Tufin Review

Workflow makes approvals easier but there are limitations to the object types we can create


What is our primary use case?

With SecureChange we use the workflow, and we use Tufin USP to see if there are any rule violations.

How has it helped my organization?

It saves space in our Check Point database. We are able to manage the Check Point firewalls and our Fortinet firewalls through Tufin. It provides us with good correlation.

The approval process is a lot easier through the workflow. Also, the firewall cleanup is a lot easier with Tufin. 

The USP violations process is not easier for us, the technical firewall operators, but it makes things much easier for the management team, including the CSO. Once we build the USP and they approve it, they can then blindly approve based on the USP results. But it is not that convenient for us.

It has helped us meet compliance mandates. We configure the USP based on the company's standard policy and guidelines. If something violates the USP we will know, and then we can make a decision to approve or reject. It is helping in complying with the company's policies.

What is most valuable?

So far, Tufin workflow is very valuable for us. Before, we would send an email or a notification to get approval from the manager or the CSO. Now, with Tufin workflow, it is very easy to get approvals from the manager, the CSO, or from the VSO. It's a very easy process. It is easier to manage. It is easier to implement firewall policies through Tufin.

We are also able to use Tufin to clean up our firewall policies. We build reports, based on six months of data, to see which rules are not needed. Based on that report we do firewall cleanup. But now that we have SecureChange and the workflow, we should go with the workflow to clean the firewall rules. 

There are a lot of benefits to using the reporting. It gives us duplicate objects, duplicate services, shadow firewall rules, and the firewall rules not needed for a given number of days or months.

What needs improvement?

Regarding the change workflow process being flexible and customizable, it is to a degree, about 70 percent. There are pros and cons to the workflow. You cannot customize it fully and there are some limitations. You cannot create a pure object, a firewall, IP, or service (single layer) object. You can only create a firewall object group. That is one of the challenges. 

The other challenge is with the schedule window. Tufin added the Check Point CMA and when you schedule to push the firewall policies, it pushes all the firewalls on the CMA. That is a major drawback of the schedule window.

Tufin has increased the time it takes us to make changes. It is easier to clear the firewall policy on the Check Point or the Fortigate Manage Server. We are doing an extra job on Tufin so it takes time.

Tufin is a security product. It should not only manage the firewalls, but it should work independently. It should not rely on different products. For now, Tufin relies on and works with different vendors and products. It should work independently.

What do I think about the stability of the solution?

Tufin is very stable. There have been no major outages. 

Sometimes there is an SSL correction between Tufin and the management server. Sometimes it gets broken but I don't know why. Apart from that, it is very stable.

What do I think about the scalability of the solution?

We can add as many firewalls as we need. It's just a matter of purchasing the licenses. It has good scalability.

How are customer service and technical support?

Tech support is very bad. I would give a zero rating to tech support. Compared to Check Point and Fortinet, Tufin tech support is worse. Even the Professional Services team doesn't like to respond to email. It is poor.

My team doesn't have a good relationship with Tufin. The Professional Services and even our Tufin account manager are not friendly. They're not helpful to us. But the Tufin product is fine.

How was the initial setup?

The initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

I believe our cost is more than $100,000 per year.

Which other solutions did I evaluate?

There is so much competition in the market. Every vendor claims its product is number-one in the market. But so far Tufin - it partners with Check Point - is fine.

We didn't evaluate any competitors or consider other products.

What other advice do I have?

Tufin is not mandatory to manage firewalls or to manage any products. But it supplements. It will help you to get approvals and to push firewall policies. In the long run, when you have to manage hundreds of firewalls, obviously Tufin will help.

We are working on the USP, but so far we only rely on Tufin between about ten and 20 percent to see USP violations.

Disclosure: I am a real user, and this review is based on my own experience and opinions.