What's New in R24-2

Note to Customers with Tiered Licenses

Since R23-2, TOS features are enforced on tiered licenses according to solution tier. Examples are topology and some SecureChange workflows that are available only in the SecureChange+ tier, and provisioning that is available only in the Enterprise tier (see Solution Tiers). For more information, contact your account team.

Feature

Description

Tags

Ticket SLA now considers non-working days

SecureChange now uses working office hours, as defined in the system calendar, to determine the ticket SLA by calculating total working hours for each ticket and workflow step. Administrators can customize the calendar with working days and non-business days (such as holidays and vacation days). The business duration appears on the tickets page and is returned in API calls.

The business duration calculation provides accurate ticket SLA calculations and avoids unjustified SLA notifications and escalations caused by tickets waiting over weekends and holidays. In addition, this calculation improves granularity for ticket time by reporting hours instead of days.

For more information, see Customizing SecureChange Operations.

automation, workflow, SLA
Automation for OPM devices

OPM devices now support automatic mapping of zones to interfaces, matching rules in topology for common policy enforcement types such as a policy installed on an entire device, a policy installed on an interface, and zone to zone policy. Additionally, auto-target selection as part of the Access Request workflow and Verifier results for Access Requests now include these devices.

This new automation allows broader network coverage and policy management, simplified USP management, more accurate topology and change automation, and reduced SLA for access requests that involve OPM devices.

For more information, see Open Policy Model.

opm, monitoring, SLA, automation
IPv6 automation for VMware NSX-T

Interactive Map now supports IPv6 routes and interfaces for NSX-T, and extends to Verifier, Designer, and provisioning for NSX-T IPv6-based access requests. This support reduces manual effort, reduces MTTR (mean time to repair) across IPv4 and IPv6 networks, streamlines network changes, and improves SLA by implementing NSX-T change requests automatically.

For more information, see VMware.

vmware, ipv6, topology, verifier, designer, SLA, automation
Topology Support for Mixed IPv4/IPv6 Tunnel

Path Analysis now allows you to query paths that include both IPv4 and IPv6 routes (hops). Customers with mixed IPv4 and IPv6 networks benefit from the interactive map and can troubleshoot broken connectivity.

For more information, see Path Analysis.

ipv4, ipv6, topology
UserID Automation for FortiManager

This feature provides improved visibility for the LDAP groups that are part of the User Groups and FSSO objects and includes topology support for FortiManager User Groups and FSSO objects based on LDAP groups. In addition, all automation tools (such as Verifier, Designer, and Provisioning) support automated access requests for User Groups based on LDAP groups. These improvements implement user-based access requests automatically, rapidly, and more securely.

For more information, see Fortinet.

fortimanager, ldap, verifier, designer, provisioning, automation
FQDN Support in Path Analysis

FQDN objects or DNS can be used as the source/destination in path analysis, which shows the relevant path and whether the access is allowed across each device in the path. This improvement simplifies network troubleshooting.

For more information, see Path Analysis.

topology, fqdn, dns, path analysis
NSX-T VRF-lite Support

You can now import NSX-T VRFs as logical routers in TOS Aurora. In addition, Topology modeling is supported for NSX-T VRFs. These improvements provide more accurate network troubleshooting and change automation across NSX-T environments.

For more information, see VMware.

nsx-t, topology
Fortinet SD-WAN enhancements - Dynamic VPN

TOS Aurora includes enhanced VPN support across Fortinet devices including Dial-Up/dynamic VPN configuration. This support provides more accurate modeling of the SD-WAN environment, which enables easy troubleshooting and change automation across dynamic VPNs.

For more information, see Fortinet.

sd-wan, fortinet, vpn, topology
Generic NAT Support for Cisco FMC

You can now use generic NAT for Cisco FMC devices, enabling the topology to consider NAT configuration across Cisco FMC devices.

cisco, fmc, nat, topology
SecureChange Tickets Page Enhancements

The SecureChange Tickets page has been updated to improve the user experience when searching tickets and managing saved queries. Changes include an action menu with the Save and Delete options, a Refresh button to refresh the search results, and the Edit Saved Search option to save them.

For more information, see Tickets.

securechange, tickets, automation
Auto-target Selection and Verifier Support for GCP

GCP VPC firewalls can now be part of the access request workflow, and are automatically identified based on the topology path. In addition, Verifier is now supported for Access Requests with GCP VPC firewall devices. This new support saves time and avoids manual effort in determining the relevant firewalls for access requests.

gcp, verifier, access request, requests, cloud
Designer Support for Azure Firewalls and Azure NSGs

Designer now provides suggested changes for access across Azure NSGs and Azure firewall devices. This support prevents erroneous configurations for access changes, reduces network change SLAs, and implements changes while avoiding shadowed and duplicate rules. (Note: Azure NSG support starting with the GA release.)

For more information, see Microsoft Azure.

azure, nsgs, designer, cloud
Azure NSGs Cleanup - Unused Objects

Rule Viewer now identifies unused objects in Azure NSGs. This feature includes last hit information for source/destination addresses and the service field, filtering rules based on the last hit of objects in rules and/or objects with no hits, and scheduling/generating the Rule Analytics report. This capability enables customers to remove unused objects safely from rules, accelerates cleanup, and achieves broader visibility into the cloud environment.

See object.notHit and object.timeLastHit in TQL Fields For the Rule Viewer.

azure, nsgs, rule viewer, cloud
Azure Firewall Support in a Secured-Hub Deployment

TOS Aurora now supports Azure firewalls in a Virtual WAN - Secured Hub deployment when routing is configured in the Azure Hub. This support extends to network troubleshooting (using topology), change automation (including Verifier and Designer), and USP violations of Azure firewall policies.

This feature improves network troubleshooting, change automation, and compliance assurance for Azure firewalls deployed in a Secured-Hub deployment.

For more information, see Microsoft Azure.

azure, cloud, topology, verifier, designer
Cleanup for VMware NSX-T - Unused Rules

Rule Viewer now includes last hit information for NSX-T Distributed firewall rules. This improvement enables customers to identify and remove unused NSX-T rules safely and improves the security posture while maintaining business continuity.

For more information, see VMware.

nsx-t, vmware, cloud
Revision History for All Devices

The Device Viewer has been enhanced with a new feature, Revision History, that lists the revisions received for each device and lets you drill down to the rules that were modified, added, and/or deleted in the revision. This new feature is for all devices; however, it has special importance for GCP, Meraki, and OPM devices because they do not have the Compare Revisions feature that most other devices have. The new feature means that all monitored devices now have powerful audit and troubleshooting capabilities.

For more information, see Revision History.

security, opm, device viewer
TOS Aurora Upgrade Enhancement

Tufin administrators can now view the steps that are planned for a TOS Aurora upgrade before it starts. During the upgrade, they will be able to continue in case of a failure. These improvements simplify troubleshooting, improve upgrade reliability, reduce upgrade failures, and increase visibility.

For more information, see Upgrade TOS Aurora.

deployment, upgrade
TOS Aurora Status Enhancements

The tos status CLI command now includes information for remote collector connectivity status and application services status. Administrators can use a GraphQL query to see this data. These improvements increase visibility and simplify troubleshooting.

For more information, see TOS CLI Reference.

deployment, remote collector