Tufin Orchestration Suite Reviews

Policy analysis is the product’s most valuable feature. It can pull out various rules that we need to work on, edit, update, and so on. It can identify rules that need to be moved, or need to be optimized.

Tufin analyzes tens of thousands of rules for us. Not all one firewall, but there's thousands and thousands of rules that Tufin analyzes.

Reporting is great. The only issues that we ever run into are with usage reports. You can run into things where something will have been modified and it ends up changed or something like that. Other than that, reporting is great.

The capabilities Tufin has for Check Point products are excellent. It'd be nice to get the same level of features that it does for Check Point up to par with Cisco, Palo Alto, and so on. There's a couple of things that are lacking. For example, on the Palo Alto side, if you're using a lot of layer 7 rules, there's very little visibility into that. When you run policy analysis, you're still only getting back source IP, dest IP, ports. It's not showing the URLs, all that kind of stuff. That's the main thing.

The only other thing I could see being improved would be regarding one bug. Once in a while when you save a policy analysis query and you click save, it goes back to the screen where it lists them all. Someone else's will be there, and it's somehow swapped them with another engineer who was saving something at the same time. It doesn't happen often, but when it does, it's annoying. Especially if you've just entered a whole lot of info into it.

I’m rating it an 8 because of a couple of those little nagging features, the little bugs. But by and large, it does the job that we need it to do at the moment. We're going into the new world of SecureChange. We'll see how that goes, too.

In our previous configuration, it would take a beating. It would take days to get certain reports out of the system. We've just purchased a whole bunch of new hardware, and Tufin’s been a lot more stable. I'm getting reports again very fast.

Based on looking at some of the other products out there, Tufin is definitely the leader of the pack. It's a good choice. Make sure you buy enough hardware, and make sure you know how you're going to use it. A lot of the features get very processor- and database-intensive, and you should have the proper gear to use it.

The best feature is being able to query all our Check Point devices and certain other vendors like Fortinet as well. It can query and find unused rules and unused objects to clean things up for us.

I use reporting and assistance as a tool for cleanup. I would love to be able to get the newest version into our company and have it be used as a manager of not only Check Point but also the other vendors that we use. It looks like it's all there. - Fortinet, Palo Alto, some Cisco and other devices.

The fact that that we won't have to log into a Fortimaneger to manage Fortinet and then log into another to do Check Point, being able to log in straight to Tufin, build a rule and have it push it to the correct devices. That's huge and that's something that I really like about the new version.

We had some issues because of our unique configuration.

I can't say too much about scalability, simply because it was not scalable for our environment because we are using a splintered specialized version just for our company. The Tufin apliance just doesn't play well with that specialized version. But for the things that we do have that are general release, it's awesome. It takes a little bit of a fiddling around but again, we're on an older version. It works flawlessly.

Rating: because it's our unique older version, I'd give it a 6 or 7 but we only use it for reporting and cleanup. If we had the latest version, I'd easily give it an 8 or 9 because it can do so much more.

We use this solution for Firewall audit, compliance, and some automation.

Using Tufin makes it easy to visualize when investigating or auditing configs.

The most valuable feature is alerting, which lets me know when someone has made a change. When something stops working I can see what has been done and by whom.

This solution is easy to set up and use.

It is very easy to see what has changed when comparing two different revisions.

I would like to see visibility into the FW features like IPS/Content Filter policies, the same way it does for FW rules/policies.

The primary use case is tickets.

Tufin has made handling firewall rule request tickets more centralized and easier to manage.

We have previously use Tufin to clean up our firewall policies, but we are not doing that currently.

The workloads are the most valuable feature right now, as it stands.

We find that the change workflow process is flexible and customizable. We change our workflow several times a year.

The visibility is good for the most part, but there are limitations to it. E.g., there is a lack of certain routing/networking protocols across all the vendors that they support.

The solution is not sophisticated enough for us to automatically check if a change request will violate any security policy rules.

Tufin's cloud-native security features are lacking in support.

I would like the application to have faster response times. E.g., the dashboard may take up to two minutes to load. Or, when we do the topology seating its two and a half hours. I would like to get those times down and increase the efficiency of the product there.

I would like more support for Juniper and Junos Space. I would like more of the features which are offered for other platforms being extended to the Juniper platform.

The USP needs improvement. It is pretty much not usable right now for us. It is all IP-based. The issue with that is we may have one subnet, but we have multiple things that would go in different zones all in that same subnet. Therefore, to use the USP, we would have to bring it out in tons of /32s, and it's not usable. Whereas, it would be far better if we could just put tags associated with IPs, then do USP based on tags.

In the sense of operating, the stability is good, but in the sense of performance efficiency, it is bad.

The scalability is bad.

We did not have a previous solution that we were using. We were looking to work towards improving the whole requesting of firewall policies.

We used a reseller for the deployment. Our experience was not that great, which has more to do with how our supply chain works and why we picked them. However, I don't ever really talk to them or hear from them.

We have seen ROI from the side of operations, and we'll probably get to more of that as time goes on. However it took a while to get to that point.

The solution has helped us reduce the time it takes us to make changes by at least a day.

It did reduce the time part of engineers manually spending time on processes from the aspect of manually having to go through the network and finding the path that a request would take to know where to put the rules. We have had some issues with topology, so not all of our tickets get that advantage. Probably 40 percent of them are that way, so that's why right now it is not as big of a gain.

We did consider other solutions.

Do proper research. Look at Tufin and all of the other products.

The primary use case is for firewall auditing. We use it for audit monitoring, login changes, and firewall changes. We are looking at automation, but not yet.

The product is good at auditing the changes that we make in our environment.

We use this solution to automatically check if a change request will violate any security policy rules. For example, if the engineer is making a change that hasn't been authorized, we will know about it.

The product streamlines our change management process. It assists us in reporting on some of the compliance for our auditing department. It helps us in managing the process and having some auditing capabilities.

• The reporting is its most valuable feature.
• The change impact analysis capabilities of this solution are good. 
• It is able to detect our changes, email, and alert us.

There are features that we haven't used, and we need to understand them first.

Product seems to be stable. We haven't had any outages yet.

I personally haven't called into support yet, but some of my peers have. They seem to get their questions resolved.

We previously had FireMon, but FireMon kept giving us inaccurate information and not up-to-date information. Therefore, we thought we would try out Tufin, which has provided us with the information that we needed.

There were some hiccups here and there with the initial setup, but we used Tufin's support to assist us with that.

We deployed it in-house.

On the shortlist was AlgoSec, which was the only one that we actually tested.

Tufin and AlgoSec were pretty much in the competitive price range, but this one provided us better integration into the Check Point environment.

Seriously Tufin for your final decision.

From my perspective, I think that it’s hard to break it down to a single feature. The visibility it gives and the customizability it provides is invaluable and the change automation is the most powerful capability, at least for now. The application awareness component is a close second. As more organizations adopt this revolutionary way of visualizing enterprise connectivity, SecureApp will fundamentally change the way connectivity is provisioned and decommissioned.

The product suite itself brings together organizational units. So when you talk about operations, development, management and auditing, all of these organizations have their own interface and abilitie to understand what different parts of the company are doing.

I think Tufin is continuously moving towards broader support for other platforms. Including a significant focus on the cloud. This approach is critical to the model of normalizing policy management across the environment - regardless of platform.

We've used it for nearly eight years.

It's absolutely stable and this is why I always promote it. They have the finest set of coders and developers you can find.

The distributed architecture capabilities allows this solution to scale to anybody’s needs.

The support team is second to none. They have multiple offices in multiple countries. They're always available. I know the support teams and leaders personally and they are of great quality.

It’s very easy to get up and running. With anything that is so feature rich and customizable, the installations range from a couple of days to more complex with many days and script writing. It just depends.

Spend the time to evaluate all of the components of the Tufin suite. When you bundle different features together and you bundle components, you get a better price.

We often find customers that have purchased this product for a specific purpose and they limit its use to only that purpose. Do yourself a favor and really explore the entire product and maximize the features and functionality of what you have purchased.

Policy management.

A lot of policy is legacy. With SecureTrack, I can track the policy and find all the policies that we're not using. Basically, we create a process out of it and actually get rid of those legacy policies.

I don't have a real idea of how many policies we’ve found, but the outcome for that policy management is usually better for our file work because it runs much more smoothly because of less policy, less memory usage, and less CPU.

We try to make the file work much more efficient. We also do auditing for file work, such as who made changes on the file work. You can use it for accountability, if needed. 

We also use some of the compliance features. We define policy on what is compliant. If anyone tries to create certain stuff that is not compliant, we get notified. I haven't fully utilized Tufin yet and I'm working toward that area. Hopefully I can give it a higher rating as we explore more functions. We know the capability; we just need to get to that point. If we reach that point, it'll be much better actually. We’re just not there yet.

We’re hoping to be able to share the data Tufin’s collecting with other platforms so they can be more integrated with those metrics, because the governance tool is where we create policy. And then using Tufin’s metric, we can actually know what kind of policy we can create. That would help out.

It's good. I haven't rebooted.

We are big, but we are only using a fraction of what Tufin is capable right now. I'm hoping that we can explore a lot more and then try to utilize more on Tufin because my big way to look at Tufin is this ability to gather all that data. If Tufin doesn't have that footprint, you won't get that data. So right now, I'm working on that.

For my current company, I inherited it.

I haven’t thought of using any other solution, so, I haven't looked at other solutions yet.

Let Tufin help you see what can be. Make the tool work for you and be creative.

You can't always use it in a certain way. There are many ways to use a tool. You just have to be creative on how you use the tool. Find holes and ways to use it.

Figure out how you use the tool, and then figure out if you can create a process out of it, so you are not only using it when you are free. You want to use it as a process because it has to be repeatable. If something is not repeatable, there's no way to improve the process.

If I'm going to find a policy right now and I don't repeat that process, those policies will continue to become legacy, so you have to repeat using the tool.

We use Tufin for oversight and revision control to avoid implementing rules that are against security policy documentation, and also to correct any kind of issues or mistakes in policy changes.

It can be useful for comparing rule changes to create rules that are more efficient and more consistent.

We primarily use Tufin to alert us whenever a firewall policy change has occurred. We immediately get an email with a summary of what changed, the objects, any kinds of rules that were created, and so on. We can review that from our email client to see what the other admin changed and visually see if they did something that was against our standards, if it was just a poorly written rule or something like that.

It's asking a lot, but anytime they add stuff to the rule usage analysis or the policy generator - those things are amazing already as they are - we'd really like to leverage that for cleanup and so on. One of the biggest issues for an encroached application silo firewall is that the policies get super-complicated and cleanup is not only a hassle but can impact business.

I’d like to see the cleanup process be more efficient. That's my biggest headache and the biggest elephant in the room. When you have a policy that's got hundreds of rules, help me clean it up please: tell me what rules aren't used, tell me what rules are redundant, and tell me how I can simplify the rule base. I mean it does a lot of that today, but feel free to innovate there. Make it better.

It has been stable. We pretty much just set it and forget it. It reaches out to us or, when we want to go consult it, we don't typically have any problems pulling it up.

It has scaled well for us. We probably have about a couple hundred firewalls feeding it information including rule usage and so on.

We haven't really had to use technical support. I think the only time we had to was during implementation. We have kind of a weird setup where we needed to split out syslog for rule usage analysis because we consolidated our syslog in one place. We said, "Hey, can you just have Tufin pull from that?" Support helped us with that.

Implementation was easy. The previous solution we had didn't really work. We brought Tufin in, got it working, and rolled it right out.

I was involved in the implementation, not so much in the vendor selection. Of course, I knew about Tufin, its reputation and so on, so I was not opposed to it at all.

I’m rating the product a nine just because I’m stingy with my tens.
Tufin delivers on everything that we've asked them. For a similar use case, they're solid and you're not going to have any kind of surprises or issues that are going to crop up from what I've seen. As an administrator rolling something out and having it work the first time, that's pretty much all you can ask for.