Tufin Orchestration Suite Reviews

We use this solution for firewall compliance reviews.

This solution has helped us to speed up our review process. After we do make a change, we're able to quickly review what has actually changed. 

This solution has helped us with compliance because we're able to map out certain firewall rules against compliance requirements, and we're able to write reports to show us exactly what our firewalls look like in those areas.

From our perspective, the most valuable features are the compliance and firewall reporting modules. Indirectly, we use Tufin to clean up our firewall policies. We run reports, and then use those reports to drive improvement in the firewall rules. The visibility into the Check Point firewall rules is a lot easier to look at using a Tufin report as opposed to a Check Point report.

This provides good visibility of our firewall rules. Using Check Point is a little cumbersome to get what you need, so with this solution, we’re able to filter through and better get the information.

Tufin has a lot of tools for PCI compliance, as well as other modules that support things like SOX, but there is nothing substantial out there for the NERC CIP space. It would be nice to have some automated tools for NERC CIP compliance.

One of the areas that I've had challenges with is making complicated reports. There is an ability to pull in CSVs, but I've struggled to find the format that the CSV should be in.

I could spend hours building out a policy to check the firewall rules, and then the next person comes along and they don't see it because it's stored within a user profile. Consequently, they have to build out the exact same thing for hours instead of just being able to export it, and then import it into their profile.

The stability of this solution is fine. We don't have any issues with it, at least as far as I know.

It seems to be really scalable once you have all of the modules working together. We have a broad array of subgroups that we're working on compliance with, from really small to really large, and it works well with all of them.

I've never had to deal with their technical support.

I was not part of the initial setup of this solution.

Using this solution has allowed us to reduce the amount of time we spend making changes by approximately twenty percent.

This solution has a lot of functionality that we aren't using at this point, but it seems to have the flexibility and scalability. The drawback is the lack of integrated NERC CIP.

For anybody researching this or a similar solution, I would always tell them to look at all of the available options, but Tufin does all of the things that we needed it to do.

I would rate this solution an eight out of ten.

We use Tufin to do the review of rules, best practices, changes, and usage. So, it's an outside entity looking in to see what's happening on the rules sides. Then, we can do recertification for our rules, so they can be used again. Tufin puts it together really well, saying what's needed or not, then cleaning things up. We've been a customer for a very long time with them, and we're pretty pleased.

The solution's visibility is excellent for Check Point.

There's a new feature that validates standards. It allows the checks and balances against it, so it doesn't even go forward. It just says, "You're not right. Do it again."

We just got done with major audits. Tufin was able to provide information to give back to people, and say, "Hey, this is what I need to do, and what we're doing."

It's working on helping us meet our compliance mandates. We're a bank, so we're always chasing it, but it is helping us a lot. Rule recertifications are our biggest thing. However, what happens in the world of firewalls is people will put in rules to get what they need but don't ever clean them up when they stop using them.

The reporting is very good and provides in-depth knowledge for Check Point. We can write the rules as we see them. We can review rules and do searches. It has its own database which pulls all the information in regularly. This is very nice, and it is a good product for us.

I like the change impact analysis. It tells you what is going on,so you can review what has changed. In case you have to go backwards, and say, “Oops, that wasn't supposed to happen. How do I go get it?”

We were just talking to them about usage for the F5 platform. They will not be going after specific environments, but a more OpenAPI. They will have other companies write it, etc. It's a little different than I had expected.

It is a very stable product. 

It has very good growth. The scalability is very nice. We're doing a distributed environment right now. So, it has met our needs, which is nice.

The technical support has been excellent.

We were the first North American company to do this product, a long time ago. So, I don't know how the initial setup went. It's been a while. However, every time we go back and do stuff, it has been a pretty straightforward installation.

We used an integrator and professional services.

The overall experience was very good. I liked it.

We have seen ROI.

Buy Tufin because it works! I love the product. It's been a great product to work with. The people are great, and the support is awesome. I have had no downside out of it.

We're just getting started on the change workflow. So, we're learning it, and it's working well.

It helps with our review process. We do a peer review, saying "Hi, here's all the changes," then you can look at it and go, "Oops I forgot something," or, "I don't think that was in any drop," and we can go back and review that. This is where it helps us minimizes errors. Before Tufin, we would not end up not catching these errors.

We are automating, so we are getting to a place where our engineers are spending less time on manual processes.

We are using Tufin to be security compliant within our organization.

This solution was a need for our organization to stay compliant and it has helped us in this way.

The most valuable feature of Tufin is rule analysis.

I have been using Tufin for approximately three years.

Tufin is stable.

The scalability of Tufin is good.

We have approximately 20 people using Tufin in my company. We have many teams using the solution, such as security, operational network, and network architecture.

We do not have plans to increase the usage of this solution.

The support I received from Tufin was responsive and helpful.

I rate the support from Tufin a four out of five.

Positive

I have previously used AlgoSec and we switched because the price was too high.

The initial setup of Tufin was complex. We had some issues with the architecture.

We did the implementation of the solution in-house.

The price of Tufin could be lower.

We have a team of three engineers that do the maintenance of the solution.

I would recommend this solution to others.

I rate Tufin a nine out of ten.

We use two main modules. We really appreciate the change manager. It's one of the most valuable aspects of the solution.

The technical support is pretty good.

We need the solution to have full compliance with IPV6. 

We also use VMware features and we need the solution to be fully integrated. We used to make micro-segmentation. We'd like to be able to do this again, and for that to happen, we need more integration.

The pricing of the solution is rather expensive. 

It needs to be more comprehensive. There are also some drawbacks in trying to import a policy matrix inside. If some people design a policy matrix in the file, in an Excel file, the problem is that we will have to work a bit to interact with it properly. Something more economical needs to be in place to deal with the policy matrix.

We have a small team working with Tufin. That said, even though the team is not a big team, we have a lot for it to do. Tufin now is our policy manager for the private cloud. It's the main policy manager. We also use Skybox for the legacy part.

I've dealt with technical support in the past. They are okay. They really try to work with us. I'd describe them as being helpful and responsive for the most part. We're largely satisfied with their level of service.

We also use Skybox Security Suite. We use both that and Tufin simultaneously.

The initial setup was actually handled by another team. I can't speak to the implementation process due to the fact that I did not participate in the process directly.

As an architect, the pricing seems expensive to me. For what it does, I would say it's expensive. 

I can only really compare it to Skybox, which is a solution we also use. 

If I compare it with Skybox, I see it is the best. It is better than the Skybox. However, we need it to do more. 

We are not a reseller. We are an IT enterprise. We are customers and end-users. That said, our relationship is evolving. It's becoming something like a partnership, as we need more features and are making suggestions and trying to develop it out a bit. 

I'm not sure of which version of the solution we're using. I can't recall the version number off-hand.

I'd rate the solution at a seven out of ten.

We do risk, cleanup, and change.

It reduces human error and speeds up the whole change process.

The change workflow process is flexible and customizable. There are five default workflow processes out-of-the-box. However, every customer is different. Everybody has a different request process. That is why it's so customizable. You can add another step, you can delete a step, or you could put in an exception. It is very flexible.

We use this solution to automatically check if a change request will violate any security policy rules. E.g., we will not be allowing SSH to the Internet. That is one change request where we can be like, "Put that right on top of the policy." 

This solution has helped us to meet our compliance mandates, especially with the default out-of-the-box templates, then you can create your own.

This solution helps us ensure that security policy is followed across our entire hybrid network. You can have a Unified Security Policy which reaches across all networks, so if you are having a change submitted, it doesn't matter if you're enforcing it or not. You can get an alert saying, "This is a violation." That's a value-add.

• Cleanup
• Visibility
• Scalability
  

Cleanup is its most valuable feature. We use Tufin to cleanup our firewall policies. You can see unnecessary, unused objects. A lot of times, you will create a host, then it's not used. It's like, "Delete that, because we don't need that in the database." Or, it's a rule that is not needed: unused rules.

Its cloud-native security features are good. They add even more visibility to your environment.

I would like more out-of-the-box workflows in SecureChange with more default config, so you don't have to create those workflows yourself. This would be the biggest thing.

I would also like more enforcement. Right now. it's a lot of alerting. You see it in Tufin, but you have to go to Check Point or whatever device to make the actual action.

We already know the user interface is getting redesigned in TOS 2.0. That's naturally been the customer complaint in my experience, "Where are things in the GUI? The GUI is cumbersome." Now, I'm used to it, but when your first learning it, it is unintuitive.

The stability is very good, especially now that they are developing a lighter weight operating system on top of the OS with 2.0 coming out this year. 

The current version is slow. I deal with a lot of large environments, which is mostly what Tufin has. It is slow because it is a database, Tomcat Server, and web server. Reports are slow. If you're generating manually on the fly, you can set them to run at night, then it's not a big deal.

The scalability is good, because you can have a central server, distributed server, and remote collectors. You can have remote land sites or branch offices. You can have the collectors collect the data for you. You don't have to rely on just one server.

The technical support is very good. It is a lot better than the firewall vendors themselves.

There were not enough resources to do the changes themselves. We definitely went offshoring. Now, you see a lot of that coming back because there is not enough people. We needed a system to do it.

At first, the initial setup is complex. Once you know it, the initial setup is straightforward.

First, you have to install the operating system. Then, you have to install the application, where there are certain version requirements. You can't just go right to the latest OS version. You have to go back to the older one, then upgrade those as well. It is a little cumbersome.

I am an integrator. Sometimes, we have to use Tufin on the back-end.

We have seen ROI just in the time savings and knowledge. Knowledge is power. Having the solution do it automatically for you without you doing the work is huge. If you are spending $50,000 a year, it could have cost you a $100,000 in man-hours without it, especially if you are working with a team..

This solution has helped reduce the time it takes our customers to make changes by 50 percent.

Engineers are spending less time on manual processes by 50 percent.

While licensing varies greatly, it is about $50,000 a year.

We did consider other vendors, but Tufin is the market leader. We only deal with the best of breed. We like to go with the best.

Do a proof of concept or proof of value. You will see the value right there.

The visibility is top-notch. I know the vendors as well, like Check Point and the firewall product underneath it. I know with Check Point, specifically, and I have seen some issues with it. However, overall, there is still a lot of value in the cleanup.

We primarily use this solution for Change automation. We do not use USP, yet.

This solution has somewhat helped us with meeting our compliance mandates. We’re still working on it, and it’s a work in progress, but we’re better than we were.

Using this solution has helped to reduce the time it takes us to make changes. Our average was about five business days, and we’re down to same-day delivery. For some of our environments like QA and non-production, where we allow changes during the day, they can be done right away. 

Our engineers are spending significantly less time on manual processes.

The most valuable feature of this solution is that it reduces both the time required and the number of errors when making changes. We reduced the time it takes to make a change from a week down to a few hours. It means that the business gets a faster turnaround time, and our group is not as much of an obstacle for getting things done. It reduced the change error, so there is a lot less manual work being done.

The automation provided by this solution has mostly eliminated the human error element.

The most powerful thing in Tufin is the ability to use the SecureChange API, where we can supplement our own functionality in addition to what is built-in.

There are some limitations in the product and we were unable to use the Clean Up reports. 

We haven't been able to use the unified security policy and a lot of the violations and stuff like that. So, we're not getting a whole lot of visibility. Again, there are limitations there, so we haven't been able to deploy that yet.

USP does not support VPNs, which is a big thing for us, so we haven't been able to utilize it.

One thing that could be improved is the moving of data from one step to the next. As it is now, we have to manually do that via the API, but there should be a way to carry over data between the different steps without us having to code that.

It could definitely use some refinements and utilize fewer resources. It uses a lot of hardware to do not a whole lot of tasks.

This solution is stable. We don't have any issues with it, but it's a resource hog.

This solution is not entirely scalable, although we have a very small footprint, so we don't really need it to be. For our use case, it's okay. I think that the distributed architecture, which we don't use, would allow it to be a lot more scalable, but I haven't had any experience with that.

Technical support for this solution is good. We have a technical account manager and he's been right on point with most of our stuff. It's a fairly complex thing that went to R&D. It took some time, but that's to be expected.

The initial setup was completed before I was there, but I have heard that they had a lot of issues with setting up high availability. Other than that, it was pretty straightforward.

We used a G2 reseller for our deployment and it was a good experience.

Our licensing fees are approximately $250,000 USD.

This solution checks a lot of the checkboxes, but it seems to be quite limited in some of the more advanced features that the firewalls do. This can be quite restrictive in terms of what you can and can't accomplish with it.

I have indeed referred two former co-workers at another company to look at this solution. I think that it would help them significantly.

The newer, more advanced features that we would like to use are just not supported by Tufin yet. I think that it's in their roadmap, but they just aren't there yet. Specifically, we are doing things like URL filtering, user identification, decryption, and inspection, which are typically done by devices other than firewalls. Palo Alto supports it, and we're using it, but it creates some complexity with the automation.

I would rate this solution a seven out of ten.

I am working in a DevOps environment. We are trying to automate firewall rules and allow Tufin to push these changes for us. Using SecureChange and SecureApp, it makes life easier for the user community and the firewall engineers by not having to manually input firewall rules. The DevOps environment allows the users to pick from a catalog and request what they need. SecureTrack gives us the audit capability of what is/was implemented.

To me, SecureTrack is the greatest thing since sliced bread, it allows you to see what is used and not used with your firewall, and gives extensive analysis in a very short period of time.

I can run SecureTrack for a week and have a great idea of what’s being used. Ideally, you want to let it run for a year, accumulate data, go over a years’ worth of data and decide what really needs to be cleaned up.

You will see in one report what is being used (IP addresses or services) and what has never been used.

Gone are the days of reviewing logs to figure out, "do I still need this rule/service?" It’s been a really great piece of software.

Probably in the ad-hoc reporting. They give you the canned reports. We do use the API calls, but it would be nicer if they could just give you a drag-and-drop function in the reporting. Pick anything out of the database and massage that data the way you want it.

Tufin has been working with us hand-in-hand lately because they do see that we are doing a lot of cloud-development work with automation. It’s in all our best interest going forward and they have responded seeing the future is in the cloud.

Personally I have been using Tufin for seven years across different companies.

No issues encountered. Strongly encourage an HA environment.

It’s holding up real good with scalability and stability. We have not run out of power on the box. They have been here on site and see what we are doing and how we are doing it. We are telling them what we need and they are doing it. They are pushing the envelope in their development side to try and meet our demands.

The level of service is excellent. I can’t overstate that. We open a lot of tickets because we are using a lot of things that a lot of people are not using in the product, which is too bad. Most people don’t understand the power this product brings to the table.

The technical support team is right on top of it. They don’t just leave you hanging. They know the guts of the product. They are able to get in and figure out what is happening and get you up and running again.

A lot of companies will put the new guy on the front lines so that they learn the product line quicker, Tufin does not do that, these guys actually know their stuff. If they don’t know they go straight to the developers. I can’t praise them high enough.

We have a great relationship. You need help and they are there. If that’s operating system support or the application, their engineers are very resourceful. Looking at their roadmap, we see great improvements coming to cover the new world of automation and cloud computing.

Bottom line they are very responsive, and very good.

It’s easy to deploy. It’s a very easy product to work with. It’s one of the easier products to implement.

In-house with Tufin on-call ready to help.

We have made a ROI. We have invested a lot of money in these products. Any company that puts in SecureTrack alone will see a very quick return on investment.

With SecureApp we are automating cloud development work, the only thing we have to do at the end of the day is go to the firewalls and click ‘install’. It will do the end to end analysis for you.

You need to approach it from a cost perspective. If you have to go through and analyze a rule base, it’s going to take you months and months and a lot of people. If you use Tufin, right off the bat, it’s collecting the information and it’s going to tell you what’s been hit or not. It will tell you how many hits on each source/destination address, and services.

It’s the Swiss army knife of tools. I’m sold on it. It’s so easy to use. We use it to its full potential. It has some great bells and whistles.

We are an IT service provider. We are using it in our company and on the customer side. So, we have internal customers, and we are also a solution provider for external customers.

We can check and analyze the current status of our firewall rules.

Their pricing can be better. It is not very transparent. 

In terms of functionality, we have not had any particular or special disadvantages other than the integration, but every tool that you take to integrate with your infrastructure is more or less complicated. For example, you have a history in your firewall infrastructure, and the longer the history is, the more you have to work on it to integrate. We see that in our infrastructure. We have been a service provider for more than 40 years, and we have been on the market for 20 years. We have a lot of customers, and there are some individual requests and setups. For the integration of Tufin or any other tool, you need a certain level of standardization. We have more disadvantages on the site from different firewall vendors. For example, with Drupal, you can integrate any individual firewall, but for Fortinet, you have to use a Fortinet manager.

We are not looking for any additional features at the moment. We are not planning to buy any other modules.

I have been using this solution for five years.

Until now, we have not had any problems in terms of stability.

It has been scalable so far. We don't have any issues.

On the administration side, 15 people are working with it.

I would rate them a six out of 10. In many cases, we had to escalate.

I didn't work with a similar product previously.

Its implementation process is complicated.

It is expensive, but as compared to other players, it's more or less okay. Their pricing is not very transparent. This is my biggest point regarding Tufin. I've never seen a price list or something like that. It's always individual, and in many cases, it's very confusing to know what is the base and what is the price.

I would advise thinking about which modules you really want to use. We are using it only to have a transparent view of the firewall rule base and nothing more. We are not using any modules of this solution because we want to be and stay independent. For example, for the execution of the firewall rules, we use our own system. We have also developed all the other things ourselves so that in the future, we can switch to another product. So, you have to take care that you are not fully dependent on Tufin. 

I would rate it a seven out of ten.