify the workflow:

a. Go to Workflow properties
b. Modify workflow name: My Group Modification

5) In step #2, edit the Modify group field to allow design and update only.

6) In step #3, edit the Modify group field to allow commit only.

a. In the assignment tabs of steps 2 and 3, select Self Assigned and assign FW Operation
as the handler

b. Activate the workflow and click Save


2. Create a ticket using the workflow above:

1) Click on My Requests tab

2) Click on New Request

3) Choose the workflow created for this exercise

4) Fill in the subject field: My Group Modification

5) Click on ‘Edit Group’

a. Choose a target device: In this exercise, we will use R80-Training device

b. In the Device field, search for: R80-Training and then click Add

c. Click OK.

6) Add an existing object to the group

a. Click on the menu icon on the top right of the editing table

b. Choose Select existing object


c. Search for:
• Type: Network
• Name: LAN
• Click Search and Click: Add

7) Add a second object:

a. Search for:
• Type: Host
• Name: CP-R80.10-Gateway
• Click Search and Click: Add

8) Click OK, close the dialog and Submit the ticket


3. Handle the ticket

1) Go to the Tasks tab

2) Step#2: Accept the task, run the Designer and Update the firewall policy

3) Close the Designer dialog, select Approve (insert a reason) and click Done

4) In Step#3, open the Designer tool and commit the changes to the firewall.

a. Click Close and Done


Appendix I
Command Line Reference

The SecureTrack processes can be managed from the command line with these commands:

st_add_user
Adds a SecureTrack Administrator. This command is useful if the Administrator's SecureTrack
password has been forgotten. The command initiates a series of prompts, for username, password,
full name, and options for the new Administrator.

st info
The st info command collects SecureTrack logs and additional information, and places them in a file
named st_info.tgz.

st info does not collect any part of the security policy (rules, objects, etc) or your organization's
security configuration.

SecureTrack's web interface has an equivalent action.


st reconf [IP]
Notifies SecureTrack processes of an updated configuration. To notify a specific connection, specify
the device IP address as an additional parameter.

st restart [IP]
Stops and restarts all running connections to all devices. To restart a specific connection, specify the
device IP address as an additional parameter. SecureTrack's web interface has an equivalent action.

st start [-s] [IP]
Starts the connections with all of the devices that are configured in SecureTrack. To start a specific
connection, specify the device IP address as an additional parameter. Use the -s flag for stealth
mode, which does not provide feedback. SecureTrack's web interface has an equivalent action.

st stat
Prints status information about the monitored devices, SecureTrack processes, and license and
version information. The command returns this information for each device:
• Management - Management server name or device name
• IP - IP address
• ID - SecureTrack ID# for the device
• Type - Device type
• PID - SecureTrack Process ID
• License - License status
• Status - Connection status


The command returns the status of these processes:


• Web server - the TOS web server
• Database - the TOS database
• Syslog processes - the SecureTrack processes that handle syslogs
• Job queue server - the server that handles TOS jobs such as reports
• Tufin Jobs service - the service that handles calculations for the dashboard browsers
• Tomcat server - the dynamic server that renders certain features in TOS
• SSL connection - the service used for communication between servers in Distributed
Architecture
You can also see some of this information in SecureTrack in Settings > Administration > Status.

st stop [IP]
Stops all running connections to the devices.
To stop a specific connection, add the device IP address.
SecureTrack's web interface has an equivalent action.

st version
Displays the product version and build number. This information is also displayed in st stat.

tos conf
Displays status of Tufin Orchestration Suite products, and prompts to change these settings.

tos version
Displays TufinOS and TOS versions currently installed.

tos backup [--st] [--conf-only] [--stop-all] [--scw] <backup_file>


Creates a backup of Tufin Orchestration Suite's current configuration and databases for restore and
disaster recovery purposes. The backup includes all files necessary to restore a TOS server, but does
not include files that are part of the operating system, such as postgresql.conf.
--st - Makes a backup of the SecureTrack database and configuration only
--conf-only - Makes a partial backup that includes only SecureTrack configuration information.
You must use --conf-only with --st only.
--stop-all - Stops all SecureTrack and SecureChange processes before performing the backup.
Use this option only if you need to make sure that revisions from after the time the backup is run are
not included in the backup.

When --stop-all is used, some traffic usage information may be lost.

--scw - Makes a backup of the SecureChange database and configuration only


<backup_file> - the name of the backup file. The file is compressed in TGZ format.
By default, the backup operation is performed while SecureTrack monitoring processes are active. A
database locking mechanism ensures database integrity.
When the Tufin databases take up most of the hard drive's disk space, this command may fail if the
backup is made to a local (non-NFS) file.
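
The option rules above can be checked before a backup job is scheduled. The following is an added example, not part of the Tufin exercise book: a shell function that assembles a tos backup command line in the documented option order and rejects --conf-only without --st. The function name, its scope and yes/no arguments, and the sample file path are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: build a `tos backup` command line from the documented options.
# Nothing is executed here; the caller decides whether to run the printed command.

# build_tos_backup <scope> <conf_only> <stop_all> <backup_file>
#   scope:     all | st | scw  (hypothetical names: no flag, --st, --scw)
#   conf_only: yes | no        (adds --conf-only)
#   stop_all:  yes | no        (adds --stop-all)
# Prints the command on stdout; returns 2 on an invalid combination.
build_tos_backup() {
    scope=$1; conf_only=$2; stop_all=$3; file=$4

    case $scope in
        all|st|scw) ;;
        *) echo "unknown scope: $scope" >&2; return 2 ;;
    esac

    # Documented rule: "You must use --conf-only with --st only."
    if [ "$conf_only" = yes ] && [ "$scope" != st ]; then
        echo "--conf-only is only valid together with --st" >&2
        return 2
    fi

    # Refuse an empty file name or one containing whitespace (assumed local policy)
    case $file in
        ''|*[[:space:]]*) echo "bad backup file name" >&2; return 2 ;;
    esac

    # Append flags in the order of the documented synopsis
    cmd="tos backup"
    if [ "$scope" = st ]; then cmd="$cmd --st"; fi
    if [ "$conf_only" = yes ]; then cmd="$cmd --conf-only"; fi
    if [ "$stop_all" = yes ]; then
        # Documented caveat, surfaced to the operator on stderr
        echo "note: --stop-all stops all processes; some traffic usage information may be lost" >&2
        cmd="$cmd --stop-all"
    fi
    if [ "$scope" = scw ]; then cmd="$cmd --scw"; fi

    printf '%s %s\n' "$cmd" "$file"
}

# Constructed sample call: SecureTrack configuration-only backup
build_tos_backup st yes no /backup/st-conf.tgz
```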

tos restore [--st] [--scw] <backup_file>


Restores from a backup file to an existing TOS installation.
--st - Restores the SecureTrack database and configuration
--scw - Restores the SecureChange database and configuration (including SecureApp)
The restore completely replaces the existing configuration and database of the TOS products
specified by --st, --scw, or both.

The target restore server must have the same TOS version and the same amount of installed RAM
as the source backup server.


Appendix II
Patents and Trademarks
PATENTS
https://www.tufin.com/patents/

TRADEMARKS
Tufin, SecureChange, SecureTrack, Automatic Policy Generator, and the Tufin logo are trademarks of Tufin Software
Technologies Ltd.

All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

Some TOP plugins include software developed by Terrapin Communications, Inc. and its contributors for RANCID.
