Last updated Nov 29th, 2019 by Tomer Wermus

Enhanced Next-Generation Firewall and SDN Support

We recently released Tufin R19-2 with new features and improvements, a result of customer feedback and requests. R19-2 highlights include management of dynamic objects, integration with Cisco ACI to deliver full visibility and monitoring, and advanced next-generation firewall support.

Enhanced visibility and topology modeling for Cisco ACI

One of the newly added features gives you centralized visibility and real-time monitoring of the Cisco ACI Fabric in the context of your overall IT environment. This helps accelerate adoption and bridges the gap between Cisco ACI and the rest of your IT environment.

You can easily add Cisco ACI as another environment to manage directly from Tufin by connecting to the Cisco Application Policy Infrastructure Controller (Cisco APIC). The ACI Fabric is automatically added to the Tufin topology map, which provides a graphic display of the Fabric, its EPGs and applications, including traffic traversing the ACI fabric along with non-ACI devices and network zones.

Once the ACI Fabric is added, Tufin immediately starts documenting any changes that are made to the Fabric, so you can begin tracking Fabric-related revisions (e.g. if a contract was deleted from the policy).

Cisco ACI topology

Cisco ACI topology with external routes

In addition, you can use the Tufin topology map to optimize the network and troubleshoot connectivity issues between EPGs and outside the ACI fabric. For example, if an app availability issue is detected, you can use Tufin's interactive topology map to run path analysis and view EPG-to-EPG east-west traffic as well as north-south traffic. When you enter the EPG name or IP address as source/destination, Tufin calculates and maps the path if it exists, or alerts on unavailable traffic routes. You can view which devices are in the path, along with the EPGs and routing configurations inside and across the ACI fabric. Path analysis is calculated across any environment, not only within your ACI Fabric. Based on the app's connectivity needs, you can also change rules that block traffic.

Finally, with centralized visibility and consistent network security policy enforcement, you can now manage the Cisco ACI and the rest of your environment as one.

Enhanced visibility and monitoring of advanced NG capabilities within Palo Alto Networks and Check Point CloudGuard in Azure

Tufin R19-2 also provides support for Palo Alto Networks Fully Qualified Domain Name (FQDN) objects and External Dynamic Lists (EDL), as well as Check Point CloudGuard objects in Microsoft Azure. This way, you can apply compliance policies to rules containing FQDN, EDL, and CloudGuard objects.

Tufin is the first vendor to offer EDL support, where you can leverage Tufin SecureApp integration with Palo Alto Panorama to manage EDLs. This means that you can now securely update and monitor lists from the network. Following an EDL change made in SecureApp, the Palo Alto Networks firewall uses the updated configuration.

Tufin EDLs support for Panorama™

Finally, another Palo Alto Networks enhancement in R19-2 is support for Panorama High Availability (HA) mode, enabling a single ruleset that can be applied to the HA pair. Tufin monitors Panorama HA devices in SecureTrack, so in case of a switchover to the HA peer, Tufin continues to manage the device, including tracking changes, provisioning new changes, and alerting on compliance and connectivity issues, to ensure continuous protection following a fail-over.

Create new firewall rules for requested network access

To avoid rule proliferation, Tufin consistently attempts to reuse or edit existing rules to satisfy new access requests, an approach referred to as “policy optimization”. However, there are cases where a new rule is required for a specific purpose (e.g. temporary access for 3rd party vendors). Here, we recommend not adding this access to an existing rule, but rather creating a new rule to enable access. This way, when you need to revoke the vendor access, you can easily do so without the fear of disrupting other processes that may use the same rule.

Starting with Tufin Orchestration Suite R19-2, this option is available in SecureChange access requests. It can also be leveraged to simplify firewall policy management and comply with rule documentation best practices.

Learn more about the new features and enhancements in R19-2.

If you have questions or would like a personal 1:1 demo, contact us.