Tufin Orchestration Suite Reviews

The biggest thing that we have been using is the automated reporting. I work on a very specific portion of our network enclaving strategy. For the initial ones we’re working on, I get a big report every Monday that has a full listing of volumes and changes on all the rules. It means I don't have to log into the firewall to see how we're doing as far as progress and what we're doing.

We also use the on-demand stuff every time they make a change, I get a report of the change that's happening. We don't necessarily do the operational side but we have a sort of governance and policy oversight, and consulting oversight. We can determine whether this is the right thing to do for what they're doing. I don’t even have to log in and I don't have to go look for the information. I don’t have to go in to the Check Point console, log in, and do a lot of stuff. I get these reports in my email and I can analyze them and look at them when I want to. That's very helpful for me.
We also use it in the field for the people that have oversight over their zones. They get a change report and a risk analysis report out of Tufin. They don't have to log in every time something happens. It gets pushed to their email. To me that's a big value.

The other thing that brings a lot of value is the ability to get visibility without giving someone admin rights in the Check Point consoles. We are able to specify for these roles. While we're doing policy and strategy in consulting, we don't need admin rights to be able to make changes. That's a big help also. We can get to the info without having to log into the consoles and get those type of permissions that we really don't need in our role.

We've used some of the rules recommendation modules. You can give it a certain data feed and it will recommend a rule set to accommodate that. That's the other tool that has been helpful for us. Our biggest problem is that we have a very complex environment. It can get a little crazy when we throw it at the rule engine. 

I haven't seen where they've gotten recently with the whole zone policy matrix that they showed us a year or so ago, but to me that's going to be one of the big things, it's going to drive us.

There was a feature they were working on that will allow you to go in and set up your zones, and you do a to-and-from policy for each zone. It uses that when it evaluates the rules that you try to put in to determine whether it complies with the zone policy. We need to be able to build out a business decision model with the zone policy that lives on without someone having to look at it every time. I think that's going to be one of the better things for us. So that we can see the zone policy management and we can be assured that policy is being enforced. If they get outside of that, we get notified. We know that nothing can happen unless we get notified. Even if they declare emergency, which sometimes you have to do, that we will get notified. Nothing can happen without us getting notified. To me, that's going to be one of the big things to try and keep the whole environment in the level of security posture that we want to try to get done.

The biggest thing for a very, very complex environment like ours is to keep everything in line with what we're trying to do.

I’m rating the product an 8 mainly because I want it to get into the zone area and those kinds of things. I think it's a great product, but there's a couple of spaces that would be very helpful if they could improve on. It is a good product. Don't think 8 is really bad. It's really good.

Learn it and dig into it, because it's got some great capabilities. For me, it's been great.

We can identify rules that are not used. We can identify rules that are open.

When importing the devices, they made it nice where you can script it and import all the devices into Tufin. That was a nice little feature.

I like the SecureApp feature. That looks like it's pretty handy. The compliance portion of it, where you build your security database. It runs against that security database and figures out whether the correct ports are opened up or if there are vulnerabilities.

I know that in importing some devices, I think routers and switches showed up the same. Router would be layer 3 but they would only show up in Tufin as a layer 2 device. On the Cisco portion of it, there wasn't separation between that.

At this point, there aren’t any other configurations I’d like to see.

I’m using SecureTrack basically to evaluate rule bases.

I have not really found any other side benefits. I don't really use it that much and it's relatively new. I don’t use any of the recording features.

I wouldn't say we had stability issues.

We have, I think, over a thousand devices right now, and we haven’t had any scalability issues.

I’ve never used technical support.

I was part of the initial setup. I imported devices but that's about it. It was pretty easy. You can put it in an Excel spreadsheet and import it that way or as a CSV file.

It's a pretty useful tool if you have a large environment with a lot of devices and you're trying to make it easier for the technicians to basically pawn the work off and make the application team more accountable.

With the limited knowledge I have of it and the limited use, I would probably give them an 8. I never give anyone 10's or 9's.

• The comparison of what changed.
• I also like being able to use the historical data - did this access exist on this date a week ago, two weeks ago, etc. Because I'll have a customer who's like, "Hey, our traffic isn't working anymore. It used to work, and now it doesn't. Why not?" I would go, and I'd check the policies, see what existed, if it did exist, and then I know that somebody removed it, and I can find out who. It's a great tool.

We're currently using SecureTrack. We've deployed SecureChange, it's currently essentially at this point in a deaf status. But from SecureTrack, one of the most useful tools that I've had as well is the usage reports. Whether it's zero usage or if it's the higher use rules. Let's say I've got a rule at rule number four thousand that's just getting pegged like crazy. It's the number one hit rule. We're wondering why our firewall CPU is going crazy? It's spiking. So we go over to the report, see what rules are getting hit, and we see the bottom of our rule base is getting slammed. Now we know we need to move those rules up and optimize our policy.

We're in talks with sales about them writing code to integrate with some of our different tools, so that's nice. I can't really think of any features that either don't exist or we haven't already requested.

We've asked for integration with the tool that does our baseline, that tells what traffic is and isn't allowed with our change control system. We've got the core routing and everything imported, so that was nice. A couple integrations there.

When we initially had it, it was on a single box, so it was pretty slow. A lot of people had access and they ran reports after reports after reports, and it got stepped on a lot. Once we upgraded, we got HA Pair, and then we've got distributed log folders now, and it runs super smooth. Maybe three years ago I experienced some bugs where it would kick me out of policy query. I would be building a query, and it would just kick me out, or it didn't save the changes, or it just forgot that I was doing something, but I haven't had that happen in maybe two and a half years.

Well, we did, and then we upgraded the hardware. Not a big deal at that point.

Upgrading the hardware resolved the issues because the amount of logs that we generate is pretty insane. Having that one little box handle the entire enterprise full of logs was not very efficient.

I wasn't involved in the initial setup. I've been involved in the upgrades for the recent versions.

I was a secondary contact, so I was only helping, but it was extremely easy. I watched what he did, and it was a piece of cake. He's our Tufin guru on site, so we let him handle the majority of the implementation.

Most important decision criteria: ease of use and the robustness of the tool. We checked FireMon, for instance, and they didn't have anywhere near the features we were looking at, and it was nowhere near as user friendly.

Play with the tools. See what kind of reasons you think you'd need to use it. Why are you looking for this tool to begin with? See how easy it is to pick up for your team. They may not be familiar with a tool; let them play with it for a few minutes and see. Give them a task. How easy was it to get that task done?

There are a few things. One is that from the portal people are able to request access. It is going to be able to stage the policy, add the rules or objects or whatever is needed for us so that all we need to do is push the policy at the time. It almost doesn't need a human being to be involved in the rule staging of provision process.

We've been using Check Point for 10+ years and some of the rules were converted from other systems, mainly from Cisco devices. The conversion process or the migration process is not the cleanest. We end up with rules that we call over-saddling. Rules which are really not needed.

We're talking about a ton of rules. We have policies that have 3,000 rules. It's able to give us reports that tell us these 10 rules or 100 rules in our policies are not needed. Either we need to fix the rule which was a bad rule or we do not need another rule.

One thing it's not currently able to do is remove rules. For instance, one of the biggest things is that we have a server what we call decommissioned. That means they no longer need it. Either the application is end of life or they bought a new server and they took on new IPs. But we still have rules that allow the IP, so there's a hole there. Right now you cannot say, "Hey, Tufin, this IP is obsolete. Please remove all the rules that allows this IP."

Another good thing is that Tufin has a good portal. 

We were using Skybox. Tufin has that fun end to the user which Skybox doesn't.

I would recommend it.

With a tool like this, spend a few dollars to bring in their professional services to help out. Tufin is not going to be for a really small company. One of the important things is that you need to get your network team on-board.

We purchased Tufin for the rule based analysis, so that when we did a Check Point migration from the earlier versions everything was OK. We now have rule based analysis, and we can move in, see unused rules, and try to optimize the rule base.

Tufin enabled us to clean out the rule base pre-migration. There's no point in migrating old and unused rules and objects to a new solution, so we were trying to be a bit proactive. That's why we purchased this solution and we had someone from Interel come over and help us configure it.

SecureChange has been a bit of a challenge. It's been a long time coming, and I guess improvement is also needed in their relationship with the customer to get the initial functions of it working. It's more making the move towards SecureChange which possibly isn't down to them, it's probably down to our relationship with our reseller and nailing each other down. Maybe it's a non-issue. For what we use it for, it's been great.

We've used it for between four and six years.

After a while, we found that we'd not really given it enough TLC for a couple of years. Therefore, we ended up in the situation where we had to get the guys from Interel to fine tune the appliance memory wise because it was little old. By the time we started using it to its full extent, you end up being able to fine tune it and eventually realize even that wasn't going to cut it and we ended up having to virtualize and it seems to be OK now.

We didn't have as much advanced management at that time. Over time, we've merged with other areas of our business and inherited many more advances, bobbles, with that, I think that's where we came across the problem that we wanted so many things active and realized that we did actually need to upscale the deployment.

We originally purchased it mainly for Check Point and then ended up purchasing Cisco ASA and Palo Alto licenses, so we ended up with more stuff than we originally purchased it for. Hence the need to upgrade for VMware and memory.

It has been good. When we've had an issue they've been very good. We were on the phone and I remember a conference with the support guys and they really went out of their way to help us out.

It was fairly easy to deploy. We originally purchased the 500 series appliance, which was mid-range appliance and then we ended up eventually virtualizing that appliance and moving it to VMware, which is what we've now got. I don't remember ever having any major issues.

We did look at another solution, but don't ask me what it was called, I don't even remember. We did look at it at the same time, but it couldn't really do half of the things that Tufin did. I can't remember back that far, but I remember we looked at it and it was all really clunky. It didn't feel right, it didn't do half of the stuff that it was meant to be able to do and it was very slow as well. We pretty much put it out straight away.

It's done a good job. We've not fully utilized all of its features, we've hardly scratched the surface really, it's a powerful bit of tech and we've pretty much used it for a specific purpose that we purchased it for and realized it can be used a lot more, having said that we ended up purchasing second shares as well. We are now in the process of testing SecureChange because that was something that was really pushed through quite recently.

For us it works, it's a great solution, but that's not to say that there isn't a better one out there. Anyone that looks and researches, they probably look at different supplies of the same solution and make up their own minds really. It is the best tool for the job and technology moves on so, who knows.

It’s the fact that before Tufin it wasn’t possible to manage firewall changes. We used emails.

Different departments can actually intervene at the same time on the same workflow and actually accelerate the job. Previously, we didn’t have that, so that’s a big thing.

• Previously, we couldn’t figure out a way to make our processes more efficient. With Tufin our goal is to automate this process. We haven’t achieved it yet but at least we have a vision.
• The fact that tickets can be dispatched automatically and analyzed prior to them being validated by the security teams.

We have some regressions from one burden to another. It was hard, so that’s definitely something we’re not happy with.

We have a PS module that we have been developing since we started working with Tufin. It was around two years ago and still isn’t finalized.

One of the things that I would like to see improved is the stability of the solution.

They do everything they can to reply as fast as they can but sometimes when problems are too complex, and they have to involve R&D, it can take quite a while to solve.

It was already deployed when I started working here, and it was a change for me, but it was straightforward. Most of the guided stuff was internal to the company. The architecture is not good but that’s got to do with the architecture on our side.

We also looked at AlgoSec, and it looks interesting especially the workflow parts which are more detailed.

We use SecureTrack and SecureChange to manage all of our firewalls. 

We use the latest version.

The biggest benefit for us was the time frame to complete a ticket. It went from approximately a week and a half to two weeks down to about three days.

We use it to clean up our firewall policies, which gives us better security policy and less junk on the firewalls.

Risk analysis is automatically in our policy.

The most valuable feature is automation.

The visibility of the policies are very good. It sees different things. The recordings are very good.

We use a lot of workflows and have a lot of custom things developed by Professional Services. It is very customizable.

We would like better communication on tickets, a better way to do metrics, and better communication to the customer. The biggest change that my team would like right now is communication on the process of the ticket, so the customer knows where their ticket is while their waiting.

At least in our environment, the dynamic learning of the topology needs improvement.

If you would have asked me two weeks ago, I would have said the stability was excellent. However, we had some upgrade problems. They were worked out and the support was excellent in helping us get it fixed. In general, the stability is very good.

We have a very big environment. The scalability works well.

Pretty good. They know when to escalate. We never put in easy tickets, They know to escalate quickly if they have to. We have our own technical account manager too.

We invested in SecureChange to do automated workloads. When we deployed SecureChange, part of it was to automate our workloads to have more time to do more things, like making the ticketing process shorter.

Firewall rule changes went from a week and a half to around three and a half days.

We have not recently evaluated any new solutions.

Tufin is not perfect, but it's really good.

Make sure you know your environment well. Tufin will help with knowing the firewall rules, but be well-documented before you start with your security policies.

The approval process is a lot more automated, but the implementation process didn't change.

We don't use Tufin in the cloud yet.

We don't have compliance mandates.

For us, it's more about managing the policies and having an overview of all the policies that are available, that we currently implement, and bringing them to a central console so that we can have an overview of what's going on. We deploy Tufin for one of our customers, it's not for ourselves.

The key, convincing element that made our customer go with Tufin is that they have the ability to centrally monitor and view all changes that have been made in the network, and they are able to revert any problems that they encounter, if somebody has made a problematic change.

The policy overview is valuable.

The key area for improvement is the integration to F5. One of the things that we encountered with another customer is that there were some limitations when we tried to migrate policies from F5 into Tufin. Half of the network is F5 and there were a couple of other firewalls and they're trying to centrally manage them. There were issues in terms of managing the policies for F5. It's not as seamless as it should be.

Documentation to help users integrate to an F5-type of environment would be great, so that users would understand and know the limitations, rather than having to go through a PoC and then realize that it's just not suitable for integrating F5 products.

So far, the stability has been reasonably good. We haven't encountered any major issues. Even when integrating to overseas central management systems, it has been quite seamless.

Scalability is something the customer will be exploring in the next phase.

I think that the major limitation is its ability to integrate into more products. With the common products, the older products, it integrates very well. But with the newer products, like I said, F5 for example, they do have some issues. I'm not too sure about other firewall products and other DDoS products that could be in the network.

For now, the customer is trying to integrate the product into the rest of the group. That's currently being studied by some of their overseas counterparts to see if it's suitable. The plan is that the customer intends to proliferate this across the entire network, but that step will take place over five years' time.

Technical support is excellent, I would give a big thumbs-up to the technical support team.

We didn't use a previous solution, this is our main solution.

The initial setup is reasonably straightforward and the support team is quite good. They're very helpful and they're very knowledgeable.

The deployment, overall, took about three months, in terms of studying the customer's environment and doing some consultation and a deep-dive with the Tufin consultancy team.

We are an integrator, so we have a fairly decent understanding of the product and it wasn't that difficult to deploy.

Pricing played a big part here. We didn't present AlgoSec or FireMon. We got good support from Tufin directly. We managed to position it with an effective price for the customer. The customer had evaluated other products but, due to price as well as support, they chose Tufin.

We evaluated Tufin together with FireMon and AlgoSec.

The first priority is to evaluate how expensive your firewall family is. If you have, for example, F5 then you would probably have similar problems to what we encountered with F5. But if you are deploying general firewalls, like Palo Alto and Cisco, that's fine. You have to evaluate how you are going to import existing policies and how you are going to monitor those policies when they transfer them across to be centrally managed and monitored by Tufin.

In terms of users of the solution, we set up for the customer a central admin who is the main administrator that controls the entire dashboard. In addition, there are viewers who only need to view and monitor the reports and the like. It's the IT firewall team that makes changes to the firewall and backend system. So there are three main groups of users.

We do the maintenance for the customer, so if there are any patches or any updates that are critical we work with the customer to identify a suitable time for us to do the system upgrade.

We manage our customers' IT infrastructures. We then bring in vendors according to what each customer requires. We are the system integrator, integrating to their backhand system. We provide consultancy and advice to the customer with regards to the types of products that they should choose. Eventually, we support products once they have deployed them. A lot of customers don't have a big IT team locally to support the infrastructure, so we provide that level of support.

From an implementation and costing-strategy standpoint, I would give Tufin eight out of ten. It would be much better if they could improve the F5 support and also enhance the documentation in terms of integrating firewall products.