Tufin Orchestration Suite Reviews

The visibility of the changes that are being made on the network. From a firewall perspective and router perspective, we have all our network devices in Tufin. We monitor all the changes that are made constantly. Prior to changes being made, they get approved by our IT security department, and then they're monitored after they're changed as well.

We haven't used it to push configuration yet, but we do have a third party network vendor that does our network changes for us. We immediately know if something was typed wrong or configured incorrectly. We'll get an email from Tufin, and we'll know that they typed something in wrong or incorrectly because that's the email that we receive from Tufin. A lot of times they'll transcribe things, and rules will get set in different directions. We'll know immediately when something happens.

Being the Director of Networking, that's what I'm primarily concerned about. It's to make sure that all the network changes that are being made are the correct changes, we're not opening things up to vulnerabilities that we shouldn't have, as well as making sure that we're locking down what we need to lock down.

I like what's there today. I don't use the product that heavily as much as our IT security department does. Right now the product is doing exactly everything that I want to see it done. I would like to see the ability to have the changes in the configurations pushed out more easily and managed through Tufin to eliminate that human error factor more.

We haven't run out of room with the product yet. It's very scalable. We fly to 115 different locations,we have 3 different data centers, and we monitor all our network devices, firewalls and routers through Tufin.

If you don't have a product like Tufin, get a product like Tufin because it's amazing. It gives you insight into all changes that are done within your network. It's awesome, and it gives you the ability to manage it even though we haven't rolled that piece out ourselves yet.

We use SecureTrack for troubleshooting, APG (Automatic Policy Generator), implementation of new requests, change monitoring, rule and object usage reports.

This solution provides an unified display of rules across vendors.

We use this solution e.g. for cleanup and processing of shadowed rules.

Using this solution saves us time and money. The Automatic Policy Generator saves time because we are able to identify the required policy when a client doesn't know what he needs.

We are able to perform an inventory analysis for colleagues.

The most valuable feature of this solution is APG, the Automatic Policy Generator. Further there are very good capabilities for policy browsing and reporting implemented.

I would like to see better report integration in this solution.

I would rate the stability of this solution a nine out of ten.

The scalability of this solution is ok.

The technical support team for this solution is very polite.

There was some functionality in the integration with Check Point that was initially working not in the best matter, and it was only fixed after Check Point got involved.

We did not use another solution prior to this one.

The initial setup of this solution was not complex. It was simple.

Our in-house team handled the implementation and deployment of this solution.

Tufin is expensive but it is very good.

We did evaluate other options. However, Tufin was the best one that we tried.

Following installation, we mentioned to the SE what ports were on the rule already, and he responded that those were the right ports. So immediately, Tufin already saved us work. And there was already traffic to the destination of a requested rule that needed to just be added to another group. Previously, we would have had to make a new rule and type in the source destination ports. With Tufin, however, the group already existed and we just needed to add it to another group.

Object look-up is also valuable. When someone needs to know about a particular endpoint and what's allowed to it, we only need to type in the IP address and are then able to see every rule associated with that address line by line.

From the very beginning, Tufin has kept our rule set compact so that we don't have to keep stacking up rule after rule. We still have to analyze and find rules that are too open, but it helps use make the right rules in the right places.

It's also a huge deal to us to be able to see the configurations as they change over time, and to know which firewall is responsible for which segments. It allows us to look at all our firewalls at the same time and not have to SSH one after another. We've got it all right there with Tufin -- one pane of glass that shows us everything.

With new engineers to the company, I pull them aside and show them Tufin. Within one hour, they have all the information they need to start creating firewall rules. It's incredibly easy to use. I can't imagine life should it if it should go offline. It's made a huge difference for us.

I'd like to see code provisioning.

It's been up for two years.

We had no issues with deployment.

I believe we had one reboot due to a code upgrade. This was only a single incident.

Our current machine handles all firewalls for one of our business units. We're at a point where we've ordered a larger one to handle 200 firewalls. We'll take the smaller one to have an additional collector. The scalability is very good.

Excellent.

These guys have been amazing. They will work tirelessly. I've only had a few calls, but every time I've had a call, the answer came through in a timely fashion and we got things sorted out. Usually it was user error, they told us, and they didn't lecture us about it.

We simply turned it on, gave it an IP address, and logged into that IP address. Getting it set up with other firewall was straightforward, as was setup for interoperation with Active Directory. We now have group-managed logins.

We looked at FireMon because it's able to analyze rules. But for daily, operational stuff, such as finding rules that already exist and which firewalls are involved, Tufin is much easier and more efficient to use. It was a no-brainer.

It already does traffic analysis and secure change. We've got the secure app so we can keep track of the business critical things. They shouldn't change that. I love the left-hand pane, and being able to navigate that and being able to see things in the split pane on the right-hand side. There are other vendors out there who will decide I need to just have everything at the top and scroll down.

The best thing to do would be get all your firewalls in there and let it bake overnight. It does take some time to collect the data in the config files. Once that's done, teach your help desk staff and the firewall operators how to use this to look up existing conditions and to determine right away whether a rule needs to be made, or whether a group needs to be added, or whether the rule already exists.

The most valuable features are the ease of use and the portal. It is very easy to log in, to navigate, to produce reports and to create workflows. Creating workflows is actually one of the best features that I've seen in the product.

It also gives tremendous insight in that we now know exactly where the rules are, who they belong to, if they being used, and if we need to follow up on a yearly basis to find out if they still need access or if we removed the access because the server went down for whatever reason. Seeing that these rules are actively used helps us a lot. Before Tufin, we knew that we had issues with regards to how many firewalls we had in place. We had rules that were outdated and never being used. We started bringing visibility to that, and that's when we decided that we needed assistance on how to audit the firewall rules.

Not only is it secure to use, but also we put it out to our customers for them to submit firewall requests. We train them on how to fill out a firewall request, which then goes to us for review. There's a lot of work in detailing what changes are necessary for our firewall, but that's more of the technical side. The user side just needs to understand how they submit the request appropriately, and it took Tufin to do that.

One of the reasons we got Tufin was that pre-Tufin, our firewall had more than 1,200 rules. It was very difficult for us to understand when a rule was last used and if it still existed. With Tufin, we're able to manage and say, "Okay this rule was requested, we know who is the author, and we know who it belongs to and to what application." Understanding and visibly seeing what we can do with the firewall rules and how to audit them helps us manage it better.

I would like see the workflow process expand out to give us the ability to tie it to other APIs. I would also like it to log some of the requests that we have and have better dashboard metrics.

Tufin SecureChange, Tufin SecureTrack - we’ve used it for almost a year and a half.

There have been no stability issues whatsoever. It’s rock solid.

With regards to scalability, we are not only using this product for firewall rule management, but also for other manual workflows that we used to have but are now incorporated into Tufin to allow us to automate and actually have visibility into these manual processes. It’s now online instead of being paper copy. We haven’t had an issue with scalability and it’s been able to keep up with this transition.

Because of the training, we had less calls to technical support since we know how to manage the product. The tech support we have used went well.

A co-worker recently came to me and asked, "What do you think about Tufin and AlgoSec in comparison”? I told him that Tufin’s customization options out of the box, the value that you get from the training, and the improvements to our organization made it a no-brainer.

I would rate it a nine out of ten, since there's room for improvements, as always.

Some of our customers has Tufin, and we manage it. We're also planning to have our own Tufin that we're going to use as a leveraged service for all of our customers.

Visibility is its largest and most valuable feature. You can see everything or all the devices on the network for each customer. It provides you a larger view of what might be wrong with the network and how you can improve it with firewall rules, etc. 

If you are talking about secure change, being able to automate the entire change process is pretty much the winner for us. It is going to really reduce the time that it takes for us to do changes, and we can just go out and get more customers.

They've got such a large number of APIs, and it is so easy to use their APIs. Effectively, they allow us to use it with anything. The only way to improve it more is by offering support for implementing their APIs into certain hardware or software that we might use. They can provide support for implementing APIs.

We have been using this solution for three months.

I have not contacted their technical support.

We didn't work with any similar product, but we are just going with secure track and secure change, not secure cloud and secure app. That's all that we really need at this time, and obviously, we will work with Tufin in the future if we need more.

A few of our clients have decided to implement Tufin themselves, whilst we just manage their firewalls. We were not involved in the setup of the management suite. However, after seeing the benefits of this, we have heavily considered the use of Tufin on a number of our other clients we manage.

We have identified that setup is a part of this and in our conversations with Tufin sought to address this. They offer a service for the full setup of the platform for use as an MSSP, and then providing a hand off service towards the end of this setup process which teaches engineers how to setup the remaining required devices.

For the full functionality, Tufin utilises all L3 devices on the network, so setup can be quite daunting. However, we identified that it would take ~30 minutes per L3 device, some of which can be done simultaneously. This is the biggest drawback to Tufin integration. However, Tufin can be used to some degree without this, meaning you can reap the benefits of it sooner rather than later.

What we found is that the return on investment will be pretty quick. This is because of the time saving that Tufin offers in FW changes, we can implement more changes at a faster rate. This has huge savings for employee's workload and the cost of their work. We have freed up a large majority of our FW engineer's time. The huge ROI we witnessed has resulted in us identifying that we can go to market to gain more customers and really broaden our customer base without the 'con' of hiring more people.

Because we're quite a large company, the initial price wasn't too much of a factor for us. This is because the ROI was so significant for us.

We identified others, like Firemon and Skybox, however we found that they were not as mature as Tufin, not offering the same range of Firewall Vendors, e.g. Palo Alto, Check Point, etc., and the same level of automation.

I would advise others to definitely work with Tufin and work out the best costs. Work out how soon you'll realize your return on investment. That has been a major kind of help. They've been brilliant in trying to help us develop a business case for using it, and then internally, I am sure there will be a massive help for implementing it in the future.

I would rate Tufin a nine out of ten based on the whole experience that we've had with it and the real kind of capabilities of the product.

In my group, we use Tufin to prove recourse. With firewalls, in terms of searching for existing rules, if we are looking for a particular rule, it shows whether an object exists, the network objects that exist. And if it does, it shows what is already in place and if we need to add something here and there. It's basically research analysis.

We use it for pulling your own reports, and checking the existing rule database from different firewalls from different managers.

I think they can improve the speed, although our speed issues might not be related to Tufin. Sometimes it is slow generating the reports, but I guess it depends on your infrastructure, if you have a good enough server. If you have more servers, the better.

If your infrastructure is big, and you're pulling a lot of metrics from many devices, it can be slow. But, if you add more servers, like a database service that reports are being pulled from, that speeds up the report generation a lot.

I know Tufin is great tool and can offer a lot more. I'm sure other groups or other people use it for what my group needs.

We are big, but I don't really know about scalability issues. I don't work on Tufin. I just utilize it. We just added a few more servers. In the last few weeks, the reports were coming pretty fast from busy firewalls.

I didn’t really use customer support. It's pretty self-explanatory when it comes to running reports and pulling metrics.

I was not part of the decision to use it.

We have not thought of using any other solutions. We have had Tufin since I joined the company.

It would be beneficial to get some kind of training from someone who knows the product, maybe from Tufin or someone else familiar with the product and the features. I know it can offer a lot, and you want to use its full potential.

1. It's easily deployable.
2. It provides change and reporting on changes 
3. One of the features helps you clean up firewall rules, and maintain a good, clean rule set.

From an organizational standpoint, it can help improve for one by streamlining the change process, assisting and streamlining the change process for firewalls, routers and switching ACLs.

Also, it can help with compliance from an organizational standpoint, maintaining a certain level of compliance. Also, reporting - it provides reporting to auditors for the organizational level that need to provide evidence and for other auditors outside the organisation.

They could improve their support. 

They've already known about their support being kind of shaky. They can make the product more MSP ready, managed service provider ready. They can do that.

Outside of that, I can't really think of anything right now, but making it MSP ready and providing better support, I think they can definitely improve upon.

5 years.

I am impressed with the deployability. The set-up is really straight forward. I mean, I had one of my guys who has never really touched a computer before set one up.

I believe it is stable, well not every time, but 99.9% of the time.

It scales okay. They can add some scalability to it, yes, they can definitely add scalability to it.

Their pricing is too expensive, and I think they're one of the best products on the market but I think they can't get enough market share because of the pricing (the licensing). It's too expensive. They changed licensing models a couple of times I think, but I think they need to be more cognizant of the middle market, as far as licensing. 

My advice would be to do your research first on the product. Make sure it's going to cover everything you need, which it does. They have several uses for Tufin, several models as far as function like Securetracks, Securechange and the Secureapp, so you've got to do your research and someone may need all of the orchestration, the full Orchestration Suite.

I would ask you to just research it, make sure you get what you need because quite often people go to buy Tufin and they go to buy the Securetrack just the Securetrack firewall changes, that they end up getting a quote for Securechange, Secureapp, and not even know it, and they say "Oh, that's too expensive," but that's not really what they wanted, they just want the Securetracks.

I would also have them get a competitor, a demo ware competitor and compare it to Tufin just so they can see how well Tufin out-performs their competitor.

In regards to my rating of 8, if they did mark the price down, change the licensing model to include more middle market, so they can reach the middle market and get more market share, and also provided their partners, and this is going to be a big one for them, provide their partners with two-way licensing so their partners can use the product for free.

If I am partnering up with Tufin, and I've got to keep downloading demos to use it and I have to advise potential users about the Tufin product, it's just not going to work. They should give me the product for free, especially if I have sold a few deals for them, they should give me the product for free with a couple hundred licenses that I can use anywhere I want to. This should be done every year, so long as I'm a partner.

That would help increase their visibility, their market share, and bring them up from an eight to maybe a nine or so.

We primarily use this solution for integration, and we deploy the solution on-premises and on cloud.

They have very good responses regarding integration and internalization with open tickets.

The solution does not have automation with other Firewalls and it should be included.

We have been using this solution for approximately five years.

The solution is scalable. Currently, approximately 60% of our organization uses it.

We have had a good experience with customer service and support.

We have used AlgoSec.

Licensing costs are charged every year.

I rate this solution a six out of ten. The solution is good but can be improved by including additional automation in the next release.