tufin R22-1 PHF4.1.0 Orchestration Suite Aurora Owner’s Manual

: June 13, 2024
: Tufin

Table of Contents

tufin R22-1 PHF4.1.0 Orchestration Suite Aurora
Resolved Issues from Previous Releases
Installing/Upgrading TOS Aurora
Upgrade Paths and Compatibility
Additional Information
End of Support and Deprecated Features
SecureTrack Release Notes
SecureChange Release Notes
Patents and Trademarks
References
Read User Manual Online (PDF format)
Download This Manual (PDF format)

tufin R22-1 PHF4.1.0 Orchestration Suite Aurora

R22-1 Aurora PHF4.1.0 Release Notes

Resolved Issues from Previous Releases

Tufin Orchestration Suite (TOS) R22-1 Aurora PHF4.1.0 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.

Installing/Upgrading TOS Aurora

There are three options for installing or upgrading TOS Aurora:

New installation: Installing TOS Aurora on a new environment.
For more information, see Clean Install procedures
Aurora to Aurora upgrade: Upgrading an older version of TOS Aurora to a newer version of TOS Aurora.
For more information, see Upgrade From TOS Aurora
Classic to Aurora upgrade: Upgrading TOS Classic to TOS Aurora.
For more information, see Upgrade TOS Classic to TOS Aurora.

Before You Install R22-1 or Upgrade
When installing or upgrading to R22-1 PHF3.0.0 or later, you can change the default pods network (10.244.0.0/16). The pods network cannot overlap with the:

Services network
The physical address of the TOS Aurora servers
Your primary VIP, Syslog VIP or external load balancer IP
Any other subnets communicating with TOS or with TOS nodes
When installing or upgrading to R22-1 PRC1.0.0, all SNMP inbound queries (such as walk, get, and getNext) will be disabled by default.
To enable SNMP v2 walk and get queries, after the installation/upgrade, run the following CLI command on the initial data node as a user with root privileges
If you have FortiManager devices in SecureTrack, after upgrading you are going to need to add a SAN-signed certificate to each device.

After the upgrade, the license enforcement accuracy of management devices (such as Panorama and FortiManager) will be improved: the license status of the management devices is going to be determined according to the accumulated license statuses of their managed firewalls. As a result, if there is at least one managed firewall with the license status Expired or Unlicensed, the management device will also have the license status Expired or Unlicensed.
To resolve this, you can

Ensure that a valid license is attached to all managed firewalls.
Disable the unlicensed firewalls
Remove the unlicensed firewalls from SecureTrack monitoring.

Upgrade Paths and Compatibility

To view the supported upgrade paths for TOS Aurora, see the TOS Aurora Lifecycle and Build History page.
Always review the Compatibility Notes prior to installing an upgrade. Make sure to read the additional notes in the Release Notes for each version in your upgrade path.

TufinOS Compatibility
Tufin Orchestration Suite Aurora R22-1 Aurora requires TufinOS 3.70 and above. If you are running TufinOS 3.70, we strongly recommend upgrading to at least TufinOS 3.71 as it contains important security fixes. However, it is always best to use the latest version of TufinOS available.

Feature| Removed from New Installations| Removed from New Installations and TOS Upgrades
---|---|---
Policy Analysis Report| R21-3 Aurora| R22-2 Aurora
Risk Charts| R21-3 Aurora| R22-2 Aurora
Compliance Policies| R21-3 Aurora| R22-2 Aurora
Regulations Audit Browser| R21-3 Aurora| R22-2 Aurora
Rule Documentation Report| R21-3 Aurora| R22-2 Aurora
Security Risk Report| R22-1 Aurora| R22-2 Aurora
Expired Rules Report| R22-1 Aurora| R22-2 Aurora

Additional Information

Starting from R22-1 PHF3.0.0, there is a new bulk API that allows the deletion of a management device and all its managed devices.
Starting from R22-1 PHF2.0.0, for Cisco ASA devices, in order to prevent unnecessary ticket dependencies, the Designer creates groups using the timestamp as the suffix of the group name. For example:
NetworkGroup_1657713531
If you want to change back to the previous naming convention, in stconf set the Designer_ASA_Index_Group_Name flag as True.
For more information, see Changing The Naming Convention of Cisco ASA Group Names Created by Designer
SecureChange verifies that devices are suitably licensed for both SecureChange and Provisioning during ticket handling.
Unlicensed devices may cause unplanned interruptions when performing SecureChange operations.
We strongly recommend checking that all devices used in the system are fully licensed prior to upgrading, as unlicensed devices may cause unplanned interruptions when performing SecureChange operations.
To review the status of all your licenses, see Viewing License Status.
For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange.
For more information about licensing, contact your Tufin partner or email us at salesops@tufin.com.
Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.
To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.
For Check Point R80 devices, a new revision is automatically retrieved when you upgrade, and therefore Compare Revisions may show changes for all the existing network objects.
Before you upgrade, make sure you have a recent (from ≤ 3 months) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.
Microsoft Internet Explorer (IE): Internet Explorer will reach its “end of life” (EOL) in R20-2. TOS supports Microsoft Edge version 80.0.x (and above) and continues to support Chrome version 80.0.x (and above) and Firefox version 73.0.1 (and above).
SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:
Chrome: versions 79 and 80.
Firefox: version 72
We strongly recommend upgrading the browsers to these versions. For more information on the SameSite cookie policy change, see the following posts:
Ultimate Security Professional Blog: SameSite cookies – Everything You Need to Know
Medium: Why you need to care about Google’s change to the SameSite cookie attribute Release Notes
R22-1 Aurora PHF4.1.0 Release Notes Copyright

End of Support and Deprecated Features

TOS Classic End of General Support
General support for TOS Classic ends on December 31, 2022.
End of Support Schedule
R21-3: Last release of TOS Classic, only hotfixes with bug fixes will be available after this release; no new features will be added.
December 2022: End of General (Hot Fix) support. No new general hotfixes will be available after this date. Support patches will still be available for customers with Extended Support on a case-by-case basis.

TOS Aurora Deprecated Features
The following features will no longer be available in future releases of TOS Aurora:

Removing Support for TLS 1.0/1.1

Transport Layer Security (TLS) 1.0 and 1.1 were deprecated by the IETF in June 2018, due to security issues.
TOS has supported TLS 1.2 for more than five years and for most services, TLS 1.2 is mandatory.
Until R23-1, the TOS LDAP and SMTP clients will also support older TLS versions – 1.0/1.1. From TOS release R23-2, Tufin will no longer support the old TLS versions for email and LDAP communications.

Policy Analysis Report

In TOS Aurora version R21-3, the Policy Analysis Report will not be available.
We recommend you consider using the following feature instead:
Policy Analysis Report in STRE

End-of-Life Schedule

21-3: Unavailable in new installations and removed from installations not currently using the feature
22-1: Removed from all installations

Risk Charts
In TOS Aurora version 21-3, the new USP Compliance widget will replace the Risk Chart in the Dashboard. The Compliance widget can be configured to calculate risk by USP and can be accessed from the USP Viewer.
End-of-Life Schedule

R21-3: Unavailable in new installations
R22-1: Removed from installations not currently using the feature
R22-2: Removed from all installations
If you still require access to the old Risk Dashboard, contact Tufin support.

Compliance Policies
In TOS Aurora version R21-3, the Compliance Policies feature will not be available. If you currently use the Compliance Policies, the feature will still be available until version R22-2, but will no longer be available after that release.

We recommend you consider using the following feature instead:
- Unified Security Policy
- USP Alerts Manager
- USP Exceptions
These features give you greater flexibility in the number of zones that you can configure and allow you to define the requirements that you need.

End-of-Life Schedule

R21-3: Unavailable in new installations
R22-1: Removed from installations not currently using the feature
R22-2: Removed from all installations

Regulations Audit Browser

In TOS Aurora version R21-3, the Regulations Audit Browser will not be available. If you currently use the Regulations Audit Browser, the feature will still be available until version R22-2, but will no longer be available after that release.
We recommend you consider using the following features instead:
Unified Security Policy
SecureTrack Reporting Essentials

End-of-Life Schedule

R21-3: Unavailable in new installations
R22-2: Removed from all installations

Rule Documentation Report

In TOS Aurora version R22-1, the Rule Documentation Report will not be available.
We recommend you consider using the following feature instead:
Rule Viewer

End-of-Life Schedule

21-3: Unavailable in new installations
22-1: Removed from all installations

Security Risk Report

In TOS Aurora version R22-1, the Security Risk Report feature will not be available. If you currently use the Security Risk Report, the feature will still be available until version R22-2, but will no longer be available after that release.
We recommend you consider using the following features instead:
Unified Security Policy
SecureTrack Reporting Essentials
The Unified Security Policy feature gives you greater flexibility in the number of zones that you can configure and allows you to define the requirements that you need.

End-of-Life Schedule

R21-1: Unavailable in new installations
R22-2: Removed from all installations

Expired Rules Report

In TOS Aurora version R22-2, the Expired Rules Report will not be available.
Expired rule information can be seen using:
Rule Viewer
The Rule Analytics report in SecureTrack Reporting Essentials.

End-of-Life Schedule

22-1: Unavailable in new installations
22-2: Removed from all installations

Integration with Puppet Labs

TOS Aurora versions of SecureApp will not support integration with Puppet Labs.
End-of-Life Schedule
Not available in any TOS Aurora releases.

Viewing Cisco ACI Applications in SecureApp

SecureApp integrated with TOS Aurora will not support integration with Cisco ACI Applications.

End-of-Life Schedule

Not available in any TOS Aurora releases.

Firewall OS Monitoring

As of Release R22-1 this feature will not be available in new installations but will continue to be available for users who already use the feature.

Deprecated Devices

The following devices will not be fully supported in future versions of TOS:

Check Point R77

As of R23-1 Check Point R77 is no longer a supported device.

End-of-Life Schedule

R23-1: Unavailable in new installations and not supported

Cisco Security Manager

As of R23-2 Cisco Security Manager (CSM) is no longer a supported device.

End-of-Life Schedule

R23-2: Unavailable in new installations and not supported

Open Stack

As of R23-1 Open Stack is no longer a supported vendor.

End-of-Life Schedule

R23-1: Unavailable in new installations and not supported

Fortinet FortiManager – Basic Mode

As of R19-3, creating new Fortinet FortiManager – Basic Mode devices is not supported. As of R22-1, retrieving new revisions is not supported.
For other limitations of FortiManager Basic, see Notes for FortiManager Basic.
If you use FortiManager devices, we recommend using Advanced mode, which is still supported by Tufin.

End-of-Life Schedule

R19-3: Installing new devices not supported
R22-1: Retrieving new revisions not supported

Palo Alto Networks Panorama – Basic Mode

As of R19-3, creating new Palo Alto Networks Panorama – Basic Mode devices is not supported. As of R22-1, retrieving new revisions is not supported.
For other limitations of Panorama Basic, see Notes for Panorama Basic.
If you use Panorama devices, we recommend using Advanced mode, which is still supported by Tufin.

End-of-Life Schedule

R19-3: Installing new devices not supported
R22-1: Retrieving new revisions not supported

Panorama Version 8 and earlier

No longer supported

End-of-Life Schedule

22-1: Unavailable in new installations and not supported

SecureTrack Release Notes

Issues Resolved in SecureTrack R22-1 (Aurora)
R22-1 PHF4.1.0

R22-1 PHF4.0.0
SecureTrack R22-1 PHF4.0.0 for TOS Aurora these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category	Reference ID	Also in	Description
Backup and	TOS-57651	R22-2	Resolved an issue preventing negative database

health from being detected, which
Restore| | PGA.0.0,| impacted backups. Added a liveness and readiness probe for the on gdb pod which
| | R23-1| will restart the pod when the database is in an unhealthy state. (SR99542)
| | PRC1.0.0|
Database| TOS-58874| R21-3 HF6| Resolved an issue causing the database to be vacuumed after failing to archive
| | R22-2| revisions, which resulted in unnecessary files filling up storage. (SR101854)
| | PHF1.0.0|
| | R23-1 PRC1|
Database| TOS-59190| R22-2| Resolved an indexing issue impacting TOS performance. (SR104245)
| | PHF1.0.0|
Device| TOS-57069| R22-2| For Fortinet FortiGate devices, resolved an issue that caused revision retrievals to
Monitoring| | PGA.0.0,| fail when there were large amounts of revision data. (SR103596)
| | R23-1|
| | PRC1.0.0|
Device| TOS-57178| | For Cisco ACI devices with large configurations, resolved an issue preventing
Monitoring| | | revisions from being retrieved. (SR104205)
Device| TOS-59013| R22-2| When running st_monitor, resolved an issue in which error messages regarding the
Monitoring| | PHF1.0.0| diff_cache table was displayed. (SR103024)
Device| TOS-59378| | For Cisco ACI devices, resolved a rare timing issue in which the revision retrieval
Monitoring| | | could fail. (SR105850)
GraphQL API| TOS-59534| R22-2| Resolved an issue preventing SNMPv3 encryption via the GraphQL API when SMTP
| | PHF1.0.0| with a password is also configured. (SR104682, SR105480)
REST API| TOS-56404| R22-2 PGA.0.0, R23-1| Resolved an issue in which an API search query with the search_text parameter returned zero results. (SR102956)
| | PRC1.0.0|
Rule and| TOS-58144| | For Cisco ASA devices, resolved an issue in which users without access to the
Object Usage| | | “show cluster info” commands were able to add ASA devices to SecureTrack without
| | | triggering any errors in the device collector log for rule and object usage.(SR102851)
Rule and| TOS-58535| R22-2| For FortiManager devices, resolved an issue in which rules were not retrieved for
Category| Reference ID| Also in| Description
---|---|---|---
Object Usage| | PHF1.0.0,| global policy packages that were located in folders. (SR104667)
| | R23-1|
| | PRC1.0.0|
Topology| TOS-57145| R22-2| Resolved an issue in which joining identical clouds did not appear in the Interactive
| | PGA.0.0,| map after a Fast Topology Sync. (SR100125)
| | R23-1|
| | PRC1.0.0|
Topology| TOS-57582| R22-2| For Cisco ASA devices, resolved an issue in which the device’s interface name
| | PGA.0.0,| appeared incorrectly in the Interactive Map. (SR102300)
| | R23-1|
| | PRC1.0.0|
Topology| TOS-58789| R23-1| Resolved an issue in which topology data retrieval failed when a single AWS region
| | PRC1.0.0| was unreachable. (SR103957)

R22-1 PHF3.1.0
SecureTrack R22-1 PHF3.1.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

| Category| Reference ID| Also in| Description
---|---|---|---|---
Security| | TOS-57720| R22-2 PGA.0.0| Resolved a security vulnerability that would have enabled attackers to exploit a flaw in Apache Commons Text packages 1.5 through 1.9. The Apache Commons Text packages have been upgraded to version 1.1.0.
| | | | For more information, see CVE-2022-42889

R22-1 PHF3.0.0
SecureTrack R22-1 PHF3.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PHF2.0.0
SecureTrack R22-1 PHF2.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PHF1.0.0
SecureTrack R22-1 PHF1.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PGA.0.0
SecureTrack R22-1 PGA.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PRC1.0.0
SecureTrack R22-1 PRC1.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Known Issues in SecureTrack R22-1 (Aurora)
SecureTrack version R22-1 for TOS Aurora has these known issues:

SecureChange Release Notes

Issues Resolved in SecureChange R22-1 (Aurora)
R22-1 PHF4.0.0
SecureChange version R22-1 PHF4.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PHF3.1.0
SecureChange version R22-1 PHF3.1.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PHF3.0.0
SecureChange version R22-1 PHF3.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PHF2.0.0
SecureChange version R22-1 PHF2.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PHF1.0.0
SecureChange version R22-1 PHF1.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

R22-1 PGA.0.0
SecureChange version R22-1 PGA.0.0 for TOS Aurora includes no new resolved or updated issues, and all resolved or updated issues from earlier versions.
R22-1 PRC1.0.0
SecureChange version R22-1 PRC1.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Known Issues in SecureChange R22-1 (Aurora)
There are no known issues in SecureChange version R22-1 for TOS Aurora.

SecureApp Release Notes
Issues Resolved in SecureApp R22-1
R22-1 PHF4.0.0
SecureApp version R22-1 PHF4.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Patents and Trademarks

See www.tufin.com/patents for patent details.

Trademarks

Tufin, SecureChange, SecureTrack, Automatic Policy Generator, and the Tufin logo are trademarks of Tufin Software Technologies Ltd. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
Some TOP plugins include software developed by Terrapin Communications, Inc. and its contributors for RANCID.

Document Version Information