What's New in R25-1
Since R23-2, TOS features are enforced on tiered licenses according to solution tier. Examples are topology and some SecureChange workflows that are available only in the SecureChange+ tier, and provisioning that is available only in the Enterprise tier.
Feature | Description | Tags |
---|---|---|
Arista EOS Support | Arista EOS devices are now officially supported in TOS, enabling policy visibility, rule and revision history for change tracking, and extensive topology coverage with technologies like VxLAN, MPLS, and VPN. Additional features include detection of USP violations, IPv4/IPv6 support, simplified device management through Arista's CloudVision Portal, and automation of access requests using tools like auto-target selection, Verifier, and Designer. Monitoring these devices through TOS will enable you to benefit from faster troubleshooting of network issues using the topology map, and allow you to quickly identify and resolve problems while minimizing downtime. You can use Arista's CloudVision Portal for device management in TOS to enhance efficiency and save time by eliminating the need to add EOS devices individually. Additionally, automated changes across Arista devices and NGFWs reduce SLA delays, prevent repeated work, and mitigate risks, ensuring a more secure and efficient network. | arista, device management, visibility, topology, audit, compliance |
Last Hit Information for Check Point objects in rules | Rule Viewer now retrieves information from syslogs to display Last Hit information for objects in Check Point rules. This feature helps users easily identify unused objects in rules, reducing the attack surface and enhancing security. Improved scalability ensures better performance in large Check Point environments, allowing for efficient usage analysis. By automating the identification of unused objects, TOS saves time, streamlines rule management processes, and reduces security risks. | check point, rule viewer, last hit, syslog |
Pause, resume and reset ticket SLA | TOS now allows the amount of time tickets linger while waiting for non-handler users, such as requesters or third parties, to be excluded from the SLA. This ensures that ticket SLA calculations focus solely on the actual time consumed by handler teams. Authorized users can pause an SLA’s progress, which can then be manually resumed by the handler or automatically when the ticket advances to the next step. This feature is particularly relevant when tickets require external input or clarification, as it ensures SLA tracking reflects only the efforts of the responsible teams. | sla, ticket, requester, handler |
SecureChange generic workflow UX enhancements | The enhanced UX for Generic Workflow tickets introduces a modern, user-friendly interface designed to simplify and improve ticket handling. Key features include a new layout for viewing and editing tickets, an intuitive Ticket Properties panel to manage details such as priority, attachments, and expiration dates, and streamlined navigation between workflow steps and dynamic assignment tasks. Users can perform essential actions like assigning, reassigning, or redoing steps, requesting additional information, and editing ticket fields such as text areas, drop-down lists, and URLs, with the option to view fields in read-only mode. With the enhanced UX, users will be able to easily track steps' progress and status, manage ticket properties, and handle dynamic assignment tasks with greater efficiency, which will improve overall productivity. | securechange, ux, generic, ticket |
Designer support for OPM devices in Access Request workflows | Designer can now provide suggestions in the access request workflow for vendors integrated by Professional Services or partners using the OPM framework. Having Designer provide automated suggestions will enable customers to optimize their change request processes, reduce manual effort and SLAs. Designer will also ensure simplified and more readable policies, prevent shadowed and duplicate rules, and boost the return on investment. | designer, opm, securechange, access request |
Designer support for Azure NSGs with ASGs | Designer can now use Network Security Groups (NSGs) with Application Security Groups (ASGs) from Access Requests in change suggestions, further enhancing the ability to automate more changes with increased agility and security. This feature aligns TOS with Azure best practices, simplifies policy management and eliminates the need for manual IP address maintenance, while still maintaining robust security standards. | designer, asg, nsg, azure, access request |
USP violations for Azure NSGs | The TOS USP can identify policy violations for Azure NSGs installed on subnets, helping ensure Azure compliance with security policies. By automatically detecting NSG rules that breach these policies, you can ensure audit readiness and prevent penalties. Additionally, this feature enhances cloud security by facilitating effective network segmentation, reinforcing a secure and well-organized infrastructure. | usp, azure, nsg, violation |
Cleanup of AWS Security Group unused rules | Streamline the identification and removal of unused Security Group (SG) rules across AWS environments using rule analytics, last-hit information in Rule Viewer, and security best practice reports on a scheduled basis. Being able to automatically identify unused objects eliminates the need for manual log analysis, saving time and effort. With this feature, you can safely remove unused rules to enhance your security posture, ensure business continuity, accelerate cleanup projects, and achieve compliance, all while maintaining an efficient and secure environment. | cleanup, aws, object, security group, security |
Visibility & Topology support for NSX-T Gateway Firewalls | TOS now enables customers to manage NSX-T Gateway Firewall policies by offering comprehensive policy visibility, rule and revision history tracking, compliance management through USP violation detection, and network topology support. Using TOS as a centralized solution saves time and reduces complexity by allowing users to view and search policies across hybrid environments. In addition, this new feature enhances security and ensures compliance readiness by automatically identifying rule violations, simplifies troubleshooting with seamless change tracking, and reduces manual effort and mean time to resolution (MTTR) with accurate network topology insights in multi-vendor environments. | nsx-t, gfw, topology, usp, visibility, violation |
Topology and matching rules for Zscaler Internet Access (ZIA) | TOS now displays ZIA devices in the topology map, including GRE/IPSEC VPN tunnel details to organizational locations. In addition, users can use path analysis queries to troubleshoot connectivity issues, showing whether traffic is allowed or blocked by the ZIA firewall’s filtering policy. Users can also troubleshoot issues involving NGFW objects like URL categories and FQDNs. This reduces mean time to resolution (MTTR) and helps minimize downtime. In addition, the ZIA devices can be monitored via proxy servers, allowing secure communications, and enabling you to achieve compliance. | zia, scaler, proxy, topology, compliance |
Last hit information for Zscaler cloud firewall rules and objects | Unused rules and objects in ZIA Advanced Firewall Filtering Policies can now be identified through Rule Viewer, allowing you to leverage last-hit information for rules, source/destination addresses, and the service fields. In addition, users can schedule and generate a Rule Analytics report to identify unused rules and objects based on last-hit data, allowing them to be safely removed, effectively improving your security posture without compromising business continuity. By automating these processes, you can accelerate cleanup projects, eliminate the need for manual log analysis, and maximize the efficiency of existing tools. | zia, rule viewer, last hit, compliance |
Access Request automation for Cisco Meraki | TOS now offers automatic target selection of relevant Cisco Meraki networks based on topology as part of the change request process, along with risk analysis prior to implementing changes in the Meraki firewall policies. The process also includes auto-ticket closure for requests that have already been implemented and automatic change design to enable the requested access. Additionally, Risk Analysis can be automatically performed before changes are implemented in the Meraki firewall policies. These improvements help reduce SLA times, prevent rework, and ensure that changes are risk-free, minimizing the potential for breaches. | meraki, automation, access request, risk analysis |
Comments in revision history | A Comment field has been added to the Revision History view. The field is editable for GCP, Meraki, Arista and other OPM devices. This field enables users to add comments to device revisions as part of the audit process for those devices. For all other devices, the field is read-only. | revision, opm, comment |
TufinMate TOS Extension | TufinMate – Tufin's AI Assistant is now generally available. Capabilities include: TufinMate can be configured using a Management App, which allows administrators to configure the integration with Microsoft Teams and Microsoft Copilot for Security, and manage roles and permissions. TufinMate provides IT and security teams access to a subset of Tufin’s information, which is relevant to their role, allowing them to be more self-sufficient, increase efficiency and reduce the load on network teams. | tufinmate, ai, securechange |
Automatic MZTI for SecureTrack+ | SecureTrack+ customers can now automatically map zones to interfaces based on the network configuration, allowing you to simplify policy management and make USP compliance management easier to adopt. With this mapping you can maintain continuous compliance, improve violation precision, avoid false-positive results, and reduce the time and mistakes that are part of any manual effort. | zone, policy management, usp |
Link redundancy support for Tufin Appliances | Tufin G4 (T800 / T1200) & G4.5 (T820 / T1220) appliances can now connect to two separate switches, ensuring better network redundancy and survivability in the event of a switch failure. This setup allows the TOS to continue operating seamlessly even if one switch fails. By deploying appliances in data centers that adhere to redundancy best practices, this feature enhances system reliability and minimizes the risk of downtime. | appliance, link redundancy, switch |
NSX-T in Azure VMware Solution (AVS) | NSX-T in Azure VMware Solution (AVS) is supported for TOS, enabling you to migrate and extend your on-premises VM environment to Microsoft's platform. With this ability you will be able to embrace the flexibility and scalability offered by the cloud while still maintaining the value derived from TOS Aurora’s unique policy management capabilities. TOS Aurora provides complete feature parity with on-premises VMware NSX-T deployments. | azure cloud deployment devices platforms |
Encrypted Syslogs for Cloud Deployments | Syslogs sent from devices to TOS cloud deployments can now be encrypted with TLS. The encryption can be applied to TCP traffic only. With this feature, you will be able to securely perform real-time monitoring for your devices that support syslog monitoring using TOS. | cloud syslog tls tcp |