www.tufin.club

Tufin has officially released TOS R25-1. It's the first version of the Tufin Orchestration Suite of 2025. 
TOS R25-1 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R25-1:

Change Monitoring, Automation, and Orchestration

  • SecureTrack
    When looking at the revision history, comments can be added now. This feature is available for GCP, Meraki, Arista and other OPM devices.

  • SecureTrack
    In Cloud environments, syslogs via TCP can be encrypted with TLS now. 

  • SecureTrack
    Based on Network Configuration, a mapping of zones to interfaces (MZTI) is supported now. This is useful when working with USPs. 

  • SecureChange
    The user experience for "generic workflows" has been improved by introducing a new design and a panel for "Ticket Properties". 

  • SecureChange
    It's possible to automate userID from Network Tickets to Next Generation Firewalls like Panorama and FortiManager

  • SecureChange
    Further improvements in SecureChange SLA allow to pause, resume, and reset the SLA of tickets. Non-handler users can be excluded from the SLA, so the time used by handler teams can be calculated more accurate. 

  • SecureApp
    Applications may now include connections using LDAP user groups from specified networks.

  • TufinMate
    Tufin's AI Assistant is now generally available. It supports in troubleshooting network issues, opening Access Request tickets via Microsoft Teams using natural language and Microsoft Copilot is supported to get questions about Topology. 

Devices and Platforms

  • Arista EOS
    The Linux-based network operation system for Clouds is officially supported now. It's supported for Topology (e.g. VxLAN, MPLS, VPN) for IPv4 as well as IPv6, for USP as well as Change Automation.

  • AWS
    Unused Security Group (SG) rules across AWS environments are recognized now, so rule analytics, last-hit information in Rule Viewer as well as Security Best Practice reports are available. 

  • Azure
    Using USPs is possible for Azure Network Security Groups (NSGs) now. This might increase the security level of the cloud.

  • Azure
    Azure Network Security Groups (NSGs) with Application Security Groups (ASGs) are supported by the Designer in Access Request Workflows now. So changes can be automated, too. 

  • Check Point
    Check Point Last Hit Information is shown in the Rule Viewer for objects in rules. Therefore it's possible now to identitfy unused objects in rules. 

  • Cisco Meraki
    Automatic Target selection in SecureChange is supported now for Cisco Meraki, including USP checks before implementation. 

  • OPM
    OPM (Open Policy Management) devices can be integrated into TOS. Now, in Access Request Workflows Designer support for this kind of devices has been added. 

  • VMware
    NSX-T Gateway Firewalls can be integrated to SecureTrack now. So the policies and their revisions are visible, shown in Topopology, as well as checked against USPs. 

  • VMware
    NSX-T in Azure VMware Solution (AVS) is supported. It allows to extend the on-premis VM environment zu Microsoft Azure. 

  • Zscaler Internet Access (ZIA)
    ZIA devices are supported by SecureTrack now. They are shown in SecureTrack Topology (including VPN) and NGFW objects like URL categorization as well as FQDNs are supported. 

  • Zscaler Internet Access (ZIA)
    SecureTrack Rule Viewer shows rules, last-hit information. Additionally, reports are possible to identify unused rules and objects.

Tufin Appliances

  • Tufin G4 (T800 / T1200) & G4.5 (T820 / T1220) appliances can be connected to two different switches to provide them with Link Redundancy. 


Further improvements, as well as corrections, are included in R25-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

There are various status messages when backing up the Tufin Orchestration Suite. One of them is 
     IMPAIRED
If any backup is in this status, it's no longer possible to continue working with the data backup.

The reason for this status is a component in the Kubernetes cluster that is not working correctly when the backup has been created. 

To solve the problem, all backups with this status should first be deleted. Then ensure that the TOS cluster is in a good state. No problems should be reported when calling the “tos status” command. Then the backup will work as desired again.

 

 

 

The message "checker failure" might occur when checking the status of the Tufin Orchestration Suite. 

When looking at Tufin's knowledge base, this message is mentioned as "known bug" that is fixed in R24-1 PHF4.1.0 and R24-2 PHF1.0.0, respectively. If you cannot upgrade or get still the message, this procedure might help: 

  • Find as root the pod that is responsible for this message by using the command
    # kubectl get pods -owide | grep node-exporter
    tos-prometheus-node-exporter-zddqg                    2/2     Running     0 …

  • Check this pod, e.g. if it's running (can be skipped)
    # kubectl describe pod tos-prometheus-node-exporter-zddqg
    ...
  • Restarting the pod helps to return to a normal status
    # kubectl delete pod tos-prometheus-node-exporter-zddqg

You can check the status of this pod by using the first command shown above. Please give the pod to start (and to show a status "ok") about two minutes. Checking "tos status" before will still deliver "checker failure" because the pod is still not running well. 

 

 

 

Tufin has released TOS R24-2, the second version of the Tufin Orchestration Suite of 2024. 
TOS R24-2 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R24-2:

Deployment

  • Upgrade
    The upgrade process has been optimized and is shown in a more transparent way. This increases visibility and helps troubleshooting during upgrades.

Change Monitoring, Automation, and Orchestration

  • SecureChange
    SLA can be set for tickets. Starting with this version, business hours and non-working days can be considered by configuration.
  • SecureChange
    The page showing the tickets has been improved esp. regarding search tickets and manage saved queries. 

  • SecureTrack
    OPM devices are integrated better now. Supported is e.g. automatic mapping of zones to interfaces, matching rules in the Topology Map, etc. So they are also found by SecureChange as possible installation targets.
  • SecureTrack
    The Topology Map now supports both IPv4 and IPv6 routes. So it can be used in mixed environments also.
  • SecureTrack
    The Device Viewer includes the feature "Revision History" for all devices now. This is useful esp. for GCP, Cisco Meraki and OPM devices because they don't have the option for comparing revisions.

Devices and Platforms

  • Azure NSG
    SecureChange Designer now provides suggested changes for access across Azure NSGs and Azure firewall devices. 
  • Azure NSG
    SecureTrack Rule Viewer can interpret the configuration of NSGs, so e.g. "cleanup" as well as "unused objects" can be used.
  • Azure Firewall
    Azure firewalls in a Virtual WAN- Secured Hub deployment when routing is configured in the Azure Hub are supported. So based on the Topology, also USP violations as well as Designer / Verifier are supported. 

  • Cisco
    For Cisco FMC devices generic NAT is supported, so it can be used in Topology.

  • Fortinet
    UserID Automation for FortiManager is supported now, delivering improved visibility for the LDAP groups that are part of the User Groups and FSSO objects. This includes topology support as well as automation tools of SecureChange.
  • Fortinet
    For path analysis FQDN objects or DNS can be used.
  • Fortinet
    The support of enhanced VPN across Fortinet devices is improved (Dial-Up/dynamic VPN). The modelling of SD-WAN is improved.

  • Google
    GCP VPC firewalls can be used in Access Request workflows, they are automatically recognized based on information from the Topology. So also the Verifier can be used for these devices.

  • VMware
    NSX-T is supported by the Rule Viewer, last hit information for NSX-T Distributed firewall rules is available now.
  • VMware
    NSX-T VRFs can be imported as logical routers and be used in Topology.
  • VMware
    IPv6 is now supported for VMware NSX-T in the Interactive Map: Interfaces and Routes. So in SecureChange Designer, Provisioning and Verifier are supported.

 

Further improvements, as well as corrections, are included in R24-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

In earlier times, when using TufinOS 3.x (based on CentOS) it has been possible to check which ciphers are going to be used in SSL and TLS, respectivly. After upgrading to TufinOS 4.x (based on Rocky Linux) this is no more possible. 

Tufin Support states that this is "as designed" and "it's secure": 

Tufin routinely carries security tests for each supported version. If an issue is detected by public commercial tools or with customized penetration testing - it is handled immediately. As far as we can tell, based on tests by Tufin and many of our customers, there are no vulnerable ciphers loaded and available to use in TOS. 

 

 

 

When having users on a TufinOS, each user has an ID that can be checked in /etc/passwd, e.g.

# cat /etc/passwd | grep tufin-admin
tufin-admin:x:1000:1000::/home/tufin-admin:/bin/bash
#

If a user is added, ID1001 might be the ID for this new user. 
Checking system activity (e.g. with ps aux) might show this user quite active, even if not logged in. 

The reason for this effect is that TOS is running some processes with ID1001 - independently of "real usage" of this ID in /etc/passwd or not.
Processes using this ID are e.g. Java, MongoDB, Kafka, ... 

So don't wonder about users not logged in to CLI but using some resources, it's not an attack, but TOS working as designed by Tufin.