Tufin has released TOS R22-2, the second version of the Tufin Orchestration Suite of 2022.
TOS R22-2 is available as GA and can be downloaded from the Tufin Portal (login required).
Since the support of TOS Classic provided by Tufin ends within the next weeks, this version is available for TOS Aurora only. Some improvements of TOS Aurora R22-2:

Change Automation and Orchestration

  • SecureChange
    The Designer results include now not only the recommendations for rules but also the Access Request.

  • SecureChange
    If an auto-step with provisioning fails due to ticket dependencies, a new run of the Designer is needed. Then, the auto-step could be tried again. Now, the Designer can be run in this auto-step for provisioning to consider the latest changes.

  • SecureChange
    IPv6 Addresses can now be used in automation, e.g. Target selection, Designer, and Verifier. This is possible when Check Point R8x or FortiManager is used.

  • SecureChange
    In Rule Decommission workflows, now Designer and Provisioning can be split into separate (manual/automatic) steps.

  • SecureChange
    The Rule Decommission workflow now allows the dynamic assignment of steps using a script if the criteria for the assignment are e.g. too complex.

  • SecureChange
    If SecureChange is configured in "Interconnected Domains" mode, now Risk Analysis is possible in Access Requests, even if there are overlapping IP addresses in different Domains. In this case, a flag needs to be set in SecureTrack.

  • SecureChange (Palo Alto Panorama)
    The Designer can be customized to automatically add access to either the pre- or post-sections on Panorama devices per device group or globally.

  • SecureChange (Palo Alto Panorama)
    The Designer can be customized to create new rules with a custom log forwarding profile automatically.

  • SecureChange (Palo Alto Panorama, FortiManager)
    The Designer can now be customized to automatically create new rules with custom security profile groups. Such a custom security profile group is available for different Panorama device groups or FortiManager Administrative Domains.

  • SecureChange (Cisco ASA)
    The Designer now can automatically create network and service objects instead of adding them inline into rules and groups. Possible for Access Request workflow and Clone Network Object workflow.

  • SecureChange
    Access Requests allow to use now User Identity (i.e. add LDAP group in Source) independently of the Topology Mode (on or off).

Devices and Platforms

  • Microsoft Azure
    The Azure Firewall Policy Network and Application Rules are now fully integrated into the Rule Viewer.

  • Microsoft Azure
    The Topology now shows matching rules when running a path analysis on the Map.
  • Microsoft Azure
    The Topology now supports Azure Load Balancers which are integrated here now.
  • Fortinet
    Support of Fortinet SD-WAN for Topology and Policy Visibility. 

  • Fortinet
    Support of IPsec VPN configured in FortiGate devices that are managed by a FortiManager - they are modeled in the Topology now.

  • Forcepoint
    The Stonesoft rules are now shown in Rule Viewer.

  • New version support: Tufin TOS now supports
    • Check Point R81.20
    • Cisco ISO-SE - 17.7.1, IOS-XR - 7.5.1, IOS - 15.9.3M4
    • F5 BIG-IP v16.1.2
    • Forcepoint Stonesoft SMC - 6.10.7
    • Fortinet FortiManager 7.2
    • Juniper SRX 22.1R1

Security, Risk, and Compliance

  • SecureTrack
    Shadowing Rules are integrated and displayed in Rule Viewer, making the review of rule bases easier.

Deployment and Monitoring

  • Backup of Tufin Orchestration Suite
    • Backup files now can be stored directly on external S3 storage services. These storage providers are supported: AWS S3 Storage, AWS Blog Storage, Google Storage, and Minio S3 compatible storage.
    • The expiration dates of backups now can be modified, so backup files can be kept for a longer time.

  • Clustering TOS Aurora is possible for the case of disaster, i.e. running TOS on two different sites is possible when using the same S3 compatible external cloud storage service for backup files. The standby cluster can be switched to active in case of failure of the first one. The TOS is restored from the latest backup file.

  • RADIUS Authentication and Authorization can be configured to run automatically on SecureTrack. So there is no more a need to manually define and manage each SecureTrack user accessing SecureTrack. To implement this, a Vendor Specific Attribute (VSA) is used.

Help and Training

  • The "Help function" is extended and includes now a direct link to Tufin Training videos on YouTube.

  • The TOS version is now also displayed in the SecureChange Help menu.


  • SecureTrack
    The Rule Information now includes the Palo Alto Panorama UUID
  • SecureChange
    The API call "GET Domains" returns now the Domain Description allowing consideration of different domains.
  • SecureChange
    Script Triggers for Workflow events (get, create, update) can also be used for Marketplace Apps now.
  • SecureChange
    The priority of a ticket can now be updated using a script.
  • SecureChange
    If steps are "self assigned" to groups, a list of users shows potential handlers (candidates). This information can now be used in scripts.
  • SecureChange
    When using GET to get information about users / IDs, now the user name is also returned by this call.


If you are using SecureTrack reports, please find a list of depreciated reports that are removed with R22-2 here.

Further improvements, as well as corrections, are included in R22-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com





Tufin has released TOS R22-1, the first version of the Tufin Orchestration Suite of 2022.
TOS R22-1 is available as GA and can be downloaded from the Tufin Portal (login required).

Please be aware that R22-1 is available for TOS Aurora only (!).
TOS Classic is supported until the end of 2022, but with the release TOS R21-3

R22-1 delivers some improvements, e.g.

Change Automation and Orchestration

  • SecureApp
    Full Support of Tufin SecureApp in TOS Aurora as it has been supported in TOS Classic.

  • Check Point Inline Layers
    Starting with this version, SecureChange supports Check Point Inline Layers for Access Requests. This support includes the ability to add, edit and delete Inline Layer rules in Access Request Workflows.

  • Palo Alto Panorama Application Automation
    Now it is possible to enter applications in Path Analysis of SecureTrack or Access Request of SecureChange without being bound to Default Ports.

Devices and Platforms

  • Microsoft Azure
    Firewalls of Microsoft Azure are supported now. The support includes visibility of rule collections, NAT, network/application rules, and more. Changes are documented in SecureTrack as they are for other firewall vendors. The integration also includes the Topology Map.

  • Check Point / Fortinet
    For these vendors are Wildcard objects supported now for policy view and comparing policies. So the search in Rule Viewer might be easier, too. Besides SecureTrack, also SecureChange supports Wildcard objects in workflows, e.g. Access Requests, Server Decommission, or Server Clone.

  • Tufin API
    It is possible to add and/or edit Cisco routers using an API.

  • Juniper MX
    Using the Rule Viewer is possible for Juniper MX, as the use of USP violations is.

Security, Risk, and Compliance

  • Using a Vault Server
    Administrators have the option to store access credentials using a CyberArk vault server. This is possible for selected devices (Fortinet FortiManager, Palo Alto Panorama, Check Point (SmartCenter, CMA, MDS), Cisco ASA, and Juniper SRX). After establishing a connection between SecureTrack and the vault server, any access to the device (e.g. revision retrieval, dynamic topology, provisioning) is authenticated using this connection.

  • Rule Viewer
    The search capabilities of the SecureTrack Rule Viewer allow very complex queries. It is possible to save and reuse Rule Viewer queries now.

  • New Dashboard Widgets
    For Cleanup Candidates and Rules with Violations new widgets have been introduced. They allow having a look at trends regarding these topics.

Deployment and Monitoring

  • Single Sign-On for TOS
    It has taken a long, long time - now Single Sign-On (SSO) is possible for SecureTrack and SecureChange. So a user can log in at SecureTrack and is authenticated for SecureChange also (if the user is allowed to log in on both systems). This option is available for LDAP, RADIUS, TACACS+, SAML, and local authentication. Using SAML LDAP allows two-factor authentication.

  • TOS Monitoring using SNMP
    It is possible to use SNMPv3 for TOS Monitoring. SNMPv3 Traps are supported as well as SNMPv3 Walk/Get.

  • TOS Monitoring improved
    The monitoring allows now to check the Database status as well as the Deployment status (HA Mode only).

  • High Availability for TOS Aurora
    TOS Aurora now supports High Availability mode, i.e. machines can be configured to work as a HA Cluster to improve availability.

GraphQL API (get further information about this API here)

  • SecureTrack
    Rule Queries can be saved and reused. Administrators can publish them to all users. The SecureTrack API offers new options now: Create a new query, Edit a query, Delete a query, and Change the query owner.

  • SecureTrack
    Trends for Cleanup Candidates and Rules with Violations can be requested using the SecureTrack API. It is possible to consider the type of metric, the time span, and the domains that are queried.

  • SecureTrack
    A search for Network Objects is possible. Network Objects can be any group that is defined by a device in an environment. This can include host machines, VMs, or ranges of IP addresses. They can be filtered by name, type, vendor, and state.


  • SecureTrack
    For Cisco devices, the Device bulk API can be used. Enhanced POST is possible for adding new Cisco routers (IOS and IOS XE), Cisco XR, and Nexus devices.

  • SecureTrack
    SecureApp Applications can be mapped to Rules in Rule Viewer. So it is possible to e.g. get all SecureApp applications that are mapped to a specific rule.

  • SecureChange
    Using API it is possible to do actions on ticket attachments. These include the creation of a ticket with attachment, adding attachments to an existing ticket as well as downloading or removing attachments from a specific ticket.

  • SecureChange
    Customized script triggers based on SecureChange workflow trigger events can be used.

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com




Tufin has released TOS R21-3, the third and final version of the Tufin Orchestration Suite of 2021.
TOS 21-3 is available as GA and can be downloaded from the Tufin Portal (login required) in its variants for TOS Classic and TOS Aurora.

TOS 21-3 is the last version for TOS Classic. It will be supported until the end of 2022.

This version delivers improvements, e.g.

Change Automation and Orchestration

  • Enhancements for Access Decommission
    This is supported now for Check Point R80 and Panorama.
    A new tab "Manage Related Rules" has been introduced
    as well as the option to disable and not only to remove rules.

  • Enhancements for Server Decommission and Server Cloning
    Decommission of subnets as well as IP address ranges is possible now.
    Cloning allows this kind of network objects also, including a move e.g. from a subnet to a host

 Application Driven Automation

  • SecureApp supports now User Identity
  • Application Identity is shown in Connection Status

Devices and Platforms

  • Microsoft Azure
    New supported management and firewall devices in Microsoft Azure:
    • Check Point CloudGuard Multi-Domain Server, Check Point Security Management, Check Point Gateway
    • Palo Alto Panorama and PanOS
    • Fortinet FortiManager and FortiGate
  • Fortinet
    FortiManager with Central NAT policies is supported by SecureTrack now
  • Intelligent Provisioning
    for Check Point R80 and Juniper SRX
  • New versions supported:
    • Cisco ACI 5.1
    • Cisco FMC 6.7
    • VMWare NSX-V 6.4.9
    • Forcepoint SMC 6.9 with API 6.8
    • Fortinet FortiManager 6.4.6


  • SecureTrack
    • Microsoft Azure Resouces can be imported
    • Support of "get license status"
  • SecureChange
    • Auditing of some actions is possible, e.g. LDAP or RADIUS server changes as well as changes in roles
    • Output of a list of active workflows, including name, description, and type

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com





Tufin has released TOS R21-2, the second version of the Tufin Orchestration Suite of 2021.
TOS 21-2 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements, e.g.

Change Automation and Orchestration

  • Access Decommission is supported now for Cisco ASA, Fortinet Manager Advanced Mode, Forcepoint, VMware NSX, and Amazon AWS. For these supported devices the Designer determines which changes are necessary. Besides this, a detailed list of rules (and their information) impacted by this ticket can be extracted.
  • Rule comments now can be edited using the Designer using the WebUI or API. This is supported for Check Point R80, Cisco ASA, Juniper SRX, Palo Alto Panorama, and VMware NSX.
  • Change Automation for NSX-T allows detailed configuration of Security Groups using the WebUI or API.
  • Auditing SecureChange is possible now using the API. So changes to workflows are documented. It includes information about the user and the time changes were done.

Devices and Platforms

  • Check Point
    When analyzing traffic with the APG, now Check Point Inline Layers are supported.
  • Cisco
    Cisco Firewall Threat Defense (FTD) in Active Mode is supported when managed using the FMC.
  • F5
    The Interactive Map now supports paths that go through F5 devices which have SNAT Automap configured.
  • Fortinet
    FortiManager 6.4 is supported now. Regarding IPv6 a specific behavior needs to be considered.
  • Palo Alto
    IPsec VPN tunnels configured in Palo Alto gateways are now considered in SecureTrack Topology.
  • VMware NSX-T
    information about the rule direction has been added to the rules in SecureTrack and SecureChange to increase visibility.
  • VMware NSX-T
    NSX-T Security Groups have been improved, now showing dynamic group content based on matching criteria. For these, a search in SecureTrack Policy Browsers can be done. The information is also considered in Topology and Violation calculation.


  • Administering licenses in SecureTrack has been improved. This includes details about the specific SKU attached to the device, its expiration date as well as a counter for expired licenses.


  • SecureChange Auditing
    The history of workflows now can be retrieved, so auditing the life cycle of a workflow is possible now.
  • Designer Suggestions
    Using the API, now security groups for VMware NSX can be specified.

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com






Tufin has released TOS R21-1, the first version of the Tufin Orchestration Suite of 2021.

Please be aware that TOS 21-1 requires TufinOS 3.x, CentOS 7, or RHEL 7.

TOS 21-1 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements, e.g.

Change Automation and Orchestration

  • SecureChange can be integrated with SecureCloud now. Automated workflows that include Azure devices can be configured. Importing Azure ASG (Application Security Groups) is possible and therefore using automation tools of SecureChange (e.g. Auto-suggest target, Provisioning) is possible. Designer and Verifier can be used for on-prem devices.
  • When provisioning changes, the Designer of SecureChange used in an Access Request workflow can consider related tickets that might have an impact on the update. Related tickets can be considered when a redesign is done. 
  • The Interactive Map of SecureTrack now allows to add/modify generic devices such as L2 firewalls, generic interfaces, and generic VPN by right-clicking on the mouse.
  • The Interactive Map also supports IPv6 path analysis for generic devices now.
  • SecureTrack Interactive Map supports using LDAP groups in Source and Destination.
  • The Interactive Map allows viewing device data and calculation of paths having Amazon AWS devices included.

Devices and Platforms

  • Amazon AWS
    For Amazon AWS devices the Interactive Map can be used to view device data and paths included in these devices.
  • Check Point
    When using Inline Layers rules configured here, can now be viewed in Policy Browser. From here, SecureChange tickets for rule modification, rule recertification, and rule decommission can be opened.
    Check Point Cloud devices in NSX-T, ACI and AWS can be included in SecureTrack.
  • Cisco
    Support for Cisco IOS-XE routers and L3 devices
  • Juniper
    Juniper SRX is now supported to have IPv6 configuration in SecureTrack Topology.
  • Fortinet
    For Fortinet FortiManager SecureTrack now offers visibility for user IDs and rules on the devices' security rules, the global level, and Adom level.
  • Palo Alto
    Using Panorama allows the use of Shared Objects now in SecureChange. The Designer can be configured to use or create shared objects as part of the automation process.


  • Error handling
    • Code for unauthorized users has been set to 403 for SecureTrack and SecureChange
    • SecureTrack returns 503 if during synchronization another graph builder is running
  • Improvements for SecureTrack
    • Check Point R80 rule numbering has been improved
    • Getting IPv6 bindings is possible now
    • Mapping zones to device interfaces can be retrieved
    • Rule recertification can now be done via API
  • Improvements for SecureChange
    • Get Security Zone for Access Requests
    • Modify Expiration Date and Reference Ticket ID
    • API returns an error if a device contains multiple objects or services with the same name
    • Import validations added for Rule Modification
    • Support of Panorama tags for Designer

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com






If you don't have upgraded now, you should consider not to wait too long. Reasons for upgrade are - new version with new features (ok, that's as always if a new version is released), but above all - upgrade of TufinOS to version 3.x based on CentOS 7. This is necessary because TufinOS 2.x is based on CentOS 6 which isn't supported any more since end of November 2020. Additionally, some security issues have been found in CentOS that are fixed inTufinOS 3.x, but will not be fixed for TufinOS 2.x due to EOL. So also this is a reason for upgrading soon.

All information about the upgrade can be found in the Tufin Portal.


Requirements for upgrading to TOS 20-2 and TufinOS 3.x are

  • TufinOS 2.21 or higher, or RHEL/CentOS 6
  • TOS R20-1 or R19-3 (any specific HF)
  • Postgres 11 (and not PostgreSQL 9.0 or 9.4)
    This upgrade is mostly done when upgrading to TufinOS 2.21

Be sure that the new server you will install the latest version of TufinOS has at least 500 GB Hard Disk and 16 GB RAM (even for lab installations). Both parameters are checked during the installation of TufinOS. Installation will stop when these requirements are not fulfilled. Anyway, you shold consider the hardware requirements published by Tufin when setting up a new server.

Before beginning the upgrade you need a new machine besides the existing machine. TufinOS as well as TOS will be installed on this new machine. Your configuration as well as data need to be copied to this machine also. Later on you can turn off the old server and change the IP addresses of the new server to the addresses of the old one.
If you don't have a new machine, you need a new hard disk that is going to be mounted to the existing server. All data are saved to this mount point, so they are available afterwards.


It's recommended that you follow the "Upgrade Assistance" published by Tufin. It's recommended to download an Upgrade Planner Application that needs to be exectured on each server any component of TOS is running on. Resullt of the execution is a JSON file with all relevant information about this specific installation. Throwing this file into the field of the page mentioned before will guide you to the correct and recommended upgrade procedure.

It's also possible to get upgrade information directly without running the Planner Application or other scripts. It's important to distinguish between the different installation types, e.g. "standalone", "with Distributed Archtecture" or "with High Availability Cluster". The recommended way is to use the Upgrade Assistant since in this case all information is transferred. It's the most safe way to upgrade. If you don't like it, you can also upgrade manually.