Tufin Orchestration Suite 24-2

Details
Version update
Last Updated: 15 October 2024

Tufin has released TOS R24-2, the second version of the Tufin Orchestration Suite of 2024. 
TOS R24-2 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R24-2:

Deployment

  • Upgrade
    The upgrade process has been optimized and is shown in a more transparent way. This increases visibility and helps troubleshooting during upgrades.

Change Monitoring, Automation, and Orchestration

  • SecureChange
    SLA can be set for tickets. Starting with this version, business hours and non-working days can be considered by configuration.
  • SecureChange
    The ticket list page has been improved, especially for searching tickets and managing saved queries.

  • SecureTrack
    OPM devices are now integrated more closely: automatic mapping of zones to interfaces and matching of rules in the Topology Map are supported, among other things, so SecureChange also finds them as possible installation targets.
  • SecureTrack
    The Topology Map now supports both IPv4 and IPv6 routes, so it can also be used in mixed environments.
  • SecureTrack
    The Device Viewer now includes the "Revision History" feature for all devices. This is especially useful for GCP, Cisco Meraki and OPM devices, which do not offer revision comparison themselves.

Devices and Platforms

  • Azure NSG
    SecureChange Designer now provides suggested changes for access across Azure NSGs and Azure firewall devices. 
  • Azure NSG
    SecureTrack Rule Viewer can interpret the configuration of NSGs, so e.g. "cleanup" as well as "unused objects" can be used.
  • Azure Firewall
    Azure firewalls in a Virtual WAN Secured Hub deployment, with routing configured in the Azure Hub, are supported. Based on the Topology, USP violations as well as Designer / Verifier are therefore supported as well.

  • Cisco
    Generic NAT is supported for Cisco FMC devices, so it can be used in Topology.

  • Fortinet
    UserID Automation for FortiManager is supported now, delivering improved visibility for the LDAP groups that are part of the User Groups and FSSO objects. This includes topology support as well as automation tools of SecureChange.
  • Fortinet
    FQDN objects or DNS can be used for path analysis.
  • Fortinet
    The support of enhanced VPN across Fortinet devices is improved (Dial-Up/dynamic VPN). The modelling of SD-WAN is improved.

  • Google
    GCP VPC firewalls can be used in Access Request workflows; they are automatically recognized based on information from the Topology, so the Verifier can also be used for these devices.

  • VMware
    NSX-T is supported by the Rule Viewer; last-hit information for NSX-T Distributed Firewall rules is now available.
  • VMware
    NSX-T VRFs can be imported as logical routers and be used in Topology.
  • VMware
    IPv6 is now supported for VMware NSX-T in the Interactive Map (interfaces and routes), so Designer, Provisioning and Verifier in SecureChange are supported for it as well.

Further improvements, as well as corrections, are included in R24-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

SSL/TLS ciphers

Details
TufinOS
Last Updated: 11 October 2024

With TufinOS 3.x (based on CentOS), it was possible to check which ciphers are used for SSL and TLS, respectively. After upgrading to TufinOS 4.x (based on Rocky Linux), this is no longer possible.

Tufin Support states that this is "as designed" and "it's secure": 

Tufin routinely carries out security tests for each supported version. If an issue is detected by public commercial tools or with customized penetration testing - it is handled immediately. As far as we can tell, based on tests by Tufin and many of our customers, there are no vulnerable ciphers loaded and available to use in TOS.

Processes using UID 1001

Details
TufinOS
Last Updated: 02 October 2024

Each user on a TufinOS system has a user ID that can be checked in /etc/passwd, e.g.

# cat /etc/passwd | grep tufin-admin
tufin-admin:x:1000:1000::/home/tufin-admin:/bin/bash
#

If a user is added, 1001 may be the ID assigned to this new user.
Checking system activity (e.g. with ps aux) may show this user as quite active, even when not logged in.

The reason for this effect is that TOS runs some of its processes with UID 1001, independently of whether this ID is actually assigned to a user in /etc/passwd or not.
Processes using this ID include e.g. Java, MongoDB and Kafka.

So don't be surprised by a user that is not logged in to the CLI but is using resources: it is not an attack, but TOS working as designed by Tufin.
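As an added example (not part of the post), a small Python check that does what the post describes by hand: it correlates the processes running as a numeric UID with /etc/passwd and flags anything under UID 1001 that is not one of the TOS services named above. The passwd and ps samples are constructed, and the expected service names (java, mongod, kafka) are an assumption.

```python
# Added example (not from tufin.club): correlate the processes running under a
# numeric UID with the account table, so an active but unnamed UID such as 1001
# on TufinOS is recognised as the TOS services the post names rather than an
# unexpected login. Inputs are text as produced by `getent passwd` and
# `ps -eo uid=,comm=`; the samples below are constructed.
from typing import Dict, List, Optional

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
tufin-admin:x:1000:1000::/home/tufin-admin:/bin/bash
"""

SAMPLE_PS = """    0 systemd
 1000 bash
 1001 java
 1001 mongod
 1001 kafka
 1001 python3
"""

# Process names the post attributes to TOS under the shared UID (assumption:
# the binaries are called java, mongod and kafka on the host).
EXPECTED_TOS_COMMANDS = {"java", "mongod", "kafka"}


def uid_to_name(passwd_text: str) -> Dict[int, str]:
    """Map numeric UID -> account name from passwd-formatted lines."""
    names: Dict[int, str] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            names[int(fields[2])] = fields[0]
    return names


def commands_by_uid(ps_text: str) -> Dict[int, List[str]]:
    """Group command names by UID from `ps -eo uid=,comm=` style lines."""
    by_uid: Dict[int, List[str]] = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            by_uid.setdefault(int(parts[0]), []).append(parts[1].strip())
    return by_uid


def audit_uid(uid: int, passwd_text: str, ps_text: str) -> dict:
    """Report who owns the UID, what runs as it, and which processes are unexpected."""
    name: Optional[str] = uid_to_name(passwd_text).get(uid)
    commands = commands_by_uid(ps_text).get(uid, [])
    unexpected = sorted(c for c in commands if c not in EXPECTED_TOS_COMMANDS)
    return {"uid": uid, "name": name, "commands": commands, "unexpected": unexpected}
```

On a TufinOS host, feed `audit_uid` the real output of `getent passwd` and `ps -eo uid=,comm=`; an empty "unexpected" list for UID 1001 is the normal picture the post describes.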

TufinOS 4.x

Details
TufinOS
Last Updated: 03 July 2024

Just a short reminder

As most know, TufinOS 4.x is available and should be deployed. Since July 1st, TufinOS 3.x is no longer supported, since it is based on CentOS 7, which has been deprecated. So for this Linux, no further development or even security patches are available.

There are different ways to upgrade from TufinOS 3.x to TufinOS 4.x. All of them are documented in the Tufin Portal (authentication required):

  • Upgrade of VMWare ESXi
  • Upgrade of Tufin Appliances

Please be aware that a backup is required before upgrading. Additionally, TufinOS 4.x is based on Rocky Linux, so some configuration details differ from TufinOS 3.x.

Designer decision

Details
SecureChange
Last Updated: 27 March 2024

Tufin SecureChange offers results of the Designer for Access Request (AR) workflows, e.g. where to put a new rule, including the definition of objects, comments, etc. The Designer can run in one of two modes.

The base configuration is done via SecureChange > Workflows > [workflow name] > Workflow properties. Please find some remarks about these two options below.

  • Optimize policy for rule reuse
    With this option active (default), the Designer tries to implement the change in an existing rule: e.g. if SRC and DST are the same and only the (new) service is not yet implemented, a change of the existing rule is proposed ("add Service xxx to rule yyy"). This leads to a slimmer rule base, but changes cannot be found easily. So this option is useful for permanent changes and not for test situations.

  • Create new policy rule for each access request
    This option instructs the Designer to create a new rule for each access request, i.e. even if there is a rule with the same SRC and DST, a new rule is proposed that matches the exact Access Request in the ticket. An advantage of this behavior is a good overview of "rules per AR", so e.g. rules for testing can easily be removed. Some characteristics need to be considered when using this mode:
    • Even if an existing rule already allows the required access completely, the Designer recommends creating a new rule for the exact Access Request. This may lead to shadowed and / or redundant rules. When using Check Point, the policy cannot be installed any more because of the verifier results.
    • When using SecureApp, a workflow with this option enabled cannot be selected. In this case, Application Owners need to open the AR directly in SecureChange, without any help from SecureApp.

More information about the Designer can be found in the Tufin Portal (Authentication required).

Tufin Orchestration Suite 24-1

Details
Version update
Last Updated: 20 March 2024

Tufin has released TOS R24-1, the first version of the Tufin Orchestration Suite of 2024. It enforces the "new licensing" that R23-2 started to introduce. Licensing is enforced according to the Solution Tiers. So before upgrading, make sure that all active devices are licensed, the license is activated, and no temporary license is in use.
TOS R24-1 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R24-1:

Change Monitoring, Automation, and Orchestration

  • SecureTrack
    Some improvements have been integrated into the Rule Viewer, affecting e.g. group rules and the increased limit for rule actions.
  • SecureTrack
    The Rule Viewer allows a new TQL operator: "intersect". It locates rules whose SRC or DST intersect with a given IP, subnet, or range.
  • SecureTrack
    Shadowed rules shown in Rule Viewer can now be selected to get further information.
  • SecureTrack
    A USP template for PCI-DSS 4.0 is integrated, allowing you to follow the latest PCI-DSS standard.
  • SecureTrack
    Regarding USPs, violations of Azure Firewall rules are now considered.

  • SecureChange
    Searching for tickets has been updated to a new look-and-feel. This affects "free search" as well as "detailed search".
  • SecureChange
    Palo Alto Panorama and ACI integration with DAG-based ACI EPG tags in Panorama security policies allows changes to be automated with the SecureChange workflow tools.
  • SecureChange
    Palo Alto rules and access requests whose source includes both UserID (LDAP Groups) and IP addresses are supported now.

  • SecureApp
    A custom validation script is available for SecureApp, allowing important properties such as object names or USP compliance to be enforced.
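
To make the semantics of the new "intersect" TQL operator described above concrete, here is an added Python model (not Tufin's TQL implementation) that matches rules whose SRC or DST overlap a query IP, subnet or range in either direction, run against a constructed rule set.

```python
# Added example, not Tufin's TQL implementation: a model of the "intersect"
# semantics (rules whose SRC or DST share at least one address with the query).
# A rule matches whether the query lies inside the network, the network lies
# inside the query, or the two only partially overlap; that is what separates
# intersect from an exact-match or contains-style search.
import ipaddress
from typing import Dict, Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample rules (assumed shape: name plus SRC/DST lists of CIDRs).
SAMPLE_RULES: List[Dict] = [
    {"name": "r1", "src": ["10.1.0.0/16"], "dst": ["192.168.5.10/32"]},
    {"name": "r2", "src": ["172.16.0.0/12"], "dst": ["10.1.20.0/24"]},
    {"name": "r3", "src": ["0.0.0.0/0"], "dst": ["10.9.9.9/32"]},
    {"name": "r4", "src": ["10.2.0.0/16"], "dst": ["10.3.0.0/16"]},
]


def parse_query(text: str) -> List[Net]:
    """Accept a single IP, a CIDR subnet, or a 'start-end' range."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text.strip(), strict=False)]


def intersects(net: Net, query: Net) -> bool:
    """True if the two networks share at least one address (either direction)."""
    return net.version == query.version and net.overlaps(query)


def rules_intersecting(rules: Iterable[Dict], query_text: str,
                       fields: Iterable[str] = ("src", "dst")) -> List[str]:
    """Names of rules whose SRC or DST intersect the query, in rule order."""
    query = parse_query(query_text)
    hits: List[str] = []
    for rule in rules:
        nets = [ipaddress.ip_network(n, strict=False)
                for f in fields for n in rule.get(f, [])]
        if any(intersects(n, q) for n in nets for q in query):
            hits.append(rule["name"])
    return hits
```

Note that a rule with an "any" source like r3 intersects every query, so such hits are expected background rather than a finding when reviewing results.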

Deployment

  • TOS Cluster
    New default alerts are available to check e.g. file system usage and database status. These TOS Cluster Health Alerts offer simpler monitoring.

Devices and Platforms

  • Azure
    For Azure Firewall and NSG rules, some enhancements for Cleanup have been published.

  • Cisco
    Cisco Meraki can be added to SecureTrack using proxy authentication.
  • Cisco
    Besides on-prem Cisco FMC, Cisco Cloud-Delivered FMC is now supported, too.

  • Google Cloud
    From this version on, GCP is incorporated into the SecureTrack Topology.
  • Google Cloud
    GCP projects can be added to SecureTrack using proxy authentication.

  • Palo Alto
    Panorama Managed Prisma Access is incorporated into the SecureTrack Topology.
  • Palo Alto
    Palo Alto Device Groups that manage Palo Alto Cloud NGFW on Azure are now supported.
  • Palo Alto
    Palo Alto VM-Series on GCP is supported, delivering full functionality.

API Improvements

  • SecureChange
    The SecureChange Reporting API has been introduced. It allows more granular reporting about tickets and step events.

Further improvements, as well as corrections, are included in R24-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com