Tufin has released TOS R20-2, the second version of the Tufin Orchestration Suite of 2020.

Please be aware that TOS 20-2 requires TufinOS 3.x, CentOS 7, or RHEL 7. This has been pointed out before. More information about this process to be published here.

So a direct upgrade isn't possible. It's necessary to upgrade/reinstall the Operating System itself. This isn't the move to TOS 2.0, the new version Tufin is talking about a lot. TOS 2.0 is currently available for SecureTrack only. Upgrade tools point customers using SecureTrack only to this new version. If you upgrade, please consider the hardware requirements Tufin has published for the "old" TOS as well as for the "new" TOS.

TOS 20-2 is available as GA, delivering some improvements, e.g.

Change Automation and Orchestration

  • SecureChange offers "ticket references". So tickets can be combined and/or referenced. This might be useful if e.g. a rule is decertified and in the next step a Rule Decommissioning should start. Here, a link can be placed, showing to the first ticket.
  • When in a SecureChange Access Request "Risk Analysis" is done, only USPs in SecureTrack could be considered. Now, also results of an External Risk Analysis can be considered and shown to the corresponding user.

Security, Risk, and Compliance

  • The integration of Transparent Firewalls (working on layer 2 in bridge mode) needed extra tools. Now, they can be added using the WebUI of SecureTrack.
  • If a path is found in SecureTrack Interactive Map, the result can now be exported in a PDF file. This file includes all relevant information about devices involved, including corresponding rules. So here is more information as it is shown via a REST API call.
  • Searches in SecureTrack Interactive Map allow more than eight results now.

Devices and Platforms

  • Check Point - improvement of Rule Numbering when monitoring a CMA with Global Policies.
  • Cisco ACI - SecureTrack Path Analysis for simulation of paths to external IP addresses traveling via specific EPGs is possible now.
  • Fortinet - Support of IPv6 Path Analysis in SecureTrack Interactive Map, FQDN Object Automation in SecureChange and possibility for Global Level configuration. The last two points require a FortiManager.
  • Microsoft Azure - Support of SecureTrack Interactive Map
  • Palo Alto Networks Panorama - Besides predefined applications now also custom applications can be used in SecureChange Automation. Improvements for Device Monitoring are included as well as the possibility to add Panorama tags to new rules.
  • Support of additional devices and versions:
    • Check Point R80.40 (Check Point Management API v1.5 and v1.6)
    • Cisco ACI 4.2
    • Juniper SRX 19.4
    • Palo Alto PanOS 9.1
    • VMware NSX-T 2.5 and 3.0


  • Error Code For Unauthorized Users Changed to 403
  • Rule Numbering Enhancement for Check Point R80 Devices
  • Get IPV6 Binding
  • Get zone to interface mapping
  • Synchronize Topology Model API Enhancement
  • Rule Recertification - Update the Certification Status of SecureTrack Rules
  • Network Object and Service Name Verification
  • GET Security Zone for Access Requests
  • Panorama supported for Designer APIs
  • Expiration Date and Reference Ticket ID Can Be Modified
  • Input Validations Added to Rule Modification Fields


Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com