CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

  1. #1

    Question Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    Hi,

    For some weeks now my company has been using Tufin SecureTrack and SecureChange. While implementing this tool over the last 6 months we gained some experience with it, but we also got some bad feedback from our end users because of a lack of possibilities. So I opened around 13 RfEs in the last 2 weeks in the hope of getting our users satisfied.

    So this thread is not meant to blame Tufin, but I think we just need more experience with this tool, and ways and ideas of how to do that and/or how others are doing it.

    So please feel free to post websites with reviews of Tufin, scripts, how-tos and so on. I found one blog about Tufin, but unfortunately there haven't been any new posts there for a very long time:

    http://mytcse.blogspot.de/

    At the moment I am reading and writing on https://portal.tufin.com - the official website - but there aren't really many users writing there.

  2. #2

    Default Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    What are some of the things you're trying to do?

    Tufin has quite an extensive API, so if it can't do something natively you can mostly write some code to do it from the data it has collected.

  3. #3

    Default Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    Quote Originally Posted by brian_netsec:
    Tufin has quite an extensive API, so if it can't do something natively you can mostly write some code to do it from the data it has collected.
    Sometimes that's used as a bit of a cop-out. "Oh, we've got an API, you can just write some code to do that!" Yeah, that's not practical for most organisations to do, beyond basic scripting.

    Part of what you need is a library of examples that use that API, so you can adapt them to your needs.

  4. #4

    Default Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    In that case try the Tufin Developer Community...
    https://plus.google.com/communities/...53546062524001

  5. #5

    Default Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    Hi brian_netsec,

    there are some things that we and our users are fighting with when using Tufin ;-)

    1.) Global Objects
    Unfortunately we are using global objects across all our 10 CMAs. Each CMA contains the firewalls that are responsible for a specific environment, so in most cases it is enough to add/modify rules and objects only on a specific CMA. But in the last years there have been more and more scenarios which need access across different CMAs. To make sure that objects have the same name on all the CMAs we used global objects. And unfortunately Tufin does not support global objects. At the moment I am not sure if this is a technical limitation of OPSEC, Check Point or Tufin, or if this is just a feature that is not implemented. So what we would love to have is the ability to add global objects, delete global objects and modify them - put objects into groups and so on - all globally.

    2.) Workflow Design - Approver:
    Most of our workflows are like this:
    a) Requester creates the access request
    b) the chief, boss or project leader must approve the request
    c) automatic step which does "design and risk"
    d) administrator who modifies the rules of the designer - in most cases: go to the Global Dashboard, add new global objects, wait until the new revision arrives, re-design with the new global objects, implement, verify against "saved policy"
    e) install the policy, verify against installed policy

    So independent of the problem with global objects there are several other problems and gaps in usability:
    The person in step b) can only be one person (manager assignment). It cannot be a group (you can design a workflow and put a group there with "self-assigned", but this is not the goal). The end user can only assign the ticket to one person - and why the hell must this be done using an e-mail address? Why can't this be a search field which searches the AD, or selecting a specific group of AD users so that these users can "assign the task" themselves? So any idea how to address a group of people and make it easy to use for inexperienced end users? As long as it is manager-assigned to only one person, no one is able to take over this task if the assigned user is ill and did not set the "out of office" option under "My Settings".

    Furthermore - after step e), when everything is finished and the ticket is closed - only the requester gets a response via e-mail about the ticket. But in general there will be a group of people - a department - which requests a rule and needs the information about what happened with the ticket. Not possible, because there can only be one requester and not a group, and no additional mail fields/recipients can be added.

    3.) Group Permissions:
    When you import an AD group or a local group and then check the two additional group permissions, this sounds good but it is somewhat useless. What you can do with that is see all requests of the other users of the same group - but only in "My Requests". But in "My Requests" you do not have the possibility to take over the request and work on it. This would be useful given the limitation of "manager assignment" to just one person... The second permission allows you to take over a ticket when it is assigned to a group. But this mostly does not happen, because manager assignment just assigns the ticket to a specific user and not to a group. So this permission is rather useless. Furthermore - out of curiosity - when going to "Tasks" with these group permissions enabled, the predefined filter list at the top left of Tasks shows a filter for the group you belong to - but you cannot see anything, because the permissions do not allow you to see tasks of your group that are assigned to a group member. (OK, you can set the global permission "User can see all other users' tasks", but this makes it possible to see all tasks and not only the tasks of your group.)
    So the existing permissions do not make it possible to restrict the view to the specific group you belong to and just work with all your group members' tasks and requests.

    PS: After the task is closed you do not have the possibility to look at the "history" of this task to see who implemented it, who added comments, disregarded risks and so on. This is only possible if you are the requester yourself, because this "history" can only be viewed under "Tasks" - not under "My Requests", and not for (closed) tasks of your group members.

    And why the hell can you use a nice search filter under "Tasks" but just a stupid "open, closed, needs attention" filter under "My Requests"? If you and your group are working heavily with SCW you will find 100+ tickets there within a few months - finding a ticket will be nearly impossible.

    4.) Class A network not allowed, "any" not allowed (Designer):
    When having ANY in src, dst or target, the designer will not start. I talked about that with Tufin support and they explained to me that this would not really make sense, because "any" is used in most cases for access to the internet - from a proxy to the internet. But "internet" in general would be everything except private addresses, and Tufin's goal is to shrink rules/access and not to expand it to more than necessary. So this sounds "OK", but why not give the user the decision and just post an info message?

    Next thing: class A networks, e.g. 10.0.0.0/8, are not allowed when running the designer. "You will probably not have such a big network behind only one firewall. There will probably be smaller parts of this large network behind different firewalls, so the rule would make no sense, because Tufin does not want to allow more than necessary." This sounds OK too, but why again not give the end user the decision and just print a warning "AR1, AR7, AR27, ... have large subnets. Tufin does not recommend using such big subnets ...foo bar ..."? Furthermore, it seems to have been a performance problem in some customers' environments, so they "blocked" it.

    Target "any" - not allowed when trying to run the designer. If you have a core network with, let's say, "10.10.10.0/24", and in a star topology around this network there are several firewalls directly connected to this core network, and you want to allow the devices in the core network to communicate across all firewalls, then why is it not allowed to install the policy on "ANY" target? I agree - in most scenarios you never need to install something on really every firewall, but again - let the user decide and just show an info message.

    These are some of the things which come to my mind at the moment and which I sent to my local distributor; they sent them to Tufin to open RfEs so they know about it, but I have no idea if and when this will (ever) be implemented.
    So I would appreciate any tips and tricks on these topics.

    How do you design your access request workflows?
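The following is an added example, not code from this thread and not Tufin's own: a pre-flight check over a constructed list of access requests that does what the post above asks of the designer in point 4. It flags "any" in src, dst or target and networks wider than a threshold as warnings for a human to decide on, instead of refusing to run, and rejects only what genuinely cannot be designed (an unparsable network). The semicolon-separated line format, the field names, the sample requests and the /16 threshold are all assumptions made for the example.

```python
"""Pre-flight warnings for access requests before they go to a rule designer.

Added example (not Tufin code). Assumptions: one request per line as
  id;src;dst;service;target
where src/dst are CIDR networks or 'any' and target is a firewall name or
'any'. Wide networks are warned about, not blocked; the /16 cut-off is an
assumption and is IPv4-oriented.
"""
import ipaddress

# Networks with a prefix shorter than this are reported as "wide" (assumption).
MAX_PREFIX_SPAN = 16

# Constructed sample data for the example, not real requests.
SAMPLE_REQUESTS = """\
AR1;10.0.0.0/8;192.168.50.10/32;tcp/443;fw-dmz
AR7;10.10.10.0/24;any;tcp/80;fw-proxy
AR27;192.168.1.0/24;172.16.0.0/12;tcp/22;any
AR30;10.10.10.5/32;10.20.30.40/32;tcp/3389;fw-core
"""


def parse_request(line):
    """Split one request line into a dict; raises ValueError on a bad field count."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    rid, src, dst, service, target = parts
    return {"id": rid, "src": src, "dst": dst, "service": service, "target": target}


def check_address(field, value):
    """Return warnings for one address field.

    'any' and wide networks produce a warning but are still accepted.
    A value that is not a valid network (e.g. host bits set under the mask)
    raises ValueError, because no designer can work with it.
    """
    if value.lower() == "any":
        return [f"{field} is 'any'"]
    net = ipaddress.ip_network(value, strict=True)  # strict: reject 10.0.0.5/24
    if net.prefixlen < MAX_PREFIX_SPAN:
        return [f"{field} {net} is a /{net.prefixlen}, wider than /{MAX_PREFIX_SPAN}"]
    return []


def check_request(req):
    """Collect all warnings for one parsed request, in field order."""
    warnings = []
    warnings += check_address("src", req["src"])
    warnings += check_address("dst", req["dst"])
    if req["target"].lower() == "any":
        warnings.append("target is 'any'")
    return warnings


def check_requests(text):
    """Map request id -> list of warnings for every non-empty, non-comment line."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        req = parse_request(line)
        report[req["id"]] = check_request(req)
    return report


def needs_review(report):
    """Ids that carry at least one warning, in input order."""
    return [rid for rid, warnings in report.items() if warnings]


if __name__ == "__main__":
    result = check_requests(SAMPLE_REQUESTS)
    for rid, warnings in result.items():
        print(f"{rid}: {'REVIEW' if warnings else 'OK'}")
        for w in warnings:
            print(f"  - {w}")
```

Run as a script it prints one line per request plus its warnings; `needs_review` gives the ids an approver would look at, which is the "AR1, AR7, AR27 ... have large subnets" message the post asks for, without stopping the requester from submitting.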

  6. #6

    Default Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    Quote Originally Posted by northlandboy:
    Sometimes that's used as a bit of a cop-out. "Oh, we've got an API, you can just write some code to do that!" Yeah, that's not practical for most organisations to do, beyond basic scripting.

    Part of what you need is a library of examples that use that API, so you can adapt them to your needs.
    Having and offering an API is nice, but for me it often smells a bit like "We did not finish all our ideas, or we did not have the manpower to do so. So let the customers do it themselves and buy professional services, and if the solution looks fine in the end then we will put it into the main code and publish a new release" - of course this is a little bit exaggerated, but I think you know what I mean. In my opinion a product should offer everything via the GUI or the tool's interface, and if you want to connect a different tool of your company to it (Tufin) then you can use the API. But it should not be that there are missing features which can only be implemented using the API.

  7. #7

    Default Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    APIs are important to have since there are many ways data can be consumed.
    Also the API often has to be completed before there can be a UI to use a specific feature.

    That said, I agree with the general sentiment that the API shouldn't be the only way to do something in a product.
    It could very well be that there wasn't enough time to develop the UI for the given feature before that version of the product shipped.
    Or any number of other reasons.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  8. #8

    Default Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    Thank you

    Quote Originally Posted by Nachtfalke (post #5 above, quoted in full)
