Tufin Orchestration Suite Reviews

Our primary use case is firewall management and policy management.

It has very good visibility with all our devices. We can see how they interact with each other, and if we're doing the right things or not.

We find it to be flexible. If we have a change that needs to be done, it will go ahead and do it for all our devices, regardless of the manufacturer that we have associated with it.

We are still in the beginning phases of it, but we're hoping that it can change how all of our policies are determined and implemented.

The most valuable feature is the consolidation of firewall products.

The change impact analysis capabilities of this solution are pretty good. We like the product a lot.

I would like the following additional features:

• Easier integration with more automation.
• Ability to get better results from rule-based requests.
• Ability to do some policy browsing and find out where they're hitting, specifically.
• Ability to pull hit count reports more easily. 

It's pretty stable. I haven't had any issues with it.

The scalability is pretty good. All we have to do is just add another device and buy another license. It seems pretty straightforward.

I personally haven't worked with them, but I've heard good things about how responsive they are. They've always been able to find the answer that we needed.

We had no solution previously. So, we needed something that would help make our decisions on better securing our network.

The initial setup was straightforward. It was very easy to setup and integrate. We had no issues.

Most of the work was done by us. However, we worked closely with Tufin support, and we have good things to say about that.

We also evaluated FireMon. We did not go with them because the solution was not as easy to install or incorporate in our organization. To us, Tufin just seemed to be the better product.

It's very solid product. There are definitely a few things that I wish I could do with it, but I'm so new to the product that maybe I'm just not looking at the right spots.

Try it out. It's pretty cool. I was very impressed with the initial presentation and how it could automate everything. It's just that getting to the point where you want it to do what you need it to do is definitely time-consuming and a lot of work. However, I think it will be worth it in the end.

We are working to use this solution to automatically check if a change request will violate any security policy rules. We are not there yet.

We are still in the process of getting it developed. Some of the portions that I have used have helped me, as I can just go to one place and find out if a rule exists, or if there's any type of traffic.

We are using SecureChange to start orchestrating a lot of our changes. Our users can then request changes instead of having to go directly to us. We are trying to automate some of those pieces.

The visibility is very good. We have managers who are overseeing it, and they are approving things through it.

The whole process is flexible and customizable. We are building the matrix, then we're putting in exceptions. We have to add manual exceptions into it, and they have to come to us first before they can get it approved, which is good.

We use this solution to automatically check if a change request will violate any security policy rules. Similar to what we are doing with Azure, where they request a change, and if it violates policies, it gets kicked back. Then, we have to review it and figure out what they're doing. We can then move forward with it, if it's approved.

• The Orchestration
• The way that users can access it directly.
• The change impact analysis capabilities of this solution are good.

• The hardest piece is getting the matrix built.
• Room for improvement includes how we are pulling the routing cables and getting SNMP enabled.
• Tufin could provide a train for running its reports and showing people how to use them.

The solution is very stable. We've upgraded several times and not had any issues. For stability, it's perfect.

We're in the process of scaling it. We started off small, and now, we're enlarging it to cover more of the enterprise. The scalability is good.

I haven't used technical support. My colleague has, and they are very good. They work through solutions.

The initial setup was pretty straightforward. It communicating with the firewalls and management server were the big pieces.

Well when we first started, it was through a reseller. Then, as we're bringing in SecureChange, we have been doing it all that ourselves.

The reseller was Structured Communications, who is in Portland. It was part of a package deal that we built with them. Our experience with them was good. We used them a lot.

We don't have to go through our firewall group, who actually does the rules. They don't have to create tickets to send to us, then take a couple of days to get all that stuff built and put in place. Now, it is usually the same day, or within a day.

This solution helped us to reduce the time it takes to make changes. We used to spend up to an hour to do a change, and now, it's around five minutes.

Engineers are spending less time on manual processes. They are now spending half their time on manually processes, 20 to 30 minutes, because we don't have to go out and touch things anymore.

We're still in the process of implementing things, so we haven't really seen a lot of return yet, but we're hoping.

It is a good solution, somewhat easy to implement, and gives you a lot of information. It takes time to learn all the little nuances of it.

I don't think we're using cloud native security quite yet.

The way we've set up our policies are pretty unique in what they do, so there's not a lot of compare between them. But, historic is really important. We look at them and we say what is and what isn't important. We run through the compliance and the best practices. We're just starting to look at real usage and integration. That way, we would be able to say, "Okay, if this hasn't been used in a long time, maybe it's time to get rid of it." And we would be able to do our own cleanup because the tool will then tell us the value on long-term usage so we can take more advantage of it in real time.

We perform a lot of compares that show what was and what is now in our rule sets. In case there are issues or when somebody says, "Hey, this was working but now it doesn't," or, "Oh, I'm pretty sure that was in there and you must have removed it," we can validate those changes and go back in the history, say yes or no and do compares. There's a lot of new features that we're hoping to utilize, learn more about, and take advantage of. It's a timing thing and it's also education. We've been a Tufin customer for a long time and really like the product. We need to grow as much as the product is growing. 

There's tons of stuff in the product. The issue is more about what I don't know about it than what I am using it for. They definitely have kept up with the product and kept it moving forward. It looks like a really great partnership with Check Point and a lot of vendors. We're a Check Point shop, so it works very well.

We’ve asked them how to shorten the length of the change reports for global rules. They're going to try to allow us to select whether the global rule is reporting, or they're going to tell us how to do it a different way. We just brought it to their attention, so we're going to bring it to engineering. We’d like the reporting to be something similar to the reporting that Check Point puts out. There's some functionality that is very simple. I'll call it human reporting, such as a shared secret for a VPN change. Tufin does a really great job providing technical reporting, but it is unreadable to the average person. You look at it and think, "Yeah, I don't know what that did." We're asking Tufin to look at it, go over it with us, and say, "Is there a better way?" Either we're doing it wrong or they can improve the product to make it a little more usable, or at least readable.

It's been a very strong, reliable product.

As long as we keep up with the revisions, it's been very scalable. We just did another upgrade because we considered it a little slow. We were running an old version. Once we upgraded, it's been rock-solid. It's always been there, it's always been good.

We've been with Tufin for a long time. They’ve been very responsive to us. There was some changeover, and we have a new sales team. They called up, we had a meeting, and then, boom, we said, “Okay, let's schedule our upgrades.” That happened within two weeks.

The sales team so far has been great. We mentioned to them we're not educated enough on the product, they've already started talking to us about how to fix that. They're very responsive to our needs. It's a time and place issue, like anything. Unfortunately, we have to make the time and effort just as much as they have. They want to know when we want it. So they've been great for us, we've been very pleased with Tufin as a company.

They've been great. We have a good relationship with them and the product does a lot of things that we want. When I get challenged or it doesn't do what I want, it very easily could be me. I may be using it in the wrong fashion. 

We learned how to use it by just going and figuring it out ourselves. The way I'm doing a lot of things might not be the way they were designed to be done. But, as far response times from the company and everything else like that, I've been really pleased.

We've had it for a very long time. We've just been upgrading it as long as I've been with the company. It was in place before I joined the company.

At the moment, we’re not thinking of switching to another vendor. I know there's a couple of other monitoring solutions, like FireMon, or a couple of other systems that people have looked at.

Try it. It's a great relationship, but it's also a great product to work with.

We use SecureTrack for tracking unused rules, tracking risky rules for compliance, and policy optimization, which I think is the best because you get duplicate objects and you get covered rules. I would say that trying to tune your policy and get rid of unused rules is the most valuable for us.

At the moment, we have not really found any other side benefits, but we will be implementing SecureChange which will then allow us to track changes. The topology feature will show us what devices in the pack need to be touched. Depending on the complexity of the routing and knowledge of the environment by the engineers, policies could be missed that need the rules. That particular aspect is going to help us a lot.

I’d like to see the application topology developed more. You have a database layer, a web-front end and other applications that, along with the policy rules, have a path that they need to take and they need to traverse several devices. That gives you almost like a network topology of the applications and I believe that you're going to be able to use that for compliance also. I can’t think of any other configurations I’d like to see right now. Nothing's perfect.

With change restrictions, we can't remediate things immediately, but Tufin gives us the information we need to then submit a change, to go ahead and clean up the policy.

We have not come across any stability issues. We support the platform, we support all of our platforms and that's the one that we've had to do the least amount of support for, but I can't speak for the other engineers.

I don't know how many devices we have in there but there hasn't been a problem. We have several business units with multiple devices across each business unit. I don't believe that I've come across a problem getting a large amount of devices in.

Tufin’s technical support engineers seemed to be knowledgeable and very helpful.

I helped import devices for a specific business unit I was supporting at the time. I found it to be very intuitive and not hard to use at all.

If you're in a large environment, a large enterprise, it's a good tool. It does certainly help with the workload. For the app team who are trying to develop the applications, it makes them more accountable for how it's supposed to work.

It allows us to use the compliance portion of it to do our compliance reports. It also allows us to do peer review on our changes when we do firewall pushes. Before we do our firewall pushes, we compare what changes we made during the staging process in the week. We go over them to make sure that nothing is going in that should not be going in. Also, we check each other's work to make sure nobody fat-fingered anything and gave somebody some crazy access to somewhere that shouldn't have been.

There should be a heck of a lot more benefits for us. The problem being we don't have the time or the training to do that. We just upgraded to 16.1. Now that we're on a supported version, we hope to get some training so that we can utilize the product a lot more than we currently are. It does exactly what we need it to do. I think with some tweaking and some more knowledge of the product, I think we'll get to where we need to be.

When we do our change reports, some of those reports come out at a thousand pages. We have to submit those to management. When they look at the report, they say, "Why is this report a thousand pages?" We found out that, when we do a global rule, it removes all the global rules and then re-adds all the global rules.

We're in a Provider-1 environment, we have four CMA's, we have 78 firewalls. That generates a huge report. Management looks at it and says, "This is useless. You should filter through x amount of pages to get to the meat."

From what we found out, they have an idea about how to fix it, but I don't think they really know what to fix.

We also have had challenges with the way it does certain functions. For example, the exceptions. I think a lot of it could be we're just not trained and don't have the knowledge of the system. And I think once we start getting in there and start using it more, that's when we’ll find little things that happen like the global policy injection and removal. Our biggest challenge now is we have new management. When we send them the reports, they're not really happy with the reporting structure of it.
Otherwise it does what we ask it to do. It's never been down, it's always reported everything that we needed to report. We never have challenges in that regards. But again, it's a lot of the reporting structure that is challenging for us right now.

We don't have a problem with it crashing at all. We've never had a problem with it crashing at all. It's always been functional.

I think it's been solid. It's always been there for us.

We have used support in the past. We use it mainly for compliance, for when we want something not to show up on a report.

They're constantly upgrading, they're constantly adding new things to it. That's a good sign. As the technology changes, they're on the forefront of it to get you those reports and use that technology in their new functionality. They just need to keep doing what they're doing.

Tufin provides insights through various reporting capabilities. It provides a level of insight into change that didn't exist before and gives us the ability to validate changes against business needs. It has also allowed us to automate certain functions. We are still very new at it, but we have been able to leverage some of the automation capabilities to begin to clean up our environment. We haven't gotten into the SecureApp module yet.

There are some report capabilities that we weren't aware of when we purchased the product. They're kind of in a hidden area. One of the reports is called the permissiveness report and it uses some type of algorithm to measure risk of rules, rule bases and firewalls. We're still exploring a lot of the reporting capabilities. There's a lot of depth to the product.

There are capabilities to measure risk and to report on non-compliance access and rules, and you want to clean that up naturally. Unfortunately, the automated cleanup only works for Cisco right now, and doesn't work for Check Point. We have been told that that's on the roadmap, hopefully for 2016, but automated rule cleanup and rule removal are probably the biggest deficiencies that we've encountered at this point.

In addition, the SecureTrack product is not as seamless as I would like it to be with SecureApp and SecureChange, but that's also on the roadmap to correct. If you are in Secure Track and you want to use SecureChange, you actually have to login to SecureChange.

We have only had the product for four or five months.

There have been no problems with stability.

We have about 22,000 rules and 120 devices that we're monitoring. We haven't had any scalability problems.

There's a little bit of a learning curve, particularly with the depth of the product, but it's not difficult.

I would rate it a nine out of ten, comparing it to other solutions in the market and the value that it’s provided to us already. I lowered the score because of the deficiencies I wrote about previously, but didn’t lower it that much because they are aware of it, they have addressed our questions, and they have it on the roadmap.

With the firewall policy management with Check Point, we found great value in the tracking, specifically given that we use rules and we use objects within those rules. It's very helpful to provide evidence of PCI (Payment Card Industry) compliance during our yearly PCI audits. PCI is a set of data security standards that's published by the card holders: VISA, MasterCard, Discover, and American Express.

We can provide evidence the nothing's getting into that environment that isn't already approved to go in.

We are in the process of automating our firewall rule management and requests, and we are looking into SecureChange and SecureApp. We're also trying to use it as a tool to collaborate with the application owners so that we can better manage documentation around data flows.

We're spinning up AWS for our development environment, so we're going to be leveraging the checkpoint instance at AWS. So we want to get visibility, monitor rules, and use the policy management just like we've done with our on-premise environment.

No issues at all.

Yes. Originally we had 360 rules, but because of the growth of our environment and our move, it's up to 1100 rules. There are no performance issues.

Great technical support. Tufin also has great sales and presales teams, and we’ve been able to leverage their engineering support as well. They have been very helpful.

We initially deployed the product to look at a couple of our gateways, and then we decided to upgrade and expand it to all of our gateways. So I was involved in that upgrade. We expanded our environment, expanded our gateways, and bought some additional licenses.

No. Even though we’ve expanded the use of it here, we've always used Tufin. I also used Tufin at a previous employer.

The most important criteria for me is hit count, how often the rules are being used and visibility. All of that is critical information to optimizing our policies.

I'm the manager of a team of six engineers. The feedback that I get from them – and they're very vocal – is that they love the product. It's great.

I'm a tough rater, and I probably wouldn’t give a 10 to anybody. But I would say Tufin is an 8. As far as software products go, it delivers.

I find that he most valuable feature is actually optimizing my real firewalls. It shows me any issues. I track the change and it will tell me when it is actually going to affect any other rules or any other applications. That is the biggest feature.

Then the reporting functionality that comes along with it - for one change, this change what, when, etc. This is the main function that I will always be using, as well as positioning of the rules on the rule base and to optimize the firewall for me. Those are the best features and that is what sold me initially.

The thing I like about it is that it's real time, that's the biggest benefit. It helps me with everything that I need to do. Every time we want to make a change we put it in the system and it tells us, OK all good, or it tells you, these, this and this you have to fix. Have a look at it, send it to the service, they have a look at it, mediate, put it through again, and if it is clean it will go.

It prevents human error. That is the biggest benefit for me as you can load in as much high availability as you wish. Human error is always the thing that is hardest to get rid of as well because now the change team don't question any rule base that we are putting in because of the checks Tufin does prior to the change, so we know the impact is not going to impact anybody else. What the biggest problem was whenever we would change a rule before there was always the question, what is the small thing doing. Now I can do production changes during production time. Due to this, we have a seen a positive impact for the company, and that is what they wanted.

Small reactive. It is sometimes stuck or kind of jumps, but no actually business impact, but from an IT perspective, whatever we want we are getting on the fly.

It's not actually user intensive, so it does not hamper our power in any way.

It is expensive. It cost me about a million, which is quite expensive for us, but the benefit is worth it.

I used to have FireMon, and we changed it  because of their features. The main feature that made us change was SecureChange, and like I said when you do changes now, assist with the change that you are going to make to see if there is impact to the other, so this is what gives us this feature, now you can assess and say, will it have a problem? That is why it helps with the changes.

I'd definitely say go with Tufin as it's a brilliant solution. What is brilliant is the firewalls themselves. I'd check out CheckPoint as well to make sure that the solution meets your needs and works with your plans. It doesn't matter what CheckPoint plans you use, Tufin works with them all.