Tufin Orchestration Suite Reviews

We use Tufin to do the review of rules, best practices, changes, and usage. So, it's an outside entity looking in to see what's happening on the rules sides. Then, we can do recertification for our rules, so they can be used again. Tufin puts it together really well, saying what's needed or not, then cleaning things up. We've been a customer for a very long time with them, and we're pretty pleased.

The solution's visibility is excellent for Check Point.

There's a new feature that validates standards. It allows the checks and balances against it, so it doesn't even go forward. It just says, "You're not right. Do it again."

We just got done with major audits. Tufin was able to provide information to give back to people, and say, "Hey, this is what I need to do, and what we're doing."

It's working on helping us meet our compliance mandates. We're a bank, so we're always chasing it, but it is helping us a lot. Rule recertifications are our biggest thing. However, what happens in the world of firewalls is people will put in rules to get what they need but don't ever clean them up when they stop using them.

The reporting is very good and provides in-depth knowledge for Check Point. We can write the rules as we see them. We can review rules and do searches. It has its own database which pulls all the information in regularly. This is very nice, and it is a good product for us.

I like the change impact analysis. It tells you what is going on,so you can review what has changed. In case you have to go backwards, and say, “Oops, that wasn't supposed to happen. How do I go get it?”

We were just talking to them about usage for the F5 platform. They will not be going after specific environments, but a more OpenAPI. They will have other companies write it, etc. It's a little different than I had expected.

It is a very stable product. 

It has very good growth. The scalability is very nice. We're doing a distributed environment right now. So, it has met our needs, which is nice.

The technical support has been excellent.

We were the first North American company to do this product, a long time ago. So, I don't know how the initial setup went. It's been a while. However, every time we go back and do stuff, it has been a pretty straightforward installation.

We used an integrator and professional services.

The overall experience was very good. I liked it.

We have seen ROI.

Buy Tufin because it works! I love the product. It's been a great product to work with. The people are great, and the support is awesome. I have had no downside out of it.

We're just getting started on the change workflow. So, we're learning it, and it's working well.

It helps with our review process. We do a peer review, saying "Hi, here's all the changes," then you can look at it and go, "Oops I forgot something," or, "I don't think that was in any drop," and we can go back and review that. This is where it helps us minimizes errors. Before Tufin, we would not end up not catching these errors.

We are automating, so we are getting to a place where our engineers are spending less time on manual processes.

We are using Tufin to be security compliant within our organization.

This solution was a need for our organization to stay compliant and it has helped us in this way.

The most valuable feature of Tufin is rule analysis.

I have been using Tufin for approximately three years.

Tufin is stable.

The scalability of Tufin is good.

We have approximately 20 people using Tufin in my company. We have many teams using the solution, such as security, operational network, and network architecture.

We do not have plans to increase the usage of this solution.

The support I received from Tufin was responsive and helpful.

I rate the support from Tufin a four out of five.

Positive

I have previously used AlgoSec and we switched because the price was too high.

The initial setup of Tufin was complex. We had some issues with the architecture.

We did the implementation of the solution in-house.

The price of Tufin could be lower.

We have a team of three engineers that do the maintenance of the solution.

I would recommend this solution to others.

I rate Tufin a nine out of ten.

We use two main modules. We really appreciate the change manager. It's one of the most valuable aspects of the solution.

The technical support is pretty good.

We need the solution to have full compliance with IPV6. 

We also use VMware features and we need the solution to be fully integrated. We used to make micro-segmentation. We'd like to be able to do this again, and for that to happen, we need more integration.

The pricing of the solution is rather expensive. 

It needs to be more comprehensive. There are also some drawbacks in trying to import a policy matrix inside. If some people design a policy matrix in the file, in an Excel file, the problem is that we will have to work a bit to interact with it properly. Something more economical needs to be in place to deal with the policy matrix.

We have a small team working with Tufin. That said, even though the team is not a big team, we have a lot for it to do. Tufin now is our policy manager for the private cloud. It's the main policy manager. We also use Skybox for the legacy part.

I've dealt with technical support in the past. They are okay. They really try to work with us. I'd describe them as being helpful and responsive for the most part. We're largely satisfied with their level of service.

We also use Skybox Security Suite. We use both that and Tufin simultaneously.

The initial setup was actually handled by another team. I can't speak to the implementation process due to the fact that I did not participate in the process directly.

As an architect, the pricing seems expensive to me. For what it does, I would say it's expensive. 

I can only really compare it to Skybox, which is a solution we also use. 

If I compare it with Skybox, I see it is the best. It is better than the Skybox. However, we need it to do more. 

We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit. 

I'm not sure of which version of the solution we're using. I can't recall the version number off-hand.

I'd rate the solution at a seven out of ten.

We do risk, cleanup, and change.

It reduces human error and speeds up the whole change process.

The change workflow process is flexible and customizable. There are five default workflow processes out-of-the-box. However, every customer is different. Everybody has a different request process. That is why it's so customizable. You can add another step, you can delete a step, or you could put in an exception. It is very flexible.

We use this solution to automatically check if a change request will violate any security policy rules. E.g., we will not be allowing SSH to the Internet. That is one change request where we can be like, "Put that right on top of the policy." 

This solution has helped us to meet our compliance mandates, especially with the default out-of-the-box templates, then you can create your own.

This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, "This is a violation." That's a value-add.

• Cleanup
• Visibility
• Scalability
  

Cleanup is its most valuable feature. We use Tufin to cleanup our firewall policies. You can see unnecessary, unused objects. A lot of times, you will create a host, then it's not used. It's like, "Delete that, because we don't need that in the database." Or, it's a rule that is not needed: unused rules.

Its cloud-native security features are good. They add even more visibility to your environment.

I would like more out-of-the-box workflows in SecureChange with more default config, so you don't have to create those workflows yourself. This would be the biggest thing.

I would also like more enforcement. Right now. it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action.

We already know the user interface is getting redesigned in TOS 2.0. That's naturally been the customer complaint in my experience, "Where are things in the GUI? The GUI is cumbersome." Now, I'm used to it, but when your first learning it, it is unintuitive.

The stability is very good, especially now that they are developing a lighter weight operating system on top of the OS with 2.0 coming out this year. 

The current version is slow. I deal with a lot of large environments, which is mostly what Tufin has. It is slow because it is a database, Tomcat Server, and web server. Reports are slow. If you're generating manually on the fly, you can set them to run at night, then it's not a big deal.

The scalability is good, because you can have a central server, distributed server, and remote collectors. You can have remote land sites or branch offices. You can have the collectors collect the data for you. You don't have to rely on just one server.

The technical support is very good. It is a lot better than the firewall vendors themselves.

There were not enough resources to do the changes themselves. We definitely went offshoring. Now, you see a lot of that coming back because there is not enough people. We needed a system to do it.

At first, the initial setup is complex. Once you know it, the initial setup is straightforward.

First, you have to install the operating system. Then, you have to install the application, where there are certain version requirements. You can't just go right to the latest OS version. You have to go back to the older one, then upgrade those as well. It is a little cumbersome.

I am an integrator. Sometimes, we have to use Tufin on the back-end.

We have seen ROI just in the time savings and knowledge. Knowledge is power. Having the solution do it automatically for you without you doing the work is huge. If you are spending $50,000 a year, it could have cost you a $100,000 in man-hours without it, especially if you are working with a team..

This solution has helped reduce the time it takes our customers to make changes by 50 percent.

Engineers are spending less time on manual processes by 50 percent.

While licensing varies greatly, it is about $50,000 a year.

We did consider other vendors, but Tufin is the market leader. We only deal with the best of breed. We like to go with the best.

Do a proof of concept or proof of value. You will see the value right there.

The visibility is top-notch. I know the vendors as well, like Check Point and the firewall product underneath it. I know with Check Point, specifically, and I have seen some issues with it. However, overall, there is still a lot of value in the cleanup.

We primarily use this solution for Change automation. We do not use USP, yet.

This solution has somewhat helped us with meeting our compliance mandates. We’re still working on it, and it’s a work in progress, but we’re better than we were.

Using this solution has helped to reduce the time it takes us to make changes. Our average was about five business days, and we’re down to same-day delivery. For some of our environments like QA and non-production, where we allow changes during the day, they can be done right away. 

Our engineers are spending significantly less time on manual processes.

The most valuable feature of this solution is that it reduces both the time required and the number of errors when making changes. We reduced the time it takes to make a change from a week down to a few hours. It means that the business gets a faster turnaround time, and our group is not as much of an obstacle for getting things done. It reduced the change error, so there is a lot less manual work being done.

The automation provided by this solution has mostly eliminated the human error element.

The most powerful thing in Tufin is the ability to use the SecureChange API, where we can supplement our own functionality in addition to what is built-in.

There are some limitations in the product and we were unable to use the Clean Up reports. 

We haven't been able to use the unified security policy and a lot of the violations and stuff like that. So, we're not getting a whole lot of visibility. Again, there are limitations there, so we haven't been able to deploy that yet.

USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it.

One thing that could be improved is the moving of data from one step to the next. As it is now, we have to manually do that via the API, but there should be a way to carry over data between the different steps without us having to code that.

It could definitely use some refinements and utilize fewer resources. It uses a lot of hardware to do not a whole lot of tasks.

This solution is stable. We don't have any issues with it, but it's a resource hog.

This solution is not entirely scalable, although we have a very small footprint, so we don't really need it to be. For our use case, it's okay. I think that the distributed architecture, which we don't use, would allow it to be a lot more scalable, but I haven't had any experience with that.

Technical support for this solution is good. We have a technical account manager and he's been right on point with most of our stuff. It's a fairly complex thing that went to R&D. It took some time, but that's to be expected.

The initial setup was completed before I was there, but I have heard that they had a lot of issues with setting up high availability. Other than that, it was pretty straightforward.

We used a G2 reseller for our deployment and it was a good experience.

Our licensing fees are approximately $250,000 USD.

This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it.

I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly.

The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation.

I would rate this solution a seven out of ten.

I am working in a DevOps environment. We are trying to automate firewall rules and allow Tufin to push these changes for us. Using SecureChange and SecureApp, it makes life easier for the user community and the firewall engineers by not having to manually input firewall rules. The DevOps environment allows the users to pick from a catalog and request what they need. SecureTrack gives us the audit capability of what is/was implemented.

To me, SecureTrack is the greatest thing since sliced bread, it allows you to see what is used and not used with your firewall, and gives extensive analysis in a very short period of time.

I can run SecureTrack for a week and have a great idea of what’s being used. Ideally, you want to let it run for a year, accumulate data, go over a years’ worth of data and decide what really needs to be cleaned up.

You will see in one report what is being used (IP addresses or services) and what has never been used.

Gone are the days of reviewing logs to figure out, "do I still need this rule/service?" It’s been a really great piece of software.

Probably in the ad-hoc reporting. They give you the canned reports. We do use the API calls, but it would be nicer if they could just give you a drag-and-drop function in the reporting. Pick anything out of the database and massage that data the way you want it.

Tufin has been working with us hand-in-hand lately because they do see that we are doing a lot of cloud-development work with automation. It’s in all our best interest going forward and they have responded seeing the future is in the cloud.

Personally I have been using Tufin for seven years across different companies.

No issues encountered. Strongly encourage an HA environment.

It’s holding up real good with scalability and stability. We have not run out of power on the box. They have been here on site and see what we are doing and how we are doing it. We are telling them what we need and they are doing it. They are pushing the envelope in their development side to try and meet our demands.

The level of service is excellent. I can’t overstate that. We open a lot of tickets because we are using a lot of things that a lot of people are not using in the product, which is too bad. Most people don’t understand the power this product brings to the table.

The technical support team is right on top of it. They don’t just leave you hanging. They know the guts of the product. They are able to get in and figure out what is happening and get you up and running again.

A lot of companies will put the new guy on the front lines so that they learn the product line quicker, Tufin does not do that, these guys actually know their stuff. If they don’t know they go straight to the developers. I can’t praise them high enough.

We have a great relationship. You need help and they are there. If that’s operating system support or the application, their engineers are very resourceful. Looking at their roadmap, we see great improvements coming to cover the new world of automation and cloud computing.

Bottom line they are very responsive, and very good.

It’s easy to deploy. It’s a very easy product to work with. It’s one of the easier products to implement.

In-house with Tufin on-call ready to help.

We have made a ROI. We have invested a lot of money in these products. Any company that puts in SecureTrack alone will see a very quick return on investment.

With SecureApp we are automating cloud development work, the only thing we have to do at the end of the day is go to the firewalls and click ‘install’. It will do the end to end analysis for you.

You need to approach it from a cost perspective. If you have to go through and analyze a rule base, it’s going to take you months and months and a lot of people. If you use Tufin, right off the bat, it’s collecting the information and it’s going to tell you what’s been hit or not. It will tell you how many hits on each source/destination address, and services.

It’s the Swiss army knife of tools. I’m sold on it. It’s so easy to use. We use it to its full potential. It has some great bells and whistles.

We are an IT service provider. We are using it in our company and on the customer side. So, we have internal customers, and we are also a solution provider for external customers.

We can check and analyze the current status of our firewall rules.

Their pricing can be better. It is not very transparent. 

In terms of functionality, we have not had any particular or special disadvantages other than the integration, but every tool that you take to integrate with your infrastructure is more or less complicated. For example, you have a history in your firewall infrastructure, and the longer the history is, the more you have to work on it to integrate. We see that in our infrastructure. We have been a service provider for more than 40 years, and we have been on the market for 20 years. We have a lot of customers, and there are some individual requests and setups. For the integration of Tufin or any other tool, you need a certain level of standardization. We have more disadvantages on the site from different firewall vendors. For example, with Drupal, you can integrate any individual firewall, but for Fortinet, you have to use a Fortinet manager.

We are not looking for any additional features at the moment. We are not planning to buy any other modules.

I have been using this solution for five years.

Until now, we have not had any problems in terms of stability.

It has been scalable so far. We don't have any issues.

On the administration side, 15 people are working with it.

I would rate them a six out of 10. In many cases, we had to escalate.

I didn't work with a similar product previously.

Its implementation process is complicated.

It is expensive, but as compared to other players, it's more or less okay. Their pricing is not very transparent. This is my biggest point regarding Tufin. I've never seen a price list or something like that. It's always individual, and in many cases, it's very confusing to know what is the base and what is the price.

I would advise thinking about which modules you really want to use. We are using it only to have a transparent view of the firewall rule base and nothing more. We are not using any modules of this solution because we want to be and stay independent. For example, for the execution of the firewall rules, we use our own system. We have also developed all the other things ourselves so that in the future, we can switch to another product. So, you have to take care that you are not fully dependent on Tufin. 

I would rate it a seven out of ten.

Our primary use case is firewall automation. We use SecureTrack and SecureChange. We have distribution serves, Remote Collectors, but what we primarily use is SecureChange integrated with ServiceNow for users to submit firewall requests. They then go to SecureChange which designs the rules and implements them.

When it comes to the turnaround of firewall rule requests, it used to take about a week to implement and have the customer test for firewall access. Now, it can take just one day. The implementation itself takes a minute or two. For the customer, it may take the rest of the day, by the time that the policy is installed and the customer tests, either that evening or the next day.

While I'm not involved in the leadership, I believe the solution has helped us to meet our compliance mandates: from a firewall perspective, as well as an audit perspective, as well as review of the rules and source and destination port requests.

As for ensuring that security policy is followed across the entire hybrid network, we're getting there. That's part of why we implemented Tufin. We are implementing that across our multiple offices. Once we get to that state, it will ensure that security policy is followed.

Finally, using the solution, our engineers are spending less time on manual processors.

In general, the automation piece is the most valuable feature: having SecureChange make the change on the firewalls, instead of my having to go manually make the changes on the vendor product.

In terms of cleanup of our firewall policies, we don't officially use Tufin, but I, as an architect, do use the Automatic Policy Generator to review existing rules: high hit-count rules and open rules which aren't very secure. We use that to then build firewall rules which tighten up our firewall policy.

The change workflow process is flexible and customizable. We have had to edit and alter some of our workflow and it's pretty easy, pretty simple, pretty straightforward. We use Tufin support, their helpdesk, for that because we're a very new customer.

In terms of the visibility the solution provides, we have hits and misses with it. Overall, we think it works. We would like to get more automated, but that could be an issue internally with services and ports that we allow between different zones and our USP matrix. We're working with Tufin representatives to help solidify that and clean that up a little bit. That's one of the headaches and hiccups that we have right now: the full automation piece. We have automation to an extent, but we still have requesters who submit requests that still require approval, whether it be firewall leadership approval or cyber leadership approval. We want to determine what ports are allowed between the zones, as I mentioned, so that we can have full automation and there's no human interaction at all.

We would like to see automation metrics, from a reporting standpoint. We would also like to see automation of site-to-site VPN tunnels. We would like to see automation of Check Point application-based firewall rules. That's available on the Palo Alto side, but we are primarily a Check Point site on-prem. We have Palo Alto on the cloud but most of our on-prem stuff is from Check Point, so we're waiting for that. Those are some of the key things we're waiting for.

My impression of the stability is positive. We haven't had any issues. We even went through an upgrade about a month ago and it was a smooth process.

As for scalability, we're finding that out right now. We're building out two new Remote Collectors for our global deployment of an additional 150 to 180 firewalls, plus additional Layer 3 appliances. We're working through that right now. Hopefully, it will be a smooth transition but I can't say for sure because we haven't actually implemented it yet.

I would rate tech support as "fair." Response time is a little slow, but when they do respond, and when time is available for them, we work through things pretty quickly to resolution.

I wasn't involved in the initial setup, but from what I've heard from others from whom I took it over, it was very straightforward.

I know they reviewed other solutions but I don't know which, for sure, since I inherited the project. I would assume AlgoSec and FireMon were reviewed as well.

Be as detailed as you can within your introductory meetings, and your planning and implementation phases, because if you don't mention something and it comes back later, you're going to have to work through it. That could take time, it could take extra money. You want to make sure, upfront, that you know everything you want to do so that it's all included in the cost for the Professional Services implementation.

We do use it on the cloud; we're having some trouble right now defining the network policy on our cloud. We're working through that; it's part of being a new client.

I would rate Tufin a seven out of ten. We're a very large, complex organization, so we're still working through some stuff that we focus on, things that, perhaps, other customers don't, or that Tufin doesn't have integrated in the TOS software.