R19-3 HF4 Release Notes
Resolved Issues from Previous Releases
Tufin Orchestration Suite (TOS) R19-3 HF4 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.
All Resolved Issues:
- This release
- R19-2 HF4 and below
- R19-1 HF3 and below
- R18-3 HF3 and below
Upgrading Tufin Orchestration Suite
You can upgrade to Tufin Orchestration Suite (TOS) R19-3 from R18-3, R19-1, or R19-2. To upgrade from a version earlier than these, first upgrade to R18-3, R19-1, or R19-2 and then upgrade to TOS R19-3. Make sure to read the additional notes in the Release Notes for each version upgrade. Review the Compatibility Notes for the TufinOS 2.x version required for this release.
If your current system includes PostgreSQL 9.4 or below, you must upgrade to PostgreSQL 11.x before upgrading the Tufin Orchestration Suite.
See the Tufin Orchestration Suite build number history.
The complete Tufin Orchestration Suite documentation can be found in the Tufin Knowledge Center.
Upgrading TufinOS
- Installing TOS for the first time on a server running a clean install of TufinOS 2.15 or above requires TOS R18-1 or above.
- Upgrading or installing on a server after you have upgraded the server to TufinOS 2.15 or above requires one of the following TOS versions:
  - TOS R17-3 GA or above
  - TOS R17-2 HF2.2 or above
  - TOS R17-1 HF4.1 or above
  - TOS R16-4 HF5.1 or above
- If you are running TOS R16-3 or below, you must first upgrade TOS to the desired version using the latest hotfix available, and then upgrade TufinOS.
Additional Information
- You must upgrade the JMS certificates prior to upgrading to this version of TOS. See Upgrading JMS Server Certificates for details.
  The JMS certificate key length is checked during the upgrade: the upgrade process will stop and prompt you to update the JMS certificate if the key length is less than 2048 bits.
- Starting with Tufin Orchestration Suite R19-2, SecureChange will verify that devices are suitably licensed for both SecureChange and Provisioning during ticket handling.
  We strongly recommend checking that all devices used in the system are fully licensed prior to upgrading, as unlicensed devices may cause unplanned interruptions when performing SecureChange operations.
  To review the status of all your licenses, see Viewing License Status.
  For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange.
  For more information about licensing, contact your Tufin partner or email us at [email protected].
- Customers who have customized solutions developed by Tufin Professional Services should upgrade the Tufin PS Support package before upgrading from R18-3 or below to R19-1 or above. If you have already upgraded, you should upgrade the Tufin PS scripts package right away:
  - Download the latest Professional Services Setup file (setup_tufin_ps_scripts-5.0.12.run or above) from the Tufin Portal.
  - Install the package on your Tufin Orchestration Suite server:
    sh setup_tufin_ps_scripts-5.0.12.run -w
- Upgrade behavior for existing zones named "Unassociated Networks"
  The predefined Unassociated Networks zone is added to the Zone Manager during upgrade. If you are upgrading from a system that already contains a zone with the name "Unassociated Networks", the existing zones are renamed, as follows:
  - The existing zones named "Unassociated Networks" will be renamed copy_of_Unassociated Networks, copy(2)_of_Unassociated Networks, and so on.
  - For each domain in multidomain/MSSP mode, any existing zone that is named "Unassociated Networks" will also be renamed.
  The existing USP matrices in each domain will be changed to reflect the renamed zones. They will include the name copy_of_Unassociated Networks (and not "Unassociated Networks").
  When you import new matrices after an upgrade, the name of the zone is taken from the CSV without being renamed.
- If you are running a Distributed Deployment architecture, the upgrade transfers the SSL certificate from the Distribution Server to the Central Server. The installation script prompts for the SecureTrack administrator account credentials, so have the credential information available prior to beginning the upgrade.
- If you use CA-signed SSL certificates, you must use the SSLCertificateChainFile directive rather than the SSLCACertificateFile directive. See TufinOS Prerequisites or Non-TufinOS Prerequisites in the Security Essentials section of the Knowledge Center.
- R19-2 was the final supported release of the Tufin Orchestration Suite for the Tufin T500, T1000, and T1000XL appliances. Tufin announced End of Sales for these appliances in December 2013. The successor appliances are the T510, T1100, and T1100XL.
- Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.
- The mechanism for configuring the SecureChange web HTTP session timeout changed in R19-2.
  When upgrading from R19-1 and earlier releases, the prior value configured for the SecureChange web HTTP session timeout (/opt/tufin/securitysuite/conf/tufin_setting.properties > SC_SESSION_TIMEOUT) is discarded, and the new value for session timeout is taken from the OIDCSessionInactivityTimeout setting.
  The SC_SESSION_TIMEOUT value is not automatically copied to OIDCSessionInactivityTimeout when you upgrade Tufin Orchestration Suite. You must manually change the parameter value, as described in Configuring Web HTTP Session Durations.
- To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.
- Preserve your SSL certificate and configuration customizations during an upgrade to Tufin Orchestration Suite. See Customizing SSL or Virtual Host Configuration for details. (for R17-3 HF3 and above)
- Prior to upgrading to R17-3 or above, you must fill in the "Administrator DN" field (SecureTrack > Settings > Configuration > External Authentication). After the upgrade has completed, the field will be renamed to "LDAP Bind DN".
- If your TOS deployment uses a Distributed Architecture configuration, you may need to upgrade sTunnel. See sTunnel Patch Installation Instructions in the Customer Portal for details.
- For Check Point R80 devices, when you upgrade from R18-3 and below to R19-1 and above, a new revision is automatically retrieved. After upgrading, Compare Revisions may show changes for all the existing network objects.
  Before you upgrade, make sure you have a recent (≤ 3 months old) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.
- Starting with R19-3, TOS will validate user information for local users and for SecureChange User Groups. For details, see User Field Validation.
- Microsoft Internet Explorer (IE): Release R20-1 (TOS 1) will be the last release that supports IE. From release R20-2, Tufin support for IE will reach its "end of life" (EOL) and Tufin will start supporting Microsoft Edge 80.0.x and above.
- If you are upgrading to R19-2 HF1 and your Tufin environment includes Panorama Advanced network objects in a Modify Group ticket, see Secure Change Known Issues from Previous Releases, Installation and Upgrade,
- Policy Analysis: For installations of TOS 19-1 and above, Policy Analysis will be disabled and removed from the SecureTrack menu of the Tufin Orchestration Suite (TOS R19-1).
  From TOS 19-1 and above, many of the Policy Analysis features and capabilities will be available via Policy Browser and via the Interactive Map > SEARCH PATHS queries.
  If required, you may contact Tufin Support to re-enable the SecureTrack Policy Analysis tab.
- Palo Alto Panorama - Basic Mode: In 2019, Palo Alto announced that online updates for Palo Alto Panorama software versions (up to and including version 7.1) will no longer be available. From R19-3, support for Panorama devices in Basic firewall management mode is deprecated for new devices. If you are upgrading to R19-3, the existing Panorama devices in Basic mode will continue to be monitored in SecureTrack. For more information about supported features in each monitoring mode, see the list of SecureTrack Features by Vendor.
- Fortinet FortiManager - Basic Mode: From R19-3, support for Fortinet FortiManager (FMG) devices (up to and including version 5.2) in Basic firewall management mode is deprecated for new devices. If you are upgrading to R19-3, the existing FortiManager devices in Basic mode will continue to be monitored in SecureTrack. For more information about supported features in each monitoring mode, see the list of SecureTrack Features by Vendor.
- EOL for Cisco PIX firewall devices: Cisco PIX devices reached end-of-service in 2013. Therefore, starting from Tufin Orchestration Suite R20-2, existing Cisco PIX firewalls will continue to be displayed but no new policy revisions will be retrieved.
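
The SecureChange session timeout note above states that the SC_SESSION_TIMEOUT value is discarded on upgrade from R19-1 and earlier and must be carried over by hand. As an added example (not Tufin's code), this POSIX shell script records the current value before the upgrade; the function names get_property and report_session_timeout and the TUFIN_SETTINGS variable are assumptions, while the file path and key name are taken from the note.

```shell
#!/bin/sh
# Added example (not Tufin code). The file path and key name come from the
# release note; function and variable names are illustrative.
TUFIN_SETTINGS="${TUFIN_SETTINGS:-/opt/tufin/securitysuite/conf/tufin_setting.properties}"

# get_property FILE KEY
# Print the effective value of KEY from a Java-style properties file:
#   - lines starting with '#' or '!' are comments
#   - key and value are separated by '=' or ':' with optional whitespace
#   - if a key is repeated, the last occurrence wins
# Returns non-zero if the file is unreadable or the key is absent.
get_property() {
    file=$1
    key=$2
    [ -r "$file" ] || return 1
    awk -v key="$key" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/\r$/, "", line)            # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)
            pos = match(line, /[ \t]*[=:][ \t]*/)
            if (pos == 0) next
            if (substr(line, 1, pos - 1) != key) next
            val = substr(line, pos + RLENGTH)
            sub(/[ \t]+$/, "", val)
            found = 1
        }
        END { if (!found) exit 1; print val }
    ' "$file"
}

# report_session_timeout [FILE]
# Print the value an administrator must carry over by hand. The release note
# does not give units for either setting, so the value is reported unconverted.
report_session_timeout() {
    file=${1:-$TUFIN_SETTINGS}
    if value=$(get_property "$file" SC_SESSION_TIMEOUT); then
        printf 'SC_SESSION_TIMEOUT=%s (discarded on upgrade; set OIDCSessionInactivityTimeout manually)\n' "$value"
    else
        printf 'SC_SESSION_TIMEOUT not found in %s\n' "$file"
        return 1
    fi
}
```

Source the file on the server and run `report_session_timeout` before starting the upgrade, then confirm the units in Configuring Web HTTP Session Durations before entering the new value.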