Bugs - Resolved and Unresolved

SecureChange runs slowly following use of Designer

USP exceptions partially exempt rule violations that in previous versions of TOS were fully exempted.

Revision not retrieved for FMG Global, when It contains Internet-Service-Group

Auto Verifier incorrectly showing red when there is a revision with an AR change.

Deleting SA application takes about 8 hours and reaches a memory peak of 31GB

Upgrade pre-check fails when Extensions and/or PS solutions have been installed. Logs are likely to contain error messages: Executing step "Pod amounts on nodes" in section "Validations section" and ERROR Node <NODENAME> has 110 pods, which is above the allowed limit of 108.

TOS functions including backup, upgrade and high availability are not working. When running the tos status command, the node status indicates CHECKER_FAILURE'.

Slow processing and/or tickets get stuck in Designer or Verifier. This might be accompanied by high memory consumption and Mongo timeout exception error messages in the logs.

Fortinet FMG ADOM revision fails when device has a wildcard object with a metadata variable. Additional information: Error message "Failed parsing configuration" appears in the logs

Last hit information does not appear in Rule Viewer for Azure Firewall. Additional information: The logs might contain a null pointer exception (NPE)

Violation calculations fail to detect violated rules when the environment exceeds 200 devices.

For VMware NSX-T devices that contain global objects, rules are missing from TOS.

Connection failures between TOS and Panorama devices cause revision retrievals to fail.

Revisions cannot be retrieved from Cisco FMC 7.0.6.3 devices when the logs contain duplicate network object names.

Error message: "New version verification failed".

USP exceptions for specific applications and services fully exempt rules that should only be partially exempted.

Email notifications to servers that require user authentication are not being sent.

Topology information cannot be retrieved from Panorama devices with Prisma

Topology map does not show routes between Azure VNets in VHubs belonging to different subscriptions. The VNets appear as isolated islands

SecureTrack is unable to retrieve revisions from Zscaler devices when there are more than 1,000 rules on the device.

The Expiration banner does not appear for expired tickets with an expiration date that was updated via the REST API.

Searching for a cloned server in SecureApp via API returns data from the original server, even if the cloned server has been modified since cloning.

Upgrade from R24-1 PHF2 to R24-2 fails. Possible error messages include:

ERROR Step "Pod amounts on nodes" in section "Validations section" failed

ERROR Section "Validations section" failed

ERROR Upgrade has encountered a problem in step: "Pod amounts on nodes" due to: Node node1 has 114 pods, which is above the allowed limit of 108

The drilldown menu for shadowing rules fails to load when many zones are configured on the device.

API returns 500 error when device does not support NAT rules.

Last hit showing up incorrectly in Rule Viewer and TQL queries when the time zone of the user is different from the server . The value is out by one day when compared to the revision details.

Incorrect topology calculation for Cisco MPLS. The path appears as broken.

Login fails when password contains UTF-8 characters

Error message: 403 Invalid Credential

For very large Panorama hierarchies, Designer debug tool get stuck.

Deprecated compliance risk calculations failed on OPM devices causing failure to risk calculations.

Rules are deleted and recreated, causing the rule documentation to be deleted.

Backup fails.

Error message: Insufficient disk space on minio Dir

The "Get Network Objects," "Get Server," "Get Servers," "Get Service," and "Get Services" API functions do not include servers or services cloned via SecureApp in their responses.

For a network object query, the API output is empty.

Upgrade from earlier release of TOS Aurora fails.

Logs contain error message connection to server at "stolon-sc-svc" (IP), port 5432 failed

VIP objects, with IPv6 addresses without mapped IP, cause an error when parsing the revision.

The STRE Shadowed Rules report returns a bad request error when there are unprocessed revisions in the SecureTrack database.

Error message: 400 bad request

Rule Viewer does not show the source for some rules on Fortigate devices with a user group and object group that share the same name.

Error message: This data cannot be displayed at the moment.

SecureChange is inaccessible.
Error 503 appears when going to SecureChange using UI or API.

For Cisco FMC devices, groups with literal wildcards cause the revision to fail.

FMC devices that use legacy UI configured with literal subnets, which contain white spaces at beginning or end, cause the revision to fail.

On Cisco ASA devices, revisions are associated with the wrong accounts in Change Viewer.

Upgrade procedure gets stuck on the bridge-scheduler validation.

For FMG devices, tickets get stuck and cannot progress unless adjusted manually.

Revisions cannot be retrieved from an ACI 5.3 device configured with a transparent proxy in SecureTrack.

Ticket dependency calculations for group modification tickets on Check Point Devices causes the SecureTrack server to crash due to lack of memory.

Parsing fails to identify SD-WAN routes for Cisco Routers when the output returned from the router starts with information unrelated to the actual routing data.

Log message: Finish parsing content. evpn route count: 0.

TOS install and upgrade procedures fail with DNS error message when DNS is configured correctly.

Error message: ERROR DNS misconfiguration:

lookup test-tufin.local on xx.xx.xx.x:xx: server misbehaving

In R24-1, only relevant for PHF4.0.0.

Prisma/GPCS RN-SPN object does not appear in the Map.

Fortinet firewalls appear connected, but the ADOMs and VDOMs under it show a connection error.

The number of pods exceeds the Kubernetes limit of 110.

Scheduled reports are not shown in the report repository.

Import of Panorama devices to TOS fails.

Error message: CSM error:General Failure

Provisioning to a VMware NSX device fails when the rule contains an internet object.

Some non-tiered perpetual licenses installed on certain time-zones cause workflows in TOS to be disabled.

Designer fails to run on Cisco ASA devices causing a timeout error due to a service_group with type 0. Error message: Designer fails with error (attached).

Parsing fails to identify SD-WAN routes for Cisco Routers when the output returned from the router starts with information unrelated to the actual routing data.

Log message: Finish parsing content. evpn route count: 0.

Scheduled topology sync runs a day late.

For Cisco devices, incorrect paths are shown in the Topology Map when there are multiple MPLS-VPN next hops.

For Juniper SRX devices, shadowing rules load a blank page in Rule Viewer. In Compare Revision, the Source and Destination are empty.

Revisions cannot be retrieved from Cisco FMC devices due to intermittent 401 errors from the device API.

Error messages: Access token invalid, unknown error, unable to get configuration

When attempting to remove access for a NAT rule with multiple source zones on a FortiManager device , Designer displays an incorrect error message.

Incorrect error message: Remove Access suggestions for NAT rules are not supported.

Correct error message: No suggestions for this request.

Destination zones are removed from USP exception calculations after they are edited.

Device revisions fail to appear in TOS when multiple versions are received at once.

NSX-T 4.1 objects do not appear in the Compare Revisions tab.

SecureApp performance slows after performing an action with a Server Group that contains several thousand servers.

SecureTrack cannot retrieve information about rules using this API call: https://<TUFIN_BASE_URL>/securetrack/api/devices/<device_id>/rules/<id>/documentation

There is an issue with Designer when submitting an access request.

Message: Cannot modify the initial default policy. You need to associate a policy with <FW_Name>.

Revisions cannot be fetched from Cisco Layer 2 switches.

Error message: Error occurred when pulling configuration from the device: Wrong arguments

The SecureTrack user interface is not responsive and backups fail.

Tufin MIB file does not contain records of all traps that could be sent to the SNMP server.

Affects R24-1 PHF2.0.0 only. Preconfigured and new scheduled SecureTrack reports in SecureTrack will not run. STRE reports are not affected.

Designer is not ignoring rules with the legacy automation attribute.

Topology information cannot be retrieved for AWS gateway load balancers when there is a NAT object on one of the firewall devices in the target group

For Fortinet devices, after running Designer for the first time and selecting Update Devices, there is an error.

Error message: Remove network object <object name> from existing group < group name>.

Source and destination fields are empty in Compare Revision and appear as N/A in Rule Viewer.

SecureTrack cannot retrieve revisions from Cisco Meraki devices when the device contains a WAN interface with a missing gateway. The user interface shows that the device is being monitored correctly.

Revisions from Juniper SRX devices are missing NAT objects with 'any' in the rule source or destination.

SecureTrack cannot monitor Cisco layer 3 devices with a custom login prompt.

Permitted traffic to Panorama devices is shown as blocked due to a mismatch between the predefined services in TOS and the predefined service on the device.

The content of ACI objects in Panorama dynamic access groups does not appear in TOS when the device Is configured with more than one IP address (on the Panorama side).

Installation crashes.

SecureApp's application history is incorrect for server groups whose connections were updated via API.

Provisioning fails when special character ü appears in the rule name from SecureApp.

Designer fails to update Panorama configuration in SecureChange. After clicking UPDATE DEVICE, the following error appears: Unexpected error, please, try again

NAT objects (Any, Any-IPv4, and Any-IPv6) do not appear in NST tables.

After processing a request to delete unused tickets, Verifier results are empty.

Upgrading to R24-1 PHF2.0.0 failed. Error message: Failed to execute topology-facade API call.

The tos snapshot restore command fails on TOS R23-2 PHF3.1.0.

Gateway load balancers cannot be imported when traffic is blocked from one or more AWS regions.

Tickets page loads slowly if there are more than 10,000 tickets present. In addition to improving performance, users can change the default amount of tickets loaded to a lower number.

Cleanup rest API call returns General error when getting fully shadowed or disabled rules without including the start and count parameters.

Revisions cannot be retrieved from Palo Alto devices. In the Compare Revisions page data for these devices is incomplete, and in the Administration > Status page imported Prisma objects show: Error: unknown error.

For FortiGate 7.2.6v devices, cannot get a new revision.

Unable to add Fortinet ADOM when the comment includes an array of strings.

Error message: Fail to unmarshal data.

Cisco ASA device fails to provision when editing a rule which contains DM_INLINE group even though Designer suggests using it.

Designer cannot create an object with NAT information if it was added from the Object Browser, from a VIP/MIB NAT policy filter, or from the results of path analysis if there is NAT in the path.

Error message: <OBJECT NAME> is defined in Zone A and cannot be used in Zone B.

After upgrading to R24-1 on a machine with IPv6 configured, the Topology map fails to load and displays the error message "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.”

FMC devices cease to function, with tickets failing to process and an error message “Unknown error.” Evidence of memory leaks appear in the logs.

The Cleanup Browser, Object Lookup, and Change Browser pages fail to perform device calculations when a large number of devices are present.

Tickets page always reverts to last saved query when navigating away from the page instead of keeping the query performed by the user.

When there are more than 15,000 devices, the SecureTrack Object Lookup page loads initial data, but no buttons work.

When running Designer on a device which doesn’t support Provisioning “Not run” appears next to the device name in the SecureChange.

When running Designer on a Check Point device with an access request that is shadowing a different access request, Designer returns an error.

Error message: Designer is unable to suggest changes for this device.

Access-role and security zone objects are displayed as network objects in the CSV file that is created when exporting Unattached Network Objects from the Cleanup Browser.

The result returned by the security_zones api function is missing zone hierarchies

Upgrade to R23-2 PHF1.0.0 fails due to license restriction errors.

Error message: Upgrade service failed with the following errors:\nService tss failed with error: Failed due to license restrictions

When processing UI requests, TOS virtual network issues yield errors or delays in response.

Some devices are missing in the path when inbound and outbound VRFs are different.

Rule Change report does not send notification emails and is not saved in the repository.

Device Collector container crashes with exit code 139 (SIGSEV). Related to memory leak on Queue_Server process.

SecureTrack user interface stops responding and displays the following message: Looks like something went wrong. Performance queries were enhanced to resolve this issue.

For Check Point devices, cannot create a rule name with more than 30 characters.

On the Dashboard, Cleanup Trend data for devices with disabled or shadowed rules includes only the first 100 devices.

Revisions cannot be processed for Check Point CMA devices that have ‘@’ in an object name. This can be resolved by removing the @ character from all object names in the policy and fetching the revision again.

Slow FMC syslog messages retrieval by SecureTrack due to logs full of prints by the syslog translator.

Following forced removal, devices still appear in the Device Viewer and Rule Viewer.

Failure to import Meraki managed devices.

Verifier returns a "User Network zone is not configured" message when the User Network zone has no subnet, but a child zone (of the User Network zone) contains a subnet.

Topology and zone mapping incomplete for Cisco Meraki devices.

In the Rule History tab, there is no indication of the object type for changes to services or security profiles.

Cleanup instances do not open in the Cleanup page when the revisions have multiple versions and there is revision parsing order is inconsistent. The following message appears to uses: Recalculating revision results. This may take a while.

A Certified rule status is being overridden by the rule documentation backward-compatibility API.

Fields are missing from the MIB file.

Automatic target analysis fails for Check Point FQDN objects, even though the objects exists. Topology returns the error message: Internal error occurred

An "invalid server certificate" error is returned when logging into devices from TOS using Cyberark for external authentication.

Local backup fails.

No requests shown when filtering for closed tickets in a group that contains more then 35310 tickets.

Importing data using the SecureApp Import Applications template fails with error message “Cannot import application data” when empty rows are present.

Verifier and Path Analysis fail to display rules implemented on a monitored firewall, due to incorrect parsing of network object groups

Editing Designer results is not allowed after Designer fails within an auto-step.

When restarting TOS after running “tos cluster snapshot,” “tos cluster snapshot restore” fails with error “no global configuration found”.

Topology information cannot be retrieved from AWS devices when there is a gateway load balancer linked to multiple AWS accounts.

Revisions cannot be retrieved. Caused by a failure in the device collector service

Tos backup create suffers performance issues when configured to local storage.

Revision retrieval fails due to a single client running on two different pods.

After upgrading to R23-2 PHF3.0.0 when the jvm.extraOpts parameter is present, calling the logs of SecureTrack jobs returns the message ERROR unable to locate appender "${env:logging.appender}" for logger config "root."

For Cisco routers, rule numbers are parsed incorrectly when the device is not configured to collect rule usage analysis. As a result, attempts to provision ACL removal fail.

Revision fetching for NSX-T devices was not triggered when the NSX Manager NSX-T revisions fail to be retrieved when the NSX Manager hostname is an FQDN.

After upgrading, TOS fails to receive device revisions if monitored Check Point devices use LEA authentication on RC.