Version update

Tufin has released TOS R20-1, the first version of the Tufin Orchestration Suite in 2020. TOS 20-1 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • Improvement of Rule Modification Workflow
    This type of workflow has been introduced with R19-3. This version allows to create tickets to change Source and Destionation of an existing rule. With R20-1 now also Services can be added / changed / removed from a rule.
    Supported devices are Check Point R80, Cisco ASA, Cisco FMC, Palo Alto Panorama, and Juniper SRX.
  • Enhancements in SecureApp User Permissions
    More flexibility for roles and permissions in SecureApp, e.g. configuration whether users are allowed to use Server Resources in their Application Connections. Besides this, Tufin has enhanced the Security Segmentation if Interconnected Domains are configred.

Devices and Platforms

  • Support of IPv6 in Topology
    SecureTrack Topology supports IPv6, i.e. it can be used in the Interactive Map for e.g. paths and traffic simulation.
    Supported are currently Cisco IOS-XR, Check Point R80, and Fortinet FortiManager in Advanced Mode.
  • Fortinet IPv6 automation in non-topology mode
    If Topology isn't used in SecureChange (require e.g. manual Target selection), IPv6 objects in SecureChange Access Requests can be used in automation. So change processes can be automated working with IPv4 as well as IPv6 objects.
  • Enhancements for Licensing page
    Some improvements have been implemented to deliver more clarity regarding available and bound licenses.
  • Cisco FMC Zones Support - Automation
    For Cisco Firepower Management Center (FMC) devices in non-topology mode specific zone-to-zone mapping can be chosen in SecureChange Access Requests. This can also be used in automated changes.
  • Cisco Firepower Rule and Object Usage
    The enhanced rule usage capabilities and features in SecureTrack can now be used for FMC devices, i.e. metadata for rules are calculated and shown in Policy Browser.
  • Palo Alto Panorama Dynamic Address Group (DAG) support with Tags
    The content of Dynamic Access Groups based on Panorama Tags can be shown in SecureTrack, improving visibility and traffic analysis (also in Topology).
  • Hashicorp Vault Support for Amazon AWS
    This option can be used to store Amazon AWS authentication credentials and to provide tight access control to the AWS. Instead of connecting directly to the AWS, SecureTrack can receive a token for authentication and communication with the AWS device.
  • Support of additional devices and versions
    • Check Point R80.40, supporting Check Point API version 1.5
    • Cisco Firepower Management Center (FMC) 6.5
    • Forcepoint SMC 6.5.10
    • F5 BIG IP 14.1
    • Palo Alto PanOS firewall version 9.1
    • Palo Alto Panorama version 9.0.4, 9.1
    • VMware NSX-V version 6.4.6

REST API

  • Management of Generic Interfaces, Generic Routes, and Generic VPN
    New API calls are available, supporting full functionality - e.g. get Generic Interface by ID, get Generic Interfaces for a device, get Generic Route by ID, get Generic Routes for a device, get Generic VPN by ID, get Generic VPNs for a device.
  • Management of Device Connections for Firewalls in Transparent Mode
    Managing L2 Firewalls is now integrated and possible using REST API.
  • Management of Ignored Interfaces
    It's possible to exclude selected Interfaces from SecureTrack Topology. They can now being managed using REST API.
  • Device Interfaces and Domains
    When working with Domains in SecureTrack, now REST API can be used to associate an interface óf a device with a Domain ID.
  • Cloud Management
    The Interactive Map uses Clouds in some situations. Now the management of Joining Clouds can be done via REST API.
  • Enhancements of User Management
    Management of SecureChange and SecureApp users is enhanced when REST API is used, esp. management of Groups.
  • Rule Modification Workflow
    As shown above, Service can now be changed for a rule. This can also be done with REST API.
  • Ticket Search in SecureChange
    Pagination can now be used in REST API to shorten response time and to limit the amount of data returned by rule search APIs.

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

Tufin has just released TOS R19-3, the third and final version of the Tufin Orchestration Suite in 2019.
TOS 19-3 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • Rule Modification Workflow
    With this workflow it's possible to modify the fields Source and Destination within an existing rule. Here new as well as existing objects can be added or removed. This feature is fully integrated in SecureTrack Policy Browser and delivers full API support
    Supported devices are Check Point R80, Cisco FMC, Palo Alto Panorama, Cisco ASA, and Juniper SRX
  • Group Ticket Notifications
    Teams can work better now with this feature. The requester of a ticket can now specify a group of users that will receive all E-Mail notifications
  • Palo Alto Panorama FQDN Objects in Access Request
    FQDN can be used now, so it's no more necessary to convert names to IP addresses when used in an Access Request
  • Check Point R80 - Support of IPv6 addresses
    Access Requests now can use IPv6 addresses in source and/or destination. This is true for new as well as existing rules. Besides this, also new IPv6 objects can be created. Manual Target Selection in SecureChange is required

Devices and Platforms

  • Check Point R80 syslog
    Usually, Check Point Log/Management Servers deliver their logs to SecureTrack using LEA. If wanted, now these logs also can be sent by syslog to SecureTrack
  • Cisco ACI Visibility
    The ACI policy is now shown in SecureTrack, including EPGs, VRFs, Contracts, Subjects, ... So an instant view of policy details is possible
  • Cisco ACI Path Analysis
    ACI devices are included in SecureTrack Topology, so the traffic flow in and out of the ACI device is shown
  • Cicso FMC Visibility
    Now FMC zones are shown in retrieved FMC rules, e.g. in Policy Prowser, View Policy etc.
  • Forcepoint
    Improvements regarding speed of revision retrieval
  • PAN Panorama syslog
    Panorama can be configured now to send syslog by TCP/TLS instead of UDP
  • PAN Panorama Device Groups
    Panorama Device Groups (DG) can now be migrated to non-default SecureTrack domains from any level in the group hierarchy, improving management of Domains
  • VMware NSX-T
    SecureTrack and Secure Change now support NSX-T. It includes Change Tracking, Clean Up, Violations, Policy Browser, Reports, Topology, etc.

REST API

  • Check Point R80
    • Adding or Updating Managed Devices (CMA or SMC) via API
    • Adding new device (CMA or SMC) via API
  • Palo Alto Panorama
    • Support of URL Filtering using API
  • SecureChange Designer
    • Enhancements for Set Rule location via API
  • Rule Modification Workflow
    • Support of many features regarding the Rule Modification Workflow via API
  • SecureApp
    • Getting Application Interfaces is possible now using API

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

Tufin has released R19-2, the second version of the Tufin Orchestration Suite in 2019. TOS 19-2 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • SecureChange
    Enhancements for the "Clone Server Policy" Workflow. They include zero-touch automation for Designer, Policy Update and Commit Policy Changes for all supported devices. Addtionally, support for NSX-V has been added.
  • SecureChange
    The Desgner now can be configured to implement changes in Access Requests as before (optimized policy), but also to implement each Access Request in separate rules. On demnad, this can also be requested by users.
  • SecureChange
    The Workflow "Modify Group" supports now Check Point objects with dual stack (IPv4 / IPv6)
  • SecureTrack, SecureChange
    Support of Fortinet Web Filter allows more visibility on rules that have configured it. So auditing is improved. End-to-End change automation is possible for current and Next Generation Fortinet configurations.
  • SecureChange
    Support of Dual Stack Objects (IPv4/IPv6) in Modify Group Workflow for Check Point R80
  • SecureChange
    Requester Notifications can be sent to AD groups, not only to individuals

Security, Risk and Compliance

  • SecureTrack, SecureChange
    Updated NextGen Applications Library for Palo Alto.
  • SecureTrack
    Improved Troubleshooting using advanced path analysis queries that contain multiple IP addresses
  • SecureTrack, SecureChange
    Protection against CSRF (Cross-Site Request Forgery) attacks (not currently supported for Microsoft Internet Explorer 11)

 Devices and Platforms

  • SecureTrack
    Support of Cisco ACI regarding "Enhanced Visibility", "Enhanced Topology Modeling", and "Risk Assessment".
  • SecureTrack
    Support of Palo Alto Panorama High Availability
  • SecureTrack
    Suppport of Palo Alto Panoramy External Dynamic List (EDL) Support
  • SecureTrack
    Support of Palo Alto Fully Qualified Domain Names
  • SecureTrack, SecureApp
    Policy Browser allows mapping of SecureApp Connections to rules for Cisco FMC, Fortinet FortiManager, and Palo Alto Panorama in Advanced Mode
  • SecureTrack
    Support of Check Point CloudGuard for Azure
  • Support of new devices:
    • Cisco Firepower Management Center (FMC) 6.3
    • Cosco ASA 9.13 beta

REST API

  • Improvements for SecureTrack
    • Automatic onbording of Management Devices via API has been added for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA including import/update of virtual contexts
    • Adding / Updating of single or multiple devices is possible now for Palo Alto Panorama and Fortinet FortiManager (both in advanced management mode) as well as Cisco ASA including import/update of virtual contexts
  • Improvements for SecureTrack/SecureChange
    • Support for Palo Alto Panorama External Dynamic List (EDL) data has been added
  • Improvements for SecureChange
    • The results for the Clone Server Policy can be retrieved via API
  • Improvements for SecureTrack/SecureChange/SecureApp
    • The serialization implementation for JSON is now complete for all SecureTrack, SecureChange and SecureApp REST APIs.

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin has released R19-1, the first version of the Tufin Orchestration Suite in 2019. TOS 19-1 is available as GA now, delivering some improvements, e.g.

  • Interactive Map of SecureTrack allows to save queries now. This allows administrators to save the most important path queries and to re-use them again
  • SecureApp has been optimized for color-blind access. It's compatible with corresponding industry standards now.

Change Automation and Orchestration

  • SecureChange
    Clone Server Policy Workflow allows easy duplication of access permissions when new servers are introduced. This might also help when a server is moved from one address to another.
    Supported platforms are Cisco ASA, Cisco Firepower, Check Point R80 (CMA, SmartCenter, MDS), Fortinet FortiManager advanced and Palo Alto Panorama advanced
  • SecureChange
    Enhanced sorting of selections when adding or removing components. This might help e.g. when an assingment to some users / groups is done. The box for selecting / deselecting them can be sorted not only by name but also by "add" or "clear". This is relevant for "Access Request" and "Clone Server Policy" workflows.

Security, Risk and Compliance

  • SecureTrack, SecureChange
    Map Ticket to Rule is a new feature that maps a fully or paritally implemented ticket to rules. This mapping is based on results of the Verifier.
  • SecureChange
    Enhancements for "Legacy Rules". The Designer now places changes above a legacy rule now only if the legacy rule traffic intersects the Access Request traffic. Until now, this was done always.
  • SecureTrack
    Enhanced USP allows to automatically trigger a violation for IP addresses that are not explicitely included in any USP. They can easily be added to relevant zones.
  • SecureTrack
    A new network zone called "Unassociated Networks" is predefined. It includes all private IP addresses that are not defined in any other zone. This is the "private equivalent" to the predefined zone "Internet". It's used in SecureTrack as well as SecureChange and SecureApp.

 Devices and Platforms

  • SecureTrack
    NAT support for Palo Alto Panorama advanced to track changes on NAT rules
  • SecureTrack
    URL Filtering Support for Palo Alto Panorama advanced to track changes in URL Category
  • SecureTrack
    Cisco Nexus VXLAN Routing Support is implemented now and shown in the Interactive Map
  • SecureTrack
    Routes configured in Juniper MX Router Devices can be selected now, i.e. if there are many dynamic routes specific networks and routes can be added / deleted which might increase router performance
  • SecureChange
    "Server Decommission" is supported now for Global Objects defined in Check Point MDS
  • Support of new devices:
    • Check Point R80.20 (Check Point API version 1.1)
    • Forcepoint SMC 6.5 (SMC API version 6.4)
    • Fortinet FortiManager 6.0.2

REST API

  • Improvements for SecureTrack
    • Unified Returned JSON Array Format is completed now
    • Panorama Firewall Name to Rule- and Policy-related API (PolicyTargetDTO)
    • Adding Devices via API is possible now (for Check Point R77, Cisco ASA without Virtual Contexts, more to follow)
    • Get Panorama URL Categories
    • Compare Traffice Between Devices
    • Service Object Search
    • Modify Unified Security Policy via API is possible now
  • Improvements for SecureChange
    • Clone Server Policy Request DTO
    • Reject Ticket via API
    • Map Rules to Ticket

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin has released R18-3, the third version of the Tufin Orchestration Suite in 2018. TOS 18-3 is available as GA now, delivering some improvements, e.g.

Change Automation and Orchestration

  • SecuerChange
    Remove Access for VMware NSX. This kind of Workflow is available for NSX now.
  • Secure Change
    Modify Group Automation for Palo Alto Panorama Shared Objects
  • SecureChange
    Server Decommission Automation, now supported for Palo Alto Panorama Shared Objects and Cisco Firepower Management Console (FMC)
  • SecureChange
    Change Automation Enhancements for Cisco Firepower, now supporting workflows "Allow Access", "Modify Group", "Server Decommission", "Rule Decommission", and "Rule Recertification"
  • SecureChange
    Action "Commit Now" is possible in an automatic step in workflows "Access Request", "Modify Group", "Access Request and Modify Group", and "Rule Decommision" for these Devices: Palo Alto Panorama Advanced Management Mode, Fortinet FortiManager Advanced Management Mode, Check Point CMA R80. Check Point MDS R80 is only supported for "Modify Group"

Security, Risk and Compliance

  • SecureTrack
    Rule Change and Object Change Reports for Palo Alto Panorama Device Groups for Advanced Management Mode and FortiManager ADOM Policies when configured for Advanced Management Mode.
  • SecureTrack
    Enhanced Unified Security Policy (USP) Risk Analysis, e.g. configuration of Default Behavior when an IP address is not covered in the USP

Devices and Platforms

  • SecureTrack
    Fortinet FortiManager Rule Name support for FMG version 5.4 and above
  • SecureTrack
    Syslog support for Check Point R77, so traffic and audit logs can be received using LEA or syslog
  • SecureTrack
    External syslog support for VMware NSX, support of vRealize Log Insight
  • SecureTrack
    Cisco Firepower revision changes support
  • SecureTrack
    Policy-based routing (PBR) and related ACL rules support for Cisco IOS routers in the Interactive Map
  • Support of new devices
    • Cisco ASA 9.9
    • Check Point R80.20 (EA)
    • Palo Alto PanOS 8.1

REST API

  • Improvements for SecureTrack
    • Unified Returned JSON Array Format - continued
    • New Change Windows APIs
    • Get General SecureTrack Properties
    • Enhanced API for retrieving subnet information
    • Restricted pagination for Rule Search API
    • Enhanced API for Monitored Devices
    • Service Search
    • Retrieve suggested targets for an access request
  • Improvements for SecureChange
    • Commit Results
    • Modify Designer suggestion

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

Tufin has released R18-2, the second version of the Tufin Orchestration Suite in 2018. TOS 18-2 is available as GA now, delivering some improvements, e.g.

Cloud

  • SecureTrack
    Automatically Onboard AWS VPCs
    VPCs are automatically detected now, which covers adding or removing them.

Security Policy Change Automation and Orchestration

  • SecureChange
    Commit Policy Changes. Using this function, policies are pushed from the Management Server to the Firewalls using the Designer. Supported for Check Point, Palo Alto and Fortinet
  • SecureTrack, SecureChange
    The feature Change Windows allows to schedule time slots for committing policies from Management Server to Firewalls, including new report features
  • SecureChange
    Customizable Rule Names for FortiManager allow to define a rule name directly from the SecureChange Designer when changes are implemented.
  • SecureChange
    Change Automation Enhancements for Cisco Firepower allow to implement changes of the security policy automatically.

Devices and Platforms

  • SecureTrack
    Inline Layer Support for Check Point R80.10
  • SecureTrack
    Migrate or Delete Multiple Devices for some Cisco and Check Point Devices using “Device Bulk Tasks”
  • Support of new devices
    • VMware NSX 6.4.0
    • Cisco ASA 9.8
    • Fortinet FortiManager 5.6.3
    • Fortinet FortiGate 5.4.7 and 5.6.3
    • Forcepoint SMC 6.4
    • Palo Alto Panorama 8.1

REST API

  • Improvements for SecureTrack/SecureChange/SecureApp
    Upgrades of REST API Stanadard (JAX_RS) from 1.1 to 2.1, compliant with Java EE8 Apache CXF (which implements JAX_RS 2.1) upgraded from 2.6.16 to 3.2.1
  • Improvements for SecureTrack
    • Unified Returned JSON Array Format for these APIs:
      Get devices, Get device by Id, Add offline device, Update offline device, Get rules by device, Get specific rule, Rule Search APIs
    • Generic Devices APIs:
      Fully manage adding, deleting, or modifying generic devices to the Interactive Map via the REST APIs. New argument “update_topology”.
    • Sync Topology APIs
      Synchronization of Interactive Map by “Fast Topology Sync” or “Full Topology Snyc”
    • Generic VPN connections API
      Retrieval of a list of generic VON in the Topology Map
    • Check Point Inline Layer Support
      Parameter “include_subpolicy” allows support of this mode
    • Additional Data Returned for Check Point Devices
      API responses for “get devices”, “installed_policy” and “parent_id"
    • Filtering Service Group Members
      Optional parameter “show_members” with more information
    • Support for Pagination in USP Exceptions
      Better management of a large number of USP Exceptions
    • Retrieve Domains from SecureTrack
      New “Synchronize Domains” API retrieves all domains from SecureTrack, also synchronizing SecureChange Domains

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Page 3 of 5