Tufin Orchestration Suite Reviews

Policy management.

A lot of policy is legacy. With SecureTrack, I can track the policy and find all the policies that we're not using. Basically, we create a process out of it and actually get rid of those legacy policies.

I don't have a real idea of how many policies we’ve found, but the outcome for that policy management is usually better for our file work because it runs much more smoothly because of less policy, less memory usage, and less CPU.

We try to make the file work much more efficient. We also do auditing for file work, such as who made changes on the file work. You can use it for accountability, if needed. 

We also use some of the compliance features. We define policy on what is compliant. If anyone tries to create certain stuff that is not compliant, we get notified. I haven't fully utilized Tufin yet and I'm working toward that area. Hopefully I can give it a higher rating as we explore more functions. We know the capability; we just need to get to that point. If we reach that point, it'll be much better actually. We’re just not there yet.

We’re hoping to be able to share the data Tufin’s collecting with other platforms so they can be more integrated with those metrics, because the governance tool is where we create policy. And then using Tufin’s metric, we can actually know what kind of policy we can create. That would help out.

It's good. I haven't rebooted.

We are big, but we are only using a fraction of what Tufin is capable right now. I'm hoping that we can explore a lot more and then try to utilize more on Tufin because my big way to look at Tufin is this ability to gather all that data. If Tufin doesn't have that footprint, you won't get that data. So right now, I'm working on that.

For my current company, I inherited it.

I haven’t thought of using any other solution, so, I haven't looked at other solutions yet.

Let Tufin help you see what can be. Make the tool work for you and be creative.

You can't always use it in a certain way. There are many ways to use a tool. You just have to be creative on how you use the tool. Find holes and ways to use it.

Figure out how you use the tool, and then figure out if you can create a process out of it, so you are not only using it when you are free. You want to use it as a process because it has to be repeatable. If something is not repeatable, there's no way to improve the process.

If I'm going to find a policy right now and I don't repeat that process, those policies will continue to become legacy, so you have to repeat using the tool.

We use Tufin for oversight and revision control to avoid implementing rules that are against security policy documentation, and also to correct any kind of issues or mistakes in policy changes.

It can be useful for comparing rule changes to create rules that are more efficient and more consistent.

We primarily use Tufin to alert us whenever a firewall policy change has occurred. We immediately get an email with a summary of what changed, the objects, any kinds of rules that were created, and so on. We can review that from our email client to see what the other admin changed and visually see if they did something that was against our standards, if it was just a poorly written rule or something like that.

It's asking a lot, but anytime they add stuff to the rule usage analysis or the policy generator - those things are amazing already as they are - we'd really like to leverage that for cleanup and so on. One of the biggest issues for an encroached application silo firewall is that the policies get super-complicated and cleanup is not only a hassle but can impact business.

I’d like to see the cleanup process be more efficient. That's my biggest headache and the biggest elephant in the room. When you have a policy that's got hundreds of rules, help me clean it up please: tell me what rules aren't used, tell me what rules are redundant, and tell me how I can simplify the rule base. I mean it does a lot of that today, but feel free to innovate there. Make it better.

It has been stable. We pretty much just set it and forget it. It reaches out to us or, when we want to go consult it, we don't typically have any problems pulling it up.

It has scaled well for us. We probably have about a couple hundred firewalls feeding it information including rule usage and so on.

We haven't really had to use technical support. I think the only time we had to was during implementation. We have kind of a weird setup where we needed to split out syslog for rule usage analysis because we consolidated our syslog in one place. We said, "Hey, can you just have Tufin pull from that?" Support helped us with that.

Implementation was easy. The previous solution we had didn't really work. We brought Tufin in, got it working, and rolled it right out.

I was involved in the implementation, not so much in the vendor selection. Of course, I knew about Tufin, its reputation and so on, so I was not opposed to it at all.

I’m rating the product a nine just because I’m stingy with my tens.
Tufin delivers on everything that we've asked them. For a similar use case, they're solid and you're not going to have any kind of surprises or issues that are going to crop up from what I've seen. As an administrator rolling something out and having it work the first time, that's pretty much all you can ask for.

The multi-vendor support is very important for us. This is the most important feature because our system has integrations of software and hardware from many vendors. Tufin has also integrated well, supporting our system of multiple vendors.

Our company has a common policy that we need to ensure covers three different vendors we work with. Tufin helps us to manage this as it's where we've defined the common policy and also where we manage it.

I think that Tufin needs to be as-a-service, that is, in the cloud. The installation also needs to be easier. Additionally, with Tufin's business model, the licenses are quite expensive.

It's hard to stay updated with the last version. That's really the main hurdle we have with our deployments of Tufin.

It's quite stable, but you always need to do updates. Staying updated has prevented instabilities.

We don't have this issue because we only have four firewalls. It has scaled for our needs.

The initial setup was straightforward and pretty easy.

We implemented it ourselves with our in-house team. It was easy.

Sometimes it's very difficult to get the ideal revenue out of this tool. It's expensive.

The licensing is expensive. Maybe for a big company, the price and the licensing is not a problem. For a small or medium company, though, it could be an issue.

We also looked at AlgoSec and FireMon.

We use both modules, SecureTrack and SecureChange. With Securetrack, we follow rules implementation and compliance; with SecureChange we manage the workflow of firewalls openings.

Thanks to Tufin we're able to manage the life cycle of rules and to keep logs of each firewall modification. Policies are also optimized using the tool.

Checkpoint and Cisco products are well implemented and managed. For Fortinet firewalls some features are not yet available.

In networks where the WAN is managed by a third party, some features may be missing if you're not able to have information about routing, ACL, etc

2 years.

Product is quite complete. The hard work concerned building a topology on the product base on reality of the network. Some workaround we do in reality may be hard to model using the tool. Topology is mandatory for SecureChange to work.

Product is stable and we've had no problems concerning stability, even if we're not able to have a clear view of the capacity of this tool. There is no reporting on capacity. For instance, there is no alarm.

No issue specifically, but for large networks several appliances are required to have a distributed architecture. Also, for SecureChange it's necessary to have a separate instance so the topology calculation has no impact on user interfaces.

Excellent, even if we have more contact with support team, customer service is always checking that everything is fine.

Excellent, the support and the post sales service is the best I ever had. They're always available and listen our concerns. Even some features required have been delivered a few weeks after the requirement.

We used another solution some years ago, but we switched, first of all, for performance and stability issues. The old solution was not able to handle the number of rules we can manage in our network.

The main setup subject will be to check what's the first need you want to answer. In our cases we want to manage our life cycle of rules and we work on it. Start small and grow up smoothly while you understand your network topology.

Vendor was quite good. This is a tool with which the need to understand your network is mandatory. You must have an in-house team to be fully operate this tool. This is also the easiest for support.

Our main ROI is to be more agile and flexible for rules lifecycle. We're able to answer faster with the same number of people.

Pricing is correct. You've got one or several appliances and pricing is not too high. After licensing is per firewall managed by the tool, so you can grow smoothly.

We did an evaluation of the different solutions on the market, and it was our vendor that recommend us the solution.

I recommend this solution. In our case, it was the missing part to be able to provide a better service to our clients.

We use this solution for recertifying connections, application-based automation, and compliance with regulations.

The workflows save time and speed up the authorization processes for applications. For network operators, it enhanced visibility. For application operators, it increased knowledge of dependencies and also provided them with impact awareness.

Before this solution, we used Excel sheets. This approach did not provide ways to filter the options for implementing changes. The filtering of lots of criteria is very valuable.

I would like to see more configuration options on next-generation firewalls, defining possible standards for devices.

The tool is highly reliable.

We have not run into limitations around scalability. Depending on the devices, it is better to have a sizing discussion with the sales engineer.

In the beginning, we did not have a dedicated support handler and it caused some issues because the service requests were interrelated. When we later obtained a central contact in support, it improved the handling.

Prior to this solution, we used Excel and firewall vendor consoles.

The initial setup was fairly complex because of the agreement with the network provider.

We implemented this solution in-house with the support of Tufin Professional Services.

I suggest talking with Tufin about the flexibility of the pricing structure.

We did not perform our own evaluation. However, one of the daughter companies evaluated multiple products (Tufin, FireMon, and AlgoSec) and selected Tufin. We relied on their research.

Implementing the tool is easy, but introducing the changes within the company can be challenging.

We are doing firewall automation through Tufin.

In terms of the change impact analysis capabilities of this solution, we get a lot of CNR queues and it has saved a lot of time when making changes. And the analysis tells us that we have made a particular change and it sends out a lot of alerts. We can analyze them and do some auditing stuff as well with Tufin.

We have a lot of teams that do stuff in Tufin, management teams, auditing staff, and a team for implementation. So the time it saves us across that whole scenario is hard to pin down, but it has saved us a lot of hours in implementing the CNR queues, approximately 20 to 30 hours a week. That a big time savings.

The solution will automatically check if a change request will violate any security policy rules. We have an auditing staff using this feature within Tufin. If we have an open rule, it will send us an alert and we can see why this alert has been sent and take action on it.

Tufin helps us ensure that security policy is followed across our entire hybrid network. We can set up rules and policies for this and we can do a lot of auditing as a result.

The topology and the config backup that we see for devices are key features we get from Tufin.

The change workflow process is flexible and customizable. We went through a lot of difficulties while doing stuff, and it now provides a lot of flexibility while making changes. We can go back and implement the changes again and that is one of the things that is very flexible. If we have a firewall completed and we want to redo it, if we need to re-engineer a particular firewall and open a different destination, we can do that by creating a break-fix. A break-fix is one of the things that we can use to redo things on Tufin, itself. That is one of its useful tools.

Auditing is another good tool within Tufin. The automation stuff and searching of reports are good for auditing as well.

I have gone over compliance issues in Tufin, but compliance is one of the things which might not be that clear in Tufin. It just shows the configuration. That is one of the things they have to work on. It is one of the constraints, in my opinion.

The topology is good but they could work on it and get something better out of it.

If we talk about the complexity of getting more nodes over Tufin, Tomcat or web services become flat. This is one of the constraints that I have seen. The web services are not that stable. This has to be checked and taken care of.

If you have a normal load in Tufin it works perfectly fine. But they need to work on the stability because if a certain amount of load is put in Tufin it just breaks downs, from what I've seen lately. That has to be taken care of. The parameters for the platform also matter in that situation, but if they can work on the stability, that would be great.

The scalability is fine but when it comes to web services, in my experience, Tomcat has always gone down; after a certain amount of load it breaks down and we have to get things restored again. The scalability is perfectly fine but, performance-wise, they have to work on the platform or the base of Tufin to make it more robust. In a bad situation, if a lot of guys are logging in, it breaks down.

Although I am in India, we have U.S. support. I haven't had any interactions directly with tech support, but one of my counterparts in the U.S. talks to them and sorts things out for us. I haven't had any discussions with them where I can analyze their work.

It was challenging at the time because we wanted to implement a lot of things which Tufin doesn't have as default. There was a lot of customization required and it took a lot of time - one or two months - to sort that out.

We did not have a previous solution. We were moving towards automation and we wanted something that would save time in doing firewall queues and creating firewall rules. We were looking for a good tool and Tufin was one of them. It is a multipurpose tool that gives us topologies, and auditing and alerting.

I don't think we had any issues installing it. That was not a problem. It is not that difficult but it is not easy either. The setup was normal and I wouldn't complain about it.

Our deployment took about ten to 15 days to get things onboarded. There were many other guys who were also involved in it and I don't remember entirely, but I think that's how long it took to onboard things.

The number of people involved in the deployment depends on the infrastructure and what kind of services you are looking for. If you're looking at server management, that would require one or two guys. If you're looking at onboarding of devices, you would need another one or two guys. For the auditing stuff, again, another one or two guys could do it. So for each of these areas, one or a maximum of two guys could handle it. Once you are done with onboarding, managing it takes two guys.

Regarding our implementation strategy, our primary motive was to get firewall automation in place. With that in mind, we worked to bring in all the devices and all the firewalls. Then we started talking about getting the different packages over to it and working to get the firewall automation done. There were a lot of things we had to do - it took months - when we had to bring in new patches or requests.

It was Tufin only and one or two guys within our team. There was no third-party involved.

Firewall automation was one of the biggest concerns we had, and we have largely sorted that out with this tool. If we are saving hours, then we are saving money.

I was involved with the pricing at the start. But then management took over that issue. In terms of affordability, this company is using it, so it seems they are fine with it. We just provide management with our requirements and it's their concern and responsibility to bring us what we need. Since we still have this solution, I think they are fine with it. But it's a management call.

My advice would depend on what kind of implementation and what kind of environment you have. If you are looking for automation and auditing you should think about this solution. Talk to the technical guys at Tufin about how your environment works and can ask them about what they can do. If you are looking for automation you should look at Tufin.

Regarding Tufin's cloud-native security features, I am only familiar with their on-prem stuff. I haven't seen any of the cloud features on Tufin yet. I would really like to know what it will bring us at the end of the day.

We have three or four teams using it on different platforms and for different use cases, like auditing and alerting. On my team there are 25 guys using it. I don't have any idea how many guys on other teams are using it. Our security area is managing and maintaining it.

As engineers, we are certainly using it daily. I just made a scheduled change today through Tufin. We are certainly using it but I can't say what our plans are for it in the future.

I would rate Tufin at seven out of ten. The things that come to mind with this rating are the implementation of firewalls, the alerting and security. We can set out the security rules. I deducted three points because of the platform. I don't think that it has a stable platform. If there are 20 people and 22 need it, it will not be able to support us in that scenario. So that is a weak point. Stability and robustness are the things I'm looking for.

It can compare policy revisions side by side to see when you've made a change, and what the change is. It also lists the detail of the objects and policies. In other words, it has the ability to list all the policies as well as having side by side revisions.

I think we knew we needed to invest in the solutions because of a replacement we had to do last year. We had no other way of gathering the information. It wasn’t replacing anything.

I would like to be able to see the changes made on the software blades that Check Point has, such as URL filtering, IPS.

I’d like to see it work with F5. It's supposed to work and it doesn't. The problems we have with the F5 is what brings the rating down, because that was a big part of the reason we purchased it. If they fix the F5 issue, I’d probably rate it an 8 or a 9.

We have been using it for one year. When we first implemented Tufin, we were replacing firewalls that had been in place for so long, there was absolutely no way of migrating the policy over so we had to recreate it from scratch. We were able to use the information provided from Tufin to do that.

We’ve used the recording tools a little bit, but just for Check Points, not the F5s. They're helpful in a way. Sometimes it seems like they're giving you partial information, like it wants to give you some information that you've made a change to, but it's really hard to track down where that change actually was made. It’s more like configuration-level changes are difficult to read on the report.

We've had issues with using Tufin for the F5 load balancers. We can't get our information out of our F5s.

Using technical support was kind of cumbersome. They couldn't figure out what the problem was with the F5s. After they thought they found the problem, we set up another set of F5s. The problem that they thought was causing it, was no longer in place with the other set of F5s, but they didn't work either.

I was involved in the initial setup a year ago. It was straightforward. It was pretty easy to set up.

We weren’t comparing it to anybody else.

Keep in mind that you're only going to get the network security layer of the Check Point showing up on the recording. You're not going to get all of the software blades that come along with it. One of the things my manager was disappointed to find was that we weren't able to gather that information.

Tufin has helped us a lot. It lets us clean up the rule base in a short period of time and remove unused rules. Tufin provides you a report on rules for this that lets you delete objects that are obsolete and no longer needed in the rule base. If you don't use a tool like Tufin, this is done manually and may take days, because for every object, before you delete it, you have to make sure that it is not being used by someone else.

From a security point of view, Tufin can provide the posture of your environment, meaning whether your rule base is secure or not. It will analyze the file rule base, tell you if the service you enabled is secure, and give you some advice how to deal with the situation.

I want Tufin to be used by my entire team, but due to a lack of training and lack of resources, we are not able to do that. I would like to see more training videos that can be distributed to my team in order to really take advantage of the product.

We have been using it for about 3 years now.

I find it very stable. We haven't had any big issues since we started using it. Issues we have had have mostly been related to new features being added that weren’t supported by the device. In those scenarios, we submit the case to Tufin and they tell us about the new release.

We are a big company and I can say that we are not using the product in its fullest capacity. We have a different type of policy because we are using different vendors and different technologies, and while we have some issues with the juniper devices, it has absolutely been scalable.

Tech support has been fine. Right now I have an ongoing case and there is a delay, but it mostly comes from me because I took time to respond and they are telling me other ways that I know.

I implemented FireMon three years ago for a customer because the customer specifically requested it. I found it very hard to put in place. I wasn’t a part of the Tufin implementation, but in terms of the product itself, Tufin is easier to use.

I would give Tufin an 8 out of ten because some vendors own multi-contexts, and there are challenges supporting these devices. We are having issues with the Juniper device, for example.