1. Home
  2. Blog
  3. Firewall Best Practices
  4. Tufin Orchestration Suite R21-2: Advanced Automation for Network Access Decommissioning and NSX-T

Published February 15th, 2023 by Sigalit Kaidar

Looking to boost your security automation? Tufin Orchestration Suite R21-2 helps you accelerate and optimize your security and network operations to improve productivity, audit readiness, and overall protection. Be sure to check out the Tufin Knowledge Center for full documentation on Tufin’s latest release.

Let’s take a closer look at the key features of R21-2.

Enhance productivity and optimize rulesets via access decommission

Frequently, users are required to remove network access to an asset (e.g. application, server) for several reasons, the most important of which, is a security risk. Others can be, for example, a completed job by a subcontractor where the access is no longer needed, an employee who left the company, and their access permissions should be revoked, or even the removal of an obsolete app. Whether the necessary change/s require partially decommissioning the access or removing the access completely, it’s a complex task. It repeatedly requires admins to manually change multiple rules that more often than not, are managed by different network security solutions (e.g. Cisco ASA, FortiManager, etc.). Managing rules in silo solutions, without comprehensive visibility into how changes might impact other assets, is an error-prone, time-consuming process that many admins try to avoid out of fear of causing an outage, and disrupting business continuity.

The result is, that over time, admins are left with thousands of rules, and cumbersome, unreadable policies that are impossible to manage manually. Many of these rules are no longer relevant to current business needs and communication flows, which on its own, can also weaken an organization’s security posture.

With the latest release, R21-2, Tufin offers automated access decommissioning that streamlines the process of safely and accurately removing underlying rules and network objects once access is no longer deemed appropriate or necessary.

Users can now use Tufin SecureChange Access Request workflow to both add and remove access on the same ticket. If you want to remove access which uses a protocol that is no longer considered secure, and add new access using a more secure protocol , you can use the same ticket to do both in an automated/semi-automated way (depending on your preference).

access decommissioning workflow
Access decommissioning workflow: Ascertain business impact

As a step in the Access Request workflow, the Tufin Designer will design both changes (adding new access and decommissioning existing access). By clicking on the ‘Manage Related Rules’, as shown in the screenshot below, you can view the impacted rules that are included in Tufin Designer’s recommendations for access removal. You can view related rules, irrespective of the network solution vendor used, and determine which ones you want to implement. This provides both visibility and control over the sensitive process of network access removal.

access decommissioning report
Access decommissioning support in the Access Request workflow: Ascertain business impact

Moreover, if you don’t want Tufin to change a specific rule, you can easily indicate it by clicking the ‘Ignore Rule’ checkbox and re-running the Tufin Designer. The redesigned change will not include the ‘ignored rules’ (see screenshot below). Once approved, Tufin will implement the relevant policy change/s and verify implementation after it’s complete.


Access decommissioning support in Access Request workflow: Ascertain business impact

In conclusion, with the addition of Access Decommissioning to the Access Request workflow, you will benefit from a streamlined and straightforward process to help you remove risky and/or no longer needed access, in a controlled manner. This will enable you to reduce complexity, minimize the risk of outages, and reduce the possibility of security risks caused by misconfigurations and manual processes.

Simplified audit readiness with editable rule comments

In addition, R21-2 offers another new feature to further support the Access Request process. If your organization is being audited for compliance standards, such as PCI-DSS, as part of the rule analysis, you should look for any rules without comments. Adding a comment to a new rule or updating a comment of an existing rule, is a security and operational best practice, whereby the comment should clearly outline business requirements, last change to a rule, etc.

Currently, network admins have to manually edit rule comments directly on the network device, which is a cumbersome, error-prone process. They often need to access multiple consoles from different vendors to edit comments across their environment, and keep the ruleset readable. From R21-2, as part of the Access Request workflow, admins can now edit comments of an existing rule that is subject to change by the Tufin Designer. Tufin then automatically provisions the edits to the comment across all relevant devices, making it exceptionally easier to track and perform rule reviews for audit purposes.

Modifying rule comments is available via both Tufin SecureChange GUI and an API.

access request workflow edit rules
Edit existing rules’ comment in the Access Request workflow

VMware NSX-T Enhancements

As the leading supplier of automated policy management for software-defined networking (SDN), Tufin further enhanced its automation capabilities for VMware NSX-T, to provide:

  • Automate policy changes with ‘Applied to’ field – In this release, we enhanced our Access Request workflow to take the “Applied to” field into consideration when designing and implementing a new access request. As part of a new access design, Tufin automatically identifies all relevant security groups and their content (e.g. VMs), and applies the necessary changes to the relevant policy/rule.
  • Enhance visibility into VMware NSX-T security groups with tags – To help you even further simplify NSX-T policy management, with R21-2, you can now manage policies using dynamic attributes, such as tags. Tufin provides visibility into tags and their associated security groups and VMs, whereby you can use Tufin SecureTrack to easily view and identify policy violations with the security groups’ content. In addition, you can optimize security group rules by running rule cleanup, as well as conduct path analysis from source/destination containing security groups, for fast and effective troubleshooting.


Visibility into security groups, VMs, and tags

  • NSX-T rule direction – R21-2 provides enhanced visibility and advanced search capabilities for NSX-T rules direction in Tufin SecureTrack. You can now search for rules using the direction criteria (e.g. find all rules with ‘in’ direction or ‘out’ direction, find rules that have in/out directions, or include no direction).

To learn more about R21-2, and to see these and other new features in action, watch this webinar.

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest

In this post:

Background Image