Important Installation Information

If you monitor Check Point or Fortinet devices, upgrade only to R23-1 PHF2.1.0 or later, because of a bug in the upgrade process of the earlier R23-1 releases.

Download and Integrity Checks

Downloads

  1. Download the TOS R23-1 installation package for the hotfix you want to install from the Download Center (R23-1 PHF3.2.0 is the latest listed below).

  2. The download is a compressed archive named <FILENAME>.tgz. Before installing, verify that its sha256 matches the value listed for that file name below. The sha1sum is listed for reference only; SHA-1 collisions are practical, so do not treat a matching sha1sum on its own as proof that the archive is intact.

R23-1 PHF3.2.0

  Run file name  tos_23-1-phf3.2.0-final-16838.run.tgz
  sha256         df38fb97dcc7f705bdee651ed2b4792a2240573117d90c6ebf9a38d94cf81bb2
  sha1sum        fe30aa609eaffaea67c79a200eddc021a8e335af

R23-1 PHF3.1.0

  Run file name  tos_23-1-phf3.1.0-final-16547.run.tgz
  sha256         b30a77796a2f2a28fcd7c854fd5fa7dd263fc966de0ceae5af30b7cc2dfe73e8
  sha1sum        51f13156ac25ff76b3f2099fb7474898b743b72b

R23-1 PHF3.0.0

  Run file name  tos_23-1-phf3.0.0-final-15661.run.tgz
  sha256         cdce2c9b48abd873967a088a87ecbc95bd6efb5cc3d070abe44ef055ac255249
  sha1sum        8a3c2d54c66dd494fc32e5244572a8b9e45b6b6c

R23-1 PHF2.1.0

  Run file name  tos_23-1-phf2.1.0-final-14841.run.tgz
  sha256         a19e25e1fe5586b286cfe5741602cf03d014dbbef4b50578aefe61fab1344798
  sha1sum        bd5b798007634252d75b0aa9637c3f0a8f4b3062

R23-1 PHF2.0.0

  Run file name  tos_23-1-phf2.0.0-final-14167.run.tgz
  sha256         1ea0c1464a1d82f618a5dfee2a244df910eca0c9ce26b76a3b8d08fa2a5e7baa
  sha1sum        6bcb57dab22fa2e6ae9296f3a9de92d728e34e73

R23-1 PHF1.2.0

  Run file name  tos_23-1-phf1.2.0-final-13930.run.tgz
  sha256         8cc16e7455c7d3b60fb136c26fb2f4cb44b6aaad72b726caacfdbb142f0acddb
  sha1sum        22f9c222c14313eefff8715fd56923ae38bd9df6
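The following script checks a downloaded archive against the published sha256 values before it is run. It is an added example, not part of Tufin's documentation or tooling: the digest table is copied from the list above, while the script name, the lookup-by-file-name logic and the fallback to shasum on hosts without sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not Tufin's code): verify a downloaded TOS R23-1 package
# against the sha256 published in the release notes before installing it.
# Only sha256 is checked; a matching sha1sum alone is not evidence of an
# untampered archive because SHA-1 collisions are practical.

# Known-good digests copied from the release notes (file name, sha256).
KNOWN_SHA256='
tos_23-1-phf3.2.0-final-16838.run.tgz df38fb97dcc7f705bdee651ed2b4792a2240573117d90c6ebf9a38d94cf81bb2
tos_23-1-phf3.1.0-final-16547.run.tgz b30a77796a2f2a28fcd7c854fd5fa7dd263fc966de0ceae5af30b7cc2dfe73e8
tos_23-1-phf3.0.0-final-15661.run.tgz cdce2c9b48abd873967a088a87ecbc95bd6efb5cc3d070abe44ef055ac255249
tos_23-1-phf2.1.0-final-14841.run.tgz a19e25e1fe5586b286cfe5741602cf03d014dbbef4b50578aefe61fab1344798
tos_23-1-phf2.0.0-final-14167.run.tgz 1ea0c1464a1d82f618a5dfee2a244df910eca0c9ce26b76a3b8d08fa2a5e7baa
tos_23-1-phf1.2.0-final-13930.run.tgz 8cc16e7455c7d3b60fb136c26fb2f4cb44b6aaad72b726caacfdbb142f0acddb
'

# sha256_of FILE -> prints the lowercase hex digest, using sha256sum where
# available and falling back to shasum (assumed present on the host otherwise).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> returns 0 if the digest matches
# (case-insensitive on the expected value), 1 otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# expected_sha256 FILENAME -> prints the published digest, or nothing if the
# file name is not in the table.
expected_sha256() {
    printf '%s\n' "$KNOWN_SHA256" | awk -v n="$1" '$1 == n {print $2}'
}

# verify_tos_package PATH -> looks the base name up in the table and verifies
# the file; an unknown file name is treated as a failure, not a pass.
verify_tos_package() {
    name=$(basename "$1")
    expected=$(expected_sha256 "$name")
    if [ -z "$expected" ]; then
        echo "no published digest for $name; do not install it" >&2
        return 1
    fi
    verify_sha256 "$1" "$expected"
}

# Usage: sh verify_tos.sh /path/to/tos_23-1-phf3.2.0-final-16838.run.tgz
if [ $# -gt 0 ]; then
    verify_tos_package "$1"
fi
```

Run it against the archive exactly as downloaded, before extracting or executing it, and treat a file name missing from the table the same as a mismatch: the table is the only source of truth the release notes give you.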

Before Installing or Upgrading

  • From R22-2 PHF2.0.0, usage of the /opt partition must not exceed 70% of its capacity; TOS does not function properly above that threshold. Check and free space before you start the upgrade.

  • From R22-2, we improved several backup components. Backups will take longer to complete, but will be compressed and more reliable.

  • After upgrading to R23-1 PRC1.0.0, you must regenerate the client certificates for every OPM device connected to TOS.

  • When installing or upgrading to R23-1, all SNMP inbound queries (such as walk, get and getNext) are disabled by default.

    To enable SNMP v2 walk and get queries after the installation or upgrade, run the following CLI command on the initial data node as a user with root privileges:

    tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower

  • If you have FortiManager devices in SecureTrack, after upgrading you must add a SAN-signed certificate to each device.

  • If you are upgrading from R21-3 or R21-2, the legacy license enforcement for management devices (such as Panorama and FortiManager) is more accurate after the upgrade: the license status of a management device is determined from the accumulated license statuses of the firewalls it manages. As a result, if at least one managed firewall has the license status Expired or Unlicensed, the management device is also reported as Expired or Unlicensed.

    To resolve this, you can:

    • Ensure that a valid license is attached to all managed firewalls.

    • Disable the unlicensed firewalls.

    • Remove the unlicensed firewalls from SecureTrack monitoring.

    This does not apply to Check Point management devices.
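A pre-upgrade check for the /opt usage limit above, as an added example that is not Tufin's own tooling. It parses the output of df -P so that the same function can be exercised on captured output; the 70% limit comes from the release notes, while the script name and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example (not Tufin's code): confirm /opt is at or below the 70% usage
# limit the release notes require from R22-2 PHF2.0.0 before upgrading.

OPT_MAX_PCT=70

# usage_pct_from_df DF_OUTPUT -> prints the Use% (digits only) from the last
# data line of `df -P` output, whose columns are:
#   Filesystem 1024-blocks Used Available Capacity Mounted on
usage_pct_from_df() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { pct = $5 } END { sub(/%/, "", pct); print pct }'
}

# check_opt_usage [DF_OUTPUT] -> 0 if /opt usage <= OPT_MAX_PCT, 1 if it is
# above the limit, 2 if the output could not be parsed. Pass captured df
# output for testing; with no argument it runs `df -P /opt` on this host.
check_opt_usage() {
    out=${1:-$(df -P /opt 2>/dev/null)}
    pct=$(usage_pct_from_df "$out")
    case $pct in
        ''|*[!0-9]*) echo "could not read /opt usage from df output" >&2; return 2 ;;
    esac
    if [ "$pct" -le "$OPT_MAX_PCT" ]; then
        echo "OK   /opt is at ${pct}% (limit ${OPT_MAX_PCT}%)"
        return 0
    fi
    echo "FAIL /opt is at ${pct}%, above the ${OPT_MAX_PCT}% limit; free space before upgrading" >&2
    return 1
}

# Usage: sh check_opt.sh --run
if [ "${1:-}" = "--run" ]; then
    check_opt_usage
fi
```

Run it on every TOS node before starting the upgrade; a non-zero exit is a reason to stop and reclaim space on /opt first.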

Additional Information

  • Starting from R23-1 PHF1.0.0, ICMP is treated as both a service and an application when you create or edit the security policy of a USP zone. To differentiate between the two:

    • ICMP = application

    • icmp-proto = service

    The same applies when defining a specific service, for example: icmp-proto 8.

    As a result, when importing older USP CSV files into R23-1 PHF1.0.0 and later, ICMP is interpreted as an application, not a service. For ICMP to be treated as a service, change it to icmp-proto in the file before importing.

  • Starting from R22-2 PHF2.0.0, the Tufin Marketplace has been renamed Tufin extensions.

  • Starting from R22-1 PHF2.0.0, for Cisco ASA devices, Designer creates groups using a timestamp as the suffix of the group name, in order to prevent unnecessary ticket dependencies. For example:

    • NetworkGroup_1657713531

    If you want to change back to the previous naming convention, in stconf set the Designer_ASA_Index_Group_Name flag to True.

    For more information, see Changing The Naming Convention of Cisco ASA Group Names Created by Designer.

  • SecureChange verifies during ticket handling that devices are suitably licensed for both SecureChange and Provisioning. Unlicensed devices may cause unplanned interruptions when performing SecureChange operations, so we strongly recommend checking that all devices used in the system are fully licensed before upgrading.

    To review the status of all your licenses, see Viewing License Status.

    For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange.

    For more information about licensing, contact your Tufin partner or email us at [email protected].

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • For Check Point R80 devices, a new revision is retrieved automatically when you upgrade, so Compare Revisions may show changes for all existing network objects.

    Before you upgrade, make sure that a recent Check Point Jumbo Hotfix (released within the last three months) is installed on your device. See the relevant Check Point Support Center article for how to verify which Jumbo Hotfix version is installed.

  • SAML login authentication and Google Chrome browsers: Google recently changed its SameSite cookie policy to enhance browser security. As a result, users cannot log in to SecureTrack with SAML authentication from older browsers. SAML authentication is supported only from the following browser versions onwards:

    • Chrome: versions 79 and 80

    • Firefox: version 72

    We strongly recommend upgrading browsers to at least these versions. For more information on the SameSite cookie policy change, see the following posts: