What's New in R25-2


Feature

Description

PAN EDL Objects

TOS can now process Palo Alto Networks external dynamic lists (PAN EDLs). Rules can be filtered in the Rule Viewer by IPs contained in the object and they are included in Topology path analysis and automation.

This enhancement improves network troubleshooting, allows detection of policy violations of EDL rules and improves the accuracy of access request changes. The new PAN EDL support results in shorter MTTR, better SLA performance and makes continuous compliance more attainable.

See Palo Alto Networks for details.

Keywords: network, path analysis, troubleshooting, pan, panorama, edl

Cisco FMC URL Category and AppID

TOS now takes AppID and URL category into account, adding visibility, change tracking and advanced topology mapping. It also allows more accurate automation for Cisco FMC rules with URL categories or Application IDs. By considering these attributes, USP violations can be detected accurately and the risk of misconfiguration is lowered by eliminating false positives in shadowing analysis for NGFW-based rules.

This improvement enables more accurate path analysis, helping maintain SLAs and reducing MTTR. It also improves compliance accuracy supporting zero trust and micro-segmentation initiatives.

See Cisco for details.

Keywords: network, path analysis, troubleshooting, cisco, fmc, url, url category, appid, app id, application id

Cisco ACI – Topology Support for ESG

TOS now supports Cisco ACI endpoint security groups (ESGs) in object and contract comparisons, change tracking, and ESG-based path analysis in the Interactive Map.

This enhancement supports zero trust and micro-segmentation initiatives by providing identity-based visibility into ESG policies. It reduces risk during segmentation transitions by offering full support for ESGs alongside EPGs. Accurate ESG-based path analysis helps maintain SLA and reduces MTTR, while change tracking of ESG contracts and objects improves audit readiness.

See Cisco for details.

Keywords: network, path analysis, troubleshooting, cisco, aci, esg

Generic PBR – Topology Support

TOS now supports generic policy-based routing (PBR) in Topology path analysis. You can define, edit, and map PBR rules on monitored devices using the API, with traffic paths calculated according to PBR behavior before traditional routing logic.

This enhancement improves troubleshooting by enabling analysis of routing decisions influenced by PBR policies. It reduces risk and manual effort by reflecting the real traffic paths affected by PBR and helps maintain SLA by ensuring access request analysis and automation are accurate through modeling PBR behavior in topology calculations.

See Adding Generic Policy-Based Routing (PBR) for details.

Keywords: network, path analysis, troubleshooting, generic pbr

OPM Designer New UI

Designer now has a new interface for access requests involving changes to OPM devices, Azure NSGs, Azure firewalls, Zscaler ZIA, Huawei, Versa and others. This gives improved usability and extends Designer capabilities to better support OPM devices.

The new intuitive UI shortens the time needed for change implementation, and improves efficiency, aiding SLA compliance and expanding Designer support to additional devices.

See Using Designer for details.

Keywords: change automation, automation

Rule Optimizer

Rule Optimizer is a new feature in the Rule Viewer that lets you proactively tighten the permissiveness of security policy rules based on real-time traffic logs. You can quickly identify rules in need of optimization and easily make modifications. Rule Optimizer runs automatically and exposes weak security rules that you might not have been aware of. In addition, an enhanced TQL lets you query for rules eligible for optimization.

This feature will help reduce your attack surface, improving security posture and lowering risk. In this version, Rule Optimizer works for AWS, Azure NSGs, Zscaler ZIA, and, from R25-2 PHF1.0.0, VMware NSX-T. It will be extended to additional devices in the future.

See Rule Optimizer for details.

Keywords: cloud, sase

AWS Organization Support

Onboarding AWS accounts just got easier and quicker with the new TOS capability of managing AWS accounts at the organization level. TOS can now automatically onboard new accounts added to the organization. In addition, you can update credentials for the organization and propagate them to all monitored accounts.

Aside from saving time and effort, this feature makes sure visibility, topology and change automation are up to date across all AWS accounts.

See Cloud Organizations for details.

Keywords: cloud, sase

Azure VNET Auto Import

Monitoring your Azure environment has been made easier and more reliable with the VNET automatic import capability, which imports all VNETs in a single subscription without user action. The feature can be enabled selectively by subscription.

The result is reduced effort and operational overhead, and continuously up-to-date visibility, topology and change automation.

See Monitoring Microsoft Azure for details.

Keywords: cloud, sase

Zscaler ZIA Automation

TOS change automation has been extended to include Zscaler ZIA. ZIA is now identified as a target device in Access Requests, participates in Risk Analysis, Designer and Verifier, and when access has already been implemented, the ticket is automatically closed and the rule documented with the ticket ID.

The result of this added support is policy change implementation in minutes instead of days, avoidance of Designer ‘redos’, reduction of risk and increased ability to honor service level agreements.

See Zscaler for details.

Keywords: cloud, sase, automation, change automation

Azure NSG and OPM Provisioning

TOS now supports automatic provisioning for access requests involving Azure NSGs and OPM devices, enabling end-to-end automation for these platforms within hybrid environments.

This enhancement reduces risk and improves SLA performance through zero-touch automation, and increases operational efficiency by supporting a unified change process across cloud and on-prem environments.

See Device Experience and UI Types for details.

Keywords: cloud, sase, automation, change automation

USP Violations for AWS SGs, GCP, and Azure NSGs installed on NIC

TOS now detects USP violations in AWS, GCP and Azure network security groups installed on a network interface card (NIC), including rules containing objects defined by NICs (Azure ASGs, AWS SGs, GCP tags).

This enhancement reduces risk and supports continuous compliance with regulatory standards across AWS, Azure, and GCP environments.

See Rule Violations for details.

Keywords: security, compliance, security groups, network security groups, sgs, nsgs

Rule Recertification New UX and Certification History

Rule Recertification has received a number of significant enhancements. The Recertification workflow now has a modern, user-friendly UI in which Admins can configure default recertification periods and enforce expiration policies. In the Rule Viewer, the rule details and drilldown views have been updated to provide better visibility and monitoring of the rule’s certification status. This includes a new certification section in the rule drilldown containing a complete history of all certifications, including recertification comments. These enhancements give valuable context, improving collaboration and recertification decisions.

The benefits gained from this complete and comprehensive rule lifecycle management are improved tracking, auditing, and maintenance of firewall policy compliance, while reducing manual effort and time required to manage the certification process. This ensures continuous audit readiness and supports stronger compliance, with minimal disruption to day-to-day operations.

See Rule Recertification, Certify/Decertify Rules, and Rule Recertification Field for details.

Keywords: security, compliance

Integrated TufinOS/ETCD Deployment

TufinOS installation on hypervisors now includes the ETCD disk setup as part of the configuration workflow.

This simplifies installation, lowers risk of misconfiguration, improves deployment stability, and makes the whole deployment process smoother and trouble free.

See Prepare a VMware ESXi Machine for details.

Keywords: deployment, disks

TufinOS AMI

TufinOS 4 is now available as an Amazon Machine Image (AMI) in the AWS Marketplace. This simplifies AWS deployment, reduces time to value, improves security posture through a hardened OS image, and makes the whole deployment process smoother and trouble free.

See Prepare an AWS Instance for details.

Keywords: deployment

Remote Collector Disaster Recovery

Remote Collectors now automatically recover after disaster recovery switchover and central cluster restore. More than just a best practice, this guarantees true high availability by maintaining ongoing security operations and consistent policy enforcement.

The result is robust, enterprise-level resilience that helps meet service-level agreements for recovery time objectives (RTO), ensuring business continuity and giving faster time to value.

See Disaster Recovery and TOS restore for details.

Keywords: deployment, rc, dr

Update Optimization

The TOS update process has been optimized for hot fixes. This shortens update time, makes the update process more robust and improves platform stability.

See TOS Update for details.

Keywords: deployment, optimization, upgrade, installation, hf, hot fixes

Improved Performance of Large Reports

Legacy SecureTrack reports now use a 64-bit process, allowing report generation for devices with large rule and object sets. For best performance, save reports to the repository rather than running them on-demand.

Keywords: reports, performance