What's New in TOS 5

The list below will sometimes include upcoming versions that are not yet released. Check available versions.

New naming convention

Starting with 5.0.00, we are introducing a new naming convention for TOS. Platform version replaces major version and feature version replaces minor versions of type PGA and PHF. As new features and bug fixes are made available, they are released as new feature versions within that platform version.

  • Platform version: Includes many versions - an initial release version, a number of feature versions, plus unplanned versions if and when needed. Platform version examples: TOS 5, TOS6.

  • Initial release version: The first version, not for production deployment. Meant to test and verify that the new TOS infrastructure deploys and runs smoothly in a lab environment. It contains infrastructure updates and bug fixes, but little or no new features. Examples: 5.0.00, 6.0.00.

  • Feature versions: These versions are production-ready. They contain feature enhancements and bug fixes with little or no infrastructure changes. They will typically be spaced out around six weeks apart. Updating to a feature version within the same platform version generally takes less time than updating to a new platform version. Examples: 5.1.0, 5.2.0, 6.1.00.

The previous naming convention (e.g. R25-2 PHF3.0.0) will continue be used for R25-2 and earlier versions. For more information, see the Tufin Customer Portal

5.2.00

To filter the results, enter text in one or more of the filter fields. Clear the fields to see all items.

Feature

Description

Zone API

A new API to create, update and retrieve SecureTrack zones.

Benefits:

  • Automation of zone maintenance and reporting

  • Reduced time and costs of audit preparation

USP Viewer Scroll Bar

Vertical and horizontal scroll bars appear when needed in the USP Viewer.

Benefits:

  • Improved user experience

View Reports Permissions

SecureChange admins can define for each user whether they can generate reports on all tickets or only their own.

Benefits:

  • Improved control over access

  • Implementation of least-privilege security

Check Point License Consumption API

With this API, you can enable or disable specific Check Point module gateways that have been decommissioned or are standby / test devices, from license counting. You only pay for the devices that deliver value; disabled devices do not consume a license but remain visible in TOS.

Benefits:

  • Reduced TOS licensing costs

PAN IPv6 Support In Topology Map

TOS now supports IPv6 interfaces and routing (static and dynamic) for Palo Alto Networks devices managed by Panorama, across both advanced routing and legacy routing modes. IPv6 traffic is included in topology mapping, path analysis, and rule matching. In addition, SecureChange access requests now support IPv6 for automatic target selection on PAN devices.

Benefits:

  • Improved troubleshooting for IPv6 connectivity.

  • Improved overall automation accuracy.

Push Tufin-Only Changes to Panorama

As part of 'Commit Now' and 'Change Window' in SecureChange, TOS performs two actions in Panorama: 'Commit to Panorama' (can be scoped to Tufin user changes) and 'Push to Devices' (previously always pushed all user changes). The new enhancement lets you configure the 'Push to Devices' scope — either all Panorama users or Tufin user changes only.

Benefits:

  • Reduced risk by ensuring only approved, Tufin-managed changes are pushed.

  • True zero-touch automation — controlled committing and pushing without manual intervention

  • Reduced operational overhead by eliminating the need to manually manage Panorama commits and pushes

Push changes to DGs only

You can now configure TOS to push only device group policy changes to Panorama-managed firewalls, without pushing Panorama templates.

Benefits:

  • Prevention of unintended template deployments during SecureChange provisioning.

  • Reduced risk of operational errors and application downtime by ensuring only approved, TOS-managed changes are pushed.

  • Zero-touch automation and reduced change SLA by enabling TOS to commit and push without manual intervention.

Guardicore and Illumio Microsegmentation Topology

TOS topology now includes microsegmentation devices in path analysis. When source/destination is a managed asset, TOS detects and shows the microsegmentation device on the path with its matching rules (including tag-based, tag group, and alert rules). Supports same-subnet and behind-cloud scenarios. You can select Guardicore/Illumio assets as path query endpoints.

Benefits:

  • Reduced MTTR when microsegmentation is part of the path.

  • Fewer manual investigation steps means less engineering time spent per incident.

  • End-to-end path analysis across firewalls, cloud, SASE, and microsegmentation is available in one unified view, so teams identify the blocking rule, whether a firewall or a Guardicore/Illumio tag-based rule.

Zscaler Designer Objects

Designer now suggests updating and creating groups as needed on Zscaler ZIA instead of raw embedded IP addresses or services,

Benefits:

  • Cleaner, more maintainable firewall change suggestions for these OPM-managed devices.

  • Improved policy readabilty and maintinability

Guardicore and Illumio Microsegmentation in Rule Viewer

You can now get deep, tag-aware visibility into Guardicore policies in the Rule Viewer- including resolving tags to assets, filtering rules by asset tags, IPs or names, and tracking rule history changes triggered by asset tag updates.

Benefits:

  • Full transparency into which assets tag-based rules cover.

  • Faster, more accurate policy analysis and auditing.

  • Meaningful change tracking without noise.

  • Accurate permissiveness scoring.

  • Identification and clean up unused Guardicore rules using last hit data which reduces the attack surface and risk. Enterprise-scale support (300K assets).

Palo Alto Strata Cloud Manager

You can now detect USP violations, view topology run path analysis for Strata Cloud Manager NGFW policies.

Benefits:

  • Improved operational efficiency

  • Time saving in troubleshooting and audit preparation

  • Reduced MTTR

  • Improved security

  • Continous compliance.

Static NSX-T Groups

The group modification workflow now lets you add/remove objects from static NSX-T security groups or create new groups, and provision the changes seamlessly.

Benefits:

  • Reduced SLA by using an automated workflow.

5.1.01

Bug fix only. See 5.1.00 for feature enhancements.

5.1.00

This is the first GA release of TOS 5

To filter the results, enter text in one or more of the filter fields. Clear the fields to see all items.

Feature

Description

Arista VeloCloud

VeloCloud SD-WAN devices can now be monitored by TOS, bringing them into the unified control plane used to manage and monitor firewalls, routers, cloud resources, and hybrid environments. Security and traffic policies from VeloCloud are visible, validated, and governed like all other network devices.

Benefits:

  • Consistent security policies across the entire hybrid architecture.

  • Faster, safer change implementation.

  • Stronger compliance posture and audit readiness.

  • Reduced operational complexity and misconfiguration risk.

  • Improved incident response through unified path visibility.

See SecureTrack features and SecureChange features for Arista VeloCloud.

TufinAI Executive Dashboard

TOS administrators can now to craft their own dashboards and define charts to present unique and customized aggregations over security rules and SecureChange tickets. Based on specifications given in natural language, AI-generated code fetches filtered data from TOS and renders it into charts and reports.

Benefits:

  • Generate your own dashboards and reports

  • Examples: Daily monitoring, proof of ROI, compliance audit preparation, policy cleanup planning, ticket SLA, policy vulnerabilities.

See Personalize TufinAI Executive Dashboard.

Cisco FMC - FQDN

FQDN objects are now supported for Cisco FMC including visibility, topology, compliance, and access request automation. Visibility into FQDN content is supported in the Rule Viewer and Compare Revisions. You can run path analysis queries by using FMC FQDN objects and identify allowing/blocking rules. You can automate access requests that include FQDN objects where rules have to be changed / added, including target selection, design, verification and provisioning.

Benefits

  • Reduced SLA through fully automated access request handling.

  • Improved accuracy

See SecureTrack and SecureChange features for Cisco FMC.

Azure Usage Analysis

TOS now supports VNet flow logs, and Azure resource specific log analytics collection to provide cleanup and optimization insights for Azure NSGs and firewalls.

Benefits:

  • Reduced attack surface

  • Improved security posture

  • Reduced time spent on manual cleanup/optimization

See Azure configuration for flow logs.

RHEL 9 / Rocky Linux 9

TOS can now be installed on Red Hat Enterprise Linux 9 and Rocky Linux 9 operating systems

Benefits:

  • Addresses market demand to install TOS on more recent operating system versions

  • Improves security and compliance posture

  • Streamlines deployment

See TOS release history.

Monitor AWS using SDK2

Amazon's AWS SDK v1 has reached end of support, and will not receive further security or new region updates. Therefore, for all new installations, TOS will monitor AWS using SDK v2. For upgrades, from older installations, TOS will continue using SDK v1.

By the end of the year, SDK v2 will become the default both for clean installs and upgrades from previous versions.

All TOS enhancements for AWS added in TOS 5 and later will require AWS SDK v2.

Therefore, we recommend moving to AWS SDK v2.

Benefits:

  • Ensures latest AWS security and other updates

  • Access to the latest TOS features for AWS (RDS, prefix lists and opt-in regions)

See Use AWS SDK v2 for AWS monitoring.

AWS RDS Visibility & Policy Support

AWS RDS instances are now visible in TOS. Security Group policies applied to RDS endpoints can be viewed, searched by IP, and included in topology and path analysis.

TOS retrieves AWS RDS instances and associates their security groups, modeling them as network entities. RDS instances are counted as licensed VM entities.

This feature requires AWS SDK v2.

Benefits:

  • Full visibility of policies protecting AWS databases.

  • Accurate path analysis to RDS endpoints.

  • Improved compliance posture for AWS environments.

See SecureTrack Features by Vendor > Amazon.

AWS Opt-in Regions By Assume Role

TOS now supports monitoring AWS opt-in regions using assume role authorization. TOS can monitor the accounts and resources deployed in the opt-in regions by AWS using assume role authorization. Requires enablement of AWS SDK2. Otherwise, a local user must be used for authentication and authorization.

This feature requires SDK v2.

Benefits:

  • Full visibility of policies protecting AWS databases.

  • Accurate path analysis for resources deployed in opt-in regions

See SecureTrack Features by Vendor > Amazon.

Cisco IOS-XE SDWAN (cEdge) - GRE Tunnel support

Cisco IOS-XE SDWAN (cEdge) - GRE Tunnel support

  • Accurate topology map including GRE tunnels enables E2E automated change process

  • Facilitates shorter SLAs

  • Fewer manual errors

See SecureTrack Features by Vendor > Cisco.

5.0.00

This is the initial release, not for production.

To filter the results, enter text in one or more of the filter fields. Clear the fields to see all items.

Feature

Description

Initial Release

5.0.00 is the first version of the TOS 5 platform version. It is not for production deployment but rather meant to test and verify that the new TOS infrastructure deploys and runs smoothly in a lab environment. Generally first versions of platform versions contains infrastructure updates and bug fixes, but little or no new features. Subsequent versions starting with 5.1.00 will contain new features.

New Naming Convention

Starting with 5.0.00, we are introducing a new naming convention for TOS. Platform version replaces major version and feature version replaces minor versions of type PGA and PHF. As new features and bug fixes are made available, they are released as new feature versions within that platform version.

The previous naming convention (e.g. R25-2 PHF3.0.0) will continue be used for R25-2 and earlier versions only.

  • Platform version: Includes many versions - an initial release version, a number of feature versions, and unplanned versions if needed. Platform version examples: TOS 5, TOS6.

  • Initial release version: The first version, not for production deployment. Meant to test and verify that the new TOS infrastructure deploys and runs smoothly in a lab environment. It contains infrastructure updates and bug fixes, but little or no new features. Examples: 5.0.00, 6.0.00.

  • Feature versions: These versions are production-ready. They contain feature enhancements and bug fixes with little or no infrastructure changes. They will typically be spaced out around six weeks apart. Updating to a feature version within the same platform version generally takes less time than updating to a new platform version. Examples: 5.1.0, 5.2.0, 6.1.00.

For more information, see the Tufin Customer Portal