Tufin Review

Firewall automation saves us hours of time, but the platform stability needs work


What is our primary use case?

We are doing firewall automation through Tufin.

How has it helped my organization?

In terms of the change impact analysis capabilities of this solution, we get a lot of CNR queues and it has saved a lot of time when making changes. And the analysis tells us that we have made a particular change and it sends out a lot of alerts. We can analyze them and do some auditing stuff as well with Tufin.

We have a lot of teams that do stuff in Tufin, management teams, auditing staff, and a team for implementation. So the time it saves us across that whole scenario is hard to pin down, but it has saved us a lot of hours in implementing the CNR queues, approximately 20 to 30 hours a week. That a big time savings.

The solution will automatically check if a change request will violate any security policy rules. We have an auditing staff using this feature within Tufin. If we have an open rule, it will send us an alert and we can see why this alert has been sent and take action on it.

Tufin helps us ensure that security policy is followed across our entire hybrid network. We can set up rules and policies for this and we can do a lot of auditing as a result.

What is most valuable?

The topology and the config backup that we see for devices are key features we get from Tufin.

The change workflow process is flexible and customizable. We went through a lot of difficulties while doing stuff, and it now provides a lot of flexibility while making changes. We can go back and implement the changes again and that is one of the things that is very flexible. If we have a firewall completed and we want to redo it, if we need to re-engineer a particular firewall and open a different destination, we can do that by creating a break-fix. A break-fix is one of the things that we can use to redo things on Tufin, itself. That is one of its useful tools.

Auditing is another good tool within Tufin. The automation stuff and searching of reports are good for auditing as well.

What needs improvement?

I have gone over compliance issues in Tufin, but compliance is one of the things which might not be that clear in Tufin. It just shows the configuration. That is one of the things they have to work on. It is one of the constraints, in my opinion.

The topology is good but they could work on it and get something better out of it.

If we talk about the complexity of getting more nodes over Tufin, Tomcat or web services become flat. This is one of the constraints that I have seen. The web services are not that stable. This has to be checked and taken care of.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

If you have a normal load in Tufin it works perfectly fine. But they need to work on the stability because if a certain amount of load is put in Tufin it just breaks downs, from what I've seen lately. That has to be taken care of. The parameters for the platform also matter in that situation, but if they can work on the stability, that would be great.

What do I think about the scalability of the solution?

The scalability is fine but when it comes to web services, in my experience, Tomcat has always gone down; after a certain amount of load it breaks down and we have to get things restored again. The scalability is perfectly fine but, performance-wise, they have to work on the platform or the base of Tufin to make it more robust. In a bad situation, if a lot of guys are logging in, it breaks down.

How are customer service and technical support?

Although I am in India, we have U.S. support. I haven't had any interactions directly with tech support, but one of my counterparts in the U.S. talks to them and sorts things out for us. I haven't had any discussions with them where I can analyze their work.

It was challenging at the time because we wanted to implement a lot of things which Tufin doesn't have as default. There was a lot of customization required and it took a lot of time - one or two months - to sort that out.

If you previously used a different solution, which one did you use and why did you switch?

We did not have a previous solution. We were moving towards automation and we wanted something that would save time in doing firewall queues and creating firewall rules. We were looking for a good tool and Tufin was one of them. It is a multipurpose tool that gives us topologies, and auditing and alerting.

How was the initial setup?

I don't think we had any issues installing it. That was not a problem. It is not that difficult but it is not easy either. The setup was normal and I wouldn't complain about it.

Our deployment took about ten to 15 days to get things onboarded. There were many other guys who were also involved in it and I don't remember entirely, but I think that's how long it took to onboard things.

The number of people involved in the deployment depends on the infrastructure and what kind of services you are looking for. If you're looking at server management, that would require one or two guys. If you're looking at onboarding of devices, you would need another one or two guys. For the auditing stuff, again, another one or two guys could do it. So for each of these areas, one or a maximum of two guys could handle it. Once you are done with onboarding, managing it takes two guys.

Regarding our implementation strategy, our primary motive was to get firewall automation in place. With that in mind, we worked to bring in all the devices and all the firewalls. Then we started talking about getting the different packages over to it and working to get the firewall automation done. There were a lot of things we had to do - it took months - when we had to bring in new patches or requests.

What about the implementation team?

It was Tufin only and one or two guys within our team. There was no third-party involved.

What was our ROI?

Firewall automation was one of the biggest concerns we had, and we have largely sorted that out with this tool. If we are saving hours, then we are saving money.

What's my experience with pricing, setup cost, and licensing?

I was involved with the pricing at the start. But then management took over that issue. In terms of affordability, this company is using it, so it seems they are fine with it. We just provide management with our requirements and it's their concern and responsibility to bring us what we need. Since we still have this solution, I think they are fine with it. But it's a management call.

What other advice do I have?

My advice would depend on what kind of implementation and what kind of environment you have. If you are looking for automation and auditing you should think about this solution. Talk to the technical guys at Tufin about how your environment works and can ask them about what they can do. If you are looking for automation you should look at Tufin.

Regarding Tufin's cloud-native security features, I am only familiar with their on-prem stuff. I haven't seen any of the cloud features on Tufin yet. I would really like to know what it will bring us at the end of the day.

We have three or four teams using it on different platforms and for different use cases, like auditing and alerting. On my team there are 25 guys using it. I don't have any idea how many guys on other teams are using it. Our security area is managing and maintaining it.

As engineers, we are certainly using it daily. I just made a scheduled change today through Tufin. We are certainly using it but I can't say what our plans are for it in the future.

I would rate Tufin at seven out of ten. The things that come to mind with this rating are the implementation of firewalls, the alerting and security. We can set out the security rules. I deducted three points because of the platform. I don't think that it has a stable platform. If there are 20 people and 22 need it, it will not be able to support us in that scenario. So that is a weak point. Stability and robustness are the things I'm looking for.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Schedule Now

Sign up for a free demo

Add a Comment
Guest

Sign Up with Email