Tufin has released TOS R21-2, the second version of the Tufin Orchestration Suite of 2021.
TOS 21-2 is available as GA and can be downloaded from the Tufin Portal (login required). It delivers improvements, e.g.

Change Automation and Orchestration

  • Access Decommission is supported now for Cisco ASA, Fortinet Manager Advanced Mode, Forcepoint, VMware NSX, and Amazon AWS. For these supported devices the Designer determines which changes are necessary. Besides this, a detailed list of rules (and their information) impacted by this ticket can be extracted.
  • Rule comments now can be edited using the Designer using the WebUI or API. This is supported for Check Point R80, Cisco ASA, Juniper SRX, Palo Alto Panorama, and VMware NSX.
  • Change Automation for NSX-T allows detailed configuration of Security Groups using the WebUI or API.
  • Auditing SecureChange is possible now using the API. So changes to workflows are documented. It includes information about the user and the time changes were done.

Devices and Platforms

  • Check Point
    When analyzing traffic with the APG, now Check Point Inline Layers are supported.
  • Cisco
    Cisco Firewall Threat Defense (FTD) in Active Mode is supported when managed using the FMC.
  • F5
    The Interactive Map now supports paths that go through F5 devices which have SNAT Automap configured.
  • Fortinet
    FortiManager 6.4 is supported now. Regarding IPv6 a specific behavior needs to be considered.
  • Palo Alto
    IPsec VPN tunnels configured in Palo Alto gateways are now considered in SecureTrack Topology.
  • VMware NSX-T
    information about the rule direction has been added to the rules in SecureTrack and SecureChange to increase visibility.
  • VMware NSX-T
    NSX-T Security Groups have been improved, now showing dynamic group content based on matching criteria. For these, a search in SecureTrack Policy Browsers can be done. The information is also considered in Topology and Violation calculation.


  • Administering licenses in SecureTrack has been improved. This includes details about the specific SKU attached to the device, its expiration date as well as a counter for expired licenses.


  • SecureChange Auditing
    The history of workflows now can be retrieved, so auditing the life cycle of a workflow is possible now.
  • Designer Suggestions
    Using the API, now security groups for VMware NSX can be specified.

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com