Tufin has released TOS R21-3, the third and final version of the Tufin Orchestration Suite of 2021.
TOS 21-3 is available as GA and can be downloaded from the Tufin Portal (login required) in its variants for TOS Classic and TOS Aurora.

TOS 21-3 is the last version for TOS Classic. It will be supported until the end of 2022.

This version delivers improvements, e.g.

Change Automation and Orchestration

  • Enhancements for Access Decommission
    This is supported now for Check Point R80 and Panorama.
    A new tab "Manage Related Rules" has been introduced
    as well as the option to disable and not only to remove rules.

  • Enhancements for Server Decommission and Server Cloning
    Decommission of subnets as well as IP address ranges is possible now.
    Cloning allows this kind of network objects also, including a move e.g. from a subnet to a host

 Application Driven Automation

  • SecureApp supports now User Identity
  • Application Identity is shown in Connection Status

Devices and Platforms

  • Microsoft Azure
    New supported management and firewall devices in Microsoft Azure:
    • Check Point CloudGuard Multi-Domain Server, Check Point Security Management, Check Point Gateway
    • Palo Alto Panorama and PanOS
    • Fortinet FortiManager and FortiGate
  • Fortinet
    FortiManager with Central NAT policies is supported by SecureTrack now
  • Intelligent Provisioning
    for Check Point R80 and Juniper SRX
  • New versions supported:
    • Cisco ACI 5.1
    • Cisco FMC 6.7
    • VMWare NSX-V 6.4.9
    • Forcepoint SMC 6.9 with API 6.8
    • Fortinet FortiManager 6.4.6

REST API

  • SecureTrack
    • Microsoft Azure Resouces can be imported
    • Support of "get license status"
  • SecureChange
    • Auditing of some actions is possible, e.g. LDAP or RADIUS server changes as well as changes in roles
    • Output of a list of active workflows, including name, description, and type

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

Tufin has released TOS R21-2, the second version of the Tufin Orchestration Suite of 2021.
TOS 21-2 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements, e.g.

Change Automation and Orchestration

  • Access Decommission is supported now for Cisco ASA, Fortinet Manager Advanced Mode, Forcepoint, VMware NSX, and Amazon AWS. For these supported devices the Designer determines which changes are necessary. Besides this, a detailed list of rules (and their information) impacted by this ticket can be extracted.
  • Rule comments now can be edited using the Designer using the WebUI or API. This is supported for Check Point R80, Cisco ASA, Juniper SRX, Palo Alto Panorama, and VMware NSX.
  • Change Automation for NSX-T allows detailed configuration of Security Groups using the WebUI or API.
  • Auditing SecureChange is possible now using the API. So changes to workflows are documented. It includes information about the user and the time changes were done.

Devices and Platforms

  • Check Point
    When analyzing traffic with the APG, now Check Point Inline Layers are supported.
  • Cisco
    Cisco Firewall Threat Defense (FTD) in Active Mode is supported when managed using the FMC.
  • F5
    The Interactive Map now supports paths that go through F5 devices which have SNAT Automap configured.
  • Fortinet
    FortiManager 6.4 is supported now. Regarding IPv6 a specific behavior needs to be considered.
  • Palo Alto
    IPsec VPN tunnels configured in Palo Alto gateways are now considered in SecureTrack Topology.
  • VMware NSX-T
    information about the rule direction has been added to the rules in SecureTrack and SecureChange to increase visibility.
  • VMware NSX-T
    NSX-T Security Groups have been improved, now showing dynamic group content based on matching criteria. For these, a search in SecureTrack Policy Browsers can be done. The information is also considered in Topology and Violation calculation.

Deployment

  • Administering licenses in SecureTrack has been improved. This includes details about the specific SKU attached to the device, its expiration date as well as a counter for expired licenses.

REST API

  • SecureChange Auditing
    The history of workflows now can be retrieved, so auditing the life cycle of a workflow is possible now.
  • Designer Suggestions
    Using the API, now security groups for VMware NSX can be specified.

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

 

Tufin has released TOS R21-1, the first version of the Tufin Orchestration Suite of 2021.

Please be aware that TOS 21-1 requires TufinOS 3.x, CentOS 7, or RHEL 7.

TOS 21-1 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements, e.g.

Change Automation and Orchestration

  • SecureChange can be integrated with SecureCloud now. Automated workflows that include Azure devices can be configured. Importing Azure ASG (Application Security Groups) is possible and therefore using automation tools of SecureChange (e.g. Auto-suggest target, Provisioning) is possible. Designer and Verifier can be used for on-prem devices.
  • When provisioning changes, the Designer of SecureChange used in an Access Request workflow can consider related tickets that might have an impact on the update. Related tickets can be considered when a redesign is done. 
  • The Interactive Map of SecureTrack now allows to add/modify generic devices such as L2 firewalls, generic interfaces, and generic VPN by right-clicking on the mouse.
  • The Interactive Map also supports IPv6 path analysis for generic devices now.
  • SecureTrack Interactive Map supports using LDAP groups in Source and Destination.
  • The Interactive Map allows viewing device data and calculation of paths having Amazon AWS devices included.

Devices and Platforms

  • Amazon AWS
    For Amazon AWS devices the Interactive Map can be used to view device data and paths included in these devices.
  • Check Point
    When using Inline Layers rules configured here, can now be viewed in Policy Browser. From here, SecureChange tickets for rule modification, rule recertification, and rule decommission can be opened.
    Check Point Cloud devices in NSX-T, ACI and AWS can be included in SecureTrack.
  • Cisco
    Support for Cisco IOS-XE routers and L3 devices
  • Juniper
    Juniper SRX is now supported to have IPv6 configuration in SecureTrack Topology.
  • Fortinet
    For Fortinet FortiManager SecureTrack now offers visibility for user IDs and rules on the devices' security rules, the global level, and Adom level.
  • Palo Alto
    Using Panorama allows the use of Shared Objects now in SecureChange. The Designer can be configured to use or create shared objects as part of the automation process.

REST API

  • Error handling
    • Code for unauthorized users has been set to 403 for SecureTrack and SecureChange
    • SecureTrack returns 503 if during synchronization another graph builder is running
  • Improvements for SecureTrack
    • Check Point R80 rule numbering has been improved
    • Getting IPv6 bindings is possible now
    • Mapping zones to device interfaces can be retrieved
    • Rule recertification can now be done via API
  • Improvements for SecureChange
    • Get Security Zone for Access Requests
    • Modify Expiration Date and Reference Ticket ID
    • API returns an error if a device contains multiple objects or services with the same name
    • Import validations added for Rule Modification
    • Support of Panorama tags for Designer

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

 

If you don't have upgraded now, you should consider not to wait too long. Reasons for upgrade are - new version with new features (ok, that's as always if a new version is released), but above all - upgrade of TufinOS to version 3.x based on CentOS 7. This is necessary because TufinOS 2.x is based on CentOS 6 which isn't supported any more since end of November 2020. Additionally, some security issues have been found in CentOS that are fixed inTufinOS 3.x, but will not be fixed for TufinOS 2.x due to EOL. So also this is a reason for upgrading soon.

All information about the upgrade can be found in the Tufin Portal.

 

Requirements for upgrading to TOS 20-2 and TufinOS 3.x are

  • TufinOS 2.21 or higher, or RHEL/CentOS 6
  • TOS R20-1 or R19-3 (any specific HF)
  • Postgres 11 (and not PostgreSQL 9.0 or 9.4)
    This upgrade is mostly done when upgrading to TufinOS 2.21

Be sure that the new server you will install the latest version of TufinOS has at least 500 GB Hard Disk and 16 GB RAM (even for lab installations). Both parameters are checked during the installation of TufinOS. Installation will stop when these requirements are not fulfilled. Anyway, you shold consider the hardware requirements published by Tufin when setting up a new server.

Before beginning the upgrade you need a new machine besides the existing machine. TufinOS as well as TOS will be installed on this new machine. Your configuration as well as data need to be copied to this machine also. Later on you can turn off the old server and change the IP addresses of the new server to the addresses of the old one.
If you don't have a new machine, you need a new hard disk that is going to be mounted to the existing server. All data are saved to this mount point, so they are available afterwards.

 

It's recommended that you follow the "Upgrade Assistance" published by Tufin. It's recommended to download an Upgrade Planner Application that needs to be exectured on each server any component of TOS is running on. Resullt of the execution is a JSON file with all relevant information about this specific installation. Throwing this file into the field of the page mentioned before will guide you to the correct and recommended upgrade procedure.

It's also possible to get upgrade information directly without running the Planner Application or other scripts. It's important to distinguish between the different installation types, e.g. "standalone", "with Distributed Archtecture" or "with High Availability Cluster". The recommended way is to use the Upgrade Assistant since in this case all information is transferred. It's the most safe way to upgrade. If you don't like it, you can also upgrade manually.

 

 

 

Tufin has released TOS R20-2, the second version of the Tufin Orchestration Suite of 2020.

Please be aware that TOS 20-2 requires TufinOS 3.x, CentOS 7, or RHEL 7. This has been pointed out before. More information about this process to be published here.

So a direct upgrade isn't possible. It's necessary to upgrade/reinstall the Operating System itself. This isn't the move to TOS 2.0, the new version Tufin is talking about a lot. TOS 2.0 is currently available for SecureTrack only. Upgrade tools point customers using SecureTrack only to this new version. If you upgrade, please consider the hardware requirements Tufin has published for the "old" TOS as well as for the "new" TOS.

TOS 20-2 is available as GA, delivering some improvements, e.g.

Change Automation and Orchestration

  • SecureChange offers "ticket references". So tickets can be combined and/or referenced. This might be useful if e.g. a rule is decertified and in the next step a Rule Decommissioning should start. Here, a link can be placed, showing to the first ticket.
  • When in a SecureChange Access Request "Risk Analysis" is done, only USPs in SecureTrack could be considered. Now, also results of an External Risk Analysis can be considered and shown to the corresponding user.

Security, Risk, and Compliance

  • The integration of Transparent Firewalls (working on layer 2 in bridge mode) needed extra tools. Now, they can be added using the WebUI of SecureTrack.
  • If a path is found in SecureTrack Interactive Map, the result can now be exported in a PDF file. This file includes all relevant information about devices involved, including corresponding rules. So here is more information as it is shown via a REST API call.
  • Searches in SecureTrack Interactive Map allow more than eight results now.

Devices and Platforms

  • Check Point - improvement of Rule Numbering when monitoring a CMA with Global Policies.
  • Cisco ACI - SecureTrack Path Analysis for simulation of paths to external IP addresses traveling via specific EPGs is possible now.
  • Fortinet - Support of IPv6 Path Analysis in SecureTrack Interactive Map, FQDN Object Automation in SecureChange and possibility for Global Level configuration. The last two points require a FortiManager.
  • Microsoft Azure - Support of SecureTrack Interactive Map
  • Palo Alto Networks Panorama - Besides predefined applications now also custom applications can be used in SecureChange Automation. Improvements for Device Monitoring are included as well as the possibility to add Panorama tags to new rules.
  • Support of additional devices and versions:
    • Check Point R80.40 (Check Point Management API v1.5 and v1.6)
    • Cisco ACI 4.2
    • Juniper SRX 19.4
    • Palo Alto PanOS 9.1
    • VMware NSX-T 2.5 and 3.0

REST API

  • Error Code For Unauthorized Users Changed to 403
  • Rule Numbering Enhancement for Check Point R80 Devices
  • Get IPV6 Binding
  • Get zone to interface mapping
  • Synchronize Topology Model API Enhancement
  • Rule Recertification - Update the Certification Status of SecureTrack Rules
  • Network Object and Service Name Verification
  • GET Security Zone for Access Requests
  • Panorama supported for Designer APIs
  • Expiration Date and Reference Ticket ID Can Be Modified
  • Input Validations Added to Rule Modification Fields

 

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

 

Tufin has released TOS R20-1, the first version of the Tufin Orchestration Suite in 2020. TOS 20-1 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • Improvement of Rule Modification Workflow
    This type of workflow has been introduced with R19-3. This version allows to create tickets to change Source and Destionation of an existing rule. With R20-1 now also Services can be added / changed / removed from a rule.
    Supported devices are Check Point R80, Cisco ASA, Cisco FMC, Palo Alto Panorama, and Juniper SRX.
  • Enhancements in SecureApp User Permissions
    More flexibility for roles and permissions in SecureApp, e.g. configuration whether users are allowed to use Server Resources in their Application Connections. Besides this, Tufin has enhanced the Security Segmentation if Interconnected Domains are configred.

Devices and Platforms

  • Support of IPv6 in Topology
    SecureTrack Topology supports IPv6, i.e. it can be used in the Interactive Map for e.g. paths and traffic simulation.
    Supported are currently Cisco IOS-XR, Check Point R80, and Fortinet FortiManager in Advanced Mode.
  • Fortinet IPv6 automation in non-topology mode
    If Topology isn't used in SecureChange (require e.g. manual Target selection), IPv6 objects in SecureChange Access Requests can be used in automation. So change processes can be automated working with IPv4 as well as IPv6 objects.
  • Enhancements for Licensing page
    Some improvements have been implemented to deliver more clarity regarding available and bound licenses.
  • Cisco FMC Zones Support - Automation
    For Cisco Firepower Management Center (FMC) devices in non-topology mode specific zone-to-zone mapping can be chosen in SecureChange Access Requests. This can also be used in automated changes.
  • Cisco Firepower Rule and Object Usage
    The enhanced rule usage capabilities and features in SecureTrack can now be used for FMC devices, i.e. metadata for rules are calculated and shown in Policy Browser.
  • Palo Alto Panorama Dynamic Address Group (DAG) support with Tags
    The content of Dynamic Access Groups based on Panorama Tags can be shown in SecureTrack, improving visibility and traffic analysis (also in Topology).
  • Hashicorp Vault Support for Amazon AWS
    This option can be used to store Amazon AWS authentication credentials and to provide tight access control to the AWS. Instead of connecting directly to the AWS, SecureTrack can receive a token for authentication and communication with the AWS device.
  • Support of additional devices and versions
    • Check Point R80.40, supporting Check Point API version 1.5
    • Cisco Firepower Management Center (FMC) 6.5
    • Forcepoint SMC 6.5.10
    • F5 BIG IP 14.1
    • Palo Alto PanOS firewall version 9.1
    • Palo Alto Panorama version 9.0.4, 9.1
    • VMware NSX-V version 6.4.6

REST API

  • Management of Generic Interfaces, Generic Routes, and Generic VPN
    New API calls are available, supporting full functionality - e.g. get Generic Interface by ID, get Generic Interfaces for a device, get Generic Route by ID, get Generic Routes for a device, get Generic VPN by ID, get Generic VPNs for a device.
  • Management of Device Connections for Firewalls in Transparent Mode
    Managing L2 Firewalls is now integrated and possible using REST API.
  • Management of Ignored Interfaces
    It's possible to exclude selected Interfaces from SecureTrack Topology. They can now being managed using REST API.
  • Device Interfaces and Domains
    When working with Domains in SecureTrack, now REST API can be used to associate an interface óf a device with a Domain ID.
  • Cloud Management
    The Interactive Map uses Clouds in some situations. Now the management of Joining Clouds can be done via REST API.
  • Enhancements of User Management
    Management of SecureChange and SecureApp users is enhanced when REST API is used, esp. management of Groups.
  • Rule Modification Workflow
    As shown above, Service can now be changed for a rule. This can also be done with REST API.
  • Ticket Search in SecureChange
    Pagination can now be used in REST API to shorten response time and to limit the amount of data returned by rule search APIs.

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com