Tufin R21-2P Orchestration Suite Aurora User Guide

June 13, 2024
Tufin

The Security Policy Company.
Tufin Orchestration Suite Aurora
Release Notes
Version R21-2P

R21-2 Aurora PHF2.0.0 Release Notes

Resolved Issues from Previous Releases
Tufin Orchestration Suite (TOS) R21-2 Aurora PHF 2.0.0 includes all resolved issues listed for this release, as well as all resolved issues from the previous releases listed below.

All Resolved Issues| |
---|---|---
This release| |
R21-1 PHF1.1.0 Aurora| |

Installing/Upgrading TOS Aurora

If you have FortiManager devices in SecureTrack, after upgrading you will need to add a SAN signed certificate to each device.

TOS Aurora is the next generation platform of Tufin Orchestration Suite, with newly enhanced versions of features you rely on.
There are three options for installing or upgrading TOS Aurora:

  • New installation: Installing TOS Aurora on a new environment.
    For more information, see Clean Install procedures

  • Aurora to Aurora upgrade: Upgrading an older version of TOS Aurora to a newer version of TOS Aurora.
    For more information, see Upgrade From TOS Aurora

  • Classic to Aurora upgrade: Upgrading TOS Classic to TOS Aurora.
    To help you perform the Classic to Aurora upgrade, Tufin developed the Upgrade Planner. The Upgrade Planner collects TOS environment and setup information to determine whether your current environment is compatible with TOS Aurora.

For more information, see:

To upgrade from Classic to Aurora, contact Tufin Support.
To obtain the TOS Aurora installation files, see the Download Center in the Customer Portal.

Upgrade Paths and Compatibility

To view the supported upgrade paths for TOS Aurora, see the TOS Aurora Lifecycle and Build History page.
Always review the Compatibility Notes prior to installing an upgrade. Make sure to read the additional notes in the Release Notes for each version in your upgrade path.

TufinOS Compatibility

Tufin Orchestration Suite R21-2 Aurora requires TufinOS 3.50 or above. We recommend that you install the latest version of TufinOS available.
The latest version of TufinOS available can be downloaded from the Customer portal:

Feature| Removed from New Installations| Removed from All Installations
---|---|---
Policy Analysis Report| R21-3 Aurora| R22-2 Aurora
Risk Charts| R21-3 Aurora| R22-2 Aurora
Compliance Policies| R21-3 Aurora| R22-2 Aurora
Regulations Audit Browser| R21-3 Aurora| R22-2 Aurora
Rule Documentation Report| R21-3 Aurora| R22-2 Aurora
Security Risk Report| R22-1 Aurora| R22-2 Aurora
Expired Rules Report| R22-1 Aurora| R22-2 Aurora

Additional Stuff to Know

  • Starting from R21-2 Classic, all devices need TLS 1.2. SecureTrack will not retrieve revisions from devices with TLS 1.0 or 1.1.

  • Starting from R20-2, the Web Server certificate validity will be decreased to 395 days for clean installations.

  • Tufin Orchestration Suite validates user information for many fields in SecureTrack and SecureChange such as user names and email address. If a field contains invalid information, you will not be able to create or modify the field until the invalid information has been corrected. See Input Validation for details.

  • Starting with Tufin Orchestration Suite R19-2, SecureChange will verify that devices are suitably licensed for both SecureChange and Provisioning during ticket handling.
    We strongly recommend checking that all devices used in the system are fully licensed prior to upgrading, as unlicensed devices may cause unplanned interruptions when performing SecureChange operations.
    To review the status of all your licenses, see Viewing License Status.
    For a summary of how to work with SecureChange licenses, see Installing SecureChange Licenses and Licensing SecureChange.
    For more information about licensing, contact your Tufin partner or email us at salesops@tufin.com.

  • Tufin Orchestration Suite enforces maximum session duration settings for SecureTrack and SecureChange, including for the REST APIs.

  • To ensure that SecureChange and SecureApp have full functionality, the dedicated account used to define integration with SecureTrack (SecureChange/SecureApp > Settings > General > SecureTrack) should have Super Admin permissions configured in SecureTrack.

  • For Check Point R80 devices, when you upgrade from R18-3 and below to R19-1 and above, a new revision is automatically retrieved.
    After upgrading, Compare Revisions may show changes for all the existing network objects.
    Before you upgrade, make sure you have a recent (from ≤ 3 months) Check Point Jumbo Hotfix version installed on your device. See the relevant Check Point Support Center article for more information on how to verify which Jumbo Hotfix version is installed.

  • Microsoft Internet Explorer (IE): Release R20-1 is the last release that supports IE. From release R20-2, Tufin support for IE will reach its “end of life” (EOL). Tufin will support Microsoft Edge version 80.0.x (and above) and will continue to support Chrome version 80.0.x (and above) and Firefox version 73.0.1 (and above).

  • SAML Login Authentication and Google Chrome browsers: Google recently introduced a change to their SameSite cookie policy that enhances browser security. As a result of this change, users will be unable to log in to SecureTrack using SAML authentication on old browsers. SAML authentication is supported only for browser versions starting from:

End of Support and Deprecated Features

TOS Classic End of General Support
General support for TOS Classic ends December 31, 2022.
End of Support Schedule

  • R21-3: Last release of TOS Classic. Only hot fixes with bug fixes will be available after this release; no new features will be added.
  • December 2022: End of General (Hot Fix) support. No new general hot fixes will be available after this date. Support patches will still be available for customers with Extended Support on a case-by-case basis.

TOS Aurora Deprecated Features
The following features will no longer be available in future releases of TOS Aurora:

Feature| Removed from New Installations| Removed from All Installations| Announcement Date
---|---|---|---
Policy Analysis Report| R21-3 Aurora| R22-2 Aurora| Jun-21
Risk Charts| R21-3 Aurora| R22-2 Aurora| Jun-21
Compliance Policies| R21-3 Aurora| R22-2 Aurora| Jun-21
Regulations Audit Browser| R21-3 Aurora| R22-2 Aurora| Jun-21
Rule Documentation Report| R21-3 Aurora| R22-1 Aurora| Jun-21
Security Risk Report| R22-1 Aurora| R22-2 Aurora| Jun-21
Expired Rules Report| R22-1 Aurora| R22-2 Aurora| Jun-21
Integration with Puppet Labs| Not available in any TOS Aurora releases.| | Aug-21
Integration with Cisco ACI Application| Not available in any TOS Aurora releases.| | Aug-21

Policy Analysis Report

In TOS Aurora version R21-3, the Policy Analysis Report will not be available.
We recommend you consider using the following feature instead:

  • Rule Viewer

End of Life Schedule

  • 21-3: Unavailable in new installations and removed from installations not currently using the feature
  • 22-1: Removed from all installations

Risk Charts
In TOS Aurora version 21-3, the new USP Compliance widget will replace the Risk Chart in the Dashboard. The Compliance widget can be configured to calculate risk by USP and can be accessed from the USP Viewer.

End of Life Schedule

  • R21-3: Unavailable in new installations
  • R22-1: Removed from installations not currently using the feature
  • R22-2: Removed from all installations

If you still require access to the old Risk Dashboard, contact Tufin support.

Compliance Policies
In TOS Aurora version R21-3, the Compliance Policies feature will not be available. If you currently use the Compliance Policies, the feature will still be available until version R22-2, but will no longer be available after that release.
We recommend you consider using the following feature instead:

These features give you greater flexibility in the number of zones that you can configure and allow you to define the requirements that you need.

End of Life Schedule

  • R21-3: Unavailable in new installations
  • R22-1: Removed from installations not currently using the feature
  • R22-2: Removed from all installations

Regulations Audit Browser
In TOS Aurora version R21-3, the Regulations Audit Browser will not be available. If you currently use the Regulations Audit Browser, the feature will still be available until version R22-2, but will no longer be available after that release.
We recommend you consider using the following features instead:

End of Life Schedule

  • R21-3: Unavailable in new installations
  • R22-2: Removed from all installations

Rule Documentation Report
In TOS Aurora version R22-1, the Rule Documentation Report will not be available.
We recommend you consider using the following feature instead:

End of Life Schedule

  • 21-3: Unavailable in new installations
  • 22-1: Removed from all installations

Security Risk Report
In TOS Aurora version R22-1, the Security Risk Report feature will not be available. If you currently use the Security Risk Report, the feature will still be available until version R22-2, but will no longer be available after that release.
We recommend you consider using the following features instead:

The Unified Security Policy feature gives you greater flexibility in the number of zones that you can configure and allows you to define the requirements that you need.

End of Life Schedule

  • R21-1: Unavailable in new installations
  • R22-2: Removed from all installations

Expired Rules Report
In TOS Aurora version R22-2, the Expired Rules Report will not be available.
We recommend you consider using the following feature instead:

End of Life Schedule

  • 22-1: Unavailable in new installations
  • 22-2: Removed from all installations

Integration with Puppet Labs
SecureApp integrated with TOS Aurora will not support integration with Puppet from Puppet Labs®.

End of Life Schedule

  • Not available in any TOS Aurora releases.

Integration with Cisco ACI Application
SecureApp integrated with TOS Aurora will not support integration with Cisco ACI Applications.

End of Life Schedule

  • Not available in any TOS Aurora releases.

Deprecated Devices
The following devices will not be fully supported in future versions of TOS:

Fortinet FortiManager – Basic Mode
As of R19-3, creating new Fortinet FortiManager – Basic Mode devices is not supported. As of R22-1, retrieving new revisions is not supported.
For other limitations of FortiManager Basic, see Notes for FortiManager Basic.
If you use FortiManager devices, we recommend using Advanced mode, which is still supported by Tufin.

End of Life Schedule

  • R19-3: Installing new devices not supported
  • R22-1: Retrieving new revisions not supported

Palo Alto Networks Panorama – Basic Mode
As of R19-3, creating new Palo Alto Networks Panorama – Basic Mode devices is not supported. As of R22-1, retrieving new revisions is not supported.
For other limitations of Panorama Basic, see Notes for Panorama Basic.
If you use Panorama devices, we recommend using Advanced mode, which is still supported by Tufin.

End of Life Schedule

  • R19-3: Installing new devices not supported
  • R22-1: Retrieving new revisions not supported

Panorama Version 8 and earlier
No longer supported

End of Life Schedule

  • 22-1: Unavailable in new installations and not supported

SecureTrack Release Notes

Issues Resolved in SecureTrack R21-2 (Aurora)
R21-2 PHF2.0.0
SecureTrack version R21-2 PHF2.0.0 includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
Device Monitoring| TOS-39166| R21-2 HF3, R21-3 HF1, R22-1 PRC1.0.0| For Cisco FMC devices, resolved an issue causing the date in device syslogs with a priority code to be parsed incorrectly. (SR86135, SR83985)
Device Monitoring| TOS-39288| R22-1 PRC1.0.0| For Juniper SRX devices, resolved an issue preventing syslogs from being retrieved because certain calculations were impacted by a deleted device that had not been removed from the database. (SR86831)
Notifications| TOS-37576| R21-3 PGA.0.0, R22-1 PRC1.0.0| Resolved an issue of false admin alerts about neo4j. (SR84494)
Notification| TOS-38979| R21-3 PGA.0.0, R22-1 PRC1.0.0| Resolved an issue of node status messages being sent without justification. Examples: Probe Failed.., Node degraded.., Node healthy…. (SR85055)
Topology| TOS-37984| R21-2 HF1, R21-3 RC1| For Azure Virtual Networks, resolved an issue preventing SecureTrack from retrieving dynamic topology data when there is a user-defined route with a service tag in the address prefix. (SR72996)
Upgrade/Installation| TOS-40501| R21-3 PGA.0.0, R22-1 PRC1.0.0| Resolved an issue preventing upgrade to TOS Aurora due to bridge service error E11000. (SR85953)

R21-2 PHF1.1.0
SecureTrack version R21-2 PHF1.1.0 includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
Security| TOS-39138| | Mitigated the CVE-2021-44228 (Apache Log4Shell) and CVE-2021-45046 vulnerabilities.

R21-2 PHF1.0.0
SecureTrack R21-2 PHF1.0.0 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
Device Monitoring| TOS-34684| | Resolved an issue causing the output files from a certain script to be stored in the /tmp folder. (SR78053)
Device Monitoring| TOS-34910| R21-3 PRC1| For Check Point CMA devices, resolved an issue preventing SecureTrack from stopping/starting the devices from the Status page. (SR81269)
Rule Viewer| TOS-34260| R21-3 PRC1| Resolved an issue preventing revisions from being retrieved from rules with very long comments (over 32,000 characters). Long comments are now retrieved, but only the first 32,000 characters will be indexed and searchable. (SR82846)
Topology| TOS-36162| R21-1 HF4, R21-2 HF2, R21-2 PHF2, R21-3 RC1, R21-3 PRC1, R21-3 GA, R21-3 PGA| For Amazon AWS accounts, resolved an issue preventing SecureTrack from retrieving dynamic topology as a result of incorrect authorization credentials sent to AWS when running a topology sync. (SR71499, SR79558)
Upgrade/Installation| TOS-34653| R21-3 PRC1| For FortiManager devices with large amounts of global rules, resolved an issue preventing the global rules from appearing in the Rule Viewer, which caused delays in the migration from Classic to Aurora. (SR82151)
Violations| TOS-33122| R21-3 PRC1| For Check Point CMA devices, resolved an issue preventing rules belonging to a group with an Any exclusion from triggering violations. (SR81025)

R21-2 PGA.2.0
SecureTrack R21-2 PGA.2 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
Install/Upgrade| TOS-33527| | Resolved an issue preventing TOS Aurora from being installed on new Gen 4 appliances, or servers with a clean install of TufinOS, and no TOS classic.
Device Monitoring| TOS-34319| R21-2 PHF1| For cloud environments (which have an external load balancer), resolved an issue preventing TOS from processing incoming syslog data. (SR81532)

R21-2 PGA.1.0
SecureTrack R21-2 PGA.1 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
Install/Upgrade| TOS-33157| R21-2 HF1.1, R21-2 HF2, R21-3 RC1| For upgrades to R21-2 GA, resolved an issue preventing subscription only license SKUs from manually being reattached to devices for machines configured with specific timezones. (SR79657, SR79000, SR81009)

R21-2 PGA.0.0
SecureTrack R21-2 PGA for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
Compare| TOS-26650| R21-1 HF3, R21-2 HF1, R21-3 RC1| For Juniper SRX devices, resolved an issue preventing rules with revisions containing IPv6 objects with a certain address from being displayed in the Compare tab, in the View Policy dialog box. (SR72212)
Configuration| TOS-27733| R21-2 PHF1| Resolved an issue causing all timestamps in specific pods to be in the UTC timezone, instead of the configured time zone. (SR71500)
Database| TOS-24600| | Resolved a memory issue preventing SecureTrack from calculating violations for devices with interfaces mapped to a large number of zones. (SR70765)
Device Monitoring| TOS-26841| R21-3 PRC1| Resolved an issue preventing SecureTrack from processing new revisions. (SR73704)
Device Monitoring| TOS-28643| R21-1 HF2.1, R21-1 HF3, R21-2 HF1, R21-3 RC| For Check Point R81 devices, resolved an issue preventing SecureTrack from receiving revisions that include rules with an “interoperable device” network object in the source or destination. (SR74993)
Device Monitoring| TOS-30021| R21-2 PHF1, R21-3 PRC1| For FortiManager 6.4.6 devices, resolved an issue preventing SecureTrack from pulling revisions. (SR77532)
Installation/Upgrade| TOS-29964| R21-2 PHF1, R21-3 PRC1| Resolved an issue preventing TOS classic from being upgraded to TOS Aurora when SecureTrack is monitoring devices with no rules.
REST API| TOS-28641| R21-2 HF1, R21-3 RC1| For managing devices (FortiManager, Panorama, Cisco ASA), resolved an issue causing the Shadowing Rules API function to return incorrect results. (SR77429)
Rule Viewer| TOS-26841| R21-3 PRC1| Resolved an issue preventing SecureTrack from processing new revisions. (SR73704)

R21-2 PRC1.0.0
SecureTrack R21-2 PRC1 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
Installation/Upgrade| TOS-21696| | For Classic to Aurora upgrades from R18-2 and below, resolved a cluster management mismatch issue which resulted in spam messages. (SR71028)

Known Issues in SecureTrack R21-2 (Aurora)

SecureTrack version R21-2 for TOS Aurora has these known issues:
Interactive sessions in multiple tabs of the same browser, the Back button in the web browser, and Internet Explorer prior to version 11 are not supported.

SecureChange Release Notes

Issues Resolved in SecureChange R21-2 (Aurora)
R21-2 PHF1
SecureChange version R21-2 PHF1 for TOS Aurora includes these resolved or updated issues, and all resolved or updated issues from earlier versions.

Category| Reference ID| Also in| Description
---|---|---|---
General| TOS-29209| R21-2 HF1, R21-3 RC1, R21-3 PRC1| Resolved an issue causing SecureChange to try and connect to the internet when users log in. (SR76998)
Licensing| TOS-35690| R22-1 PRC1| For cloud deployments, resolved an issue preventing SecureChange licenses from being auto-attached to devices. (SR80904)

R21-2 PGA.1
SecureChange version R21-2 PGA.1 for TOS Classic includes no new resolved or updated issues, and all resolved or updated issues from earlier versions.
R21-2 PRC1 and PGA
SecureChange version R21-2 PRC1 and PGA for TOS Aurora includes no new resolved or updated issues, and all resolved or updated issues from earlier versions.

Known Issues in SecureChange R21-2 (Aurora)

SecureChange version R21-2 for TOS Aurora has these known issues:
Interactive sessions in multiple tabs of the same browser, the Back button in the web browser, and Internet Explorer prior to version 11 are not supported.

Patents and Trademarks

See www.tufin.com/patents for patent details.
Trademarks
Tufin, SecureChange, SecureTrack, Automatic Policy Generator, and the Tufin logo are trademarks of Tufin Software Technologies Ltd. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
Some TOP plugins include software developed by Terrapin Communications, Inc. and its contributors for RANCID.
Document Version Information
This document is relevant for all R21-2P releases up to PHF2.0.0.
Published on Tuesday, January 18, 2022 9:54 PM.

Copyright 2003-2022, Tufin Software Technologies Ltd.
