Tufin has released TOS R21-1, the first 2021 release of the Tufin Orchestration Suite.

Please be aware that TOS 21-1 requires TufinOS 3.x, CentOS 7, or RHEL 7.

TOS 21-1 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements including the following:

Change Automation and Orchestration

  • SecureChange can now be integrated with SecureCloud, and automated workflows that include Azure devices can be configured. Azure ASGs (Application Security Groups) can be imported, which makes the automation tools of SecureChange (e.g. Auto-suggest target, Provisioning) available for them. Designer and Verifier can be used for on-prem devices.
  • When provisioning changes, the Designer of SecureChange used in an Access Request workflow can consider related tickets that might have an impact on the update. Related tickets can also be considered when a redesign is done.
  • The Interactive Map of SecureTrack now allows adding and modifying generic devices such as L2 firewalls, generic interfaces, and generic VPN by right-clicking.
  • The Interactive Map also supports IPv6 path analysis for generic devices now.
  • SecureTrack Interactive Map supports using LDAP groups in Source and Destination.
  • The Interactive Map allows viewing device data and calculating paths that include Amazon AWS devices.

Devices and Platforms

  • Amazon AWS
    For Amazon AWS devices, the Interactive Map can be used to view device data and paths that include these devices.
  • Check Point
    When using Inline Layers, the rules configured in them can now be viewed in the Policy Browser. From there, SecureChange tickets for rule modification, rule recertification, and rule decommission can be opened.
    Check Point Cloud devices in NSX-T, ACI and AWS can be included in SecureTrack.
  • Cisco
    Support for Cisco IOS-XE routers and L3 devices
  • Juniper
    IPv6 configuration of Juniper SRX devices is now supported in SecureTrack Topology.
  • Fortinet
    For Fortinet FortiManager, SecureTrack now offers visibility into user IDs and rules in the devices' security rules, at the global level, and at the ADOM level.
  • Palo Alto
    With Panorama, Shared Objects can now be used in SecureChange. The Designer can be configured to use or create shared objects as part of the automation process.


  • Error handling
    • The status code returned for unauthorized users has been set to 403 for SecureTrack and SecureChange
    • SecureTrack returns 503 if another graph builder is running during synchronization
  • Improvements for SecureTrack
    • Check Point R80 rule numbering has been improved
    • Getting IPv6 bindings is possible now
    • The mapping of zones to device interfaces can be retrieved
    • Rule recertification can now be done via API
  • Improvements for SecureChange
    • Get Security Zone for Access Requests
    • Modify Expiration Date and Reference Ticket ID
    • API returns an error if a device contains multiple objects or services with the same name
    • Import validations added for Rule Modification
    • Support of Panorama tags for Designer

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com