R24-1 Pre-Installation Information

Integrity Checks

Each TOS version is published with two SHA hash values (SHA-256 and SHA-1). You can verify the integrity of the TOS installation package by running an integrity check before you install it on your servers. If the output is identical to the SHA values for the relevant TOS version, you can safely install the TOS package.

To verify the integrity, run the following commands:

[<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
[<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
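
The comparison described above can be scripted so that installation only proceeds when both digests match the published values. This is an added example, not Tufin's code: the function name verify_tos_package and its exit codes are assumptions of this example, and the demo file at the end is constructed.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): gate installation on BOTH published digests.
# verify_tos_package and its exit codes are names chosen for this example.
# Returns 0 if both digests match, 1 on any mismatch, 2 on unusable input.
verify_tos_package() {
    local file want256 want1 got256 got1 rc
    file=$1; rc=0
    # Normalise pasted values: strip whitespace, lowercase the hex digits.
    want256=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    want1=$(printf '%s' "$3" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Refuse truncated or mis-pasted reference values instead of comparing them.
    printf '%s' "$want256" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "published sha256 is not 64 hex characters" >&2; return 2; }
    printf '%s' "$want1" | grep -Eq '^[0-9a-f]{40}$' ||
        { echo "published sha1 is not 40 hex characters" >&2; return 2; }

    # Hash via stdin so the output is always "<digest>  -", whatever the name.
    got256=$(sha256sum < "$file" | cut -d' ' -f1)
    got1=$(sha1sum < "$file" | cut -d' ' -f1)

    if [ "$got256" != "$want256" ]; then
        echo "SHA-256 MISMATCH for $file (computed $got256)" >&2; rc=1
    fi
    if [ "$got1" != "$want1" ]; then
        echo "SHA-1 MISMATCH for $file (computed $got1)" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file matches both published values"
    return "$rc"
}

# Constructed demo input: a 3-byte file containing "abc" and its digests.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_tos_package "$demo" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
    a9993e364706816aba3e25717850c26c9cd0d89d
rm -f "$demo"
```

For a real package, pass the run file and the two values listed for that version in the tables on this page, and stop the installation on any non-zero exit code.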

R24-1 PHF4.1.0

Item           Details
Run file name  tos_24-1-phf4.1.0-final-22336.run.tgz
sha256         41ff7efd6eba344caabb5ba1a5da595e12742abae1d8438edd4f4fe01e3b3ecf
sha1sum        6170456c6fa1eaef8a67caea34287cb231fbf63a

R24-1 PHF4.0.0

No longer available.

Item           Details
Run file name  tos_24-1-phf4.0.0-final-21845.run.tgz
sha256         e594a43fe144f784825a651cfa8b76f9e2c87aa0ed880248cc2a7304f69c2252
sha1sum        bf351756403e5007aad4a7a2fc5d533d2c22d18f

R24-1 PHF3.0.0

Item           Details
Run file name  tos_24-1-phf3.0.0-final-20308.run.tgz
sha256         1288ca52d05f779d37556928f1d3370fdc7bf8354beb3966f2158d776a357f56
sha1sum        90187351502ef6f1c7f7fd9db2603c939f4e9be9

R24-1 PHF2.1.0

Item           Details
Run file name  tos_24-1-phf2.1.0-final-20182.run.tgz
sha256         2342804a08e1ce33cfa77e85656e4e8a28e347f5ee6e3874349454ced3fc4d6d
sha1sum        9e521f5576d0664a935de853c109e7b5c87f8e61

R24-1 PHF2.0.0

Contains a bug that prevents preconfigured and new scheduled SecureTrack reports from running.

Item           Details
Run file name  tos_24-1-phf2.0.0-final-19227.run.tgz
sha256         3b552bd2cd3f2d4d6503eca18beae9d41d27324d49009b047a16b487c4b120af
sha1sum        f1fdfa139f16f798c30871877f7511604acadf31

R24-1 PHF1.0.0

Item           Details
Run file name  tos_24-1-phf1.0.0-final-18553.run.tgz
sha256         791f3b0ac207798898d76e96e29ad886ba350d5c48f4222265d19dc29ffd8d49
sha1sum        67d5591e1bc9c55d7c1a5fa205b15456c545e624

R24-1 PGA.0.0

Item           Details
Run file name  tos_24-1-pga.0.0-final-17973.run.tgz
sha256         0a65c69292104e0d997cd57fe47b6c3c3dfa6b8c94ecaf5baf128ad27c9e3ebb
sha1sum        1b7adeb949ac4871ad2e6f8bada3a116368eb194

R24-1 PRC1.0.0

Item           Details
Run file name  tos_24-1-prc1.0.0-final-17179.run.tgz
sha256         baf6373a8708fc91424797268255e00cb8dcbd4ac3d735eee4df16d6bd179138
sha1sum        e9cf8c01865930df96391853872426c874a513a1

Before Installing or Upgrading

  • License usage data will be automatically collected from TOS. All TOS users will need to be able to access aus.tufin.com from the browsers on their workstations. For more information, see Send Reports Automatically.

  • The /opt partition storage usage must not exceed 70% of the available space to ensure proper TOS functionality.

  • After upgrading to R23-1 PRC1.0.0, you must regenerate the client certificates for any OPM device connected to TOS.

  • All SNMP inbound queries (such as walk, get, and getNext) will be disabled by default.

    To enable SNMP v2 walk and get queries, after the installation/upgrade, run the following CLI command on the initial data node as a user with root privileges.

    tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower
  • If you have FortiManager devices in SecureTrack, after upgrading you must add a SAN signed certificate to each device.

Additional Information

  • Starting from R23-1 PHF1.0.0, ICMP is considered both a service and an application when creating or editing the security policy of a USP zone. To differentiate:

    • ICMP = application

    • ICMP-proto = service

    This is also true when defining a specific service. For example: ICMP-proto 8.

    As a result, when importing old USP CSV files to R23-1 PHF1.0.0 and later, ICMP will be considered an application and not a service. For ICMP to be considered a service, you must change it to ICMP-proto.

  • Starting from R22-2 PHF2.0.0, the Tufin Marketplace has been renamed Tufin extensions.

  • Starting from R22-1 PHF2.0.0, for Cisco ASA devices, in order to prevent unnecessary ticket dependencies, Designer creates groups using the timestamp as the suffix of the group name. For example:

    • NetworkGroup_1657713531

  • If you want to change back to the previous naming convention, set the Designer_ASA_Index_Group_Name flag to True in stconf.

    For more information, see Changing The Naming Convention of Cisco ASA Group Names Created by Designer.

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • For Check Point R80 devices, a new revision is automatically retrieved when you upgrade, and therefore Compare Revisions may show changes for all the existing network objects.

    Before you upgrade, make sure you have a recent (no more than 3 months old) Check Point Jumbo Hotfix version installed on your device. See the Check Point Support Center for more information on how to verify which Jumbo Hotfix version is installed.

  • SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:

    • Chrome: versions 79 and 80.

    • Firefox: version 72

    We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts: