Version update

Tufin has released TOS R24-2, the second version of the Tufin Orchestration Suite of 2024. 
TOS R24-2 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R24-2:

Deployment

• Upgrade
  The upgrade process has been optimized and is shown in a more transparent way. This increases visibility and helps troubleshooting during upgrades.

Change Monitoring, Automation, and Orchestration

• SecureChange
  SLA can be set for tickets. Starting with this version, business hours and non-working days can be considered by configuration.
• SecureChange
  The page showing the tickets has been improved esp. regarding search tickets and manage saved queries. 
  
  
• SecureTrack
  OPM devices are integrated better now. Supported is e.g. automatic mapping of zones to interfaces, matching rules in the Topology Map, etc. So they are also found by SecureChange as possible installation targets.
• SecureTrack
  The Topology Map now supports both IPv4 and IPv6 routes. So it can be used in mixed environments also.
• SecureTrack
  The Device Viewer includes the feature "Revision History" for all devices now. This is useful esp. for GCP, Cisco Meraki and OPM devices because they don't have the option for comparing revisions.

Devices and Platforms

• Azure NSG
  SecureChange Designer now provides suggested changes for access across Azure NSGs and Azure firewall devices. 
• Azure NSG
  SecureTrack Rule Viewer can interpret the configuration of NSGs, so e.g. "cleanup" as well as "unused objects" can be used.
• Azure Firewall
  Azure firewalls in a Virtual WAN- Secured Hub deployment when routing is configured in the Azure Hub are supported. So based on the Topology, also USP violations as well as Designer / Verifier are supported. 
  
  
• Cisco
  For Cisco FMC devices generic NAT is supported, so it can be used in Topology.
  
  
• Fortinet
  UserID Automation for FortiManager is supported now, delivering improved visibility for the LDAP groups that are part of the User Groups and FSSO objects. This includes topology support as well as automation tools of SecureChange.
• Fortinet
  For path analysis FQDN objects or DNS can be used.
• Fortinet
  The support of enhanced VPN across Fortinet devices is improved (Dial-Up/dynamic VPN). The modelling of SD-WAN is improved.
  
  
• Google
  GCP VPC firewalls can be used in Access Request workflows, they are automatically recognized based on information from the Topology. So also the Verifier can be used for these devices.
  
  
• VMware
  NSX-T is supported by the Rule Viewer, last hit information for NSX-T Distributed firewall rules is available now.
• VMware
  NSX-T VRFs can be imported as logical routers and be used in Topology.
• VMware
  IPv6 is now supported for VMware NSX-T in the Interactive Map: Interfaces and Routes. So in SecureChange Designer, Provisioning and Verifier are supported.

Further improvements, as well as corrections, are included in R24-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Tufin has released TOS R24-1, the first version of the Tufin Orchestration Suite of 2024. It enforces the "new licensing" as R23-2 started to do. Licensing is enforced following the Solution Tiers. So before an upgrade be sure that you have all active devices licensed, the license activated and not using a temporary license.
TOS R24-1 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R24-1:

Change Monitoring, Automation, and Orchestration

• SecureTrack
  Some improvements have been integrated into Rule Viewer. It affects e.g. group rules or the increased limit for rule actions.
• SecureTrack
  The Rule Viewer allows a new TQL operator: "intersect". It locates rules whose SRC or DST intersect with a given IP, subnet, or range.
• SecureTrack
  Shadowed rules shown in Rule Viewer can now be selected to get further information.
• SecureTrack
  A USP template for PCI-DSS 4.0 is integrated, allowing to follow the latest PCI-DSS Standard.
• SecureTrack
  Regarding USPs, now violations of Azure Firewall Rules are considered.
  
  
• SecureChange
  Searching for tickets has been updated to a new look-and-feel. This affects "free search" as well as "detailed search".
• SecureChange
  Palo Alto Panorama and ACI integration with DAG-based ACI EPG tags in their Panorama security policies allow to automate changes with SecureChange workflow tools.
• SecureChange
  Palo Alto rules and access requests whose source includes both UserID (LDAP Groups) and IP addresses are supported now.
  
  
• SecureApp
  A custom validation script is available for SecureApp, allowing to ensure some important properties like e.g. object names, USP compliance.

Deployment

• TOS CLuster
  New default alerts are available to check e.g. file system usage and database status. These TOS Cluster Health Alerts offer simpler monitoring. 

Devices and Platforms

• Azure
  For Azure FW and NSG rules some enhancements for Cleanup have been published
  
  
• Cisco
  Cisco Meraki can be added to SecureTrack using proxy authentication
• Cisco
  Besides the on prem support of Cisco FMX, now Cisco Cloud-Delivered FMC is supported, too
  
  
• Google Cloud
  From this version on, GCP is incorporated into SecureTrack Topology
• Google Cloud
  GCP projects can be added to SecureTrack using proxy authentication
  
  
• Palo Alto
  Panorama Managed Prisma Access is incorporated into SecureTrack Topology
• Palo Alto
  Palo Alto Device Groups that manage Palo Alto Cloud NGFW on Azure are now supported
• Palo Alto
  Palo Alto VM series on GCP is supported, delivering full functionality

API Improvements

• SecureChange
  The SecureChange Reporting API has been introduced. It allows more granular reporting about tickets and step events

Further improvements, as well as corrections, are included in R24-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Tufin has released TOS R23-2, the second version of the Tufin Orchestration Suite of 2023.
TOS R23-2 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS Aurora R23-2:

Change Monitoring, Automation, and Orchestration

• SecureChange (Palo Alto Networks)
  Automation for Panorama URL Categories allows design and provisioning for URL Categories also.
  
  
• SecureChange
  Rules from different devices can be added to a single ticket using the Rule Viewer. This is available for Rule Decommission, Rule Modification, and Rule Recertification tickets.
  
  
• SecureChange
  Extension Apps have been added to the SecureChange menu.
  
  
• SecureChange
  A new page for "My Requests" has been integrated into SecureChange.
  
  
• SecureTrack
  Topology and Automation now support Internet Objects, that can be directly inserted into Devices by Check Point and Forcepoint.
  
  
• SecureCloud
  SecureCloud now displays a risk assessment for assets exposed to the internet based on the data returned from the firewalls monitored by SecureTrack.
  
  
• SecureTrack
  The Rule Viewer now offers the option to view the change history of a rule by the new tab "Rule History".

Deployment

• License
  In order to monitor license consumption and accurate auditing, a mechanism for tracking the license usage is introduced. The licenses of SecureTrack+, SecurecChange+, and Enterprise can be sent automatically to Tufin. More information here.
  
  
• License
  The License Management in SecureTrack has a new user interface that can be accessed by SecureTrack Super Administrators.
  
  
• Appliances
  New appliances for TOS are available now. They come pre-installed with TufinOS and TOS Aurora. There are two different appliances available: T-820 and T-1220.
  
  
• Operating Systems
  In June 2024 CentOS 7 as well as TufinOS 3 are going to be End-of-Life. TufinOS 4 and Red Hat Enterprise Linux / Rocky Linux 8.6 are the successors. They are available for on-premise installations, cloud deployments require Rocky Linux 8.6.
  
  
• Google Cloud
  Tufin now supports high availability for GCP over three availability zones.

Devices and Platforms

• AWS
  VMware NSX-T on AWS (VMware cloud) is supported for TOS, providing the same features as with on-prem NSX deployments.
  
  
• Azure
  Network Security Groups (NSG) can be used as targets in SecureChange Access Requests. The verifier is now able to check automatically implemented policies.
  
  
• Azure
  The deployment of TOS in Microsoft Azure is supported for very large installations also. Sizing requires help from Tufin.
  
  
• Check Point
  The management of Check Point devices can be done in the cloud using Check Point Smart-1 Cloud. This is supported by Tufin now.
  
  
• Cisco
  Cisco Viptela is now supported in SecureTrack Topology, including OMP routes as well as SD-WAN interfaces and SD-WAN labels.
  
  
• Cisco
  The Designer now can automatically create rules with custom logging for Cisco ASA devices.
  
  
• Palo Alto Networks
  Tufiin is now able to monitor Palo Alto Networks Prisma Access Policies managed by Panorama devices.
  
  

GraphQL API

• Enhancements for SecureTrack
  • A new query returns all changes made in a selected revision that affect a specific rule.
  • A new query returns a list of revisions in a specific time frame that affects a selected rule.

REST API

• Enhancements for SecureTrack
  • NAT information can be retrieved per revision, not only for the last revision.
  • Dynamic Topology data can be retrieved from a specific device tree. This subset can be refreshed without the need of a Topology "Full Sync".
    
    
• Enhancements for SecureChange
  • URL Category Zones can be set and get for path calculation and target selection.
  • It is possible to run "commit now" for a specific device in a SecureChange ticket for Check Point R8x, FortiManager, and Panorama.
    
    
• Enhancements for SecureApp
  • It is possible to search network objects not only by their name but also by IP address, subnet, and comment.

Further improvements, as well as corrections, are included in R23-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Tufin has released TOS R23-1, the first version of the Tufin Orchestration Suite of 2023.
TOS R23-1 is available as GA and can be downloaded from the Tufin Portal (login required).
This version is available for TOS Aurora only. Some improvements of TOS Aurora R23-1:

Change Automation and Orchestration

• SecureChange (Azure)
  Azure Firewalls can be included in Access Request tickets in topology mode, i.e. they can be used as targets in such a ticket.
  
  
• SecureChange (Check Point)
  Support of FQDN configured in Check Point has been integrated into SecureChange automation tools.
  
  
• SecureChange (Cisco)
  Access Requests now can be provisioned to Cisco Nexus devices
  
  
• SecureChange
  A redesign by the Designer can be triggered by API.
  
  
• SecureChange
  Using API POST allows the creation of tickets with rules from multiple devices for workflows focused on rules (modification, decommission, recertification).
  
  
• SecureChange API
  The API now allows to trigger "commit now", automatic retries are possible also.
  
  
• SecureChange API
  Automation of the provisioning can be scheduled, triggered, or retried using the API

Cloud

• SecureTrack (AWS)
  Importing multiple AWS accounts and additional entries like VPCs or transit gateways is possible using the bulk API feature.

Deployment and Monitoring

• TOS Aurora deployment in AWS is now supported for large customers
• Solarwinds can be used to monitor the health of the Kubernetes cluster
• Backups can be stored externally using NAS (NFS) storage.
• Remote Collectors are now supported for Cloud Deployments (AWS, Azure, GCP)
• From now on, the Microsoft Authentication Library (MSAL) can be used for authentication, since the Active Directory Authentication Library (ADAL) will no more be supported after June 2023

Devices and Platforms

• Amazon AWS
  AWS Gateway Load Balancers can be imported from the AWS account and be integrated into SecureTrack Topology. This also means that change automation also can be used for these devices.
  
  
• Check Point / Palo Alto Networks
  Syslog is now supported not only using TCP instead of UDP but also using encryption. So for these two devices, Syslog can be transferred securely to SecureTrack.
  
  
• Check Point
  SecureTrack as well as SecureChange support Check Point FQDN objects. They are visible in security rules and change tracking, assessment, path analysis, and matching rules. In SecureChange they can be used in Target Selection, Designer, and Verifier.
  
  
• Cisco
  SecureTrack Rule Viewer, Topology, and USP now support Cisco Meraki Firewalls
  
  
• Microsoft Azure
  Azure Virtual Hubs from Azure subscriptions can be imported to SecureTrack Topology. So they can not only be used for Path Analysis, but also by SecureChange Automation Tools.
  
  
• Microsoft Azure
  The import of Azure Virtual Hubs from Azure subscriptions is possible to show in SecureTrack Topology. This can be used for Path Analysis as well as in SecureChange.
  
  
• Microsoft Azure
  Azure Shared Express Routes are now modeled in the Topology map to be used here as well as in SecureChange
  
  
• Microsoft Azure
  Azure Application Security Groups (ASGs) that are part of Network Security Group (NSG) rules can be used in SeureTrack Rule Viewer, Object Lookup, Compare Revisions, and Topology Path Analysis.
  
  
• Palo Alto Networks
  In SecureTrack Rule Viewer a search for PAN Rule UUID is possible. This information also appears in the ID of the Device column when exporting Rule Viewer information.
  
  
• API
  The Devices Bulk API has been provided with a delete function. So it's possible to remove a Management Device and all of its managed devices with an API call.
  
  
• API
  Rule-based tickets containing multiple devices or policies per ticket can be submitted by API now.

GraphQL API

• USP exceptions
  Exceptions can be defined with network objects (e.g. network groups, IP addresses) via GraphQL. This isn't possible using the WebUI

REST API

• Enhancements for SecureTrack
  • Bulk Device Deletion API allows to delete e.g. a management server and all firewalls managed by it from SecureTrack
  • Multiple AWS Accounts Management API allows using of this bulk API feature to onboard multiple AWS accounts and edit them by importing VPCs and transit gateways also.
  • Exceptions can be defined with network objects (e.g. network groups, IP addresses) via REST API and GraphQL API, respectively. This isn't possible using the WebUI
    
    
• Enhancements for SecureChange
  
  • Designer Redesign is possible now using the API. This is useful if e.g. a new revision has been retrieved between design and provisioning.
  • Selective Device Update is useful for the automation of provisioning changes.
  • Ticket Creation is possible using API POST for rules of multiple devices. This is used for Rule Modification, Rule Decommission, or Rule Recertification.
  • Trigger Commit Now for a specific device is possible. Automatic Retries can be automated.
  • Submit (Rule-Based) Tickets can be used now for multiple devices.

Security, Risk, and Compliance

• USP Exceptions contain Object IDs now, so within these exceptions, network objects can be used.

Topology Map

• Device Grouping in the Topology Map delivers more visualization. This is done by grouping network and security devices by domain or other custom requirements.

User Experience

• Accessibility for color-blind users can be improved by configurable high-contrast color schemes.
• The Look and Feel of the Tickets page is updated, delivering a more user-friendly experience.

Further improvements, as well as corrections, are included in R23-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Update July 2023: R23-1 PGA.0.0 and R23-1 PHF1.0.0 were recalled.
R23-1 PHF1.1.0 should be considered the earliest available R23-1 release.

Update August 2023: R23-1 PGA1.2.0 is available now for download.

Tufin has released TOS R22-2, the second version of the Tufin Orchestration Suite of 2022.
TOS R22-2 is available as GA and can be downloaded from the Tufin Portal (login required).
Since the support of TOS Classic provided by Tufin ends within the next weeks, this version is available for TOS Aurora only. Some improvements of TOS Aurora R22-2:

Change Automation and Orchestration

• SecureChange
  The Designer results include now not only the recommendations for rules but also the Access Request.
  
  
• SecureChange
  If an auto-step with provisioning fails due to ticket dependencies, a new run of the Designer is needed. Then, the auto-step could be tried again. Now, the Designer can be run in this auto-step for provisioning to consider the latest changes.
  
  
• SecureChange
  IPv6 Addresses can now be used in automation, e.g. Target selection, Designer, and Verifier. This is possible when Check Point R8x or FortiManager is used.
  
  
• SecureChange
  In Rule Decommission workflows, now Designer and Provisioning can be split into separate (manual/automatic) steps.
  
  
• SecureChange
  The Rule Decommission workflow now allows the dynamic assignment of steps using a script if the criteria for the assignment are e.g. too complex.
  
  
• SecureChange
  If SecureChange is configured in "Interconnected Domains" mode, now Risk Analysis is possible in Access Requests, even if there are overlapping IP addresses in different Domains. In this case, a flag needs to be set in SecureTrack.
  
  
• SecureChange (Palo Alto Panorama)
  The Designer can be customized to automatically add access to either the pre- or post-sections on Panorama devices per device group or globally.
  
  
• SecureChange (Palo Alto Panorama)
  The Designer can be customized to create new rules with a custom log forwarding profile automatically.
  
  
• SecureChange (Palo Alto Panorama, FortiManager)
  The Designer can now be customized to automatically create new rules with custom security profile groups. Such a custom security profile group is available for different Panorama device groups or FortiManager Administrative Domains.
  
  
• SecureChange (Cisco ASA)
  The Designer now can automatically create network and service objects instead of adding them inline into rules and groups. Possible for Access Request workflow and Clone Network Object workflow.
  
  
• SecureChange
  Access Requests allow to use now User Identity (i.e. add LDAP group in Source) independently of the Topology Mode (on or off).
  
  

Devices and Platforms

• Microsoft Azure
  The Azure Firewall Policy Network and Application Rules are now fully integrated into the Rule Viewer.
  
  
• Microsoft Azure
  The Topology now shows matching rules when running a path analysis on the Map.
  
  
• Microsoft Azure
  The Topology now supports Azure Load Balancers which are integrated here now.
  
  
• Fortinet
  Support of Fortinet SD-WAN for Topology and Policy Visibility. 
  
  
• Fortinet
  Support of IPsec VPN configured in FortiGate devices that are managed by a FortiManager - they are modeled in the Topology now.
  
  
• Forcepoint
  The Stonesoft rules are now shown in Rule Viewer.
  
  
• New version support: Tufin TOS now supports
  • Check Point R81.20
  • Cisco ISO-SE - 17.7.1, IOS-XR - 7.5.1, IOS - 15.9.3M4
  • F5 BIG-IP v16.1.2
  • Forcepoint Stonesoft SMC - 6.10.7
  • Fortinet FortiManager 7.2
  • Juniper SRX 22.1R1
    
    

Security, Risk, and Compliance

• SecureTrack
  Shadowing Rules are integrated and displayed in Rule Viewer, making the review of rule bases easier.
  
  

Deployment and Monitoring

• Backup of Tufin Orchestration Suite
  
  • Backup files now can be stored directly on external S3 storage services. These storage providers are supported: AWS S3 Storage, AWS Blog Storage, Google Storage, and Minio S3 compatible storage.
  • The expiration dates of backups now can be modified, so backup files can be kept for a longer time.
    
    
• Clustering TOS Aurora is possible in the case of disaster, i.e. running TOS on two different sites is possible when using the same S3 compatible external cloud storage service for backup files. The standby cluster can be switched to active in case of failure of the first one. The TOS is restored from the latest backup file.
  
  
• RADIUS Authentication and Authorization can be configured to run automatically on SecureTrack. So there is no more a need to manually define and manage each SecureTrack user accessing SecureTrack. To implement this, a Vendor Specific Attribute (VSA) is used.

Help and Training

• The "Help function" is extended and includes now a direct link to Tufin Training videos on YouTube.
  
  
• The TOS version is now also displayed in the SecureChange Help menu.

REST API

• SecureTrack
  The Rule Information now includes the Palo Alto Panorama UUID
• SecureChange
  The API call "GET Domains" returns now the Domain Description allowing consideration of different domains.
• SecureChange
  Script Triggers for Workflow events (get, create, update) can also be used for Marketplace Apps now.
• SecureChange
  The priority of a ticket can now be updated using a script.
• SecureChange
  If steps are "self-assigned" to groups, a list of users shows potential handlers (candidates). This information can now be used in scripts.
• SecureChange
  When using GET to get information about users / IDs, now the user name is also returned by this call.

If you are using SecureTrack reports, please find a list of depreciated reports that are removed with R22-2 here.

Further improvements, as well as corrections, are included in R22-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com