Tufin.club

Using Extensions in Rocky Linux

Details
Basics
Last Updated: 01 September 2025

Usually, the Tufin Orchestration Suite (TOS) is installed on TufinOS. In virtualized environments, TufinOS requires VMware ESXi as its basis.
Some companies no longer use VMware and are switching to Proxmox. This environment is not supported by TufinOS, so Rocky Linux has to be installed as the OS for TOS. This combination is supported by Tufin.

In Rocky Linux, the sudo environment is not set up as it is when installing TufinOS. This becomes a problem when a Tufin Extension such as Rule Lifecycle Management (RLM) is installed.
The routine installing the Extension reports errors like "kubectl - command not found" or "tos - command not found", even though TOS is installed and working correctly, i.e. these commands work when run at the command line as root.

The reason for this behavior: the use of "sudo" is hardcoded in the Extension scripts. If sudo is not configured, the script fails.

If the installation is done at the console with root permissions, editing the Extension might help.
Open the Extension using e.g. vi / vim and remove all "sudo" references in commands. So if there is the command
   "sudo kubectl"
replace it with a plain "kubectl". Doing the same for "sudo tos" and saving the file allows an installation without this kind of error.
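Added example, not code from the page or from Tufin: a small POSIX shell helper that performs the edit described above mechanically. It rewrites only "sudo kubectl" and "sudo tos" (keeping a backup copy of the script) so that any other sudo call in the Extension is left untouched, and a second function reports whether any such references remain. The script path is an assumption; run it as root on a copy of the Extension script.

```shell
#!/bin/sh
# Added example (not from the page): strip the hard-coded "sudo" prefix from
# kubectl/tos calls in a Tufin Extension installer script before running it as root.

# Rewrite "sudo kubectl ..." -> "kubectl ..." and "sudo tos ..." -> "tos ...".
# The surrounding character classes make sure only whole words are matched,
# so e.g. "sudo kubectl" inside quotes is handled but "sudo tosx" is not.
# A backup copy <script>.bak is kept next to the original.
strip_sudo() {
  script="$1"
  cp "$script" "$script.bak"
  sed -E 's/(^|[^[:alnum:]_])sudo[[:space:]]+(kubectl|tos)([^[:alnum:]_]|$)/\1\2\3/g' \
      "$script.bak" > "$script"
}

# Print the number of "sudo kubectl" / "sudo tos" references still present
# (0 means the script is ready to be run as root without sudo).
remaining_sudo() {
  grep -cE 'sudo[[:space:]]+(kubectl|tos)([^[:alnum:]_]|$)' "$1"
}

# Usage: ./strip_sudo.sh /path/to/extension-install.sh   (path is an assumption)
if [ "${1:-}" != "" ]; then
  strip_sudo "$1"
  echo "remaining sudo kubectl/tos references: $(remaining_sudo "$1")"
fi
```

The backup copy lets you diff the result before running the installer, which is the check worth doing here: only the two command prefixes the page names should differ.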


Domains in Tufin Orchestration Suite

Details
Basics
Last Updated: 01 September 2025

The Tufin Orchestration Suite (TOS) provides the option to use a multi-domain management in SecureTrack as well as in SecureChange. This is useful e.g. when there are several companies or parts of a big enterprise using the same TOS instance. Some hints about it below. 

SecureTrack

Introducing domains in SecureTrack is quite easy. In SecureTrack, go to the menu "Monitoring - Domains" to define one or more domains. After this, managed devices can be assigned to different domains. Users as well as administrators can be restricted to see only the domains they are allowed to.

Hints: 

  • Domains can be changed later, as well as the membership of a device. 
  • Users / Administrators might get their permissions per domain. 
  • Users cannot see the Map / Topology in multi-domain mode, even if they have the permission to view all devices in all domains (!)
    If this is needed, the multi-domain mode needs to be switched back to single-domain mode:
    • Remove all devices from any domain, except default domain
    • Go to https://<securetrackVIP>/stcgitest.htm
    • Fetch the configuration using the link "Configuration - EditStConf - Fetch Current Conf"
    • Change the parameter <is_mssp>1</is_mssp> to <is_mssp>0</is_mssp>
    • Save the change by pressing "Submit New Conf" at the bottom of the page

SecureChange

If you have configured domains in SecureTrack, there is an option to use them in SecureChange, too. There are two options for domains in SecureChange that can be configured via the menu "Settings - Multi Domains". Please read the text below before clicking an option (!)

  • Segregated domains
    Users are restricted to see only devices of the domain(s) as configured in SecureTrack. In SecureChange there are additional restrictions: Ticket Handlers have to be in the same domain as the Requester who created the ticket, and only targets and objects of this domain can be seen. Additionally, Target Suggestion, Designer, and Verifier can analyze access requests only within this domain.
  • Interconnected domains
    The restrictions shown above do not apply, so Target Suggestion, Designer, and Verifier can analyze access requests across domains
    (same as the default "none"). In this configuration, the "Clone Network Object Policy Workflow" is not supported.

When considering configuring domains in SecureChange, please be aware that this selection cannot be changed afterwards (!)


Tufin License Usage Reports

Details
Admin Management
Last Updated: 14 September 2025

Since a few versions ago, licensing in the Tufin Orchestration Suite (TOS) and its enforcement have been a bit more flexible than in earlier times.

If e.g. 20 devices had been licensed some time ago, adding another device resulted in problems. Now it's more flexible and you can add a few more devices than you have licensed. This results in the need for "license usage reports", so that Tufin can find out the number of licenses in use.

Working with versions up to 24-2, these reports are required but not really enforced. The license is shown in SecureTrack via Menu > Admin > Administrator > Licenses. At the bottom of the License Management screen, the License Usage section is shown.

If the option "Send automatic usage reports" is turned on and the system has Internet access, everything is fine. If it's not turned on or the system is not connected to the Internet, a manual download of the usage report is recommended. The resulting JSON file is then uploaded to the Tufin Portal.

Starting with 25-1, the license usage reports are enforced. The License Usage screen shown above has changed accordingly.

It's now necessary to upload the license usage report to the Tufin Portal and to obtain the confirmation code that is sent by e-mail after the upload. After entering the code from the e-mail in TOS, a message is displayed that the license usage has been verified.

If Tufin's current guidelines are not followed, i.e. no Site Usage Monitoring information is supplied, the following restrictions apply to TOS:

  • Not providing Reports for 6 Months:
    There is no possibility to upgrade TOS

  • Not providing Reports for 12 Months: 
    No further use of TOS is possible, even if a valid subscription has been purchased

So the flexibility regarding licenses now requires a mandatory upload of License Usage Reports to the Tufin Portal. It's done there via My Account > Available Licenses > Manual Usage Upload, or, if TOS is connected to the Internet, via the automatic upload process.


Tufin Orchestration Suite 25-1

Details
Version update
Last Updated: 15 April 2025

Tufin has officially released TOS R25-1. It's the first version of the Tufin Orchestration Suite of 2025. 
TOS R25-1 is available as GA and can be downloaded from the Tufin Portal (authentication required).
Some improvements of TOS R25-1:

Change Monitoring, Automation, and Orchestration

  • SecureTrack
    When looking at the revision history, comments can be added now. This feature is available for GCP, Meraki, Arista and other OPM devices.

  • SecureTrack
    In Cloud environments, syslog via TCP can now be encrypted with TLS.

  • SecureTrack
    Based on Network Configuration, a mapping of zones to interfaces (MZTI) is supported now. This is useful when working with USPs. 

  • SecureChange
    The user experience for "generic workflows" has been improved by introducing a new design and a panel for "Ticket Properties". 

  • SecureChange
    It's possible to automate userID from Network Tickets to Next Generation Firewalls like Panorama and FortiManager.

  • SecureChange
    Further improvements in SecureChange SLA allow pausing, resuming, and resetting the SLA of tickets. Non-handler users can be excluded from the SLA, so the time used by handler teams can be calculated more accurately.

  • SecureApp
    Applications may now include connections using LDAP user groups from specified networks.

  • TufinMate
    Tufin's AI Assistant is now generally available. It supports troubleshooting network issues and opening Access Request tickets via Microsoft Teams using natural language, and Microsoft Copilot is supported for questions about Topology.

Devices and Platforms

  • Arista EOS
    The Linux-based network operating system for Clouds is officially supported now. It's supported for Topology (e.g. VxLAN, MPLS, VPN) for IPv4 as well as IPv6, for USP as well as Change Automation.

  • AWS
    Unused Security Group (SG) rules across AWS environments are recognized now, so rule analytics, last-hit information in Rule Viewer as well as Security Best Practice reports are available. 

  • Azure
    Using USPs is possible for Azure Network Security Groups (NSGs) now. This might increase the security level of the cloud.

  • Azure
    Azure Network Security Groups (NSGs) with Application Security Groups (ASGs) are supported by the Designer in Access Request Workflows now. So changes can be automated, too. 

  • Check Point
    Check Point Last Hit Information is shown in the Rule Viewer for objects in rules. Therefore it's now possible to identify unused objects in rules.

  • Cisco Meraki
    Automatic Target selection in SecureChange is supported now for Cisco Meraki, including USP checks before implementation. 

  • OPM
    OPM (Open Policy Management) devices can be integrated into TOS. Now, Designer support for this kind of device has been added in Access Request Workflows.

  • VMware
    NSX-T Gateway Firewalls can now be integrated into SecureTrack. So the policies and their revisions are visible, shown in Topology, and checked against USPs.

  • VMware
    NSX-T in Azure VMware Solution (AVS) is supported. It allows extending the on-premises VM environment to Microsoft Azure.

  • Zscaler Internet Access (ZIA)
    ZIA devices are supported by SecureTrack now. They are shown in SecureTrack Topology (including VPN) and NGFW objects like URL categorization as well as FQDNs are supported. 

  • Zscaler Internet Access (ZIA)
    SecureTrack Rule Viewer shows rules and last-hit information. Additionally, reports are possible to identify unused rules and objects.

Tufin Appliances

  • Tufin G4 (T800 / T1200) & G4.5 (T820 / T1220) appliances can be connected to two different switches to provide them with Link Redundancy. 


Further improvements, as well as corrections, are included in R25-1.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com


Backup status "IMPAIRED"

Details
Admin Management
Last Updated: 14 September 2025

There are various status messages when backing up the Tufin Orchestration Suite. One of them is
     IMPAIRED
If a backup is in this status, it's no longer possible to continue working with that backup.

The reason for this status is a component in the Kubernetes cluster that was not working correctly when the backup was created.

To solve the problem, all backups with this status should first be deleted. Then ensure that the TOS cluster is in a good state: no problems should be reported when running the "tos status" command. After that, the backup will work as desired again.


TOS status: "checker failure"

Details
Admin Management
Last Updated: 14 September 2025

The message "checker failure" might occur when checking the status of the Tufin Orchestration Suite. 

In Tufin's knowledge base, this message is listed as a "known bug" that is fixed in R24-1 PHF4.1.0 and R24-2 PHF1.0.0, respectively. If you cannot upgrade or still get the message, this procedure might help:

  • As root, find the pod responsible for this message using the command
    # kubectl get pods -owide | grep node-exporter
    tos-prometheus-node-exporter-zddqg                    2/2     Running     0 …

  • Check this pod, e.g. whether it's running (can be skipped)
    # kubectl describe pod tos-prometheus-node-exporter-zddqg
    ...
  • Restarting the pod returns the status to normal
    # kubectl delete pod tos-prometheus-node-exporter-zddqg

You can check the status of this pod using the first command shown above. Allow the pod about two minutes to start (and to show an "ok" status). Running "tos status" before that will still report "checker failure" because the pod is not yet running properly.
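As an added example (not code from the page or from Tufin), the steps above wrapped in a bash script: it locates the node-exporter pod in the "kubectl get pods" listing, deletes it, and then polls for about two minutes until the replacement pod reports Running with all containers ready, so that "tos status" is only re-run once the pod is healthy. The two listing parsers are plain awk so they can be exercised on a captured listing; that the pod comes back on its own after deletion is taken from the restart step above.

```shell
#!/bin/bash
# Added example (not from the page): restart the node-exporter pod behind the
# "checker failure" message and wait until it is healthy before checking "tos status".

# Print the name of the first node-exporter pod found in a
# "kubectl get pods -o wide" listing read from stdin.
node_exporter_pod() {
  awk '$1 ~ /node-exporter/ { print $1; exit }'
}

# Exit 0 if the named pod's READY column is n/n and its STATUS is Running,
# otherwise exit 1. Reads the listing from stdin.
pod_is_healthy() {
  awk -v name="$1" '
    $1 == name { split($2, r, "/"); if (r[1] == r[2] && $3 == "Running") ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Delete the node-exporter pod and poll (24 x 5 s, about two minutes, as the
# page advises) until the recreated pod is Running and ready.
restart_node_exporter() {
  pod=$(kubectl get pods -o wide | node_exporter_pod)
  if [ -z "$pod" ]; then
    echo "no node-exporter pod found" >&2
    return 1
  fi
  kubectl describe pod "$pod" | head -n 20    # optional inspection step
  kubectl delete pod "$pod"
  for _ in $(seq 1 24); do
    sleep 5
    new=$(kubectl get pods -o wide | node_exporter_pod)
    if [ -n "$new" ] && kubectl get pods -o wide | pod_is_healthy "$new"; then
      echo "pod $new is Running and ready; now run: tos status"
      return 0
    fi
  done
  echo "node-exporter pod did not become ready within two minutes" >&2
  return 1
}

# Usage: ./restart-node-exporter.sh --run   (script name is an assumption)
if [ "${1:-}" = "--run" ]; then
  restart_node_exporter
fi
```

The readiness check is the part worth keeping even if you prefer to type the kubectl commands by hand: a pod that is listed but still ContainerCreating or 1/2 ready is exactly the window in which "tos status" keeps reporting "checker failure".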

