Tufin has just released TOS R19-3, the third and final version of the Tufin Orchestration Suite in 2019.
TOS 19-3 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • Rule Modification Workflow
    With this workflow it's possible to modify the fields Source and Destination within an existing rule. Here new as well as existing objects can be added or removed. This feature is fully integrated in SecureTrack Policy Browser and delivers full API support
    Supported devices are Check Point R80, Cisco FMC, Palo Alto Panorama, Cisco ASA, and Juniper SRX
  • Group Ticket Notifications
    Teams can work better now with this feature. The requester of a ticket can now specify a group of users that will receive all E-Mail notifications
  • Palo Alto Panorama FQDN Objects in Access Request
    FQDN can be used now, so it's no more necessary to convert names to IP addresses when used in an Access Request
  • Check Point R80 - Support of IPv6 addresses
    Access Requests now can use IPv6 addresses in source and/or destination. This is true for new as well as existing rules. Besides this, also new IPv6 objects can be created. Manual Target Selection in SecureChange is required

Devices and Platforms

  • Check Point R80 syslog
    Usually, Check Point Log/Management Servers deliver their logs to SecureTrack using LEA. If wanted, now these logs also can be sent by syslog to SecureTrack
  • Cisco ACI Visibility
    The ACI policy is now shown in SecureTrack, including EPGs, VRFs, Contracts, Subjects, ... So an instant view of policy details is possible
  • Cisco ACI Path Analysis
    ACI devices are included in SecureTrack Topology, so the traffic flow in and out of the ACI device is shown
  • Cicso FMC Visibility
    Now FMC zones are shown in retrieved FMC rules, e.g. in Policy Prowser, View Policy etc.
  • Forcepoint
    Improvements regarding speed of revision retrieval
  • PAN Panorama syslog
    Panorama can be configured now to send syslog by TCP/TLS instead of UDP
  • PAN Panorama Device Groups
    Panorama Device Groups (DG) can now be migrated to non-default SecureTrack domains from any level in the group hierarchy, improving management of Domains
  • VMware NSX-T
    SecureTrack and Secure Change now support NSX-T. It includes Change Tracking, Clean Up, Violations, Policy Browser, Reports, Topology, etc.


  • Check Point R80
    • Adding or Updating Managed Devices (CMA or SMC) via API
    • Adding new device (CMA or SMC) via API
  • Palo Alto Panorama
    • Support of URL Filtering using API
  • SecureChange Designer
    • Enhancements for Set Rule location via API
  • Rule Modification Workflow
    • Support of many features regarding the Rule Modification Workflow via API
  • SecureApp
    • Getting Application Interfaces is possible now using API


Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com