What's New

Note to Customers with Tiered Licenses

From R23-2, TOS features are enforced on tiered licenses according to solution tier. Examples are topology and some SecureChange workflows that are available only in the SecureChange+ tier, and provisioning that is available only in the Enterprise tier - see Solution Tiers. For more information contact your account team.

To filter the results, enter text in one or more of the filter fields.

To see all items, clear the filter fields.

Categories

Feature

Description

Automation

Panorama

Automation for Panorama URL Categories

Existing predefined or custom Panorama URL categories can be inserted directly into access requests, enabling you to further leverage the automation capabilities of SecureChange:

  • Intelligent firewall target selection reduces the need for manual interventions and do-overs.

  • TOS automatically verifies if the requested access to the URL category has already been implemented and closes requests, which have already been implemented to ensure optimal resource utilization.

  • Use Designer to more easily design changes to enable access to the requested URL category.

  • Provision the designed changes to the policy to ensure accurate implementation.

Furthermore, you can leverage the topology map to troubleshoot connectivity to URLs, empowering your administrators to easily identify and resolve network issues, and get a more comprehensive view of shadowed rules with URL categories.

Automation

Rule Viewer

SecureChange

Rules from Different Devices in single SecureChange Ticket

In the Rule Viewer, you can now add rules from different devices/policies to a single ticket. With this feature, the process of making rule changes becomes much simpler, and cleanup times are now much faster, as you no longer need to open a separate ticket for each device rule.

This feature is available for Rule Decommission, Rule Modification and Rule Recertification tickets.

Automation

Topology

Topology and Automation Support for Internet Objects

You can perform path analysis queries using the internet object as either the source or destination. This provides you with enhanced visibility of your network, and improves troubleshooting for network objects going to/from the internet.

In addition, you can insert internet objects directly into Check Point and Stonesoft devices in Access Request workflows to implement more secure and accurate access request changes.

Deployment

License

License Usage Tracking for Tiered Licenses

In order to allow tigher license consumption monitoring and enable more accurate auditing, a new automated license usage tracking mechanism is being introduced in R23-2. This new mechanism is relevant for customers who use the tiered licensing model (SecureTrack+, SecureChange+, or Enterprise).

For more information on this feature, see License Usage Tracking

Deployment

License

UX

New License Management Page

If you have a tiered license (SecureTrack+, SecureChange+, or Enterprise), you can now view detailed information on the licenses installed in your system. The old legacy License Management page was replaced with a more modern user interface which shows only the information required to understand the license status of your TOS deployment. This includes the license tier you purchased as well as important license information, such as when it expires. The license tier is now enforced by the product.

The new License Management page is only available to SecureTrack Super Administrators.

Deployment

Appliance

New Gen 4.5 Appliances (T-820/T-1220)

The Tufin T-820/T-1220 are the latest appliances to be made available in Tufin's T-series. These new appliances are designed to deliver best-in-class security policy orchestration, compliance, and visibility for today’s dynamic network and cloud environments. With the T-820/T-220 you will receive an all-in-one solution for managing security policies across heterogeneous networks, simplifying the complexity of security operations and ensuring continuous compliance with regulatory standards. Using cutting-edge hardware and our industry leading Tufin Orchestration Suite, these new appliances offer superior performance, scalability, and high availability to meet the demands of any size organization. With a user-friendly interface and advanced automation capabilities, these new appliances make it easy to manage security policies, monitor and report on compliance, and quickly automate security changes across your hybrid networks.

The T-820/T-1220 appliances come pre-installed with TufinOS and TOS Aurora.

Deployment

New Supported Operating Systems

In June 2024, RHEL/CentOS 7 are going to be EOL (end of life), as well as TufinOS 3 which is based on CentOS 7. TufinOS 4 and Red Hat Enterprise Linux/Rocky Linux 8.6 are the new supported operating systems for TOS Aurora. These operating systems are available for both clean installs and upgrades on virtual machines and appliances - deployed on-premises. For cloud deployments, only Rocky Linux 8.6 will be supported.

The 2023 support of these operating systems provides you with longer coverage and will enable you to plan the move to the new operating system well before your existing operating system becomes EOL in 2024.

Cloud

Deployment

GCP

HA

High Availability in GCP Over Three Availability Zones

High availability is supported for GCP over three availability zones, giving you a higher level of resilience and availability when deploying on this cloud platform. Note that all availability zones must be in the same region.

Azure

Cloud

Deployment

Extra Large Microsoft Azure Networks

Tufin's largest customers can now deploy TOS on Microsoft Azure. This will require a different setup in terms of disk/virtual machine requirements. Consult your Tufin technical representative for sizing information.

Devices

Palo Alto Networks

Platforms

Palo Alto Networks Prisma Access Policies

You can use TOS Aurora to monitor Palo Alto Networks Prisma Access Policies managed by Panorama devices, offering you enhanced control and visibility into these polices with Tufin's built-in reports.

With TOS support for Prisma Access Policies you can also:

  • Save valuable time and effort in identifying rules via the Rule Viewer

  • Compare revisions in SecureTrack to reduce effort when it comes to change tracking

  • Streamline cleanup processes using Tufin’s Automated Workflows - Clone Network Object Policy, Network Object Decommission, and Rule Decommission

  • Simplify the certification process using the Rule Recertification workflow.

  • Empower your firewall administrators to modify rules and groups via auditable workflows such as Group Modification and Rule Modification.

  • Automate Access Requests in non-topology mode to avoid risks and reduce the time it takes implement network changes.

In addition, being able to monitor Prisma Access Policies with TOS will eliminate the need to manually prepare for audits on these policies and manually perform time consuming and error-prone policy changes. You will now be able to take full advantage of TOS Aurora's automation capabilities for this device.

Check Point

Devices

Platforms

Check Point Smart-1 Cloud You can use SecureTrack to manage your policies on Check Point Smart-1 Cloud. Tufin offers full feature parity with on-premises Check Point management platforms to ensure a smoother transition to the cloud without compromising on policy management capabilities. You can leverage the scalability and flexibility of Smart-1 Cloud, while still getting the Tufin value for visibility, topology, cleanup, compliance, and automation.

Cisco

Devices

Platforms

Topology

Cisco Viptela Topology Support You can view Cisco Viptela cEdge devices in SecureTrack's Interactive Map, including OMP routes, SD-WAN interfaces and SD-WAN labels. This will provide you with a holistic view of your SD-WAN environment, empowering your administrators to quickly identify and resolve connectivity challenges across complex networks, and ensure precise firewall target selection as part of the access request workflow to streamline the change process.

Automation

Azure

Cloud

Devices

Platforms

Azure NSG Automation - Verifier Support You can run Verifier on automated change requests that go through Azure Network Security Groups (NSGs), ensuring that the requested traffic in the Access Request ticket is implemented and allowed on the policies in the path. NSGs can be automatically suggested as a target for the access request. Being able to run Verifier on them as well will enable you to automatically close tickets and save significant amounts of time and resources that would otherwise be needed to review the requests.

Azure

Cisco

Cloud

Devices

Platforms

Default Custom Logging for Cisco ASA in Designer You can configure Designer to automatically create new rules with custom logging for Cisco ASA devices, eliminating the need for manual intervention and help achieve zero touch automation. You have the option of associating different types of logging with different Cisco ASA devices.

API

SecureChange

Get URL Category zone

A new API gets the URL Category zone defined for path calculation and target selection. This zone is defined on the SecureTrack Zones page.

API

SecureChange

Set the URL Category Zone

A new API sets a zone as the URL Category zone for path calculation and target selection. User networks and Unassociated Networks zones cannot be used as the URL Category zone.

API

SecureChange

Trigger Commit Now in a SecureChange Ticket

A new API runs Commit Now for a specific device in a SecureChange ticket. You can use this API to automate retries of Commit Now, or to implement customized change windows for a given device. This is available for Check Point R80+, FortiManager, and Panorama.

GraphQL

SecureTrack

Retrieve Changes in a Revision Affecting a Rule

A new GraphQL query returns all changes made in a selected revision that affect the requested rule.

GraphQL

SecureTrack

Retrieve the List of Revisions Affecting a Rule

A new GraphQL query returns a list of revisions, in the requested time frame, that contain one or more changes affecting the requested rule. Includes accountability information.

API

SecureTrack

NAT Information Per Revision

A new API retrieves NAT information for security rules in a specific revision. Previously, obtaining NAT information for security rules was limited to the last revision fetched from the device.

API

SecureTrack

Topology

Retrieve Dynamic Topology Data from Specific Devices

A new API retrieves dynamic topology data from a specific device tree. This will enable you to refresh a subset of the data in the Interactive Map without having to run a full topology sync. This will save time and help you keep your topology data up-to-date.

API

SecureApp

Get SecureApp Network Objects by IP, Subnet and Comment

You can use the SecureApp Rest API to get network objects by IP address, subnet and comment - in addition to name. This enhancement further aligns the REST API capabilities with that of the SecureAPP User Interface.

Two API functions have been enhanced:

  • network_objects allows you to search all applications for network objects by their IP address

  • /applications/{applicationId:0-9}+/network_objects allows you to search a specific application for network objects.

There is a new API function: server_lookup

This API function allows you to get network objects according to the subnet the server is located in, the server’s IP address, or comment.

AWS

Cloud

Deployment

Devices

Platforms

VMware NSX-T on AWS (VMware Cloud)

VMware NSX-T on AWS (VMware cloud) is supported for TOS enabling you to migrate and extend your on-premises VM environment to Amazon's platform With this ability you will be able to embrace the flexibility and scalability offered by the cloudwhile still maintaining the value derived from TOS Aurora’s unique policy management capabilities.

TOS Aurora provides complete feature parity with on-premises NSX deployments.

Cloud

Compliance

Risk

Security

Accurate Risk Assessments for Cloud Assets Exposed to Internet

SecureCloud now displays a risk assessment for assets exposed to the internet based on the data returned from the firewalls monitored by SecureTrack. With this information you will be able to perform more accurate risk assessments based on the aggregated data collected from cloud-native controls as well as virtual firewalls deployed in the cloud. This will result in a reduction of false positive risk assessments (both from Tufin and third-party vendors) and an overall improvement to the general effectiveness of risk prioritizations.

Compliance

Risk

Rule Viewer

Security

Rule History Visibility

You can now use the Rule Viewer to view the change history of the rule and receive instant visibility into rule changes, and rule metadata changes as they occur. This will save time when it comes to recertifying rules, and troubleshooting security breaches and power outages caused by rule changes. The information is displayed in a new Rule History tab listing all the rules that were changed, when they were changed and by who. Selecting a rule will provide you with more details about the specific changes that were made.

Being able to retrieve the rule history will also simplify audits. You can select the relevant rules and export their history as a CSV file, which can then be sent to the auditor for review.

Extensions

SecureChange

UX

Extensions Apps in SecureChange Navigation Menu

The Extension Apps have been added to the SecureChange navigation menu, enabling you to easily navigate from TOS to your installed apps. If an app is not installed, you will be redirected to a page where you can learn more about it.

SecureChange

UX

New Requests page

The SecureChange legacy Requests page has been replaced with a new page that offers a more modern user experience for SecureChange users looking to view their requests. New features include the ability to add and remove columns and sort the list of requests.

Topology

Devices

Platforms

Non-admin users can access Interactive Map (PHF2.0.0 and later)

Non-admin users with the device permission Any can access the Interactive Map. Allowing more users to access the Interactive offers increased flexibility and an enhanced user experience.