Tufin has just released TOS R19-3, the third and final version of the Tufin Orchestration Suite in 2019.
TOS 19-3 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • Rule Modification Workflow
    With this workflow it's possible to modify the fields Source and Destination within an existing rule. Here new as well as existing objects can be added or removed. This feature is fully integrated in SecureTrack Policy Browser and delivers full API support
    Supported devices are Check Point R80, Cisco FMC, Palo Alto Panorama, Cisco ASA, and Juniper SRX
  • Group Ticket Notifications
    Teams can work better now with this feature. The requester of a ticket can now specify a group of users that will receive all E-Mail notifications
  • Palo Alto Panorama FQDN Objects in Access Request
    FQDN can be used now, so it's no more necessary to convert names to IP addresses when used in an Access Request
  • Check Point R80 - Support of IPv6 addresses
    Access Requests now can use IPv6 addresses in source and/or destination. This is true for new as well as existing rules. Besides this, also new IPv6 objects can be created. Manual Target Selection in SecureChange is required

Devices and Platforms

  • Check Point R80 syslog
    Usually, Check Point Log/Management Servers deliver their logs to SecureTrack using LEA. If wanted, now these logs also can be sent by syslog to SecureTrack
  • Cisco ACI Visibility
    The ACI policy is now shown in SecureTrack, including EPGs, VRFs, Contracts, Subjects, ... So an instant view of policy details is possible
  • Cisco ACI Path Analysis
    ACI devices are included in SecureTrack Topology, so the traffic flow in and out of the ACI device is shown
  • Cicso FMC Visibility
    Now FMC zones are shown in retrieved FMC rules, e.g. in Policy Prowser, View Policy etc.
  • Forcepoint
    Improvements regarding speed of revision retrieval
  • PAN Panorama syslog
    Panorama can be configured now to send syslog by TCP/TLS instead of UDP
  • PAN Panorama Device Groups
    Panorama Device Groups (DG) can now be migrated to non-default SecureTrack domains from any level in the group hierarchy, improving management of Domains
  • VMware NSX-T
    SecureTrack and Secure Change now support NSX-T. It includes Change Tracking, Clean Up, Violations, Policy Browser, Reports, Topology, etc.

REST API

  • Check Point R80
    • Adding or Updating Managed Devices (CMA or SMC) via API
    • Adding new device (CMA or SMC) via API
  • Palo Alto Panorama
    • Support of URL Filtering using API
  • SecureChange Designer
    • Enhancements for Set Rule location via API
  • Rule Modification Workflow
    • Support of many features regarding the Rule Modification Workflow via API
  • SecureApp
    • Getting Application Interfaces is possible now using API

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

Tufin has released R19-2, the second version of the Tufin Orchestration Suite in 2019. TOS 19-2 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • SecureChange
    Enhancements for the "Clone Server Policy" Workflow. They include zero-touch automation for Designer, Policy Update and Commit Policy Changes for all supported devices. Addtionally, support for NSX-V has been added.
  • SecureChange
    The Desgner now can be configured to implement changes in Access Requests as before (optimized policy), but also to implement each Access Request in separate rules. On demnad, this can also be requested by users.
  • SecureChange
    The Workflow "Modify Group" supports now Check Point objects with dual stack (IPv4 / IPv6)
  • SecureTrack, SecureChange
    Support of Fortinet Web Filter allows more visibility on rules that have configured it. So auditing is improved. End-to-End change automation is possible for current and Next Generation Fortinet configurations.
  • SecureChange
    Support of Dual Stack Objects (IPv4/IPv6) in Modify Group Workflow for Check Point R80
  • SecureChange
    Requester Notifications can be sent to AD groups, not only to individuals

Security, Risk and Compliance

  • SecureTrack, SecureChange
    Updated NextGen Applications Library for Palo Alto.
  • SecureTrack
    Improved Troubleshooting using advanced path analysis queries that contain multiple IP addresses
  • SecureTrack, SecureChange
    Protection against CSRF (Cross-Site Request Forgery) attacks (not currently supported for Microsoft Internet Explorer 11)

 Devices and Platforms

  • SecureTrack
    Support of Cisco ACI regarding "Enhanced Visibility", "Enhanced Topology Modeling", and "Risk Assessment".
  • SecureTrack
    Support of Palo Alto Panorama High Availability
  • SecureTrack
    Suppport of Palo Alto Panoramy External Dynamic List (EDL) Support
  • SecureTrack
    Support of Palo Alto Fully Qualified Domain Names
  • SecureTrack, SecureApp
    Policy Browser allows mapping of SecureApp Connections to rules for Cisco FMC, Fortinet FortiManager, and Palo Alto Panorama in Advanced Mode
  • SecureTrack
    Support of Check Point CloudGuard for Azure
  • Support of new devices:
    • Cisco Firepower Management Center (FMC) 6.3
    • Cosco ASA 9.13 beta

REST API

  • Improvements for SecureTrack
    • Automatic onbording of Management Devices via API has been added for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA including import/update of virtual contexts
    • Adding / Updating of single or multiple devices is possible now for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA including import/update of virtual contexts
  • Improvements for SecureTrack/SecureChange
    • Support for Palo Alto Panorama External Dynamic List (EDL) data has been added
  • Improvements for SecureChange
    • The results for the Clone Server Policy can be retrieved via API
  • Improvements for SecureTrack/SecureChange/SecureApp
    • The serialization implementation for JSON is now complete for all SecureTrack, SecureChange and SecureApp REST APIs.

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin has released R19-1, the first version of the Tufin Orchestration Suite in 2019. TOS 19-1 is available as GA now, delivering some improvements, e.g.

  • Interactive Map of SecureTrack allows to save queries now. This allows administrators to save the most important path queries and to re-use them again
  • SecureApp has been optimized for color-blind access. It's compatible with corresponding industry standards now.

Change Automation and Orchestration

  • SecureChange
    Clone Server Policy Workflow allows easy duplication of access permissions when new servers are introduced. This might also help when a server is moved from one address to another.
    Supported platforms are Cisco ASA, Cisco Firepower, Check Point R80 (CMA, SmartCenter, MDS), Fortinet FortiManager advanced and Palo Alto Panorama advanced
  • SecureChange
    Enhanced sorting of selections when adding or removing components. This might help e.g. when an assingment to some users / groups is done. The box for selecting / deselecting them can be sorted not only by name but also by "add" or "clear". This is relevant for "Access Request" and "Clone Server Policy" workflows.

Security, Risk and Compliance

  • SecureTrack, SecureChange
    Map Ticket to Rule is a new feature that maps a fully or paritally implemented ticket to rules. This mapping is based on results of the Verifier.
  • SecureChange
    Enhancements for "Legacy Rules". The Designer now places changes above a legacy rule now only if the legacy rule traffic intersects the Access Request traffic. Until now, this was done always.
  • SecureTrack
    Enhanced USP allows to automatically trigger a violation for IP addresses that are not explicitely included in any USP. They can easily be added to relevant zones.
  • SecureTrack
    A new network zone called "Unassociated Networks" is predefined. It includes all private IP addresses that are not defined in any other zone. This is the "private equivalent" to the predefined zone "Internet". It's used in SecureTrack as well as SecureChange and SecureApp.

 Devices and Platforms

  • SecureTrack
    NAT support for Palo Alto Panorama advanced to track changes on NAT rules
  • SecureTrack
    URL Filtering Support for Palo Alto Panorama advanced to track changes in URL Category
  • SecureTrack
    Cisco Nexus VXLAN Routing Support is implemented now and shown in the Interactive Map
  • SecureTrack
    Routes configured in Juniper MX Router Devices can be selected now, i.e. if there are many dynamic routes specific networks and routes can be added / deleted which might increase router performance
  • SecureChange
    "Server Decommission" is supported now for Global Objects defined in Check Point MDS
  • Support of new devices:
    • Check Point R80.20 (Check Point API version 1.1)
    • Forcepoint SMC 6.5 (SMC API version 6.4)
    • Fortinet FortiManager 6.0.2

REST API

  • Improvements for SecureTrack
    • Unified Returned JSON Array Format is completed now
    • Panorama Firewall Name to Rule- and Policy-related API (PolicyTargetDTO)
    • Adding Devices via API is possible now (for Check Point R77, Cisco ASA without Virtual Contexts, more to follow)
    • Get Panorama URL Categories
    • Compare Traffice Between Devices
    • Service Object Search
    • Modify Unified Security Policy via API is possible now
  • Improvements for SecureChange
    • Clone Server Policy Request DTO
    • Reject Ticket via API
    • Map Rules to Ticket

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin has released R18-3, the third version of the Tufin Orchestration Suite in 2018. TOS 18-3 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • SecuerChange
    Remove Access for VMware NSX. This kind of Workflow is available for NSX now.
  • Secure Change
    Modify Group Automation for Palo Alto Panorama Shared Objects
  • SecureChange
    Server Decommission Automation, now supported for Palo Alto Panorama Shared Objects and Cisco Firepower Management Console (FMC)
  • SecureChange
    Change Automation Enhancements for Cisco Firepower, now supporting workflows "Allow Access", "Modify Group", "Server Decommission", "Rule Decommission", and "Rule Recertification"
  • SecureChange
    Action "Commit Now" is possible in an automatic step in workflows "Access Request", "Modify Group", "Access Request and Modify Group", and "Rule Decommision" for these Devices: Palo Alto Panorama Advanced Management Mode, Fortinet FortiManager Advanced Management Mode, Check Point CMA R80. Check Point MDS R80 is only supported for "Modify Group"

Security, Risk and Compliance

  • SecureTrack
    Rule Change and Object Change Reports for Palo Alto Panorama Device Groups for Advanced Management Mode and FortiManager ADOM Policies when configured for Advanced Management Mode.
  • SecureTrack
    Enhanced Unified Security Policy (USP) Risk Analysis, e.g. configuration of Default Behavior when an IP address is not covered in the USP

Devices and Platforms

  • SecureTrack
    Fortinet FortiManager Rule Name support for FMG version 5.4 and above
  • SecureTrack
    Syslog support for Check Point R77, so traffic and audit logs can be received using LEA or syslog
  • SecureTrack
    External syslog support for VMware NSX, support of vRealize Log Insight
  • SecureTrack
    Cisco Firepower revision changes support
  • SecureTrack
    Policy-based routing (PBR) and related ACL rules support for Cisco IOS routers in the Interactive Map
  • Support of new devices
    • Cisco ASA 9.9
    • Check Point R80.20 (EA)
    • Palo Alto PanOS 8.1

REST API

  • Improvements for SecureTrack
    • Unified Returned JSON Array Format - continued
    • New Change Windows APIs
    • Get General SecureTrack Properties
    • Enhanced API for retrieving subnet information
    • Restricted pagination for Rule Search API
    • Enhanced API for Monitored Devices
    • Service Search
    • Retrieve suggested targets for an access request
  • Improvements for SecureChange
    • Commit Results
    • Modify Designer suggestion

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

Tufin has released R18-2, the second version of the Tufin Orchestration Suite in 2018. TOS 18-2 is available as GA now, delivering some improvements, e.g.

Cloud

  • SecureTrack
    Automatically Onboard AWS VPCs
    VPCs are automatically detected now, which covers adding or removing them.

Security Policy Change Automation and Orchestration

  • SecureChange
    Commit Policy Changes. Using this function, policies are pushed from the Management Server to the Firewalls using the Designer. Supported for Check Point, Palo Alto and Fortinet
  • SecureTrack, SecureChange
    The feature Change Windows allows to schedule time slots for committing policies from Management Server to Firewalls, including new report features
  • SecureChange
    Customizable Rule Names for FortiManager allow to define a rule name directly from the SecureChange Designer when changes are implemented.
  • SecureChange
    Change Automation Enhancements for Cisco Firepower allow to implement changes of the security policy automatically.

Devices and Platforms

  • SecureTrack
    Inline Layer Support for Check Point R80.10
  • SecureTrack
    Migrate or Delete Multiple Devices for some Cisco and Check Point Devices using “Device Bulk Tasks”
  • Support of new devices
    • VMware NSX 6.4.0
    • Cisco ASA 9.8
    • Fortinet FortiManager 5.6.3
    • Fortinet FortiGate 5.4.7 and 5.6.3
    • Forcepoint SMC 6.4
    • Palo Alto Panorama 8.1

REST API

  • Improvements for SecureTrack/SecureChange/SecureApp
    Upgrades of REST API Stanadard (JAX_RS) from 1.1 to 2.1, compliant with Java EE8 Apache CXF (which implements JAX_RS 2.1) upgraded from 2.6.16 to 3.2.1
  • Improvements for SecureTrack
    • Unified Returned JSON Array Format for these APIs:
      Get devices, Get device by Id, Add offline device, Update offline device, Get rules by device, Get specific rule, Rule Search APIs
    • Generic Devices APIs:
      Fully manage adding, deleting, or modifying generic devices to the Interactive Map via the REST APIs. New argument “update_topology”.
    • Sync Topology APIs
      Synchronization of Interactive Map by “Fast Topology Sync” or “Full Topology Snyc”
    • Generic VPN connections API
      Retrieval of a list of generic VON in the Topology Map
    • Check Point Inline Layer Support
      Parameter “include_subpolicy” allows support of this mode
    • Additional Data Returned for Check Point Devices
      API responses for “get devices”, “installed_policy” and “parent_id"
    • Filtering Service Group Members
      Optional parameter “show_members” with more information
    • Support for Pagination in USP Exceptions
      Better management of a large number of USP Exceptions
    • Retrieve Domains from SecureTrack
      New “Synchronize Domains” API retrieves all domains from SecureTrack, also synchronizing SecureChange Domains

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin has released the first version of the Tufin Orchestration Suite in 2018: R18-1. TOS 18-1 is available as GA now, delivering some improvements, e.g.

Cloud

  • SecureTrack
    Support of AWS AssumeRole as part of the AWS Security Token Service
  • SecureTrack
    Support of the latest Microsoft Azure SDK 1.2.0

Security Policy Change Automation and Orchestration

  • SecureTrack, SecureChange
    Rule Recertification Automation by a specific workflow
  • SecureTrack, SecureChange
    Cisco Firepower Automation (including Target Suggestion, Risk Analysis, Designer and Verifier)
  • SecureChange
    New Workflow Customization Triggers (e.g. when Automatic Step fails, Pre-Assignment Script)
  • SecureChange
    Enhancements for Manual Target Selection
  • SecureTrack, SecureChange
    Stealth Rule is considered now by Designer

Security, Risk, and Compliance

  • SecureTrack
    Automatic Policy Generator (APG) for Palo Alto Panorama and Fortinet FortiManager

Devices and Platforms

  • SecureTrack
    Dynamic Routing Support for Palo Alto and Fortinet
  • SecureTrack, SecureChange
    Extended Generic NAT for Palo Alto
  • SecureTrack, SecureChange
    Topology Support for Cisco Firepower
  • Support of new devices
    • Fortinet FortiManager 5.4.4
    • Fortinet FortiGate 5.2.11
    • F5 13.0
    • Cisco Security Manager 4.15
    • Cisco Firepower 6.2.3
    • Microsoft Azure SDK 1.2.0

REST API

  • Improvements for SecureTrack
    • Parameter show_members for Network Object APIs
    • Network Topology APIs for NSX
    • Retrieve Total Available Records
    • Offline Device APIs
  • Improvements for SecureChange
    • new Tickets API - Confirm

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com