Tufin Review

SecureChange automates everything from the validation to the pushing of rules

What is our primary use case?

We are using Tufin to generate reports on unused rules and for compliance reporting.

How has it helped my organization?

In our environment we have two data centers which have the same IP address for service in both. This means that in data center A, server X's IP address is the same as server X's IP address in data center B, but it's sitting in a different firewall. So we are exploring SecureChange to automate the pushing of rules in both gateways at the same time. That way we will be able to track to which firewall, in which data center, we have pushed rules.

It helps us to meet our compliance mandates because we are able to define whatever compliance we are subject to. We are a financial institution so we have to comply with PCI DSS, we have to comply with certain financial rules and regulations. We are able to do that with Tufin.

It also helps ensure that security policies are followed across our entire hybrid network. So far there have been no complaints from the auditor who is checking our firewall rules. The only exception is that, because we have so many requests in a day, some of them are not used yet by the requester. What our auditor sees is only the unused part. But we are 80 to 90 percent compliant.

Finally, I expect it will help our engineers to spend less time on manual processes, that it will cut half of the time spent looking at all the rules and validation. Currently, 70 percent of my engineers' load is looking at rule validation and requests that are not being made correctly.

What is most valuable?

We are still using only one-third of the functions that Tufin has, but SecureTrack is among the most valuable.

The most valuable function is the SecureChange where it is able to automate everything from the validation of the rules to the pushing of the rules. We are mainly using Checkpoint and Tufin together.

In addition, it's helpful that we can generate accurate and detailed rule-usage reports. That enables quick clean up.

In terms of visibility, Tufin does show all the schedules based on the usage.

Another feature I like in Tufin is that we are able to track the flow of the source and destination, passing through which level of device and which firewall. It makes our operation, our daily tasks, much easier than doing it manually for each and every request.

What needs improvement?

There is room for improvement in the speed of Tufin. It is using so many of my VM resources and yet it is still a bit slow. They need to improve how they do their database indexing. That is the main fault of Tufin right now for us. It's slow. Even though we are allocating 64 gigs of RAM, we still have to wait for a few minutes for a single report to be generated. Otherwise, it would be a perfect tool.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

The stability is great. It has never gone down. The only problem is the slowness.

The stability is dependent on the devices. The part where we are having a problem now is the result of migrating to RAT which is using APIs which keep going down when our MDS has a heavy load.

What do I think about the scalability of the solution?

In terms of scalability, the only issue is the licensing part. You have to have the correct license to go to a larger installment.

If you previously used a different solution, which one did you use and why did you switch?

This solution is the first of its kind in our bank.

How was the initial setup?

The initial setup was straightforward. I was able to deploy Tufin in a few minutes only. Integrating with devices - as we are using Checkpoint, API, Syslog - is simple.

For now, we have only installed one server, not distributed. Soon we will go for distributed, because we need to collect all the logs from all our overseas sources.

I was the only one involved in the deployment and am the only one who takes care of the maintenance and day-to-day configuration. Our firewall team will be using Tufin but they don't do the maintenance. At the moment there are about 15 users. Half of them are the firewall team and then there are a few auditors and a few people in the business unit who are monitoring the rules.

What was our ROI?

ROI is measured in engineers having time for their families and being able to have more time to do other things. It is not a specific figure, it is more a matter of how time is spent.

What's my experience with pricing, setup cost, and licensing?

The current licensing scheme is quite confusing but it is clearer than the old one. If you have one MDS you just buy the MDS license and the gateway license. That's most of it.

Before this, they broke it down into VS, virtual environment, physical environment, single boxes, cluster boxes. Now the licensing part is much more straightforward. If you have ten gateways you don't need to define one as a single and another as a cluster gateway.

Pricing is quite high. We did compare it with AlgoSec but the pricing is not much different between the two.

Which other solutions did I evaluate?

The decision was made before I joined the organization. I don't know if they looked at competitors or not. Currently, we are looking at AlgoSec, if it can replace Tufin or compete with Tufin in terms of features.

The main differences between the two are only in the pricing and the look and feel. They both do the same thing. Both will be able to achieve our organization's targets. But in terms of look and feel, our engineers are already used to what we have. And I do prefer Tufin.

What other advice do I have?

If you are looking at a large environment and a large number of policies, you really need Tufin to help you manage all the rules. We have 25 policies, and each policy has around 1,000 to 1,500 lines of rules. Managing that manually would not be easy.

We haven't started using the change impact analysis capabilities of this solution yet. We are still testing it. We are not that familiar with the process yet.

Because our team is doing cleanup every three months, we need to keep generating a report every day to have correct visibility: which rules are unused and which rules need to be removed to be optimized. We are using it quite intensively. I don't know how we can increase usage until we deploy and start using SecureChange. At that point it will be more intensive because after SecureChange everything will be automated and they will start only using and looking at the secure Tufin interface, in terms of rolling out all the requests.

We haven't seen a reduction in the time it takes to make changes yet, because we are still tweaking the SecureChange part. We will be testing it in a few months' time. We need to see integration with our ticketing system because people are making requests over HPSM and Tufin needs to be able to grab them first, before we can start to roll out SecureChange.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
See it in Action

Schedule Your Tufin Demo Now

Add a Comment
Sign Up with Email