Tufin AKIPS Device Sync V2

Tufin AKIPS Device Sync V2: End-to-End Setup in rConfig V8.2.0

The V2 Tufin AKIPS driver pulls device inventory from a Tufin AKIPS appliance using its mlist query language over the /api-db endpoint, and feeds the results through the unified V2 pipeline. This guide follows the same model as the Statseeker V2 setup — only the Setup tab fields and upstream-side conventions are different.

| Platform | rConfig V8 Support | Auth supported | V2 Status |
|---|---|---|---|
| Tufin AKIPS | V8.2.0+ | HTTP Basic (user + pass) | Lab tested |

The point of setting up a V2 integration is to land in a steady state where rConfig’s device inventory is continuously reconciled against AKIPS on a schedule, with no operator in the loop. That end state looks like this:

A Scheduled Task of type Integration V2 Job runs the AKIPS instance in Apply mode on a cron, e.g. nightly. It runs the same six-stage pipeline you’ll run interactively in this guide, writes any create and update decisions to rConfig, leaves any conflicts or ambiguous matches in Problem Devices for review, and notifies you on completion.

To get there, you walk a one-time setup and a sanity-check loop:

  1. Create the integration instance — AKIPS connectivity and auth in the Setup tab. Validate with Test Connection.
  2. Set up a default Device Profile the synced devices will inherit from. AKIPS does not surface per-device profile metadata, so you must rely on the instance default.
  3. Run an Extract Preview to confirm your mlist query returns the right AKIPS devices.
  4. Run a Sync Preview to walk the full pipeline (canonicalize → reconcile → decide) without writing.
  5. Run a Full Sync (Apply) once the preview’s decisions look right.
  6. Schedule the integration to run on a cron from the rConfig scheduler.

Tufin AKIPS:

  • A reachable AKIPS appliance with the /api-db endpoint enabled
  • A service-user username + password with permission to run mlist queries
  • Network connectivity from rConfig to the AKIPS appliance (HTTPS recommended)
  • A passing familiarity with mlist query syntax — the default query covers most discovery cases, but you may want to customise it

rConfig V8.2.0+:

  • Administrator access
  • A clear answer to: which Device Profile every AKIPS device should adopt by default. AKIPS-extracted devices do not carry per-device profile metadata, so a default profile on the integration instance is effectively required.

Step 1 — Create the Integration Instance (Setup Tab)

Navigate to Settings → Integrations, then click New V2 Integration.

Placeholder — V2 driver picker (Settings → Integrations → New V2 Integration) with Tufin AKIPS highlighted

The Tufin AKIPS card carries a Lab tested badge — click it to open the Setup tab.

The form is rendered from akips.schema.php and is laid out in two sections.

Placeholder — Tufin AKIPS Setup tab with Connectivity and Authentication sections expanded

Connectivity

| Field | Default | Notes |
|---|---|---|
| Base URL | required | Root of the AKIPS appliance, e.g. https://akips.example.com. No trailing slash needed. |
| API Path | /api-db | The mlist query endpoint. Rarely changed. |
| Timeout (Seconds) | 60 | HTTP request timeout. Range 1–300. AKIPS can be slow on large queries — keep the default or raise it. |
| Query Template | mlist * sys SNMPv2-MIB.sysName SNMPv2-MIB.sysDescr | The mlist query the driver runs. Edit to scope or enrich the data set. |
| Verify TLS Peer | on | Leave on for production. Disable only for self-signed labs. |
| Verify TLS Hostname | on | Leave on for production. Disable only for hostname mismatches in labs. |
| Import Source Tags | off | AKIPS does not expose tags natively — leave off unless your query template fabricates tag-like fields. |

Authentication

  • Username + Password — sent as HTTP Basic Auth. Stored as a secret. AKIPS does not currently expose tokens for this endpoint.

Click Test Connection in the action bar. The driver runs mlist group * against /api-db with the configured Basic Auth.

Placeholder — Setup tab after a successful Test Connection (green status pill)

Common failures:

| What you see | Most likely fix |
|---|---|
| Connection refused / timeout | Wrong Base URL or firewall in between rConfig and AKIPS. |
| SSL / certificate error | Self-signed cert — toggle Verify TLS Peer / Hostname off (lab only). |
| 200 with response body containing not authorized | Username or password wrong, or the user is not entitled to mlist. |
| 200 with response body containing ERROR | The mlist group * probe failed in AKIPS — the user likely has no group-read permission. |
| 403 / 404 | /api-db not exposed externally, or the AKIPS web tier is fronted by a different path prefix. |

Click Save. Move to Step 2 before running a preview.

Step 2 — Set Up the Default Device Profile (Inventory)

AKIPS records do not carry the same kind of per-device metadata as Statseeker, Zabbix or NetBox — there are no tags, custom fields or groups the driver can read for profile resolution. The schema explicitly declares device_profile.supported = false.

In practice this means:

  • Pick one rConfig Device Profile to use as the default for every AKIPS-extracted device.
  • Set that profile as the default profile on the integration instance.
  • If you need different profiles for different AKIPS device classes, create one AKIPS V2 instance per class and use the Query Template field to scope each instance to a specific subset (e.g. mlist * sys SNMPv2-MIB.sysName SNMPv2-MIB.sysDescr where group = "core-routers").

Navigate to Inventory → Device Profiles → New Device Profile, fill in vendor, category, template, credential set, and save. Note its slug.

Placeholder — Inventory → Device Profiles list

2.2 Pin the default profile on the instance

Back on the AKIPS integration Detail page, switch to the Policies view and set the Default Device Profile to the slug you just created.

Placeholder — AKIPS instance Policies view with the default Device Profile selected

The default query is:

mlist * sys SNMPv2-MIB.sysName SNMPv2-MIB.sysDescr

This returns every device’s sysName (used as hostname) and sysDescr. You can extend it to also pull sysContact, sysLocation, IP addresses, or scope with where clauses — see Tufin’s mlist documentation for the full syntax.

Click Extract Preview in the action bar (amber download icon).

Placeholder — Tufin AKIPS Extract Preview tab with summary cards and result table

The driver issues the configured mlist query, parses the line-oriented response (device group attribute[.index] = value), and returns one row per parsed device.

Open a row’s Details hover to see the full parsed payload — confirm name, the IP address (extracted from any attribute value matching an IPv4 address regex) and the sysDescr are present.
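To predict what Extract Preview and canonicalize will report before running them, the sketch below applies the parsing rules described on this page to a saved /api-db response. It is an added example, not rConfig's driver code: the IPv4 pattern, the function names and the sample response are assumptions constructed for illustration, and the driver's real regex may differ.

```python
import ipaddress
import re

FAILURE_TOKENS = ("ERROR", "not authorized")   # body tokens named on this page
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")  # assumed pattern

# Constructed sample response; device names, attributes and values are made up.
SAMPLE_BODY = """\
core-rtr-01 sys SNMPv2-MIB.sysName = core-rtr-01.example.net
core-rtr-01 sys SNMPv2-MIB.sysDescr = Router OS 9.1, mgmt 192.0.2.10
edge-sw-07 sys SNMPv2-MIB.sysName = edge-sw-07
edge-sw-07 sys SNMPv2-MIB.sysDescr = Switch OS 4.2
lab-fw-02 sys SNMPv2-MIB.sysDescr = Firewall build 999.1.1.1 at 198.51.100.7
"""

def body_failure(body):
    """Return the failure token found in an HTTP 200 body, or None."""
    return next((t for t in FAILURE_TOKENS if t in body), None)

def first_ipv4(value):
    """First syntactically valid IPv4 address in a value, or None."""
    for m in IPV4_RE.finditer(value):
        try:
            return str(ipaddress.IPv4Address(m.group()))
        except ValueError:
            continue          # IP-shaped but out of range, e.g. 999.1.1.1
    return None

def parse_mlist(body):
    """Group 'device group attribute = value' lines into one record per device."""
    devices = {}
    for line in body.splitlines():
        left, sep, value = line.partition("=")
        fields = left.split()
        if not sep or len(fields) != 3:
            continue          # skip blank or unparseable lines
        name, _group, attr = fields
        dev = devices.setdefault(name, {"external_id": name, "hostname": name,
                                        "primary_ip": None, "ip_source": None})
        value = value.strip()
        if attr == "SNMPv2-MIB.sysName" and value:
            dev["hostname"] = value       # otherwise falls back to device name
        if dev["primary_ip"] is None and (ip := first_ipv4(value)):
            dev["primary_ip"], dev["ip_source"] = ip, attr
    return devices

def invalid_candidates(devices):
    """Devices with no usable IPv4, the usual cause of canonicalize.invalid."""
    return sorted(n for n, d in devices.items() if d["primary_ip"] is None)
```

The `ip_source` field records which attribute supplied the address, so an IP scraped from free text such as sysDescr can be checked against the device's real management address before a Full Sync attaches credentials to it.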

For the full anatomy of this tab, see the Extract Preview Tab reference.

Click Preview Sync in the action bar (sky icon). Sync Preview runs the complete pipeline through decide and stops without writing.

Switch to the Run Insights tab to inspect the result.

Placeholder — Run Insights tab populated after a Tufin AKIPS Sync Preview

For AKIPS the most-watched stage metrics are:

  • extract.items_extracted — should match the Extract Preview count.
  • canonicalize.invalid — non-zero usually means a device returned no IP-shaped attribute value, or the parser could not pin down sysName.
  • reconcile.ambiguous — non-zero means more than one rConfig device matches the same AKIPS device.

If Open Problems is greater than zero, switch to the Problem Devices tab and triage the rows.

For the full anatomy of these tabs, see the Run Insights Tab reference and Problem Devices Tab reference.

When the Sync Preview decisions look correct and Open Problems is at an acceptable level, click Full Sync in the action bar (indigo icon).

Full Sync re-runs the full pipeline and finishes by executing the apply stage:

  1. Creates new devices for each decision = create, attached to the instance default Device Profile.
  2. Updates existing devices for each decision = update.
  3. Updates integration_device_links (first_seen, last_seen).
  4. Schedules an initial configuration backup for newly created devices.

Placeholder — Run Insights tab after a Full Sync, with the apply stage card populated

Re-check Problem Devices after Apply.

For any of the runs above, you can swap the action-bar button for the Open Debug Console button (shimmer icon).

Placeholder — Debug Console modal mid-run for the AKIPS driver

For the full anatomy of the dialog, see the Debug Console reference.

Once a manual Full Sync completes cleanly, navigate to Scheduled Tasks → Add Task → Integration V2 Job, pick the AKIPS instance, choose Apply mode, and set the cron schedule.

```bash
# Sync Preview (does not write)
php /var/www/html/rconfig8/current/artisan rconfig:integration-v2-run --driver=akips --mode=preview
# Full Sync (Apply) by explicit instance ID, with debug output
php artisan rconfig:integration-v2-run 19 --mode=apply --debug
# Queue an async run
php artisan rconfig:integration-v2-run 19 --mode=apply --queue
```

| Canonical field | AKIPS source |
|---|---|
| External ID | name (the AKIPS device name) |
| Hostname | sys_name (from SNMPv2-MIB.sysName) → fallback name |
| Primary IP | First IPv4 address found in any attribute value (regex) |
| Serial | not populated |
| Vendor | not populated |
| Model | not populated |
| Tags / Profile | not populated — relies on instance default Device Profile |

  • Strong match — by instance_link_external_id (AKIPS device name) only.
  • Medium match — hostname and primary IP both unique in rConfig.
  • No automatic medium-match auto-relink, no cross-family matching.

The default mode is disable_link_only — when a previously-synced AKIPS device disappears from the query result set, rConfig disables the integration_device_links row but leaves the device intact.

  • Test connection passes but Extract returns zero devices. Run the configured Query Template directly against AKIPS via the web UI to confirm the query itself returns rows. The test connection only proves /api-db reachability with mlist group *, not your specific query.
  • Test connection returns ERROR or not authorized in the body even though HTTP is 200. The driver checks the response body for these tokens and treats them as failures. Verify the user has mlist permission for the queried scope.
  • Canonicalize flags many candidates as invalid. Most common: no IPv4 address present in any attribute value. Extend the Query Template to include attributes that carry IP addresses (e.g. interface IP attributes), or add the IP to sysLocation-style fields the driver can scrape.
  • Profile resolution always falls back to default. This is expected — AKIPS does not expose per-device profile metadata. Either accept the default-profile model, or split the integration into multiple instances scoped by query template.
  • Reconciliation produces ambiguous matches. Two rConfig devices share the same hostname or primary IP. Resolve in Problem Devices by picking the correct target.
  • Slow runs / 504 / timeout. Raise Timeout (Seconds) up to the 300 maximum, or scope the Query Template to a smaller device set.