The primary use cases are firewall support and generating rules.
The primary use cases are firewall support and generating rules.
It is definitely a time saver. We can process more rules on a daily basis. It allows the customers to request their own rules. Sometimes, they need a little help, but they can submit it. As long as it passes the risk analysis, because it has to get through our NSA group. We just apply and push it that night.
We use Tufin to clean up our firewall policies. It benefits us, because you can run a query for whatever your cleanup criteria is, e.g., "Has it been hit in 90 days?" It displays the list, then you can see the rules right there. If you want to get rid of it (or highlight it), then it creates a ticket that goes ahead and flags them all as disabled. While you can delete them, we always disable first. Then, we have a strip that comes back, and if it's been disabled for 90 days, then the system will remove them.
The change workflow process is flexible and customizable. When we first got it, Tufin created a workflow based on our requirements. Since then we have modified and tweaked it. We added in Palo Alto, and we just keep adding steps. We can also add scripts. We have multiple scripts for a workflow, which makes it very flexible. You write the script and plug it into the workflow, then it's working.
We use the Unified Security Policy to automatically check if a change request will violate any security policy rules.
This solution has helped us ensure that our security policy is followed across our entire hybrid network. It is the same Unified Security Policy editing each request. It is the same set of rules. If it's good enough for Check Point, then it will be good enough for Palo Alto, and it's all zone based.
The rule provisioning is the most valuable feature. We had a ticketing system, like Remedy, which had a homegrown product. It would take your source destination port and do a bit of analysis, then give us a ticket with the spreadsheet. Then, we had to take the information from the spreadsheet and enter it into the firewall. Now, with Tufin, it identifies which firewalls, generates the rules, and you just apply them. It is a big time saver.
When it comes to searching our firewalls for things, I prefer the Policy Browser as opposed to going to the GUI. It seems just easier to search. I can start off with our Provider-1 for Check Point, search there, and get the information. Then, I can change the little drop down to say, "Okay, now go search Palo Alto." I don't have to change my search criteria, the platform pulls it right up.
We like what we have seen out of SecureTrack 2.0 with its improved search capabilities, where you can do greater than, less than, not equal, etc. Right now, if you're in there and you want to do a search, you have to write it in a specific way, since you can't use a not statement, less than, or greater than. Therefore, it will be a lot easier to maintain your USP because it has the new editor. It looks more like a spreadsheet online. I am just a little disappointed to hear because we are using SecureChange that we can't go to SecureTrack 2.0 yet. We have to wait for a couple of more versions.
On Palo Alto, we were told that you want to go with the panorama. Then, all the gateways are under it, so everything you create has to be as a shared object. When we first brought this to Tufin, Tufin said, "No, it's more secure to only have local objects." However, it sounds like Palo Alto has now convinced Tufin that shared objects is more the way to go. Otherwise, you have a lot of stuff filtering down to all the firewalls. Tufin gave us a script to plug into our workflow to make things shared, but I am expecting this will become more a part of our base product.
They have found some things, like our database is huge, which they finally realize. I guess they didn't really have in their plans to do much with shared objects on Palo Alto, but they are saying that this is what is really making our database swell. They are saying it's on their side and are putting in their fixes to fix it, which is good.
The topology needs improvement. If I click on the network tab, I can go get a cup of coffee, come back, and my topology is still not painted. Maybe, it's just because we have so many devices, but looking at the topology, it is too slow. The problem is that when I click on the network tab, I do not want to see the topology. I want to click on the "Next" button, so I can put in the source and destination, so I can see the path. However, I still have to sit there and wait for the topology to load, and it's frustrating. I'll click on topology and try to click that "Next" button in time to where I can get around it. But, typically, you have to wait for that topology to paint. When it paints it, it's just a bunch of black smudges because there is just so much there. It can't paint it to where you see something. I can always zoom out, or something like that, but it's really worthless.
It seems stable. We've had problems always with the same box, which is our SecureTrack primary. We are probably on our seventh one. The last one, Tufin took it to their site. They shook it out, tested it, and beat it up, then gave it back to us. Since we were already on the standby box, we just had it up there running. It was in the HA cluster. As soon as somebody did some switch work, it failed over. Within a couple of hours of being on that box, it crapped out.
We have definitely added gear, so it is scalable. We've added two more distribution servers and probably seven or eight more collectors. It is definitely scalable.
We'll get somebody who is our main person, then all of a sudden they will be doing something else. One guy used to be our support person, and now, he is a TAM.
We are a tough account. With some of the issues that we have, the support team has told us, "You are the only ones who have ever had this." We are like, "Really? Why?"
They usually come up with a solution. It may take a little longer, but they do come up with a solution.
The previous solution was written in-house.
We had a product called Skybox and whoever wrote the app would query Skybox for compliance, etc. Then, it would generate a spreadsheet, and we had to work off the spreadsheets. They sort of knew that this wasn't very efficient.
The guy doing the initial setup made it look very easy, but it took us a little while to get up to speed on it.
We used Tufin for the deployment.
This solution has helped reduce the time it takes us to make changes. Previously, it was taking up to seven days. Now, unless there is an issue with the request, we usually have it done in a day.
We did PoCs. We looked at FireMon, AlgoSec, etc. Tufin came out on top, so we started implementing it, as it was the product that we chose.
With AlgoSec, you had to pay them for all of your workflows. So, if you wanted the workflows, you had to pay them. I don't know how quick that would be as a turnaround, because we would have had to do the whole, "Here's what I want." We didn't like that at all.
Tufin has been a good investment. Unfortunately. We've got some people in our organization who are in love with Skybox and think Skybox can do no wrong. They are trying very hard to replace Tufin with Skybox, even though Skybox hasn't even done any provisioning. I think they're just misguided. It's a product that they love, and maybe it is good at compliance, but as far as provisioning, I haven't seen it.
Give Tufin a good look. The Tufin team is always trying to stay on top of it. When Check Point came out with a R80.10, it wasn't very long before Tufin could generate rules or provision to R80.10, which was good. Now that R80.20s are out, they can provision to those. I think R80.30 is close, but I haven't heard them saying that they can provision to that yet. They can also provision to the latest versions of Palo Alto. Since those are the two that we have, I don't know about Fortinet or Juniper, but I'm sure they're trying to stay on top of those as well.
We're not really using the cloud parts of it yet.
Our engineers are spending less time on manual processes. However, it does depends on what you call engineers. Our firewall engineers don't do much with Tufin. We had a dedicated engineer, but he changed groups with the promise that he was still going to support Tufin. He wasn't over there very long and now no longer does anything with Tufin. We are pretty much on our own. We came up with our own solutions. We have some people who are good at writing scripts and are pretty self-sufficient.