Tufin

Overview#


Retrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths of an attack. This integration was integrated and tested with version 19.3 of Tufin Orchestration Suite.

Tufin Playbook#


Use Cases#


Gather network intelligence from SecureTrack and SecureApp, perform topology queries in SecureTrack, and submit change tickets from SecureChange.

Configure Tufin on Demisto#


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Tufin.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • TOS IP or FQDN
    • TOS User Credentials
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Maximum number of rules returned from device during a policy search
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data#


Commands#


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. tufin-search-topology
  2. tufin-search-topology-image
  3. tufin-object-resolve
  4. tufin-policy-search
  5. tufin-get-zone-for-ip
  6. tufin-submit-change-request
  7. tufin-search-devices
  8. tufin-get-change-info
  9. tufin-search-applications
  10. tufin-search-application-connections

1. tufin-search-topology#


Search the Tufin Topology Map

Base Command#

tufin-search-topology

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| source | Source address/addresses (may contain multiple, comma separated values) e.g. 192.168.100.32 or 192.168.100.32/32,192.168.100.33 | Required |
| destination | Destination address/addresses (may contain multiple, comma separated values) e.g. 192.168.100.32 or 192.168.100.32/32,192.168.100.33 | Required |
| service | Service parameter can be a port (for example, “tcp:80”, “any”) or an application (for example, “Skype”, “Facebook”). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.Topology.TrafficAllowed | boolean | Traffic Permitted |
| Tufin.Topology.TrafficDevices | string | List of devices in path |

Command Example#

!tufin-search-topology destination=10.2.2.0/24 source=192.168.60.0/24

Human Readable Output#

image

2. tufin-search-topology-image#


Search the Tufin Topology Map, returning an image

Base Command#

tufin-search-topology-image

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| source | Source address/addresses (may contain multiple, comma separated values) | Required |
| destination | Destination address/addresses (may contain multiple, comma separated values) | Required |
| service | Service parameter can be a port (for example, “tcp:80”, “any”) or an application (for example, “Skype”, “Facebook”). | Optional |

Context Output#

There is no context output for this command.

Command Example#

!tufin-search-topology-image destination=10.2.2.0/24 source=192.168.60.0/24

Human Readable Output#

image

3. tufin-object-resolve#


Resolve IP address to Network Object

Base Command#

tufin-object-resolve

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP Address to Resolve to Network Object | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.ObjectResolve.NumberOfObjects | number | Number of objects that resolve to given IP address. |

Command Example#

!tufin-object-resolve ip=10.3.3.3

Human Readable Output#

image

4. tufin-policy-search#


Search the policies of all devices managed by Tufin

Base Command#

tufin-policy-search

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| search | The text format for a field is fieldname:text (for example, source:192.168.1.1), or a bareword for free-text search. See the search info documentation on the SecureTrack Policy Browser page for more information. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.Policysearch.NumberRulesFound | number | Number of rules found via search |

Command Example#

!tufin-policy-search search="source:192.168.1.1"

Human Readable Output#

image

5. tufin-get-zone-for-ip#


Match the IP address to the assigned Tufin Zone

Base Command#

tufin-get-zone-for-ip

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP Address | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.Zone.ID | string | Tufin Zone ID |
| Tufin.Zone.Name | unknown | Tufin Zone Name |

Command Example#

!tufin-get-zone-for-ip ip=10.10.12.1

Human Readable Output#

image

6. tufin-submit-change-request#


Submit a change request to SecureChange

Base Command#

tufin-submit-change-request

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| request-type | Request Type | Required |
| priority | Request Priority | Required |
| source | Source or Target | Required |
| destination | Destination (Mandatory for FW Change) | Optional |
| protocol | Protocol (Mandatory for FW Change) | Optional |
| port | Port (Mandatory for FW Change) | Optional |
| action | Action (Mandatory for FW Change) | Optional |
| comment | Comment | Optional |
| subject | Ticket Subject | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.Request.Status | unknown | Status of the request submission |

Command Example#

!tufin-submit-change-request request-type="Decommission Request" priority=High source=192.168.1.1 subject="This host is infected with ransomware"

Human Readable Output#

image
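
Incident fields that feed tufin-search-topology and tufin-submit-change-request are often attacker-influenced, so an automation should validate them against the documented argument formats and pass them as an argument dictionary rather than a concatenated command string. The following is an added example, not part of the integration's code: the function names, the nested-dict shape of the context and the sample device name are assumptions, while the argument names, output paths and the "Decommission Request" value come from this page.

```python
import ipaddress
import re

def check_addresses(value):
    """Validate a comma-separated IP/CIDR list as source/destination expect."""
    parts = [p.strip() for p in str(value).split(",")]
    for part in parts:
        # Strict parsing rejects empty items, host bits set under a mask, and
        # any item carrying extra text such as a smuggled "key=value" pair.
        ipaddress.ip_network(part)
    return ",".join(parts)

def check_service(value):
    """Accept the documented forms: "any", "proto:port", or an application name."""
    value = str(value).strip()
    m = re.fullmatch(r"([A-Za-z]+):(\d{1,5})", value)
    if m:
        if not 1 <= int(m.group(2)) <= 65535:
            raise ValueError("port out of range: " + value)
        return value
    if re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}", value):
        return value  # "any" or an application name such as "Skype"
    raise ValueError("unsupported service value: " + repr(value))

def topology_args(source, destination, service=None):
    """Build the tufin-search-topology argument dict from untrusted fields."""
    args = {"source": check_addresses(source),
            "destination": check_addresses(destination)}
    if service:
        args["service"] = check_service(service)
    return args

def decommission_args(context, host, subject):
    """Return tufin-submit-change-request arguments if the path is open, else None."""
    topo = context.get("Tufin", {}).get("Topology", {})
    if isinstance(topo, list):  # context may hold several results; use the latest
        topo = topo[-1] if topo else {}
    if topo.get("TrafficAllowed") is not True:
        return None
    return {
        "request-type": "Decommission Request",  # value from the page's example
        "priority": "High",
        "source": str(ipaddress.ip_address(str(host).strip())),
        "subject": subject,
        "comment": "Devices in path: " + str(topo.get("TrafficDevices", "")),
    }

if __name__ == "__main__":
    # Constructed sample context, shaped after the documented output paths.
    ctx = {"Tufin": {"Topology": {"TrafficAllowed": True, "TrafficDevices": "fw-edge-01"}}}
    print(topology_args("192.168.60.0/24", "10.2.2.0/24", "tcp:80"))
    print(decommission_args(ctx, "192.168.1.1", "This host is infected with ransomware"))
```
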

7. tufin-search-devices#


Search SecureTrack devices

Base Command#

tufin-search-devices

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| name | Device name | Optional |
| ip | Device IP | Optional |
| vendor | Device vendor | Optional |
| model | Device model | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.Device.ID | unknown | Device ID |
| Tufin.Device.Name | unknown | Device name |
| Tufin.Device.Vendor | unknown | Device vendor |
| Tufin.Device.Model | unknown | Device model |
| Tufin.Device.IP | unknown | Device IP |

Command Example#

!tufin-search-devices vendor=Cisco

Human Readable Output#

image

8. tufin-get-change-info#


Get information on a SecureChange Ticket (Ticket ID retrieved from Tufin UI)

Base Command#

tufin-get-change-info

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| ticket-id | SecureChange Ticket ID | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.Ticket.ID | unknown | Ticket ID |
| Tufin.Ticket.Subject | unknown | Ticket subject |
| Tufin.Ticket.Priority | unknown | Ticket priority |
| Tufin.Ticket.Status | unknown | Ticket status |
| Tufin.Ticket.Requester | unknown | Ticket requester |
| Tufin.Ticket.WorkflowID | unknown | Ticket workflow ID |
| Tufin.Ticket.WorkflowName | unknown | Ticket workflow name |
| Tufin.Ticket.CurrentStep | unknown | Ticket current step |

Command Example#

!tufin-get-change-info ticket-id=250

Human Readable Output#

image

9. tufin-search-applications#


Search SecureApp applications

Base Command#

tufin-search-applications

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| name | Application name | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.App.ID | unknown | Application ID |
| Tufin.App.Name | unknown | Application name |
| Tufin.App.Status | unknown | Application status |
| Tufin.App.Decommissioned | unknown | Is the application decommissioned |
| Tufin.App.OwnerID | unknown | Application owner ID |
| Tufin.App.OwnerName | unknown | Application owner name |
| Tufin.App.Comments | unknown | Application comments |

Command Example#

!tufin-search-applications name="3Rivers"

Human Readable Output#

image

10. tufin-search-application-connections#


Get SecureApp application connections

Base Command#

tufin-search-application-connections

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| application-id | Application ID | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tufin.AppConnections.ID | unknown | Connection ID |
| Tufin.AppConnections.Name | unknown | Connection name |
| Tufin.AppConnections.Status | unknown | Connection status |
| Tufin.AppConnections.Source.ID | unknown | Connection source ID |
| Tufin.AppConnections.Source.Type | unknown | Connection source type |
| Tufin.AppConnections.Source.Name | unknown | Connection source name |
| Tufin.AppConnections.Destination.ID | unknown | Connection destination ID |
| Tufin.AppConnections.Destination.Type | unknown | Connection destination type |
| Tufin.AppConnections.Destination.Name | unknown | Connection destination name |
| Tufin.AppConnections.Service.ID | unknown | Connection service ID |
| Tufin.AppConnections.Service.Name | unknown | Connection service name |
| Tufin.AppConnections.Comment | unknown | Connection comment |
| Tufin.AppConnections.ApplicationID | unknown | Application ID |

Command Example#

!tufin-search-application-connections application-id=215

Human Readable Output#

image

Troubleshooting#


Contact Tufin support via the Tufin User Portal, or by going to https://www.tufin.com/support