R25-1 Pre-Installation Information

Integrity Checks

Each TOS version is published with two SHA values (SHA-256 and SHA-1). You can verify the integrity of the TOS installation package by running an integrity check before you install it on your servers. If the output is identical to the SHA values for the relevant TOS version, you can safely install the TOS package.

To verify the integrity, run the following commands:

[<ADMIN> ~]$ sha256sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz
[<ADMIN> ~]$ sha1sum tos-xxxx-xxxxxxxx-final-xxxx.run.tgz

R25-1 PGA.0.0

Item           Details
Run file name  tos_25-1-pga.0.0-final-25670.run.tgz
sha256         8cc436fa0852cd496ad5fa86105ed0df099acbc27619f37b86a9dca1f7de0a30
sha1sum        732eaf379419476005858fb4367d94703443d7ad

R25-1 PRC1.1.0

Item           Details
Run file name  tos_25-1-prc1.0.0-final-24116.run.tgz
sha256         3f6f4364da5d7f90f44153d9566d53a7a2bdc233022a28c95d64d7ba4ee316b1
sha1sum        124540cf6baadb793e5f05a1de293bbadf76f41c
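
The integrity check above can be scripted so that the comparison is not done by eye. The following is an added example, not part of the TOS package or Tufin's tooling; verify_tos_package and its helpers are hypothetical names, and it assumes sha256sum and sha1sum are available as in the commands above.

```shell
#!/bin/sh
# Added example: compare a downloaded package against both published SHA values.
# Function names are hypothetical; they are not TOS commands.

# Strip whitespace and lower-case a pasted digest.
normalize_digest() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# True if $1 is exactly $2 lower-case hex characters (catches truncated pastes).
is_hex_digest() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# Usage: verify_tos_package <file> <published-sha256> <published-sha1>
# Returns 0 only when BOTH digests match the published values.
verify_tos_package() {
    pkg=$1
    want256=$(normalize_digest "$2")
    want1=$(normalize_digest "$3")

    [ -r "$pkg" ] || { echo "ERROR: cannot read $pkg" >&2; return 1; }
    is_hex_digest "$want256" 64 || { echo "ERROR: malformed sha256 value" >&2; return 1; }
    is_hex_digest "$want1" 40 || { echo "ERROR: malformed sha1 value" >&2; return 1; }

    # Hash from stdin so the output never depends on the file name.
    got256=$(sha256sum < "$pkg" | cut -d' ' -f1)
    got1=$(sha1sum < "$pkg" | cut -d' ' -f1)

    rc=0
    if [ "$got256" != "$want256" ]; then
        echo "MISMATCH sha256: got $got256, expected $want256" >&2
        rc=1
    fi
    if [ "$got1" != "$want1" ]; then
        echo "MISMATCH sha1: got $got1, expected $want1" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $pkg matches both published values"
    fi
    return "$rc"
}

# Stand-alone use: sh verify.sh tos-xxxx-xxxxxxxx-final-xxxx.run.tgz <sha256> <sha1>
if [ "$#" -eq 3 ]; then
    verify_tos_package "$@"
fi
```

Pass the run file name and the two values listed for your release; a non-zero exit status means the package should not be installed.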

Before Installing or Upgrading

  • License usage data will be automatically collected from TOS. All TOS users will need to be able to access aus.tufin.com from the browsers on their workstations. For more information, see Send Reports Automatically.

  • The /opt partition storage usage should not exceed 70% of the available space to ensure proper TOS functionality.

  • All SNMP inbound queries (such as walk, get, and getNext) will be disabled by default.

    To enable SNMP v2 walk and get queries, after the installation/upgrade, run the following CLI command on the initial data node as a user with root privileges.

    tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower

Changes to Ports and CLI Commands

Ports

  • There is a new port mapping for unencrypted TCP syslogs.

    Source: 601

    Destination: 32514

    The port is one of the default ports for tos cluster syslog-vip add

CLI Commands

  • TCP-plain is a new protocol option for unencrypted TCP syslogs used in tos cluster syslog-vip add --transport.

Additional Information

  • Upgrades from R24-2 and earlier may take up to two hours longer due to a data migration process that is needed for R25-1 and later.

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • For Check Point R80 devices, a new revision is automatically retrieved when you upgrade, and therefore Compare Revisions may show changes for all the existing network objects.

    Before you upgrade, make sure you have a recent (≤ 3 months old) Check Point Jumbo Hotfix version installed on your device. See the Check Point Support Center for more information on how to verify which Jumbo Hotfix version is installed.