R21-1 HF4.1 Release Notes

Resolved Issues from Previous Releases

Tufin Orchestration Suite (TOS) R21-1 HF4.1 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.

All Resolved Issues

  • This release

  • R20-2 HF3 and below

  • R20-1 HF5 and below

  • R19-3 HF4 and below

Installing/Upgrading TOS

If the upgrade fails with the following error message:

We have detected that custom configuration changes were made to TOS. To prevent the changes from being overwritten, the upgrade will not continue.
Detected Configuration Changes:
2021-12-16_15-19-07: CVE-2021-44228 V1

Contact Tufin support for assistance with upgrading your system.

This means that someone in your organization has implemented the manual mitigation for CVE-2021-44228 on the server. This upgrade also includes a fix for this CVE. To allow this upgrade to continue, you must remove the above log entry as follows:

  1. Run the following commands:

    /opt/tufin/securitysuite/scripts/local_change.sh list
    /opt/tufin/securitysuite/scripts/local_change.sh delete <timestamp>

    where <timestamp> is the date and time shown in the error message, for example: 2021-12-16_15-19-07

  2. Run the upgrade again.
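The step above removes a local-change entry that blocks the upgrade, so it pays to confirm that the only entry listed really is the Log4j mitigation before deleting anything. The following helper is an added example, not part of Tufin's tooling: it parses the error text quoted above (a constructed copy is embedded) and prints a local_change.sh delete command only when every detected change is a CVE-2021-44228 entry; any other custom change is reported and nothing is emitted.

```shell
#!/bin/sh
# Added example (not Tufin tooling): parse the upgrade error's
# "Detected Configuration Changes:" block and emit a local_change.sh delete
# command for each CVE-2021-44228 mitigation entry. If any other custom change
# is listed, nothing is emitted and the function returns 1, so unrelated
# customizations are never deleted on the strength of this error alone.
LOCAL_CHANGE=/opt/tufin/securitysuite/scripts/local_change.sh

cve_delete_commands() {   # $1: file holding the captured error text
  awk -v cmd="$LOCAL_CHANGE" '
    /^Detected Configuration Changes:/ { inblock = 1; next }
    # Entry lines look like "2021-12-16_15-19-07: CVE-2021-44228 V1"
    inblock && /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9][0-9]-[0-9][0-9]-[0-9][0-9]: / {
      ts = $1; sub(/:$/, "", ts)
      if ($0 ~ /CVE-2021-44228/) cmds = cmds cmd " delete " ts "\n"
      else { print "refusing: unrelated change listed: " $0 > "/dev/stderr"; unrelated++ }
      next
    }
    inblock { inblock = 0 }   # first non-entry line ends the block
    END { if (unrelated) exit 1; printf "%s", cmds }
  ' "$1"
}

# Constructed sample of the error message shown in the release notes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
We have detected that custom configuration changes were made to TOS. To prevent the changes from being overwritten, the upgrade will not continue.
Detected Configuration Changes:
2021-12-16_15-19-07: CVE-2021-44228 V1

Contact Tufin support for assistance with upgrading your system.
EOF
cve_delete_commands "$SAMPLE"   # prints the delete command to run before retrying the upgrade
rm -f "$SAMPLE"
```

Save the captured error into a file and pass it as the argument; run the printed command only after reviewing it.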

Tufin Orchestration Suite R21-1 runs on TufinOS 3 and RHEL/CentOS 7. These operating systems offer greater security (more updates and more security fixes), are optimized for newer hardware, and will have extended support (CentOS 7 will continue to receive security and major bug fixes until 2024). In addition, TufinOS 3 has been optimized to include only the RPMs and services necessary for the operation of Tufin Orchestration Suite. All unnecessary RPMs and services have been removed to minimize the attack surface of the operating system.

There are three options for installing/upgrading Tufin Orchestration Suite to R21-1 and above:

  • Installing Tufin Orchestration Suite on a new network environment (New Installation)

  • Upgrading from Tufin Orchestration Suite R19-3 or R20-1 (Assisted Upgrade)

  • Upgrading from Tufin Orchestration Suite R20-2 (Standard Upgrade)

The Assisted Upgrade is different from previous upgrade procedures. Unlike previous versions, upgrading Tufin Orchestration Suite to R21-1 and above requires that you also upgrade your operating system. Installing the required new operating system will erase all existing data from your server. To ensure that your existing data is preserved and transferred during the upgrade, this one-time upgrade procedure will require several additional steps. Subsequent upgrades (Standard Upgrades) to TOS and TufinOS 3 will follow the standard Tufin upgrade process you are already familiar with.

To help you perform the Assisted Upgrade, Tufin developed a structured process, which includes new upgrade tools and detailed instructions.

  • Upgrade Planner: Collects TOS environment and setup information, which will be used to guide you to instructions for the specific upgrade procedure that you should follow. For more information, see Upgrade Planner.

  • Upgrade Assistant: Walks you through the upgrade process, and automates many of the steps.

To upgrade from earlier versions of TOS, first upgrade to R19-3 or R20-1 (latest hotfix available), and then upgrade to R21-1. For more information, see the Tufin Orchestration Suite Lifecycle.

To obtain the installation/upgrade files, go to the New Version Support page in the Customer portal and follow the instructions there.

Always review the Compatibility Notes prior to installing an upgrade. Make sure to read the additional notes in the Release Notes for each version in your upgrade path.

Important Warnings

TufinOS Environment. Tufin Orchestration Suite R21-1 HF3.2 and above runs on TufinOS 3.71. After upgrading TufinOS to 3.71, you must immediately upgrade Tufin Orchestration Suite. Tufin Orchestration Suite will be unavailable until it is upgraded.

RHEL/CentOS Environment. To upgrade Tufin Orchestration Suite to R21-3 HF3.2 and above, you must download and install the following components:
  • Apache 2.4.6

  • PHP 7

R21-1 HF3.1 includes a fix for an issue that prevented Java from being rolled back when an upgrade failed to complete. If you do not intend to upgrade to these versions, you can manually roll back to the earlier Java version. For more information, see Manually rolling back to an earlier Java version.

Installing/Upgrading TufinOS

Tufin Orchestration Suite R21-1 requires TufinOS 3.30 and above. We recommend that you install the latest version of TufinOS available.

The latest version of TufinOS available can be downloaded from the Customer portal.

Additional Information

  • Starting from R20-2, the location of the SecureChange custom scripts is: /opt/tufin/data/securechange/scripts/

  • In R20-2, the Apache component was upgraded and its configuration files were modified. The following files in directory /etc/httpd/conf.d will be cleared during TOS upgrades and new installations:

    • autoindex.conf.orig

    • userdir.conf

    • welcome.conf

    • php.conf

    If you are using the Apache component, back up these files before you upgrade to R20-2.

  • Starting from R20-2, the Web Server certificate validity is decreased to 395 days for clean installations.

  • Tufin Orchestration Suite validates user information for many fields in SecureTrack and SecureChange, such as user names and email addresses. If a field contains invalid information, you will not be able to create or modify the field until the invalid information has been corrected. See Input Validation for details.

  • Starting with Tufin Orchestration Suite R19-2, SecureChange will verify that devices are suitably licensed for both SecureChange and Provisioning during ticket handling.

    Unlicensed devices may cause unplanned interruptions when performing SecureChange operations, so we strongly recommend checking that all devices used in the system are fully licensed before upgrading.

    To review the status of all your licenses, see Viewing License Status.

    For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange.

    For more information about licensing, contact your Tufin partner or email us at [email protected].

  • If you use CA-signed SSL certificates, you must use the SSLCertificateChainFile directive rather than the SSLCACertificateFile directive. See TufinOS Prerequisites or Non-TufinOS Prerequisites in the Security Essentials section of the Knowledge Center.

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • SecureApp REST API Permissions: When segregated or interconnected multi-domain mode is configured for SecureChange/SecureApp, a user must have both the Create new applications permission and the View all applications permission enabled to use the REST API Customers methods for SecureApp.

  • Preserve your SSL certificate and configuration customizations during an upgrade to Tufin Orchestration Suite (R17-3 HF3 and above). See Customizing SSL or Virtual Host Configuration for details.

  • If your TOS deployment uses a Distributed Architecture configuration, you may need to upgrade sTunnel. See sTunnel Patch Installation Instructions in the Customer Portal for details.

  • For Check Point R80 devices, when you upgrade from R18-3 and below to R19-1 and above, a new revision is automatically retrieved. After upgrading, Compare Revisions may show changes for all the existing network objects.

    Before you upgrade, make sure you have a recent (no more than 3 months old) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.

  • Microsoft Internet Explorer (IE): Release R20-1 (TOS 1) is the last release that supports IE. From release R20-2, Tufin support for IE will reach its "end of life" (EOL). Tufin will support Microsoft Edge version 80.0.x (and above) and will continue to support Chrome version 80.0.x (and above) and Firefox version 73.0.1 (and above).

  • If you are upgrading to R19-2 HF1 and your Tufin environment includes Panorama Advanced network objects in a Modify Group ticket, see SecureChange Known Issues from Previous Releases, Installation and Upgrade.

  • SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:

    • Chrome: versions 79 and 80

    • Firefox: version 72

    We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see Google's published posts on the subject.

  • EOL Palo Alto Panorama - Basic Mode: From R19-3 until R20-2, support for Panorama devices in Basic firewall management mode is deprecated for new devices. Existing devices will continue to be monitored by SecureTrack.

    In a future release, existing devices will be marked as disabled and will not be able to receive revisions. Provisioning for these devices will fail and a Device is disabled error will be displayed. For more information about supported features in each monitoring mode, see the list of SecureTrack Features by Vendor.

    If you are using Panorama devices, we recommend using Advanced mode, which is still supported by Tufin.

  • EOL Fortinet FortiManager - Basic Mode: From R19-3 until R20-2, support for Fortinet FortiManager (FMG) devices (up to and including version 5.2) in Basic firewall management mode is deprecated for new devices. Existing devices will continue to be monitored by SecureTrack.

    In a future release, existing devices will be marked as disabled and will not be able to receive revisions. Provisioning for these devices will fail and a Device is disabled error will be displayed. For more information about supported features in each monitoring mode, see the list of SecureTrack Features by Vendor.

    If you are using FortiManager devices, we recommend using Advanced mode, which is still supported by Tufin.

  • EOL for Cisco PIX firewall devices: Cisco PIX devices reached end-of-service in 2013. Therefore, starting from Tufin Orchestration Suite R20-2, existing Cisco PIX firewalls will continue to be displayed, but no new policy revisions will be retrieved.