Posted on May 20th, 2020 by Roi Alon

Good news from the Tufin team! We’re pleased to announce the general availability of our latest release, Tufin Orchestration Suite (TOS) R20-1.

This new version extends Tufin’s Network Security Policy Management (NSPM) leadership as the broadest automation platform supporting the widest range of vendors. R20-1 focuses on enhanced automation and NGFW management capabilities. TOS R20-1 provides:

  • Accelerated incident response: use the Rule Modification workflow to remove risky services from rules.
  • Enhanced IPv6 support: run path analysis (“what if”) between a requested source and destination, or troubleshoot connectivity, with IPv6 addresses included.
  • Extended NGFW support for both Palo Alto Networks Panorama and Cisco Firepower.

Key features in this release include: 

1. NEW! Option to modify services in rules -- We’ve extended the capabilities of the Rule Modification Workflow and added the option to modify firewall rules by adding and/or removing one or more objects from the service field. This is in addition to the ability to do the same for the source/destination fields (available since TOS R19-3). This is especially handy when you need to do routine policy cleanup, modify network access, or quickly block risky services. Remember the infamous “WannaCry” outbreak? You can now search for all rules that allow inbound traffic on a specific port and block it.

Modify service field by creating a new object

Take for example a scenario where you’re required to make ad-hoc changes to existing rules as a result of suspicious activity, or (in a more planned scenario) you need to enable new connectivity because one of your developers added a feature to an existing app that now requires connectivity over a new protocol. In this scenario, admins can use the Tufin SecureTrack policy browser to query the rule base and search for the relevant rules that require modification. Admins can then initiate a Rule Modification workflow in Tufin SecureChange to automatically make the desired changes in the selected rules.

Whether you need to add a new service to existing policy rules or remove services from them, SecureChange has you covered. With the SecureChange automated workflow, you don’t need to look for the rules manually and modify the service firewall by firewall; instead, SecureChange implements the change automatically across all of your multi-vendor firewalls where it is needed. This ensures a fast, accurate, and validated change process. All workflows are audit-ready, as they track and document the full change history.

Tufin SecureChange automatically designs and provisions the requested changes

Finally, with Tufin you can create as many different workflows as needed to address multiple use cases, where each workflow is fully customizable and easily configured to meet specific operational and security needs.

2. Fast implementation: Automate changes that include IPv6 addresses -- To support customers’ IoT, 5G and related initiatives, and their migration to IPv6, we’re continuously enhancing our IPv6 support: users gain a comprehensive network topology view and can automate rule changes with IPv6 addresses. IPv6 support has been added in both automation and topology modes for Fortinet, Check Point and Cisco IOS-XR, and in automation mode for Cisco ASA and Forcepoint.

Comprehensive network topology view, including IPv6 addresses

In TOS R20-1, you can quickly implement rule changes that include IPv6 addresses as part of the automated change workflow. For example, if you need to change or enable access, you select the requested source and destination (either IPv4 or IPv6). Tufin SecureChange automatically maps out all firewall devices, including IPv6 addresses, collected from the on-premises, SDN, and cloud environments, on the optimized path between the source and destination. Next, Tufin pinpoints which rules and/or network objects need to be changed to enable the requested access and, upon approval, implements the change and verifies that it was implemented accurately.

In addition, with TOS R20-1 you can now troubleshoot security gaps by running path analysis that includes IPv6 addresses.
 

Automate network changes with IPv6 addresses via Tufin SecureChange
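The two operations described in sections 1 and 2, searching a rule base for every rule that allows a risky service and removing that service, and a “what if” check for a flow whose endpoints may be IPv4 or IPv6 across the devices on a path, are shown below as an added example. This is illustrative code, not Tufin’s code or API; the rule model, device names, rule names, addresses and services are all constructed, and the rule base uses first-match semantics with an implicit deny.

```python
"""Added example (not Tufin code): a toy multi-vendor rule base model used to show
two of the operations described above, finding every rule that allows a risky
service and removing that service, and a what-if check for a flow whose
endpoints may be IPv4 or IPv6 across the devices on a path.
All device names, rule names, addresses and services are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Tuple

# "any" address object: one IPv4 and one IPv6 network so both families match
ANY = (ip_network("0.0.0.0/0"), ip_network("::/0"))


@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    device: str
    src: Tuple          # ip_network objects; IPv4 and IPv6 may be mixed
    dst: Tuple
    services: FrozenSet[Service]
    action: str = "allow"
    enabled: bool = True


def _matches(addr, networks):
    # ipaddress answers False (no exception) when an IPv6 address is tested
    # against an IPv4 network or vice versa, so mixed-family rules are safe here.
    return any(addr in net for net in networks)


def _allows(rule, service):
    return rule.enabled and rule.action == "allow" and service in rule.services


def rules_allowing(rules, service):
    """Every enabled allow rule whose service field contains `service`."""
    return [r for r in rules if _allows(r, service)]


def remove_service(rule, service):
    """Return `rule` with `service` removed from its service field.
    Edge case: if that was the rule's only service, disable the rule rather than
    leaving an empty service field, which some platforms interpret as 'any'."""
    remaining = rule.services - {service}
    if not remaining:
        return replace(rule, services=frozenset(), enabled=False)
    return replace(rule, services=remaining)


def block_service(rules, service):
    """Apply remove_service to every rule on one device that allows `service`.
    Returns the modified rule base and the (device, rule) pairs that changed,
    which is what a change record would document."""
    new_rules, changed = [], []
    for r in rules:
        if _allows(r, service):
            new_rules.append(remove_service(r, service))
            changed.append((r.device, r.name))
        else:
            new_rules.append(r)
    return new_rules, changed


def first_match(rules, src, dst, service):
    """First-match evaluation on one device: the first enabled rule whose source,
    destination and service fields all match decides; None is the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.enabled and _matches(s, r.src) and _matches(d, r.dst) and service in r.services:
            return r
    return None


def path_allows(path, src, dst, service):
    """What-if check across the ordered devices on a (constructed) path.
    The flow is allowed only if every device allows it; returns the verdict
    and the per-device decision so the blocking hop is visible."""
    decisions = []
    for device, rules in path:
        hit = first_match(rules, src, dst, service)
        decisions.append((device, hit.name if hit else "implicit-deny"))
        if hit is None or hit.action != "allow":
            return False, decisions
    return True, decisions


# Constructed sample data
SMB = Service("tcp", 445)
HTTPS = Service("tcp", 443)
EDGE_RULES = [
    Rule("allow-file-share", "edge-fw", ANY,
         (ip_network("10.0.0.0/8"), ip_network("2001:db8:1::/48")), frozenset({SMB, HTTPS})),
    Rule("allow-smb-legacy", "edge-fw", ANY, (ip_network("192.168.5.0/24"),), frozenset({SMB})),
]
CORE_RULES = [
    Rule("dc-to-files", "core-fw",
         (ip_network("10.1.0.0/16"), ip_network("2001:db8:1::/64")),
         (ip_network("2001:db8:1:5::/64"),), frozenset({SMB})),
]
PATH = [("edge-fw", EDGE_RULES), ("core-fw", CORE_RULES)]

if __name__ == "__main__":
    print(path_allows(PATH, "2001:db8:1::10", "2001:db8:1:5::20", SMB))
    new_edge, changed = block_service(EDGE_RULES, SMB)
    print(changed)
    print(path_allows([("edge-fw", new_edge), ("core-fw", CORE_RULES)],
                      "2001:db8:1::10", "2001:db8:1:5::20", SMB))
```

Two details matter in practice: `remove_service` disables a rule instead of leaving an empty service field (an empty field can silently mean “any” on some platforms), and `_matches` relies on `ipaddress` returning False for cross-family comparisons, so an IPv4 destination never matches an IPv6-only object and vice versa.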

3. Extended Tufin support for NGFW platforms -- Tufin has an ongoing commitment to providing market-leading support for NGFW platforms. In TOS R20-1, enhancements focus on Palo Alto Networks and Cisco Firepower.

Gain visibility and detect policy violations and misconfigurations with Palo Alto Networks Panorama Dynamic Address Groups (DAGs). When it comes to tracking policy changes, changes to static address content are easier to track and detect, because they are usually made through a formal, standardized process where it’s clear who made the change, when, where, and why (hopefully, you have a reliable documentation process in place). Tracking policies whose addresses change dynamically is a much harder task.

Take for example a scenario where a user tags an object and, as a result, the object is automatically mapped to a DAG that is used in rule source/destination fields. If you don’t have control over which objects are being tagged and added to the different DAGs, this can lead to overly permissive rules, other access risks, and compliance violations. It’s important that you are able to track changes in DAGs and ensure they remain compliant.

View and track changes in DAGs, including match criteria

With Tufin R20-1, users can efficiently monitor Panorama policies, including DAGs. Tufin detects and highlights changes in DAGs, ensuring that admins have full visibility into DAG content and changes. This can help prevent, for example, access misconfigurations where a user attaches or detaches a tag on an object, the object is automatically added to or removed from a DAG, and access changes unexpectedly.

View DAG content – name, match criteria, group members

With R20-1, admins can now detect policy violations and misconfigurations, such as rule permissiveness, shadowing, and duplicate objects, for rules with both static and dynamic addresses.

View rule violations, permissiveness, shadowing, and more

In addition, we’ve also enhanced our search capabilities: you can now search for a tag and see all rules and DAGs that match it. With Tufin’s interactive topology map, users can also view the rules that allow or block traffic.
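The DAG tracking problem described above comes down to three steps: resolve each group’s members from its tag match criteria, diff two snapshots to see who joined or left, and map the changed groups back to the rules that reference them. The following added example does that (and the tag search from the previous paragraph) against constructed data. It is not Tufin’s or Palo Alto Networks’ code; the match-criteria grammar (quoted tags combined with `and`, `or` and parentheses) is a simplified model, and all DAG, object, tag and rule names are made up.

```python
"""Added example (not Tufin or Palo Alto Networks code): resolve Dynamic Address
Group membership from tag match criteria, diff two snapshots to surface
membership changes, and map them to the rules that reference the DAGs.
The match-criteria grammar (quoted tags joined with and/or, parentheses) is a
simplified model; all DAG, object, tag and rule names are constructed."""
import re

# quoted tag | ( | ) | and | or
TOKEN = re.compile(r"'([^']*)'|\(|\)|\band\b|\bor\b")


def tokenize(expr):
    """Split match criteria into ('tag', name) and ('op', symbol) tokens,
    rejecting anything that is not part of the grammar."""
    if TOKEN.sub("", expr).strip():
        raise ValueError(f"unsupported match criteria: {expr!r}")
    return [("tag", m.group(1)) if m.group(1) is not None else ("op", m.group(0))
            for m in TOKEN.finditer(expr)]


def evaluate(expr, tags):
    """True if an object carrying `tags` satisfies the match criteria.
    Recursive descent; 'and' binds tighter than 'or', as in boolean logic."""
    toks, pos = tokenize(expr), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def parse_or():
        nonlocal pos
        val = parse_and()
        while peek() == ("op", "or"):
            pos += 1
            rhs = parse_and()      # always consume the right operand, no short-circuit
            val = val or rhs
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while peek() == ("op", "and"):
            pos += 1
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError(f"incomplete match criteria: {expr!r}")
        pos += 1
        if tok == ("op", "("):
            val = parse_or()
            if peek() != ("op", ")"):
                raise ValueError(f"missing ')' in {expr!r}")
            pos += 1
            return val
        if tok[0] == "tag":
            return tok[1] in tags
        raise ValueError(f"unexpected {tok[1]!r} in {expr!r}")

    result = parse_or()
    if pos != len(toks):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def resolve_dags(dags, objects):
    """dags: {dag: criteria}; objects: {object: set(tags)} -> {dag: frozenset(members)}"""
    return {dag: frozenset(o for o, tags in objects.items() if evaluate(expr, tags))
            for dag, expr in dags.items()}


def diff_dags(before, after):
    """Membership changes between two snapshots: {dag: (added, removed)} for
    DAGs whose members differ. This is the 'who joined or left the group' view
    that static address objects give you for free and DAGs do not."""
    changes = {}
    for dag in before.keys() | after.keys():
        b, a = before.get(dag, frozenset()), after.get(dag, frozenset())
        if a != b:
            changes[dag] = (a - b, b - a)
    return changes


def affected_rules(changes, rules):
    """Rules whose source/destination reference a DAG that changed."""
    return sorted(name for name, dags in rules.items() if set(dags) & set(changes))


def dags_matching_tag(dags, tag):
    """DAGs whose criteria reference `tag` (the tag search described above)."""
    return sorted(dag for dag, expr in dags.items() if ("tag", tag) in tokenize(expr))


# Constructed sample data: two DAGs, two rules, and two snapshots of object tags
DAGS = {"dag-web-prod": "'web' and 'prod'",
        "dag-dmz": "'dmz' or ('web' and 'external')"}
RULES = {"allow-web-in": ["dag-web-prod"], "allow-dmz-out": ["dag-dmz"]}
SNAPSHOT_1 = {"srv-web-01": {"web", "prod"}, "srv-web-02": {"web"}, "db-01": {"db", "prod"}}
SNAPSHOT_2 = {"srv-web-01": {"web", "prod"}, "srv-web-02": {"web", "external"},
              "db-01": {"db", "prod", "web"}}   # db-01 was tagged 'web' by mistake

if __name__ == "__main__":
    changes = diff_dags(resolve_dags(DAGS, SNAPSHOT_1), resolve_dags(DAGS, SNAPSHOT_2))
    for dag, (added, removed) in sorted(changes.items()):
        print(f"{dag}: +{sorted(added)} -{sorted(removed)}")
    print("rules to review:", affected_rules(changes, RULES))
```

In the sample data a database server picks up the `web` tag, which silently pulls it into `dag-web-prod` and therefore into the scope of `allow-web-in`; the diff surfaces exactly that membership change and the rule it affects, which is the visibility the paragraph above is asking for.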

Automatically generate and optimize policies for Cisco Firepower. Tufin now provides a simple way to generate and optimize segmentation policies for Cisco Firepower NGFW. Policies are generated based on rule and object usage, such as a rule’s last hit. Using traffic and usage analysis based on data retrieved from Cisco Firepower, admins can now, for example, detect overly permissive rules and replace them with more refined rules based on accurate usage assessments, minimizing network security risk.
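To make the usage-based refinement concrete, here is an added example (not Tufin’s or Cisco’s code) that takes the connections which matched a permissive rule, generalizes the endpoints to known network segments, and emits narrower allow rules per segment pair, while listing rules whose last hit is older than a lookback window. The hit records, segment names and rule names are constructed; in a real deployment they would come from the firewall’s connection events and hit counters.

```python
"""Added example (not Tufin or Cisco code): derive a tighter segmentation policy
from the traffic that actually matched a permissive rule, and list rules that
have not been hit within a lookback window. Hit records, segment names and
rule names are constructed; a real deployment would read them from the
firewall's connection and hit-count data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Hit:
    rule: str       # rule that matched the connection
    ts: datetime
    src: str
    dst: str
    proto: str
    port: int


def stale_rules(rule_last_hit, now, max_age_days=90):
    """Rules never hit, or not hit within the window: removal candidates,
    to be confirmed before deletion (a quarterly job may hit a rule once a year)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(r for r, last in rule_last_hit.items() if last is None or last < cutoff)


def segment_of(addr, segments):
    """Name of the segment containing `addr`, or None if it is in no known segment."""
    a = ip_address(addr)
    for name, net in segments.items():
        if a in net:
            return name
    return None


def refine_rule(rule_name, hits, segments, min_hits=2):
    """Replace one permissive rule with per-segment-pair rules built from its hits.
    Endpoints are generalized to their segment so the result is a segmentation
    policy rather than one rule per host. Two things are deliberately not baked
    into the new policy: flows seen fewer than `min_hits` times (returned for
    review, since learning from traffic also learns unwanted traffic) and
    endpoints outside every known segment (returned as unmapped rather than
    silently widened to 'any')."""
    counts, unmapped = Counter(), []
    for h in hits:
        if h.rule != rule_name:
            continue
        s, d = segment_of(h.src, segments), segment_of(h.dst, segments)
        if s is None or d is None:
            unmapped.append(h)
            continue
        counts[(s, d, f"{h.proto}/{h.port}")] += 1
    refined, review = defaultdict(set), []
    for (s, d, svc), n in counts.items():
        if n >= min_hits:
            refined[(s, d)].add(svc)
        else:
            review.append((s, d, svc, n))
    new_rules = [{"name": f"{rule_name}-{i}", "src": s, "dst": d,
                  "services": sorted(svcs), "action": "allow"}
                 for i, ((s, d), svcs) in enumerate(sorted(refined.items()), 1)]
    return new_rules, sorted(review), unmapped


# Constructed sample data
SEGMENTS = {"app": ip_network("10.1.0.0/24"), "db": ip_network("10.2.0.0/24")}
NOW = datetime(2020, 5, 20)
LAST_HIT = {"permit-any": datetime(2020, 5, 19), "legacy-ftp": datetime(2019, 11, 1), "never-used": None}
HITS = [
    Hit("permit-any", datetime(2020, 5, 19, 9, 0), "10.1.0.5", "10.2.0.10", "tcp", 443),
    Hit("permit-any", datetime(2020, 5, 19, 9, 5), "10.1.0.6", "10.2.0.10", "tcp", 443),
    Hit("permit-any", datetime(2020, 5, 19, 9, 7), "10.1.0.5", "10.2.0.10", "tcp", 443),
    Hit("permit-any", datetime(2020, 5, 19, 10, 0), "10.1.0.5", "10.2.0.11", "tcp", 22),
    Hit("permit-any", datetime(2020, 5, 19, 11, 0), "172.16.9.9", "10.2.0.10", "tcp", 443),
]

if __name__ == "__main__":
    print("stale:", stale_rules(LAST_HIT, NOW))
    rules, review, unmapped = refine_rule("permit-any", HITS, SEGMENTS)
    print(rules, review, [h.src for h in unmapped], sep="\n")
```

The caveat a practitioner should keep in mind is built into the function: a policy learned from traffic encodes whatever traffic occurred, so rare flows and endpoints outside the known segments are handed back for a human decision instead of being written into the new rules.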

In R20-1, we’ve also added support for Cisco Firepower zones. You can now view zone-to-zone mapping and make policy changes, for example, adding a new rule to a policy using an automated workflow. Based on source zone and destination zone, Tufin SecureChange automatically highlights which rules should be changed, and in which zone. Once risk analysis is completed, changes are automatically implemented on the Cisco Firepower Management Center (FMC) devices. Finally, SecureChange automatically validates change implementation.

Firepower zone support in Tufin SecureChange