Tufin Orchestration Suite Aurora Release Notes
Version R21-2P

Table of Contents

R21-2 Aurora PHF2.0.0 Release Notes
  Installing/Upgrading TOS Aurora
End of Support and Deprecated Features
  TOS Classic End of General Support
  TOS Aurora Deprecated Features
SecureTrack Release Notes
  Issues Resolved in SecureTrack R21-2 (Aurora)
  Known Issues in SecureTrack R21-2 (Aurora)
SecureChange Release Notes
  Issues Resolved in SecureChange R21-2 (Aurora)
  Known Issues in SecureChange R21-2 (Aurora)
Patents and Trademarks

Copyright 2003-2022, Tufin Software Technologies Ltd.

R21-2 Aurora PHF2.0.0 Release Notes

Resolved Issues from Previous Releases

Tufin Orchestration Suite (TOS) R21-2 Aurora PHF2.0.0 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.

All Resolved Issues

• This release
• R21-1 PHF1.1.0 Aurora

Installing/Upgrading TOS Aurora

If you have FortiManager devices in SecureTrack, after upgrading you are going to need to add a SAN signed certificate to each device.

TOS Aurora is the next generation platform of Tufin Orchestration Suite, with newly enhanced versions of features you rely on.

There are three options for installing or upgrading TOS Aurora:

• New installation: Installing TOS Aurora on a new environment. For more information, see Clean Install procedures.
• Aurora to Aurora upgrade: Upgrading an older version of TOS Aurora to a newer version of TOS Aurora. For more information, see Upgrade From TOS Aurora.
• Classic to Aurora upgrade: Upgrading TOS Classic to TOS Aurora. To help you perform the Classic to Aurora upgrade, Tufin developed the Upgrade Planner. The Upgrade Planner collects TOS environment and setup information to determine whether your current environment is compatible with TOS Aurora.
For more information, see:

• Upgrade Planner - TOS Classic to TOS Aurora
• Before You Upgrade from TOS Classic to TOS Aurora

To perform a Classic to Aurora upgrade, contact Tufin Support.

To obtain the TOS Aurora installation files, see the Download Center in the Customer Portal.

Upgrade Paths and Compatibility

To view the supported upgrade paths for TOS Aurora, see the TOS Aurora Lifecycle and Build History page.

Always review the Compatibility Notes prior to installing an upgrade. Make sure to read the additional notes in the Release Notes for each version in your upgrade path.

TufinOS Compatibility

Tufin Orchestration Suite R21-2 Aurora requires TufinOS 3.50 and above. We recommend that you install the latest version of TufinOS available.

The latest version of TufinOS available can be downloaded from the Customer Portal:

• In the Download Center in the Customer Portal
• In the New Version Support page, as part of the installation/upgrade files.

| Feature | Removed from New Installations | Removed from All Installations |
|---|---|---|
| Policy Analysis Report | R21-3 Aurora | R22-2 Aurora |
| Risk Charts | R21-3 Aurora | R22-2 Aurora |
| Compliance Policies | R21-3 Aurora | R22-2 Aurora |
| Regulations Audit Browser | R21-3 Aurora | R22-2 Aurora |
| Rule Documentation Report | R21-3 Aurora | R22-2 Aurora |
| Security Risk Report | R22-1 Aurora | R22-2 Aurora |
| Expired Rules Report | R22-1 Aurora | R22-2 Aurora |

Additional Stuff to Know

• Starting from R21-2 Classic, all devices need TLS 1.2. SecureTrack will not retrieve revisions from devices with TLS 1.0 or 1.1.
• Starting from R20-2, the Web Server certificate validity will be decreased to 395 days for clean installations.
• Tufin Orchestration Suite validates user information for many fields in SecureTrack and SecureChange, such as user names and email addresses. If a field contains invalid information, you will not be able to create or modify the field until the invalid information has been corrected. See Input Validation for details.
• Starting with Tufin Orchestration Suite R19-2, SecureChange will verify that devices are suitably licensed for both SecureChange and Provisioning during ticket handling. We strongly recommend checking that all devices used in the system are fully licensed prior to upgrading, as unlicensed devices may cause unplanned interruptions when performing SecureChange operations. To review the status of all your licenses, see Viewing License Status. For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange. For more information about licensing, contact your Tufin partner or email us at salesops@tufin.com.
• Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.
• To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.
• For Check Point R80 devices, when you upgrade from R18-3 and below to R19-1 and above, a new revision is automatically retrieved. After upgrading, Compare Revisions may show changes for all the existing network objects. Before you upgrade, make sure you have a recent (from the last 3 months) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.
• Microsoft Internet Explorer (IE): Release R20-1 is the last release that supports IE. From release R20-2, Tufin support for IE will reach its "end of life" (EOL). Tufin will support Microsoft Edge version 80.0.x (and above) and will continue to support Chrome version 80.0.x (and above) and Firefox version 73.0.1 (and above).
• SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:
  • Chrome: versions 79 and 80.
  • Firefox: version 72
  We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts:
  • Ultimate Security Professional Blog: SameSite cookies - Everything You Need to Know
  • Medium: Why you need to care about Google's change to the SameSite cookie attribute

End of Support and Deprecated Features

TOS Classic End of General Support

General support for TOS Classic ends December 31, 2022.

End of Support Schedule

• R21-3: Last release of TOS Classic. Only hot fixes with bug fixes will be available after this release; no new features will be added.
• December 2022: End of General (Hot Fix) support. No new general hot fixes will be available after this date. Support patches will still be available for customers with Extended Support on a case-by-case basis.
TOS Aurora Deprecated Features

The following features will no longer be available in future releases of TOS Aurora:

| Feature | Removed from New Installations | Removed from All Installations | Announcement Date |
|---|---|---|---|
| Policy Analysis Report | R21-3 Aurora | R22-2 Aurora | June 2021 |
| Risk Charts | R21-3 Aurora | R22-2 Aurora | June 2021 |
| Compliance Policies | R21-3 Aurora | R22-2 Aurora | June 2021 |
| Regulations Audit Browser | R21-3 Aurora | R22-2 Aurora | June 2021 |
| Rule Documentation Report | R21-3 Aurora | R22-1 Aurora | June 2021 |
| Security Risk Report | R22-1 Aurora | R22-2 Aurora | June 2021 |
| Expired Rules Report | R22-1 Aurora | R22-2 Aurora | June 2021 |
| Integration with Puppet Labs | Not available in any TOS Aurora releases. | Not available in any TOS Aurora releases. | August 2021 |
| Integration with Cisco ACI Application | Not available in any TOS Aurora releases. | Not available in any TOS Aurora releases. | August 2021 |

Policy Analysis Report

In TOS Aurora version R21-3, the Policy Analysis Report will not be available.

We recommend you consider using the following feature instead:

• Rule Viewer

End of Life Schedule

• 21-3: Unavailable in new installations and removed from installations not currently using the feature
• 22-1: Removed from all installations

Risk Charts

In TOS Aurora version 21-3, the new USP Compliance widget will replace the Risk Chart in the Dashboard. The Compliance widget can be configured to calculate risk by USP and can be accessed from the USP Viewer.

End of Life Schedule

• R21-3: Unavailable in new installations
• R22-1: Removed from installations not currently using the feature
• R22-2: Removed from all installations

If you still require access to the old Risk Dashboard, contact Tufin support.

Compliance Policies

In TOS Aurora version R21-3, the Compliance Policies feature will not be available. If you currently use the Compliance Policies, the feature will still be available until version R22-2, but will no longer be available after that release.
We recommend you consider using the following features instead:

• Unified Security Policy
• USP Alerts Manager
• USP Exceptions

These features give you greater flexibility in the number of zones that you can configure and allow you to define the requirements that you need.

End of Life Schedule

• R21-3: Unavailable in new installations
• R22-1: Removed from installations not currently using the feature
• R22-2: Removed from all installations

Regulations Audit Browser

In TOS Aurora version R21-3, the Regulations Audit Browser will not be available. If you currently use the Regulations Audit Browser, the feature will still be available until version R22-2, but will no longer be available after that release.

We recommend you consider using the following features instead:

• Unified Security Policy
• SecureTrack Reporting Essentials

End of Life Schedule

• R21-3: Unavailable in new installations
• R22-2: Removed from all installations

Rule Documentation Report

In TOS Aurora version R22-1, the Rule Documentation Report will not be available.

We recommend you consider using the following feature instead:

• Rule Viewer

End of Life Schedule

• 21-3: Unavailable in new installations
• 22-1: Removed from all installations

Security Risk Report

In TOS Aurora version R22-1, the Security Risk Report feature will not be available. If you currently use the Security Risk Report, the feature will still be available until version R22-2, but will no longer be available after that release.

We recommend you consider using the following features instead:

• Unified Security Policy
• SecureTrack Reporting Essentials

The Unified Security Policy feature gives you greater flexibility in the number of zones that you can configure and allows you to define the requirements that you need.

End of Life Schedule

• R21-1: Unavailable in new installations
• R22-2: Removed from all installations
Expired Rules Report

In TOS Aurora version R22-2, the Expired Rules Report will not be available.

We recommend you consider using the following feature instead:

• Rule Viewer

End of Life Schedule

• 22-1: Unavailable in new installations
• 22-2: Removed from all installations

Integration with Puppet Labs

SecureApp integrated with TOS Aurora will not support integration with Puppet from Puppet Labs®.

End of Life Schedule

• Not available in any TOS Aurora releases.

Integration with Cisco ACI Application

SecureApp integrated with TOS Aurora will not support integration with Cisco ACI Applications.

End of Life Schedule

• Not available in any TOS Aurora releases.

Deprecated Devices

The following devices will not be fully supported in future versions of TOS:

Fortinet FortiManager - Basic Mode

As of R19-3, creating new Fortinet FortiManager - Basic Mode devices is not supported. As of R22-1, retrieving new revisions is not supported. For other limitations of FortiManager Basic, see Notes for FortiManager Basic. If you use FortiManager devices, we recommend using Advanced mode, which is still supported by Tufin.

End of Life Schedule

• R19-3: Installing new devices not supported
• R22-1: Retrieving new revisions not supported

Palo Alto Networks Panorama - Basic Mode

As of R19-3, creating new Palo Alto Networks Panorama - Basic Mode devices is not supported. As of R22-1, retrieving new revisions is not supported. For other limitations of Panorama Basic, see Notes for Panorama Basic. If you use Panorama devices, we recommend using Advanced mode, which is still supported by Tufin.

End of Life Schedule

• R19-3: Installing new devices not supported
• R22-1: Retrieving new revisions not supported

Panorama Version 8 and earlier

No longer supported

End of Life Schedule

• 22-1: Unavailable in new installations and not supported
SecureTrack Release Notes

Issues Resolved in SecureTrack R21-2 (Aurora)

R21-2 PHF2.0.0

SecureTrack version R21-2 PHF2.0.0 includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category | Reference ID | Description |
|---|---|---|
| Device Monitoring | TOS-39166 | For Cisco FMC devices, resolved an issue causing the date in device syslogs with a priority code to be parsed incorrectly. (SR86135, SR83985) |
| Device Monitoring | TOS-39288 | For Juniper SRX devices, resolved an issue preventing syslogs from being retrieved because certain calculations were impacted by a deleted device that had not been removed from the database. (SR86831) |
| Notifications | TOS-37576 | Resolved an issue of false admin alerts about neo4j. (SR84494) |
| Notification | TOS-38979 | Resolved an issue of node status messages being sent without justification. Examples: Probe Failed.., Node degraded.., Node healthy.... (SR85055) |
| Topology | TOS-40501 | For Azure Virtual Networks, resolved an issue preventing SecureTrack from retrieving dynamic topology data when there is a user-defined route with a service tag in the address prefix. (SR72996) |
| Upgrade/Installation | TOS-37984 | Resolved an issue preventing upgrade to TOS Aurora due to bridge service error E11000. (SR85953) |

Also in:

• TOS-39166: R21-2 HF3, R21-3 HF1
• TOS-39288: R22-1 PRC1.0.0
• TOS-37576: R22-1 PRC1.0.0, R21-3 PGA.0.0
• TOS-38979, TOS-40501 and TOS-37984 (values in row order): R22-1 PRC1.0.0, R21-3 PGA.0.0, R22-1 PRC1.0.0, R21-2 HF1, R21-3 RC1, R21-3 PGA.0.0, R22-1 PRC1.0.0

R21-2 PHF1.1.0

SecureTrack version R21-2 PHF1.1.0 includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category | Reference ID | Also in | Description |
|---|---|---|---|
| Security | TOS-39138 | | Mitigated the CVE-2021-44228 (Apache Log4Shell) and CVE-2021-45046 vulnerabilities. |

R21-2 PHF1.0.0

SecureTrack R21-2 PHF1.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.
| Category | Reference ID | Also in | Description |
|---|---|---|---|
| Device Monitoring | TOS-34684 | | Resolved an issue causing the output files from a certain script to be stored in the /tmp folder. (SR78053) |
| Device Monitoring | TOS-34910 | R21-3 PRC1 | For Check Point CMA devices, resolved an issue preventing SecureTrack from stopping/starting the devices from the Status page. (SR81269) |
| Rule Viewer | TOS-34260 | R21-3 PRC1 | Resolved an issue preventing revisions from being retrieved from rules with very long comments (over 32,000 characters). Long comments are now retrieved, but only the first 32,000 characters will be indexed and searchable. (SR82846) |
| Topology | TOS-36162 | R21-1 HF4, R21-2 HF2, R21-2 PHF2, R21-3 RC1, R21-3 PRC1, R21-3 GA | For Amazon AWS accounts, resolved an issue preventing SecureTrack from retrieving dynamic topology as a result of incorrect authorization credentials sent to AWS when running a topology sync. (SR71499, SR79558) |
| Upgrade/Installation | TOS-34653 | R21-3 PGA, R21-3 PRC1 | For FortiManager devices with large amounts of global rules, resolved an issue preventing the global rules from appearing in the Rule Viewer, which caused delays in the migration from Classic to Aurora. (SR82151) |
| Violations | TOS-33122 | R21-3 PRC1 | For Check Point CMA devices, resolved an issue preventing rules belonging to a group with an Any exclusion from triggering violations. (SR81025) |

R21-2 PGA.2.0

SecureTrack R21-2 PGA.2 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category | Reference ID | Description |
|---|---|---|
| Install/Upgrade | TOS-33527 | Resolved an issue preventing TOS Aurora from being installed on new Gen 4 appliances, or servers with a clean install of TufinOS, and no TOS Classic. |
| Device Monitoring | TOS-34319 | For cloud environments (which have an external load balancer), resolved an issue preventing TOS from processing incoming syslog data. (SR81532) |

Also in:

• TOS-33527 and TOS-34319 (values in row order): R21-2 PHF1

R21-2 PGA.1.0

SecureTrack R21-2 PGA.1 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category | Reference ID | Also in | Description |
|---|---|---|---|
| Install/Upgrade | TOS-33157 | R21-2 HF1.1, R21-2 HF2, R21-3 RC1 | For upgrades to R21-2 GA, resolved an issue preventing subscription only license SKUs from manually being reattached to devices for machines configured with specific timezones. (SR79657, SR79000, SR81009) |

R21-2 PGA.0.0

SecureTrack R21-2 PGA for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category | Reference ID | Description |
|---|---|---|
| Compare | TOS-26650 | For Juniper SRX devices, resolved an issue preventing rules with revisions containing IPv6 objects with a certain address from being displayed in the Compare tab, in the View Policy dialog box. (SR72212) |
| Configuration | TOS-27733 | Resolved an issue causing all timestamps in specific pods to be in the UTC timezone, instead of the configured time zone. (SR71500) |
| Database | TOS-24600 | Resolved a memory issue preventing SecureTrack from calculating violations for devices with interfaces mapped to a large number of zones. (SR70765) |
| Device Monitoring | TOS-26841 | Resolved an issue preventing SecureTrack from processing new revisions. (SR73704) |
| Device Monitoring | TOS-28643 | For Check Point R81 devices, resolved an issue preventing SecureTrack from receiving revisions that include rules with an "interoperable device" network object in the source or destination. (SR74993) |
| Device Monitoring | TOS-30021 | For FortiManager 6.4.6 devices, resolved an issue preventing SecureTrack from pulling revisions. (SR77532) |
| Installation/Upgrade | TOS-29964 | Resolved an issue preventing TOS Classic from being upgraded to TOS Aurora when SecureTrack is monitoring devices with no rules. |
| REST API | TOS-28641 | For managing devices (FortiManager, Panorama, Cisco ASA), resolved an issue causing the Shadowing Rules API function to return incorrect results. (SR77429) |
| Rule Viewer | TOS-26841 | Resolved an issue preventing SecureTrack from processing new revisions. (SR73704) |

Also in:

• TOS-26650 and TOS-27733 (values in row order): R21-1 HF3, R21-2 HF1, R21-3 RC1, R21-2 PHF1
• TOS-24600 and TOS-26841 (Device Monitoring) (values in row order): R21-3 PRC1
• TOS-28643: R21-1 HF2.1, R21-1 HF3, R21-2 HF1
• TOS-30021, TOS-29964, TOS-28641 and TOS-26841 (Rule Viewer) (values in row order): R21-3 RC, R21-2 PHF1, R21-3 PRC1, R21-2 PHF1, R21-3 PRC1, R21-2 HF1, R21-3 RC1, R21-3 PRC1

R21-2 PRC1.0.0

SecureTrack R21-2 PRC1 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category | Reference ID | Also in | Description |
|---|---|---|---|
| Installation/Upgrade | TOS-21696 | | For Classic to Aurora upgrades from R18-2 and below, resolved a cluster management mismatch issue which resulted in spam messages. (SR71028) |

Known Issues in SecureTrack R21-2 (Aurora)

SecureTrack version R21-2 for TOS Aurora has these known issues:

Interactive sessions in multiple tabs of the same browser, the Back button in the web browser, and Internet Explorer prior to version 11 are not supported.

SecureChange Release Notes

Issues Resolved in SecureChange R21-2 (Aurora)

R21-2 PHF1

SecureChange version R21-2 PHF1 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category | Reference ID | Description |
|---|---|---|
| General | TOS-29209 | Resolved an issue causing SecureChange to try and connect to the internet when users log in. (SR76998) |
| Licensing | TOS-35690 | For cloud deployments, resolved an issue preventing SecureChange licenses from being auto-attached to devices. (SR80904) |

Also in:

• TOS-29209 and TOS-35690 (values in row order): R21-2 HF1, R21-3 RC1, R21-3 PRC1, R22-1 PRC1

R21-2 PGA.1

SecureChange version R21-2 PGA.1 for TOS Classic includes no new resolved or updated issues, and all resolved or updated issues from earlier versions.
R21-2 PRC1 and PGA

SecureChange version R21-2 PRC1 and PGA for TOS Aurora includes no new resolved or updated issues, and all resolved or updated issues from earlier versions.

Known Issues in SecureChange R21-2 (Aurora)

SecureChange version R21-2 for TOS Aurora has these known issues:

Interactive sessions in multiple tabs of the same browser, the Back button in the web browser, and Internet Explorer prior to version 11 are not supported.

Patents and Trademarks

See www.tufin.com/patents for patent details.

Trademarks

Tufin, SecureChange, SecureTrack, Automatic Policy Generator, and the Tufin logo are trademarks of Tufin Software Technologies Ltd. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

Some TOP plugins include software developed by Terrapin Communications, Inc. and its contributors for RANCID.

Document Version Information

This document is relevant for all R21-2P releases up to PHF2.0.0.

Published on Tuesday, January 18, 2022 9:54 PM.