Tufin · Capability

Tufin Network Security Policy Management

Unified workflow capability combining Tufin SecureTrack and SecureChange for end-to-end network security policy lifecycle management. Enables network security engineers and SOC analysts to analyze topology, query firewall rules, assess risk, and automate policy change workflows from a single interface. Ideal for firewall change automation, compliance auditing, and network access troubleshooting.

Tags: Change Management, Compliance, Firewall Management, Network Security, Policy Orchestration, Risk Management, Tufin, Workflow Automation

What You Can Do

GET  /v1/devices                                      Get devices — List all network devices in SecureTrack
GET  /v1/devices/{deviceId}/rules                     Get device rules — Get firewall rules for a device
GET  /v1/topology/path                                Check path — Check if traffic is allowed between network endpoints
GET  /v1/network-objects                              Search objects — Search for network objects
GET  /v1/risk                                         Get risk — Get risk analysis findings
GET  /v1/change-tickets                               Get tickets — List security change tickets
POST /v1/change-tickets                               Create ticket — Submit a security change request
GET  /v1/change-tickets/{ticketId}                    Get ticket — Get a specific change ticket
GET  /v1/change-tickets/{ticketId}/tasks/{taskId}     Get task — Get a workflow task
PUT  /v1/change-tickets/{ticketId}/tasks/{taskId}     Update task — Update a workflow task

MCP Tools

list-devices (read-only): List all network devices (firewalls) managed by Tufin SecureTrack
get-device-rules (read-only): Get firewall rules for a specific network device
check-network-path (read-only): Check if traffic is allowed between source and destination IP addresses
get-topology-map (read-only): Retrieve the full network topology map from SecureTrack
search-network-objects (read-only): Search for network objects (IPs, ranges, groups) across all managed devices
search-services (read-only): Search for service definitions across managed devices
get-risk-findings (read-only): Get security risk analysis findings including policy violations and unused rules
list-change-tickets (read-only): List security policy change tickets in SecureChange
create-change-ticket: Submit a new firewall rule change request to SecureChange workflow
get-change-ticket (read-only): Get details for a specific security change ticket
get-ticket-tasks (read-only): Get workflow tasks for a change ticket
approve-change-task: Approve or update a workflow task in a security change ticket
list-device-revisions (read-only): Get policy revision history for a network device

Capability Spec

network-security-policy-management.yaml
naftiko: 1.0.0-alpha2
info:
  label: Tufin Network Security Policy Management
  description: Unified workflow capability combining Tufin SecureTrack and SecureChange for end-to-end network security policy
    lifecycle management. Enables network security engineers and SOC analysts to analyze topology, query firewall rules, assess
    risk, and automate policy change workflows from a single interface. Ideal for firewall change automation, compliance auditing,
    and network access troubleshooting.
  tags:
  - Change Management
  - Compliance
  - Firewall Management
  - Network Security
  - Policy Orchestration
  - Risk Management
  - Tufin
  - Workflow Automation
  created: '2026-05-03'
  modified: '2026-05-06'
binds:
- namespace: env
  keys:
    SECURETRACK_USERNAME: SECURETRACK_USERNAME
    SECURETRACK_PASSWORD: SECURETRACK_PASSWORD
    SECURECHANGE_USERNAME: SECURECHANGE_USERNAME
    SECURECHANGE_PASSWORD: SECURECHANGE_PASSWORD
capability:
  consumes:
  - type: http
    namespace: securetrack
    baseUri: https://{tos_host}/securetrack/api
    description: Tufin SecureTrack REST API for network security policy management
    authentication:
      type: basic
      username: '{{SECURETRACK_USERNAME}}'
      password: '{{SECURETRACK_PASSWORD}}'
    resources:
    - name: devices
      path: /devices
      description: Network devices managed by SecureTrack
      operations:
      - name: get-devices
        method: GET
        description: Retrieve all network devices managed by SecureTrack
        inputParameters:
        - name: name
          in: query
          type: string
          required: false
          description: Filter by device name
        - name: vendor
          in: query
          type: string
          required: false
          description: Filter by vendor
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: device
      path: /devices/{deviceId}
      description: Single network device
      operations:
      - name: get-device-by-id
        method: GET
        description: Retrieve a specific network device by ID
        inputParameters:
        - name: deviceId
          in: path
          type: integer
          required: true
          description: Device identifier
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: device-revisions
      path: /devices/{deviceId}/revisions
      description: Policy revisions for a device
      operations:
      - name: get-device-revisions
        method: GET
        description: Retrieve policy revision history for a device
        inputParameters:
        - name: deviceId
          in: path
          type: integer
          required: true
          description: Device identifier
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: device-rules
      path: /devices/{deviceId}/rules
      description: Firewall rules for a device
      operations:
      - name: get-rules-by-device
        method: GET
        description: Retrieve all firewall rules for a specific device
        inputParameters:
        - name: deviceId
          in: path
          type: integer
          required: true
          description: Device identifier
        - name: policy
          in: query
          type: string
          required: false
          description: Filter by policy name
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: topology-path
      path: /topology/path
      description: Network path analysis
      operations:
      - name: get-topology-path
        method: GET
        description: Query network topology to determine if traffic is permitted between endpoints
        inputParameters:
        - name: src
          in: query
          type: string
          required: true
          description: Source IP address or CIDR
        - name: dst
          in: query
          type: string
          required: true
          description: Destination IP address or CIDR
        - name: service
          in: query
          type: string
          required: false
          description: Service (e.g., tcp/443)
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: topology-map
      path: /topology/map
      description: Full network topology map
      operations:
      - name: get-topology-map
        method: GET
        description: Retrieve the full network topology map
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: network-objects
      path: /network_objects
      description: Network objects across managed devices
      operations:
      - name: get-network-objects
        method: GET
        description: Search for network objects across all managed devices
        inputParameters:
        - name: name
          in: query
          type: string
          required: false
          description: Filter by object name
        - name: ip
          in: query
          type: string
          required: false
          description: Filter by IP address
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: services
      path: /services
      description: Service objects across managed devices
      operations:
      - name: get-services
        method: GET
        description: Search for service objects across all managed devices
        inputParameters:
        - name: name
          in: query
          type: string
          required: false
          description: Filter by service name
        - name: port
          in: query
          type: string
          required: false
          description: Filter by port number
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: zones
      path: /zones
      description: Security zones
      operations:
      - name: get-zones
        method: GET
        description: Retrieve all security zones
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: risk
      path: /risk
      description: Risk analysis findings
      operations:
      - name: get-risk-analysis
        method: GET
        description: Retrieve risk analysis findings including policy violations
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  - type: http
    namespace: securechange
    baseUri: https://{tos_host}/securechangeworkflow/api/securechange
    description: Tufin SecureChange REST API for security policy change workflows
    authentication:
      type: basic
      username: '{{SECURECHANGE_USERNAME}}'
      password: '{{SECURECHANGE_PASSWORD}}'
    resources:
    - name: tickets
      path: /tickets
      description: Security change tickets
      operations:
      - name: get-tickets
        method: GET
        description: Retrieve security change tickets with optional status filtering
        inputParameters:
        - name: status
          in: query
          type: string
          required: false
          description: Filter by ticket status
        - name: count
          in: query
          type: integer
          required: false
          description: Number of tickets to return
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: create-ticket
        method: POST
        description: Submit a new security change ticket
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        body:
          type: json
          data:
            subject: '{{tools.subject}}'
            description: '{{tools.description}}'
            priority: '{{tools.priority}}'
            workflow: '{{tools.workflow}}'
    - name: ticket
      path: /tickets/{ticketId}
      description: Single change ticket
      operations:
      - name: get-ticket-by-id
        method: GET
        description: Retrieve a specific security change ticket
        inputParameters:
        - name: ticketId
          in: path
          type: integer
          required: true
          description: Ticket identifier
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: update-ticket
        method: PUT
        description: Update an existing change ticket
        inputParameters:
        - name: ticketId
          in: path
          type: integer
          required: true
          description: Ticket identifier
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        body:
          type: json
          data:
            subject: '{{tools.subject}}'
            description: '{{tools.description}}'
    - name: ticket-tasks
      path: /tickets/{ticketId}/tasks
      description: Workflow tasks for a ticket
      operations:
      - name: get-ticket-tasks
        method: GET
        description: Retrieve all workflow tasks for a ticket
        inputParameters:
        - name: ticketId
          in: path
          type: integer
          required: true
          description: Ticket identifier
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: ticket-task
      path: /tickets/{ticketId}/tasks/{taskId}
      description: Single workflow task
      operations:
      - name: get-task-by-id
        method: GET
        description: Retrieve a specific workflow task
        inputParameters:
        - name: ticketId
          in: path
          type: integer
          required: true
          description: Ticket identifier
        - name: taskId
          in: path
          type: integer
          required: true
          description: Task identifier
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: update-task
        method: PUT
        description: Update a workflow task (approve, reject, or provide implementation)
        inputParameters:
        - name: ticketId
          in: path
          type: integer
          required: true
          description: Ticket identifier
        - name: taskId
          in: path
          type: integer
          required: true
          description: Task identifier
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        body:
          type: json
          data:
            status: '{{tools.status}}'
            comment: '{{tools.comment}}'
    - name: workflow-definitions
      path: /workflow_definitions
      description: Workflow template definitions
      operations:
      - name: get-workflow-definitions
        method: GET
        description: Retrieve all workflow definitions configured in SecureChange
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: network-policy-api
    description: Unified REST API for Tufin network security policy management.
    resources:
    - path: /v1/devices
      name: devices
      description: Network devices managed by SecureTrack
      operations:
      - method: GET
        name: get-devices
        description: List all network devices in SecureTrack
        call: securetrack.get-devices
        with:
          vendor: rest.vendor
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/devices/{deviceId}/rules
      name: device-rules
      description: Firewall rules for a network device
      operations:
      - method: GET
        name: get-device-rules
        description: Get firewall rules for a device
        call: securetrack.get-rules-by-device
        with:
          deviceId: rest.deviceId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/topology/path
      name: topology-path
      description: Network topology path analysis
      operations:
      - method: GET
        name: check-path
        description: Check if traffic is allowed between network endpoints
        call: securetrack.get-topology-path
        with:
          src: rest.src
          dst: rest.dst
          service: rest.service
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/network-objects
      name: network-objects
      description: Network objects across managed devices
      operations:
      - method: GET
        name: search-objects
        description: Search for network objects
        call: securetrack.get-network-objects
        with:
          name: rest.name
          ip: rest.ip
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/risk
      name: risk
      description: Risk analysis and policy compliance findings
      operations:
      - method: GET
        name: get-risk
        description: Get risk analysis findings
        call: securetrack.get-risk-analysis
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/change-tickets
      name: change-tickets
      description: Security policy change tickets
      operations:
      - method: GET
        name: get-tickets
        description: List security change tickets
        call: securechange.get-tickets
        with:
          status: rest.status
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: create-ticket
        description: Submit a security change request
        call: securechange.create-ticket
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/change-tickets/{ticketId}
      name: change-ticket
      description: Single security change ticket
      operations:
      - method: GET
        name: get-ticket
        description: Get a specific change ticket
        call: securechange.get-ticket-by-id
        with:
          ticketId: rest.ticketId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/change-tickets/{ticketId}/tasks/{taskId}
      name: change-ticket-task
      description: Workflow task in a change ticket
      operations:
      - method: GET
        name: get-task
        description: Get a workflow task
        call: securechange.get-task-by-id
        with:
          ticketId: rest.ticketId
          taskId: rest.taskId
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: update-task
        description: Update a workflow task
        call: securechange.update-task
        with:
          ticketId: rest.ticketId
          taskId: rest.taskId
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    port: 9080
    namespace: network-policy-mcp
    transport: http
    description: MCP server for AI-assisted Tufin network security policy management.
    tools:
    - name: list-devices
      description: List all network devices (firewalls) managed by Tufin SecureTrack
      hints:
        readOnly: true
        openWorld: true
      call: securetrack.get-devices
      with:
        vendor: tools.vendor
      outputParameters:
      - type: object
        mapping: $.
    - name: get-device-rules
      description: Get firewall rules for a specific network device
      hints:
        readOnly: true
        openWorld: false
      call: securetrack.get-rules-by-device
      with:
        deviceId: tools.deviceId
      outputParameters:
      - type: object
        mapping: $.
    - name: check-network-path
      description: Check if traffic is allowed between source and destination IP addresses
      hints:
        readOnly: true
        openWorld: false
      call: securetrack.get-topology-path
      with:
        src: tools.src
        dst: tools.dst
        service: tools.service
      outputParameters:
      - type: object
        mapping: $.
    - name: get-topology-map
      description: Retrieve the full network topology map from SecureTrack
      hints:
        readOnly: true
        openWorld: true
      call: securetrack.get-topology-map
      outputParameters:
      - type: object
        mapping: $.
    - name: search-network-objects
      description: Search for network objects (IPs, ranges, groups) across all managed devices
      hints:
        readOnly: true
        openWorld: true
      call: securetrack.get-network-objects
      with:
        name: tools.name
        ip: tools.ip
      outputParameters:
      - type: object
        mapping: $.
    - name: search-services
      description: Search for service definitions across managed devices
      hints:
        readOnly: true
        openWorld: true
      call: securetrack.get-services
      with:
        name: tools.name
        port: tools.port
      outputParameters:
      - type: object
        mapping: $.
    - name: get-risk-findings
      description: Get security risk analysis findings including policy violations and unused rules
      hints:
        readOnly: true
        openWorld: true
      call: securetrack.get-risk-analysis
      outputParameters:
      - type: object
        mapping: $.
    - name: list-change-tickets
      description: List security policy change tickets in SecureChange
      hints:
        readOnly: true
        openWorld: true
      call: securechange.get-tickets
      with:
        status: tools.status
      outputParameters:
      - type: object
        mapping: $.
    - name: create-change-ticket
      description: Submit a new firewall rule change request to SecureChange workflow
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: securechange.create-ticket
      with:
        subject: tools.subject
        description: tools.description
        priority: tools.priority
        workflow: tools.workflow
      outputParameters:
      - type: object
        mapping: $.
    - name: get-change-ticket
      description: Get details for a specific security change ticket
      hints:
        readOnly: true
        openWorld: false
      call: securechange.get-ticket-by-id
      with:
        ticketId: tools.ticketId
      outputParameters:
      - type: object
        mapping: $.
    - name: get-ticket-tasks
      description: Get workflow tasks for a change ticket
      hints:
        readOnly: true
        openWorld: false
      call: securechange.get-ticket-tasks
      with:
        ticketId: tools.ticketId
      outputParameters:
      - type: object
        mapping: $.
    - name: approve-change-task
      description: Approve or update a workflow task in a security change ticket
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: securechange.update-task
      with:
        ticketId: tools.ticketId
        taskId: tools.taskId
        status: tools.status
        comment: tools.comment
      outputParameters:
      - type: object
        mapping: $.
    - name: list-device-revisions
      description: Get policy revision history for a network device
      hints:
        readOnly: true
        openWorld: false
      call: securetrack.get-device-revisions
      with:
        deviceId: tools.deviceId
      outputParameters:
      - type: object
        mapping: $.