Firewall Policy Management: Tufin cannot detect PAN interfaces



Hello Everybody,

I am running a PoC with Tufin SecureTrack and have some problems with PAN firewalls (PA-500 and PA-2020 running PANOS 4.1.7, PA-5050 running 4.1.12).

In a nutshell, it sounds like Tufin detects only the interfaces that are listed within the default vsys in the PAN XML configuration file:

  <vsys>
    <entry name="vsys1">

...

      <import>
        <network>
          <interface>
            <member>tunnel.1</member>
            <member>tunnel.2</member>
            <member>tunnel.3</member>
          </interface>
        </network>
      </import>

...

  </vsys>

whilst all ethernet interfaces are ignored, even if corresponding routes are properly detected; of course this causes a mess with the network topology...

I wonder whether it is safe - i.e. does not turn my firewall into a brick or cause any problem to the user traffic - to edit the PAN XML file and just write down the missing ethernet interfaces within vsys1: does anybody have any hints or experience with Tufin?

Thanks,

Bucche

Accepted Solutions

Sounds like nobody else is interested in this issue, but just in case someone else will work with Tufin in the future...

You can safely edit the XML configuration file and add/reorder missing interfaces (I haven't tried to remove an interface yet, but I guess it works); just for the record, the missing interfaces were created before a PANOS upgrade, and the only ones listed in the VSYS were those we added after that upgrade.

Tufin needs a little bit of hammering: according to Tufin support, SecureTrack should have detected the new interfaces after a restart of the corresponding service:

  [root@tufin]# st stat | grep <FW-NAME>

  <FW-NAME>          10.0.0.1  23    Palo Alto Networks    -     evaluation     Started

Once you know the id of the firewall, e.g. 23, you restart the corresponding process:

  [root@tufin]# st restart 23

  Stopping SecureTrack process for server <FW-NAME> - 10.0.0.1 (Id: 23)
  SecureTrack process stopped for server 10.0.0.1 (Id: 23)
  Error: Can't connect to remote host using URL 'https://localhost/securetrack/api/devices/deviceChanged'. reason: Operation timed out after 300000 milliseconds with 0 bytes received

Since I got the above error message and Tufin did not detect the newer configuration, I restarted the service corresponding to <FW-NAME> again from the GUI (Settings-Administration menu), and the interfaces were properly detected, as well as the new configuration file.

In order to fix the Tufin network topology, however, I had to restart the Tufin server (shutdown -r), and now I can see <FW-NAME> in the SecureTrack map.

So long
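As an added example (not code from this thread, Tufin or Palo Alto Networks), a small Python script that does the reconciliation the answer above performs by hand: it compares the interfaces defined in a PAN-OS XML export with the members listed in the vsys1 import block and appends the missing ones. The element paths are assumed from the snippet in the question, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (layout assumed from the PAN-OS 4.x snippet in the
# post): two ethernet interfaces defined, but only the tunnels imported into vsys1.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network><interface>
    <ethernet>
      <entry name="ethernet1/1"><layer3/></entry>
      <entry name="ethernet1/2"><layer3/></entry>
    </ethernet>
    <tunnel><units><entry name="tunnel.1"/><entry name="tunnel.2"/></units></tunnel>
  </interface></network>
  <vsys><entry name="vsys1"><import><network><interface>
    <member>tunnel.1</member><member>tunnel.2</member>
  </interface></network></import></entry></vsys>
</entry></devices></config>"""

def defined_interfaces(root):
    """Names of interfaces defined under network/interface (ethernet entries
    and tunnel units; element paths are an assumption, not a documented API)."""
    names = set()
    for path in ("./devices/entry/network/interface/ethernet/entry",
                 "./devices/entry/network/interface/tunnel/units/entry"):
        names.update(e.get("name") for e in root.findall(path))
    return names

def imported_interfaces(root, vsys="vsys1"):
    """Members already listed in the vsys import block, plus the vsys element."""
    vsys_entry = root.find(f"./devices/entry/vsys/entry[@name='{vsys}']")
    if vsys_entry is None:
        return set(), None
    members = vsys_entry.findall("./import/network/interface/member")
    return {m.text for m in members}, vsys_entry

def add_missing_imports(xml_text, vsys="vsys1"):
    """Return (missing, new_xml): defined interfaces absent from the vsys import
    list, and the config with a <member> appended for each of them."""
    root = ET.fromstring(xml_text)
    imported, vsys_entry = imported_interfaces(root, vsys)
    missing = sorted(defined_interfaces(root) - imported)
    if vsys_entry is not None and missing:
        iface_list = vsys_entry.find("./import/network/interface")
        for name in missing:
            ET.SubElement(iface_list, "member").text = name
    return missing, ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    missing, _ = add_missing_imports(SAMPLE_CONFIG)
    print("interfaces to add to vsys1:", missing)
```

Run it against an exported config before loading the edited file back, and diff the output against the original so that only the added member lines change.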
