Tufin - Firewall Management
Tufin is management software that provides visibility into UConn's network infrastructure. Staff can use Tufin's capabilities to identify the location of objects on the network, assist with mapping the network to create firewall policies, or compare firewall revisions to identify when a change was made.
Dashboard Overview
Upon signing in to Tufin, you will be greeted with the following screen.
The dashboard is full of useful information. On the left side, you will see all the firewalls currently in Tufin, along with any VDOMs they [may] have set up. Clicking on any of the firewalls/VDOMs will update the dashboard with the information from the corresponding firewall/VDOM. Here is some useful information about the Dashboard:
The Risk section will show you policies that pose security risks to your environment/firewall. Clicking on any of the bars of the graph will bring you to the Risk section, which allows you to view which rules, in particular, are posing what type of risks.
The Change section shows all the recent commits/changes made on the selected firewall. You can compare revisions of changes using the Compare tab along the top of the window.
The Cleanup section shows the various types of cleanup that can be performed on the selected firewall. Clicking on any of the bars of the graph allows you to see what service, policy, rule, etc. is no longer needed.
Network Path Searching
When you click on the Map tab on the left side of the screen, you will see a screen that looks like a spider web; this is a visual representation of UConn's network – both firewalls and routers. The main use for this page is the Path Search feature (highlighted below), which is useful for troubleshooting network communication issues. For example, if you set up a new Linux server and find that it cannot communicate with Satellite for updates, this page will show you what firewall you need to put a policy on to allow traffic.
Searching a Path
To display the Search Paths panel, click the second box next to Topology (as highlighted below). Enter the traffic details, including the source, destination, and the service/application. The Search Panel displays the selected path in the order of the minimum distance (least number of hops) from any source to any destination. Devices with an equal distance between the source and destination are listed in alphabetical order.
The image above is an example of tracing the path from a laptop connected to the VPN (137.99.8.138/32) to Tufin (137.99.24.83/32) via HTTPS. Path 1 shows all the devices traffic has to pass through; in this case, the traffic only needs to flow through the SDC Firewall.
Trace Status
If there is a green check mark next to the device, that means traffic is able to flow through it.Â
If there is a red circle with a line through it next to the device, that means traffic cannot flow through the device; it most likely needs a policy to allow the traffic.
Custom Ports
If the service/port/application is not showing up when searching, you can specify custom ports using the following:
tcp:port (e.g. tcp:2000)
udp:port (e.g. udp:3000)
icmp:port (e.g. icmp:4000)
Analyzing a Network Path
In this example, Tufin (137.99.24.83/32) is unable to communicate with the SecurityDB (137.99.26.214/32) via MySQL, illustrated by the red circle with a line through it over the fw-sdc.net.uconn.edu-ITS-MSB device. This indicates that there is a missing policy in the ITS-MSB VDOM on the firewall fw-sdc.net.uconn.edu.
Clicking on the firewall on the left (highlighted above) will show you the incoming interface of the traffic, as well as the incoming interface's IP range. You can then click on Incoming Interfaces and select Next Devices to see the outgoing interface and IP range.
In this case, the incoming interface is lag59.524Â and the outgoing interface is lag59.526, meaning a policy needs to be set up in the ITS-MSB VDOM on FW-SDC, as shown below.
Source Interface | Source IP | Destination Interface | Destination IP | Service/Port |
lag59.524 | 137.99.24.83/32 | lag59.526 | 137.99.26.214/32 | MySQL (Port 3306) |
Object/IP/Policy Lookup
This section of Tufin, found under Browser (Magnifying Glass) > Object Lookup, can be used to look up objects and their associated policies on firewalls, as well as IP addresses and subnets that are being used throughout the network. By default, searching will look through all of the firewalls. However, you can select specific firewalls or VDOMs via the list on the left.
Searching for Objects/IPs and Related Policies
To search for objects, enter the IP address or the name of the object. By default, the search will browse through both IP and Name via Text. This can be adjusted by using the drop-down boxes.
Text - Name, IP, or Comments: Refine your search using the Name, IP, or Comment fields. You can search for exact matches (not case-sensitive) of the search text to narrow the results. By default, the results show all matching objects in all devices, but you can select one or more specific devices to search in.
Subnet - IP Address & Subnet Mask: Enter the IP address and subnet mask you would like to search for. The results will include the objects that contain the subnet that you enter, objects that are contained in the subnet that you enter, or objects that match the subnet that you enter exactly.
For example:Subnets that contain:Â If you enter the subnet 10.10.10.0/24, the results include network objects such as 10.10.0.0/16 and 10.10.10.0/24. If you enter the subnet 10.10.10.1/32, the results include host objects that have the IP address 10.10.10.1.
Contained in subnet:Â If you enter the subnet 10.10.0.0/16, the results include network objects such as 10.10.10.0/24 and hosts such as 10.10.10.1/32.
You can select an object from the search results and see the rules or groups where the object is used.
After searching for your IP/Object, be sure to click the dropdown box next to Show rules with: and select Object and related groups; this will not only show rules with the object you have searched for, but it will also show rules for groups that your object is a part of.
Reporting
Tufin includes reports that provide real-time information about your security posture. Most reports can be scheduled or manually generated within minutes and relate to the current policy. You can also configure reports to run against past policies. These can be found under the Report section.
There are two sections available for reporting. The first section focuses on device-based reports, meaning you need to select specific firewalls or VDOMs to run these reports. The second section focuses on device-agnostic reports, which allow you to run reports based on IPs, Ports, and Services.
Device Reports
To create a new device report, click New Report (highlighted in the above screenshot).Â
Pick which firewall or VDOM you want to run the report against. You can select multiple VDOMs by holding down CTRL or Shift.
To run a report against an entire firewall (including all VDOMs), select the main firewall instead of the individual VDOM (e.g. fw-dept.net.uconn.edu instead of fw-dept.net.uconn.edu-PCI).
Choose a report type. While there are almost 20 different reports to choose from, these are the most common:
New Revision Report: The New Revision Report lists all changes on the selected devices since the last revision, such as updates to rules, hosts, and global properties. It also includes rules that have been affected by objects and are reported as changed. It is generated automatically whenever a new revision is retrieved in SecureTrack.
Advanced Change Report: The Advanced Change Report enables you to examine, in detail, the policy changes of selected devices. There are two different types:
Incremental: Lists the differences between each individual revision with its predecessor.
Accumulated: Lists the differences between the latest and initial revisions.
Rule Change Report: The Rule Change Report lists the changes made to selected rule(s) in a selected firewall over a specified amount of time. You can use this report to:
Pinpoint the exact point in time a rule changed and who made the change.
Become notified immediately when sensitive rules are changed.
Object Change Report: The Object Change Report lists the changes made to specific objects. This report includes network objects, services, and users. You can use this report to:
Pinpoint the exact point in time an object was changed and who made the change.
Become notified immediately when sensitive objects are changed, such as firewall objects or critical network objects.
Rule and Object Usage Report: The Rule and Object Usage Report displays statistics for most-used, least-used, and unused rules and objects. It calculates, for each rule or object, the amount of logged network traffic that was passed or blocked. You can use this report to:
Optimize the rulebase by identifying which rules are not being used (should be considered for removal), and which rules are very heavily used (may be moved up in the rulebase).
Analyze objects usage, including member objects within group objects. Objects identified as unused are candidates for removal, even when the rule itself is not.
Note: Rules that have been created or changed during the reporting period are marked as New or Changed. For these rules, the presented usage data may not accurately reflect the current situation.
Select specific criteria related to your report (e.g., specific users who made firewall changes, policies that have been changed, policies/objects that you are looking to find the usage on). Choose who you want to receive the report and if you would like to run it on a schedule.
Once you have finished creating the report, you can find the report under General Reports > My Reports. All reports that you create will be available here.
To run the report, simply click on the small Play button.
Select the timeframe for which you would like to run the report; choose whether you want the report to run in the window (as HTML or PDF) or whether you want to save it to the repository for access at a later time
To access reports in the repository, click on Report > Reports Repository. You can view them in the browser, via PDF, or via CSV by clicking on the respective icons.
Device-Agnostic Reports
Tufin provides a Reporting Pack add-on that offers device-agnostic ad hoc and scheduled reporting capabilities, which can be found by clicking the 9 dots at the top of the screen and choosing SecureTrack Reporting Essentials.
Starting with the report templates on the Report List, you can create a report to run automatically at specified time intervals, you can run a report manually, or you can create and save report settings for reuse. You can view a generated report in your browser, and/or save the report as a PDF or CSV file.
After you create a report and fill in the parameters, you have the option to run the report or save it.
Run Report: generates a new instance of the report in the Report Repository with a unique repository ID. The parameters of a generated report cannot be reused or edited.
Save Report: creates a pre-filled report template with a unique ID for reuse. This ID does not change if the saved report is edited.