R21-3 Aurora PHF2.1.0 Release Notes

Resolved Issues from Previous Releases

Tufin Orchestration Suite (TOS) R21-3 Aurora PHF2.1.0 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.

All Resolved Issues

  • This release

  • R21-2 PHF2.0.0

  • R21-1 PHF1.1.0

Installing/Upgrading TOS Aurora

TOS Aurora is the next generation platform of Tufin Orchestration Suite, with newly enhanced versions of features you rely on.

There are three options for installing or upgrading TOS Aurora:

  • New installation: Installing TOS Aurora on a new environment.

    For more information, see Clean Install procedures

  • Aurora to Aurora upgrade: Upgrading an older version of TOS Aurora to a newer version of TOS Aurora.

    For more information, see Upgrade From TOS Aurora

  • Classic to Aurora upgrade: Upgrading TOS Classic to TOS Aurora.

    To help you perform the Classic to Aurora upgrade, Tufin developed the Upgrade Planner. The Upgrade Planner collects TOS environment and setup information to determine whether your current environment is compatible with TOS Aurora.

    For more information, see:

    To upgrade from Classic to Aurora, contact Tufin Support.

To obtain the TOS Aurora installation files, see the Download Center in the Customer Portal.

Before You Upgrade

When installing or upgrading to R21-3 PHF1.0.0, all SNMP inbound queries (such as walk, get, and getNext) will be disabled by default.

To enable SNMP v2 walk and get queries, after the installation/upgrade, run the following CLI command on the initial data node as a user with root privileges:

tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower

If you have FortiManager devices in SecureTrack, you will need to add a SAN signed certificate to each device after upgrading.

After the upgrade, the license enforcement accuracy of management devices (such as Panorama and FortiManager) will be improved: the license status of a management device will be determined according to the accumulated license statuses of its managed firewalls. As a result, if there is at least one managed firewall with the license status Expired or Unlicensed, the management device will also have the license status Expired or Unlicensed.

To resolve this, you can:

  • Ensure that a valid license is attached to all managed firewalls.

  • Disable the unlicensed firewalls.

  • Remove the unlicensed firewalls from SecureTrack monitoring.

After upgrading to R21-3 PGA.0.0, you will need to recreate your scheduled backup policy. This issue is resolved in R21-3 PGA.1.0.

Upgrade Paths and Compatibility

To view the supported upgrade paths for TOS Aurora, see the TOS Release History page.

Make sure to read the additional notes in the Release Notes for each version in your upgrade path.

TufinOS Compatibility

Tufin Orchestration Suite R21-3 Aurora requires TufinOS 3.50 and above. We recommend that you install the latest version of TufinOS available.

The latest version of TufinOS can be downloaded from the Customer Portal.

Deprecated Features

The following features are no longer available in these releases of TOS Aurora:

| Feature | Removed from New Installations | Removed from New Installations and TOS Upgrades |
|---|---|---|
| Policy Analysis Report | R21-3 Aurora | R22-2 Aurora |
| Risk Charts | R21-3 Aurora | R22-2 Aurora |
| Compliance Policies | R21-3 Aurora | R22-2 Aurora |
| Regulations Audit Browser | R21-3 Aurora | R22-2 Aurora |
| Rule Documentation Report | R21-3 Aurora | R22-2 Aurora |
| Security Risk Report | R22-1 Aurora | R22-2 Aurora |
| Expired Rules Report | R22-1 Aurora | R22-2 Aurora |

Deprecated Devices/Vendors

The following devices/vendors are no longer available in these releases of TOS Aurora:

Device/Vendor

Removed from New Installations

Removed from New Installations and TOS Upgrades

R21-3 Aurora PHF2.1.0 Release Notes R23-2  
R21-3 Aurora PHF2.1.0 Release Notes R23-1  
R21-3 Aurora PHF2.1.0 Release Notes R23-1  
R21-3 Aurora PHF2.1.0 Release Notes R22-1  
R21-3 Aurora PHF2.1.0 Release Notes R19-3 R22-1 - Not removed, but retrieving revisions is no longer supported
R21-3 Aurora PHF2.1.0 Release Notes R19-3 R22-1 - Not removed, but retrieving revisions is no longer supported

Additional Information

  • Starting from R21-3, for physical firewall licenses, when auto-attaching, the licenses are first attached to the appropriate physical firewalls. If there are any remaining unused licenses, while there are not enough virtual licenses to cover all virtual devices, the unused licenses for the physical firewalls will be automatically attached to virtual firewalls that require a license.

    In the License Status table > License Usage column, if a physical license is attached to both physical and virtual devices, the column will display how many licenses are attached to each device type.

  • Starting from R21-2 Classic, all devices need TLS 1.2. SecureTrack will not retrieve revisions from devices with TLS 1.0 or 1.1.

  • Starting with Tufin Orchestration Suite R19-2, SecureChange will verify that devices are suitably licensed for both SecureChange and Provisioning during ticket handling.

    We strongly recommend checking that all devices used in the system are fully licensed prior to upgrading, as unlicensed devices may cause unplanned interruptions when performing SecureChange operations.

    To review the status of all your licenses, see Viewing License Status.

    For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange.

    For more information about licensing, contact your Tufin partner or email us at [email protected].

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • For Check Point R80 devices, when you upgrade from R18-3 and below to R19-1 and above, a new revision is automatically retrieved. After upgrading, Compare Revisions may show changes for all the existing network objects.

    Before you upgrade, make sure you have a recent (no more than 3 months old) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.

  • Microsoft Internet Explorer (IE): Release R20-1 is the last release that supports IE. From release R20-2, Tufin support for IE will reach its "end of life" (EOL). Tufin will support Microsoft Edge version 80.0.x (and above) and will continue to support Chrome version 80.0.x (and above) and Firefox version 73.0.1 (and above).

  • SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:

    • Chrome: versions 79 and 80.

    • Firefox: version 72.

    We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts:
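
An added pre-upgrade check for the TLS 1.2 requirement listed under Additional Information above (example code added here, not part of Tufin's release notes or tooling): it attempts a handshake with TLS 1.2 as the minimum version against each monitored device and groups the results, so devices from which SecureTrack would stop retrieving revisions can be found in advance. The hostnames in DEVICES are constructed placeholders, and port 443 is an assumption about where each device's management interface listens.

```python
import socket
import ssl

# Constructed inventory for illustration; replace with your monitored devices.
# Port 443 is an assumption about the management interface.
DEVICES = [("fw-mgmt-01.example.internal", 443),
           ("panorama-01.example.internal", 443)]

def tls12_context():
    """Client context that refuses any protocol version below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Version probe only: management interfaces often present self-signed
    # certificates, so validation is off. Never send data over this socket.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def probe(host, port, timeout=5.0):
    """Return (status, detail); status is 'ok', 'legacy-or-non-tls' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version()  # negotiated version, e.g. 'TLSv1.2'
    except ssl.SSLError as exc:
        # Handshake failed with TLS 1.2 as the floor: the peer offers only
        # TLS 1.0/1.1 or does not speak TLS on this port.
        return "legacy-or-non-tls", getattr(exc, "reason", None) or str(exc)
    except OSError as exc:
        # DNS failure, refused connection, reset or timeout; check manually.
        return "unreachable", str(exc)

def audit(devices, prober=probe):
    """Group devices by probe status so remediation targets are obvious."""
    report = {"ok": [], "legacy-or-non-tls": [], "unreachable": []}
    for host, port in devices:
        status, detail = prober(host, port)
        report[status].append((host, port, detail))
    return report

if __name__ == "__main__":
    for status, rows in audit(DEVICES).items():
        for host, port, detail in rows:
            print(f"{status:18} {host}:{port}  {detail}")
```

Some legacy stacks reset the connection instead of sending a TLS alert, so treat entries under unreachable as unverified, not as compliant.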