Tufin.club

Tufin Orchestration Suite 22-2

Details
Version update
Last Updated: 20 May 2023

Tufin has released TOS R22-2, the second version of the Tufin Orchestration Suite of 2022.
TOS R22-2 is available as GA and can be downloaded from the Tufin Portal (login required).
Since Tufin's support for TOS Classic ends within the next weeks, this version is available for TOS Aurora only. Some improvements of TOS Aurora R22-2:

Change Automation and Orchestration

  • SecureChange
    The Designer results now include not only the recommendations for rules but also the Access Request.

  • SecureChange
    If an auto-step with provisioning failed due to ticket dependencies, the Designer had to be run again before the auto-step could be retried. Now the Designer can be run within this provisioning auto-step so that the latest changes are taken into account.

  • SecureChange
    IPv6 addresses can now be used in automation, e.g. target selection, Designer, and Verifier. This is possible when Check Point R8x or FortiManager is used.

  • SecureChange
    In Rule Decommission workflows, Designer and Provisioning can now be split into separate (manual or automatic) steps.

  • SecureChange
    The Rule Decommission workflow now allows steps to be assigned dynamically by a script, e.g. if the criteria for the assignment are too complex.

  • SecureChange
    If SecureChange is configured in "Interconnected Domains" mode, Risk Analysis is now possible in Access Requests even if IP addresses overlap between different Domains. For this, a flag needs to be set in SecureTrack.

  • SecureChange (Palo Alto Panorama)
    The Designer can be customized to automatically add access to either the pre- or post-sections on Panorama devices per device group or globally.

  • SecureChange (Palo Alto Panorama)
    The Designer can be customized to create new rules with a custom log forwarding profile automatically.

  • SecureChange (Palo Alto Panorama, FortiManager)
    The Designer can now be customized to automatically create new rules with custom security profile groups. Such a custom security profile group is available for different Panorama device groups or FortiManager Administrative Domains.

  • SecureChange (Cisco ASA)
    The Designer can now create network and service objects automatically instead of adding them inline to rules and groups. This is possible for the Access Request workflow and the Clone Network Object workflow.

  • SecureChange
    Access Requests now allow using User Identity (i.e. adding an LDAP group as Source) independently of the Topology Mode (on or off).

Devices and Platforms

  • Microsoft Azure
    The Azure Firewall Policy Network and Application Rules are now fully integrated into the Rule Viewer.

  • Microsoft Azure
    The Topology now shows matching rules when running a path analysis on the Map.

  • Microsoft Azure
    Azure Load Balancers are now integrated into and supported by the Topology.

  • Fortinet
    Support of Fortinet SD-WAN for Topology and Policy Visibility.

  • Fortinet
    IPsec VPNs configured on FortiGate devices that are managed by a FortiManager are now modeled in the Topology.

  • Forcepoint
    The Stonesoft rules are now shown in Rule Viewer.

  • New version support: Tufin TOS now supports
    • Check Point R81.20
    • Cisco IOS-XE 17.7.1, IOS-XR 7.5.1, IOS 15.9.3M4
    • F5 BIG-IP v16.1.2
    • Forcepoint Stonesoft SMC - 6.10.7
    • Fortinet FortiManager 7.2
    • Juniper SRX 22.1R1

Security, Risk, and Compliance

  • SecureTrack
    Shadowing Rules are integrated and displayed in Rule Viewer, making the review of rule bases easier.

Deployment and Monitoring

  • Backup of Tufin Orchestration Suite
    • Backup files can now be stored directly on external S3 storage services. The following storage providers are supported: AWS S3 Storage, AWS Blob Storage, Google Storage, and Minio S3-compatible storage.
    • The expiration dates of backups can now be modified, so backup files can be kept for a longer time.

  • TOS Aurora can be clustered for disaster recovery, i.e. TOS can run on two different sites that use the same S3-compatible external cloud storage service for backup files. If the first cluster fails, the standby cluster can be switched to active; TOS is then restored from the latest backup file.

  • RADIUS Authentication and Authorization can now be configured to run automatically on SecureTrack, so there is no longer a need to define and manage each SecureTrack user manually. A Vendor Specific Attribute (VSA) is used to implement this.

Help and Training

  • The "Help function" has been extended and now includes a direct link to Tufin training videos on YouTube.

  • The TOS version is now also displayed in the SecureChange Help menu.

REST API

  • SecureTrack
    The Rule Information now includes the Palo Alto Panorama UUID.
  • SecureChange
    The API call "GET Domains" now also returns the Domain Description, which allows distinguishing between domains.
  • SecureChange
    Script Triggers for Workflow events (get, create, update) can also be used for Marketplace Apps now.
  • SecureChange
    The priority of a ticket can now be updated using a script.
  • SecureChange
    If steps are "self-assigned" to groups, a list of users shows the potential handlers (candidates). This information can now be used in scripts.
  • SecureChange
    When using GET to retrieve information about users/IDs, the user name is now returned as well.

If you are using SecureTrack reports, please find a list of deprecated reports that are removed with R22-2 here.

Further improvements, as well as corrections, are included in R22-2.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

TufinOS 3.100 available

Details
TufinOS
Last Updated: 01 December 2022

In November 2022 Tufin released TufinOS 3.100.
This version is now available for download in the Tufin Portal (authentication required). The download link offers an update package as well as a package for a clean install.

  • Hardening is improved with this version:
    • The user "root" is locked by default in new installations for TOS Aurora. It can be unlocked by setting a password after the installation is complete.
    • The root password can now be reset by pressing "e" during system start. Details about resetting the root password can be found in the Tufin Knowledge Center.
    • Approved MAC algorithms are configured according to item 5.2.11 of the CIS CentOS Linux 7 Benchmark.
      If TOS Classic is still used, the ciphers need to be updated in /etc/ssh/sshd_config.
  • RPMs are updated and are now based on CentOS 7.9 (18.10.2022)
  • The kernel has been updated to version 3.10.0-1160.76.1.el7.x86_64
  • The RPM fio has been added for storage I/O performance checks
  • For TOS Aurora, the WireGuard driver has been updated to version 1.0.20220627
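An added example (not Tufin's code and not a TufinOS check) showing how to audit the sshd_config MAC setting that the hardening item above refers to. It parses the file the way sshd does (the first occurrence of a keyword wins, and Match blocks apply only to matching sessions) and reports any algorithm that is not on the approved list. The approved list is the one given in the CIS CentOS Linux 7 Benchmark remediation for this item; treat that as an assumption to verify against the benchmark edition you audit to. The two sshd_config excerpts are constructed.

```python
import re

# MAC list from the CIS CentOS Linux 7 Benchmark remediation for item 5.2.11.
# Assumption: copied from the benchmark's remediation text; check the edition
# you are auditing against before relying on it.
APPROVED_MACS = {
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512",
    "hmac-sha2-256",
}

# Constructed excerpt: a TOS Classic host whose MACs line was never cleaned up.
WEAK_CONFIG = """\
Port 22
Protocol 2
# legacy list kept for an old monitoring tool
MACs hmac-sha2-256,hmac-sha1,hmac-md5,umac-64@openssh.com
Match User backup
    MACs hmac-sha2-512
"""

# Constructed excerpt: the same host after applying the benchmark remediation.
HARDENED_CONFIG = """\
Port 22
Protocol 2
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
"""


def configured_macs(config_text):
    """Return the MAC list that applies to the global scope, or None if the
    file sets none. sshd uses the *first* value of a keyword, so a later
    duplicate does not override an earlier weak one; everything after a Match
    line is skipped because it applies only to the matching sessions."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key.lower() == "macs":
            return [m.strip() for m in value.split(",") if m.strip()]
    return None


def audit_macs(config_text):
    """Compare the effective MACs against APPROVED_MACS."""
    macs = configured_macs(config_text)
    if macs is None:
        # No MACs directive means the OpenSSH defaults apply; on CentOS 7 these
        # include algorithms the benchmark rejects, so report non-compliance.
        return {"compliant": False, "weak": [], "missing_directive": True}
    weak = [m for m in macs if m not in APPROVED_MACS]
    return {"compliant": not weak, "weak": weak, "missing_directive": False}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_macs(cfg))
```

The same function can be run over the output of `sshd -T`, which prints the effective value as a lowercase `macs` line, to audit the running daemon instead of the file on disk.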

Some updates included in this version affect TufinOS Classic only:

  • PHP has been updated to version 7.4.32-1.el7
  • PostgreSQL 11 has been updated to 11.17-1PGDG.rhel7

Network Requirements for TOS Aurora

Details
TOS Aurora
Last Updated: 26 November 2022

The Tufin Orchestration Suite (TOS) Aurora is no longer a "simple installation based on Linux" but a Kubernetes cluster. Therefore, some network requirements regarding IP addresses need to be considered. Before upgrading to or installing TOS Aurora, the following IP addresses need to be reserved:

  • A dedicated IP address for each physical server (central server, worker node)
    This address is also used to access the CLI of each system
  • A VIP that is used for accessing the WebUI of SecureTrack/SecureChange/SecureApp
  • If Syslog messages are to be received, an additional VIP is necessary

All of these IP addresses need to be on the same network (or the system needs more than one active interface).

Besides this, additional networks need to be reserved for TOS Aurora.

  • A 16-bit (/16) CIDR network dedicated to the Kubernetes pod network. By default it is 10.244.0.0/16.
    If another network is needed, please contact Tufin Support.
  • A 24-bit (/24) CIDR network dedicated to TOS Aurora for the Kubernetes service network. This must not overlap with the pod network.

These networks need to be outside the ranges described in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
They must not overlap with the addresses of the networks listed above. Additionally, they must not overlap with any subnet communicating with TOS Aurora or its nodes.
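As an added example (not part of the article and not Tufin's tooling), the following Python script checks a planned TOS Aurora address plan against the constraints listed above: one address per node plus the VIPs, all on a common management network; a /16 pod network and a /24 service network; the two Kubernetes networks disjoint from each other and from the management network; and no overlap with the subnets that communicate with TOS Aurora. The plan and the peer subnet list are constructed values; only the pod network default 10.244.0.0/16 comes from the article.

```python
import ipaddress

# Constructed address plan for a small TOS Aurora cluster (central server plus
# two worker nodes). All values are illustrative assumptions except the pod
# network default 10.244.0.0/16, which the article names.
PLAN = {
    "management_network": "192.0.2.0/24",
    "nodes": {"central": "192.0.2.10", "worker1": "192.0.2.11", "worker2": "192.0.2.12"},
    "vips": {"webui": "192.0.2.20", "syslog": "192.0.2.21"},
    "pod_network": "10.244.0.0/16",
    "service_network": "10.245.0.0/24",
}

# Constructed list of subnets that talk to TOS Aurora (managed firewalls,
# admin workstations, syslog senders). The second one deliberately collides
# with the pod network so the check is seen firing.
PEER_SUBNETS = {
    "firewall-mgmt": "10.1.0.0/16",
    "branch-site": "10.244.8.0/22",
}


def validate_plan(plan, peer_subnets):
    """Return a list of human-readable problems; an empty list means the plan
    satisfies the constraints described in the article."""
    problems = []
    mgmt = ipaddress.ip_network(plan["management_network"])
    pods = ipaddress.ip_network(plan["pod_network"])
    svcs = ipaddress.ip_network(plan["service_network"])

    # Reserved host addresses: one per physical node plus the WebUI VIP and
    # (if syslog is received) the syslog VIP. All must sit on the management
    # network and be distinct.
    addresses = {**plan["nodes"], **plan["vips"]}
    seen = {}
    for name, addr in addresses.items():
        ip = ipaddress.ip_address(addr)
        if ip not in mgmt:
            problems.append(f"{name} ({addr}) is not on management network {mgmt}")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} share the address {addr}")
        seen[ip] = name

    # Prefix sizes: /16 for pods, /24 for services.
    if pods.prefixlen != 16:
        problems.append(f"pod network {pods} is not a /16")
    if svcs.prefixlen != 24:
        problems.append(f"service network {svcs} is not a /24")

    # The two Kubernetes networks must be disjoint from each other, from the
    # management network and from every subnet that communicates with TOS.
    if pods.overlaps(svcs):
        problems.append(f"pod network {pods} overlaps service network {svcs}")
    others = {"management": mgmt}
    others.update({n: ipaddress.ip_network(s) for n, s in peer_subnets.items()})
    for k8s_name, k8s_net in (("pod", pods), ("service", svcs)):
        for other_name, other_net in others.items():
            if k8s_net.overlaps(other_net):
                problems.append(
                    f"{k8s_name} network {k8s_net} overlaps {other_name} subnet {other_net}"
                )
    return problems


if __name__ == "__main__":
    for line in validate_plan(PLAN, PEER_SUBNETS) or ["address plan OK"]:
        print(line)
```

Run it with the real node addresses and a complete list of the subnets that will communicate with the cluster before the installation or upgrade; a non-empty result means the plan needs to change first (or, if the pod network itself must move, that Tufin Support should be contacted, as the article says).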

Further details can be found in the Knowledge Center run by Tufin.

Options for Decommissioning

Details
Basics
Last Updated: 15 September 2022

Tufin SecureChange offers several options for decommissioning. It is not always clear what is meant by the different workflow types, so here is a brief description.

Access Request

In an Access Request workflow, new access "from - to" can be requested if the action is "accept".
The other option, "remove", allows decommissioning access "from - to".

In the example shown above, the access from 10.1.1.0/24 to 10.2.2.0/24 using the protocol https is no longer needed. Because it is an Access Request ticket, many IP addresses can be used here, and more than one Access Request can be defined within one ticket. The requester does not need to care which firewalls are involved and which firewall rules are affected, so the removal of "access" might affect many firewalls and rules.

Rule Decommission

A ticket for a Rule Decommission workflow always starts in Tufin SecureTrack, not in SecureChange. The ticket is opened for a specific rule configured on one firewall device; this must not be confused with an Access Request.
Please consider the configuration requirements, e.g. the SecureTrack user needs to be authorized to open such a ticket in SecureChange.
First, the rule is selected in the Rule Viewer.

Clicking the button on the right side opens a menu where the option "Decommission rule" can be selected. The next step is to provide a subject for the ticket and select the workflow. A new ticket is then created in SecureChange, where the request can be checked and submitted.

Decommission of network objects

A third option for decommissioning is a Decommission Network Object workflow. This kind of workflow removes network objects from rules and groups, so after the ticket is closed, the selected object is no longer in use.
Hint: If an object to be removed is "last in cell", SecureChange Designer recommends removing the whole rule. This is because when the "last in cell" object is removed, the usual firewall configuration replaces the lost object with "any" by default.

The network, server, or address range needs to be provided manually.
Note that the object is not removed from the firewall management. It is still there, but unused.

Tufin Orchestration Suite 22-1

Details
Version update
Last Updated: 14 July 2022

Tufin has released TOS R22-1, the first version of the Tufin Orchestration Suite of 2022.
TOS R22-1 is available as GA and can be downloaded from the Tufin Portal (login required).

Please be aware that R22-1 is available for TOS Aurora only (!).
TOS Classic is supported until the end of 2022, but only with release TOS R21-3.

R22-1 delivers some improvements, e.g.:

Change Automation and Orchestration

  • SecureApp
    Full support of Tufin SecureApp in TOS Aurora, as it was supported in TOS Classic.

  • Check Point Inline Layers
    Starting with this version, SecureChange supports Check Point Inline Layers for Access Requests. This support includes the ability to add, edit and delete Inline Layer rules in Access Request Workflows.

  • Palo Alto Panorama Application Automation
    It is now possible to enter applications in Path Analysis of SecureTrack or in Access Requests of SecureChange without being bound to default ports.

Devices and Platforms

  • Microsoft Azure
    Microsoft Azure firewalls are now supported. The support includes visibility of rule collections, NAT, network/application rules, and more. Changes are documented in SecureTrack as they are for other firewall vendors. The integration also includes the Topology Map.

  • Check Point / Fortinet
    For these vendors, Wildcard objects are now supported for policy view and policy comparison, so searching in Rule Viewer might be easier, too. Besides SecureTrack, SecureChange also supports Wildcard objects in workflows, e.g. Access Request, Server Decommission, or Server Clone.

  • Tufin API
    Cisco routers can now be added and/or edited using an API.

  • Juniper MX
    The Rule Viewer can now be used for Juniper MX, as can USP violations.

Security, Risk, and Compliance

  • Using a Vault Server
    Administrators have the option to store access credentials using a CyberArk vault server. This is possible for selected devices (Fortinet FortiManager, Palo Alto Panorama, Check Point (SmartCenter, CMA, MDS), Cisco ASA, and Juniper SRX). After establishing a connection between SecureTrack and the vault server, any access to the device (e.g. revision retrieval, dynamic topology, provisioning) is authenticated using this connection.

  • Rule Viewer
    The search capabilities of the SecureTrack Rule Viewer allow very complex queries. It is possible to save and reuse Rule Viewer queries now.

  • New Dashboard Widgets
    New widgets have been introduced for Cleanup Candidates and Rules with Violations. They allow looking at trends regarding these topics.

Deployment and Monitoring

  • Single Sign-On for TOS
    It has taken a long, long time, but now Single Sign-On (SSO) is possible for SecureTrack and SecureChange. A user can log in to SecureTrack and is also authenticated for SecureChange (if the user is allowed to log in to both systems). This option is available for LDAP, RADIUS, TACACS+, SAML, and local authentication. Using SAML LDAP allows two-factor authentication.

  • TOS Monitoring using SNMP
    It is possible to use SNMPv3 for TOS Monitoring. SNMPv3 Traps are supported as well as SNMPv3 Walk/Get.

  • TOS Monitoring improved
    Monitoring now allows checking the database status as well as the deployment status (HA mode only).

  • High Availability for TOS Aurora
    TOS Aurora now supports High Availability mode, i.e. machines can be configured to work as an HA cluster to improve availability.

GraphQL API (get further information about this API here)

  • SecureTrack
    Rule Queries can be saved and reused. Administrators can publish them to all users. The SecureTrack API offers new options now: Create a new query, Edit a query, Delete a query, and Change the query owner.

  • SecureTrack
    Trends for Cleanup Candidates and Rules with Violations can be requested using the SecureTrack API. It is possible to consider the type of metric, the time span, and the domains that are queried.

  • SecureTrack
    A search for Network Objects is possible. Network Objects can be any group that is defined by a device in an environment. This can include host machines, VMs, or ranges of IP addresses. They can be filtered by name, type, vendor, and state.

REST API

  • SecureTrack
    For Cisco devices, the Device bulk API can be used. Enhanced POST is possible for adding new Cisco routers (IOS and IOS XE), Cisco XR, and Nexus devices.

  • SecureTrack
    SecureApp Applications can be mapped to Rules in Rule Viewer. So it is possible to e.g. get all SecureApp applications that are mapped to a specific rule.

  • SecureChange
    Using the API, it is possible to perform actions on ticket attachments: creating a ticket with an attachment, adding attachments to an existing ticket, and downloading or removing attachments from a specific ticket.

  • SecureChange
    Customized script triggers based on SecureChange workflow trigger events can be used.

Further improvements, as well as corrections, are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Deprecated Reports and Devices

Details
TOS Aurora
Last Updated: 14 July 2022

TOS Classic has reached its last version, R21-3. This platform is supported with hotfixes until the end of 2022. If needed, extended support is available; in this case, contact your reseller and/or your local Tufin sales representative.

TOS Aurora is the only platform for which improvements are developed. Therefore, some changes regarding devices and reports are announced or implemented; in most cases there is a successor in TOS Aurora. The changes concern supported devices and reports.

Reports

Tufin SecureTrack still includes some standard reports, e.g. "Rule and Object usage". Besides this, the free app SecureTrack Reporting Essentials is available in the Tufin Marketplace. Some of the reports are going to be removed or replaced.

  • Policy Analysis Report
    Based on Policy Analysis Queries, regular reports can be triggered. The queries are carried out at the configured times, leading to a Policy Analysis Report.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: Rule Viewer

  • Security Risk Report
    Risks, as defined in NIST 800-53, can be configured in SecureTrack. Reports can be generated per device showing potential risks.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, Reporting Essentials

  • Risk Charts
    Risks, as defined in NIST 800-53, can be configured in SecureTrack. The result of such a Risk Analysis is shown as Risk Charts, overall or per device.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: Widget in USP Viewer

  • Compliance Policies
    For a very long time, custom compliance policies could be defined and the configuration monitored accordingly.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, USP Alerts Manager, USP Exceptions

  • Regulations Audit Browser
    Regulations are defined in SecureTrack, e.g. PCI DSS or SOX. The monitored configuration is shown using the Regulations Audit Browser, which also shows fulfillment of the regulations or details about violations.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, Reporting Essentials

  • Rule Documentation Report
    Reports about rule metadata can be produced with this kind of report. These per-device reports cover e.g. expired rules, their business owner, or ticket ID.
    No longer available in new installations: R21-3
    Removed from all installations: R22-2
    Substitute / Follow up: USP, Rule Viewer

  • Expired Rules Report
    Many vendors offer a time limit for rules; after the given date, the corresponding rule is disabled automatically. Reports point out expired rules or rules that will expire within a configurable time frame.
    No longer available in new installations: R22-1
    Removed from all installations: R22-2
    Substitute / Follow up: Rule Viewer

Devices and features

Support for some devices and features is going to be removed in TOS Aurora. This affects e.g.:

  • Check Point Firewall OS Monitoring
    No new configuration in R22-1 and above, but still available for installations using this feature (no longer in the price list)
  • Fortinet FortiManager in Basic Mode
    No new devices starting with R19-3, no revisions in R22-1 and above
  • Palo Alto Networks Panorama in Basic Mode
    No new devices starting with R19-3, no revisions in R22-1 and above
  • Palo Alto Panorama Version 8 and earlier
    No longer supported in R22-1 and above
