Firewall Policy Management: Tufin cannot detect PAN interfaces

Bucche — Thu, 05 Sep 2013 10:39:00 GMT

Hello Everybody,

I am running a PoC with Tufin SecureTrack and have some problems with PAN firewalls (PA-500 and PA-2020 running PANOS 4.1.7, PA-5050 running 4.1.12).

In a nutshell sounds like Tufin detects only the interfaces that in PAN XML configuration file are listed within the default vsys:

	<vsys>
	<entry name="vsys1">

...

	<import>
	<network>
	<interface>
	<member>tunnel.1</member>
	<member>tunnel.2</member>
	<member>tunnel.3</member>
	</interface>
	</network>
	</import>

...

</vsys>

whilst all ethernet interfaces are ignored, even if corresponding routes are properly detected; of course this causes a mess with the network topology...

I wonder whether it is safe - i.e. does not turn my firewall into a brick or causes any problem to the user traffic - to edit PAN XML file and just write down missing ethernet interfaces within vsys1: does anybody have any hints or experience with Tufin?

Thanks,

Bucche

Re: Firewall Policy Management: Tufin cannot detect PAN interfaces

Bucche — Mon, 09 Sep 2013 15:29:47 GMT

Sounds like nobody else is interested in this issue, but just in case someone else will work with Tufin in the future...

You can safely edit XML configuration file and add/reorder missing interfaces (I haven't tried to remove an interface yet, but I guess it works); just for the record, missing interfaces were created before a PANOS upgrade, the only ones listed into VSYS were those we added after such upgrade.

Tufin needs a little bit of hammering: according to Tufin support, SecureTrack should have detected the new interfaces after a restart of the corresponding service

[root@tufin]# st stat | grep <FW-NAME>

<FW-NAME> 10.0.0.1 23 Palo Alto Networks - evaluation Started

Once you know the id of the firewall, e.g. 23, you restart corresponding process

[root@tufin]# st restart 23

Stopping SecureTrack process for server <FW-NAME> - 10.0.0.1 (Id: 23)

SecureTrack process stopped for server 10.0.0.1 (Id: 23)

Error: Can't connect to remote host using URL 'https://localhost/securetrack/api/devices/deviceChanged'. reason: Operation timed out after 300000 milliseconds with 0 bytes received

Since I got above error message and Tufin did not detect newer configuration, I restarted again the service corresponding to <FW-NAME> from GUI (Settings-Administration menu) and the interfaces were properly detected, as well as the new configuration file.

In order to fix Tufin network topology, however, I had to restart Tufin server (shutdown -r) and now I can see <FW-NAME> in SecureTrack map.

So long

topic Firewall Policy Management: Tufin cannot detect PAN interfaces in General Topics

Firewall Policy Management: Tufin cannot detect PAN interfaces

Re: Firewall Policy Management: Tufin cannot detect PAN interfaces