User's Guide Version R18-2


For additional technical information, please see our support website, at:


Document Version Information

This document is relevant for all R18-2 releases up to GA. Published on Thursday, August 23, :13

Tufin SecureApp User's Guide

Contents

Document Version Information ... 3
Working with SecureApp ... 4
SecureApp Features by Vendor ... 8
Managing Application Connections with SecureApp
Example: Web Application
Setting up SecureApp
Installing TOS
SecureChange and SecureApp Licensing
Logging into SecureChange and SecureApp
Connecting to SecureTrack
Connecting to a Mail Server
Configuring SecureApp Settings
Adding Users
Basic Workflow Configuration
Assigning Roles to Users
Enabling Multi-Domain in SecureApp
Managing Customers
Building the Application Inventory
Creating an Application or Application Pack
Decommissioning Applications
Managing Tags
Managing Resources
Discovering Application Connections and Resources
Creating Resources Manually
Self-Service Application Access
Decommissioning Servers
Importing and Exporting SecureApp Data
Managing Cloud Resources
Auto-Associate Cloud Resources
Manually Associate a Cloud Resource
Search Cloud Resources
Managing Connections
Defining New Connections
Using Groups in Connections
Interconnecting Applications
Building Interfaces to an Application
Migrating Connections to other Applications
Managing Customers
Implementing Connections with SecureChange
Basic Workflow Configuration
Creating SecureChange Tickets
Repairing Connections
Handling Rejected Tickets
Integration with Puppet Labs
Tracking Changes to Applications
Monitoring Application Status
Finding Servers in Connections and Groups
View Connectivity Map
Application History
Visualizing Application Dependencies
Patents and Trademarks

Working with SecureApp

Before you login, make sure you have:
- Operating System: Microsoft Windows XP or higher
- Screen resolution: 1280x800 or higher
- Browser: Microsoft Internet Explorer 11; Mozilla Firefox 58, 59, 60; Google Chrome 67

SecureApp contains a number of views, accessed from the main tabs at the top of the SecureTrack screen. When you first login, you see the Home or Dashboard view. You can configure the initial view and other personal preferences in the Settings option.

In the top-right corner of SecureApp you can:
1. Go to the SecureTrack login screen.
2. Logout of SecureChange/SecureApp.
3. View the following:
   - What can I do on this page? - Opens context-sensitive help from the Tufin Knowledge Center ( ). From the Knowledge Center you can view and search additional TOS topics, including API documentation and technical notes. If you do not have an internet connection, the link opens context-sensitive help from the local server. The local help files contain the same content as the User Guide.
   - API Documentation - Opens the REST API documentation.
   - Tufin Academy Online Training - Opens the Tufin Academy, where you can take online courses based on your role and expertise.
4. View a summary of executed activities in the Action log.

At the bottom of SecureApp the status bar shows the license status.

Tufin Knowledge Center: 4

SecureApp Features by Vendor

These SecureApp features are supported for monitorable devices from the following vendors: Check Point, Cisco, Juniper, Fortinet, Palo Alto Networks, McAfee, F5, VMware NSX, Amazon AWS, and Cisco ACI.

Features:
- Connections Import (setup tool)
- Connections Discovery (using logs)
- Application Inventory
- Application\Connection Status
- Connection Analysis
- Application Connectivity Map
- Application History
- Application Compliance
- Application Connectivity Migration
- Application Decommission
- Cloud Console (marked N/A for some vendors)
- Automated Application Visibility (marked N/A for some vendors)
- Create Ticket

Notes for specific devices:
- Cisco ACI: You can migrate from an ACI application, but you cannot migrate to an ACI application.
- VMware NSX: Application connectivity status and discovery are available for North-South traffic.

Chapter 1 Managing Application Connections with SecureApp

Tufin SecureApp lets you manage and monitor the connections between network resources that your applications need. As part of the Tufin Orchestration Suite (TOS), SecureApp leverages SecureTrack for device and network knowledge. If you purchase a license for SecureChange, you can also provision accurate and secure firewall changes from the application view. With one click, you can open a ticket with the exact details of the connections that the network and security teams need.

The servers that an application uses are usually spread across the network and rely on rules in multiple firewalls to make sure that communication can pass through the network. In SecureApp, even a business owner with no network management experience can define the servers and services that the application requires and track the progress of the implementation. Based on the topology of the network and the policy revisions retrieved from the network devices, SecureApp can translate those requirements into specific changes that the network and security teams must make in all of the relevant firewall policies.

SecureApp gives you an intuitive interface to define your application's critical connections. You can see a list of your applications, the connectivity that those applications rely on, and the status of the connectivity. SecureApp also lets you see at a glance if the connections for your application are blocked and lets you send a request to repair the connectivity.

Example: Web Application

Let's say your business generates revenue from a web application that has a portal for public access and a portal for administrative access. The public portal ( ) runs on a web server that is located in your DMZ network, and the administration portal ( ) runs on a web server that is located in your internal network. Both web servers send queries to a database server ( ) that is located in a separate internal segment of your network.

In order to create the firewall rules to allow traffic for this application, you need to add rules to two different firewalls. After you do that, you still need to monitor the rules to make sure that no changes in the firewalls disrupt the traffic for the application. Because this web application is the core of your business, you cannot afford to have any downtime.

With SecureApp, you can build this connection with the information that you know about the application.

When you integrate with SecureChange, you can create a SecureChange ticket that includes all of the information that the network and security teams need to approve and implement the changes. SecureApp sends you a notification if there is any disruption to this traffic so you can correct it immediately.

Chapter 2 Setting up SecureApp

Tufin Orchestration Suite (TOS) includes SecureTrack, SecureChange Basic and SecureApp Basic. The functionality of the products is defined by the license (see "SecureChange and SecureApp Licensing" on page 17) that is installed in SecureTrack.

To set up SecureApp, you must:
- Install TOS (see "Installing TOS" below)
- Assign roles (see "Assigning Roles to Users" on page 34) with SecureApp permissions to users

Installing TOS

Tufin Orchestration Suite (TOS) includes SecureTrack, SecureChange, and SecureApp (see "Managing Application Connections with SecureApp" on page 10). The latest version is available for download from our support site ( ). After you install the TOS package, you can enable or disable the products. You can also easily upgrade TOS from a previous version.

Note: Changes to the locale configuration of the operating system can cause errors when you install or upgrade TOS. Make sure that the LANG value of the locale is set to en_us.utf-8.

Prerequisites

Verify that your locale variable is set to en_us.utf-8:

    # locale
    LANG=en_US.UTF-8
    ...
    LC_ALL=en_US.UTF-8

If the locale is set to something different, change the locale as follows:

For TufinOS or CentOS 6.x:
a. Edit the file /etc/environment:

    LC_ALL=en_US.UTF-8
    LANG=en_US.UTF-8

b. Logout and log back in, and confirm the locale settings are correct.

For RHEL 6.x:
c. Edit the file /etc/sysconfig/i18n:

    LANG="en_US.UTF-8"
    SYSFONT="latarcyrheb-sun16"

d. Logout and log back in, and confirm the locale settings are correct.

If your server is behind a NAT, the NAT device must be configured to send one of the following headers for each request:
- X-Forwarded-Host - usually used when the NAT device is a reverse proxy
- HOST

The header should also contain the remote host DNS name or IP. If a request does not include one of these headers, users will not be able to log in to SecureTrack.

Installing TOS on a server

To install Tufin Orchestration Suite on a server:
1. Login to the target server with the root user.
   Note: Do not login with a different account and use the sudo command.
2. Copy the installation package file to the server.
3. From the command line on the TOS server, verify package integrity with the command:

       sha1sum <filename>

   where <filename> is in the format: tos-<tos_version>-<release_level>-<tos_build>-final-release.run.tgz
   Compare the output to the number on the Tufin download site.
4. To extract the file, run:

       tar zxvf <filename>

5. Run the extracted file:

       /bin/sh <filename>

   where <filename> is in the format: tos-<tos_version>-<release_level>-<tos_build>-final-release.run
6. If prompted to disable SELinux, select Yes.
7. When prompted, you can enable or disable a TOS component. By default, SecureTrack, SecureChange, and SecureApp are enabled.
   - To change the SecureTrack setting, enter: 1
   - To change the SecureChange/SecureApp setting, enter: 2
   - To change the Suite Administration setting, enter: 3
   - To apply the changes, enter: c
   To return to the product selection menu later, run: tos conf
8. To install a valid license (see "SecureChange and SecureApp Licensing" on page 17):
   a. Login to SecureTrack as an administrator.
   b. Go to: Settings > Administration > Licenses
   c. Click Install to browse to the license file on your computer and click Open.

When you login to SecureChange and click on SecureApp you will see the application inventory page.

The TOS products are now installed and ready for you to login with your web browser. Then, the next steps to get started with SecureChange or SecureApp are to configure:
- SecureTrack (see "Connecting to SecureTrack" on page 22) server connection
- Mail server (see "Connecting to a Mail Server" on page 24) connection (optional)
- LDAP directory connection to use LDAP user accounts
- Local users and user roles

Then you are ready to build your applications and create workflows to manage your change requests, according to your product license (see "SecureChange and SecureApp Licensing" below).

SecureChange and SecureApp Licensing

A SecureTrack license grants you a SecureApp Basic license, allowing you to access up to three SecureApp applications (the first three you created in the system, in chronological order). Any additional application you want to create or access requires a separate license, which is installed through the SecureTrack licensing mechanism.

SecureApp gives unlicensed applications a temporary Plug-and-Play status, which is a 30-day grace period during which you can continue to access these applications while you purchase any additional license you require. After 30 days, the status of Plug-and-Play applications changes to Unlicensed, and their content becomes inaccessible.

SecureChange Basic is the version of SecureChange that is included when you purchase SecureTrack. SecureChange Basic lets you use the pre-defined workflows (see "Basic Workflow Configuration" on page 31) to manage network requests for your organization with all of the SecureChange features, except workflow customization. All other workflows and the SecureChange provisioning capabilities are only available for fully licensed SecureChange users.

When you purchase SecureChange and install the license, you can customize the workflows to match the processes that your organization uses to handle network requests, including conditional workflows and automatic actions. SecureChange is then integrated with SecureApp so that you can open change requests directly from SecureApp with the precise access requests to implement the SecureApp connections.

To install a license: In SecureTrack, go to Settings > Administration > Licensing to view your current TOS license status. To install a new license, click Install to browse to your license file.

To view the SecureApp license status:
1. In SecureTrack, go to Settings > Administration > Licensing and click on the SecureApp tab to view the license details:
   - Available Licenses shows the number of licenses you have and their names.
   - License Status shows the total number of applications you have, and specifies the sub-total number of applications in each status: Licensed, Plug-and-Play and Unlicensed.
2. In SecureApp, go to the Applications view to see the license status in the applications list. Plug-and-Play applications are indicated by the icon. After 30 days, the status of these Plug-and-Play applications changes to Unlicensed, as indicated by the icon. The application content can no longer be accessed, so the application Name appears as text instead of a link.

The bottom left status bar indicates your license status. After you install a new license in SecureTrack, go to SecureApp's status bar and click Refresh license status to retrieve the updated data.

Logging into SecureChange and SecureApp

Before you login, make sure you have:
- Operating System: Microsoft Windows XP or higher
- Screen resolution: 1280x800 or higher
- Browser: Microsoft Internet Explorer 11; Mozilla Firefox 58, 59, 60; Google Chrome 67

To log into SecureChange and SecureApp:
1. Go to:
   <server> is the IP address or DNS name of the SecureChange and SecureApp server.
   If the browser warns you that it is not familiar with the site's security certificate, allow the browser to continue to the site. You can prevent the certificate warning from appearing in the future ( ).
   The initial login screen appears.
2. The initial administrator is:
   User name: admin
   Password: admin
   a. You must change the administrator password when you login for the first time. After the initial password change, the administrator password can be reset from the command line.
   b. You can enter an email address that administrative notifications are sent to. We recommend that you enter the address of an email list so that you can easily edit the list of people who receive messages.
   This administrator can only configure the Settings in the Settings tab.

Then, the next steps to get started with SecureChange or SecureApp are to configure:
- SecureTrack (see "Connecting to SecureTrack" on page 22) server connection
- Mail server (see "Connecting to a Mail Server" on page 24) connection (optional)
- LDAP directory connection to use LDAP user accounts
- Local users and user roles

Then you are ready to build your applications and create workflows to manage your change requests, according to your product license (see "SecureChange and SecureApp Licensing" on page 17).

Connecting to SecureTrack

SecureChange and SecureApp must be configured to integrate with SecureTrack. You can connect to a SecureTrack that is enabled on the same server or installed on a remote server. In a SecureTrack distributed deployment you must connect to the central server.

Note: To use SecureTrack on a remote server, both servers must have the same version of TOS. To confirm this, on each server run: st version and scw version. The information must be the same on both servers.

Prerequisites

Create a dedicated SecureTrack account that SecureChange and SecureApp use to get SecureTrack information.
- If SecureTrack does not use domains, assign the user Administrator permissions.
- If SecureTrack uses domains, either:
  - Assign the user Super Admin permissions so that in SecureChange and SecureApp you see the devices in all of the domains.
  - Assign the user Multi-Domain admin permissions and select the domains that have the devices that you want to see in SecureChange and SecureApp. You cannot see in SecureChange and SecureApp the devices in domains that are not selected.

To configure SecureChange and SecureApp to connect to SecureTrack:
1. In SecureChange and SecureApp, select Settings > SecureTrack.
2. Enter the SecureTrack account credentials.
   If you are using SecureTrack on the same server with SecureChange and SecureApp:
   a. Select Local host.
   b. Enter the SecureTrack administrator username and SecureTrack administrator password.
   If SecureChange and SecureApp are on a remote server:
   a. Select Remote host.
   b. In IP / Hostname, enter the IP address or a resolvable hostname of the SecureTrack server.
   c. Enter the SecureTrack administrator username and SecureTrack administrator password.
   d. Enter the Internal IP of the SecureChange server. This is the IP address of the SecureChange server on your internal network. If no address is listed, the IP address will be taken from Settings > Miscellaneous > Server DNS name.
3. (optional) Select Show link to SecureTrack to give all users a link to SecureTrack above their username.
4. (optional) Change the Connection check interval, which configures how often SecureChange tests its connectivity to SecureTrack.
5. Click Save. If the settings are correct, a confirmation message appears.

Connecting to a Mail Server

For SecureChange and SecureApp to send users email notifications regarding their requests and tasks, you must enter the details of the SMTP server that SecureChange and SecureApp should send mail to, and an address to be used in the emails' From fields.

To enable automatic email notifications:
1. Get the server and authentication information for your organizational SMTP server.
2. Go to Settings > Mail.
3. Enter SMTP information for:
   - SMTP Server: SecureTrack can send notifications and alerts directly (using its SMTP engine), or act as an email client and send emails to an organizational SMTP server. In order to send emails to an SMTP server, configure its IP address in this option. The default setting for the SMTP Mail Server is localhost, which sends emails directly.
   - SMTP Port: The port used by your SMTP server.
   - Source Address: The address chosen by SecureTrack in the SMTP messages sent (for example: ). This can be used for easy identification of messages coming from SecureTrack.
   - SMTP server requires authentication: Select this if your SMTP server requires authentication for sending email, and type the username and password that will be used by SecureTrack to communicate with the SMTP server.
   - Enable SMTP over SSL: Select if your SMTP server requires certificate encryption when sending and receiving emails. If you require encryption, then select to trust all certificates or list specified certificates.
     Note: The option Trust only the certificate below requires TufinOS 2.15 or above. For non-TufinOS users, this option requires PHP version 5.6 or above.
4. Click Save. A confirmation message is displayed.

You can also set:
- Retry interval (in minutes) to resend messages: How long a failed message waits until SecureChange and SecureApp try again to send it.
- Expiration interval (in days) for unsent messages: How many days SecureChange and SecureApp attempt to send the message before they stop attempting to send it.

Configuring SecureApp Settings

You can manage these general SecureApp settings:
- Server Name: The name syntax for IP addresses not associated with a server (that were discovered by connection discovery).
- Connection Management: Handling rejected changes, external connections, number of days to run connection discovery, and the number of connections to show per page.
- ACI Configuration: Select the user that is assigned as the owner of added Cisco ACI applications (see "Building the Application Inventory" on page 45).

To set the server name to use for IP addresses not associated with a server (that were discovered by connection discovery):
1. Go to Settings > SecureApp Settings.
2. In the two text boxes, enter the text that is appended before and/or after the IP address.
3. Select the Use the resolved DNS name, if available option if you want to use the DNS server that is configured in the operating system to resolve the DNS name listed for the IP address.

To configure connection management settings:
1. Go to Settings > SecureApp Settings.
2. Set these options:
   - Rejected tickets: Select to allow a user to ignore rejected changes (see "Handling Rejected Tickets" on page 123).
   - External Connections: Select to allow external resources to be used in both the source and destination of connections (see "Adding Resources to Connections Manually" on page 89).
   - Connection Discovery: The default duration, in days, to run connection discovery (see "Discovering Application Connections and Resources" on page 54).
   - Connections List Paging: The number of connections shown per page.

Adding Users

SecureChange and SecureApp permissions are based on users, groups and roles. SecureChange and SecureApp let you use either:
- User accounts that you configure in SecureChange
- User accounts that you import from an LDAP server

We recommend that you assign roles to groups so that the role applies to any user that is a member of the group.

Predefined roles are:
- Auditor - Can only create reports
- Business Owner - Can manage SecureApp applications and connections (see "" on page 37), and submit tickets
- Requester - Can only submit requests
- Security Administrator - Can create and manage workflows, handle requests, and configure SecureChange and SecureApp settings in the Settings tab
- System Administrator - Can only configure SecureChange and SecureApp settings in the Settings tab

Just to get you started, create:
- Users with the Requester role for anyone who submits requests
- Users with the Security Administrator role for anyone who reviews, approves or implements requests

You can add users and groups to SecureChange and configure their roles and permissions. You can also configure an alternative authentication method so that the user passwords are verified with a separate authentication system.

To add a local user or user group:
1. Go to Settings > Users.
2. In the New list, select User or Group, and click Add.
3. Provide user or group details.
4. Click Done.
   The details of the user or group are shown in the Details tab, where you can also edit the details. Once users and groups are added, you can manage group membership.
5. To assign the new user permissions, click on the Roles tab and select one or more roles.
6. Click Save.

Your new user accounts have permission to log into SecureChange and SecureApp. You can now configure workflows (see "Basic Workflow Configuration" below).

Basic Workflow Configuration

To implement application connections in the firewall policies, you must create a ticket that is processed by SecureChange as a new request. To create a new request, you must have an active workflow configured in SecureChange. SecureChange includes 4 basic workflows that you can use out-of-the-box:
- Access Request - Submit request with specified access > Business approval > Technical design > Security review > Implementation
- Group Object Request - Submit group object change request > Approval > Implementation
- Generic Request - Submit request > Approval > Implementation
- Remove Access - Submit remove access request > Approve access removal > Implement access removal

In SecureChange Basic, you can configure the assignments for these workflows and use these workflows with their default configurations. If you have a license for SecureChange, you can:
- Make workflows that match the process in your organization by customizing the workflows and creating new ones.
- Configure the following additional workflow types:
  - Server decommissioning
  - Rule decommissioning
  - Rule recertification

To activate a workflow:
1. Login to SecureChange as a user that is assigned to the Security Administrator role (see "Adding Users" on page 28). If you are logged in as a different user, click Logout from the user menu.
2. In Workflows, click one of the workflows or a workflow template.
3. To change the name of the workflow and other workflow properties:
   a. Click Workflow properties.
   b. Change the name of the workflow.
   c. Select the step that a ticket returns to if the requester reopens it. After all of the steps in the workflow are complete, the requester is prompted to confirm that the request is complete. If the requester sees that the request is not complete, the requester can reopen the ticket. The ticket then returns to the step selected here so that the work can be redone.
   d. Click OK.
4. For each step in the workflow, assign participants:
   a. Click the step.
   b. In the Assignments tab, select the Assignment mode. For a simple workflow, select Auto-assigned for SecureChange to automatically assign the ticket to a participant. You can also configure conditions based on which the step is skipped.
   c. Select users that can perform this step in the workflow.
5. When all steps are marked as valid, set the workflow status to Active.
6. Click Save.

SecureChange is now ready for end-users to login and submit requests. Next, you can:
- Manage requests
- Configure SecureChange settings
- Customize workflows
- Create reports

Assigning Roles to Users

Permissions to use SecureApp are given to a user based on the roles that are assigned to the user. To allow a user to use SecureApp, you must assign to them a role that has SecureApp permissions in Settings > Users. You can change the permissions for each role in Settings > Roles.

The permissions that impact the use of SecureApp are:
- View My Requests and create requests - A user with this permission can create SecureChange tickets (see "Creating SecureChange Tickets" on page 117) and follow the progress of the ticket in SecureChange > My Requests.
- View SecureApp and access SecureApp applications - A user with this permission can view existing applications (see "Building the Application Inventory" on page 45) and configure application connections (see "Managing Connections" on page 85) for applications that they own or for applications that they are an editor of. A user that does not have this permission cannot use SecureApp and does not see the SecureApp tab in the application bar.
- View connection status - See if the connection is connected or blocked.
- Run connection status analysis - A user with this permission can click on the status of a connection and see the analysis of the routing and firewall rules (see "Managing Connections" on page 85) that impact the traffic in the connection.
- View security compliance violation - Run compliance analysis (see "Checking Security Compliance" on page 94) and see if the connection is compliant with organizational security policies or if it might require special approval.
- Discover application connections and resources - A user with this permission can use connection discovery (see "Discovering Application Connections and Resources" on page 54) to get suggested source, service and destination information based on the rule log information from your firewall devices.
- Create new applications - A user with this permission can create new applications (see "Building the Application Inventory" on page 45) that the user is the owner of. The user can also add other users to the list of editors for the applications.
- Edit all applications and change ownership - A user with this permission can edit any application and assign another user as the owner of an application.
- Create closed ticket - A user with this permission can create a closed ticket (see "Creating SecureChange Tickets" on page 117), that is, a ticket that does not go through the workflow process. This can be useful so that:
  - A SecureChange ticket exists for connections that are already configured in the devices, so that auditors can see the access request in the ticketing system.
  - The next ticket created from the connection does not include any previous changes.
  Note: When you create a closed ticket, revisions that match the ticket are shown in the Change browser in SecureChange as unauthorized, because they do not pass through an approval step in SecureChange.
- View application access portal - A user with this permission can use the application access portal to request access to an application (see "Self-Service Application Access" on page 66) without logging into SecureApp.

This page also includes the permissions for SecureChange.

The default roles are Auditor, Business Owner, Requester, Security Administrator and System Administrator. The SecureApp permissions assigned to each of them are drawn from:
- View My Requests and create requests
- Access SecureApp
- Connection analysis
- Security compliance analysis
- Connection discovery
- Create applications
- Configure applications and owners
- Create closed ticket
- View application access portal
- Change system settings

To change the permissions for a role or user:
1. Go to: Settings > Roles
2. Select the role that you want to edit.
3. In Permissions, change the permissions for the role.
4. In Users:
   - To add a user, click on the user in Available users.
   - To remove a user, click on the user in Selected users.
5. Click Save.

37 Logging into SecureChange and SecureApp Chapter 3 Working with Applications and Connections All network applications require connectivity between network resources. Some applications require many different types of connectivity in order to work. For example, a basic website can require connectivity: From the internet to a web server over HTTP From the web server to a database server over specific ports If any of these connections is blocked by a firewall, users cannot access the website. The business owner can keep a list of all of the required connectivity, but cannot create a detailed set of instructions for implementing the connectivity in the firewalls. The network and security teams can analyze the locations of each server to decide which firewalls need to have rules to allow the connectivity, but they cannot easily manage all of the firewall rules to make sure they are all maintained correctly. Managing Applications and Connections The SecureApp menu includes these features that you can use to manage your applications and connections: Applications displays the inventory of applications. Server Lookup lets you search for a server and see all the server connections and groups. Cloud Console lets you manage all cloud resources that are not associated with a SecureApp application. Tufin Knowledge Center: 37

If multi-domain mode (see "Enabling Multi-Domain in SecureApp" on page 39) is enabled, the SecureApp menu includes:
- Home displays the inventory of applications and application packs in the default domain.
- Customers displays the customer list. Select a specific customer to view the inventory of applications and application packs that belong to the customer.
- Server Lookup lets you search for a server and see all the server connections and groups.
- Cloud Console lets you manage all cloud resources that are not associated with a SecureApp application.

Applications

In SecureApp, the business owner keeps a list of all of their applications with the required connectivity for each application. The connectivity is defined in terms that are easy for the business owner to provide. SecureApp translates the connectivity into terms that are easy for the technical teams to implement. The business owner can publish relevant application connections, making them available for re-use by other users.

To define application connectivity:
1. Define a new application (see "Building the Application Inventory" on page 45).
2. Define the resources (see "Managing Resources" on page 53) (servers, services and users) that the application requires.
3. Create a new connection (see "Managing Connections" on page 85) and add the resources to the connection.
4. Create a ticket (see "Implementing Connections with SecureChange" on page 114) in SecureChange to request that the firewall/network team allow access for the connection.

5. (optional) Publish the connections (see "Building Interfaces to an Application" on page 104) to make them available for reuse by other users.
6. Monitor (see "Tracking Changes to Applications" on page 126) the connection.

Enabling Multi-Domain in SecureApp

MSSPs and large enterprises commonly must control the provisioning process for many business entities, such as customers, business partners, or departments. In some organizations the customers are allowed to communicate with each other, and in other organizations communication between customers is strictly prohibited.

When you enable multi-domain mode, you can:
- Manage applications for each customer separately
- Allow or prohibit connections between customers

When you enable multi-domain, you must choose either:
- Segregated domains: Customers are separated from each other and each connection can only include resources from one customer.
- Interconnected domains: Customers are all in one environment and each connection can include resources from multiple customers.

This is helpful if multiple customers use the same IP addressing scheme. For example, Customer 1 assigns an IP address to a server and Customer 2 assigns the same IP address to one of its clients. Using multi-customer mode in SecureApp, you can distinguish between customers and manage each one accordingly.

When multi-customer mode is set to interconnected, the business owner can also create application packs.

To enable multi-domain mode:

1. Check with the SecureTrack administrator to make sure that there are domains configured in SecureTrack.
2. Go to Settings > Multi-Domain, and then select one of the following options:
   - Segregated domains - Design and automation of connections and change requests is allowed only within a domain/customer
   - Interconnected domains - Design and automation of connections and change requests is allowed across domain/customer boundaries
   Note: Multi-domain mode applies to both SecureChange and SecureApp, and the selection cannot be undone.
3. Click one of the following:
   - Update Domains (Recommended) - Retrieve the domain list from SecureTrack now.
   - Save - Save this configuration. The list of domains is updated once a day at midnight.

After you enable multi-domain mode and the list of domains is updated, you can go to Customers to:
- Import customers into SecureApp (see "Managing Customers" on page 41)
- Create applications and connections (see "Working with Applications and Connections" on page 37) for each customer

Managing Customers

The Customers window lets you view and manage your customers and their applications. Customers is only available if multi-customer mode is enabled.

The information displayed is Status and Name (name of the customer). The status can be one of the following icons:
- Connection status information for this customer is not available.
- All connections for this customer are connected.
- One or more connections for this customer is not connected.

What can I do?
- Import Customers (see "Import Customers" on page 42) - Click the import icon to import the customer domains from SecureTrack.
- View a Customer's Inventory - Click a customer name to view the inventory for that customer.
- Delete a Customer (see "Delete a Customer" on page 43) - Select the customer, click the menu icon, and select Delete. All customer data will be removed from SecureApp.
- Decommission a Customer (see "Decommission a Customer" on page 44) - Select the customer, click the menu icon, and select Decommission.
- Filter - Enter text in the filter box to list only the customers that match the text you enter.
- Sort - Click on a column header to toggle sorting in ascending or descending order.

How do I get here?

To go to the Customers page:
1. In SecureApp, click Customers. The customer list appears.

Import Customers

After enabling multi-domain mode (see "Enabling Multi-Domain in SecureApp" on page 39), in either segregated or interconnected mode, you must import the customers from SecureTrack before you can work with the customers.

To import customers:
1. Go to the Customers page.
2. Click the import icon. The Import Customers window appears.
3. From the Import Customers window, select each customer that you want to import, and click Add.

4. Click OK.

For each customer, you can click on the customer name and then create applications and connections (see "Working with Applications and Connections" on page 37) for the customer.

Delete a Customer

When you delete a customer, all applications associated with the customer are removed, and the history of the applications will no longer be available. Deleting a customer will remove the customer from SecureApp.

Note: A decommissioned application can remain in the system without affecting the application license quota. If you wish to maintain the history, you can decommission the customer instead.

To delete a customer:
1. Go to the Customers page.
2. Select a customer from the list of customers displayed.
3. Click the menu icon and select Delete. The Confirm Deletion dialog appears.
4. Click the confirmation button. The customer is removed from the list, and all applications associated with the customer are removed from SecureApp.

Decommission a Customer

When you decommission a customer:
- All resources of the selected customer become unavailable for use in new connections or applications.
- New applications or server resources cannot be added for this customer.
- The customer is marked with a strikethrough in the customer list.
- All applications belonging to the customer are marked with a strikethrough.

Note: Open every application belonging to a decommissioned customer and create a ticket to close all of the access associated with the customer.

To decommission a customer:
1. Go to the Customers page.
2. Select a customer from the list of customers displayed.
3. Click the menu icon and select Decommission. The customer displays with a strikethrough font.

4. The Confirm Decommission dialog appears.
5. Click the confirmation button.

Building the Application Inventory

With SecureApp, you can build a list of all of your business applications and the connections that they rely on to function. This lets you easily maintain your connectivity requirements.

Applications

An application has properties, including name, owners, editors, and viewers. You configure the connectivity requirements that include all of the connections: the sources, protocols and destinations of network traffic.

If you have more than one customer, you can enable multi-customer (see "Enabling Multi-Domain in SecureApp" on page 39) mode to create applications for each customer and have data segregation (segregated) or IP address differentiation (interconnected).

Cloud Applications

You can import applications from cloud platforms and monitor them in SecureApp. Cloud applications are marked in the applications inventory with the icon of the cloud vendor, and cloud servers are marked in the resources with the icon of the cloud vendor.
- Amazon AWS - Use the Cloud Console (see "Managing Cloud Resources" on page 79) to add AWS applications.

- Cisco ACI - When you add a Cisco ACI Platform to SecureTrack, the applications are automatically shown in SecureApp as read-only. Connections are not created for contracts with only a filter from the common tenant, or without a provider, consumer, or filter. SecureApp imports applications from up to 10 tenants and up to 50 application profiles per tenant. The ACI applications are created with the owner selected in SecureApp Settings (see "Configuring SecureApp Settings" on page 26).

The ACI applications are created with these properties imported from Cisco ACI:

SecureApp Property      ACI Property
Application             Application Profile
Connections             Contract
Local service group     Filter
Local service           Filter entry
Network object group    EPG
Subnet                  Subnet
Host                    Virtual IP/static endpoint

What can I do?
- Create an Application or Application Pack (see "Creating an Application or Application Pack" on page 47) - Click the new-application icon (or the multi-domain icon if multi-domain is enabled).
- Filter - View only your applications or all applications, and enter text in the filter box to list only applications that match the text.
- Build Connections - Click on the application or application pack name to manage its connectivity requirements.
- Change Properties - Select the application and click the edit icon to change the name, owner or editors of the application.
- Delete or Decommission - Select the application or application pack and click the menu icon:
  - Select Delete to remove all application or application pack data from SecureApp.
  - Select Decommission to request to remove all connections (see "Decommissioning Applications" on page 49) for the application from the firewall policies.
  Note: Application packs cannot be decommissioned.
- Migrate - Select the application and click the migrate icon to migrate the application.
  Note: Application packs cannot be migrated.

- Show decommissioned applications - Check Show decommissioned applications to toggle the display of decommissioned applications. Decommissioned applications are marked with a strikethrough.

How do I get here?

To view the applications inventory, if multi-domain is not enabled:
1. Go to SecureApp > Applications.

To view your application inventory, if multi-domain is enabled:
1. Go to SecureApp > Home.

To view a customer's applications, if multi-domain is enabled:
1. Go to SecureApp > Customers.
2. Click on the desired customer name to select a specific customer.

Creating an Application or Application Pack

Applications

An application has properties, including name, owners, editors, and viewers. You configure the connectivity requirements that include all of the connections: the sources, protocols and destinations of network traffic.

Application Packs

When multi-customer (see "Enabling Multi-Domain in SecureApp" on page 39) mode is set to interconnected, the business owner can create application packs, which are a set of published connections to applications that are grouped together. Application packs let a business owner manage a related set of connections through a single group. For example, a business owner can bundle the connections to a DNS server, an authentication server, an Exchange mail server, and an internal database into an application pack. After the application pack is published, the customer connects to the application pack and gets connections that include all of the required connectivity.

The icons used to identify applications and application packs are:
- application
- application pack

To create an application or application pack:
1. Navigate to the application inventory.
2. Click the new-application icon. (For multi-domain mode, click the multi-domain icon.)
3. Select or enter the following information:

Field                               Value to enter or select
Type (for multi-domain mode only)   The application pack icon for an application pack, or the application icon for an application

Field                           Value to enter or select
Name                            Enter the name of the application pack
Description                     (optional) Enter a description
Owner                           If you have permissions to assign an Owner to the application pack, select the SecureApp user who will be responsible for the application.
Editors or Viewers (optional)   From the list of users, manage which users can edit or view the connections or resources. Filter the users displayed in the user list using the filter options displayed in the dialog.

4. Click the save button. The new application or application pack opens. You can now manage its resources (see "Managing Resources" on page 53) and connections (see "Managing Connections" on page 85).

To define application pack connectivity:
1. Define a new application pack.
2. Select the published application connections to include in the pack.
3. Add a custom tag to each connection.
4. (optional) Publish the application pack to make it available for reuse by other users.
5. Monitor the application pack.

Decommissioning Applications

Managing firewall rules in the context of an application also gives you a simple solution for removing all access that is used by an application. Because SecureApp has a list of all of the connections that an application uses, you can decommission an application and request to remove all access associated with the application from the firewall policies. This process cleans up the firewall policies from unused access to prevent unnecessary security or performance risks.

When you decommission an application:
- The connections in the application are deleted.
- The servers in the application are deleted.
- The application cannot be edited.
- The history information is available.
- All access changes are entered into the next ticket that you create.

To decommission an application:
1. Go to: SecureApp > Applications
2. Select the application from the list.
3. Click the menu icon and select Decommission. You see the application with an empty list of connections.
4. Click Create Ticket. A SecureChange ticket opens with access requests to remove all access that was requested for the application. If no tickets were opened for the application, you do not need to open a ticket to remove any access.
5. Complete all of the fields of the request and click Submit.

Managing Tags

Tags are labels that name a connection to an application pack. The tag can be used to identify the functionality of the connection for users. Every connection to an application pack must be associated with a tag before it can be published. A single tag can be associated with multiple connections, letting you group related connections with a single, meaningful name. Tags are unique to a specific customer.

Note: Tag management is available if multi-domain mode is set to interconnected.

To manage tags:
1. Navigate to the application inventory window:
   - Click SecureApp > Home to display the inventory for the default customer, or
   - Click SecureApp > Customers, then select a customer
2. Select an application pack.
3. Click the tags icon to display the Tags dialog. On this dialog you can:
   - Add a tag - Click the add icon to add a new tag.
   - Edit a tag - Click the edit icon to edit the tag name.

   - Delete a tag - Click the delete icon to delete a tag.
   - Filter - Filter the available connections by the text entered.
   - Associate a tag with a connection - Select a connection for a tag and click the associate icon to associate the tag with the connection.
   - Remove a tag association - Select a connection for a tag and click the remove icon to remove the tag association for the connection.
   - Save tag associations - Click the save icon to save the current associations.

Associating a Tag With a Connection

A tag can be associated with multiple connections. The dialog lets you manage the connection to application pack associations for each tag.
1. Select a tag from the left panel of the dialog.
2. Click the add icon. The Add Interfaces dialog appears.
3. Click and select the desired interfaces. Use the <CTRL> and <SHIFT> keys while clicking to select multiple interfaces.

4. Click the confirmation button.
5. Click the save icon to save your changes.

Removing Associations From a Tag

A tag can be associated with multiple connections. The dialog lets you remove one or more connection associations from a tag.
1. Select a tag from the left panel of the dialog.
2. Select an interface from the right panel of the dialog.
3. Click the remove icon. The interface association with the tag is removed.
4. Click the save icon to save your changes.

Managing Resources

Network applications require that software components in different locations connect to each other and transfer data using specific services. The resources defined in SecureApp are:
- Source and Destination: Define where the software components for your applications are installed:
  - Servers and server groups: Can be hosts, IP ranges, subnets, load balancers and virtual servers.
  - Users: Defined by name and IP.
- Services/Application identities:
  - Services: Selected from SecureApp's services list of common services and/or defined custom services and service groups.
  - Application identities: The application level protocol used to connect sources and destinations, such as Facebook Apps. When creating your connections, you can select application identities from a predefined list in SecureApp.

To define resources, you can either:
- Automatically discover connection resources (see "Discovering Application Connections and Resources" below) from device usage logs
- Automatically discover application connections and resources from firewall policies using the Application Setup Tool. (For more information, contact Professional Services.)
- Import resources (see "Importing and Exporting SecureApp Data" on page 77) from an external database or file
- Manually create individual or groups of servers (see "Creating Servers" on page 60), users (see "Creating Users" on page 63) or services (see "Creating Services" on page 65)

Note: Application identities are not created but selected from a comprehensive list available in SecureApp.

Once you define these resources, you can use them to build the required connections (see "Managing Connections" on page 85).

Note: If a server is already defined for another application, you can use that server in the connection without defining a new server for your application (see "Managing External Applications" on page 102).

If you edit the IP address of a resource or a member of a resource group, you can save the change and open a ticket to update the firewall rules that use the resource. The ticket includes "Drop" access requests for the connections that use the old details of the resource and "Accept" access requests for the same connections with the new details of the resource.

Discovering Application Connections and Resources

To help you build the connections that your application needs, SecureApp can suggest source, service, and destination information based on the rule log information from your firewall devices. After you manually add resources (see "Creating Resources Manually" on page 60) for your application to the source or destination fields, you can use connection discovery to identify real connections that use those resources. You can then add the discovered resources to the connection to complete the connection information.
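The ticket logic described above (Drop requests for the old resource details and Accept requests for the new ones), together with the decommissioning behaviour on page 49 (Drop requests for every connection of the application) and the segregated/interconnected domain rule on page 39, as an added Python example. This is illustration code written for this guide, not Tufin product code: the Server, Service and Connection classes, the function names, and the application names, addresses and ports are all constructed for the example.

```python
# Added example (not Tufin code): a small model of SecureApp-style resources
# and connections that derives the access requests a ticket would carry when a
# resource's IP changes or an application is decommissioned, plus the
# segregated-domain rule. All names, addresses and ports are constructed.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Server:
    name: str
    ip: Optional[str]          # None marks a placeholder server (no IP yet)
    customer: str = "default"  # owning customer in multi-domain mode


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str
    port: int


@dataclass(frozen=True)
class Connection:
    app: str
    sources: Tuple[Server, ...]
    services: Tuple[Service, ...]
    destinations: Tuple[Server, ...]


def check_domain_mode(conn: Connection, mode: str) -> bool:
    """Segregated: every server in a connection belongs to one customer.
    Interconnected: servers of several customers may be mixed."""
    customers = {s.customer for s in conn.sources + conn.destinations}
    return mode == "interconnected" or len(customers) <= 1


def flows(conn: Connection, action: str) -> List[tuple]:
    """One (action, src_ip, proto/port, dst_ip) request per source x service
    x destination. Placeholder servers (ip None) produce no request."""
    return [
        (action, s.ip, f"{svc.protocol}/{svc.port}", d.ip)
        for s in conn.sources
        for svc in conn.services
        for d in conn.destinations
        if s.ip is not None and d.ip is not None
    ]


def ip_change_requests(connections, server: Server, new_ip: str) -> List[tuple]:
    """Drop requests for each connection that uses `server` with its old IP,
    followed by Accept requests for the same connection with the new IP."""
    updated = replace(server, ip=new_ip)

    def swap(group):
        return tuple(updated if r == server else r for r in group)

    out: List[tuple] = []
    for conn in connections:
        if server not in conn.sources and server not in conn.destinations:
            continue
        out += flows(conn, "Drop")
        new_conn = replace(conn, sources=swap(conn.sources),
                           destinations=swap(conn.destinations))
        out += flows(new_conn, "Accept")
    return out


def decommission_requests(connections, app: str) -> List[tuple]:
    """Drop requests for every flow of every connection of `app`."""
    return [r for c in connections if c.app == app for r in flows(c, "Drop")]


# Constructed inventory: a CRM application (web tier to database) and a
# second customer's billing application that reuses the CRM database server.
WEB = Server("crm-web-1", "10.0.1.10")
DB = Server("crm-db-1", "10.0.2.20")
CLIENTS = Server("office-net", "10.0.5.0/24")
BILLING = Server("billing-app", "192.168.7.5", customer="acme")
MSSQL = Service("mssql", "tcp", 1433)
HTTPS = Service("https", "tcp", 443)
CONNECTIONS = [
    Connection("crm", (WEB,), (MSSQL,), (DB,)),
    Connection("crm", (CLIENTS,), (HTTPS,), (WEB,)),
    Connection("billing", (BILLING,), (MSSQL,), (DB,)),
]

if __name__ == "__main__":
    for req in ip_change_requests(CONNECTIONS, DB, "10.0.2.21"):
        print(req)
    for req in decommission_requests(CONNECTIONS, "crm"):
        print(req)
```

Running the module prints the Drop/Accept pairs produced by moving the CRM database to a new address, followed by the Drop requests that decommissioning the CRM application would put into the next ticket; the billing connection, which belongs to another customer, is a segregated-domain violation and an interconnected-domain success under check_domain_mode.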

Note: To run connection discovery, you must be the owner or an editor of the application.

For example, you know that your CRM application requires connections to the CRM database server, but you don't know where those connections come from and what services they use. To help you define the connections that the CRM requires: Manually create a resource for the CRM database server with its IP address and add it to the destination of the connection. When you click to start connection discovery, SecureApp reviews the actual allowed or denied network traffic that was sent to the CRM database server and was logged by your firewalls. The discovery results show you the sources and services that were in the traffic to that server. To complete the connection, you just have to add the relevant sources and services from the list of discovered resources to the connection.

Note: Connection discovery is not supported for connections that have AWS servers in the source or destination. To discover AWS connections, go to the connectivity map (see "View Connectivity Map" on page 131) and click Discover.

To run connection discovery:
1. Verify with your network administrator that:
   - The traffic that you want to discover is routed through a firewall device and does not use IPv6 addresses
   - The firewall device has an accept or deny rule (for example, a cleanup rule) that logs traffic hits
   - The firewall device is monitored by SecureTrack and configured to send syslogs to SecureTrack
2. Login to SecureApp.
3. Go to Settings > SecureApp Settings, and define:
   - Server Name - The syntax that is used as the name for discovered IP addresses that are not associated with a server.

     You can add text that is appended before and/or after the IP address. You can use the DNS server that is configured in the operating system to resolve the DNS name listed for the IP address.
   - Connection Discovery - The default duration of the discovery in days.
4. Go to SecureApp and click on the application for which you want to discover connections.
5. Identify a connection for which you want to discover connections, or create a new connection and add at least one server from your application to the source or destination field of a connection. Because connection discovery lets you discover connections for your application, the field that the discovery is based on must only include servers that belong to your application. It cannot include servers from another application, users or ANY.
6. Click Save Connections.

7. In the connection, go to Discovery > Start discovery to start the discovery. Unless you stop the discovery, it runs for the number of days set in Settings > SecureApp Settings at the time the discovery starts.
   Note: No more than 10 connections can have connection discovery running concurrently.
8. Select the fields that you want to discover for the connection. The field that the discovery is based on is locked, and you cannot change it or the resources in it while discovery is running.

   As the discovery continues, the number of discovered resources is shown. You can open the list of discovered resources while discovery is running, or you can stop the discovery. After you stop the discovery, before you can run discovery again you must clear all of the discovered resources.
9. Click on the number of discovered resources to see the results.

   The results show up to 100 servers with their IP addresses, and 100 services with their protocol and timeout.
   Note: Some reasons a connection may not be discovered are:
   - the traffic is not routed to pass through a monitored firewall policy
   - the traffic was not logged by a firewall rule
   - the firewall is not configured to send syslogs to SecureTrack
   - the IP address or service is translated with NAT
10. To edit the name of a server, or the name and timeout of a service, you can select it and edit the name and timeout value.
11. To add discovered resources to the connection, select the resources and click Save. For any discovered resource that does not already exist in SecureApp, the resource is added to SecureApp. All discovered server resources are single hosts. If you find that there are many discovered hosts in a subnet, consider manually creating a subnet and adding it to the connection. If you find that there are many server or service results, you can also select the resources to create them, add them to a resource group and add the resource group to the connection.
12. To clear the discovery results, you must:
   - Select the resources that you want to add to the connection and click Save.
   - Delete resources that are not relevant to your application and click Save.
   Any new resources are saved and the connection is saved with the selected resources.
13. To stop connection discovery, go to: Discovery > Stop discovery

You can create a ticket for changes that you make while connection discovery is running or after it is stopped.
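What connection discovery does with the rule-log hits, as an added Python example that is not part of the Tufin product or its documentation: it summarises logged traffic to one destination server into candidate sources and services, skips IPv6 hits (which discovery does not support), names unknown IPs with a prefix/suffix the way the Server Name setting does, and suggests a subnet when the discovered hosts all share one, as step 11 recommends. The log format, field names, addresses and the hypothetical function names are all constructed for this example.

```python
# Added example (not Tufin code): summarise firewall rule-log hits to one
# destination into discovered sources and services, as connection discovery
# does for a server placed in the destination field of a connection.
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog-style rule-log lines (not real firewall output).
SAMPLE_LOG = """\
Aug 23 10:01:02 fw1 action=accept src=10.1.20.5 dst=10.2.30.10 proto=tcp dport=1433 rule=12
Aug 23 10:01:05 fw1 action=accept src=10.1.20.6 dst=10.2.30.10 proto=tcp dport=1433 rule=12
Aug 23 10:01:09 fw1 action=drop src=10.1.99.7 dst=10.2.30.10 proto=tcp dport=22 rule=cleanup
Aug 23 10:01:11 fw1 action=accept src=10.1.20.5 dst=10.2.30.11 proto=tcp dport=443 rule=7
Aug 23 10:01:15 fw1 action=drop src=2001:db8::7 dst=10.2.30.10 proto=tcp dport=1433 rule=cleanup
Aug 23 10:01:20 fw1 action=accept src=10.1.20.5 dst=10.2.30.10 proto=udp dport=53 rule=3
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield one dict per parseable line; lines without the fields are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def discover(text, destination):
    """Return {'sources': {ip: hits}, 'services': {(proto, port): hits}} for
    every hit whose dst is `destination`. Accepted and dropped hits both count,
    since discovery reviews allowed and denied traffic; IPv6 sources and
    unparsable addresses are skipped (discovery does not support IPv6)."""
    sources = defaultdict(int)
    services = defaultdict(int)
    for rec in parse_log(text):
        if rec["dst"] != destination:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        if src.version != 4:
            continue
        sources[rec["src"]] += 1
        services[(rec["proto"], int(rec["dport"]))] += 1
    return {"sources": dict(sources), "services": dict(services)}


def server_name(ip, prefix="", suffix=""):
    """Name for a discovered IP with no existing server, built like the
    Server Name setting: optional text before and/or after the address."""
    return f"{prefix}{ip}{suffix}"


def suggest_subnet(ips, prefix_len=24):
    """If all discovered hosts fall in one /prefix_len network, return it
    (the guide suggests creating a subnet instead of many hosts); else None."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
    return str(next(iter(nets))) if len(nets) == 1 else None


if __name__ == "__main__":
    result = discover(SAMPLE_LOG, "10.2.30.10")
    for ip, hits in result["sources"].items():
        print(server_name(ip, prefix="discovered-"), hits)
    print(result["services"])
    print(suggest_subnet(["10.1.20.5", "10.1.20.6"]))
```

The NAT caveat from the note above is visible in this model: the log records the translated addresses, so a source behind NAT appears under the NAT address, and nothing in the log itself reveals the real host.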

Creating Resources Manually

To define resources, you can manually specify the details for servers, services or users and add them to connections. This is one of the ways to define resources, in addition to importing (see "Importing and Exporting SecureApp Data" on page 77) and discovering (see "Discovering Application Connections and Resources" on page 54).

Note: Application identities are selected from a predefined list in SecureApp and therefore cannot be created manually.

Creating Servers

Servers are network resources that you can add to the source or destination of a connection to define the connection traffic. When you define a server or server group, it is associated with your application. Other application owners can add these servers to connections for their applications from the Applications resources, or they can connect to your application interfaces (see "Building Interfaces to an Application" on page 104). (The application interface defines the connections that other application owners must use to connect to your application.)

You can define either:
- A server that represents a host or group of hosts, defined as one of:
  - Host - A single IPv4 or IPv6 address
  - IP range - A range of IPv4 or IPv6 addresses defined by start and end addresses
  - Subnet - A subnet of IP addresses
  - Virtual server - A server, or load balancer, monitored by SecureTrack and defined by a Virtual IP; the server reroutes traffic to a group of servers, or virtual-server group members, that can equally process that traffic. When you add a virtual server to the source of a connection, tickets opened for that connection allow traffic from the IP addresses of the virtual server group members. When you add a virtual server to the destination of a connection, tickets opened for that connection allow traffic to the virtual IP address of the virtual server.

- A server group that contains a list of server members that are already defined in SecureApp. In order to make changes to connections, it may be easier to add server groups to the connections. In this way:
  - You can change a list of group members without adding or removing the group object from the connections that use it.
  - When you create a ticket, the ticket includes all firewall changes that need to be implemented as a result.
  After you add a server to connections, you can also replace that server with a group (see "Changing a Connection by Editing Server Group Membership" on page 101).

To define a new server or server group for an application:
1. From the list of applications, click on the application that the server is associated with. The application connectivity is shown.
2. In Resources, click on Servers to see the servers in your application.
   Note: To define a new server for a different application, you can click on Applications and select the application that the server is associated with.
3. Click the add icon and select either New server or New server group.
4. Enter the details for the server or server group.
   - Server - Select the type of server (IP range, Host, Subnet or Virtual server). The server can represent:
     - Host - a single IP address. You can enter the DNS name as the Name and click the resolve icon to automatically fill in the IP address, or you can enter the IP address and click the resolve icon to automatically fill in the DNS name. If you do not have DNS configured, the name is filled in automatically based on the Server Name syntax in Settings > SecureApp Settings.

     - Subnet - a set of IP addresses defined by a network address and subnet mask.
     - IP range - a set of IP addresses defined by a start and end address.
     - Virtual server - a server, or load balancer, with a virtual IP address that reroutes traffic to a group of servers, or virtual-server group members, that can equally process that traffic. You can search for the virtual IP or the IP address of one of the virtual-server group members and select the virtual server to add.
   - Server group - Enter the name and description of the group. You can select the servers to include in the group, or you can click New Server to create a new server and automatically add the new server to the group, or save the group without any servers and add the servers later. After you create a group, to search for members within the group, you can:
     - Select the group from the Resources and click the search icon.
     - View a connection where the group is used and click on the name of the group.
5. Enter the name (mandatory) and IP address of the server.
   Note: When you create a server without an IP address, the new server can be used as a "place holder" to be filled in later by another user. A server without an IP address is shown in SecureApp with the placeholder icon, and a server with an IP address is shown with the server icon. You can then assign the IP address by editing the server details at another time, or copy the IP of another server when you deploy an application (see "Migrating an Application to a Different Environment" on page 108).
6. Click Save.

You can now add the server or server group to a connection, or select the server or server group and click the edit icon to change the details.

To define a cloud resource for an application:

VM instances are added as server resources when they are associated with an application. See Auto-Associate Cloud Resources (see "Auto-Associate Cloud Resources" on page 81) or Manually Associate a Cloud Resource (see "Manually Associate a Cloud Resource" on page 83) for details.

Cloud resources associated with an application display as server resources with the cloud icon. The state of the instance is displayed, as follows:
- Instance is active
- Instance is inactive. If the name of the instance is shown with strikethrough font, then the instance has been terminated in the cloud or monitoring of that instance was removed from SecureTrack.

Note: The icon does not identify connectivity status. It identifies only the state of the instance.

Select the cloud instance and click the edit icon to change the details.

Creating Users

You can add users to the source or destination of a connection.

To define a new user or user group:
1. In Applications, click on an application.

   The application connectivity is shown.
2. In the list of resources, click on Users to open the list of users available to all applications.
3. Click the add icon and select either:
   - New local user - a user that you can associate with a specific IP address
   - New LDAP user - a user account in an LDAP server
     Note: Because SecureApp does not connect to an LDAP server in this version, the LDAP user is not associated with an IP address. Therefore, in SecureChange, if the access request has been configured in the workflow to show User from Palo Alto Networks devices, then when you open a ticket for a connection that uses an LDAP user, the LDAP user name is shown in the User field of the access request. If not, then the LDAP user is not included in the ticket.
   - New user group - a group that can include users and LDAP users
4. Enter the details for the user or user group.
   - User - Enter the name and IP address of the user.
   - LDAP user - Enter the name of the user.
   - User group - Enter the name and description of the group, and select the local or LDAP users to include in the group. You can also click New Local User or New LDAP User to create a new user and automatically add the new user to the group. After you create a group, to search for members within the group you can either:
     - Select the group from the Resources and click the search icon.
     - View a connection where the group is used and click on the name of the group.
5. Click Save.

You can now add the user or user group to a connection, or select the user or user group and click the edit icon to change the details.

Creating Services
SecureApp includes a comprehensive list of pre-defined services. You can also add custom services to use in connections. A custom service can be added to the global list, available to all applications, or to the local list, available only to the current application.
For example, an application often uses a specific port that no other application uses. You need a custom service for that application, but there is no reason to offer it when creating connections for other applications, so you create it as a local service. You can also create a service group in the application's local list. After creating a local service or service group, you can select it when defining connections for this application, but it is not included in the global list of services that all applications can use.
Note: Application identities are also used to connect sources and destinations, but they are selected from a predefined list in SecureApp and are not created manually.
To define a new service or service group:
1. In Applications, click on an application. The application connectivity is shown.
2. In the resources list, click Services to open the list of services available to all applications.
3. Click the Global or Local tab, depending on whether you want the new service or service group to be available to all applications or only to the current application.
4. Click and select either New to create a new service or New group to create a new service group.
5. Enter the details for the service or service group.

- New service - Enter the name, protocol, port number, timeout value in seconds (optional) and description of the service.
- New service group - Enter the name and description of the group, and select the services to include in the group. You can also click New Service to create a new service and automatically add it to the group.
Note: When you add a new local service group, both global and local services are listed and can be selected for the group. When you add a new global service group, only global services are listed, so a global group cannot contain local services.
After you create a group, to search for members within the group you can either:
- Select the group from the Resources and click.
- View a connection where the group is used and click on the name of the group.
6. Click Save.
You can now add the service or service group to a connection.
Note: User-defined global services can be edited only while they are not part of a connection in any application. Local services can always be edited. Predefined global services cannot be edited.

Self-Service Application Access
In certain cases, users who are not application owners or editors may require specific types of access to an application. For example:
- An end user may require web access to sensitive applications that have access control at the network level.
- Developers who use an external API may need to pull data from servers that are protected by firewalls.
- A system administrator who is not on the application team may need to access an application server to perform maintenance operations.

The types of access users need are usually known in advance. The application owner can define this connectivity in SecureApp and then let users submit application access requests through a designated portal, the Application Access Portal.
To allow users to request access to applications:
1. You define access to an application with a self-service group.
2. A user requests access from the Application Access Portal.
3. You process the request for access.

Defining Access to an Application
To make an application accessible to users, the application owner first defines the allowed connectivity. This involves two main operations:
1. Creating a server group that users can ask to join.
2. Adding this server group to connections that are part of the requested application.
For example, users may request access to the Access application. In this case, the application owner defines a group called Users, to which users can be added. Next, the owner adds this group to the Source field of the Access connection that has the company's server in its Destination field.
To define access to an application:
1. Define a server group that users can ask to join:
a. In the Resources panel, go to the Servers list and either:

- Create a new server group: Click and select New group from the menu.
- Edit an existing server group: Select the group and click.
b. Define the group details.
Note: The details you define here are displayed in the Application Access Portal. This information helps users choose the type of access to request.
Name - Enter the name that you want users to see in the Application Access Portal as the Access Type.

Comment - Enter the text that you want users to see in the Application Access Portal as the Access Type Description.
Options - Select Allow requests to join this group from the Application Access Portal. Through the Application Access Portal, users can then request access to connections that include this group.
Note: Place a link to the Application Access Portal on an intranet site that requesters use to submit requests, or send them the link by email. The URL for the Application Access Portal is:
cationaccess/applicationaccessportal.seam?clear=1
where <SecureApp_IP_Address> is the IP address of your SecureApp server. This URL is also shown as the Application Access Portal link in the New Group and Edit Group windows.
c. Click Save.
In the list of servers, this group is shown with a group icon that has a black arrow, indicating that users can ask to join it.
2. Add the new group to the Source fields of the connections you want to make available to users, and then click Save Connections.
3. Make sure that all requesters have a SecureApp user account. If not, create these users (see "Adding Users" on page 28).
4. Allow users to view the Application Access Portal, used to submit access requests: Go to Settings > Users > Permissions, and select View application access portal.
5. To customize the automatic notifications that SecureApp sends when application access requests are submitted and processed, go to Settings > Mail Notifications and edit these templates as needed:

- Requested access to application (to owner) - sent to the application owner when a user submits a new application access request through the Application Access Portal. The application owner must review the request and either approve or reject it. If the owner approves the request, the next step is to open a ticket that specifies the required firewall updates.
- Requested access application submitted (to requester) - sent to the requester after submitting a new application access request through the Application Access Portal. This notification confirms that the request has been received.
- Request to access application completed - sent to the requester once the application can be accessed, that is, after the application owner approves the request and the ticket specifying the required firewall updates is completed.
- Request to access application rejected - notifies the requester that the application access request has been denied, and suggests contacting the application owner for more information.
For detailed instructions on using mail notifications, see Customizing Mail Notifications in the SecureChange User Guide.
The connections to which you added the group are now available through the Application Access Portal, and users can submit requests to access the application.

Requesting Access to an Application
Users request access to applications by going to the Application Access Portal, searching for the relevant application and submitting an access request.
Note: External users reach the Application Access Portal through its URL. Place a link to the Application Access Portal on an intranet site that requesters use to submit requests, or send them the link by email.
To request access to an application:
1. Go to the Application Access Portal at:
tionaccess/applicationaccessportal.seam?clear=1

where <SecureApp_IP_Address> is the IP address of your SecureApp server. This URL is also shown as the Application Access Portal link in the New Group and Edit Group windows.
2. To search for the applications that you want to access, enter free text in the Search field and click. The search matches text that appears in:
- Application Name
- Access Type (the group name defined in SecureApp)
- Access Type Description (the group comment defined in SecureApp)
3. Select the Access Type that you need. The Application Access Portal automatically completes the request details in the bottom pane:

- The Access Type and Access Type Description are set by the selected search result.
- IP address shows the name of the computer you are using to submit the request. If the DNS server configured in the operating system cannot resolve the hostname, it shows the computer's IP address. You can enter a different hostname, IP address, subnet or range, as needed.
4. Enter a Comment to explain why you require access to this application.
5. Click Submit. A confirmation message shows that the access request was submitted and gives you a Confirmation ID. You also receive an email notification.
6. To request another access type or access to another application, click Return to Application Access Portal.

Processing Self-Service Requests
When a user submits a self-service request, the application owner receives an email notification and must process the request.
To process a self-service request:
1. In SecureApp, select the application specified in the notification and display its Connectivity view.
2. To review requests for access, click the button. The Requests for application access window shows all pending requests.
3. To handle a request, select it from the list, review its details and then click to approve it or click to reject it. Because the requester can enter any hostname, IP address, subnet or range as the source, check that the requested source is no wider than the access the requester actually needs before approving. The Action column of the request shows whether it is approved or rejected. To remove the specified Action, click Clear.
4. To execute the specified Action, click Save. If the request is approved, SecureApp creates a server object that represents the IP address in the request and adds it to the group indicated by the request's Access Type; the object is shown in the Servers list. If the request is rejected, SecureApp sends the user an email notification that the request was denied.
5. Click Create Ticket. The ticket is automatically filled with the details of the request for access.

6. Click Submit to submit the ticket in order to update the firewall rules and allow this user to access the requested application. The ticket now moves through the steps of the selected workflow. After the ticket is closed by the ticket handler:
- If the ticket is completed, the firewall allows this user to access the application and SecureApp sends the user an email notification that the request has been approved.
- If the ticket is rejected, SecureApp sends the user an email notification that the request has been denied.

Decommissioning Servers
When you take a server out of the network, you must also delete it from your network devices so that rules do not keep allowing access for an address that no longer belongs to that server. You can delete the server from your Resources panel and then create a ticket to remove all firewall access associated with it. To see which connectivity depends on the server, review the impact of decommissioning the server (see "Reviewing Impact of Decommissioning Servers" on page 75) before you delete it.
To delete a server:
1. In the Resources panel, select the server from the Servers list.
2. Click to open the delete menu and select Delete. You are notified that this server will be removed from any groups or connections it is part of.
3. Click Yes to confirm the deletion. This removes the server from all connections (local and external) and groups.
4. Create a ticket to request an update of all firewall rules that include the decommissioned server.
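The following Python script is an added example, not part of this guide or of SecureApp. On constructed application data it models what the deletion above removes from groups and connections, and what the impact review in the next section reports, so that the consequences of deleting a server (in particular, a group or a connection side that is left empty) can be seen before the firewall ticket is created. The group and connection data, and the rule of warning about empty groups and connection sides, are this example's own assumptions.

```python
"""Offline model of server deletion and decommissioning impact review.
Added example, not Tufin code; the groups and connections are constructed."""
from copy import deepcopy

# Constructed application data: server groups with their member servers, and
# per-application connections whose sides hold server, group or user names.
GROUPS = {"web-servers": {"web-01", "web-02"}, "db-servers": {"db-01"}}
CONNECTIONS = {
    "Billing": [
        {"name": "users-to-web", "source": ["Users"], "service": ["https"],
         "destination": ["web-servers"]},
        {"name": "web-to-db", "source": ["web-servers"], "service": ["mysql"],
         "destination": ["db-01"]},
    ],
    "Monitoring": [
        {"name": "probe-to-db", "source": ["probe-01"], "service": ["icmp"],
         "destination": ["db-servers"]},
    ],
}


def dependent_groups(server, groups):
    """Groups that list the server as a member."""
    return sorted(g for g, members in groups.items() if server in members)


def impact(server, groups, connections):
    """Map each application to the connections that reference the server,
    either directly or through a group the server belongs to."""
    names = {server, *dependent_groups(server, groups)}
    report = {}
    for app, conns in connections.items():
        hit = [c["name"] for c in conns
               if names & set(c["source"]) or names & set(c["destination"])]
        if hit:
            report[app] = hit
    return report


def replace_server(old, new, groups, connections):
    """Return copies in which `new` stands in for `old` in every group and on
    every connection side, so the defined connectivity survives removing `old`."""
    groups, connections = deepcopy(groups), deepcopy(connections)
    for members in groups.values():
        if old in members:
            members.discard(old)
            members.add(new)
    for conns in connections.values():
        for c in conns:
            for side in ("source", "destination"):
                c[side] = [new if o == old else o for o in c[side]]
    return groups, connections


def decommission(server, groups, connections):
    """Return copies with the server removed from every group and connection,
    plus warnings for each group or connection side left empty: such a
    connection no longer describes the traffic it was created for and should
    be reviewed before a firewall ticket is created from it."""
    groups, connections = deepcopy(groups), deepcopy(connections)
    warnings = []
    for g, members in groups.items():
        members.discard(server)
        if not members:
            warnings.append(f"group {g} is now empty")
    for app, conns in connections.items():
        for c in conns:
            for side in ("source", "destination"):
                c[side] = [o for o in c[side] if o != server]
                if not c[side]:
                    warnings.append(f"{app}/{c['name']}: {side} is now empty")
    return groups, connections, warnings


if __name__ == "__main__":
    print(impact("db-01", GROUPS, CONNECTIONS))
    print(decommission("db-01", GROUPS, CONNECTIONS)[2])
```

Running the script shows that db-01 is used by a Billing connection directly and by a Monitoring connection through the db-servers group, and that deleting it outright leaves that group and the Billing destination empty; replacing it with another server first keeps both connections intact.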

Reviewing Impact of Decommissioning Servers
When you decommission a server, you can see the details of where the server is used. To mitigate the impact, you can replace the server or move it to another application. This makes sure that all defined connectivity is maintained after the server is decommissioned and removed from the firewall rules.
To decommission a server:
1. In the Resources panel, select the server from the Servers list.
2. Click to open the delete menu and select Decommission.
3. Review the list of applications that use the selected server.

You can click (Export) to export a list of the dependencies in CSV format, including affected connections, dependent servers, dependent groups and affected interfaces.
4. Click Show Details to see the list of connections and interfaces that use the selected server.
- To filter the connections and interfaces by application, select the application from the list of applications.
- To move the selected server to another application, click Move server and select the application to move the server to. After you move the server, the list of connections and interfaces that use it is updated.
- To replace the server in all connections with another server or server group, click Replace server and select a server from another application to replace the selected server. After you replace the server, the list of connections and interfaces that use it is updated.

- To remove the server from the connections and interfaces, click Decommission.

Importing and Exporting SecureApp Data
When you start working with SecureApp, or when you need to create a large number of servers, server groups and connections, you can use the SecureApp API to create your applications efficiently: you download a Microsoft Excel template from your SecureApp server, enter the details of your servers, server groups and connections, and then upload the spreadsheet to SecureApp to create them.
You can also use the SecureApp REST API to export application data from SecureApp. For more about the SecureApp REST API, see the TOS Developer's Guide.

Importing Data into SecureApp with the Application Setup Tool
To import server, server group and connection data into SecureApp:
1. Go to this URL to download the Import Application Template:
pository/import_applications/download_template
2. Enter the server, server group and connection details in the template file as described below.

3. Go to this URL to upload the Excel file and its contents into SecureApp:
pplications/upload

Building the Template File
The template file includes four sheets: servers, services, connections and application identities.
Servers - In the servers worksheet you define servers with IP addresses and groups with their members. The columns are:
id - The import ID of the server or group. Enter the ID of a server in the members column of the servers worksheet to add that server to a group; enter the ID of a server or group in the source or destination column of the connections worksheet to add it to a connection. Error messages from the import process cite these IDs to help you find the line in the file to fix. Note: This is not the object ID used in the REST APIs.
name - The name shown in SecureApp for the server or group. Note: If a server or server group with the same name already exists when you upload the file, it is replaced by the server or server group defined in the import file.
details - One of: a single IP address (a single server); <start_ip>-<end_ip> (an IP range); <IP>/<mask> (a subnet); or the word 'group' (a group, whose members you list in the members column).
comment - The comment shown in SecureApp for the server or group.
members - The import IDs of the servers that are members of the group, separated by semicolons.
application name - The application in which the server or group is created.
customer - (Multi-domain only) The customer that the application belongs to.
Services - The services worksheet lists all of the predefined services in SecureApp. Enter the ID of one or more services in the service/application identity column of the connections worksheet to add them to a connection.
Connections - In the connections worksheet you define connections between servers or server groups. The columns are:
id - The import ID of the connection. Error messages from the import process cite these IDs to help you find the line in the file to fix. Note: This is not the connection ID used in the REST APIs.

name - The name shown in SecureApp for the connection. Note: If a connection with the same name already exists when you upload the file, the details in the import file are added to the existing connection rather than replacing it.
comment - The comment shown in SecureApp for the connection.
application name - The application in which the connection is created.
source IDs - The import IDs of the servers or server groups in the source of the connection.
service / application identity IDs - The IDs of the services or application identities in the service of the connection.
destination IDs - The import IDs of the servers or server groups in the destination of the connection.
Application Identities - The application identities worksheet lists all of the predefined application identities in SecureApp. Enter the ID of an application identity in the service/application identity column of the connections worksheet to add it to a connection.

Managing Cloud Resources
The cloud console gives you automated visibility into your cloud environment, displaying detailed information about every VM that is not associated with an application. The information displayed includes Vendor (an icon identifying the cloud vendor), Hostname, VPC Name, Type, Status, IP, Security Groups, Tags, Region and Availability Zone. If multi-domain mode (see "Enabling Multi-Domain in SecureApp" on page 39) is enabled, the cloud console also includes a filter that lets you display cloud resources for a specific customer.
The page is initially empty. Enter a search term to display the cloud resources you want to view and manage.
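As an added example that is not part of this guide or of the Application Setup Tool, the following Python script checks an import file built as described under Building the Template File above before it is uploaded: that every member, source, destination and service ID resolves to a row or a predefined service, that each details cell is a valid address, range, subnet or the word 'group', and that a server name does not collide with an object already in SecureApp (which the upload would replace). The rows, the service IDs and the check rules are constructed for the example; they are not taken from a real template.

```python
"""Offline consistency check for a SecureApp import template.
Added example, not Tufin code: the rows are constructed, the column names
follow the guide, and the rules applied are this example's own."""
import ipaddress

# Constructed rows from the servers sheet; 'id' is the import ID used for cross-references.
SERVERS = [
    {"id": "s1", "name": "web-01", "details": "10.0.1.10", "members": "", "application name": "Billing"},
    {"id": "s2", "name": "web-02", "details": "10.0.1.11", "members": "", "application name": "Billing"},
    {"id": "s3", "name": "db-subnet", "details": "10.0.2.0/24", "members": "", "application name": "Billing"},
    {"id": "g1", "name": "web-servers", "details": "group", "members": "s1;s2", "application name": "Billing"},
    {"id": "s4", "name": "bad-range", "details": "10.0.3.20-10.0.3.10", "members": "", "application name": "Billing"},
    {"id": "g2", "name": "broken-group", "details": "group", "members": "s1;s9", "application name": "Billing"},
]
# Constructed IDs standing in for the predefined services sheet.
SERVICES = {"svc-https": "https", "svc-mysql": "mysql"}
# Constructed rows from the connections sheet.
CONNECTIONS = [
    {"id": "c1", "name": "web-to-db", "application name": "Billing", "source IDs": "g1",
     "service / application identity IDs": "svc-mysql", "destination IDs": "s3"},
    {"id": "c2", "name": "half-defined", "application name": "Billing", "source IDs": "s1",
     "service / application identity IDs": "svc-ldap", "destination IDs": "s9"},
]


def split_ids(cell):
    """IDs in a cell are semicolon-separated."""
    return [p.strip() for p in cell.split(";") if p.strip()]


def check_details(details):
    """Return None when `details` is a valid IP, <start>-<end> range, <IP>/<mask>
    subnet or the word 'group'; otherwise return the reason it was rejected."""
    if details == "group":
        return None
    try:
        if "-" in details:
            start, end = (ipaddress.ip_address(p.strip()) for p in details.split("-", 1))
            if start.version != end.version:
                return "range mixes IPv4 and IPv6"
            return None if start <= end else "range start is after range end"
        if "/" in details:
            ipaddress.ip_network(details, strict=False)  # host bits set in the address are tolerated
            return None
        ipaddress.ip_address(details)
        return None
    except ValueError as err:
        return str(err)


def validate(servers, services, connections, existing_names=frozenset()):
    """Return (sheet, import_id, problem) tuples; an empty list means every reference
    resolves. `existing_names` are server names already in SecureApp: a matching name
    in the file replaces that object on upload, which deserves a warning first."""
    problems = []
    by_id = {}
    for row in servers:
        if row["id"] in by_id:
            problems.append(("servers", row["id"], "duplicate import id"))
        by_id[row["id"]] = row
    for row in servers:
        sid, details = row["id"], row["details"].strip()
        reason = check_details(details)
        if reason:
            problems.append(("servers", sid, f"bad details '{details}': {reason}"))
        members = split_ids(row.get("members", ""))
        if details == "group":
            if not members:
                problems.append(("servers", sid, "group has no members"))
            for m in members:
                if m not in by_id:
                    problems.append(("servers", sid, f"unknown member id {m}"))
                elif by_id[m]["details"].strip() == "group":
                    problems.append(("servers", sid, f"member {m} is a group; members must be servers"))
        elif members:
            problems.append(("servers", sid, "members given for a row that is not a group"))
        if row["name"] in existing_names:
            problems.append(("servers", sid, f"name '{row['name']}' exists and will be replaced"))
    for row in connections:
        cid = row["id"]
        for column, known in (("source IDs", by_id), ("destination IDs", by_id),
                              ("service / application identity IDs", services)):
            refs = split_ids(row.get(column, ""))
            if not refs:
                problems.append(("connections", cid, f"{column} is empty"))
            for ref in refs:
                if ref not in known:
                    problems.append(("connections", cid, f"unknown id {ref} in {column}"))
    return problems


if __name__ == "__main__":
    for problem in validate(SERVERS, SERVICES, CONNECTIONS, existing_names={"web-01"}):
        print(*problem, sep=": ")
```

For a real file, read the sheets into the same list-of-dict shape (one dict per row keyed by the column headers) and pass the names of servers already present in SecureApp as `existing_names`; a clean result means the upload will not fail on dangling IDs and will not silently replace an existing object.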

What can I do?
- Search (see "Search Cloud Resources" on page 84) for instances - Enter a search term and click. Supported search fields: hostname, tag. Click to display search syntax information.
- Auto-Associate Cloud Resources (see "Auto-Associate Cloud Resources" on page 81) - Automatically associate VM instances with a SecureApp application.
- Manually Associate a Cloud Resource (see "Manually Associate a Cloud Resource" on page 83) - Manually associate a single VM instance with a SecureApp application.
- Filter by customer - (if multi-domain mode is enabled) Select the specific customer.
- View Cloud Console Manager - Click on the hostname of a cloud device to display its console manager.
- Sort - Click on a column header to toggle sorting in ascending or descending order.
Navigate to this page
To navigate to the Cloud Console:
1. In SecureApp, click Cloud Console. The Cloud Console appears.

Auto-Associate Cloud Resources
The auto-associate feature lets you automatically associate VMs with a SecureApp application by specifying which VM tag contains the name of the SecureApp application. When a new VM is created, SecureApp looks for the specified tag and automatically associates the new VM with the application named in the tag's value.
The auto-associate button shows whether auto-associate is currently enabled:
- currently enabled
- currently not enabled
When auto-associate is first enabled, SecureApp checks all existing instances for the specified tag. Each existing VM instance with the specified tag is associated with the named SecureApp application. If the application is not already listed in SecureApp, it is created. If a decommissioned application of the same name exists in SecureApp, the association fails. If multi-customer mode is enabled but the application exists for a different customer, the association fails.
Servers that have been deleted from the resources of an application are not re-added later by auto-associate. You can add the association manually.
Every server in SecureApp requires a unique name. If you import a server with a name that is not unique in SecureApp, SecureApp adds a number to the end of the name to ensure uniqueness.
When multi-domain is enabled, if a VPC is detached or migrated to a different domain, the instance is terminated in SecureApp.
Because the association is driven entirely by the tag value, anyone who can set that tag on instances in the monitored cloud account can attach instances to an existing application or cause a new application to be created in SecureApp. Restrict who can write that tag, and review applications that auto-associate creates.
Prerequisites
Note: Make sure that you have enough licenses available in your SecureApp Bundle for the number of SecureApp applications you plan to use. Contact your Tufin representative if you have licensing questions.
Procedure
To enable auto-associate:

1. Click. The Auto-associate dialog appears.
2. Enter the desired tag name.
3. Select Enable auto-association.
4. Click.
To disable auto-associate:
1. Click. The Auto-associate dialog appears.
2. Clear the Enable auto-association checkbox.
3. Click.
To delete the auto-associate tag name:

1. Click. The Auto-associate dialog appears.
2. Delete the Tag Key entry.
3. Clear the Enable auto-association checkbox.
4. Click.

Manually Associate a Cloud Resource
You can manually associate VM instances with a SecureApp application.
Every server in SecureApp requires a unique name. If you import a server with a name that is not unique in SecureApp, SecureApp adds a number to the end of the name to ensure uniqueness.
When multi-domain is enabled, if a VPC is detached or migrated to a different domain, the instance is terminated in SecureApp.
Prerequisites
Note: Make sure that you have enough licenses available in your SecureApp Bundle for the number of SecureApp applications you plan to use. Contact your Tufin representative if you have licensing questions.
Procedure
To manually associate one or more cloud resources:
1. Select a VM instance. Ctrl-click to select multiple instances.

2. Click. The Auto-associate dialog appears.
3. Select the desired tag name.
4. Click.

Search Cloud Resources
The Cloud Console (see "Managing Cloud Resources" on page 79) lets you search for specific VM instances to display. If no field is specified, all fields are searched. The search syntax and supported fields are:
- text1 - Returns VMs where text1 is found in any field (case-sensitive)
- "<text>" - Returns VMs with the exact phrase in any field, for example: "dns server" (case-insensitive)
- <fieldname>:<text> - Returns VMs with the text in the specified field, for example: tag:key. Supported field names are: hostname, tag. If you specify more than one field in the search, only VMs matching all of the field values are shown.
- hostname:<text> - Returns VMs whose hostname contains the specified text (case-insensitive)
- tag:<key>/<value> - Returns VMs with a tag key matching <key> and a tag value matching <value> (case-insensitive). You can search for a tag key only (for example: tag:key) or a value only (for example: tag:/value).
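The following Python script is an added example, not Tufin code, that implements the search syntax above over a few constructed VM records, including the AND of several field terms and the key-only and value-only tag forms. Where the guide says a value "matches", the example assumes a whole-value, case-insensitive comparison for tag keys and values and a substring comparison for hostnames; the record fields mirror the Cloud Console columns.

```python
"""Offline model of the Cloud Console search syntax.
Added example, not Tufin code; the VM records are constructed, and tag
matching is assumed to compare whole values, case-insensitively."""
import re

# Constructed records with the columns the Cloud Console displays.
VMS = [
    {"hostname": "dnsapp-01", "vpc_name": "prod-vpc", "type": "t3.small", "status": "running",
     "ip": "10.1.0.10", "security_groups": ["sg-dns"], "region": "eu-west-1",
     "availability_zone": "eu-west-1a", "tags": {"Role": "infrastructure", "App": "Billing"}},
    {"hostname": "DNSAPP-02", "vpc_name": "prod-vpc", "type": "t3.small", "status": "stopped",
     "ip": "10.1.0.11", "security_groups": ["sg-dns"], "region": "eu-west-1",
     "availability_zone": "eu-west-1b", "tags": {"Role": "Infrastructure"}},
    {"hostname": "web-01", "vpc_name": "DNS Server VPC", "type": "t3.medium", "status": "running",
     "ip": "10.2.0.5", "security_groups": ["sg-web"], "region": "us-east-1",
     "availability_zone": "us-east-1a", "tags": {"Role": "frontend", "App": "Billing"}},
]

# A term is either a "quoted phrase" or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_query(query):
    """Split a query into (kind, argument) terms: any, phrase, hostname or tag."""
    terms = []
    for phrase, word in _TOKEN.findall(query):
        if phrase:
            terms.append(("phrase", phrase))
        elif word.lower().startswith("hostname:"):
            terms.append(("hostname", word.split(":", 1)[1]))
        elif word.lower().startswith("tag:"):
            key, _, value = word.split(":", 1)[1].partition("/")
            terms.append(("tag", (key, value)))
        elif word:
            terms.append(("any", word))
    return terms


def _fields(vm):
    """Every searchable string in a record; tag keys and values are searched too."""
    for name, value in vm.items():
        if name == "tags":
            for key, val in value.items():
                yield key
                yield val
        elif isinstance(value, list):
            yield from value
        else:
            yield str(value)


def _matches(vm, kind, arg):
    if kind == "any":        # free text: case-sensitive substring of any field
        return any(arg in f for f in _fields(vm))
    if kind == "phrase":     # "quoted": exact phrase, case-insensitive, any field
        return any(arg.lower() in f.lower() for f in _fields(vm))
    if kind == "hostname":   # hostname:<text>: hostname contains text, case-insensitive
        return arg.lower() in vm["hostname"].lower()
    key, value = arg         # tag:<key>/<value>: either part may be empty
    return any((not key or key.lower() == k.lower()) and
               (not value or value.lower() == v.lower())
               for k, v in vm["tags"].items())


def search(query, vms=VMS):
    """Hostnames of the VMs matching every term of the query (terms are ANDed)."""
    terms = parse_query(query)
    return [vm["hostname"] for vm in vms
            if all(_matches(vm, kind, arg) for kind, arg in terms)]


if __name__ == "__main__":
    print(search("hostname:dnsapp tag:/infrastructure"))
```

Note the asymmetry the syntax defines and the script reproduces: a bare word is case-sensitive, so `dnsapp` finds only `dnsapp-01`, while `hostname:dnsapp` also finds `DNSAPP-02`.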

For example, the following search displays all VM instances whose hostname contains "dnsapp" and that also have a tag whose value is "infrastructure":
hostname:dnsapp tag:/infrastructure
Procedure
To search for instances:
1. Enter the search criteria.
2. Click.

Managing Connections
Application connectivity includes each network connection that the application needs. To build the connectivity requirements for the application, you add connections and then add resources to the source, service and destination of each connection.
For the Source, you can add:
- Servers (see "Creating Servers" on page 60) and server groups that are defined for the application (hosts, subnets, IP ranges and load-balancer virtual servers)
- Network resources that are defined for external applications (see "Managing External Applications" on page 102)
- Users or user groups (see "Creating Users" on page 63)
- Any
For the Service/Application Identity, you can add:
- Pre-defined services
- Custom services (see "Creating Services" on page 65) or service groups
- Application Identities
- Any
For the Destination, you can add:
- Servers (see "Creating Servers" on page 60) and server groups that are defined for the application (hosts, subnets, IP ranges and load-balancer virtual servers)
- Network resources that are defined for external applications (see "Managing External Applications" on page 102)
- Any

If you have a large number of connections, you can configure how many connections (see "Configuring SecureApp Settings" on page 26) are shown on each page. You can enter the page to go to, or click Next or Prev to navigate the connection pages.
Note: To let users create connections that use servers from other applications in both the source and destination, the administrator must enable this permission in Settings > SecureApp Settings: Allow users to create connections with external resources in both source and destination.
What can I do on this page?
On this page you can:
- Create a connection (see "Defining New Connections" on page 88), an application interface (see "Building Interfaces to an Application" on page 104), or a connection to an application (see "Creating a Connection to Application" on page 107)
- Edit the connection - Add resources manually (see "Adding Resources to Connections Manually" on page 89) or with connection discovery (see "Discovering Application Connections and Resources" on page 54), remove resources from the connection, or change the list of members in a group that is used in the connection (see "Changing a Connection by Editing Server Group Membership" on page 101). In the connection, click for these actions:
  Edit connection name and comment - Select Properties to edit the name or comment of the connection.
  Duplicate connection
  Repair connection (see "Repairing Connections" on page 97)
  Delete connection - Remove the connection and its details from the application
- Publish connections - If you have application interfaces or application packs (see "Creating an Application or Application Pack" on page 47), click to publish the connections to the application pack to make them available for use. If a new connection

is added or a connection is deleted, you must republish for the changes to update other applications.
Note: Every connection in the application pack must have a tag associated with it so it can be published.
- Check connection compliance (see "Checking Security Compliance" on page 94) - Verify whether the connection complies with organizational security policies, based on the SecureTrack Unified Security Policy. (Requires the View security compliance violation permission (see "Assigning Roles to Users" on page 34).)
- Sort the connections - You can sort the connections by Name, Date created, Date modified, Status, Tickets, Application, Discovered (discovery status) or Comments. Select the criterion from the Sort by dropdown box and click the ascending or descending arrow.
- Search in the connections - Enter one or more application connection search terms (not case-sensitive) to show only the matching connections, external connections, application interfaces, connections within an application interface, and connections to applications.
- Review the connection status - See whether the connection is connected or blocked. This requires the View connection status permission (see "Assigning Roles to Users" on page 34). Click the status to see a detailed analysis of the routing and firewall rules that affect the connection. This requires the Run connection status analysis permission (see "Assigning Roles to Users" on page 34).
- Create Ticket - If you have a license for SecureChange (see "SecureChange and SecureApp Licensing" on page 17), you can create a SecureChange ticket (see "Implementing Connections with SecureChange" on page 114) to implement the changes to the connections that you made since the last time you created a SecureChange ticket. If you do not have a license for SecureChange, you can click View Ticket to see the connections in an access request format. You can then export the ticket contents to a CSV file and forward the access request details to the team responsible for implementing firewall changes.

- Handle Rejected Tickets (see "Handling Rejected Tickets" on page 123) - Click to handle a rejected ticket.
How do I get here?
Applications > Create an application or select an existing application

Defining New Connections
Each connection is built from servers, users, application identities and services, and represents the traffic that firewalls must allow for the application to work. If you already have a connection that uses resources similar to the one you want to build, you can duplicate it and change the copy.
To define a new connection for an application:
1. In Applications, click on the application for which you are defining a connection. The list of application connections is shown.
2. Click to add a new connection for the application.
3. Select the Type of connection.
4. Enter a name for the new connection. You can also add a comment to describe the connection.
5. Click Save.
To duplicate a connection:

1. Find the connection that you want to duplicate.
2. In the connection, go to and select Duplicate connection.
3. You can edit the name of the new connection. It is automatically given a default name made up of the original connection's name, "copy" and a number.
4. Click Save.
New connections are always added to the top of the list. You can use the Sort by menu to change the order of the connections.

Adding Resources to Connections Manually
Each connection is built from servers, users, services and groups, and represents the traffic that firewalls must allow for the application to work.
To edit a new or existing connection for an application:
Source or Destination: Drag and drop servers from the Resources panel to the source and destination of the connection.
Note: When you type in the search box, the list is filtered by name or IP address.
You can add servers from the current application (Servers) or from another application (Applications):
- Servers: Drag and drop servers that are defined for the application (see "Managing Resources" on page 53) or the Internet object from the Servers tab.

The Internet object includes all public IP addresses except for addresses that are defined in other SecureTrack zones. If you do not have SecureTrack zones defined, the Internet zone is treated as ANY.
- Applications: Add servers that are associated with other applications (see "Managing External Applications" on page 102). To allow connections that use servers from the same domain but from another application, an administrator has to set the permission in Settings > SecureApp Settings by selecting Allow users to create connections with external resources in both source and destination.

Service/Application Identities: Drag and drop from the Resources panel to the connection's service.
Note: When you type in the search box, the list is filtered by name or port number.
- Services: A list of predefined services.
- Application Identities: A list of predefined application identities.

To remove a resource from the connection, or to remove an entire connection:
1. To remove a single resource from the connection, hover over the resource in the connection and click the remove icon.
2. To remove all of the resources in a field, hover over the field box and click the remove icon.
3. To remove the entire connection, click the status icon of the connection and click Delete connection.

After you finish editing the connection, you can create a SecureChange ticket (see "Creating SecureChange Tickets" on page 117) to implement the changes. Also, any firewall rules that partially match the defined connections are automatically marked in the SecureTrack Policy Browser with the name of the application and the application owner.
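The "Internet" object is worth pinning down before you put it in a connection, because what it expands to depends on which SecureTrack zones exist: with no zones it is ANY, otherwise it is public address space minus every address some other zone already claims. The following Python is an added illustration of that rule, not Tufin code; the list of non-public blocks it subtracts (RFC 1918, loopback, link-local, CGNAT, multicast and reserved) is an assumption for the example, and the zone subnets passed in are constructed.

```python
"""Model of the SecureApp 'Internet' object: all public IPv4 space except
addresses already covered by other SecureTrack zones.
Added illustration only; not Tufin code."""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Assumption for the example: these blocks are treated as non-public.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "224.0.0.0/3",                                      # multicast and reserved
)]


def subtract(nets: Iterable[IPv4Net], remove: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Return nets minus every network in remove, as a collapsed list.
    CIDR blocks are either nested or disjoint, so only those two cases exist."""
    result = list(nets)
    for r in remove:
        nxt = []
        for n in result:
            if r.subnet_of(n):
                nxt.extend(n.address_exclude(r))  # yields nothing when r == n
            elif n.subnet_of(r):
                continue                           # n is fully removed
            else:
                nxt.append(n)                      # disjoint, keep as is
        result = nxt
    return list(ipaddress.collapse_addresses(result))


def internet_object(zone_subnets: Iterable[str]) -> List[IPv4Net]:
    """Address space the Internet object stands for, given the subnets of the
    other SecureTrack zones. With no zones defined it is ANY (the page's rule)."""
    zones = [ipaddress.IPv4Network(z) for z in zone_subnets]
    if not zones:
        return [ANY]
    public = subtract([ANY], NON_PUBLIC)
    return subtract(public, zones)


def covers(nets: Iterable[IPv4Net], ip: str) -> bool:
    """True if ip falls inside any of the networks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    # Constructed zones: a DMZ on documentation space and an internal RFC 1918 zone.
    nets = internet_object(["203.0.113.0/24", "10.0.0.0/8"])
    for probe in ("198.51.100.5", "203.0.113.7", "10.1.1.1"):
        print(probe, "is Internet:", covers(nets, probe))
```

The practical consequence is the one the page states: a connection whose source is "Internet" means something much broader on a deployment with no zones defined, so check the zone model in SecureTrack before treating an Internet-sourced connection as narrowly scoped.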

Defining Connections Between Domains

When using Interconnected Domains (see "Enabling Multi-Domain in SecureApp" on page 39), you can create connections from an application in one domain to an application interface (see "Building Interfaces to an Application" on page 104) in another domain.

To define a connection between domains:
1. From the application, click the icon to add a new connection for the application.
2. For Type, select Connection to Application.
3. Enter a Name for the new connection. You can also add a Comment to describe the connection.

4. For the Interface, click Browse and select the interface from the other domain (see "Building Interfaces to an Application" on page 104).
5. Click Save. The connection is created with the service and server defined in the other domain. The server is in either the Source or the Destination, depending on how the interface was configured.
6. Drag and drop from the Resources panel to the Add servers box in the new connection.
7. Click Create Ticket.

Adding Connections from the Connectivity Map

The Connectivity Map (see "View Connectivity Map" on page 131) shows a visual model of all the connections to the application, including every cloud instance that is associated with the application and every device that has an explicitly defined connection to the application. You can add a connection to the SecureApp application directly from the Info dialog. All cloud instance connections found during application discovery are listed in the Add Connection dialog.

Procedure

To add an application connection:
1. Click a device element in the application map. The Info window appears.

2. Click the menu icon and select Add Application. The Add Connection dialog appears.
3. Enter the connection information.
4. Click the save icon.

Checking Security Compliance

Before creating a ticket for an application, you can check whether its connections comply with organizational security policies, based on the Unified Security Policy defined in SecureTrack. Verifying the connectivity before submitting the ticket lets you:
- Fix the connectivity so that it is compliant before submitting the ticket, and avoid having the ticket rejected.
- Add a note with an explanation when submitting the ticket, to justify the request.

Note: You need the View security compliance violation permission (see "Assigning Roles to Users" on page 34).

To check the compliance of the application's connections:

Above the connections, click the Compliance button. If all connections have been analyzed successfully and comply with all policies, a message saying so appears in the top right of the window. If one or more connections are not compliant or could not be analyzed, the RISK page opens. You can see the result for each connection. The Connection dropdown box lists the connections in order of severity; select the one that you want to view. Each connection is listed with a square in one of these colors:

- Red: The connection violates at least one policy. A detailed report of the violation(s) is displayed.
- Green: The connection does not violate any configured policies.
- Yellow: The system cannot run a compliance check on this connection. A security compliance check cannot be run when:
  - The connection is incomplete (missing source, target or service).
  - The connection uses an LDAP user as a source.
  - The connection uses an application identity.
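The three outcomes above are easy to reason about once written down as a check that runs before the ticket. The following Python is an added illustration of that logic, not Tufin code: the zone matrix is a constructed stand-in for a SecureTrack Unified Security Policy, and the `kind` field used to mark LDAP users and application identities is an assumed way of modelling those resources. Note the yellow cases are tested first, because a connection that cannot be analyzed must not be reported as green.

```python
"""Pre-ticket compliance check modelled on the SecureApp RISK page colours.
Added illustration, not Tufin code: the policy matrix and sample connections
are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Resource:
    name: str
    kind: str                   # assumed: "server", "internet", "ldap_user", "service", "app_identity"
    zone: Optional[str] = None  # SecureTrack zone of a server or of the Internet object


@dataclass
class Connection:
    name: str
    sources: List[Resource] = field(default_factory=list)
    destinations: List[Resource] = field(default_factory=list)
    services: List[Resource] = field(default_factory=list)


# Constructed policy: (from zone, to zone) -> services that must not be allowed.
# "*" blocks every service between the two zones.
USP_BLOCKED: Dict[Tuple[str, str], Set[str]] = {
    ("Internet", "DMZ"): {"ssh", "rdp"},
    ("Internet", "Internal"): {"*"},
    ("DMZ", "Internal"): {"rdp"},
}

SEVERITY = {"red": 0, "yellow": 1, "green": 2}   # order used by the Connection dropdown


def check_connection(conn: Connection) -> Tuple[str, List[str]]:
    """Return the colour for one connection and the reasons behind it."""
    # Yellow: the three cases in which the page says no check can be run.
    if not (conn.sources and conn.destinations and conn.services):
        return "yellow", ["incomplete connection: missing source, target or service"]
    if any(r.kind == "ldap_user" for r in conn.sources):
        return "yellow", ["source is an LDAP user"]
    if any(r.kind == "app_identity" for r in conn.services):
        return "yellow", ["connection uses an application identity"]
    # Red or green: every source/destination pair is looked up in the zone matrix.
    violations = []
    for src in conn.sources:
        for dst in conn.destinations:
            blocked = USP_BLOCKED.get((src.zone, dst.zone), set())
            for svc in conn.services:
                if "*" in blocked or svc.name in blocked:
                    violations.append(
                        f"{src.name} ({src.zone}) -> {dst.name} ({dst.zone}) on {svc.name}")
    return ("red", violations) if violations else ("green", [])


def check_application(conns: List[Connection]) -> List[Tuple[str, str, List[str]]]:
    """Check every connection and list them by severity, red first."""
    results = [(c.name,) + check_connection(c) for c in conns]
    return sorted(results, key=lambda r: SEVERITY[r[1]])


def all_compliant(conns: List[Connection]) -> bool:
    """True only when every connection was analyzed and came back green."""
    return all(colour == "green" for _, colour, _ in check_application(conns))


# Constructed sample application
INTERNET = Resource("Internet", "internet", "Internet")
WEB = Resource("web-1", "server", "DMZ")
DB = Resource("db-1", "server", "Internal")
HTTPS = Resource("https", "service")
SSH = Resource("ssh", "service")
SAMPLE = [
    Connection("public-web", [INTERNET], [WEB], [HTTPS]),
    Connection("remote-admin", [INTERNET], [WEB], [SSH]),
    Connection("users-to-db", [Resource("dba-group", "ldap_user")], [DB], [SSH]),
    Connection("draft", [WEB], [DB], []),
]

if __name__ == "__main__":
    for name, colour, reasons in check_application(SAMPLE):
        print(f"{colour:6} {name}: {'; '.join(reasons) or 'compliant'}")
```

A yellow result is the one to watch in review: an LDAP-user source or an application identity does not get a policy verdict at all, so the reviewer, not the tool, has to decide whether that access is acceptable before the ticket goes through.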

Repairing Connections

After your connectivity is approved and running properly, network changes may suddenly break a connection or a connection interface. For example, a new firewall rule might block a specific connection.

Note: You can revert changes made to a server, service or group. Deleting a server, service, or group cannot be reverted.

To quickly repair a connection:
1. Detect the connection to be repaired:
   - The Business Owner receives a "Blocked connection notification": an automatic alert with the date and time at which the specified connection was blocked.
   - Any other user who is an editor of the application and has the following permissions (see "Assigning Roles to Users" on page 34) may notice the broken connection and ask to repair it:
     - View My Requests and create requests: A user with this permission can create SecureChange tickets and follow the progress of the ticket in SecureChange > My Requests.
     - View SecureApp and access SecureApp applications: A user with this permission can view existing applications and configure connections for applications that they own or are an editor of.
     - View connection status: A user with this permission can view the connection status icon.
2. Make sure these requirements are met:
   - The Access Request workflow is activated in SecureChange.
   - The disconnected connection meets these requirements:
     - The connection status is disconnected.
     - At least one ticket that requested access for this connection has been closed.
     - The connection has not been edited since the last ticket that allowed it was approved.

     - There are no other open tickets for the application that includes this connection (to verify this, make sure the number shown on the ticket icon is zero).
3. Repair the connection:
   a. In the Connectivity tab, choose one of the following, depending on the connection type:
      - If this is a disconnected connection, open the connection's menu and select Repair connection.
      - If this is a disconnected interface, click the repair icon.
   b. In the New Request window, select the Access Request workflow and click Create.

SecureApp creates a new request that is unique in two respects:
- It concerns a specific connection (as opposed to all connections).
- It requests to restore access that was previously granted (as opposed to approving all changes made throughout the application). The Comment field asks to repair the connection with the specified name, and the Access Request field automatically shows the details of the connection to be repaired.

The ticket is processed as part of the SecureChange workflow. If it is approved, the broken connection is restored.

Using Groups in Connections

To simplify working with servers that have common details, you can replace a server with a server group (see "Replacing a Server with a Group" below). All connections (internal and external) that include the individual server are updated to include the group. In addition, when you want to change the server in a connection, you only have to add the new server to the group (see "Changing a Connection by Editing Server Group Membership" on page 101).

Replacing a Server with a Group

You can replace a specific server with a server group, so that the server becomes a member of the new group. All connections (internal and external) that include the individual server are updated to include the group. You can add other servers to the new group as part of this procedure or after the group is created.

To replace a server with a group:
1. Select the server from the list of resources, click the menu icon and select Replace with group.

2. Define the details of the new group:
   - Enter the group Name (mandatory) and provide a descriptive Comment.
   - In the Options section, check Allow requests to join this group from the Application Access Portal to permit users to request access to applications that use this group (see "Self-Service Application Access" on page 66).
   - Select group members. The server you replaced with this group is the group's default member (you can click Clear to remove it from the group). To include additional servers in the group:
     - Click New Server to define a new server and add it to this group.
     - To filter the list of servers you can add to the group, enter the search criteria and click the search icon.
     - To add an existing server, hover over it in the list of available servers and click Add.

     - To remove the selected servers from the group, click Clear all.
3. Click Replace to perform the replacement and create the new group of servers. The Servers list and all connections that included this server are updated to show the new group, with the server as its member.
4. Click Create Ticket to submit a ticket to implement the changes that result from the new list of group members.

Note: If you allowed users to request to join this group from the Application Access Portal (see "Self-Service Application Access" on page 66), the group icon includes a black arrow.

Changing a Connection by Editing Server Group Membership

To make changes to connections, it may be easier to add server groups to the connections. In this way:
- You can change the list of group members without adding or removing the group object from the connections that use it.
- When you create a ticket, the ticket includes all firewall changes that need to be implemented as a result.

To change the list of members in a group:
1. Select the group from the list of resources and click the edit icon.
2. Add or Clear servers from the list. You can also click New Server to create a new server and add it to the group.
3. Click Save.
4. Click Create Ticket to submit a ticket to implement the changes.

Interconnecting Applications

When an application has connections with an external application, you can connect by using that application as a resource (see "Managing External Applications" below), and also by creating interfaces that allow other applications to connect to yours (see "Building Interfaces to an Application" on page 104).

Managing External Applications

An external application is another application that contains resources that do not belong to the current application. From SecureApp, in addition to the resources in the current application, you can connect to resources in an external application. You can do these tasks without leaving the current application view:
- View the external applications and their servers
- Add the external application's servers to the current application's connections
- Create a new application
- Create a new server or server group in the external application

Note: To let users create connections that use servers from other applications in both the source and destination, the administrator must enable this permission in Settings > SecureApp Settings: Allow users to create connections with external resources in both source and destination.

To manage external applications:
1. In Resources, click Applications.
2. Next to an application's name, click the expand icon to view the servers and server groups included in the application.
3. Drag and drop the servers or server groups to a connection's source or destination.
4. To create a new application:
   a. Click the menu icon and select New Application.

   b. Enter the Name, and select an Owner.
   c. Optionally, enter a Description and Select editors.
   d. Click Save.
5. To add a new server or server group to another application:
   a. Select the application.
   b. Click the menu icon and select New server or New server group.
   c. Enter the details and click Save.

Moving a Server

If you find that an existing server is in the wrong application, you can move it from one application to another. When you move a server, it keeps its original configuration and connections. You do not have to create new tickets, because the server's location has no impact on the firewall rules.

You may need to move a server when:
- You configured servers in one application and decide to move them to separate applications.
- A server was placed in the wrong application.
- A server was found by discovery and you want to move it to another application.

A server cannot be moved if:
- The server belongs to a group.
- The server is used in connection discovery.
- The server is used in an interface.
- You do not have permissions for the other application.

- The move would put an external server on both the source and destination sides of a connection, and the Connection Management setting has been configured to not allow this.

Note: To let users create connections that use servers from other applications in both the source and destination, the administrator must enable this permission in Settings > SecureApp Settings: Allow users to create connections with external resources in both source and destination.

To move a server from one application to another:
1. Select the server from the list of resources, click the menu icon and select Move server.
2. Click the application that you want to move the server to and click Select.

Building Interfaces to an Application

Frequently, other application owners must get access to your application, and it is difficult for them to know exactly which servers to connect to and which services to use. This can occur when:
- You want to connect to servers that are associated with other applications (see "Managing External Applications" on page 102). To allow connections that use servers from the same domain but from another application, an administrator has to set the permission in Settings > SecureApp Settings by selecting Allow users to create connections with external resources in both source and destination.
- You are working in Interconnected Domains mode (see "Enabling Multi-Domain in SecureApp" on page 39) and want to connect to an application in another domain.

You can build an application interface that defines the connections that other application owners must use to connect to your application. The application interface includes the servers and services needed to connect to your application. It also shows other application owners where they need to add their servers in order to build the necessary connections to your application.

To use application interfaces, you must:
1. Create the application interface (see "Building an Application Interface" on page 105):

   a. Create an application interface with a name and an optional comment.
   b. Add interface connections to the application interface that include the servers and services needed to access the application.
   c. Publish the application interface to make it available to other applications.
2. In another application, create the connection to the application interface (see "Creating a Connection to Application" on page 107):
   a. Other application owners create connections to the application in their own applications and select the necessary application interface.
   b. Application owners add their servers to the connection to the application and open a ticket to allow the access.

For example, all websites in your organization must connect to a database. The database application requires that the web server connect to the database server and to a user authentication server. As the database application owner, you can build an interface that includes a connection to the database server with the correct services, and another connection to the user authentication server. Now any website owner in your organization can use the interface that you created to add the necessary connections; the website owner only needs to add the web servers that are used in the website.

Building an Application Interface

To enable servers from other applications (and, in multi-domain environments, servers from other domains) to connect to servers in your application, you need to create an application interface.

Note: Only users that have a role (see "Assigning Roles to Users" on page 34) with the Create and edit application interfaces permission can build, change or publish application interfaces.

To build an application interface:
1. In your application, click the add icon.

2. In the Type list, select Application interface and enter the name of the interface. Other application owners identify the interface they need by the name you enter here. You can click the edit icon to change the name or comment of the interface later.
3. Click Save.
4. In the interface, build the connections. Note: You are creating connections for the interface, not connections within the application.
   a. From the interface row, click the add icon.
   b. Enter the name of the connection and click Save.
   c. Add servers and services to the connection. After you add a server to either the Source or Destination field, Connected Servers is added to the other side of the connection to show other application owners where to add their servers.
   You can add multiple connections to the interface.
5. When you are finished building the interface, click Publish.

Note: Every time you change the interface, you must click Publish to update the interface for all applications that use it.

Now any application owner with permission to view this application can create a new connection with this application interface.

Creating a Connection to Application

To connect to the application interface of another application, you create a different type of connection, used specifically for connecting to other applications.

To create a connection to an application interface:
1. In your application, click New.
2. In the Type list, select Connection to application.
3. Click Browse to find the interface that you want to use.
4. Select the application interface and click Select.
5. Add your servers to the connections.

After you finish editing the connection, you can create a SecureChange ticket (see "Creating SecureChange Tickets" on page 117) to implement the changes. Also, any firewall rules that partially match the defined connections are automatically marked in the SecureTrack Policy Browser with the name of the application and the application owner.

Migrating Connections to other Applications

When you use an application with the same or a similar structure in a different environment, instead of reconfiguring it each time you have two options:
- Use the application lifecycle automation feature to migrate the application (see "Application Lifecycle Automation" below).
- Create a template to be used as a baseline when configuring the application (see "Creating and Using Templates" on page 113).

Application Lifecycle Automation

An application lifecycle consists of several phases. Typically, these phases are development, testing and production. Each phase takes place in a different environment that uses different servers. However, the connectivity definitions remain exactly the same: starting from the development phase, the connectivity includes most of the services and network objects required by the application, and in all phases the connectivity requires the same firewall rules. The main difference between these environments is that the same network objects need to connect to different servers: development, testing or production.

Therefore, whenever you migrate your application to a new environment, you must reassign the IP addresses of all network objects used in your connections. This process can be time-consuming, cumbersome and error-prone, especially because you need to repeat it whenever you update and remigrate your application.

Another challenge of moving between environments is making sure that you enforce the relevant security approval process. For example, when you move from the testing environment to the production environment, you need to use a stricter security approval process.

SecureApp helps you handle such challenges by automating the application lifecycle. SecureApp guides you through the first migration, and then saves your settings and automates all subsequent remigrations.

Migrating an Application to a Different Environment

You can migrate connections from existing applications to other applications and select servers in the target applications that replace the servers from the source application. For example, this lets you duplicate the relationships between resources for application deployment in development, testing and production environments.

Prerequisites

The first time you migrate your application, it is important to configure the migration settings carefully. SecureApp saves these settings, so you can easily reuse them in all future remigrations.

Before you migrate your application, make sure that it meets these migration requirements:
- All application interfaces are published (so they are available to other applications).
- The servers and connections you want to migrate are NOT being edited while you perform the migration.
- When you migrate an application to a cloud platform, you must create the destination application with all of the resources required by the new application. We recommend that you also do this when you migrate an application to a non-cloud platform.

Procedure

To migrate your application to a new environment:
1. In the Applications list, select your application and then click the migrate icon to open the migration wizard. The migration steps are:
   - Select application to migrate connections to
   - Servers that are used in connections
   - External servers that are used in connections (if any)
   - Connections to applications (if any)

   - Summary
2. To select an application, select the Target application to which you want to copy your connections. You can either:
   - Click New to define a new application (see "Building the Application Inventory" on page 45).
   - Click the browse icon to select an existing application.
   - Enter the name of an existing application.
   Note: If you select an existing application, the current connections of the target application are deleted, so that the source application and target application have exactly the same connectivity.
3. Click Next.
4. To define the servers to create in the target application, you can either:
   - Select a target server manually: For each source application server, select a server from the target application.
   - Create new servers in the target application: To create a server group (see "Creating Servers" on page 60), select New > New group. To create a single server (see "Creating Servers" on page 60), select New > New.
   - Exclude servers: Select a server from the source application and select Not Needed from the list of target servers.
   - Copy servers from the source application: To copy a specific server, select it from the source application and select Copy > Copy Selected.

     To copy all servers that are not already mapped to servers in the target application, select Copy > Copy unmapped. The naming convention of a copied server is "<source server name>_Copy1 (<source server IP address>)", for example "DNS Server 2_Copy1 ( )". You can rename the target server after the migration is completed.
5. Click Next.
6. To define the external connections to create in the target application (if any):
   a. Select each item from the source application's list of external servers.
   b. In the Application list, choose either:
      - An external server: Select the external server you want to use in the target application. You can select the same external server or replace it with a different one.
      - Exclude an external server: Select Not Needed.
7. Click Next.
8. To define the connections to application to create in the target application (if any):

   a. Select an item from the source application's list of connections to applications (on the left).
   b. In the Application list, choose either:
      - A connection to application: Select the application that the target application needs to access, and select the target interface from the Interface list.
      - Exclude a connection to application: Select Not Needed.
   Note: You cannot re-use the same interface in different connections to applications. Map each connection to application to a different interface.
9. Click Next.
10. To migrate the servers and connections, click Migrate.
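What the wizard does with the server mapping in step 4 is easier to see as code. The following Python is an added illustration of that mapping, not Tufin code: it handles a manual target choice, the Not Needed exclusion, and the Copy unmapped naming convention quoted above, and it deletes the target's existing connections as the note in step 2 warns. The applications and IP addresses are constructed, and the `incomplete` check at the end is an assumption about what an exclusion leaves behind (a connection with an empty side, which the compliance check would then report as not analyzable).

```python
"""Migration of an application's connectivity by server mapping, modelled on
the SecureApp migration wizard. Added illustration only; not Tufin code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOT_NEEDED = "Not Needed"   # the wizard's exclusion choice


@dataclass(frozen=True)
class Server:
    name: str
    ip: str


@dataclass
class Connection:
    name: str
    sources: List[Server]
    destinations: List[Server]
    services: List[str]


@dataclass
class Application:
    name: str
    servers: List[Server] = field(default_factory=list)
    connections: List[Connection] = field(default_factory=list)


def copy_name(src: Server) -> str:
    """Naming convention from the page: "<source server name>_Copy1 (<source IP>)"."""
    return f"{src.name}_Copy1 ({src.ip})"


def migrate(source: Application, target: Application,
            mapping: Dict[str, Optional[str]]) -> Application:
    """mapping: source server name -> target server name, NOT_NEEDED, or absent
    (unmapped, i.e. copied as with Copy > Copy unmapped).
    The target's current connections are deleted, as the wizard warns."""
    by_name = {s.name: s for s in target.servers}
    resolved: Dict[str, Optional[Server]] = {}
    for src in source.servers:
        choice = mapping.get(src.name)
        if choice == NOT_NEEDED:
            resolved[src.name] = None                 # excluded from every connection
        elif choice is None:
            copied = Server(copy_name(src), src.ip)   # unmapped: copied into the target
            target.servers.append(copied)
            by_name[copied.name] = copied
            resolved[src.name] = copied
        else:
            resolved[src.name] = by_name[choice]      # KeyError: mapping names an unknown server

    def remap(servers: List[Server]) -> List[Server]:
        return [resolved[s.name] for s in servers if resolved[s.name] is not None]

    target.connections = [
        Connection(c.name, remap(c.sources), remap(c.destinations), list(c.services))
        for c in source.connections
    ]
    return target


def incomplete(app: Application) -> List[str]:
    """Assumption: connections left without a source or destination by an
    exclusion; the compliance check would flag these as not analyzable."""
    return [c.name for c in app.connections if not (c.sources and c.destinations)]


def sample_apps() -> Tuple[Application, Application]:
    """Constructed dev and prod applications for the example."""
    web, db, log = Server("web-dev", "10.1.0.10"), Server("db-dev", "10.1.0.20"), Server("log-dev", "10.1.0.30")
    dev = Application("web-dev", [web, db, log], [
        Connection("web->db", [web], [db], ["tcp/5432"]),
        Connection("web->log", [web], [log], ["tcp/514"]),
    ])
    prod = Application("web-prod", [Server("web-prod", "10.9.0.10")],
                       [Connection("old", [], [], [])])   # deleted by the migration
    return dev, prod


if __name__ == "__main__":
    dev, prod = sample_apps()
    migrate(dev, prod, {"web-dev": "web-prod", "log-dev": NOT_NEEDED})
    for c in prod.connections:
        print(c.name, [s.name for s in c.sources], "->", [s.name for s in c.destinations], c.services)
    print("incomplete after exclusions:", incomplete(prod))
```

Two things from the example carry over to the real wizard: anything you leave unmapped is copied with the source IP address, so it still points at the old environment until you rename and re-address it, and excluding a server with Not Needed silently hollows out the connections that used it.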

SecureApp migrates the source connectivity to the target application according to your settings. The settings are saved and used again when you remigrate the application (see "Remigrating an Application" below).

Remigrating an Application

When you migrate an application (see "Migrating an Application to a Different Environment" on page 108), SecureApp remembers the resource mappings. After that, every time you remigrate the application you can easily re-use these mappings.

Prerequisites

Before you remigrate your application, make sure that it meets these migration requirements:
- All application interfaces are published, so that they are available to other applications.
- The servers and connections you want to migrate are NOT being edited while you migrate the application.

Procedure

To remigrate your application:
1. In the Applications list, select the application you want to remigrate and then click the Migrate button.
2. Update the resource mappings (see "Migrating an Application to a Different Environment" on page 108).

Creating and Using Templates

You can create and use application templates in order to:
- Provide other users with the basic process to be used when creating applications.
- Design a baseline to use for creating applications. This is useful when many applications have a similar structure.

To create and use a template:
1. Create an application with the basic servers and connections you need. You can even leave the server IP addresses empty. This is your template. Note: Servers without an IP address are listed with a different icon than servers with an IP address.
2. Migrate your template to a new application (see "Migrating an Application to a Different Environment" on page 108).
3. Open the new application, assign IP addresses to the servers, and configure any changes in the new application (see "Adding Resources to Connections Manually" on page 89).

Managing Customers

MSSPs and large enterprises commonly must control the provisioning process for many business entities, such as customers, business partners, or departments. These are defined as customers in SecureApp. For guidelines on how to create connections in multi-customer mode, see Building Connections.

Implementing Connections with SecureChange

If you have a license for SecureChange (see "SecureChange and SecureApp Licensing" on page 17), you can create a SecureChange ticket to implement the changes that you made since the last time you created a SecureChange ticket.

After you build the connections for your applications, you can create tickets to implement the connections on your firewalls directly from SecureApp. SecureApp enters the technical details of the connections into a SecureChange ticket, so that the network and security teams know exactly what changes need to be made. You can follow the progress of the tickets in SecureChange. After the tasks in the ticket are completed, the connection status indicates that the connection is connected properly. If the ticket is rejected, you can choose to revert the requested changes so that the SecureApp connections match the firewall rules, or you can resubmit the changes in a new ticket, modifying them so that the ticket is not rejected.

Basic Workflow Configuration

To implement application connections in the firewall policies, you must create a ticket that is processed by SecureChange as a new request. To create a new request, you must have an active workflow configured in SecureChange. SecureChange includes 4 basic workflows that you can use out of the box:
- Access Request: Submit request with specified access > Business approval > Technical design > Security review > Implementation
- Group Object Request: Submit group object change request > Approval > Implementation
- Generic Request: Submit request > Approval > Implementation
- Remove Access: Submit remove access request > Approve access removal > Implement access removal

In SecureChange Basic, you can configure the assignments for these workflows and use them with their default configurations. If you have a license for SecureChange, you can:
- Make workflows that match the process in your organization by customizing the workflows and creating new ones.
- Configure the following additional workflow types: Server decommissioning, Rule decommissioning, Rule recertification.

To activate a workflow:

1. Log in to SecureChange as a user that is assigned to the Security Administrator role (see "Adding Users" on page 28). If you are logged in as a different user, click Logout from the user menu.
2. In Workflows, click one of the workflows or a workflow template.
3. To change the name of the workflow and other workflow properties:
   a. Click Workflow properties.
   b. Change the name of the workflow.
   c. Select the step that a ticket returns to if the requester reopens it. After all of the steps in the workflow are complete, the requester is prompted to confirm that the request is complete. If the requester sees that the request is not complete, the requester can reopen the ticket. The ticket then returns to the step selected here so that the work can be redone.
   d. Click OK.
4. For each step in the workflow, assign participants:
   a. Click the step.
   b. In the Assignments tab, select the Assignment mode. For a simple workflow, select Auto-assigned so that SecureChange automatically assigns the ticket to a participant. You can also configure conditions under which the step is skipped.

   c. Select the users that can perform this step in the workflow.
5. When all steps are marked as valid, set the workflow status to Active.
6. Click Save.

SecureChange is now ready for end users to log in and submit requests. Next, you can:
- Manage requests
- Configure SecureChange settings
- Customize workflows
- Create reports

Creating SecureChange Tickets

After you build the connections that your application needs, you can create a SecureChange ticket to request that those connections be allowed. The details of the connections are entered automatically into the Access Request fields of the ticket. You can add information to the ticket and then submit it.

If you create a ticket after you change the source, destination or service of a connection, the ticket includes "Drop" access requests for the traffic that is no longer included in the connection and "Accept" access requests for the traffic that is included in the new connection.

If you edit the IP address of a resource or of a member of a resource group, you can save the change and open a ticket to update the firewall rules that use the resource. The ticket includes "Drop" access requests for the connections that use the old details of the resource and "Accept" access requests for the same connections with the new details of the resource.

If you delete a connection, the ticket includes "Drop" access requests for the traffic that was included in the connection.

Note: You can only create a ticket with a "Drop" access request if the access is not also required by other connections in SecureApp. If you try to create a "Drop" access request for access that is in use, SecureApp shows you the connections that use the access.
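The Accept/Drop rules in the three paragraphs above, plus the note about Drops that another connection still needs, amount to a set difference between the connections as they were in the last ticket and as they are now. The following Python is an added illustration of that diff, not Tufin code: connections are modelled as sets of source IPs, destination IPs and services, the flow tuples are an assumed stand-in for the Access Request lines SecureChange shows, and the sample states (an IP change plus a deleted connection whose access a new connection still uses) are constructed.

```python
"""Access requests generated for a SecureApp ticket after connections change.
Added illustration only; not Tufin code."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str]   # (source, destination, service)


@dataclass
class Connection:
    name: str
    sources: Set[str]
    destinations: Set[str]
    services: Set[str]

    def flows(self) -> Set[Flow]:
        """Every source/destination/service combination the firewalls must allow."""
        return set(product(self.sources, self.destinations, self.services))


@dataclass
class AccessRequest:
    action: str   # "Accept" or "Drop"
    flow: Flow
    comment: str  # the SecureApp action that produced the request


def build_ticket(last_ticket: Dict[str, Connection],
                 current: Dict[str, Connection]
                 ) -> Tuple[List[AccessRequest], Dict[Flow, List[str]]]:
    """Diff the connections as of the last ticket against the current state.
    Returns the access requests for the new ticket, plus the Drops that cannot
    be created because another connection still requires the flow."""
    in_use: Dict[Flow, List[str]] = {}
    for conn in current.values():
        for flow in conn.flows():
            in_use.setdefault(flow, []).append(conn.name)

    requests: List[AccessRequest] = []
    blocked_drops: Dict[Flow, List[str]] = {}
    for name in sorted(last_ticket.keys() | current.keys()):
        before = last_ticket[name].flows() if name in last_ticket else set()
        after = current[name].flows() if name in current else set()
        if name not in current:
            comment = f"connection {name} deleted"
        elif name not in last_ticket:
            comment = f"connection {name} created"
        else:
            comment = f"connection {name} edited"
        for flow in sorted(after - before):          # new traffic: Accept
            requests.append(AccessRequest("Accept", flow, comment))
        for flow in sorted(before - after):          # removed traffic: Drop ...
            if flow in in_use:                       # ... unless still needed elsewhere
                blocked_drops[flow] = in_use[flow]
            else:
                requests.append(AccessRequest("Drop", flow, comment))
    return requests, blocked_drops


def sample_states() -> Tuple[Dict[str, Connection], Dict[str, Connection]]:
    """Constructed example: the database server moved to a new IP, the admin
    connection was deleted, and a new backup connection reuses its flow."""
    last = {
        "web-to-db": Connection("web-to-db", {"10.1.0.10"}, {"10.1.0.20"}, {"tcp/5432"}),
        "admin-ssh": Connection("admin-ssh", {"10.2.0.5"}, {"10.1.0.20"}, {"tcp/22"}),
    }
    current = {
        "web-to-db": Connection("web-to-db", {"10.1.0.10"}, {"10.1.0.21"}, {"tcp/5432"}),
        "backup": Connection("backup", {"10.2.0.5"}, {"10.1.0.20"}, {"tcp/22", "tcp/873"}),
    }
    return last, current


if __name__ == "__main__":
    requests, blocked = build_ticket(*sample_states())
    for r in requests:
        print(f"{r.action:6} {r.flow}  # {r.comment}")
    for flow, users in blocked.items():
        print("no Drop for", flow, "still used by", users)
```

The point the note makes is visible in the output: deleting admin-ssh produces no Drop, because the backup connection still needs the same flow, so the old access stays on the firewall even though the connection that originally justified it is gone. That is the case to check when reviewing a ticket that removes a connection.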

To create a ticket in SecureChange:

1. Build the connections that your application requires.
2. Click Create Ticket.
3. Select a SecureChange workflow to use for the request. Only workflows that have Access Request fields are shown. SecureApp highlights the workflow that you selected the last time you created a ticket.
   If you do not want the ticket to go through the workflow process, you can select Create a closed ticket. This can be useful so that:
   - You have a SecureChange ticket for connections that are already configured in the devices, so that auditors can see the access request in the ticketing system.
   - The next ticket created from the connection does not include any previous changes.
   Note: When you create a closed ticket, revisions that match the ticket are listed in the Change browser in SecureChange as unauthorized because they do not pass through an approval step in SecureChange.

   The new request is shown with the details of the connection changes already entered into the Access Request field, and with comments that show the actions in SecureApp that created the access request. Click View original request to see the connections as they are shown in SecureApp.
4. Edit the request information. To see the context of the ticket, you can click Original Application Change to see the ticket as it was when it was submitted from SecureApp.

   This can be very helpful because, while viewing the technicalities of what needs to be done in the task view, it can be difficult to understand the actual goal of the task. When you view the SecureApp ticket you see the request as it was sent. For example, the requester simply changed an IP address, and cannot access certain sites.
5. Click Submit.

The SecureChange request continues through the selected workflow. In SecureApp, the application and connections have a ticket icon to show that there are open tickets for them. You can:
- Click on the ticket icon to see the list of open tickets.
- Click on an open ticket to go to that ticket in SecureChange.

The SecureChange ticket shows a link to the associated application in SecureApp.

If the ticket icon is marked with a rejection, at least one of the tickets for the connection was rejected (see "Handling Rejected Tickets" on page 123) and requires action.

Repairing Connections

After your connectivity is approved and is already running properly, there may be network changes that suddenly break a connection or a connection interface. For example, a new firewall rule might block a specific connection.

Note: You can revert changes made to a server, service or group. Deleting a server, service, or group cannot be reverted.

To quickly repair a connection:

1. Detect the connection to be repaired:
   - The Business Owner receives a "Blocked connection notification": an automatic alert with information on the date and time on which the specified connection was blocked.
   - Any other user who is an editor of the application and has the following permissions (see "Assigning Roles to Users" on page 34) may notice the broken connection and ask to repair it:
     - View My Requests and create requests: a user with this permission can create SecureChange tickets and follow the progress of the ticket in SecureChange > My Requests.
     - View SecureApp and access SecureApp applications: a user with this permission can view existing applications and configure application connections for applications that they own or are an editor of.
     - View connection status: a user with this permission can view the connection status icon.
2. Make sure these requirements are met:
   - The Access Request workflow is activated in SecureChange.
   - The disconnected connection meets these requirements:
     - The connection status is disconnected.

     - At least one open ticket that requested access for this connection has been closed.
     - The connection was not edited since the last ticket that allowed it was approved.
     - There are no other open tickets for the application that includes this connection (to verify this, make sure the number of tickets in the ticket icon is zero).
3. Repair the connection:
   a. In the Connectivity tab, choose one of the following depending on the connection type:
      - If this is a disconnected connection, select Repair connection.
      - If this is a disconnected interface, click the repair icon to repair it.
   b. In the New Request window, select the Access Request workflow and click Create.

SecureApp creates a new request that is unique in two respects:
- It concerns a specific connection (as opposed to all connections).
- It requests to restore access that was previously granted (as opposed to approving all changes made throughout the application). The Comment field asks to repair the connection with the specified name. Accordingly, the Access Request field automatically shows the details of the connection to be repaired.

The ticket is processed as part of the SecureChange workflow. If it is approved, the broken connection is restored.

Handling Rejected Tickets

SecureApp shows all tickets that are open for connection changes, including tickets that were rejected. For rejected tickets, the requested changes are not implemented in the relevant firewall policy, but SecureApp shows the changes to the connection as if they were implemented. You can click on the number of rejected tickets to see the list of tickets with links to each ticket in SecureChange, and an information tooltip that shows the reason for the rejection.

When a ticket is rejected you can:
- Revert the changes that were made in the connection so that the connection does not show changes that were not implemented.
- Reapply the changes to the connection so that you can modify the changes and submit them in the next ticket that you create.
- Ignore the rejected ticket and keep the changes in the connection even though they were not implemented.

You can revert or reapply changes that impact the connection traffic, including added or removed resources, group membership, and changed resource details except for the resource name and comment. You cannot revert or reapply the changes if a resource in the ticket was deleted, the changes were already reverted manually, or the details of a resource in the ticket were changed after the ticket was submitted.

To handle rejected tickets:

1. Click on the ticket icon and select the rejected ticket that you want to handle. The changes that were requested in the rejected ticket are shown.
2. Review the changes that were requested in the ticket and click Reason to see the reason for the rejection.
3. To handle the rejected changes, click either:
   - Ignore rejection: Leaves the change in the connection. Because the change was rejected and not implemented in the firewalls, the connection does not accurately show the access allowed by the firewalls.

   - Revert changes: Returns the connection to the state it was in before you submitted the ticket.
   - Reapply changes: Reapplies the changes in the ticket to the connection so you can modify and re-submit the changes in a new ticket.

After you handle the rejected ticket, SecureApp does not notify you again of the rejected changes from the ticket.

Integration with Puppet Labs

SecureApp can be used to automatically provision security policies to iptables firewalls through Puppet from Puppet Labs. The integrated solution leverages application connectivity information from SecureApp to automatically provision inbound and outbound rules on any involved server that has a Puppet-managed iptables firewall.

To integrate with Puppet you must install the Tufin SecureApp plugin from Puppet Forge on the puppet master and configure it for each of the puppet slaves that you manage. Then, the plugin connects to SecureApp once every 30 minutes to check for changes in the connections that impact the iptables firewalls. If there are changes, the changes are implemented automatically through the puppetlabs-firewall module.

To integrate Puppet with SecureApp:

1. Download the Tufin SecureApp plugin from Puppet Forge to the puppet master.
2. To install the plugin, run:

   puppet module install tufin-secureapp

3. To set the IP address of the SecureApp server in the plugin, edit:

   /etc/puppet/manifests/site.pp

4. For each of the puppet slaves that you want to integrate with SecureApp, add this class:

   class {'secureapp':
     secureapp_host     => "ip_of_secureapp_host",
     secureapp_username => "secureapp_username",
     secureapp_password => "secureapp_password",
   }

   Where:
   - ip_of_secureapp_host is the IP address of your SecureApp server
   - secureapp_username is the username of a SecureApp user that has permissions to view the applications that impact the iptables firewalls
   - secureapp_password is the password of the SecureApp user that is listed in the class

If you want to manually retrieve the changes from SecureApp for a specific puppet slave, run this command on the puppet slave:

   puppet agent --test --debug --verbose

Tracking Changes to Applications

After you define the connections for your applications, you can:
- Track the changes made in SecureApp to the application information
- See the status of the application based on whether the traffic defined in the connections is blocked
- Review changes in tickets that were rejected, and choose to:
  - Revert the changes that were made to the connections
  - Ignore the rejected ticket and keep the changes in SecureApp
  - Reapply the changes to the connection so you can resubmit the ticket

Monitoring Application Status

SecureApp receives updates of changes made to firewall policies and routing tables from SecureTrack topology. Based on the latest active policy available for all devices involved in the connection, SecureApp shows you if the connections defined for your applications are blocked, and immediately sends an alert to the application owner. The connection status is recalculated when a new policy is received, when the connection is changed, or when the system is upgraded or restarted.

Note: IPv6 is not supported for this TOS feature.

Note: Connection monitoring is a feature which is currently available to all customers, but will require a purchased license in the future.

SecureApp monitors the connection from the time the first ticket is created to request that the connection is implemented. Here you can see:
- Each of the devices that pass the specified traffic and the rules that impact the traffic
  Note: AWS devices are not shown in connection analysis.
- Interactive Map: a map of the topology for the selected device
- Show Query: the connection that the analysis is based on

Note: To make sure that the status is as accurate as possible, update the topology information in SecureTrack to match your network topology.

To see the status of an application, look at the Status column for the application in the list of applications. If any of the connections is not connected, the status of the application shows the non-connected status. To see the status of a connection, look at the Status column for the connection in the list of connections.

If SecureTrack cannot connect to SecureApp, SecureApp does not receive policy or topology updates. After you repair the connectivity to SecureApp, the status indicator is updated when SecureTrack receives a new revision or recalculates the topology.

The status indicators are:
- N/A: The connection status is not available because:
  - The connection is incomplete
  - The connection contains users in the source
  - The connection contains ANY in both the source and destination
  - The connection includes a Class A network
  - Monitoring is disabled in SecureTrack
  - SecureApp cannot connect to SecureTrack
- Calculating: The connection is currently being calculated to determine if it is connected or not connected.
- Connected: The connection is connected because there is a valid routing from the source to the destination, and there are no firewall rules in the path that block the connection.
- Not connected: There are firewall rules in the valid route paths that block the connection traffic.
- Published (App Pack only): The connections in the application pack have been published.

Finding Servers in Connections and Groups

You can look up a specific server to see all the connections and groups it is part of. This is useful in several cases:
- When you notice heavy traffic to a particular IP address, and want to find out who owns this server and which applications use it.
- When you add a new server to SecureApp, and need to check if this IP address already exists.
- When you inspect specific resources, and need to find all servers that communicate with these resources.

Server Lookup allows you to search for any server in the SecureApp system. The search results show all of the servers that match either:

- Text in the Server Name, IP Address or Comment fields. You can also search for exact matches (case-sensitive) of the search text to narrow the results.
- Subnet defined by IP address and netmask. You can show the servers that contain the specified subnet, servers that are contained within the specified subnet, or servers that match the subnet exactly. For example:
  - Subnet that contains: If you enter the subnet /24, the results include servers such as /16 and /24. If you enter the subnet /32, the results include hosts that have the IP address.
  - Contained in subnet: If you enter the subnet /16, the results include servers such as /24 and hosts such as /32.

After you search for servers, you can select a server from the search results and see the connections or groups where this server is used, either explicitly or as part of a group object.

To look up a server:

1. Go to Server Lookup.
2. In the Server Lookup view, select the Text or Subnet search and its parameters.
   For Text, the parameters are: All, Server Name, IP Address and Comment.
   For Subnet, the parameters are:
   - Subnets that contain: Shows all networks that include the specified subnet, including the subnet itself, even if it is a host.
   - Contained in subnet: Shows all objects that have an IP address in the subnet, including the subnet itself.
   - Exact match: Shows only servers that match the exact specified string.
3. Click the search icon.

4. Select an object from the list. The top pane lists all servers that match your criteria and specifies their details: Application (a link to the application details), Name, IP Address and Comment.
5. Select a server from the search results list to view the Connectivity and Groups it is part of in the bottom panes:
   - The Connectivity pane shows all the connections this server is part of (the server is highlighted in orange). If this server is part of a group, you can click the [Info] link to open the Group Members window and see the other servers contained in this group.
   - The Groups pane lists all the groups of which this server is a member. You can click on a group to open the Group Members window and see the other servers contained in this group.
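The Server Lookup matching rules described above, as an added Python example that is not Tufin's code: Server, lookup_by_subnet and lookup_by_text are assumed names and the server inventory is constructed. The three subnet modes are implemented with the standard ipaddress module, and the text search includes the case-sensitive exact-match option.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Server:
    """A SecureApp-style server object: a host or a subnet owned by an application."""
    application: str
    name: str
    address: str          # "10.0.1.10" (host) or "10.0.1.0/24" (subnet)
    comment: str = ""

    def network(self) -> ipaddress.IPv4Network:
        # A bare host address becomes a /32, which is how the guide treats hosts.
        return ipaddress.ip_network(self.address, strict=False)


def lookup_by_subnet(servers: List[Server], query: str, mode: str) -> List[Server]:
    """Subnet search with the three modes of the Server Lookup view."""
    target = ipaddress.ip_network(query, strict=False)
    hits = []
    for server in servers:
        net = server.network()
        if mode == "Subnets that contain":
            # Networks that include the query, the query itself included (even a host).
            match = target.subnet_of(net)
        elif mode == "Contained in subnet":
            # Objects whose addresses all lie inside the query, the query itself included.
            match = net.subnet_of(target)
        elif mode == "Exact match":
            match = net == target
        else:
            raise ValueError(f"unknown subnet mode: {mode!r}")
        if match:
            hits.append(server)
    return hits


def lookup_by_text(servers: List[Server], text: str, field: str = "All",
                   exact: bool = False) -> List[Server]:
    """Text search over Server Name, IP Address or Comment (or All of them).

    The default is a case-insensitive substring match; exact=True narrows the
    results to case-sensitive exact matches, as the guide describes.
    """
    fields = {"Server Name": lambda s: s.name,
              "IP Address": lambda s: s.address,
              "Comment": lambda s: s.comment}
    if field == "All":
        getters = list(fields.values())
    elif field in fields:
        getters = [fields[field]]
    else:
        raise ValueError(f"unknown text field: {field!r}")

    def matches(value: str) -> bool:
        return value == text if exact else text.lower() in value.lower()

    return [s for s in servers if any(matches(get(s)) for get in getters)]


# Constructed sample inventory (not from the guide).
SERVERS = [
    Server("Billing", "corp-net", "10.0.0.0/16", "corporate range"),
    Server("Web Shop", "web-subnet", "10.0.1.0/24"),
    Server("Web Shop", "web-01", "10.0.1.10", "primary web server"),
    Server("Inventory DB", "db-01", "10.0.2.5"),
    Server("Lab", "lab-net", "192.168.0.0/24"),
]

if __name__ == "__main__":
    for mode in ("Subnets that contain", "Contained in subnet", "Exact match"):
        names = [s.name for s in lookup_by_subnet(SERVERS, "10.0.1.0/24", mode)]
        print(f"{mode:22} 10.0.1.0/24 -> {names}")
    print([s.name for s in lookup_by_text(SERVERS, "web")])
```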

View Connectivity Map

The Connectivity Map lets you see a visual model of all the connections to the application, including every cloud instance that is associated with the application and every device that has an explicitly defined connection to the application.

The lines connecting the devices are color-coded, as follows:
- Solid grey: The connection between the source and destination is modeled, with at least one connection defined.
- Green dashes: Some services are allowed between the source and destination instances, but have not been modeled.
- Red dashes: Some services are blocked between the source and destination instances, but have not been modeled. If services that are not modeled are both blocked and allowed, the connection is displayed as blocked in the map.
- Arrow: The direction of the modeled traffic (traffic can also be bidirectional).

Clicking on an element in the map displays information about that element. If the element is a device, the information displayed is the device name and the IP address. If the element is a connection, the information displayed is the list of connections, including a color-coded line identifying if the connection has been modeled.

Application discovery downloads the most recent log files from the cloud host, and updates the cloud instances in the connectivity map. The discovery process looks at the most recent 7 day history in the logs. Discovery results are removed from SecureApp after 30 days.

What can I do?
- View additional information: Click on a cloud instance, device, or connection to display additional information.
- Add Connection: Right-click on an edge between two cloud instances and click Add Connection to add a new connection to the application, or add a connection from the Info window (see "Adding Connections from the Connectivity Map" on page 93).
- Search: Click the search icon and search the map by cloud instance or device name. Matches are displayed as you type, and highlighted in the map.
- Zoom: Zoom in or out with the zoom controls or with your mouse wheel.
- Rearrange the map: Click and drag to navigate around the map or to move network objects on the map.

  Each time you open the interactive map, the objects are distributed on the map according to the network topology. If you have fewer than 1000 objects on the map, you can drag an object to lock it to a specific location until you leave the map view.
- Application discovery: Click the discovery icon to start the discovery process.
  Note: The application discovery process may incur charges from your cloud services provider for downloading the log files from the cloud host.

Application History

Every change that you make to an application is tracked in SecureApp in the History tab. The History tab lists who did the action and when. There you can see actions such as:
- New connection: The first time a connection is defined.
- Connection changed: When you add or remove a resource from a connection.
- Opened ticket: When you create a SecureChange ticket for the changes since the last ticket was created.
- Resource changed: When you change the details of a resource that is used in a connection.

For each action, you can hover over the history entry and click on the icon in the Changes column to see a tabular list of the changes to the resource or connection.

What can I do?
- View extended information: Hover over an entry and click on the icon to see the changes.
- Export: Click the export icon to export the history report as a PDF.

- Visualize application dependencies: Click the Dependencies tab to view application dependencies (see "Visualizing Application Dependencies" below).
- Manage connections: Click the Connections tab to manage the application dependencies (see "Managing Connections" on page 85).

Navigate here

To view the application history:
1. In SecureApp, click on the name of an application.
2. Click on History.

Visualizing Application Dependencies

Applications often connect to other applications in order to use their servers. For example: a web application may connect to other applications to get billing, DNS, database (SQL) and exchange services. Such connections between applications are called dependencies. SecureApp helps you understand your application's dependencies at a glance, by visualizing the connectivity between applications.

To view your application's connectivity dependencies:
1. In the Applications list, click your application Name. By default, SecureApp displays the application's Connectivity tab.
2. Click the Dependencies tab.

SecureApp shows a visual representation of your application, surrounded by all applications it is connected to.


More information

vcloud Director Administrator's Guide

vcloud Director Administrator's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall ForeScout Extended Module for Palo Alto Networks Next Generation Firewall Version 1.2 Table of Contents About the Palo Alto Networks Next-Generation Firewall Integration... 4 Use Cases... 4 Roll-out Dynamic

More information

Sophos Mobile. startup guide. Product Version: 8.5

Sophos Mobile. startup guide. Product Version: 8.5 Sophos Mobile startup guide Product Version: 8.5 Contents About this guide... 1 Sophos Mobile licenses... 2 Trial licenses...2 Upgrade trial licenses to full licenses... 2 Update licenses... 2 What are

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.6 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Ansible Tower Quick Setup Guide

Ansible Tower Quick Setup Guide Ansible Tower Quick Setup Guide Release Ansible Tower 2.4.5 Red Hat, Inc. Jun 06, 2017 CONTENTS 1 Quick Start 2 2 Login as a Superuser 3 3 Import a License 4 4 Examine the Tower Dashboard 6 5 The Setup

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.2 Table of Contents About ServiceNow Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 8.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

VSP16. Venafi Security Professional 16 Course 04 April 2016

VSP16. Venafi Security Professional 16 Course 04 April 2016 VSP16 Venafi Security Professional 16 Course 04 April 2016 VSP16 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for: Enterprise Security Officers

More information

CounterACT Afaria MDM Plugin

CounterACT Afaria MDM Plugin Version 1.7.0 and Above Table of Contents About Afaria MDM Service Integration... 4 About This Plugin... 4 How It Works... 5 Continuous Query Refresh... 5 Offsite Device Management... 6 Supported Devices...

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

ForeScout CounterACT. Configuration Guide. Version 6.3

ForeScout CounterACT. Configuration Guide. Version 6.3 ForeScout CounterACT Authentication Module: User Directory Plugin Version 6.3 Table of Contents About the User Directory Plugin... 4 Endpoint User Details... 4 Endpoint Authentication... 5 User Directory

More information

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) You can find the most up-to-date technical documentation

More information

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

vshield Administration Guide

vshield Administration Guide vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

VMware Workspace ONE UEM VMware AirWatch Cloud Connector VMware AirWatch Cloud Connector VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

CPM. Quick Start Guide V2.4.0

CPM. Quick Start Guide V2.4.0 CPM Quick Start Guide V2.4.0 1 Content 1 Introduction... 3 Launching the instance... 3 CloudFormation... 3 CPM Server Instance Connectivity... 3 2 CPM Server Instance Configuration... 4 CPM Server Configuration...

More information

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Certificate Authentication for Cisco IPSec VPN VMware AirWatch Certificate Authentication for Cisco IPSec VPN For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMware AirWatch Content Gateway Guide for Linux For Linux

VMware AirWatch Content Gateway Guide for Linux For Linux VMware AirWatch Content Gateway Guide for Linux For Linux Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1 VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June

More information

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Cloud Access Manager Configuration Guide

Cloud Access Manager Configuration Guide Cloud Access Manager 8.1.3 Configuration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1.2 This document supports the version of each product listed and supports all subsequent

More information

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Windows VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Using the Horizon vrealize Orchestrator Plug-In

Using the Horizon vrealize Orchestrator Plug-In Using the Horizon vrealize Orchestrator Plug-In VMware Horizon 6 version 6.2.3, VMware Horizon 7 versions 7.0.3 and later Modified on 4 JAN 2018 VMware Horizon 7 7.4 You can find the most up-to-date technical

More information

Tenant Administration. vrealize Automation 6.2

Tenant Administration. vrealize Automation 6.2 vrealize Automation 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Novell Identity Manager

Novell Identity Manager Role Mapping Administrator User Guide AUTHORIZED DOCUMENTATION Novell Identity Manager 1.0 August 28, 2009 www.novell.com Novell Identity Manager Role Mapping Administrator 1.0 User GuideNovell Identity

More information

Sophos Mobile. super administrator guide. Product Version: 8

Sophos Mobile. super administrator guide. Product Version: 8 Sophos Mobile super administrator guide Product Version: 8 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

VMware AirWatch Cloud Connector Guide ACC Installation and Integration VMware AirWatch Cloud Connector Guide ACC Installation and Integration Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management You can find the most up-to-date technical documentation

More information

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Table of Contents Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Configure System Settings Add Cloud Administrators Add Viewers, Developers, or DevOps Administrators

More information

Dell SupportAssist Version 1.0 For Microsoft System Center Operations Manager User's Guide

Dell SupportAssist Version 1.0 For Microsoft System Center Operations Manager User's Guide Dell SupportAssist Version 1.0 For Microsoft System Center Operations Manager User's Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware AirWatch 9.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

VMware AirWatch Certificate Authentication for EAS with ADCS

VMware AirWatch Certificate Authentication for EAS with ADCS VMware AirWatch Certificate Authentication for EAS with ADCS For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Managing WCS User Accounts

Managing WCS User Accounts CHAPTER 7 This chapter describes how to configure global e-mail parameters and manage WCS user accounts. It contains these sections: Adding WCS User Accounts, page 7-1 Viewing or Editing User Information,

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 8.20 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

NSX-T Upgrade Guide. VMware NSX-T 2.0

NSX-T Upgrade Guide. VMware NSX-T 2.0 VMware NSX-T 2.0 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to docfeedback@vmware.com

More information

NBC-IG Installation Guide. Version 7.2

NBC-IG Installation Guide. Version 7.2 Installation Guide Version 7.2 2017 Nuance Business Connect 7.2 Installation Guide Document Revision History Revision Date August 8, 2017 Revision List Updated supported SQL Server versions June 14, 2017

More information

Firewall Enterprise epolicy Orchestrator

Firewall Enterprise epolicy Orchestrator Integration Guide McAfee Firewall Enterprise epolicy Orchestrator Extension version 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

ZENworks Service Desk 8.0 Using ZENworks with ZENworks Service Desk. November 2018

ZENworks Service Desk 8.0 Using ZENworks with ZENworks Service Desk. November 2018 ZENworks Service Desk 8.0 Using ZENworks with ZENworks Service Desk November 2018 Legal Notices For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions,

More information

VSP18 Venafi Security Professional

VSP18 Venafi Security Professional VSP18 Venafi Security Professional 13 April 2018 2018 Venafi. All Rights Reserved. 1 VSP18 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for:

More information

Sophos Mobile super administrator guide. Product version: 7.1

Sophos Mobile super administrator guide. Product version: 7.1 Sophos Mobile super administrator guide Product version: 7.1 Contents 1 About this guide...4 1.1 Document conventions...4 2 Super administrator...5 2.1 Super administrator tasks...5 2.2 Super administrator

More information

VMware Skyline Collector User Guide. VMware Skyline 1.4

VMware Skyline Collector User Guide. VMware Skyline 1.4 VMware Skyline Collector User Guide VMware Skyline 1.4 VMware Skyline Collector User Guide You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If

More information

Installing vrealize Network Insight. VMware vrealize Network Insight 3.3

Installing vrealize Network Insight. VMware vrealize Network Insight 3.3 VMware vrealize Network Insight 3.3 You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates.

More information

vcenter CapacityIQ Installation Guide

vcenter CapacityIQ Installation Guide vcenter CapacityIQ 1.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

McAfee Firewall Enterprise epolicy Orchestrator Extension

McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide Revision A McAfee Firewall Enterprise epolicy Orchestrator Extension COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo,

More information

vcloud Director Administrator's Guide vcloud Director 8.10

vcloud Director Administrator's Guide vcloud Director 8.10 vcloud Director Administrator's Guide vcloud Director 8.10 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5

USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5 USER GUIDE CTERA Agent for Windows June 2016 Version 5.5 Copyright 2009-2016 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

IBM Security Identity Manager Version Administration Topics

IBM Security Identity Manager Version Administration Topics IBM Security Identity Manager Version 6.0.0.5 Administration Topics IBM Security Identity Manager Version 6.0.0.5 Administration Topics ii IBM Security Identity Manager Version 6.0.0.5: Administration

More information

vrealize Network Insight Installation Guide

vrealize Network Insight Installation Guide vrealize Network Insight Installation Guide vrealize Network Insight 3.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Managing NCS User Accounts

Managing NCS User Accounts 7 CHAPTER The Administration enables you to schedule tasks, administer accounts, and configure local and external authentication and authorization. Also, set logging options, configure mail servers, and

More information

FAQ. General Information: Online Support:

FAQ. General Information: Online Support: FAQ General Information: info@cionsystems.com Online Support: support@cionsystems.com CionSystems Inc. Mailing Address: 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.cionsystems.com Phone:

More information

Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM. VMware Workspace ONE UEM 1811

Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM. VMware Workspace ONE UEM 1811 Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Request Manager User's Guide

Request Manager User's Guide vcloud Request Manager 1.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Installing vrealize Network Insight

Installing vrealize Network Insight vrealize Network Insight 3.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Comodo SecureBox Management Console Software Version 1.9

Comodo SecureBox Management Console Software Version 1.9 6. Comodo SecureBox Management Console Software Version 1.9 Quick Start Guide Guide Version 1.9.041918 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo SecureBox Management Console

More information

Integrating with Prime Service Catalog

Integrating with Prime Service Catalog This chapter consist of the following topics: Overview, page 1 Integrating with Third Party Applications, page 4 Creating Custom Integrations, page 7 Providing Infrastructure as a Service (IaaS) using

More information