tufin T-1100 User manual

T-1100/1100XL Quick Start Guide
Version 11.6

Table of Contents
Introduction
T-1100 Front and Rear Panels
  Front Panel
  Front Panel LEDs and Buttons
  Rear Panel
Setting Up The T-1100
Setting up the Remote Management Module
  Prerequisites
Installing and Configuring TOS Aurora
Restoring Factory Defaults
Appendix: Installing and Configuring Tufin Orchestration Suite Classic
  Install TOS Classic
  Configure SecureTrack
  Configure SecureChange
Copyright 2003-2022, Tufin Software Technologies Ltd. 2

Introduction
Overview
Congratulations on choosing the T-1100 appliance from Tufin Technologies, the industry’s most comprehensive firewall operations management
solution.
Information in this guide applies to both the T-1100 and the T-1100XL. (All references to T-1100 include T-1100XL as well.)
The Tufin T-1100 appliance is designed to simplify integration and use of Tufin Orchestration Suite (TOS) by providing a unified hardware and
software solution. The T-1100 is preinstalled with TufinOS, a proprietary hardened Linux operating system, and the Tufin Orchestration Suite,
which includes these software solutions: SecureTrack, SecureChange and SecureApp. By default, all TOS products are enabled. You can modify
these settings according to your needs.
This document provides:
- Descriptions of the appliance panels
- A step-by-step guide to getting the appliance and software up and running
- Instructions for restoring factory defaults
Your Appliance and Tufin Orchestration Suite (TOS)
The T-Series appliances come pre-installed with TufinOS and are designed to support both TOS Aurora and TOS Classic.
TOS Aurora is the latest version of TOS and we recommend that you install TOS Aurora on your appliance. If you require TOS Classic, consult
your Tufin Sales Engineer before installation. Support for TOS Classic ends on December 31, 2022.
You will need to choose the desired TOS product and install it using the instructions provided in this document. However, before you install TOS,
we recommend the following:
- Familiarize yourself with the appliance
- Set up your appliance
- Configure Remote Management Module (RMM)
Shipping Container Contents
All Tufin appliances are lab-tested rigorously by our network security experts. You will find these items in the shipping container:
| Item | Description |
| --- | --- |
| Appliance | T-1100 appliance |
| Cables | 2 power cables; 1 RJ-45 (CAT 5e) network cable; 1 DB9 console cable |
| USB flash drive | USB flash drive for appliance recovery |
| Documentation | This Quick Start Guide |
| Other hardware | Rack mounting kit; appliance front bezel |
Contact Support
Our worldwide technical services team is available to you through the web, email, or telephone. See http://www.tufin.com/support for your
preferred mode of communication. We look forward to supporting all of your current and future firewall operations needs.
If you need immediate assistance, please call 1-877-270-7711.

About Tufin and Trademarks
Tufin at a Glance
Offices: North America, EMEA, and Asia-Pacific
Customers: More than 2100 in over 50 countries
Leading verticals: Finance, telecom, energy and utilities, healthcare, retail, education, government, manufacturing, transportation, and auditors
Channel partners: More than 240 Worldwide
Technology Partners: Amazon Web Services, BMC, Blue Coat, Check Point, Cisco, F5 Networks, Fortinet, Forcepoint, Juniper Networks,
Microsoft Azure, OpenStack, Palo Alto Networks, VMware and more
Trademarks
2022 Tufin Technologies Ltd.
Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product names mentioned herein are
trademarks or registered trademarks of their respective owners.

T-1100 Front and Rear Panels
These sections describe the different elements in the front and rear panels.
Front Panel
| Item | Description |
| --- | --- |
| A | VGA port |
| B | 2 USB 3.0 ports |
| C | Front panel LEDs and buttons |
| D | Hard drive bay 0 |
| E | Hard drive bay 1 |
| F | Hard drive bay 2 |
| G | Hard drive bay 3 |
| H | Hard drive bay 4 |
| I | Hard drive bay 5 |
| J | Hard drive bay 6 |
| K | Hard drive bay 7 |
Front Panel LEDs and Buttons
All control buttons and status LEDs are located on the front of the appliance.
| Item | Feature | Description |
| --- | --- | --- |
| A | System ID button with integrated LED (green) | When pressed, it toggles the ID LEDs on the front and back of the appliance. |
| B | Halt button | When pressed, it puts the server in a halt state so that the memory can be downloaded for diagnostics. |
| C | Onboard LAN LED (green) | Indicates NIC activity for each of the two onboard network interfaces. |
| D | System cold-reset button | When pressed, it reboots the appliance. |
| E | HDD activity/fault LED (green/red) | Indicates HDD activity when green, or an HDD fault when red. This is an aggregated indication for all hard disk drives in the system. Each hard disk contains its own activity and fault indicators. |
| F | System status (green/red) | Indicates system status as follows: steady green indicates system in standby or ready for operation; blinking green indicates degraded operation (e.g., power supply nonredundancy, part of system memory mapped out by BIOS); blinking red indicates one or more non-critical fault conditions; steady red indicates one or more critical fault conditions. |
| G | Power button with integrated LED (green) | When pressed, it toggles the system power. When continuously lit, indicates the presence of power supply output power in the appliance. The LED turns off when the power supply is turned off or the power source is disrupted. |

Rear Panel
| Item | Description | Notes |
| --- | --- | --- |
| A | Power supply 1 | |
| B | Power supply 2 | |
| C | Onboard LAN (eth0) | |
| D | Onboard LAN (eth1) | |
| E | Video connector | |
| F | RJ45 serial port | |
| G | 3 USB 3.0 ports | |
| H | RJ45 Remote Management Module (RMM) | For more about this interface, see Setting up the Remote Management Module. |
| I | External NIC (eth3) | |
| J | External NIC (eth2) | |

Setting Up The T-1100
Connect Your Appliance to the Network
1. Connect the power cable.
2. Boot up the appliance by pressing the Power button on the front panel.
3. Your appliance has a predefined IP address - 192.168.1.100/24. Before connecting your appliance to your network, make sure to
change the IP address.
4. Connect a network cable to the eth0 port (Chapter 2: Rear Panel, item C) and to a PC (with a crossover cable), or to a local network that is
in the same subnet as the eth0 port.
5. If you are using a crossover cable, configure the terminal to match the following appliance console port settings:
- 57600 bits per second
- 8 Data bits
- Parity: None
- Stop bit: 1
- Flow Control: None
Configure Remote Management Module (RMM)
For easier appliance management, we recommend that you also configure the Remote Management Module (RMM) after you connect your
appliance to your network and before you install Tufin Orchestration Suite. Using RMM, you can upgrade TufinOS or TOS on the appliance without
having to physically access the server (see Setting up the Remote Management Module).

Setting up the Remote Management Module
The remote management module (RMM) or IPMI port in Tufin appliances lets you connect to an administration web interface for the appliance. You
can configure RMM either by using BIOS or by using SSH or a console.
- BIOS: Select this option if the appliance is not yet connected to the network and you need to configure it locally.
- SSH/Console: Select this option if the appliance is already connected to the network.
Prerequisites
We recommend that the remote computer on which you install and use RMM should be on the same local network as the appliance.
In addition, it should include the following:
- Web browser: We recommend Internet Explorer with anti-virus enforcement and browser protection disabled.
- Java: Java version 8 or later.
- Ports: These ports must be open between the appliance and the TufinOS remote installation computer:

| Use | Port |
| --- | --- |
| HTTP | 80 (TCP) |
| HTTPS | 443 (TCP) |
| KVM | 7578, 7582 (UDP/TCP) |
| Virtual Media | 5120, 5123, 5124, 5127 (UDP/TCP) |
Configure RMM Using BIOS
1. Reboot/power on the appliance.
2. In the next screen, press the F2 key to enter the BIOS setup.

3. In the next screen, go to Setup Menu.
4. Select Server Management and enter the BMC LAN Configuration.

5. Edit the settings as required.
6. Save settings and reboot the appliance.

Configure RMM Using SSH or a Console
1. Make sure that the MGMT port for the appliance is connected to the network.
2. Configure network settings:
a. Connect to the appliance using SSH or a console.
b. Set the following network settings:
ipmitool lan set 3 ipaddr <rmm_ip>
ipmitool lan set 3 netmask <subnet_netmask>
ipmitool lan set 3 defgw ipaddr <default_gateway_ip>
3. Verify the configuration:
ipmitool lan print 3
4. Ping the RMM IP address to confirm connectivity:
ping <RMMIPAddress>
5. Configure the user settings:
a. Check the existing user list:
ipmitool user list 3
b. Create a new user or modify settings for an existing user ID:
ipmitool user set name <user_id> <username>
ipmitool user set password <user_id>
ipmitool channel setaccess <channel number> <user id> [callin=on|off] [ipmi=on|off] [link=on|off] [privilege=level]
For example:
ipmitool user set name 3 myuser
ipmitool user set password 3
ipmitool channel setaccess 1 3 callin=on ipmi=on link=on privilege=4
c. Enable the new user:
ipmitool user enable <user_id>
6. In a browser, log in to the Web Interface and confirm that you can connect using the username and password defined in the previous step.
https://<RMMIPAddress>
7. (Optional) Log in to the RMM and make additional security adjustments:
a. Connect to the WebUI (https://<ip_address>) and log in with the created user.
b. In the WebUI, go to Configuration > Users:
i. Disable the root and anonymous users.
ii. Delete any other users.
c. If you want to change the SSL certificate for the server, go to Configuration > SSL and upload the certificate file.
d. If you want to force all connections to the RMM to use HTTPS, go to Configuration > Login and enable Force HTTPS.
Now you can securely connect to the RMM to do remote administration tasks. For more about using the RMM, refer to the Intel® Remote
Management Module 4 (Intel® RMM4) User Guide at http://www.intel.com/support/motherboards/server/sb/CS-032371.htm.

Installing and Configuring TOS Aurora
This topic includes instructions to install and configure Tufin Orchestration Suite (TOS) Aurora 11.6 and later running on TufinOS.
You must install the version of TOS Aurora that is found on your appliance before upgrading to any later version of TOS Aurora.
Note: After you install TOS Aurora on the appliance, you will be unable to revert it to TOS Classic.
Network Requirements for TOS Aurora
Before you install TOS Aurora, ensure that the following network requirements are met:
- Allow access to the required ports and services.
- Dedicate a 24-bit CIDR subnet on your network to TOS Aurora for internal use. It must not overlap with CIDR 10.244.0.0/16 or with the
  physical and VIP (Virtual IP) network addresses of your SecureTrack Aurora servers.
- Dedicate two different IP addresses to TOS Aurora:
  - The virtual IP (VIP) that will serve as the external IP address used to access TOS Aurora from your browser and from devices that
    send it data. The VIP will not be needed in the installation, except in the last step - the installation command.
  - The physical network IP that will serve as the internal IP address used by the administrator for CLI commands. This is the one
    you will use in all other steps of the installation.
- If additional nodes are subsequently added to the cluster, each node will require an additional dedicated physical network IP. The
  VIP and all the physical network IPs must be on the same subnet.
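A pre-flight check for the network requirements above, written as an added example (it is not Tufin tooling and not part of the original guide). The function name, its parameters and the reading of "physical and VIP network addresses" as the subnet shared by the nodes and the VIP are assumptions; the sample plans are constructed, the first from the guide's own install example.

```python
"""Pre-flight check for the TOS Aurora network requirements (added example)."""
import ipaddress

# Range the guide says the dedicated services subnet must not overlap.
RESERVED_CIDR = ipaddress.ip_network("10.244.0.0/16")


def check_tos_network(service_cidr, vip, node_ips, node_prefix):
    """Return a list of problems; an empty list means the plan passes.

    service_cidr: planned --services-network value, e.g. "10.10.10.0/24"
    vip:          planned --loadbalancer-ip value
    node_ips:     physical network IP of every cluster node
    node_prefix:  prefix length of the subnet the nodes are on (assumption:
                  supplied by the caller; the guide's default eth0 uses /24)
    """
    if not node_ips:
        return ["at least one physical node IP is required"]
    try:
        # strict=True rejects values such as 10.10.10.5/24 (host bits set).
        services = ipaddress.ip_network(service_cidr, strict=True)
        vip_addr = ipaddress.ip_address(vip)
        nodes = [ipaddress.ip_address(ip) for ip in node_ips]
    except ValueError as exc:
        return [f"invalid address or CIDR: {exc}"]

    # Subnet the VIP and all nodes must share, derived from the first node.
    node_net = ipaddress.ip_network(f"{nodes[0]}/{node_prefix}", strict=False)

    problems = []
    if services.prefixlen != 24:
        problems.append(f"services network must be a /24, got /{services.prefixlen}")
    if services.overlaps(RESERVED_CIDR):
        problems.append(f"services network {services} overlaps {RESERVED_CIDR}")
    if services.overlaps(node_net):
        problems.append(f"services network {services} overlaps node subnet {node_net}")
    if vip_addr in nodes:
        problems.append(f"VIP {vip_addr} must differ from the physical node IPs")
    if len(set(nodes)) != len(nodes):
        problems.append("each node needs its own physical IP")
    for addr in [vip_addr, *nodes]:
        if addr not in node_net:
            problems.append(f"{addr} is outside node subnet {node_net}")
    return problems


if __name__ == "__main__":
    # Constructed plans; the first uses the values from the guide's example.
    plans = [
        ("10.10.10.0/24", "192.168.1.2", ["192.168.1.100"]),
        ("10.244.5.0/24", "192.168.1.2", ["192.168.1.100"]),
        ("192.168.1.0/24", "192.168.2.2", ["192.168.1.100", "192.168.1.101"]),
    ]
    for cidr, vip, nodes in plans:
        issues = check_tos_network(cidr, vip, nodes, 24)
        print(cidr, vip, nodes, "->", issues or "OK")
```

Run it on an administration workstation before the install command; an empty result means the planned values satisfy every rule listed above.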
Install TOS Aurora
1. Reconfigure TufinOS
a. Open a command line via SSH to the IP address of eth0 (if you have not changed it: 192.168.1.100).
b. Log in as tufin-admin with password admin
You are prompted to change the default password when you first log in.
c. Run the following commands:
screen -S switch
sudo switch-tos-mainstream
d. When prompted to reconfigure TufinOS, select yes. This process can take about five minutes.
e. Reboot the appliance.
f. Reconnect to the appliance (steps 1a-1b).
g. To install TOS Aurora, run the following commands:
screen -S install
cd /opt/tufin/data/aurora
sudo sh <filename>
The installation file is in /opt/tufin/data/aurora.
2. Configure the appliance for TOS Aurora
a. To access the appliance with Mozilla Firefox or Google Chrome, browse with https to the IP address of eth0. If you have not
changed the IP address, browse to https://192.168.1.100.
b. Accept the certificate.
c. The login window appears. Log in as admin with password admin, and click Login.
You are prompted to set a new password.

d. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using. For example: ens33.
e. Do one of the following:
- (Recommended) Run the command sudo nmtui edit <Interface Name>.
  In the window, set the parameters as follows:
  - Set IPv4 CONFIGURATION to Manual.
  - Set Addresses to the internal machine IP together with the chosen subnet.
  - Set Gateway and DNS Servers to the IPs used by your organization.
- (or) Edit the configuration files directly:
  1. Edit the file /etc/sysconfig/network-scripts/ifcfg-eno1.
  2. Change line BOOTPROTO=dhcp to BOOTPROTO=static.
  3. Add entries at the end of the file:
  IPADDR=<NEWIP>
  NETMASK=<MyNetmask>
  GATEWAY=<MyGateway>
  DNS1=<DNS_IP1>
  DNS2=<DNS_IP2>
  where
  <NEWIP> is the internal machine IP.
  <MyNetmask>, <MyGateway>, <DNS_IP1>, <DNS_IP2> are the appropriate values for your network.
f. Restart the network service.
service network restart
3. Installing TOS Aurora
a. Run the install command, replacing the parameters:
sudo tos install --modules=<MODULE-TYPE> --loadbalancer-ip=<VIP> --services-network=<SERVICE-CIDR>
- <MODULE-TYPE> with one of the following values:
  - ST for SecureTrack only
  - ST,SC for both SecureTrack and SecureChange
  - RC for a remote collector
- <VIP> with the external IP that you will use to access TOS Aurora
- <SERVICE-CIDR> with the CIDR that you want TOS Aurora to use
Example:
sudo tos install --modules=ST,SC --loadbalancer-ip=192.168.1.2 --services-network=10.10.10.0/24
The End User License Agreement (EULA) appears.
b. After reading, enter q to exit the document and then enter y to accept the EULA and continue until the command completes.
c. Type Exit to leave the CLI.
Configure SecureTrack
1. Log in as admin with password admin, and click Login.

You are prompted to set a new password.
2. The first time that you log into SecureTrack, you can use the First-Time Wizard to configure the following settings:
- Activate your SecureTrack license: Relevant only for central clusters. Skip for remote collectors.
  For complete instructions, see Activate License.
- Set the Time Zone: The TOS Aurora application has its own timezone, independent of your host node, and the default is UTC. If
  UTC is not the timezone you want to use, see The TOS Aurora Time Zone.
- Set up your IP Addresses: To set up your Syslog VIP address, see Syslog VIP Addresses.
  Primary and VIP addresses can be changed if needed. For more information, see Changing IP Addresses.
- Add Nodes to your cluster: TOS Aurora is deployed by default as a single node Kubernetes cluster. See Multi-Node Processing
  for more information about adding additional nodes.
Configure SecureChange
1. Create a SecureTrack Administrator User:
a. Go to https://<SecureTrack_IP>, where <SecureTrack_IP> is the cluster VIP.
b. Log in to SecureTrack as tufin-admin with password admin.
c. Create a new SecureTrack Administrator user.
Note: If you are going to configure SecureChange for multi-domain management, make the user either a
super administrator or multi-domain administrator, depending on whether you want to restrict the
administrator to selected domains.
For more information, see Managing TOS Aurora Users.
2. Log in to SecureChange:
a. Go to https://<IP>/securechangeworkflow where <IP> is the cluster VIP.
b. Log in to SecureChange as tufin-admin with password admin.
You are prompted to change the password. SecureChange users are separate from SecureTrack users; there is no connection
between a SecureTrack user and a SecureChange user with the same name.
On the prompt window, you can also enter an email address for administrative email notifications. We recommend using the
address of an email list so you can edit the list of recipients easily.
3. Configure the SecureChange Settings
a. Go to Settings > Miscellaneous.
b. Enter a value for Server DNS name. The server DNS name is used for links in email notifications. This can be an IP address in the
format 11.22.33.44 or an FQDN in the format https://mydomain.com.
The SecureChange DNS name is published by SecureChange so it can be accessed from external sources. For example, it is
embedded in notification mails sent by SecureChange, which include a link to a ticket, such as an email notifying a handler
assigned with a task, or informing a requester that the ticket has been successfully resolved.
c. Go to Settings > SecureTrack.
d. Enter the SecureTrack administrator username, which was created previously.
e. If you want a link to SecureTrack to be available in the SecureChange applications icon, select Show link to SecureTrack.
f. If you want to change how often SecureChange tests its connectivity to SecureTrack, change the value of the Connection check
interval.
g. Click Test connection to verify that SecureChange has a connection to SecureTrack.
h. Click Save.
4. Additional SecureChange Configurations
These tasks can be done now or at a later stage.
- Connect to a mail server. For instructions, see Connecting to a Mail Server.
- (Optional) Connect to an LDAP directory to use LDAP user accounts. For instructions, see Importing LDAP Users and Groups.
- Create local users and user roles. For instructions, see SecureChange Users and User Roles.
If you need to reset the password of the initial Administrator (username: admin), see Reset Password.
Upgrade TufinOS and TOS Aurora
After you install the pre-loaded TOS Aurora, you can upgrade to a newer version of both TufinOS and TOS Aurora.
Confirm the TufinOS and TOS Versions
Retrieve the TufinOS and TOS Aurora versions from your appliance.
- Run these commands to confirm the TufinOS and TOS Aurora versions on your appliance:
# cat /etc/redhat-release
TufinOS Linux release 3.81 build 123456 (Final)
# sudo tos version
TOS Aurora: 21.3 (PGA.0.0) Final
...
Check for Updates
In the Release Notes Knowledge Center, you can review the release notes for every version of TufinOS and TOS Aurora.
- For each version of TufinOS, see the Compatibility and Requirements page for a list of supported TOS Aurora versions. For example,
  see TufinOS 3.81 Release Notes.
- For each version of TOS Aurora, the Release Notes include resolved issues, deprecated features, the supported upgrade paths, and
  instructions for upgrading. For example, see this page for TOS Aurora R21-3.
Upgrade TufinOS
Although your appliance comes with TufinOS preinstalled, you may need to reinstall it if something changed with your hard drives - data was
corrupted or hardware was replaced.
We recommend that you use RMM to install a newer version of TufinOS on your appliance (see Installing TufinOS via Remote Management
Module (RMM) for Gen 3.5 Appliances).
Upgrade TOS Aurora
To upgrade your version of TOS Aurora, see Upgrade From TOS Aurora.

Restoring Factory Defaults
You can restore the factory defaults on the appliances by using the provided USB flash drive.
Warning! Restoring factory defaults will delete all information on the appliance including database records, backup files and
logs.
1. Back up the Tufin Orchestration Suite (TOS) databases (SecureTrack and SecureChange).
a. Aurora only:
i. Run this command:
# sudo tos backup create
You can continue working while the backup is running.
ii. Run this command as many times as you need to check the status of the backup:
# sudo tos backup status
When the backup is complete, you will see the file name with a timestamp.
b. Run this command:
Aurora: # sudo tos backup export
Classic: # sudo tos backup <backup file>
2. Save the backup file on external storage because the output file will be deleted from the appliance when you restore factory defaults.
3. Run this command for both Aurora and Classic:
# sudo tos version
Record the build numbers to refer to when you restore the backup files.
4. Insert the USB flash drive into the USB port, and reboot the appliance by pressing the Power button or by typing reboot.
The appliance automatically boots from the USB Flash Drive.
Note: If the appliance does not boot automatically from the USB Flash Drive, you may need to configure the BIOS boot
option to do so.
5. Once the appliance is up, you are prompted to specify what console is used.
- kvm: For Classic-supported installation.
- kvm-aurora: For Aurora-supported installation.
- serial: For Classic-supported installation using serial console.
- serial-aurora: For Aurora-supported installation using serial console.
If there is no reply within 60 seconds, all installation messages are directed to the serial console.
If you are restoring TufinOS 3.50 or below, replace:
- serial-aurora with serial-tos2
- kvm-aurora with kvm-tos2
6. Before the installation program resets the system, you will be advised that all data will be removed from the appliance. Enter Continue to
restore factory defaults.
TufinOS is installed, after which you are prompted to reboot the appliance. Make sure to first remove the USB flash drive, or the appliance
will boot from it again. The appliance reboots with factory default settings.
7. Download and install TOS: