Version update

TufinOS 4.60 available

Last Updated: 20 November 2025

Tufin has released TufinOS 4.60, based on the latest versions of Rocky Linux 8.10.
It includes Kernel version 4.18.0-553.74.1.el8_10.x86_64 and 188 updated RPMs. TufinOS now includes 741 RPMs in total.

TufinOS is available for Tufin Appliances Gen 3.5 (T-1100, T1100-XL), Gen 4.0 (T-800, T-1200), as well as Gen 4.5 (T-820, T-1220). 
The supported hypervisor is, as before, VMware.

TufinOS is available in the Download Section of the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin Orchestration Suite 25-2

Last Updated: 20 November 2025

Tufin has officially released TOS R25-2. It's the second and final version of the Tufin Orchestration Suite of 2025. 
TOS R25-2 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R25-2:

Change Monitoring, Automation, and Orchestration

  • SecureTrack
    Legacy reports in SecureTrack now use a 64-bit process, delivering better performance, especially for devices with a large number of rules and objects

  • SecureTrack
    A Rule Optimizer delivers hints on how to tighten the rule base, based on real-time traffic logs, for AWS, Azure NSGs and Zscaler ZIA

  • SecureTrack
    The Topology Map now supports generic policy-based routing (PBR) in the Path Analysis. PBR rules of monitored devices can be defined, edited, monitored and mapped. 

  • SecureChange
    The Rule Recertification Workflow has received some improvements, including a better UI and certification history

  • SecureChange
    The Designer now has a new interface for Access Requests involving changes on OPM devices, Azure NSGs, Azure firewalls, Zscaler ZIA, Huawei, Versa and others

Devices and Platforms

  • TufinOS
    TufinOS is now available as an Amazon Machine Image (AMI) in the AWS Marketplace

  • Azure
    Starting with R25-2 PHF1, Microsoft Azure Subscriptions for a given Tenant can be onboarded very simply, allowing Azure Subscriptions to be managed and monitored easily

  • Azure
    Starting with R25-2 PHF2, Azure VNETs will be imported automatically, enabled for individual subscriptions

  • Azure and OPM devices
    Change automation is possible for access requests involving Azure NSGs and OPM devices

  • AWS
    Management of AWS accounts at organizational level is now possible, also automatically

  • Cisco
    Cisco ACI endpoint security groups (ESGs) are now supported in object and contract comparisons, change tracking, and ESG-based path analysis in the Topology Map

  • Cisco
    For Cisco FMC, TOS now takes AppID and URL category into account, which also improves path analysis

  • Cloud
    Checking compliance with USPs is now also possible for AWS, GCP and Azure network security groups installed on a NIC

  • Palo Alto
    Palo Alto Networks external dynamic lists (PAN EDLs) are now supported, allowing e.g. filtering by IP in the Rule Viewer

  • Zscaler
    Zscaler ZIA is now integrated into SecureChange, allowing automatic Target selection in Access Requests as well as Risk Analysis and the use of Designer and Verifier

Administration

  • Installation 
    When installing TufinOS on VMware ESXi, the disk setup considers the separation of ETCD as part of the configuration workflow

  • Updates
    When installing a patch, it is no longer necessarily the complete package that is installed. Tufin has optimized TOS so that it can also receive (smaller) hotfixes

  • Remote Collector
    From now on, Remote Collectors automatically recover after disaster recovery switchover and restore of the central cluster

Further improvements, as well as corrections, are included in R25-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

 

Tufin Orchestration Suite 25-1

Last Updated: 15 April 2025

Tufin has officially released TOS R25-1. It's the first version of the Tufin Orchestration Suite of 2025. 
TOS R25-1 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R25-1:

Change Monitoring, Automation, and Orchestration

  • SecureTrack
    When looking at the revision history, comments can now be added. This feature is available for GCP, Meraki, Arista and other OPM devices.

  • SecureTrack
    In Cloud environments, syslogs via TCP can now be encrypted with TLS.

  • SecureTrack
    Based on Network Configuration, a mapping of zones to interfaces (MZTI) is now supported. This is useful when working with USPs.

  • SecureChange
    The user experience for "generic workflows" has been improved by introducing a new design and a panel for "Ticket Properties". 

  • SecureChange
    It's possible to automate userID from Network Tickets to Next Generation Firewalls like Panorama and FortiManager

  • SecureChange
    Further improvements in SecureChange SLA make it possible to pause, resume, and reset the SLA of tickets. Non-handler users can be excluded from the SLA, so the time used by handler teams can be calculated more accurately.

  • SecureApp
    Applications may now include connections using LDAP user groups from specified networks.

  • TufinMate
    Tufin's AI Assistant is now generally available. It helps with troubleshooting network issues and with opening Access Request tickets via Microsoft Teams using natural language, and Microsoft Copilot is supported for asking questions about Topology.

Devices and Platforms

  • Arista EOS
    The Linux-based network operating system for Clouds is now officially supported. It's supported for Topology (e.g. VxLAN, MPLS, VPN) for IPv4 as well as IPv6, for USP as well as Change Automation.

  • AWS
    Unused Security Group (SG) rules across AWS environments are now recognized, so rule analytics, last-hit information in Rule Viewer as well as Security Best Practice reports are available.

  • Azure
    Using USPs is now possible for Azure Network Security Groups (NSGs). This might increase the security level of the cloud.

  • Azure
    Azure Network Security Groups (NSGs) with Application Security Groups (ASGs) are now supported by the Designer in Access Request Workflows, so changes can be automated, too.

  • Check Point
    Check Point Last Hit Information is shown in the Rule Viewer for objects in rules. Therefore it's now possible to identify unused objects in rules.

  • Cisco Meraki
    Automatic Target selection in SecureChange is now supported for Cisco Meraki, including USP checks before implementation.

  • OPM
    OPM (Open Policy Management) devices can be integrated into TOS. Designer support for this kind of device has now been added in Access Request Workflows.

  • VMware
    NSX-T Gateway Firewalls can now be integrated into SecureTrack. So the policies and their revisions are visible, shown in Topology, as well as checked against USPs.

  • VMware
    NSX-T in Azure VMware Solution (AVS) is supported. It allows extending the on-premises VM environment to Microsoft Azure.

  • Zscaler Internet Access (ZIA)
    ZIA devices are now supported by SecureTrack. They are shown in SecureTrack Topology (including VPN), and NGFW objects like URL categorization as well as FQDNs are supported.

  • Zscaler Internet Access (ZIA)
    SecureTrack Rule Viewer shows rules and last-hit information. Additionally, reports are possible to identify unused rules and objects.

Tufin Appliances

  • Tufin G4 (T800 / T1200) & G4.5 (T820 / T1220) appliances can be connected to two different switches to provide them with Link Redundancy. 


Further improvements, as well as corrections, are included in R25-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin Orchestration Suite 24-2

Last Updated: 15 October 2024

Tufin has released TOS R24-2, the second version of the Tufin Orchestration Suite of 2024. 
TOS R24-2 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R24-2:

Deployment

  • Upgrade
    The upgrade process has been optimized and is shown in a more transparent way. This increases visibility and helps with troubleshooting during upgrades.

Change Monitoring, Automation, and Orchestration

  • SecureChange
    SLA can be set for tickets. Starting with this version, business hours and non-working days can be considered by configuration.
  • SecureChange
    The page showing the tickets has been improved, especially regarding searching tickets and managing saved queries.

  • SecureTrack
    OPM devices are now better integrated. Supported are, for example, automatic mapping of zones to interfaces, matching rules in the Topology Map, etc. So they are also found by SecureChange as possible installation targets.
  • SecureTrack
    The Topology Map now supports both IPv4 and IPv6 routes, so it can also be used in mixed environments.
  • SecureTrack
    The Device Viewer now includes the feature "Revision History" for all devices. This is especially useful for GCP, Cisco Meraki and OPM devices because they don't have the option for comparing revisions.

Devices and Platforms

  • Azure NSG
    SecureChange Designer now provides suggested changes for access across Azure NSGs and Azure firewall devices. 
  • Azure NSG
    SecureTrack Rule Viewer can interpret the configuration of NSGs, so e.g. "cleanup" as well as "unused objects" can be used.
  • Azure Firewall
    Azure firewalls in a Virtual WAN Secured Hub deployment, when routing is configured in the Azure Hub, are supported. So based on the Topology, USP violations as well as Designer / Verifier are also supported.

  • Cisco
    For Cisco FMC devices, generic NAT is supported, so it can be used in Topology.

  • Fortinet
    UserID Automation for FortiManager is now supported, delivering improved visibility for the LDAP groups that are part of the User Groups and FSSO objects. This includes topology support as well as automation tools of SecureChange.
  • Fortinet
    For path analysis, FQDN objects or DNS can be used.
  • Fortinet
    The support of enhanced VPN across Fortinet devices is improved (Dial-Up/dynamic VPN). The modelling of SD-WAN is improved.

  • Google
    GCP VPC firewalls can be used in Access Request workflows; they are automatically recognized based on information from the Topology. So the Verifier can also be used for these devices.

  • VMware
    NSX-T is supported by the Rule Viewer; last-hit information for NSX-T Distributed firewall rules is now available.
  • VMware
    NSX-T VRFs can be imported as logical routers and be used in Topology.
  • VMware
    IPv6 is now supported for VMware NSX-T in the Interactive Map: Interfaces and Routes. So in SecureChange Designer, Provisioning and Verifier are supported.

 

Further improvements, as well as corrections, are included in R24-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 

Tufin Orchestration Suite 24-1

Last Updated: 20 March 2024

Tufin has released TOS R24-1, the first version of the Tufin Orchestration Suite of 2024. It enforces the "new licensing" as R23-2 started to do. Licensing is enforced following the Solution Tiers. So before an upgrade, be sure that all active devices are licensed, that the license is activated, and that you are not using a temporary license.
TOS R24-1 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R24-1:

Change Monitoring, Automation, and Orchestration

  • SecureTrack
    Some improvements have been integrated into Rule Viewer. They affect e.g. group rules or the increased limit for rule actions.
  • SecureTrack
    The Rule Viewer allows a new TQL operator: "intersect". It locates rules whose SRC or DST intersect with a given IP, subnet, or range.
  • SecureTrack
    Shadowed rules shown in Rule Viewer can now be selected to get further information.
  • SecureTrack
    A USP template for PCI-DSS 4.0 is integrated, making it possible to follow the latest PCI-DSS Standard.
  • SecureTrack
    Regarding USPs, violations of Azure Firewall Rules are now considered.

  • SecureChange
    Searching for tickets has been updated to a new look-and-feel. This affects "free search" as well as "detailed search".
  • SecureChange
    Palo Alto Panorama and ACI integration with DAG-based ACI EPG tags in their Panorama security policies makes it possible to automate changes with SecureChange workflow tools.
  • SecureChange
    Palo Alto rules and access requests whose source includes both UserID (LDAP Groups) and IP addresses are now supported.

  • SecureApp
    A custom validation script is available for SecureApp, making it possible to ensure some important properties, e.g. object names and USP compliance.

Deployment

  • TOS Cluster
    New default alerts are available to check e.g. file system usage and database status. These TOS Cluster Health Alerts offer simpler monitoring. 

Devices and Platforms

  • Azure
    For Azure FW and NSG rules, some enhancements for Cleanup have been published

  • Cisco
    Cisco Meraki can be added to SecureTrack using proxy authentication
  • Cisco
    Besides the on-prem support of Cisco FMC, Cisco Cloud-Delivered FMC is now supported, too

  • Google Cloud
    From this version on, GCP is incorporated into SecureTrack Topology
  • Google Cloud
    GCP projects can be added to SecureTrack using proxy authentication

  • Palo Alto
    Panorama Managed Prisma Access is incorporated into SecureTrack Topology
  • Palo Alto
    Palo Alto Device Groups that manage Palo Alto Cloud NGFW on Azure are now supported
  • Palo Alto
    Palo Alto VM series on GCP is supported, delivering full functionality

API Improvements

  • SecureChange
    The SecureChange Reporting API has been introduced. It allows more granular reporting about tickets and step events

 

Further improvements, as well as corrections, are included in R24-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

Tufin Orchestration Suite 23-2

Last Updated: 24 October 2023

Tufin has released TOS R23-2, the second version of the Tufin Orchestration Suite of 2023.
TOS R23-2 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS Aurora R23-2:

Change Monitoring, Automation, and Orchestration

  • SecureChange (Palo Alto Networks)
    Automation for Panorama URL Categories also allows design and provisioning for URL Categories.

  • SecureChange
    Rules from different devices can be added to a single ticket using the Rule Viewer. This is available for Rule Decommission, Rule Modification, and Rule Recertification tickets.

  • SecureChange
    Extension Apps have been added to the SecureChange menu.

  • SecureChange
    A new page for "My Requests" has been integrated into SecureChange.

  • SecureTrack
    Topology and Automation now support Internet Objects, which can be directly inserted into Devices by Check Point and Forcepoint.

  • SecureCloud
    SecureCloud now displays a risk assessment for assets exposed to the internet based on the data returned from the firewalls monitored by SecureTrack.

  • SecureTrack
    The Rule Viewer now offers the option to view the change history of a rule by the new tab "Rule History".

Deployment

  • License
    In order to monitor license consumption and allow accurate auditing, a mechanism for tracking the license usage is introduced. The licenses of SecureTrack+, SecureChange+, and Enterprise can be sent automatically to Tufin.

  • License
    The License Management in SecureTrack has a new user interface that can be accessed by SecureTrack Super Administrators.

  • Appliances
    New appliances for TOS are available now. They come pre-installed with TufinOS and TOS Aurora. There are two different appliances available: T-820 and T-1220.

  • Operating Systems
    In June 2024, CentOS 7 as well as TufinOS 3 are going to be End-of-Life. TufinOS 4 and Red Hat Enterprise Linux / Rocky Linux 8.6 are the successors. They are available for on-premise installations; cloud deployments require Rocky Linux 8.6.

  • Google Cloud
    Tufin now supports high availability for GCP over three availability zones.

Devices and Platforms

  • AWS
    VMware NSX-T on AWS (VMware cloud) is supported for TOS, providing the same features as with on-prem NSX deployments.

  • Azure
    Network Security Groups (NSG) can be used as targets in SecureChange Access Requests. The verifier is now able to check automatically implemented policies.

  • Azure
    The deployment of TOS in Microsoft Azure is also supported for very large installations. Sizing requires help from Tufin.

  • Check Point
    The management of Check Point devices can be done in the cloud using Check Point Smart-1 Cloud. This is supported by Tufin now.

  • Cisco
    Cisco Viptela is now supported in SecureTrack Topology, including OMP routes as well as SD-WAN interfaces and SD-WAN labels.

  • Cisco
    The Designer can now automatically create rules with custom logging for Cisco ASA devices.

  • Palo Alto Networks
    Tufin is now able to monitor Palo Alto Networks Prisma Access Policies managed by Panorama devices.

GraphQL API

  • Enhancements for SecureTrack
    • A new query returns all changes made in a selected revision that affect a specific rule.
    • A new query returns a list of revisions in a specific time frame that affect a selected rule.

REST API

  • Enhancements for SecureTrack
    • NAT information can be retrieved per revision, not only for the last revision.
    • Dynamic Topology data can be retrieved from a specific device tree. This subset can be refreshed without the need of a Topology "Full Sync".

  • Enhancements for SecureChange
    • URL Category Zones can be set and retrieved for path calculation and target selection.
    • It is possible to run "commit now" for a specific device in a SecureChange ticket for Check Point R8x, FortiManager, and Panorama.

  • Enhancements for SecureApp
    • It is possible to search network objects not only by their name but also by IP address, subnet, and comment.

 

Further improvements, as well as corrections, are included in R23-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

 

 

 

 
