Tufin has released TOS R22-1, the first version of the Tufin Orchestration Suite of 2022.
TOS R22-1 is available as GA and can be downloaded from the Tufin Portal (login required).

Please be aware that R22-1 is available for TOS Aurora only (!).
TOS Classic is supported until the end of 2022, but with the release TOS R21-3

R22-1 delivers some improvements, e.g.

Change Automation and Orchestration

  • SecureApp
    Full Support of Tufin SecureApp in TOS Aurora as it has been supported in TOS Classic.

  • Check Point Inline Layers
    Starting with this version, SecureChange supports Check Point Inline Layers for Access Requests. This support includes the ability to add, edit and delete Inline Layer rules in Access Request Workflows.

  • Palo Alto Panorama Application Automation
    Now it is possible to enter applications in Path Analysis of SecureTrack or Access Request of SecureChange without being bound to Default Ports.

Devices and Platforms

  • Microsoft Azure
    Firewalls of Microsoft Azure are supported now. The support includes visibility of rule collections, NAT, network/application rules, and more. Changes are documented in SecureTrack as they are for other firewall vendors. The integration also includes the Topology Map.

  • Check Point / Fortinet
    For these vendors are Wildcard objects supported now for policy view and comparing policies. So the search in Rule Viewer might be easier, too. Besides SecureTrack, also SecureChange supports Wildcard objects in workflows, e.g. Access Requests, Server Decommission, or Server Clone.

  • Tufin API
    It is possible to add and/or edit Cisco routers using an API.

  • Juniper MX
    Using the Rule Viewer is possible for Juniper MX, as the use of USP violations is.

Security, Risk, and Compliance

  • Using a Vault Server
    Administrators have the option to store access credentials using a CyberArk vault server. This is possible for selected devices (Fortinet FortiManager, Palo Alto Panorama, Check Point (SmartCenter, CMA, MDS), Cisco ASA, and Juniper SRX). After establishing a connection between SecureTrack and the vault server, any access to the device (e.g. revision retrieval, dynamic topology, provisioning) is authenticated using this connection.

  • Rule Viewer
    The search capabilities of the SecureTrack Rule Viewer allow very complex queries. It is possible to save and reuse Rule Viewer queries now.

  • New Dashboard Widgets
    For Cleanup Candidates and Rules with Violations new widgets have been introduced. They allow having a look at trends regarding these topics.

Deployment and Monitoring

  • Single Sign-On for TOS
    It has taken a long, long time - now Single Sign-On (SSO) is possible for SecureTrack and SecureChange. So a user can log in at SecureTrack and is authenticated for SecureChange also (if the user is allowed to log in on both systems). This option is available for LDAP, RADIUS, TACACS+, SAML, and local authentication. Using SAML LDAP allows two-factor authentication.

  • TOS Monitoring using SNMP
    It is possible to use SNMPv3 for TOS Monitoring. SNMPv3 Traps are supported as well as SNMPv3 Walk/Get.

  • TOS Monitoring improved
    The monitoring allows now to check the Database status as well as the Deployment status (HA Mode only).

  • High Availability for TOS Aurora
    TOS Aurora now supports High Availability mode, i.e. machines can be configured to work as a HA Cluster to improve availability.

GraphQL API (get further information about this API here)

  • SecureTrack
    Rule Queries can be saved and reused. Administrators can publish them to all users. The SecureTrack API offers new options now: Create a new query, Edit a query, Delete a query, and Change the query owner.

  • SecureTrack
    Trends for Cleanup Candidates and Rules with Violations can be requested using the SecureTrack API. It is possible to consider the type of metric, the time span, and the domains that are queried.

  • SecureTrack
    A search for Network Objects is possible. Network Objects can be any group that is defined by a device in an environment. This can include host machines, VMs, or ranges of IP addresses. They can be filtered by name, type, vendor, and state.


  • SecureTrack
    For Cisco devices, the Device bulk API can be used. Enhanced POST is possible for adding new Cisco routers (IOS and IOS XE), Cisco XR, and Nexus devices.

  • SecureTrack
    SecureApp Applications can be mapped to Rules in Rule Viewer. So it is possible to e.g. get all SecureApp applications that are mapped to a specific rule.

  • SecureChange
    Using API it is possible to do actions on ticket attachments. These include the creation of a ticket with attachment, adding attachments to an existing ticket as well as downloading or removing attachments from a specific ticket.

  • SecureChange
    Customized script triggers based on SecureChange workflow trigger events can be used.

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com