What's New

Note to Customers with Tiered Licenses

From R23-2, TOS features are enforced on tiered licenses according to solution tier. Examples are topology and some SecureChange workflows that are available only in the SecureChange+ tier, and provisioning that is available only in the Enterprise tier - see Solution Tiers. For more information contact your account team.


Categories: Automation, Panorama

Automation for Panorama URL Categories

Existing predefined or custom Panorama URL categories can be inserted directly into access requests, enabling you to further leverage the automation capabilities of SecureChange:

  • Intelligent firewall target selection reduces the need for manual interventions and do-overs.

  • TOS automatically verifies whether the requested access to the URL category has already been implemented and closes requests that are already implemented, ensuring optimal resource utilization.

  • Use Designer to more easily design changes to enable access to the requested URL category.

  • Provision the designed changes to the policy to ensure accurate implementation.

Furthermore, you can leverage the topology map to troubleshoot connectivity to URLs, empowering your administrators to easily identify and resolve network issues, and get a more comprehensive view of shadowed rules with URL categories.

Categories: Automation, Rule Viewer, SecureChange

Rules from Different Devices in a Single SecureChange Ticket

In the Rule Viewer, you can now add rules from different devices/policies to a single ticket. With this feature, the process of making rule changes becomes much simpler, and cleanup times are now much faster, as you no longer need to open a separate ticket for each device rule.

This feature is available for Rule Decommission, Rule Modification and Rule Recertification tickets.

Categories: Automation, Topology

Topology and Automation Support for Internet Objects

You can perform path analysis queries using the internet object as either the source or destination. This provides you with enhanced visibility of your network, and improves troubleshooting for network objects going to/from the internet.

In addition, you can insert internet objects directly into Check Point and Stonesoft devices in Access Request workflows to implement more secure and accurate access request changes.

Categories: Deployment, License

License Usage Tracking for Tiered Licenses

To allow tighter license consumption monitoring and enable more accurate auditing, a new automated license usage tracking mechanism is introduced in R23-2. This mechanism is relevant for customers who use the tiered licensing model (SecureTrack+, SecureChange+, or Enterprise).

For more information on this feature, see License Usage Tracking.

Categories: Deployment, License, UX

New License Management Page

If you have a tiered license (SecureTrack+, SecureChange+, or Enterprise), you can now view detailed information on the licenses installed in your system. The legacy License Management page has been replaced with a more modern user interface that shows only the information required to understand the license status of your TOS deployment. This includes the license tier you purchased as well as important license information, such as when it expires. The license tier is now enforced by the product.

The new License Management page is only available to SecureTrack Super Administrators.

Categories: Deployment, Appliance

New Gen 4.5 Appliances (T-820/T-1220)

The Tufin T-820/T-1220 are the latest appliances in Tufin's T-series. These new appliances are designed to deliver best-in-class security policy orchestration, compliance, and visibility for today's dynamic network and cloud environments. With the T-820/T-1220 you receive an all-in-one solution for managing security policies across heterogeneous networks, simplifying the complexity of security operations and ensuring continuous compliance with regulatory standards. Using cutting-edge hardware and the Tufin Orchestration Suite, these appliances offer superior performance, scalability, and high availability to meet the demands of any size organization. With a user-friendly interface and advanced automation capabilities, they make it easy to manage security policies, monitor and report on compliance, and quickly automate security changes across your hybrid networks.

The T-820/T-1220 appliances come pre-installed with TufinOS and TOS Aurora.

Categories: Deployment

New Supported Operating Systems

In June 2024, RHEL/CentOS 7 reach EOL (end of life), as does TufinOS 3, which is based on CentOS 7. TufinOS 4 and Red Hat Enterprise Linux/Rocky Linux 8.6 are the new supported operating systems for TOS Aurora. These operating systems are available for both clean installs and upgrades on virtual machines and appliances deployed on-premises. For cloud deployments, only Rocky Linux 8.6 will be supported.

Supporting these operating systems from 2023 gives you longer coverage and lets you plan the move to the new operating system well before your existing operating system becomes EOL in 2024.

Categories: Cloud, Deployment, GCP, HA

High Availability in GCP Over Three Availability Zones

High availability is now supported for GCP over three availability zones, giving you a higher level of resilience and availability when deploying on this cloud platform.

Categories: Devices, Palo Alto Networks, Platforms

Palo Alto Networks Prisma Access Policies

You can use TOS Aurora to monitor Palo Alto Networks Prisma Access Policies managed by Panorama devices, giving you enhanced control and visibility into these policies with Tufin's built-in reports.

With TOS support for Prisma Access Policies you can also:

  • Save valuable time and effort in identifying rules via the Rule Viewer.

  • Compare revisions in SecureTrack to reduce the effort of change tracking.

  • Streamline cleanup processes using Tufin's Automated Workflows: Clone Network Object Policy, Network Object Decommission, and Rule Decommission.

  • Simplify the certification process using the Rule Recertification workflow.

  • Empower your firewall administrators to modify rules and groups via auditable workflows such as Group Modification and Rule Modification.

  • Automate Access Requests in non-topology mode to avoid risks and reduce the time it takes to implement network changes.

In addition, monitoring Prisma Access Policies with TOS eliminates the need to manually prepare for audits on these policies and to manually perform time-consuming and error-prone policy changes. You can now take full advantage of TOS Aurora's automation capabilities for this device.

Categories: Check Point, Devices, Platforms

Check Point Smart-1 Cloud

You can use SecureTrack to manage your policies on Check Point Smart-1 Cloud. Tufin offers full feature parity with on-premises Check Point management platforms to ensure a smoother transition to the cloud without compromising on policy management capabilities. You can leverage the scalability and flexibility of Smart-1 Cloud while still getting the Tufin value for visibility, topology, cleanup, compliance, and automation.

Categories: Cisco, Devices, Platforms, Topology

Cisco Viptela Topology Support

You can view Cisco Viptela cEdge devices in SecureTrack's Interactive Map, including OMP routes, SD-WAN interfaces and SD-WAN labels. This provides a holistic view of your SD-WAN environment, empowering your administrators to quickly identify and resolve connectivity challenges across complex networks, and ensures precise firewall target selection as part of the access request workflow to streamline the change process.

Categories: Automation, Azure, Cloud, Devices, Platforms

Azure NSG Automation - Verifier Support

You can run Verifier on automated change requests that go through Azure Network Security Groups (NSGs), ensuring that the requested traffic in the Access Request ticket is implemented and allowed on the policies in the path. NSGs can be automatically suggested as a target for the access request. Being able to run Verifier on them as well enables you to automatically close tickets and save significant amounts of time and resources that would otherwise be needed to review the requests.

Categories: Azure, Cisco, Cloud, Devices, Platforms

Default Custom Logging for Cisco ASA in Designer

You can configure Designer to automatically create new rules with custom logging for Cisco ASA devices, eliminating the need for manual intervention and helping achieve zero-touch automation. You can associate different types of logging with different Cisco ASA devices.

Categories: API, SecureChange

Get the URL Category Zone

A new API gets the URL Category zone defined for path calculation and target selection. This zone is defined on the SecureTrack Zones page.

Categories: API, SecureChange

Set the URL Category Zone

A new API sets a zone as the URL Category zone for path calculation and target selection. User networks and Unassociated Networks zones cannot be used as the URL Category zone.

Categories: API, SecureChange

Trigger Commit Now in a SecureChange Ticket

A new API runs Commit Now for a specific device in a SecureChange ticket. You can use this API to automate retries of Commit Now, or to implement customized change windows for a given device. This is available for Check Point R80+, FortiManager, and Panorama.

Categories: GraphQL, SecureTrack

Retrieve Changes in a Revision Affecting a Rule

A new GraphQL query returns all changes made in a selected revision that affect the requested rule.

Categories: GraphQL, SecureTrack

Retrieve the List of Revisions Affecting a Rule

A new GraphQL query returns a list of revisions, in the requested time frame, that contain one or more changes affecting the requested rule. The result includes accountability information.

Categories: API, SecureTrack

NAT Information Per Revision

A new API retrieves NAT information for security rules in a specific revision. Previously, obtaining NAT information for security rules was limited to the last revision fetched from the device.

Categories: API, SecureTrack, Topology

Retrieve Dynamic Topology Data from Specific Devices

A new API retrieves dynamic topology data from a specific device tree. This lets you refresh a subset of the data in the Interactive Map without running a full topology sync, saving time and helping you keep your topology data up to date.

Categories: API, SecureApp

Get SecureApp Network Objects by IP, Subnet and Comment

You can use the SecureApp REST API to get network objects by IP address, subnet and comment, in addition to name. This enhancement further aligns the REST API capabilities with those of the SecureApp user interface.

Two API functions have been enhanced:

  • network_objects allows you to search all applications for network objects by their IP address

  • /applications/{applicationId:0-9}+/network_objects allows you to search a specific application for network objects.

A new API function, server_lookup, gets network objects according to the subnet the server is located in, the server's IP address, or comment.

Categories: AWS, Cloud, Deployment, Devices, Platforms

VMware NSX-T on AWS (VMware Cloud)

VMware NSX-T on AWS (VMware Cloud) is supported for TOS, enabling you to migrate and extend your on-premises VM environment to Amazon's platform. With this ability you can embrace the flexibility and scalability offered by the cloud while still maintaining the value derived from TOS Aurora's unique policy management capabilities.

TOS Aurora provides complete feature parity with on-premises NSX deployments.

Categories: Cloud, Compliance, Risk, Security

Accurate Risk Assessments for Cloud Assets Exposed to the Internet

SecureCloud now displays a risk assessment for assets exposed to the internet based on the data returned from the firewalls monitored by SecureTrack. With this information you can perform more accurate risk assessments based on the aggregated data collected from cloud-native controls as well as virtual firewalls deployed in the cloud. This reduces false-positive risk assessments (both from Tufin and third-party vendors) and improves the overall effectiveness of risk prioritization.

Categories: Compliance, Risk, Rule Viewer, Security

Rule History Visibility

You can now use the Rule Viewer to view the change history of a rule and get instant visibility into rule changes and rule metadata changes as they occur. This saves time when recertifying rules and when troubleshooting security breaches and outages caused by rule changes. The information is displayed in a new Rule History tab listing all the rules that were changed, when they were changed and by whom. Selecting a rule provides more details about the specific changes that were made.

Being able to retrieve the rule history will also simplify audits. You can select the relevant rules and export their history as a CSV file, which can then be sent to the auditor for review.

Categories: Extensions, SecureChange, UX

Extension Apps in SecureChange Navigation Menu

The Extension Apps have been added to the SecureChange navigation menu, enabling you to easily navigate from TOS to your installed apps. If an app is not installed, you will be redirected to a page where you can learn more about it.

Categories: SecureChange, UX

New Requests Page

The SecureChange legacy Requests page has been replaced with a new page that offers a more modern user experience for SecureChange users looking to view their requests. New features include the ability to add and remove columns and sort the list of requests.