Tufin has released TOS R22-2, the second version of the Tufin Orchestration Suite of 2022.
TOS R22-2 is available as GA and can be downloaded from the Tufin Portal (login required).
Since the support of TOS Classic provided by Tufin ends within the next weeks, this version is available for TOS Aurora only. Some improvements of TOS Aurora R22-2:

Change Automation and Orchestration

  • SecureChange
    The Designer results include now not only the recommendations for rules but also the Access Request.

  • SecureChange
    If an auto-step with provisioning fails due to ticket dependencies, a new run of the Designer is needed. Then, the auto-step could be tried again. Now, the Designer can be run in this auto-step for provisioning to consider the latest changes.

  • SecureChange
    IPv6 Addresses can now be used in automation, e.g. Target selection, Designer, and Verifier. This is possible when Check Point R8x or FortiManager is used.

  • SecureChange
    In Rule Decommission workflows, now Designer and Provisioning can be split into separate (manual/automatic) steps.

  • SecureChange
    The Rule Decommission workflow now allows the dynamic assignment of steps using a script if the criteria for the assignment are e.g. too complex.

  • SecureChange
    If SecureChange is configured in "Interconnected Domains" mode, now Risk Analysis is possible in Access Requests, even if there are overlapping IP addresses in different Domains. In this case, a flag needs to be set in SecureTrack.

  • SecureChange (Palo Alto Panorama)
    The Designer can be customized to automatically add access to either the pre- or post-sections on Panorama devices per device group or globally.

  • SecureChange (Palo Alto Panorama)
    The Designer can be customized to create new rules with a custom log forwarding profile automatically.

  • SecureChange (Palo Alto Panorama, FortiManager)
    The Designer can now be customized to automatically create new rules with custom security profile groups. Such a custom security profile group is available for different Panorama device groups or FortiManager Administrative Domains.

  • SecureChange (Cisco ASA)
    The Designer now can automatically create network and service objects instead of adding them inline into rules and groups. Possible for Access Request workflow and Clone Network Object workflow.

  • SecureChange
    Access Requests allow to use now User Identity (i.e. add LDAP group in Source) independently of the Topology Mode (on or off).

Devices and Platforms

  • Microsoft Azure
    The Azure Firewall Policy Network and Application Rules are now fully integrated into the Rule Viewer.

  • Microsoft Azure
    The Topology now shows matching rules when running a path analysis on the Map.

  • Microsoft Azure
    The Topology now supports Azure Load Balancers which are integrated here now.

  • Fortinet
    Support of Fortinet SD-WAN for Topology and Policy Visibility. 

  • Fortinet
    Support of IPsec VPN configured in FortiGate devices that are managed by a FortiManager - they are modeled in the Topology now.

  • Forcepoint
    The Stonesoft rules are now shown in Rule Viewer.

  • New version support: Tufin TOS now supports
    • Check Point R81.20
    • Cisco ISO-SE - 17.7.1, IOS-XR - 7.5.1, IOS - 15.9.3M4
    • F5 BIG-IP v16.1.2
    • Forcepoint Stonesoft SMC - 6.10.7
    • Fortinet FortiManager 7.2
    • Juniper SRX 22.1R1

Security, Risk, and Compliance

  • SecureTrack
    Shadowing Rules are integrated and displayed in Rule Viewer, making the review of rule bases easier.

Deployment and Monitoring

  • Backup of Tufin Orchestration Suite
    • Backup files now can be stored directly on external S3 storage services. These storage providers are supported: AWS S3 Storage, AWS Blog Storage, Google Storage, and Minio S3 compatible storage.
    • The expiration dates of backups now can be modified, so backup files can be kept for a longer time.

  • Clustering TOS Aurora is possible in the case of disaster, i.e. running TOS on two different sites is possible when using the same S3 compatible external cloud storage service for backup files. The standby cluster can be switched to active in case of failure of the first one. The TOS is restored from the latest backup file.

  • RADIUS Authentication and Authorization can be configured to run automatically on SecureTrack. So there is no more a need to manually define and manage each SecureTrack user accessing SecureTrack. To implement this, a Vendor Specific Attribute (VSA) is used.

Help and Training

  • The "Help function" is extended and includes now a direct link to Tufin Training videos on YouTube.

  • The TOS version is now also displayed in the SecureChange Help menu.


  • SecureTrack
    The Rule Information now includes the Palo Alto Panorama UUID
  • SecureChange
    The API call "GET Domains" returns now the Domain Description allowing consideration of different domains.
  • SecureChange
    Script Triggers for Workflow events (get, create, update) can also be used for Marketplace Apps now.
  • SecureChange
    The priority of a ticket can now be updated using a script.
  • SecureChange
    If steps are "self-assigned" to groups, a list of users shows potential handlers (candidates). This information can now be used in scripts.
  • SecureChange
    When using GET to get information about users / IDs, now the user name is also returned by this call.


If you are using SecureTrack reports, please find a list of depreciated reports that are removed with R22-2 here.

Further improvements, as well as corrections, are included in R22-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com