R22-2 PHF4.0.0 Release Notes
Resolved Issues from Previous Releases
Tufin Orchestration Suite (TOS) R22-2 PHF4.0.0 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.
All Resolved Issues | | |
---|---|---|
R22-1 PHF4.1.0 | R21-3 PHF2.1.0 | R21-2 PHF2.0.0 |
Installing/Upgrading TOS Aurora
TOS Aurora is the next generation platform of Tufin Orchestration Suite, with newly enhanced versions of features you rely on.
There are three options for installing or upgrading TOS Aurora:
- New installation: Installing TOS Aurora on a new environment. For more information, see Clean Install procedures.
- Aurora to Aurora upgrade: Upgrading an older version of TOS Aurora to a newer version of TOS Aurora. For more information, see Upgrade From TOS Aurora.
- Classic to Aurora upgrade: Upgrading TOS Classic to TOS Aurora. For more information, see Upgrade TOS Classic to TOS Aurora.
Before You Install R22-2 or Upgrade
- From R22-2 PHF2.0.0, we require that the /opt partition storage not exceed 70% of the available space to ensure proper TOS functionality.
- From R22-2 PGA0.0.0, we improved several backup components. Backups will take longer to complete, but will be compressed and more reliable.
- After upgrading to R22-2 PRC1.0.0, you must regenerate the client certificates for any OPM device connected to TOS.
- When installing or upgrading to R22-2 PRC1.0.0, all SNMP inbound queries (such as walk, get, and getNext) will be disabled by default.
  To enable SNMP v2 walk and get queries, after the installation/upgrade, run the following CLI command on the initial data node as a user with root privileges.
- If you have FortiManager devices in SecureTrack, after upgrading you must add a SAN signed certificate to each device.
- If you are upgrading from R21-3 or R21-2, the license enforcement accuracy of management devices (such as Panorama and FortiManager) is improved after the upgrade: the license status of a management device is determined according to the accumulated license statuses of its managed firewalls. As a result, if there is at least one managed firewall with the license status Expired or Unlicensed, the management device will also have the license status Expired or Unlicensed.
  To resolve this, you can:
  - Ensure that a valid license is attached to all managed firewalls.
  - Disable the unlicensed firewalls.
  - Remove the unlicensed firewalls from SecureTrack monitoring.

  This does not apply to Check Point Management Devices.
Upgrade Paths and Compatibility
To view the supported upgrade paths for TOS Aurora, see the TOS Release History page.
Make sure to read the additional notes in the Release Notes for each version in your upgrade path.
TufinOS Compatibility
Tufin Orchestration Suite R22-2 Aurora requires TufinOS 3.80 and above. However, it is always best to use the latest version of TufinOS available.
The latest version of TufinOS available can be downloaded from the Customer portal:
- In the Download Center in the Customer Portal
- In the New Version Support page, as part of the installation/upgrade files.
Deprecated Features
The following features are no longer available in these releases of TOS Aurora:
Feature | Removed from New Installations | Removed When Upgrading | Announcement Date |
---|---|---|---|
Adding new TOP plugins (existing plugins in TOS will continue to work). | R25-1 | R25-2 | March 2024 |
Extended Dynamic List (EDL) management via SecureApp | R24-1 | R24-2 | November 2023 |
TLS 1.0/1.1 (email and LDAP communications). Transport Layer Security (TLS) 1.0 and 1.1 were deprecated by the IETF in June 2018, due to security issues. For most services TLS 1.2 is now mandatory. | R23-2 | R23-2 | December 2022 |
Policy Analysis Report (replaced by Policy Analysis Report in STRE) | R21-3 | R22-2 | June 2021 |
Risk Charts (replaced by Dashboard) | R21-3 | R22-2 | June 2021 |
Compliance Policies (replaced by Unified Security Policy) | R21-3 | R22-2 | June 2021 |
Regulations Audit Browser (replaced by Unified Security Policy and SecureTrack Reporting Essentials) | R21-3 | R22-2 | June 2021 |
Rule Documentation Report (replaced by Rule Viewer) | R21-3 | R22-1 | June 2021 |
Security Risk Report (replaced by Unified Security Policy and SecureTrack Reporting Essentials) | R22-1 | R22-2 | June 2021 |
Expired Rules Report (replaced by Rule Viewer, SecureTrack Reporting Essentials Rule Analytics report, and the Rule Lifecycle Management App). | R22-1 | R22-2 | June 2021 |
Integration with Puppet Labs | R19-3 | R19-3 | August 2021 |
Viewing Cisco ACI Applications in SecureApp | R19-3 | R19-3 | August 2021 |
Firewall OS Monitoring (available only where used continuously since upgrade from TOS Classic) | R22-1 | R22-1 | March 2022 |
For a list of features that will be deprecated in future releases, see End of Support and Deprecated Features.
Devices and Platforms Reaching End of Support
Device/Vendor | Limited Support (New devices cannot be added. Existing devices will continue to work as before.) | End of Support (New devices cannot be added. Existing devices cannot receive revisions. Automation will not work.) |
---|---|---|
VMware NSX-V | R24-2 | R25-1 |
Cisco ASA Version 8 and earlier | R24-1 | R24-2 |
Juniper NSM | R24-1 | R24-2 |
Netfilter iptables | R23-2 | R24-2 |
Cisco Security Manager | R23-2 | R24-2 |
Check Point R77 | R23-1 R24-1 Also removed from Map | R25-2 |
OpenStack | R23-1 | R24-1 |
Panorama Version 8 and earlier | R22-1 | |
Palo Alto Networks Panorama - Basic Mode | R19-3 | R22-1 |
Fortinet FortiManager - Basic Mode | R19-3 | R22-1 |
Additional Information
- Starting from R22-2 PHF2.0.0, the Tufin Marketplace has been renamed Tufin Extensions.
- Starting from R22-1 PHF2.0.0, for Cisco ASA devices, in order to prevent unnecessary ticket dependencies, Designer creates groups using the timestamp as the suffix of the group name. For example:
  - NetworkGroup_1657713531

  If you want to change back to the previous naming convention, in stconf set the Designer_ASA_Index_Group_Name flag as True.
  For more information, see Changing The Naming Convention of Cisco ASA Group Names Created by Designer.
- Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.
- To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.
- For Check Point R80 devices, a new revision is automatically retrieved when you upgrade, and therefore Compare Revisions may show changes for all the existing network objects.
  Before you upgrade, make sure you have a recent (no more than 3 months old) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.
- SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:
  - Chrome: versions 79 and 80.
  - Firefox: version 72.

  We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts: