R20-2 HF3 Release Notes
Resolved Issues from Previous Releases
Tufin Orchestration Suite (TOS) R20-2 HF3 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.
All Resolved Issues:
- This release
- R20-1 HF5 and below
- R19-3 HF4 and below
- R19-2 HF4 and below
Installing/Upgrading TOS
Tufin Orchestration Suite R20-2 runs on TufinOS 3, and RHEL/CentOS 7. These operating systems offer greater security (more updates and more security fixes), are optimized for newer hardware, and will have extended support (CentOS 7 will continue to have security and major bug fixes until 2024). In addition, TufinOS 3 has been optimized to include only the RPMs and services necessary for the operation of Tufin Orchestration Suite. All unnecessary RPMs and services have been removed to minimize the attack surface of the operating system.
There are three options for installing/upgrading Tufin Orchestration Suite to R20-2 and above:
- Installing Tufin Orchestration Suite on a new network environment (New Installation)
- Upgrading from Tufin Orchestration Suite R19-3 or R20-1 (Assisted Upgrade)
- Upgrading from Tufin Orchestration Suite R20-2 to a later hotfix (Standard Upgrade)
The Assisted Upgrade is different from previous upgrade procedures. Unlike previous versions, upgrading Tufin Orchestration Suite to R20-2 and above requires that you also upgrade your operating system. Installing the required new operating system will erase all existing data from your server. To ensure that your existing data is preserved and transferred during the upgrade, this one-time upgrade procedure will require several additional steps. Subsequent upgrades (Standard Upgrades) to TOS and TufinOS 3 will follow the standard Tufin upgrade process you are already familiar with.
To help you perform the Assisted Upgrade, Tufin developed a structured process, which includes new upgrade tools and detailed instructions.
- Upgrade Planner: Collects TOS environment and setup information, which will be used to guide you to instructions for the specific upgrade procedure that you should follow. For more information, see Upgrade Planner.
- Upgrade Assistant: Walks you through the upgrade process, and automates many of the steps.
To obtain the installation/upgrade files, go to the New Version Support page in the Customer Portal and follow the instructions there.
Always review the Compatibility Notes prior to installing an upgrade. Make sure to read the additional notes in the Release Notes for each version in your upgrade path.
Installing/Upgrading TufinOS
Tufin Orchestration Suite R20-2 requires TufinOS 3.30 and above. We recommend that you install the latest version of TufinOS available.
The latest version of TufinOS available can be downloaded from the Customer Portal:
- In the Download Center in the Customer Portal
- In the New Version Support page, as part of the installation/upgrade files.
Additional Information
- Starting from R20-2, the location of the SecureChange custom scripts is: /opt/tufin/data/securechange/scripts/
- In R20-2, the Apache component was upgraded and its configuration files were modified. The following files in directory /etc/httpd/conf.d will be cleared during TOS upgrades and new installations:
  - autoindex.conf.orig
  - userdir.conf
  - welcome.conf
  - php.conf
  If you are using the Apache component, back up these files before you upgrade to R20-2.
- Starting from R20-2, the Web Server certificate validity will be decreased to 395 days for clean installations.
- You must upgrade the JMS certificates prior to upgrading to this version of TOS. See Upgrading JMS Server Certificates for details.
  The JMS certificate key length is checked during the upgrade: the upgrade process will stop and prompt you to update the JMS certificate if the key length is less than 2048 bits.
- Tufin Orchestration Suite validates user information for many fields in SecureTrack and SecureChange, such as user names and email addresses. If a field contains invalid information, you will not be able to create or modify the field until the invalid information has been corrected. See Input Validation for details.
- Customers who have customized solutions developed by Tufin Professional Services should upgrade the Tufin PS Support package before upgrading from R18-3 or below to R19-1 or above. If you have already upgraded, you should upgrade the Tufin PS scripts package right away:
  - Download the latest Professional Services Setup file (setup_tufin_ps_scripts-5.0.12.run or above) from the Tufin Portal.
  - Install the package on your Tufin Orchestration Suite server:
    sh setup_tufin_ps_scripts-5.0.12.run -w
- Upgrade behavior for existing zones named "Unassociated Networks"
  The predefined Unassociated Networks zone is added to the Zone Manager during upgrade. If you are upgrading from a system that already contains a zone with the name "Unassociated Networks", the existing zones are renamed, as follows:
  - The existing zones named "Unassociated Networks" will be renamed copy_of_Unassociated Networks, copy(2)_of_Unassociated Networks, and so on.
  - For each domain in multidomain/MSSP mode, any existing zone that is named "Unassociated Networks" will also be renamed.
  The existing USP matrices in each domain will be changed to reflect the renamed zones. They will include the name copy_of_Unassociated Networks (and not "Unassociated Networks").
  When you import new matrices after an upgrade, the name of the zone is taken from the CSV without being renamed.
- If you are running a Distributed Deployment architecture, the upgrade transfers the SSL certificate from the Distribution Server to the Central Server. The installation script prompts for the SecureTrack administrator account credentials, so have the credential information available prior to beginning the upgrade.
- If you use CA-signed SSL certificates, you must use the SSLCertificateChainFile directive rather than the SSLCACertificateFile directive. See TufinOS Prerequisites or Non-TufinOS Prerequisites in the Security Essentials section of the Knowledge Center.
- R19-2 was the final supported release of the Tufin Orchestration Suite for the Tufin T500, T1000, and T1000XL appliances. Tufin announced End of Sales for these appliances in December 2013. The successor appliances are the T510, T1100, and T1100XL.
- Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.
- The mechanism for configuring the SecureChange web HTTP session timeout changed in R19-2.
  When upgrading from R19-1 and earlier releases, the prior value configured for the SecureChange web HTTP session timeout (/opt/tufin/securitysuite/conf/tufin_setting.properties > SC_SESSION_TIMEOUT) is discarded, and the new value for session timeout is taken from the OIDCSessionInactivityTimeout setting.
  The SC_SESSION_TIMEOUT value is not automatically copied to OIDCSessionInactivityTimeout when you upgrade Tufin Orchestration Suite. You must manually change the parameter value, as described in Configuring Web HTTP Session Durations.
- To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.
- SecureApp REST API Permissions: When segregated or interconnected multi-domain mode is configured for SecureChange/SecureApp, a user must have both the Create new applications permission and the View all applications permission enabled to use the REST API Customers methods for SecureApp.
- Preserve your SSL certificate and configuration customizations during an upgrade to Tufin Orchestration Suite. See Customizing SSL or Virtual Host Configuration for details. (for R17-3 HF3 and above)
- Prior to upgrading to R17-3 or above, you must fill in the "Administrator DN" field (SecureTrack > Settings > Configuration > External Authentication). After the upgrade has completed, the title of the field will be renamed to "LDAP Bind DN".
- If your TOS deployment uses a Distributed Architecture configuration, you may need to upgrade sTunnel. See sTunnel Patch Installation Instructions in the Customer Portal for details.
- For Check Point R80 devices, when you upgrade from R18-3 and below to R19-1 and above, a new revision is automatically retrieved. After upgrading, Compare Revisions may show changes for all the existing network objects.
  Before you upgrade, make sure you have a recent (no more than 3 months old) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.
- Starting with R19-3, TOS will validate user information for local users and for SecureChange User Groups. For details, see .
- Microsoft Internet Explorer (IE): Release R20-1 (TOS 1) is the last release that supports IE. From release R20-2, Tufin support for IE will reach its "end of life" (EOL). Tufin will support Microsoft Edge version 80.0.x (and above) and will continue to support Chrome version 80.0.x (and above) and Firefox version 73.0.1 (and above).
- If you are upgrading to R19-2 HF1 and your Tufin environment includes Panorama Advanced network objects in a Modify Group ticket, see Secure Change Known Issues from Previous Releases, Installation and Upgrade.
- SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, R20-1 users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for the latest browser versions:
  - Chrome: versions 79 and 80
  - Firefox: version 72
  - Internet Explorer: version 11
  We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts:
- Policy Analysis: For installations (from TOS 19-1 and above), Policy Analysis will be disabled and removed from the SecureTrack menu of the Tufin Orchestration Suite (TOS R19-1).
  From TOS 19-1 and above, many of the Policy Analysis features and capabilities will be available via Policy Browser and via the Interactive Map > SEARCH PATHS queries.
  If required, you may contact Tufin Support to re-enable the SecureTrack Policy Analysis tab.
- EOL Palo Alto Panorama - Basic Mode: From R19-3 until R20-2, support for Panorama devices in Basic firewall management mode is deprecated for new devices. Existing devices will continue to be monitored by SecureTrack.
  In a future release, existing devices will be marked as disabled and will not be able to receive revisions. Provisioning for these devices will fail and a "Device is disabled" error will be displayed. For more information about supported features in each monitoring mode, see the list of SecureTrack Features by Vendor.
  If you are using Panorama devices, we recommend using Advanced mode, which is still supported by Tufin.
- EOL Fortinet FortiManager - Basic Mode: From R19-3 until R20-2, support for Fortinet FortiManager (FMG) devices (up to and including version 5.2) in Basic firewall management mode is deprecated for new devices. Existing devices will continue to be monitored by SecureTrack.
  In a future release, existing devices will be marked as disabled and will not be able to receive revisions. Provisioning for these devices will fail and a "Device is disabled" error will be displayed. For more information about supported features in each monitoring mode, see the list of SecureTrack Features by Vendor.
  If you are using FortiManager devices, we recommend using Advanced mode, which is still supported by Tufin.
- EOL for Cisco PIX firewall devices: Cisco PIX devices reached end-of-service in 2013. Therefore, starting from Tufin Orchestration Suite R20-2, existing Cisco PIX firewalls will continue to be displayed but no new policy revisions will be retrieved.
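
For the Apache note above (the four files in /etc/httpd/conf.d that are cleared during TOS upgrades and new installations), the following shell script is an added example and is not part of the Tufin release notes or Tufin tooling. It backs up those files before the upgrade and lists afterwards which ones were changed or removed; the script name, the function names and the backup directory are assumptions.

```sh
#!/bin/sh
# Added example (not Tufin tooling): preserve the Apache conf.d files that the
# R20-2 upgrade clears. Script name and backup location are assumptions.

# File names exactly as listed in the release note.
CLEARED_FILES="autoindex.conf.orig userdir.conf welcome.conf php.conf"

# backup_httpd_conf CONF_DIR BACKUP_DIR
# Copies each listed file that exists, preserving mode and timestamps.
# Prints the number of files copied.
backup_httpd_conf() {
    conf_dir=$1; backup_dir=$2; copied=0
    mkdir -p "$backup_dir" || return 1
    chmod 700 "$backup_dir"          # keep web server config copies private
    for f in $CLEARED_FILES; do
        if [ -f "$conf_dir/$f" ]; then
            cp -p "$conf_dir/$f" "$backup_dir/$f" || return 1
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# changed_since_backup CONF_DIR BACKUP_DIR
# Prints the name of every backed-up file whose live copy is now missing
# or differs from the backup (for example, was emptied by the upgrade).
changed_since_backup() {
    conf_dir=$1; backup_dir=$2
    for f in $CLEARED_FILES; do
        [ -f "$backup_dir/$f" ] || continue
        if [ ! -f "$conf_dir/$f" ] || ! cmp -s "$conf_dir/$f" "$backup_dir/$f"; then
            echo "$f"
        fi
    done
}

# Usage (hypothetical script name and backup path):
#   sh httpd_conf_backup.sh backup /etc/httpd/conf.d /root/httpd-conf.d.bak
#   sh httpd_conf_backup.sh check  /etc/httpd/conf.d /root/httpd-conf.d.bak
case "${1:-}" in
    backup) backup_httpd_conf "$2" "$3" ;;
    check)  changed_since_backup "$2" "$3" ;;
esac
```

Run the backup step before the upgrade and the check step after it, then merge any customizations you still need back into the new configuration files rather than copying the old files over them.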