R24-2 Pre-Installation Information

Integrity Checks

Each TOS version comes encrypted with two SHA values. You can verify the integrity of the TOS installation package by running an integrity check before you install it on your servers. If the output is identical to the SHA values for the relevant TOS version, you can safely install the TOS package.

To verify the integrity, run the following commands:

[<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
[<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

R24-2 PGA.0.0

Item

Details

Run file name tos_24-2-pga.0.0-final-21356.run.tgz
sha256 d9119f1137da005f0daf0ecf7c7da23cf93e508bbafbe6fc885d6b9f070c6a37
sha1sum 804db4225b2c6c2dfcf67293ff6370a667c7b525

R24-2 PRC1.1.0

Item

Details

Run file name tos_24-2-prc1.1.0-final-20305.run.tgz
sha256 6ca8a19c7d89d416137022ebfbe15060ec35e6685db06ebde7d218717f6132b7
sha1sum 003c03a485a7d544bc781555638bc3574c5f03ed

Before Installing or Upgrading

  • License usage data will be automatically collected from TOS. All TOS users will need to be able to access aus.tufin.com from the browsers on their work stations. For more information, see Send Reports Automatically.

  • The /opt partition storage usage not exceed 70% of the available space to ensure proper TOS functionality.

  • All SNMP inbound queries (such as walk, get, and getNext) will be disabled by default.

    To enable SNMP v2 walk and get queries, after the installation/upgrade, run the following CLI command on the initial data node as a user with root privileges.

    tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower
    tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower

Additional Information

  • Connect SecureChange to SecureCloud: After upgrading to R24-2 PGA.0.0, any customer who uses SecureCloud or external cloud provider integration to import Azure ASGs (Application Security Groups) to the source or destination of Access Requests and take full advantage of SecureChange automation tools, must set the following configuration to make it work after the upgrade.

    [<ADMIN> ~]$ sudo tos config set -s epc-service -p enabled=true

    For more information, see SecureCloud Settings.

  • Starting from R23-1 PHF1.0.0, ICMP is considered both a service and an application when creating or editing the security policy of a USP zone. To differentiate:

    • ICMP = application

    • ICMP-proto = service

    This is also true when defining a specific service. For example: ICMP-proto 8.

    As a result, when importing old USP CSV files, ICMP will be considered an application and not a service. For ICMP to be considered a service, you are going to need to change it to ICMP-proto.

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • For Check Point R80 devices, a new revision is automatically retrieved when you upgrade, and therefore Compare Revisions may show changes for all the existing network objects.

    Before you upgrade, make sure you have a recent (from ≤ 3 months) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.

  • SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:

    • Chrome: versions 79 and 80.

    • Firefox: version 72

    We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts: