R22-1 Aurora PHF4.1.0 Release Notes

Resolved Issues from Previous Releases

Tufin Orchestration Suite (TOS) R22-1 Aurora PHF4.1.0 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.

All Resolved Issues

 

 

  • This release

  • R21-3 PHF2.1.0

  • R21-2 PHF2.0.0

  • R21-1 PHF1.1.0

Installing/Upgrading TOS Aurora

There are three options for installing or upgrading TOS Aurora:

Before You Install R22-1 or Upgrade

When installing or upgrading to R22-1 PHF3.0.0 or later, you can change the default pods network (10.244.0.0/16). The pods network cannot overlap with any of the following:

  • The services network

  • The physical addresses of the TOS Aurora servers

  • Your primary VIP, Syslog VIP or external load balancer IP

  • Any other subnets communicating with TOS or with TOS nodes
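
The overlap rule above can be checked before the install or upgrade. The following is an added example, not Tufin code or a TOS tool: it tests a candidate pods network against each category in the list. Every address in `SAMPLE_RESERVED` is a constructed assumption, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample inventory: every address below is an illustrative
# assumption, not a TOS default. Replace with your own environment's values.
SAMPLE_RESERVED = {
    "services network": ["10.96.0.0/12"],
    "TOS server addresses": ["192.168.10.11/24", "192.168.10.12/24"],
    "primary VIP": ["192.168.10.50"],
    "syslog VIP": ["10.244.3.7"],
    "external load balancer": ["192.168.20.5"],
    "other subnets reaching TOS": ["10.240.0.0/13", "172.16.0.0/16"],
}


def find_pod_network_conflicts(pods_cidr, reserved):
    """Return (label, entry) for each reserved entry overlapping pods_cidr."""
    # strict=True rejects a pods CIDR with host bits set (e.g. 10.244.1.0/16).
    pods = ipaddress.ip_network(pods_cidr, strict=True)
    conflicts = []
    for label, entries in reserved.items():
        for entry in entries:
            # strict=False: "192.168.10.11/24" is read as the subnet the host
            # sits in, and a bare IP becomes a single-address network.
            net = ipaddress.ip_network(entry, strict=False)
            if net.version == pods.version and pods.overlaps(net):
                conflicts.append((label, entry))
    return conflicts


def first_usable_pods_network(candidates, reserved):
    """Return the first candidate CIDR with no conflicts, or None."""
    for cidr in candidates:
        if not find_pod_network_conflicts(cidr, reserved):
            return cidr
    return None


if __name__ == "__main__":
    for cidr in ("10.244.0.0/16", "172.16.0.0/12", "172.20.0.0/16"):
        hits = find_pod_network_conflicts(cidr, SAMPLE_RESERVED)
        print(cidr, "OK" if not hits else f"overlaps: {hits}")
```

Server addresses are entered with their prefix length so that the whole server subnet is treated as reserved, which is the conservative reading of the rule.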

When installing or upgrading to R22-1 PRC1.0.0, all SNMP inbound queries (such as walk, get, and getNext) will be disabled by default.

To enable SNMP v2 walk and get queries, after the installation/upgrade, run the following CLI command on the initial data node as a user with root privileges:

tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower

If you have FortiManager devices in SecureTrack, after upgrading you will need to add a SAN signed certificate to each device.

After the upgrade, the license enforcement accuracy of management devices (such as Panorama and FortiManager) will be improved: the license status of the management devices will be determined according to the accumulated license statuses of their managed firewalls. As a result, if there is at least one managed firewall with the license status Expired or Unlicensed, the management device will also have the license status Expired or Unlicensed.

To resolve this, you can:

  • Ensure that a valid license is attached to all managed firewalls.

  • Disable the unlicensed firewalls.

  • Remove the unlicensed firewalls from SecureTrack monitoring.

Upgrade Paths and Compatibility

To view the supported upgrade paths for TOS Aurora, see:

Always review the TOS Release History prior to installing an upgrade. Make sure to read the additional notes in the Release Notes for each version in your upgrade path.

TufinOS Compatibility

Tufin Orchestration Suite R22-1 Aurora requires TufinOS 3.70 and above. If you are running TufinOS 3.70, we strongly recommend upgrading to at least TufinOS 3.71 as it contains important security fixes. However, it is always best to use the latest version of TufinOS available.

Deprecated Features

The following features are no longer available in these releases of TOS Aurora:

| Feature | Removed from New Installations | Removed When Upgrading | Announcement Date |
|---|---|---|---|
| Adding new TOP plugins (existing plugins in TOS will continue to work). | R25-1 | R25-2 | March 2024 |
| Extended Dynamic List (EDL) management via SecureApp | R24-1 | R24-2 | November 2023 |
| TLS 1.0/1.1 (email and LDAP communications). Transport Layer Security (TLS) 1.0 and 1.1 were deprecated by the IETF in June 2018, due to security issues. For most services TLS 1.2 is now mandatory. | R23-2 | R23-2 | December 2022 |
| Policy Analysis Report (replaced by Policy Analysis Report in STRE) | R21-3 | R22-2 | June 2021 |
| Risk Charts (replaced by Dashboard) | R21-3 | R22-2 | June 2021 |
| Compliance Policies (replaced by Unified Security Policy) | R21-3 | R22-2 | June 2021 |
| Regulations Audit Browser (replaced by Unified Security Policy and SecureTrack Reporting Essentials) | R21-3 | R22-2 | June 2021 |
| Rule Documentation Report (replaced by Rule Viewer) | R21-3 | R22-1 | June 2021 |
| Security Risk Report (replaced by Unified Security Policy and SecureTrack Reporting Essentials) | R22-1 | R22-2 | June 2021 |
| Expired Rules Report (replaced by Rule Viewer, SecureTrack Reporting Essentials Rule Analytics report, and the Rule Lifecycle Management App). | R22-1 | R22-2 | June 2021 |
| Integration with Puppet Labs | R19-3 | R19-3 | August 2021 |
| Viewing Cisco ACI Applications in SecureApp | R19-3 | R19-3 | August 2021 |
| Firewall OS Monitoring (available only where used continuously since upgrade from TOS Classic) | R22-1 | R22-1 | March 2022 |

For a list of features that will be deprecated in future releases, see End of Support and Deprecated Features.

Deprecated Devices/Vendors

The following devices/vendors are no longer available in these releases of TOS Aurora:

| Device/Vendor | Removed from New Installations | Removed from New Installations and TOS Upgrades |
|---|---|---|
| [device/vendor name missing] | R23-2 | |
| [device/vendor name missing] | R23-1 | |
| [device/vendor name missing] | R23-1 | |
| [device/vendor name missing] | R22-1 | |
| [device/vendor name missing] | R19-3 | R22-1 - Not removed, but retrieving revisions is no longer supported |
| [device/vendor name missing] | R19-3 | R22-1 - Not removed, but retrieving revisions is no longer supported |

Additional Information

  • Starting from R22-1 PHF3.0.0, there is a new bulk API that allows the deletion of a management device and all its managed devices.
  • Starting from R22-1 PHF2.0.0, for Cisco ASA devices, in order to prevent unnecessary ticket dependencies, Designer creates groups using the timestamp as the suffix of the group name. For example:

    • NetworkGroup_1657713531

    If you want to change back to the previous naming convention, in stconf set the Designer_ASA_Index_Group_Name flag to True.

    For more information, see Changing The Naming Convention of Cisco ASA Group Names Created by Designer.

  • SecureChange verifies that devices are suitably licensed for both SecureChange and Provisioning during ticket handling.

    We strongly recommend checking that all devices used in the system are fully licensed prior to upgrading, as unlicensed devices may cause unplanned interruptions when performing SecureChange operations.

    To review the status of all your licenses, see Viewing License Status.

    For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange.

    For more information about licensing, contact your Tufin partner or email us at [email protected].

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • For Check Point R80 devices, a new revision is automatically retrieved when you upgrade, and therefore Compare Revisions may show changes for all the existing network objects.

    Before you upgrade, make sure you have a recent (no more than 3 months old) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.

  • Microsoft Internet Explorer (IE): Internet Explorer reached its "end of life" (EOL) in R20-2. TOS supports Microsoft Edge version 80.0.x (and above) and continues to support Chrome version 80.0.x (and above) and Firefox version 73.0.1 (and above).

  • SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:

    • Chrome: versions 79 and 80.

    • Firefox: version 72.

    We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts: